CCIE Security Tutorial (transcript)
8/9/2019 CCIE Security Tutorial
CCIE Security Techtorial
TECCCIE-3001
TECCCIE-3001_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
Section  Topic
1  CCIE® Program Overview
2  CCIE® Security Overview
3  Core Knowledge Section Overview
4  Implement secure networks using Cisco ASA Firewalls
5  Implement secure networks using Cisco IOS Firewalls
6  Implement secure networks using Cisco VPN solutions
7  Configure Cisco IPS to mitigate network threats
8  Implement Identity Management
9  Implement Control Plane & Management Plane Security
10 Configure Advanced Security
11 Identify and Mitigate Network Attacks
12 Preparation Resources and Test-Taking Tips

Disclaimer
Not all the topics discussed today appear on every exam
For time reasons, we’re unable to discuss every feature and topic possible on the exam
Section 1
CCIE® Program Overview
CCIEs Worldwide
Most highly respected IT certification for more than 15 years
Industry standard for validating expert skills and experience
More than 20,000 CCIEs worldwide—less than 3% of all professionals certified by Cisco
Demonstrate strong commitment and investment to networking career, life-long learning, and dedication to remaining an active CCIE

New Certification Logos
The Learning@Cisco organization is pleased to introduce new logos for its Cisco Career Certification Program.
https://cisco.hosted.jivesoftware.com/docs/DOC-3813
The logos were designed with input from the Cisco certified community, and represent the prestige and dedication defined by the program.
Effective January 12, 2009, all certificates and plaques.
Certified individuals can access and download the logos by logging into the Certifications Tracking System at: www.cisco.com/go/certifications/login
New Certification Logos

Overview: CCIE Tracks
Available in Six Technical Specialties
Routing and Switching
• 64% of all bookings
• Labs in all regions, all worldwide locations
Security
• Introduced 2002
• 13% of bookings
• Labs in Beijing, Hong Kong, Brussels, RTP, San Jose, Sydney, Dubai, Bangalore and Tokyo
Voice
• Introduced 2003
• 16% of bookings
• Labs in Brussels, San Jose, RTP, Sydney and Tokyo
Service Provider Networks
• 6% of bookings
• Labs in Brussels, Beijing, Hong Kong, RTP, Sao Paulo, Sydney
Storage Networking
• Introduced 2004
• [percentage illegible in the source] of bookings
• Labs in Brussels and RTP
Wireless
• Introduced 2009
CCIE Information Worldwide
Total of Worldwide CCIEs: 19,134*
Total of Routing and Switching CCIEs: 16,727
Total of Security CCIEs: 2,147
Total of Service Provider CCIEs: 1,182
Total of Storage Networking CCIEs: 140
Total of Voice CCIEs: 901
*Updated 23-Feb-2009

Multiple Certifications
Many CCIEs have gone on to pass the certification in more than one track. Below are selected statistics on CCIEs who are certified in more than one track.
Total with Multiple Certifications Worldwide: 1,974
Total of Routing and Switching and Security CCIEs: 739
Total of Routing and Switching and Service Provider CCIEs: 496
Total of Routing and Switching and Storage Networking CCIEs: 35
Total of Routing and Switching and Voice CCIEs: 258
Total with 3 or More Certifications: 316
http://www.cisco.com/web/learning/le3/ccie/certified_ccies/worldwide.html
CCIE Exam Development Process (diagram)
Input sought from: Cisco Business Units/Technology Groups; Cisco standard architectures (AVVID, SAFE); advisory subject matter experts; technical support TAC cases; technical bulletins, best practices and whitepapers; Enterprise Technical Advisory Board; focus groups/customer sessions; CCIE field surveys.
The CCIE [Track] Program Manager, reaching out to the extended and relevant Content Advisory Group, channels input and feedback into the CCIE Program Team.
Output: exam objectives and CCIE Written and Lab Blueprints.
Certification Process
CCIEs must pass two exams
Written exam: 100 multiple-choice questions
The lab exam is what makes CCIE different. The full-day, hands-on lab exam tests the ability to configure and troubleshoot equipment
Not all lab exams are offered at all lab locations

Step 1: CCIE Written Exam: #350-018
Available worldwide at any Pearson VUE testing facility for ~$350 USD. Costs may vary due to exchange rates and local taxes
Two-hour exam with 100 multiple-choice questions
Closed book; no outside reference materials allowed
Pass/fail results are available immediately following the exam; the passing score is set by statistical analysis and is subject to periodic change
Waiting period of five calendar days to retake the exam
Candidates who pass a CCIE written exam must wait a minimum of six months before taking the same number exam
From passing written, candidate “must” take first lab exam attempt within 18 months
No “skip-question” functionality

Step 2: CCIE Lab Exam
Available in select Cisco locations for $1,400 USD, adjusted for exchange rates and local taxes where applicable, not including travel and lodging
Eight-hour exam requires working configurations and troubleshooting to demonstrate expertise
Cisco documentation available via Cisco Web; no personal materials of any kind allowed in lab
Minimum score of 80% to pass
Scores can normally be viewed online within 48 hours, and failing score reports indicate areas where additional study may be useful
Section 2
CCIE® Security Overview
CCIE Security Overview
Security is one of the fastest-growing areas in the industry
Information security is on top agenda to all organizations
There is an ever-growing demand for Security professionals in the industry
The CCIE Security certification was introduced in 2002 and has evolved into one of the industry’s most respected high-level security certifications
Just around 2,200 CCIE Security worldwide

Advanced Technology Market Growth (chart)
Market and Job Specialization: companies are dedicating job roles now and expecting to increase the trend within 5 years
Security: from 46% dedicated now to 80% in 5 years
Voice: from 40% now to 69% in 5 years
Wireless: from 39% now to 66% in 5 years
Source: 2008 Worldwide Survey by Forrester Consulting on Behalf of Cisco
CCIE Security Written Exam v2.0
Covers networking theory related to:
General Networking
Security Protocols
Application Protocols
Security Technologies
Cisco Security Appliances and Apps
Cisco Security Management
Cisco Security General
Security Solutions
Security General
Lays foundation for Security lab exam
CCIE Security Written Exam v2.0
The CCIE Security v2.0 written exam strengthens coverage of technologies critical to highly-secure enterprise networks
Topics such as ASA, IPS, NAC/ATD, CS-MARS, IPv6, security policies and standards are added to test candidates on the security technologies and best practices in use today
[…] can schedule their Lab for v3.0. There is no additional requirement to schedule v3.0 lab exam.

Security Written Exam: Sample Question 1
Which Is a Benefit of Implementing RFC-2827?
A. Prevents DoS attacks based on ARP spoofing
B. [option text missing from the source]
C. Prevents DoS attacks based on MAC spoofing
D. Prevents leaking of Private Internet address space
E. Prevents leaking of Special-Use IPv4 Addresses
Answer is B
Security Written Exam: Sample Question 2
Which One of the Secure Access Methods Below Can CS-MARS Use to Get Configuration Information from an Adaptive Security Appliance (ASA)?
A. [option text missing from the source]
B. SFTP
C. SCP
D. SSL
E. HTTPS
Answer is A

CCIE Security Lab Exam (New v3.0)
CCIE Security Lab Exam
Candidates build a secure network to a series of supplied specifications
The point values for each question are shown on the exam
Some questions depend upon completion of previous parts of the network
Report any suspected equipment issues to the proctor as soon as possible; adjustments cannot be made once the exam is over

Security Lab Exam: Locations
Nine Worldwide CCIE Lab Locations for Security: Beijing, Brussels, RTP, Tokyo, San Jose, Hong Kong, Sydney, Dubai, Bangalore
Security Lab Exam: Changes (New v3.0)
The CCIE Security Lab exam content was revised and implemented worldwide on 20th April 2009, to include some of the current trends and technologies in the security industry
New topics and hardware and software upgrades have been introduced
End-of-Life devices were also removed; [illegible] and [illegible] were removed
Routers were replaced with ISR series models
Catalyst 3550 Switches were replaced with 3560

Security Lab Exam: Equipment and Software Versions (New v3.0)
Lab May Test Any Feature That Can Be Configured on the Equipment and Cisco IOS Versions Listed Below, or on the CCIE Website; […] Lab, But You Won’t Be Tested on Them
Cisco Integrated Services Routers (ISR) series running Cisco IOS version 12.4T
Cisco Catalyst 3560 series switches running 12.2SE
Cisco ASA 5500 series Firewalls running version 8.x
Cisco IPS 4240 Appliance Sensor running version 6.x
Cisco Secure ACS version 4.1
Test PC for Testing and Troubleshooting
Candidate PC for rack access
Security Lab Exam: Blueprint (New v3.0)
1. Implement secure networks using Cisco ASA Firewalls
2. Implement secure networks using Cisco IOS Firewalls
3. Implement secure networks using Cisco VPN solutions
4. Configure Cisco IPS to mitigate network threats
5. Implement Identity Management
6. Implement Control Plane & Management Plane Security
7. Configure Advanced IOS Security
8. Identify and Mitigate Network Attacks

Security Lab Exam: Pre-Configuration
The Routers and Switches in Your Topology Are Preconfigured With:
Basic IP addressing, hostname, passwords
Switching: Trunking, VTP, VLANs
WAN: Frame Relay DLCI mappings, HDLC, PPP
Routing: OSPF, RIP, EIGRP, BGP
All pre-configured passwords are ‘cisco’
Occasionally, security devices may also have some pre-configuration. If not, candidate is required to initialize all security devices
Do Not Change Any Pre-Configuration on Any Devices Unless Explicitly Stated in a Question
Security Lab Exam: Sample Topology (diagram)
Elements shown: ASA Multi-Context with Failover (Context 1, Context 2); backbone routers BB1, BB2, BB3; ACS; IPS virtual sensors vs0 and vs1; Frame Relay (FR) and PPP links; TEST PC.

Security Lab Exam: Rack and PC Access (diagram)
The Candidate PC at the CCIE Lab remote location reaches the rack at the CCIE Lab central location across the Cisco intranet, via a Remote GW Router and a Central GW Router. The Rack Comm Srv, backbone (CCIE BB, BB1, BB2), ACS and TEST PC sit at the central location; the TEST PC has Remote Desktop enabled on NIC1 and a second interface NIC2.
Security Lab Exam: The Equipment in Rack
The equipment on the rack assigned to you is physically cabled and should not be tampered with. Before starting the exam, confirm working order of all devices in your rack
During the exam, if any device is locked or inaccessible for any reason, you must recover it
When finishing the exam, ensure all devices are accessible: devices not accessible for grading cannot be marked and may cause you to lose substantial points

Security Lab Exam: Grading
Proctors grade all lab exams
Automatic tools are never solely responsible for lab exam grading—proctors are
Proctors complete grading of the exam and submit the final score within 48 hours
Points are awarded for working solutions only
Some questions have multiple solutions
Summary
Topics Covered in the Exam:
1. Firewalls (ASA and IOS FW)
2. VPN solutions
3. Intrusion protection
4. Identity authentication
5. Router plane protection
6. Advanced IOS security technologies
7. Mitigation techniques to respond to network attacks
Section 3
Core Knowledge Section Overview
Core Knowledge Section—Overview
Cisco CCIE team has implemented a new type of question format to the CCIE Security Lab exam called Core Knowledge Section, a.k.a. Interview Section.
In addition to the live configuration scenarios, candidates will be asked a series of open-ended short-answer questions, covered from the lab exam blueprint.
No new topics are being added.
The new short-answer questions will be randomly selected for each candidate every day

Core Knowledge Section—Why
Why Are You Adding Short-Answer Questions to the CCIE Lab Exam?
One of the primary goals to introduce the new Core Knowledge Section is to maintain exam security and integrity and ensure only qualified candidates achieve certification.
The questions will be designed to validate concepts, theory, architecture and fundamental knowledge of products and protocols.
Core Knowledge Section—Format
Candidates will be asked four open-ended questions, computer-delivered, drawn from a pool of questions based on the material covered on the lab exam blueprint.
Core Knowledge section format will not be multiple-choice type questions.
Candidates will be required to type out their answers.
Candidates cannot use Cisco Documentation.
No changes are being made to the lab exam blueprint or to the length of the lab exam.

Core Knowledge Section—Time
Candidates are allowed a maximum of 30 minutes to complete the questions. The 30 minutes is inclusive in the total length of the lab exam.
The total length of the CCIE lab exam will remain eight hours.
Well-prepared candidates should be able to answer the questions in 15 minutes or less and move immediately […]
Core Knowledge Section—Scoring
The Core Knowledge section is scored Pass/Fail and every candidate will be required to pass in order to achieve CCIE certification.
A candidate must answer at least three of the four short-answer questions correctly to Pass the Core Knowledge section, which will be indicated with a 100% mark on the score report.
[…], Core Knowledge section will be marked 0%, indicating a Fail. A 0% does not necessarily indicate the candidate answered all the questions incorrectly.

Core Knowledge Section—Sample Q1
(Diagram: six numbered messages between initiator and responder. Messages 1 and 2 carry Header + SA; messages 3 and 4 carry Header + Key + Nonce; messages 5 and 6 carry Header + ID + Sig + [Cert].)
MSG 1: Initiator offers acceptable encryption and authentication algorithms (3DES, MD5, RSA)—i.e. the transform-set
MSG 2: Responder presents acceptance of the proposal (or not)
MSG 3: Initiator Diffie-Hellman key and nonce (key value is usually a number of 1024 bit length)
MSG 4: Responder Diffie-Hellman key and nonce
MSG 5: Initiator signature, ID and keys (maybe cert), i.e. authentication data
MSG 6: Responder signature, ID and keys (maybe cert)
Which ISAKMP mode is shown above?
Answer = Main Mode
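As an added example (not part of the tutorial), this is the ASA 8.x phase-1 configuration that offers exactly the proposal carried in MSG 1 above: 3DES, MD5, RSA signatures and a 1024-bit Diffie-Hellman group (group 2). The interface name outside, the policy number and the lifetime are assumptions, and rsa-sig authentication additionally needs an identity certificate enrolled under a trustpoint, which is not shown here.

```cisco
! Added example (not from the tutorial): ASA 8.x ISAKMP policy matching the
! sample question's proposal. "outside", policy number 10 and the lifetime
! are assumptions.
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! Main mode is the default for site-to-site peers. Disabling inbound
! aggressive mode guarantees the six-message exchange above, in which the
! identities and signatures of MSG 5/6 travel only after the Diffie-Hellman
! keys of MSG 3/4 have been exchanged.
crypto isakmp am-disable
crypto isakmp enable outside
!
! Check: "show crypto isakmp sa" lists each phase-1 SA and its state;
! "debug crypto isakmp 7" shows the individual messages being exchanged.
```

The policy number only orders proposals when several are configured; the responder (MSG 2) accepts the first one on the initiator's list that matches one of its own.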
Core Knowledge Section—Sample Q2
Conditions for IPS signature to fire:
Version: IPv4; Protocol: TCP; String: ”CWD~root”; Destination Port: 21
Fire alarm if packet is an IPv4 TCP packet destined for port 21 and contains the string “CWD~root”
(Diagram: a hacker sends three TCP segments to the target FTP server 10.0.0.1, destination port 21. First segment: "xxxCWDyyy"; second segment: "Yyy~r yyy"; last segment: "yyyootzzz". The string "CWD~root" is split across the three segments, so no single packet contains it.)
Which type of pattern matching must be used to mitigate this multi-vector attack?
Answer = Stateful Pattern Matching
Section 4
Implement Secure Networks Using Cisco ASA Firewalls
Exam Objectives
Perform basic firewall initialization
Configure device management
Configure address translation (nat, global, static)
Configure ACLs
Configure IP routing
Configure object groups
Configure VLANs
Configure filtering
Configure failover
Configure Layer 2 Transparent Firewall
Configure security contexts (virtual firewall)
Configure Modular Policy Framework
Configure Application-Aware Inspection
Configure high availability solutions
Configure QoS policies

Firewall—Defined
A firewall is a security device which is configured to permit, deny or proxy data connections set by the organization’s security policy. Firewalls can be either hardware or software based
A firewall's basic task is to control traffic between computer networks with different zones of trust
Source: Wikipedia (www.wikipedia.com)
Today’s firewalls combine multilayer stateful packet inspection and multiprotocol application inspection
Virtual Private Network (VPN) services and Intrusion Prevention Services (IPS) have been combined with the firewall inspection engine(s)
Despite these enhancements, the primary role of the firewall is to enforce security policy
Cisco ASA Firewall: Basic Overview

Firewall Design—Modes of Operation
There Are a Variety of Choices When Designing a Firewall Deployment
Routed Mode
Is the traditional mode of the firewall that acts as a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. Two or more interfaces that separate L3 domains.
Transparent Mode
Is where the firewall acts as a bridge functioning mostly at Layer 2, that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices
Single Mode
Is the regular basic firewall
Multi-context Mode
Involves the use of virtual firewalls (security contexts)
Interface and Security Levels
Inside Interface always has a security level of 100. Most secure level
Outside Interface always has a security level of 0. Least secure level
Multiple perimeter networks can exist. Use DMZ Interface. Security levels between 1–99

Initializing Cisco ASA
Firewall Mode (Router vs. Transparent)
[step missing from the source]
Enable/Allocate interfaces
Assign IP address for each active Interface
Un-shut Interfaces
Configure Address Translation (optional)
Configure Static/Dynamic Routing
VLAN Interface
Virtual LANs (VLANs) are used to create separate broadcast domains within a single switched network
You can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN
ASA supports 802.1q, allowing it to send and receive traffic for multiple VLANs on a single interface

Routing Protocols
ASA supports RIP, OSPF and EIGRP routing protocols
Practice route filtering and summarization for protocols
Running multiple routing protocols concurrently on the same Firewall is now supported
Routing protocols in multi-context mode are not supported
Address Translation
Dynamic translations are built using:
Network Address Translation (NAT) (one-to-one mapping), or
Port Address Translation (PAT) (many-to-one mapping)
Subject to NAT-Control
Static translations are built using:
The static command (create permanent mapping between a local IP address and a global IP address)

Policy NAT
Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list
Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports
With policy NAT, you can create multiple static statements for the same local address as long as the source/port and destination/port combination is unique for each statement
Use an access list with the static command to enable policy NAT
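The following is an added example, not from the tutorial, of the point just made: one inside host appears under two different global addresses depending on the destination, which two regular static statements for the same local address could not express. All addresses, interface names and access-list names are assumptions.

```cisco
! Added example (not from the tutorial). Assumed topology: inside host
! 10.1.2.27 talks to partner A (209.165.200.224/27) and partner B
! (209.165.202.128/27) through the outside interface.
!
! Regular static NAT would give the host ONE mapped address for every
! destination (shown for contrast, not applied together with the policy
! statements below, which would overlap it):
!   static (inside,outside) 209.165.201.10 10.1.2.27 netmask 255.255.255.255
!
! Policy NAT: the access list names source AND destination, so the two
! static statements for the same local host 10.1.2.27 coexist because each
! source/destination combination is unique.
access-list NAT_PARTNER_A extended permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
access-list NAT_PARTNER_B extended permit ip host 10.1.2.27 209.165.202.128 255.255.255.224
!
static (inside,outside) 209.165.201.10 access-list NAT_PARTNER_A
static (inside,outside) 209.165.201.11 access-list NAT_PARTNER_B
!
! Checks: after traffic to each partner, "show xlate" shows 10.1.2.27
! translated to 209.165.201.10 or 209.165.201.11 according to the
! destination; "show nat" lists the policy statements in the order they
! are evaluated (first match wins, so order matters when entries overlap).
```

Because static statements are matched first-match, place the more specific source/destination combination before any broader one; a broad entry listed first would shadow the specific one.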
Object Grouping
Used for simplifying complex access control policies. Object grouping provides a way to reduce the number of access rule entries required to describe complex security policies
Following types of objects:
Protocol—group of IP protocols. It can be one of the following keywords: icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
Service—group of TCP or UDP port numbers assigned to different services
icmp-type—group of ICMP message types to which you permit or deny access
Network—group of hosts or subnets
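An added example (not from the tutorial) using all four object types above. Two partner networks, three DMZ web servers and three TCP ports would take 18 individual access-list entries; with groups the same policy is one entry, and the ASA still evaluates the expanded entries. All names and addresses are assumptions.

```cisco
! Added example (not from the tutorial); hosts, networks, names and the
! interface name "outside" are assumptions.
object-group network PARTNER_NETS
 network-object 209.165.200.224 255.255.255.224
 network-object 209.165.202.128 255.255.255.224
!
object-group network DMZ_WEB_SERVERS
 network-object host 192.168.10.11
 network-object host 192.168.10.12
 network-object host 192.168.10.13
!
! Service group: TCP ports (2 nets x 3 servers x 3 ports = 18 ACEs otherwise)
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq 8443
!
! icmp-type group: only the message types the servers should answer
object-group icmp-type SAFE_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
!
! Protocol group: DNS needs both transports
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
!
access-list OUTSIDE_IN extended permit tcp object-group PARTNER_NETS object-group DMZ_WEB_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit icmp any object-group DMZ_WEB_SERVERS object-group SAFE_ICMP
access-list OUTSIDE_IN extended permit object-group TCPUDP object-group PARTNER_NETS object-group DMZ_WEB_SERVERS eq domain
access-group OUTSIDE_IN in interface outside
!
! Check: "show access-list OUTSIDE_IN" expands each group-based entry into
! the individual ACEs the ASA actually evaluates, with a hit count per ACE;
! "show running-config object-group" lists the groups as entered.
```

Editing a group changes every access-list entry that references it, which is why the expanded output of show access-list, not the running configuration, is what to review when auditing what the firewall actually permits.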
Basic Feature Summary: Practice Them All
Address Translation
Source/Destination NAT
AAA
Object Grouping
VLAN
RIP
OSPF
EIGRP
Syslog
DHCP
PPPoE
URL Filtering
IDS
SSH
Failover
TCP Intercept
Java Filtering
ActiveX Filtering
SNMP
NTP
Packet Capture
Packet Tracer
Cisco ASA Firewall: Advanced Features

Advanced Features—Important
1. Virtual Firewall (Security Contexts)
2. Transparent Firewall (L2 Firewall)
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control
Virtual Firewall
Virtualization provides a way to create multiple firewalls in the same physical chassis
Virtual Firewall—when a single Firewall device can support multiple contexts
A context defines connected networks and the policies that the Firewall enforces
A single device can enforce many (up to 100s of) policies between different networks
Virtualization is a licensed feature

Virtual Firewall on ASA
Context = a virtual firewall
All virtualized firewalls must define a System context and an Admin context at a minimum
Admin context (mandatory): remote root access and access to all contexts
There is no policy inheritance between contexts
The system space uses the admin context for network connectivity; system space creates other contexts
Physical ports are assigned to contexts (diagram shows contexts A, B and C beside the admin context)

Virtual Firewall: Multiple Security Context Configuration
Changing single mode to Multiple Mode:
  mode {single | multiple}
To show system or context information:
  From the system execution space: show context [[name] [detail] | count]
  From a context execution space: show context [detail]
To specify a context’s configuration file:
  config-url url
  where URL can be flash/Disk/ftp server/http server
To allocate physical interfaces to the contexts:
  context {context name}
  allocate-interface Ethernet0
  allocate-interface Ethernet1
Accessing the contexts:
  changeto {system | context name}
  context [name] - Changes to the context with the specified name.
  system - Changes to the system execution space.
Virtual Firewall: Multiple Security Context
Sample Configuration: System Context
hostname ASA
enable password cisco
no mac-address auto
admin-context admin
!
interface Ethernet0/0
 speed auto
 duplex auto
!
interface Ethernet0/0.30
 vlan 30
!
interface Ethernet0/0.40
 vlan 40
!
interface Ethernet0/1
 speed auto
 duplex auto
!
interface Ethernet0/2
 speed auto
 duplex auto
!
context admin
 allocate-interface Ethernet0/0
 config-url flash:/admin.cfg
!
context custA
 allocate-interface Ethernet0/0.30
 allocate-interface Ethernet0/1
 config-url flash:custA.cfg
!
context custB
 allocate-interface Ethernet0/0.40
 allocate-interface Ethernet0/2
 config-url flash:custB.cfg
The context is not operational until the config-url command has been entered.

Virtual Firewall: Multiple Security Context
Inside a Context
ASA# changeto context custA
ASA/custA# changeto context custB
Context custA:
ASA/custA# show run
hostname custA
enable password cisco
!
interface Ethernet0/0.30
 nameif outside
 security-level 0
 ip address 172.16.30.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ASA/custA# changeto system
ASA#
Context custB:
ASA/custB# show run
hostname custB
enable password cisco
!
interface Ethernet0/0.40
 nameif outside
 security-level 0
 ip address 172.16.40.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
ASA/custB# changeto system
ASA#
Transparent Firewall Mode (L2 Firewall)
Transparent Firewalls have the capability of operating at layer 2—same level as a bridge
This Firewall is “transparent” to the data
IP addresses (the network) on either side of the Firewall are the same
Same subnet exists on inside and outside, different VLANs on inside and outside
NAT is now supported in Transparent Firewall (v8.0 on the ASA)
VPN traffic terminating on the firewall is not supported, with the exception of management traffic ONLY
Transparent Firewall (diagram)
A backbone router and a second router sit on either side of the transparent firewall, on VLAN 20 and VLAN 30 of the same subnet (10.1.1.2 and 10.1.1.3; multicast to 224.0.0.x). HSRP, VRRP, GLBP; OSPF, EIGRP, RIP, etc.; PIM and multicast traffic; BPDUs, IPX and MPLS all pass, OK if the ACL permits.
Routers can establish routing protocol adjacencies through the firewall
Protocols such as HSRP, VRRP, GLBP can cross the firewall
Multicast streams can also traverse the firewall
Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

Transparent Firewall: Sample Configuration
ciscoasa# show firewall
Firewall mode: Router
ciscoasa(config)# firewall transparent
Switched to transparent mode
ciscoasa(config)# ip address 10.1.1.254 255.255.255.0
ciscoasa(config)# interface Ethernet0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface Ethernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# access-list 101 permit icmp any any
ciscoasa(config)# access-group 101 in interface outside
New HA Feature—Interface Redundancy
Compatible with all firewall modes (routed/transparent) and deployments (A/A and A/S)
When the active physical interface fails, traffic fails to the standby physical interface and routing adjacencies, connection, and auth state won’t need to be relearned.
Feature available on ASA 5510 and above.
Sub-interfaces (dot1q) need to be built on top of the logical redundant interface, not physical member interfaces.
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface Redundant1.4
 vlan 4
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface Redundant1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 172.16.50.10 255.255.255.0
New HA Feature—Route Tracking
Method for tracking the availability of static routes with the ability to install a backup route should the primary route fail
Commonly used for static default routes, often in a dual ISP environment
Uses ICMP echo replies to monitor the availability of a target host, usually the next hop gateway
Can only be used in single routed mode
asa(config)# sla monitor 1234
asa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
asa(config-sla-monitor-echo)# frequency 3
asa(config)# sla monitor 1234 life forever start-time now
asa(config)# track 1 rtr 1234 reachability
asa(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1

Firewall HA Failover: Basics
Active/standby vs. primary/secondary
Stateful failover (optional)
A failover only occurs when either FW determines the standby FW is healthier than the active FW
(Diagram: Active Unit and Standby Unit joined by a LAN failover link and a stateful link)
Both FWs swap MAC and IP addresses when a failover occurs
Level 1 syslogs will give reason of failover
Firewall HA—Active/Standby FO
Supported on all ASA models
ASA only supports LAN-based failover (no serial cable).
Both platforms must be identical in software, licensing, memory and interfaces
Not recommended to share the state and failover link, use a dedicated link for each
Preferably these cables will be connected into the same switch with no hosts
Not recommended to use a direct connection between firewalls (i.e. straight through or X-over)

Firewall HA: Active/Active FO
Supported on all platforms except the [model illegible in the source]
Requires virtualization (multi-context) which requires additional licensing
Use FO Group command
Requires FO-AA or UR license for contexts
No load-balancing or load-sharing support today
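An added example (not from the tutorial) of the Active/Standby LAN-based failover pair described two slides above, following its recommendations: a dedicated failover link and a separate dedicated state link, both on interfaces that carry no other traffic. Interface numbers, link names, addresses and the shared key are assumptions; the key is a placeholder to be replaced.

```cisco
! Added example (not from the tutorial). Assumed: GigabitEthernet0/3 is the
! dedicated failover (hello) link and GigabitEthernet0/2 the dedicated
! stateful link; 10.255.x.x addressing and FOLINK/STATELINK names are made up.
!
! ---- Primary unit ----
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link STATELINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover interface ip STATELINK 10.255.2.1 255.255.255.252 standby 10.255.2.2
! Authenticates and encrypts failover messages between the units.
! CHANGE-ME-PLACEHOLDER is a placeholder, not a real key.
failover key CHANGE-ME-PLACEHOLDER
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Data interfaces carry an active and a standby address; on failover the
! units swap MAC and IP addresses, so hosts keep the same gateway.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
!
! Level 1 (alerts) syslogs record why a failover happened.
logging enable
logging buffered alerts
!
failover
!
! ---- Secondary unit (bootstrap only; the rest replicates from the active) ----
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link STATELINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover interface ip STATELINK 10.255.2.1 255.255.255.252 standby 10.255.2.2
failover key CHANGE-ME-PLACEHOLDER
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover
!
! Checks: "show failover" reports the role of each unit, the monitored
! interfaces and the state-link statistics; "show failover history" lists
! past state changes with their reason.
```

The same software, licensing, memory and interface layout on both chassis is a prerequisite the commands do not verify for you; show failover reports a mismatch only after the pair has tried to form.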
Firewall HA: A/A Failover with Asymmetric Routing Support
A/A ASR mode adds support for asymmetric traffic flows
[…]
A/A ASR is enabled by adding multiple A/A units to the same ASR Group.
If traffic returns via ISP-B, which does not contain state info, packets are forwarded to the other member of the ASR group
(Diagram: Internet reached via ISP-A and ISP-B; two units, each hosting an active and a standby context (Logical1-A/Logical1-S, Logical2-A/Logical2-S), in front of Inside Network B-1 and Inside Network B-2, with interface addresses .1 .4 .2 .3)
Modular Policy Framework (MPF)
(Diagram: before MPF, one set of rules between inside and outside, "all of my flows were treated pretty much the same"; with MPF, granular and flexible policies: rules about HTTP, rules about FTP, and so on)
There is a growing need to provide greater granularity and flexibility in configuring network policies
For example, the ability to include destination IP address as one of the criteria to identify traffic for Network Address Translation, or the ability to create a timeout configuration that is specific to a particular TCP application, as opposed to the current timeout scheme which applies a timeout value to all TCP applications, etc. MPF provides the tools to meet these specific needs
Modular Policy Framework (MPF)
MPF features are derived from QoS as implemented in Cisco IOS; not all features have been carried across though
MPF is built on three related CLI commands …
class-map—This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map
policy-map—This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too which tie them into the service-policy
service-policy—This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, “global-service-policy,” is defined for traffic and general policy application. This policy applies to traffic on all interfaces

Modular Policy Framework (MPF)
Understand how the show service-policy command works: show service-policy flow displays the policies that the ASA would apply to that flow. You can use this to check that your service policy configuration will provide the services you want for specific connections.
ASA1# show service-policy flow tcp host 0.0.0.0 host YY.YY.1.1 eq 80
Global policy:
  Service-policy: global_policy
    Class-map: WebServer
      Match: access-list WebServer
        Access rule: permit tcp any host YY.YY.1.1 eq www
      Action:
        Input flow: set connection embryonic-conn-max 100 per-client-max 5
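An added example (not from the tutorial) that ties the three commands together and reproduces the policy whose show service-policy flow output appears above: class-map WebServer matches access-list WebServer and the global policy caps embryonic (half-open) connections to the web server. 203.0.113.1 stands in for the tutorial's YY.YY.1.1; the embryonic timeout value and the HTTP inspection class are assumptions.

```cisco
! Added example (not from the tutorial). 203.0.113.1 replaces the tutorial's
! YY.YY.1.1; the 30-second embryonic timeout and HTTP_TRAFFIC class are
! assumptions.
access-list WebServer extended permit tcp any host 203.0.113.1 eq www
!
! class-map: WHICH traffic
class-map WebServer
 match access-list WebServer
class-map HTTP_TRAFFIC
 match port tcp eq www
!
! policy-map: WHAT to do with it (classes referenced by name).
! Limiting half-open connections per server and per client bounds the
! damage of a SYN flood against the web server.
policy-map global_policy
 class WebServer
  set connection embryonic-conn-max 100 per-client-max 5
  set connection timeout embryonic 0:00:30
 class HTTP_TRAFFIC
  inspect http
!
! service-policy: WHERE it applies. Only one per interface; the global
! policy covers every interface that has no interface-specific policy.
service-policy global_policy global
!
! Checks:
!   show service-policy flow tcp host 0.0.0.0 host 203.0.113.1 eq 80
!     lists the actions this exact flow would receive (as in the output above)
!   show service-policy
!     shows per-class packet and drop counters once traffic is flowing
```

Classes in a policy-map are evaluated in order and a flow can match several (one per feature type), so a flow to the web server here receives both the connection limits and HTTP inspection.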
Advanced Features—Important
1. Virtual Firewall (Security Contexts)
2. Transparent Firewall (L2 Firewall)
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. Application Firewall
6. NAT-Control

NAT Control
The security appliance has always been a device supporting, even requiring, Network Address Translation for maximum flexibility and security.
Introduced in v7.0 is NAT as an option. Specifying NAT-CONTROL specifies the requirement to use NAT for outside communications
To enable NAT control, use the nat-control command in global configuration mode
To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the command no nat-control in global configuration mode
By default, NAT control is disabled
NAT Control
Syntax: nat-control / no nat-control (global configuration)
The nat-control statement is valid in routed firewall mode and in single and multiple security context mode.
No new NAT functionality is provided with this feature.
All existing NAT functionality remains the same.

NAT Control
Consider … NAT-CONTROL (v6.3 behavior)
All traffic leaving a firewall from a higher to lower security interface requires a NAT/GLOBAL pair
All traffic entering a firewall from a lower to higher security interface requires a STATIC/ACCESS-LIST pair
All other traffic is dropped
Consider … NO NAT-CONTROL (v7.0 behavior)
All traffic leaving a firewall from a higher to lower security interface moves freely
All traffic entering a firewall from a lower to higher security interface only requires an ACCESS-LIST
NAT/GLOBAL pairs are needed only for traffic requiring address translation
Troubleshooting Firewall
Firewall Troubleshooting Tools
Understanding the packet flow
Debug commands
Show commands
Packet capture
Understanding the Packet Flow
To effectively troubleshoot a problem, one must first understand the packet path through the network
Attempt to isolate the problem down to a single device
Then perform a systematic walk of the packet path through the device to determine where the problem could be
For problems relating to the ASA, always:
Determine the flow: SRC IP, DST IP, SRC port, DST port, and protocol
Determine the interfaces through which the flow passes
Note: All Firewall Issues Can Be Simplified to Two Interfaces (Ingress and Egress) and the Rules Tied to Both
Packet Processing Flow Diagram
1. Receive Packet
2. Ingress Interface
3. Existing Connection? (No: check the inbound ACL in step 4; Yes: continue at step 5)
4. Permit by Inbound ACL on Interface? (No: Drop)
5. Match Translation Rule (NAT, Static)? (No: Drop)
6. NAT Embedded IP and Perform Security Checks/Randomize Sequence Number
7. NAT IP Header
8. Pass Packet to Outgoing (Egress) Interface
9. Layer 3 Route Lookup? (No: Drop)
10. Layer 2 Next Hop? (No: Drop)
11. Transmit Packet
Once the Device and Flow Have Been Identified, Walk the Path of the Packet Through the Device
Translation and NAT Order of Operations
1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands (first match)
   a. Static NAT with and without access-list
   b. Static PAT with and without access-list
4. Match nat commands
   a. nat access-list (first match)
   b. nat (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use global pool for dynamic NAT
      iii. Use global pool for dynamic PAT
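The order of operations above, as an added example that is not ASA code and not part of the original deck: a small Python model that walks a constructed pre-8.3 NAT configuration in the slide's order and reports which rule type claims a flow. The NatPolicy class, its rule lists, the example addresses and the nat_control switch are assumptions of this model.

```python
"""Walk the ASA translation order of operations shown on the slide.

Added example: a constructed model of a pre-8.3 NAT configuration, not ASA code.
Every class and method here is hypothetical; only the rule order comes from the slide.
"""
from ipaddress import ip_address, ip_network


class NatPolicy:
    """Rule tables of one inside interface, in the slide's lookup order."""

    def __init__(self, nat_control=True):
        self.nat_control = nat_control  # with nat-control, a flow without a rule is dropped
        self.nat0_acl = []    # 1. nat 0 access-list: list of (src_net, dst_net) exempt pairs
        self.statics = []     # 3. static: list of (local_net, global_net, policy_acl or None)
        self.nat_acl = []     # 4.a nat <id> access-list: list of (id, [(src_net, dst_net), ...])
        self.nat_nets = []    # 4.b nat <id> <net> <mask>: list of (id, local_net)
        self.globals = {}     # global pools: id -> {"pool": [addr, ...]} (NAT) or {"pat": addr}
        self.xlates = {}      # 2. existing xlates: local_ip -> global_ip
        self._next_port = {}  # next PAT port per PAT address

    @staticmethod
    def acl_match(acl, src, dst):
        return any(src in s_net and dst in d_net for s_net, d_net in acl)

    def dynamic(self, nat_id):
        """4.b.ii/iii: take an address from a dynamic NAT pool, else a PAT port."""
        g = self.globals[nat_id]
        if "pool" in g:
            free = [a for a in g["pool"] if a not in self.xlates.values()]
            if not free:
                return ("drop", "pool exhausted")  # simplification: no PAT fallback modelled
            return ("dynamic-nat", free[0])
        port = self._next_port.get(g["pat"], 1024)
        self._next_port[g["pat"]] = port + 1
        return ("dynamic-pat", f'{g["pat"]}:{port}')

    def remember(self, local_ip, result):
        """Host-level xlates (static, identity, dynamic NAT) are reused at step 2."""
        if result[0] in ("static", "identity", "dynamic-nat"):
            self.xlates[local_ip] = result[1]
        return result

    def translate(self, src_ip, dst_ip):
        """Return (rule_type, global_endpoint) for a new flow src_ip -> dst_ip."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # 1. nat 0 access-list (NAT exemption) is checked before anything else
        if self.acl_match(self.nat0_acl, src, dst):
            return ("nat-exempt", src_ip)
        # 2. an existing xlate for the host is reused
        if src_ip in self.xlates:
            return ("existing-xlate", self.xlates[src_ip])
        # 3. static commands, first match, with or without access-list
        for local_net, global_net, acl in self.statics:
            if src in local_net and (acl is None or self.acl_match(acl, src, dst)):
                offset = int(src) - int(local_net.network_address)
                return self.remember(src_ip, ("static", str(global_net[offset])))
        # 4.a nat <id> access-list (policy NAT), first match
        for nat_id, acl in self.nat_acl:
            if self.acl_match(acl, src, dst):
                return self.remember(src_ip, self.dynamic(nat_id))
        # 4.b nat <id> <net>, best (longest-prefix) match; ID 0 means identity xlate
        best = max((r for r in self.nat_nets if src in r[1]),
                   key=lambda r: r[1].prefixlen, default=None)
        if best is not None:
            if best[0] == 0:
                return self.remember(src_ip, ("identity", src_ip))
            return self.remember(src_ip, self.dynamic(best[0]))
        # no rule at all: dropped under nat-control, forwarded untranslated without it
        return ("drop", "no rule") if self.nat_control else ("no-nat", src_ip)


def example_policy(nat_control=True):
    """Constructed configuration exercising every rule type on the slide."""
    p = NatPolicy(nat_control)
    p.nat0_acl = [(ip_network("10.1.1.0/24"), ip_network("10.2.0.0/16"))]
    p.statics = [(ip_network("10.1.1.10/32"), ip_network("209.165.201.10/32"), None)]
    p.nat_acl = [(1, [(ip_network("0.0.0.0/0"), ip_network("198.133.219.25/32"))])]
    p.nat_nets = [(2, ip_network("10.1.1.0/24")), (0, ip_network("10.1.0.0/16"))]
    p.globals = {1: {"pat": "209.165.200.21"},
                 2: {"pool": ["209.165.200.30", "209.165.200.31"]}}
    return p


if __name__ == "__main__":
    policy = example_policy()
    for flow in [("10.1.1.5", "10.2.3.4"), ("10.1.1.10", "203.0.113.9"),
                 ("10.1.1.5", "198.133.219.25"), ("10.1.1.6", "203.0.113.9"),
                 ("10.1.1.6", "203.0.113.99"), ("10.1.9.9", "203.0.113.9"),
                 ("192.168.1.1", "203.0.113.9")]:
        print(flow, "->", policy.translate(*flow))
```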
Syslog
Three different syslog destinations:
Trap—Syslog server
Console—Serial console port
Monitor—Telnet sessions
“Log Host” defines ASA interface, IP address, protocol and port for syslog server
Syslog standard protocol is UDP, port is 514
Note: ASA supports syslog over TCP (port 514)
Don’t forget “Logging On” to enable syslog
Most common “pilot error”
Logging Levels and Events
Level  Alert          Event Messages
0      Emergencies    Not used, only for RFC compliance
1      Alerts         Mostly failover-related events
2      Critical       Denied packets/connections
3      Errors         AAA failures, CPU/memory issues, routing issues, some VPN issues
4      Warnings       Denied conns due to ACL, IDS events
5      Notifications  User and session activity and firewall configuration changes
6      Informational  ACL logging, AAA events, DHCP activity, TCP/UDP connection and teardown
7      Debugging      Debug events, TCP/UDP request handling, IPSEC and SSL VPN connection information
Debug ICMP Trace
Ping: valuable tool used to troubleshoot connectivity issues
Provides interface and translation information to quickly determine flow
Example of debug icmp trace output:
ICMP echo-request from inside:10.1.1.2 to 198.133.219.25 ID=3239 seq=4369 length=80
ICMP echo-request: translating inside:10.1.1.2 to outside:209.165.201.22
ICMP echo-reply from outside:198.133.219.25 to 209.165.201.22 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2
Echo-replies must be explicitly permitted through
Show Traffic
The Show Traffic Command Displays the Traffic Received and Transmitted out Each Interface of the ASA
fw# show traffic
outside:
        received (in 124.650 secs):
                295468 packets  167218253 bytes
                2370 pkts/sec   1341502 bytes/sec
        transmitted (in 124.650 secs):
                260901 packets  120467981 bytes
                2093 pkts/sec   966449 bytes/sec
inside:
        received (in 124.650 secs):
                261478 packets  120145678 bytes
                2097 pkts/sec   963864 bytes/sec
        transmitted (in 124.650 secs):
                294649 packets  167380042 bytes
                2363 pkts/sec   1342800 bytes/sec
Show Local-Host
A local-host entry is created for any source IP on a higher security level interface
It groups the xlates, connections, and AAA information together
Very useful for seeing the connections terminating on servers
fw# show local-host
Interface inside: 1131 active, 2042 maximum active, 0 denied
local host: ,
        TCP connection count/limit = 1/unlimited
        TCP embryonic count = 0
        TCP intercept watermark = 50
        =
    AAA:
        user 'cisco' at 10.1.1.9, authenticated (idle for 00:00:10)
        absolute   timeout: 0:05:00
        inactivity timeout: 0:00:00
    Xlate(s):
        Global 172.18.124.69 Local 10.1.1.9
    Conn(s):
        TCP out 198.133.219.25:80 in 10.1.1.9:11055 idle 0:00:10 Bytes 127 flags UIO
Show Xlate and Show Xlate Debug
show xlate [global|local [netmask ]] [gport |lport ] [debug]
fw# show xlate
2 in use, 2381 most used
Global 172.18.124.68 Local 10.1.1.9
PAT Global 172.18.124.65(1024) Local 10.9.9.3(11066)
fw# show xlate debug
2 in use, 2381 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
NAT from inside:10.1.1.9 to outside:172.18.124.68
    flags - idle 0:02:03 timeout 3:00:00
TCP PAT from inside:10.9.9.3/11066 to outside:172.18.124.65/1024
    flags r idle 0:00:08 timeout 0:00:30
Show Conn and Show Conn Detail
fw# show conn
2 in use, 64511 most used
TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO
UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags -
(columns: idle time, bytes transferred, connection flags)
fw# show conn detail
2 in use, 64511 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,
       P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:198.133.219.25/23 inside:10.9.9.3/11068 flags UO
UDP outside:172.18.124.1/123 inside:10.1.1.9/123 flags -
“detail” adds interface names
Connection Flags: Quick Reference
Outbound Connection (inside client to outside server)
TCP Flags       FW Flags
SYN             saA
SYN+ACK         A
ACK             U
Inbound Data    UI
Outbound Data   UIO
FIN             Uf
FIN+ACK         UfFR
ACK             UfFRr
Inbound Connection (outside client to inside server)
TCP Flags       FW Flags
SYN             saAB
SYN+ACK         aB
ACK             UB
Inbound Data    UIB
Outbound Data   UIOB
FIN             UBF
FIN+ACK         UBfFr
ACK             UBfFRr
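As an added example that is not from the deck and not ASA code, a small Python parser for "show conn" lines that decodes the flag letters with the legend above and classifies each connection by handshake state, so half-open (embryonic) connections per inside host can be counted. The sample lines other than the two from the slide are constructed.

```python
"""Decode ASA "show conn" flags using the legend and quick reference above.

Added example, not ASA code: parses the non-detail "show conn" line format and
classifies each connection by where it is in the TCP handshake.
"""
import re
from collections import Counter

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>[\d:]+)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$"
)

# TCP-related entries from the "show conn detail" legend on the slide
FLAG_MEANING = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "D": "DNS", "E": "outside back connection",
    "F": "outside FIN", "f": "inside FIN", "I": "inbound data",
    "O": "outbound data", "P": "inside back connection",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN", "U": "up",
}


def parse_conn(line):
    """Return a dict describing one connection line, or None if it does not parse."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    conn = m.groupdict()
    flags = "" if conn["flags"] == "-" else conn["flags"]
    conn["flags"] = flags
    conn["bytes"] = int(conn["bytes"] or 0)
    conn["direction"] = "inbound" if "B" in flags else "outbound"  # B: SYN came from outside
    if conn["proto"] == "UDP":
        conn["state"] = "established"       # no handshake to track for UDP
    elif "U" not in flags:
        conn["state"] = "embryonic"         # SYN seen but not "up" yet (saA, A, saAB, aB)
    elif set(flags) & set("fFRr"):
        conn["state"] = "closing"           # a FIN has been seen on at least one side
    else:
        conn["state"] = "established"
    conn["decoded"] = [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]
    return conn


def summarize(lines):
    """Count connections per state and embryonic connections per inside host.

    The second counter is what "set connection embryonic-conn-max" bounds.
    """
    states, embryonic_by_host = Counter(), Counter()
    for line in lines:
        conn = parse_conn(line)
        if conn is None:
            continue
        states[conn["state"]] += 1
        if conn["state"] == "embryonic":
            embryonic_by_host[conn["in_ip"]] += 1
    return states, embryonic_by_host


# Constructed sample: the two lines from the slide plus three half-open inbound
# connections to one inside web server and one connection that is tearing down.
SAMPLE_CONNS = """\
TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO
UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags -
TCP out 203.0.113.7:2001 in 10.1.1.20:80 idle 0:00:01 Bytes 0 flags saAB
TCP out 203.0.113.7:2002 in 10.1.1.20:80 idle 0:00:01 Bytes 0 flags saAB
TCP out 203.0.113.7:2003 in 10.1.1.20:80 idle 0:00:02 Bytes 0 flags saAB
TCP out 198.51.100.5:443 in 10.9.9.3:11070 idle 0:00:09 Bytes 2210 flags UfFRr
""".splitlines()

if __name__ == "__main__":
    for sample in SAMPLE_CONNS:
        c = parse_conn(sample)
        print(f'{c["proto"]} {c["in_ip"]}:{c["in_port"]} {c["direction"]:8} '
              f'{c["state"]:11} {", ".join(c["decoded"])}')
    print(summarize(SAMPLE_CONNS))
```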
Packet Capture
capture [access-list ] [buffer ] [ethernet-type ] [interface ] [packet-length ]
… an ACL
Traffic can be captured both before and after it passes through the ASA
Key steps:
Create an ACL that will match interesting traffic
Define the capture and bind it to an access-list and interface
View the capture on the ASA, or copy it off in pcap format
(Diagram: Capture In on the inside interface, Capture Out on the outside interface)
Packet Tracer
packet-tracer input [src-interface] [protocol] [SrcAddr] [SrcPort] [DstAddr] [DstPort] detailed
In addition to capturing packets, you can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly. This tool lets you do the following:
Debug all packet drops in a production network.
Verify the configuration is working as intended.
Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.
Show a time line of packet changes in a data path.
Inject tracer packets into the data path.
Packet Tracer (Cont.)
The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance.
For example, run packet-tracer to verify NAT translation for any host accessing web server 198.133.219.25/80, where the source is translated to YY.YY.5.21:
ASA# packet-tracer input inside tcp 0.0.0.0 1025 198.133.219.25 80
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list policynat
nat-control
  match ip inside 0.0.0.0 255.255.255.255 outside 198.133.219.25 255.255.255.255
    dynamic translation to pool 1 (YY.YY.5.21)
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.1.1/1025 to YY.YY.5.21/1024 using netmask 255.255.255.255
Section 5
Implement Secure Networks Using Cisco IOS Firewalls
Exam Objectives
Configure Zone-Based Firewall
Configure CBAC
Configure Flexible Packet Matching
Configure URL Filtering
Configure Audit
Configure Auth Proxy
Configure PAM
Configure access control
Configure performance tuning
Configure advanced IOS Firewall features
Cisco IOS Firewall Overview
Advanced Firewall: stateful filtering, advanced Layer 3–7 firewall
Application inspection (Layer 3 through Layer 7)
Application control—Application Layer Gateway (ALG) engines with wide range of protocols and applications
Built-in DoS protection capabilities
Supports deployments with Virtualization (VRFs), transparent mode and stateful failover
IPv6 support
http://www.cisco.com/go/iosfw
Cisco IOS Zone-Based Policy Firewall (ZFW)
Zone-Based Policy Firewall (ZFW)
Introduced in Cisco IOS v12.4(6)T, where the CBAC model is being replaced with the new configuration model that uses ZFW
Allows grouping of physical and virtual interfaces into zones
Firewall policies are applied to traffic traversing zones
Simple to add or remove interfaces and integrate into firewall policy
This new feature was added mainly to overcome the limitations of the CBAC that was employing stateful inspection policy on an … through the interface was subject to the same inspection policy, thereby limiting the granularity and policy enforcement particularly in scenarios where multiple interfaces existed.
With ZFW, stateful inspection can now be applied on a zone-based model. Interfaces are assigned to zones, and policy inspection is applied to traffic moving between zones.
Zone-Based Policy Firewall (ZFW)—Security Zones and Policy
Security Zones establish the security boundaries of the network where traffic is subjected to policy restrictions as it crosses to …
By default, traffic between the zones is blocked unless an explicit policy dictates the permission.
(Diagram: Private Zone, DMZ Zone and the Internet (Trusted/Untrusted boundary), with Private-DMZ, DMZ-Private, Public-DMZ and Private-Public policies between them)
Zone-Based Policy Firewall (ZFW)—Supported Features and New Syntax
Supported Features
Stateful Inspection
Application Inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
URL filtering
Per-policy parameter
Transparent firewall
VRF-aware firewall (Virtual Firewall)
… command set.
ZFW policies are configured with the new Cisco Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied.
Zone-Based Policy Firewall (ZFW)—Configuration Example
! Define services inspected by policy
class-map type inspect match-any services
 match protocol tcp
!
! Configure firewall action for traffic
policy-map type inspect firewall-policy
 class type inspect services
  inspect
!
! Define zones
zone security private
zone security public
!
! Assign interfaces to zones
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security public
!
! Establish zone pair, and apply policy
zone-pair security private-public source private destination public
 service-policy type inspect firewall-policy
Cisco IOS Context-Based Access Control (CBAC)
CBAC Overview
Cisco router performs traffic filtering, traffic inspection, sends alerts, and tracks audit trails
Traffic filtering
Protocol filtering based on application-layer session information. Filters packets originating in sessions from either the protected or non-protected networks, but only forwards traffic originating from protected network
Traffic inspection
Inspects packets at a firewall interface and manages state information of TCP/UDP sessions. State information is used to create temporary openings in access lists to permit return traffic. Inspection helps prevent DoS attacks
Creating an Inspection Rule
An inspection rule specifies each application-layer protocol that is to be inspected by CBAC
Typically, only one inspection rule is defined
Inspection rule can be applied to the interface on an inbound or outbound basis
One inspection rule per interface
CBAC: Configuration Example
Access Control List (ACL) on the outside interface stops everything:
access-list 101 deny ip any any log-input
interface Serial0
 description outside
 ip access-group 101 in
CBAC:
ip inspect name MYFW tcp
ip inspect name MYFW udp
interface Serial0
 description outside
 ip inspect MYFW out
Inspected traffic will open up temporary access for return traffic
(Diagram: Secured Network on e0, Unsecured Network/Internet on s0; ACL 101 applied inbound and inspect applied outbound on s0; temporary access opened to permit matching return traffic, stateful Cisco IOS FW)
Cisco IOS Layer 2 Transparent Firewall
Layer 2 Transparent Firewall
Introduces “stealth firewall” capability: no IP address associated with firewall (nothing to attack)
No need to renumber or break up IP subnets
IOS Router is bridging between the two “halves” of the network
Use Case: Firewall Between Wireless and Wired LANs
Both “wired” and wireless segments are in same subnet 192.168.1.0/24
VLAN 1 is the “private” protected network.
Wireless is not allowed to access wired LAN
(Diagram: wired host 192.168.1.3 on VLAN 1 via Fa 0/0, transparent firewall, wireless host 192.168.1.2, Internet)
Layer 2 Transparent Firewall—Configuration Example
Security Zones:
zone security wired
zone security wireless
Classification:
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
Security Policy:
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
Security Zone Policy:
zone-pair security zone-policy source wired destination wireless
 service-policy type inspect firewall-policy
Layer 2 Configuration: bridge configuration
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface VLAN 1
 description private interface
 bridge-group 1
 zone-member security wired
!
interface VLAN2
 description public interface
 bridge-group 1
 zone-member security wireless
Cisco IOS URL Filtering
URL Filtering
Internet Usage Control
Control employee access to entertainment sites during work hours
Control downloads of objectionable or offensive material, limit liabilities
Cisco IOS supports static whitelist and blacklist URL filtering
External filtering servers such as Websense, Smartfilter can be used at the corporate office, with Cisco IOS static lists as backup
(Diagram: branch office web surfing to the Internet; “Get www.cisco.com” allowed, “Get www.badsites.com” blocked)
URL Filtering (Web Access Control)
URL Filtering Options
Black/white lists
Third-party filter server
N2H2
Websense
SmartFilter
Section 6
Implement Secure Networks Using Cisco VPN Solutions
Exam Objectives
Configure IPsec LAN-to-LAN (IOS/ASA)
Configure SSL VPN (IOS/ASA)
Configure Group Encrypted Transport (GET) VPN
Configure Easy VPN (IOS/ASA)
Configure CA (PKI)
Configure Remote Access VPN
Configure Cisco Unity Client
Configure Clientless WebVPN
Configure AnyConnect VPN
Configure XAuth, Split-Tunnel, RRI, NAT-T
Configure High Availability
Configure QoS for VPN
Configure GRE, mGRE
Configure L2TP
Configure advanced Cisco VPN features
This Section Is Divided into Six Parts:
1. IPsec
2. Dynamic Multipoint VPN (DMVPN)
3. Group Encrypted Transport (GET) VPN
4. Easy VPN
5. SSL VPN
6. PKI (IOS CA Server)
Part 1: IPsec
Data Security Assurance Model (CIA)
Network Security Benefit:
Confidentiality: shuns sniffing and replay
Integrity: data is unaltered during transit; shuns alteration and replay
Authentication: of originator or recipient of data; shuns impersonation and replay
What Is IPsec?
Internet Protocol Security
A set of security protocols and algorithms used to secure IP data at the network layer
IPsec provides data confidentiality (encryption), integrity (hash), authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks
IPsec: Building a Connection
IKE (Phase 1), IPsec (Phase 2), Data
Two-phase protocol:
Phase 1 exchange: two peers establish a secure, authenticated channel with which to communicate; Main mode or Aggressive mode
There is also a Transaction Mode in between which is used for EzVPN client scenario performing XAUTH and/or Client attributes (Mode Config)
Phase 2 exchange: security associations are negotiated on behalf of IPsec services; Quick mode accomplishes a Phase 2 exchange
Each phase has its SAs: ISAKMP SA (Phase 1) and IPsec SA (Phase 2)
Deployment Scenarios: Basic Peer-to-Peer Topology
Site-to-Site VPN Deployment Scenarios
Basic peer-to-peer topology
Basic site-to-site IPsec configuration
Static vs. dynamic mapping
Split tunneling consideration
Filtering/Access Control
Crypto ACL consideration
High Availability
Site-2-Site Configuration, STEP 1—IKE Phase 1 Policy
(Diagram: R1 with LAN 3.1.0.0/24 and WAN 2.0.0.1/30, R2 with LAN 3.2.0.0/24 and WAN 2.0.0.2/30, IPsec over IP between them)
R1:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 128
 group 2
!
crypto isakmp key 123 address 2.0.0.2
R2:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 128
 group 2
!
crypto isakmp key 123 address 2.0.0.1
Site-2-Site Configuration, STEP 2—IKE Phase 2 Policy
R1:
crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
!
access-list 101 permit ip 3.1.0.0 0.0.0.255 3.2.0.0 0.0.0.255
!
crypto map cm 10 ipsec-isakmp
 set peer 2.0.0.2
 match address 101
 set transform-set ts
R2:
crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
!
access-list 101 permit ip 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255
!
crypto map cm 10 ipsec-isakmp
 set peer 2.0.0.1
 match address 101
 set transform-set ts
Site-2-Site Configuration, STEP 3—Applying the VPN Policy
R1:
interface serial 1/0
 ip address 2.0.0.1 255.255.255.0
 crypto map cm
!
ip route 3.2.0.0 255.255.255.0 2.0.0.2
R2:
interface serial 1/0
 ip address 2.0.0.2 255.255.255.0
 crypto map cm
!
ip route 3.1.0.0 255.255.255.0 2.0.0.1
Static vs. Dynamic Crypto Map
(Diagram: hub connected through the ISP to Site_A and Site_B)
Static Crypto Map
crypto map vpn 10 ipsec-isakmp
 set peer Site_A
 set transform-set …
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer Site_B
 set transform-set …
 match address 102
Dynamic Crypto Map
crypto dynamic-map dynamap 10
 set transform-set …
 match address …
crypto map vpn 10 ipsec-isakmp dynamic dynamap
Static vs. Dynamic Crypto Map (Cont.)
Static Crypto Map
Need to configure VPN peer, crypto ACL and IPsec transform-set
Use multiple crypto map instances to define multiple VPN peers
Bidirectional tunnel initiation
Requires more intensive management, deployment and troubleshooting
Dynamic Crypto Map
Only need to configure IPsec transform-set; crypto ACL is optional
One dynamic map as a template
Only the remote peer can initiate tunnel
Use when remote peer has dynamic IP address
Simple to manage and deploy
Split Tunneling
Definition: “Split Tunneling” Is the Ability of a Device to Forward Clear and Encrypted Traffic at the Same Time over the Same Interface
In site-to-site VPN, use routing and crypto ACL to control split tunneling
(Diagram: Without Split Tunneling vs. With Split Tunneling; central site with VPN head-end, remote VPN peer, http://www.cisco.com/)
Filtering/Access Control
When filtering at the edge there’s not much to see:
IKE: UDP port 500
ESP, AH: IP protocol numbers 50, 51 respectively
NAT transparency-enabled: UDP port 4500
Internal access control should be implemented via the internal interface ACLs or group policy and not the crypto ACLs for performance reasons
High Availability
Common High Availability (HA) practice in conjunction with IPsec HA features
Design options
Local HA using link resiliency
Local HA using HSRP and RRI
Cisco IOS IPsec Stateful Failover
Geographical HA using IPsec backup peers
Local/geographical HA using GRE over IPsec (dynamic routing)
Local HA Using Link Resiliency (1)
Link resiliency: ISDN backup, backup Frame Relay DLCI, etc.
Choose multiple ISPs to achieve link diversity
Use a loopback interface as the ISAKMP identity for the VPN router
Failover mechanism: backup interface, dialer watch, floating static routes
Local HA Using HSRP and RRI (2)
(Diagram: remote peer across the Internet to head-end routers P (primary) and S (secondary) in front of 10.1.1.0/24)
(1) SA established to Primary, sending IKE keepalives
(2) Router P RRI: “I can reach 10.1.1.0”
(3) 10.1.1.0/24 via P
(4) = Unscheduled Immediate Memory Initialization Routine
(5) Secondary Active
(6) New SA established to Secondary, sending IKE keepalives
(7) Router S RRI: “I can reach 10.1.1.0”
(8) 10.1.1.0/24 via S
HSRP is enabled on outside (WAN facing) interface
Cisco IOS IPsec HA enhancement features: allow IPsec to use HSRP virtual IP as the peer address
Reverse route injection (RRI) injects IPsec remote proxy IDs into dynamic routing process
Cisco IOS IPsec Stateful Failover (3)
(Diagram: peer across the Internet to the gateway pair HA-1/HA-2 in front of the internal network)
IPsec stateful failover greatly improves failover time compared to the stateless IPsec/HSRP failover
… with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP).
SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time.
Geographic HA Using Backup Peers (4)
(Diagram: branch office with two ISPs to the corporate network peers 200.1.1.1 and 200.1.5.1)
crypto isakmp keepalive 20 3
crypto map vpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set peer 200.1.5.1
 set transform-set myset
 match address 101
During IKE negotiation, IKE timer (three retries) detects the peer failure
IKE keepalive or DPD detects failed peer after tunnel is established
Local/Geographical HA Using GRE over IPsec: Dynamic Routing (5)
(Diagram: San Jose and New York hubs (h2) with spokes s1 and s2 across the Internet; Geographical HA and Local HA with Redundant Hub Design; Primary Tunnel and Secondary Tunnel)
The IPsec and GRE tunnels are always up since routing protocols are always running
The remote sites always have two apparent paths to all networks available via the head-end
Use dynamic routing for path selection and failover
Except under failure conditions: …
Troubleshooting IPsec
Determine the Problem Characteristics
Is the problem in connection establishment?
Phase 1 failure
Transaction Mode/XAUTH
Phase 2 failure
Is the problem in passing traffic?
All traffic
Specific traffic
Always Use Show Command Before Debug
Important Show Commands:
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
Important Debug Commands:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
Establishment of Tunnel Flowchart (show and debug at each stage): Interesting Traffic Received -> Main Mode IKE Negotiation (IKE) -> Quick Mode Negotiation (IPsec) -> Data
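As an added example tied to the site-to-site configuration steps and the phase 1/phase 2 troubleshooting split above (not Cisco code and not from the deck), a Python checker that reads the R1/R2 configurations from the STEP 1 and STEP 2 slides, compares the attributes each phase negotiates, and says which phase a mismatch would break. The parser only understands the command lines used on those slides, and the configurations are constructed from them.

```python
"""Compare the two ends of a site-to-site IPsec configuration.

Added example, not Cisco code: pulls the attributes that IKE Phase 1 and
Phase 2 negotiate out of simplified IOS configs and reports mismatches by phase.
Only the command forms used on the STEP 1/2 slides are parsed.
"""

PHASE1_ATTRS = ("authentication", "hash", "encr", "group")


def parse_side(config):
    """Extract ISAKMP policy, pre-shared keys, transform-set, crypto ACL and peer."""
    side = {"policy": {}, "keys": {}, "ts": None, "acl": [], "peer": None, "addr": None}
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if words[0] in PHASE1_ATTRS:                     # lines under "crypto isakmp policy"
            side["policy"][words[0]] = " ".join(words[1:])
        elif line.startswith("crypto isakmp key "):      # crypto isakmp key <key> address <peer>
            side["keys"][words[5]] = words[3]
        elif line.startswith("crypto ipsec transform-set "):
            side["ts"] = tuple(words[4:])                # e.g. ("esp-aes", "128", "esp-sha-hmac")
        elif line.startswith("access-list ") and " permit ip " in line:
            side["acl"].append(tuple(words[4:8]))        # (src, src_wc, dst, dst_wc)
        elif line.startswith("set peer "):
            side["peer"] = words[2]
        elif line.startswith("ip address "):
            side["addr"] = words[2]
    return side


def check(cfg_a, cfg_b):
    """Return a list of findings, each prefixed with the phase it would break."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings = []
    for attr in PHASE1_ATTRS:
        if a["policy"].get(attr) != b["policy"].get(attr):
            findings.append(f"phase1: isakmp policy {attr} differs "
                            f"({a['policy'].get(attr)} vs {b['policy'].get(attr)})")
    key_a, key_b = a["keys"].get(b["addr"]), b["keys"].get(a["addr"])
    if key_a is None or key_a != key_b:
        findings.append("phase1: pre-shared key missing for the peer or keys differ")
    if a["peer"] != b["addr"] or b["peer"] != a["addr"]:
        findings.append("phase1: set peer does not point at the other side's interface address")
    if a["ts"] != b["ts"]:
        findings.append(f"phase2: transform-set differs ({a['ts']} vs {b['ts']})")
    # the peer's crypto ACL must be the mirror image: its dst/dst_wc is our src/src_wc
    mirrored = {(dst, dst_wc, src, src_wc) for src, src_wc, dst, dst_wc in b["acl"]}
    for entry in a["acl"]:
        if entry not in mirrored:
            findings.append(f"phase2: crypto ACL entry {entry} is not mirrored on the peer")
    return findings


def expected_failure(findings):
    """Map findings onto the troubleshooting split: phase 1, phase 2, or none."""
    if any(f.startswith("phase1") for f in findings):
        return "phase 1"
    if any(f.startswith("phase2") for f in findings):
        return "phase 2"
    return "none"


# Constructed from the STEP 1, STEP 2 and STEP 3 slides (R1 and R2 sides)
R1_CFG = """
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 128
 group 2
crypto isakmp key 123 address 2.0.0.2
crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
access-list 101 permit ip 3.1.0.0 0.0.0.255 3.2.0.0 0.0.0.255
crypto map cm 10 ipsec-isakmp
 set peer 2.0.0.2
 match address 101
 set transform-set ts
interface serial 1/0
 ip address 2.0.0.1 255.255.255.0
 crypto map cm
"""

R2_CFG = """
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 128
 group 2
crypto isakmp key 123 address 2.0.0.1
crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
access-list 101 permit ip 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255
crypto map cm 10 ipsec-isakmp
 set peer 2.0.0.1
 match address 101
 set transform-set ts
interface serial 1/0
 ip address 2.0.0.2 255.255.255.0
 crypto map cm
"""

if __name__ == "__main__":
    for peer_cfg in (R2_CFG, R2_CFG.replace("hash sha", "hash md5")):
        found = check(R1_CFG, peer_cfg)
        print(expected_failure(found), found)
```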
Basic Hub and Spoke Topology: GRE over IPsec
Hub and Spoke Topology
90% hub-spoke, 10% spoke-spoke traffic
Cisco IOS: uses crypto ACL summarization for smaller scale deployment; uses GRE over IPsec with dynamic routing protocol for larger scale deployment
ASA: use summarized network lists for small scale deployment
Best option: GRE over IPsec with dynamic routing
Why GRE over IPsec
IPsec (ESP) tunnels only IP unicast traffic
GRE encapsulates non-IP and IP multicast or broadcast packets into unicast packets
(Diagram: packet layout IP HDR | ESP HDR | IP HDR | GRE HDR | IP HDR | Data; the GRE tunnel carries the original packet, the IPsec tunnel encrypts the GRE packet, and the receiver decapsulates twice)
GRE over IPsec Configuration Evolution
Before 12.2(13)T, crypto maps are required to apply to both GRE tunnel interface and physical interface
From 12.2(13)T and later
Only need to apply crypto map on physical interface or
Use tunnel protection IPsec profile under tunnel interface
GRE over IPsec Configuration
Before 12.2(13)T (crypto map on tunnel and physical interface):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 172.17.63.18
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto map vpnmap2 local-address Ethernet1
crypto map vpnmap2 10 ipsec-isakmp
 set peer 172.17.63.18
 set transform-set trans2
 match address 110
!
interface Tunnel0
 ip address 10.10.2.1 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 172.17.63.18
 crypto map vpnmap2
!
interface Ethernet1
 ip address 172.16.175.75 255.255.255.0
 crypto map vpnmap2
!
ip route 0.0.0.0 0.0.0.0 172.16.175.1
!
access-list 110 permit gre host 172.16.175.75 host 172.17.63.18
12.2(13)T and Later (tunnel protection):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 172.16.175.75
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Ethernet1
 ip address …
!
interface Tunnel0
 ip address 10.10.2.2 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 172.16.175.75
 tunnel protection ipsec profile vpnprof
!
ip route 0.0.0.0 0.0.0.0 172.17.63.1
IPsec Virtual Tunnel Interface (VTI) and Dynamic VTI (DVTI)
Virtual Tunnel Interface
IPsec Static Virtual Tunnel Interfaces
(Diagram: two routers with LANs 192.168.1.0/24 and 192.168.2.0/24 joined by a VTI over 192.168.100.0/30, .1 and .2)
Simplifies VPN configuration by eliminating crypto maps, access control lists (ACLs), and Generic Router Encapsulation (GRE)
Simplifies VPN design:
1:1 relationship between tunnels and sites with a dedicated logical interface
More scalable alternative to GRE
VTI can support Quality of Service (QoS), multicast, and other routing functions that previously required GRE
Improves VPN interoperability with other vendors
VTI Peer-to-Peer Configuration: IKE (Phase One) Policy
(Diagram: Router1 172.16.172.10 with LAN 10.1.1.0/24 and Router2 172.16.171.20 with LAN 10.1.2.0/24 across the backbone)
Router1:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 256
 group 5
crypto isakmp key cisco address 172.16.171.20 netmask 255.255.255.255
Router2:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 256
 group 5
crypto isakmp key cisco address 172.16.172.10 netmask 255.255.255.255
IPsec (Phase Two) Policy
Router1:
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI
 set transform-set tset
Router2:
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI
 set transform-set tset
Apply VPN Configuration
Router1 (172.16.172.10):
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel source 172.16.172.10
 tunnel destination 172.16.171.20
 tunnel protection ipsec profile VTI
Router2 (172.16.171.20):
interface Tunnel0
 ip address …
 tunnel mode ipsec ipv4
 tunnel source 172.16.171.20
 tunnel destination 172.16.172.10
 tunnel protection ipsec profile VTI
Dynamic Virtual Interfaces Taxonomy
Term                      Description
Virtual Template          A generic infrastructure which provides a template for configuration and mechanisms to dynamically create and delete interfaces; defined on the router
Virtual Access Interface  Dynamically created interface for each new user; configuration comes from the virtual template
Cloning                   Applying the virtual template's Cisco IOS commands onto a virtual access interface
Dynamic Virtual Interface: How It Works
(Diagram: single-user clients, one behind a DSL bridge/router and one with an ISDN card, dialing into a router that has a physical ISDN interface, a virtual template interface and cloned virtual access interfaces; local authentication; remote LAN behind the router)
1. User 1 calls the router
2. Router 1 checks authentication locally/AAA server
3. Authentication succeeds
4. Clone virtual access interface from virtual template interface
Dynamic Virtual Interface: Example
(Diagram: the same topology, with authentication against an AAA server)
Head-end configuration
Old way: easy VPN server with dynamic crypto map
New way: IPsec virtual interface
Authorization, authentication, and accounting via RADIUS
aaa authorization network vpn-client group radius
!
crypto isakmp profile vpn1-ra
 match identity group vpn1
 client authentication list vpn-client
 isakmp authorization list vpn-client
 client configuration address respond
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered loopback1
 load-interval 30
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn1-ra
Part 2: Dynamic Multipoint VPN (DMVPN)
Dynamic Multipoint VPN (DMVPN)
Provides full meshed connectivity with simple configuration of hub and spoke
Supports dynamically addressed spokes
Facilitates zero-touch configuration for addition of new spokes
Features automatic IPsec triggering for building an IPsec tunnel
(Diagram: hub 10.1.0.1 (LAN 10.1.0.0 255.255.255.0) with a static public IP address (130.25.13.1); spokes 10.1.1.1, 10.1.2.1 and 10.1.3.1 (LANs 10.1.1.0, 10.1.2.0 and 10.1.3.0 255.255.255.0) with dynamic (or static) public IP addresses; spoke-to-hub IPsec tunnels are dynamic and permanent, spoke-to-spoke IPsec tunnels are dynamic and temporary)
DMVPN Advantages
Supports IP Unicast, IP Multicast, and dynamic routing protocols
Supports spoke routers behind dynamic NAT and hub routers behind static NAT
Dynamic partial-mesh or full-mesh VPNs
Usable with or without IPsec encryption
DMVPN Components
Next Hop Resolution Protocol (NHRP)
NHRP Registration
NHRP Resolution and Redirect
Multipoint GRE Tunnel Interface (mGRE)
Single GRE interface to support multiple GRE/IPsec tunnels
Simplifies size and complexity of configuration
Dynamically creates and applies encryption policies
Routing
Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported
DMVPN Components: NHRP Registration
Spokes register to hub as clients of the NHRP server using static NHRP mapping
Hub creates a dynamic NHRP entry, mapping spoke’s private tunnel address to the spoke’s dynamic public address
Using the routing protocol, spokes advertise their LAN network to hub and learn about remote LAN addresses
With routing and NHRP mappings in place, traffic flows over newly created spoke to hub GRE tunnels
These spoke to hub tunnels permanently stay up
DMVPN Components: NHRP Resolution and Redirect
Traffic from LAN behind one spoke is always forwarded to LAN behind another spoke via the hub initially
Hub realizes traffic entered and exited the same tunnel interface and sends an NHRP redirect to the spoke
The originating spoke sends an NHRP resolution request trying to resolve the public address for destination prefix
Hub forwards this query to spoke that owns the prefix
Remote spoke responds back to this query by initiating a new dynamic GRE tunnel
Network Designs
Hub-and-spoke Design
Spoke-to-spoke traffic via hub
Spokes configured with pt-to-pt GRE tunnels – Dual DMVPN Clouds
Spokes configured with mGRE tunnels – Single DMVPN cloud
Spoke-to-spoke Design
Spoke to spoke data traffic over dynamic tunnels
Spokes configured with mGRE tunnels – Single or Dual DMVPN clouds
Large Scale IOS SLB Design
Hub and Spoke as well as Spoke to Spoke support
Multiple “identical” hubs increase the CPU power
(Diagram: Hub and spoke (Phase 1), Spoke-to-spoke (Phase 2), Server Load Balancing / Hierarchical (Phase 3); legend: spoke-to-hub tunnels, spoke-to-spoke path)
DMVPN Phases Summarized
Phase 1 – Hub and spoke functionality, 12.2(13)T
Simplified and smaller config for hub & spoke
Support dynamically addressed CPE
Summarize routing at hub
Phase 2 – Spoke to spoke functionality, 12.3(4)T
Single mGRE interface in spokes
Direct spoke to spoke data traffic reduces load on hub
Cannot summarize spoke routes on hub
Route on spoke must have IP next hop of remote spoke
Phase 3 – Architecture and scaling, 12.4(6)T
Increase number of hubs with same hub and spoke ratio
No hub daisy-chain
’ traffic from hub to spoke
routing table
OSPF routing protocol not limited to 2 hubs
Cannot mix phase 2 and phase 3 in same DMVPN cloud
Troubleshooting DMVPN
Debug and Show Commands Introduced in 12.4(9)T
Show
show dmvpn [ peer {{{ nbma | tunnel } ip_address } | { network ip_address mask } | { interface tunnel# } | { vrf vrf_name }}] [ detail ] [ static ]
Debug
debug dmvpn [ { error | event | detail | packet | all } { nhrp | crypto | tunnel | socket | all } ]
debug dmvpn condition [ peer {{{ nbma | tunnel } ip_address } | { network ip_address mask } | { interface tunnel# } | { vrf vrf_name }}]
Logging
logging dmvpn { | rate-limit < 0-3600 > }
DMVPN Show Commands
[Figure: Hub-1 (NBMA 3.3.3.3, Tu1: 172.20.1.100, LAN 192.100.1.0) with Spoke-1 (NBMA 1.1.1.1, Tu1: 172.20.1.1, LAN 192.1.1.0) and Spoke-2 (NBMA 2.2.2.2, Tu1: 172.20.1.2, LAN 192.2.2.0); “show dmvpn”]
HUB-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1      172.20.1.1    UP 00:04:32     D
     1         2.2.2.2      172.20.1.2    UP 00:01:25     D

SPOKE-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         3.3.3.3    172.20.1.100    UP 00:21:56     S
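When troubleshooting a large DMVPN cloud it helps to pull the NHRP peer table out of this output programmatically and flag peers that are not UP or that carry the I (Incomplete) or X (No Socket) attribute. The parser below is an added example, not code from the tutorial; its sample output is constructed in the format shown above and includes peers with the N and X attributes so the checks have something to find.

```python
import re

# Constructed "show dmvpn" output in the format shown on the slide above.
SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1      172.20.1.1    UP 00:04:32     D
     1         2.2.2.2      172.20.1.2    UP 00:01:25    DN
     1         4.4.4.4      172.20.1.4  NHRP 00:00:10    DX
"""

# One data row: entry count, NBMA address, tunnel address, state, up/down timer, attribute flags.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+([SDINLX]+)\s*$"
)
# Tunnel header line that precedes each peer table.
TUNNEL_RE = re.compile(r"^(Tunnel\d+), Type:(\w+), NHRP Peers:(\d+)")

def parse_show_dmvpn(text):
    """Return one dict per peer row, tagged with the tunnel interface and role it belongs to."""
    peers, tunnel, role = [], None, None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnel, role = m.group(1), m.group(2)
            continue
        m = ROW_RE.match(line)
        if m:
            peers.append({"tunnel": tunnel, "role": role, "entries": int(m.group(1)),
                          "nbma": m.group(2), "tunnel_addr": m.group(3), "state": m.group(4),
                          "updown": m.group(5), "attrb": m.group(6)})
    return peers

def unhealthy_peers(peers):
    """Peers worth a closer look: not UP, incomplete NHRP entry, or no crypto socket."""
    return [p for p in peers if p["state"] != "UP" or "I" in p["attrb"] or "X" in p["attrb"]]

def nated_peers(peers):
    """NBMA addresses of spokes registered from behind NAT (attribute N)."""
    return [p["nbma"] for p in peers if "N" in p["attrb"]]
```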
DMVPN Show Commands
[Figure: same Hub-1 / Spoke-1 / Spoke-2 topology as above; “show dmvpn detail”]
HUB-1#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
   Source addr: 3.3.3.3, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
  Tunnel VRF "", ip vrf forwarding ""

NHRP Details: Type:Hub, NBMA Peers:2
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1         1.1.1.1      172.20.1.1    UP 00:26:38     D     172.20.1.1/32
 IKE SA: local 3.3.3.3/500 remote 1.1.1.1/500 Active
 Crypto Session Status: UP-ACTIVE
 fvrf: (none)
 IPSEC FLOW: permit 47 host 3.3.3.3 host 1.1.1.1
  Active SAs: 2, origin: crypto map
  Outbound SPI : 0xB28957C6, transform : esp-3des esp-sha-hmac
  Socket State: Open
DMVPN Show Commands
[Figure: same Hub-1 / Spoke-1 / Spoke-2 topology as above; “show dmvpn peer…”]
HUB-1#show dmvpn peer nbma 2.2.2.2 detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
   Source addr: 3.3.3.3, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
  Tunnel VRF "", ip vrf forwarding ""

NHRP Details: Type:Hub, NBMA Peers:1
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1         2.2.2.2      172.20.1.2    UP 00:35:01     D     172.20.1.2/32
 IKE SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active
 Crypto Session Status: UP-ACTIVE
 fvrf: (none)
 IPSEC FLOW: permit 47 host 3.3.3.3 host 2.2.2.2
  Active SAs: 2, origin: crypto map
  Outbound SPI : 0x74146521, transform : esp-3des esp-sha-hmac
  Socket State: Open
DMVPN Show Commands
[Figure: same Hub-1 / Spoke-1 / Spoke-2 topology as above; “show ip nhrp traffic”]
HUB-1#show ip nhrp traffic
Tunnel1: Max-send limit:100Pkts/10Sec, Usage:0%
   Sent: Total 20
         Resolution Request 0 Resolution Reply 0 Registration Request 2 Registration Reply
         0 Purge Request 0 Purge Reply 0 Error Indication 0 Traffic Indication
   Rcvd: Total 20
         Resolution Request 0 Resolution Reply 2 Registration Request 0 Registration Reply
         0 Purge Request 0 Purge Reply 0 Error Indication 0 Traffic Indication
Part 3:
Group Encrypted Transport (GET) VPN
Cisco Group Encrypted Transport (GET) VPN—Solution for Tunnel-Less VPNs
Cisco GET VPN Delivers a Revolutionary Solution for Tunnel-Less, Any-to-Any Branch Confidential Communications
Large-scale any-to-any encrypted communications
Native routing without tunnel overlay
Optimal for QoS and Multicast support—improves application performance
Transport agnostic—private LAN/WAN, FR/ATM, IP, MPLS
Offers flexible span of control among subscribers and providers
Available on Cisco Integrated Services Routers; Cisco 7200 and Cisco 7301 with Cisco IOS 12.4(11)T
[Figure: Cisco GET VPN – Any-to-Any Connectivity, Real Time, Scalable]
Benefits of Cisco GET VPN
Previous Limitations: Multicast traffic encryption through IPsec tunnels – Not scalable – Difficult to troubleshoot
New Feature and Benefits: Encryption support for native Multicast and Unicast traffic with GDOI – Allows higher scalability – Simplifies troubleshooting – Extensible standards-based framework
Previous Limitations: Overlay VPN Network – Overlay Routing – Sub-optimal Multicast replication – Lack of Advanced QoS
New Feature and Benefits: No Overlay – Leverages Core network for Multicast replication via IP Header preservation – Optimal routing introduced in – Advanced QoS for encrypted traffic
Previous Limitations: Full Mesh Connectivity – Hub and Spoke primary support – Spoke to Spoke not scalable
New Feature and Benefits: Any to Any Instant Enterprise Connectivity – Leverages core for instant communication – Optimal for Voice over VPN deployments
GET VPN Overview
Group Security Functions
Key Server: • Validate Group Members • Manage Security Policy • Create Group Keys • Distribute Policy / Keys
Group Member: • Encryption Devices • Route Between Secure / Unsecure Regions • Multicast Participation
Routing Member: • Forwarding • Replication • Routing
[Figure: key servers, group members and routing members within the group]
Group Security Elements
Key Servers: Group Policy
Proprietary: KS Cooperative Protocol
RFC3547: Group Domain of Interpretation (GDOI)
Group Keys
Key Encryption Key (KEK): Used to encrypt GDOI (i.e. control traffic) between KS and GM
Traffic Encryption Key (TEK): Used to encrypt data (i.e. user traffic) between GMs
[Figure: key server distributing the KEK and TEK to the group members across the IP VPN]
GET VPN Data Plane
IPsec Tunnel Mode with IP Address Preservation
[Figure: the original IP packet (IP Header | IP Payload) becomes IP Header | ESP | IP Header | IP Payload, with the inner header and payload encrypted; the outer IP header is a copy of the original (group transport)]
IP header preserved by VPN Gateway
Preserved IP address uses original routing plane
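The header preservation described above, as an added Python example that is not part of the tutorial: it builds the two packet layouts side by side, a classic IPsec tunnel-mode packet whose outer header carries the gateway addresses, and a GET VPN style packet whose outer header copies the original source and destination so the core routes and replicates it exactly as it would the clear-text packet. Only the header layout is modelled; the ESP payload is not actually encrypted and the SPI value is constructed.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def esp_tunnel(inner: bytes, outer_src: str, outer_dst: str, spi: int) -> bytes:
    """Classic tunnel mode: new outer header (normally the gateways' addresses), ESP header, inner packet.
    Layout only: the inner packet is NOT encrypted here."""
    esp_hdr = struct.pack("!II", spi, 1)  # SPI and sequence number
    return build_ipv4(outer_src, outer_dst, ESP, esp_hdr + inner)

def getvpn_encapsulate(inner: bytes, spi: int) -> bytes:
    """GET VPN style: the outer header is a copy of the inner source/destination (IP header preservation)."""
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    return esp_tunnel(inner, src, dst, spi)

def outer_addresses(pkt: bytes):
    """(source, destination) of the outermost IPv4 header, i.e. what the core network routes on."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def header_checksum_ok(pkt: bytes) -> bool:
    return ipv4_checksum(pkt[:20]) == 0
```

With a multicast destination the difference is the whole point: the classic packet is addressed gateway to gateway, while the GET VPN packet keeps the original (S,G) and can be replicated by the core without any overlay.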
Secure Data Plane Multicast
Premise: Sender does not know the potential recipients
Sender assumes that legitimate group members obtain Traffic Encryption Key from key server for the group
Encrypt multicast with IP header preservation
Replication in the core based on original (S,G)
[Figure: KS and three GMs; the sending GM encrypts the multicast with the group TEK and the core replicates it to the receiving GMs]
Corollary: Secure Data Plane Unicast
Premise: Receiver advertises destination prefix but does not know the potential encryption sources
Receiver assumes that legitimate group members obtain Traffic Encryption Key from key server for the group
Receiver can authenticate the group membership
[Figure: KS and three GMs; encrypted unicast from unknown sources arrives at the receiving GM]
GET VPN Control Plane GM-KS
Group Member: Membership Management
Group Member Join: Registration
Immediately upon boot
Immediately upon applying crypto map
Protected by IKE SA (Pre-shared Keys or PKI Certificate)
Group Member Maintenance: Rekey
Periodic Update Protected by Rekey SA (IKE SA expires)
New Policies, Time Sync or New Keys (TEK or KEK)
Acknowledgement with Unicast Rekey
Unacknowledged with Multicast Rekey
Group Member States
Unknown