ccna security study guide: exam 210-260


CCNA® Security Study Guide: Exam 210-260

Troy McMillan


Senior Acquisitions Editor: Kenyon Brown
Development Editor: David Clark
Technical Editors: Jon Buhagiar and Mark Dittmer
Production Manager: Kathleen Wisor
Copy Editor: Kim Wimpsett
Editorial Manager: Mary Beth Wakefield
Executive Editor: Jim Minatel
Book Designer: Judy Fung and Bill Gibson
Proofreader: Amy Schneider
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Jeremy Woodhouse/Getty Images, Inc.

Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN: 978-1-119-40993-9
ISBN: 978-1-119-40991-5 (ebk.)
ISBN: 978-1-119-40988-5 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017962360

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.


For my best friend, Wade Long, for just being a good friend.


Acknowledgments

Special thanks go to David Clark for keeping me on schedule and ensuring all the details are correct. Also, I'd like to thank Jon Buhagiar for the excellent technical edit that saved me from myself at times. Finally, as always, I'd like to acknowledge Kenyon Brown for his continued support of all my writing efforts.


About the Author

Troy McMillan writes practice tests, study guides, and online course materials for Kaplan IT Training, while also running his own consulting and training business. He holds more than 30 industry certifications and also appears in training videos for OnCourse Learning and Pearson Press. Troy can be reached at mcmillantroy@hotmail.com.


Contents

Acknowledgments
About the Author
Introduction
    What Does This Book Cover?
    Interactive Online Learning Environment and Test Bank
    Who Should Read This Book
    How to Use This Book
    How Do You Go About Taking the Exam?
    Certification Exam Policies
Assessment Test
Answers to Assessment Test

Chapter 1 Understanding Security Fundamentals
    Goals of Security
    Network Topologies
    Common Network Security Zones
    Summary
    Exam Essentials
    Review Questions

Chapter 2 Understanding Security Threats
    Common Network Attacks
    Social Engineering
    Malware
    Data Loss and Exfiltration
    Summary
    Exam Essentials
    Review Questions

Chapter 3 Understanding Cryptography
    Symmetric and Asymmetric Encryption
    Hashing Algorithms
    Key Exchange
    Public Key Infrastructure
    Summary
    Exam Essentials
    Review Questions

Chapter 4 Securing the Routing Process
    Securing Router Access
    Implementing OSPF Routing Update Authentication
    Securing the Control Plane
    Summary
    Exam Essentials
    Review Questions

Chapter 5 Understanding Layer 2 Attacks
    Understanding STP Attacks
    Understanding ARP Attacks
    Understanding MAC Attacks
    Understanding CAM Overflows
    Understanding CDP/LLDP Reconnaissance
    Understanding VLAN Hopping
    Understanding DHCP Spoofing
    Summary
    Exam Essentials
    Review Questions

Chapter 6 Preventing Layer 2 Attacks
    Configuring DHCP Snooping
    Configuring Dynamic ARP Inspection
    Configuring Port Security
    Configuring STP Security Features
    Disabling DTP
    Verifying Mitigations
    Summary
    Exam Essentials
    Review Questions

Chapter 7 VLAN Security
    Native VLANs
    PVLANs
    ACLs on Switches
    Summary
    Exam Essentials
    Review Questions

Chapter 8 Securing Management Traffic
    In-Band and Out-of-Band Management
    Securing Network Management
    Securing Access through SNMPv3
    Securing NTP
    Using SCP for File Transfer
    Summary
    Exam Essentials
    Review Questions

Chapter 9 Understanding 802.1x and AAA
    802.1x Components
    RADIUS and TACACS+ Technologies
    Configuring Administrative Access with TACACS+
    Understanding Authentication and Authorization Using ACS and ISE
    Understanding the Integration of Active Directory with AAA
    Summary
    Exam Essentials
    Review Questions

Chapter 10 Securing a BYOD Initiative
    The BYOD Architecture Framework
    The Function of Mobile Device Management
    Summary
    Exam Essentials
    Review Questions

Chapter 11 Understanding VPNs
    Understanding IPsec
    Understanding Advanced VPN Concepts
    Summary
    Exam Essentials
    Review Questions

Chapter 12 Configuring VPNs
    Configuring Remote Access VPNs
    Configuring Site-to-Site VPNs
    Summary
    Exam Essentials
    Review Questions

Chapter 13 Understanding Firewalls
    Understanding Firewall Technologies
    Stateful vs. Stateless Firewalls
    Summary
    Exam Essentials
    Review Questions

Chapter 14 Configuring NAT and Zone-Based Firewalls
    Implementing NAT on ASA 9.x
    Configuring Zone-Based Firewalls
    Summary
    Exam Essentials
    Review Questions

Chapter 15 Configuring the Firewall on an ASA
    Understanding Firewall Services
    Understanding Modes of Deployment
    Understanding Methods of Implementing High Availability
    Understanding Security Contexts
    Configuring ASA Management Access
    Configuring Cisco ASA Interface Security Levels
    Configuring Security Access Policies
    Configuring Default Cisco Modular Policy Framework (MPF)
    Summary
    Exam Essentials
    Review Questions

Chapter 16 Intrusion Prevention
    IPS Terminology
    Evasion Techniques
    Introducing Cisco FireSIGHT
    Understanding Modes of Deployment
    Positioning of the IPS within the Network
    Understanding False Positives, False Negatives, True Positives, and True Negatives
    Summary
    Exam Essentials
    Review Questions

Chapter 17 Content and Endpoint Security
    Mitigating Email Threats
    Mitigating Web-Based Threats
    Mitigating Endpoint Threats
    Summary
    Exam Essentials
    Review Questions

Appendix Answers to Review Questions
    Chapter 1: Understanding Security Fundamentals
    Chapter 2: Understanding Security Threats
    Chapter 3: Understanding Cryptography
    Chapter 4: Securing the Routing Process
    Chapter 5: Understanding Layer 2 Attacks
    Chapter 6: Preventing Layer 2 Attacks
    Chapter 7: VLAN Security
    Chapter 8: Securing Management Traffic
    Chapter 9: Understanding 802.1x and AAA
    Chapter 10: Securing a BYOD Initiative
    Chapter 11: Understanding VPNs
    Chapter 12: Configuring VPNs
    Chapter 13: Understanding Firewalls
    Chapter 14: Configuring NAT and Zone-Based Firewalls
    Chapter 15: Configuring the Firewall on an ASA
    Chapter 16: Intrusion Prevention
    Chapter 17: Content and Endpoint Security

Advert
EULA


List of Tables

Chapter 1
    TABLE 1.1
Chapter 3
    TABLE 3.1
    TABLE 3.2
Chapter 9
    TABLE 9.1
Chapter 16
    TABLE 16.1

List of Illustrations

Chapter 1
    FIGURE 1.1 Defense in depth
    FIGURE 1.2 Security cycle
    FIGURE 1.3 Campus area network
Chapter 2
    FIGURE 2.1 Ping scan with nmap
    FIGURE 2.2 TCP header
    FIGURE 2.3 NULL scan
    FIGURE 2.4 XMAS scan
    FIGURE 2.5 TCP handshake
    FIGURE 2.6 SYN flood
    FIGURE 2.7 Ping-of-death packet
    FIGURE 2.8 Direct DDoS
    FIGURE 2.9 Smurf attack
Chapter 3
    FIGURE 3.1 ROT13 Caesar cipher
    FIGURE 3.2 Vigenère cipher
    FIGURE 3.3 ECB process
    FIGURE 3.4 CBC process
    FIGURE 3.5 Hash process
    FIGURE 3.6 HMAC process
    FIGURE 3.7 Digital signature process
    FIGURE 3.8 PKI encryption
    FIGURE 3.9 PKI digital signature
    FIGURE 3.10 SSL process
    FIGURE 3.11 PKI hierarchy
    FIGURE 3.12 Cross certification
    FIGURE 3.13 Viewing certificates
Chapter 4
    FIGURE 4.1 CoPP
    FIGURE 4.2 Modular policy framework
Chapter 5
    FIGURE 5.1 STP attack
    FIGURE 5.2 ARP process
    FIGURE 5.3 ARP cache poisoning
    FIGURE 5.4 MAC spoofing
    FIGURE 5.5 CAM overflow
    FIGURE 5.6 Switch spoofing
    FIGURE 5.7 Double tagging
    FIGURE 5.8 DHCP spoofing
Chapter 6
    FIGURE 6.1 DHCP snooping
    FIGURE 6.2 DAI in action
    FIGURE 6.3 BPDU Guard in action
Chapter 7
    FIGURE 7.1 PVLANs
    FIGURE 7.2 PVLAN proxy attack
Chapter 8
    FIGURE 8.1 Partial MIB
    FIGURE 8.2 NTP authentication process
Chapter 9
    FIGURE 9.1 802.1x
Chapter 10
    FIGURE 10.1 ISE context-based access
    FIGURE 10.2 CMD
    FIGURE 10.3 SXP and SGT
    FIGURE 10.4 Permission matrix
    FIGURE 10.5 MDM with IDE
    FIGURE 10.6 ISE authorization policy integration
Chapter 11
    FIGURE 11.1 Diffie-Hellman
    FIGURE 11.2 IKE phase 1
    FIGURE 11.3 Matching ISAKMP parameters
    FIGURE 11.4 AH process
    FIGURE 11.5 AH in tunnel mode
    FIGURE 11.6 ESP in tunnel mode
    FIGURE 11.7 AH in transport mode
    FIGURE 11.8 ESP in transport mode
    FIGURE 11.9 IPv6 header with extensions
    FIGURE 11.10 The need for hairpinning
    FIGURE 11.11 Hairpin configuration
    FIGURE 11.12 Split tunneling
    FIGURE 11.13 Preferences (Part 2) window
    FIGURE 11.14 NAT traversal
Chapter 12
    FIGURE 12.1 Supported SSL/TLS algorithms
Chapter 13
    FIGURE 13.1 TCP three-way handshake
    FIGURE 13.2 Stateful firewall operation
Chapter 14
    FIGURE 14.1 Multiple class maps
    FIGURE 14.2 Reuse of class maps
    FIGURE 14.3 Default policies
    FIGURE 14.4 Default policies (self-zone)
Chapter 15
    FIGURE 15.1 Active/Standby failover
    FIGURE 15.2 Active/Active failover
    FIGURE 15.3 Clustering
    FIGURE 15.4 Security contexts
    FIGURE 15.5 Security levels in action
Chapter 16
    FIGURE 16.1 IP header fragmentation flags
    FIGURE 16.2 Fragmentation process
    FIGURE 16.3 Fragmentation attack
    FIGURE 16.4 Injection attack
    FIGURE 16.5 SPAN
    FIGURE 16.6 Tap
    FIGURE 16.7 Inline mode
    FIGURE 16.8 Outside deployment
    FIGURE 16.9 DMZ deployment
    FIGURE 16.10 Inside deployment
Chapter 17
    FIGURE 17.1 File retrospection
    FIGURE 17.2 ESA inbound
    FIGURE 17.3 ESA outbound
    FIGURE 17.4 Incoming mail processing
    FIGURE 17.5 Outgoing mail processing


Introduction

The CCNA Security certification program is one of the elective paths you can take when achieving the CCNA. It requires passing the CCENT exam (100-105) and then passing the CCNA Security exam (210-260).

The Cisco Security exam objectives are periodically updated to keep the certification applicable to the most recent hardware and software. This is necessary because a technician must be able to work on the latest equipment. The most recent revisions to the objectives—and to the whole program—were introduced in 2016 and are reflected in this book.

This book and the Sybex CCNA Security+ Complete Study Guide (both the Standard and Deluxe editions) are tools to help you prepare for this certification—and for the new areas of focus of a modern server technician's job.

What Is the CCNA Security Certification?

Cisco Certified Network Associate Security (CCNA Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies; the installation, troubleshooting, and monitoring of network devices to maintain integrity, confidentiality, and availability of data and devices; and competency in the technologies that Cisco uses in its security structure.

The CCNA Security certification isn't awarded until you've passed the two tests. For the latest pricing on the exams and updates to the registration procedures, call Pearson VUE at (877) 551-7587. You can also go to Pearson VUE's website at www.vue.com for additional information or to register online. If you have further questions about the scope of the exams, see https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html.


What Does This Book Cover?

Here is a glance at what's in each chapter.

Chapter 1: Understanding Security Fundamentals covers common security principles such as the CIA triad; common security terms such as risk, vulnerability, and threat; the proper application of common security zones, such as intranet, DMZ, and extranets; a discussion of network topologies as seen from the perspective of the Cisco Campus Area network; and methods of network segmentation such as VLANs.

Chapter 2: Understanding Security Threats covers common network attacks and their motivations; attack vectors such as malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel; various methods used to perform network reconnaissance such as ping scans and port scans; types of malware; and the exfiltration of sensitive data such as IP, PII, and credit card data.

Chapter 3: Understanding Cryptography covers symmetric and asymmetric key cryptography, the hashing process, major hashing algorithms, PKI and the components that make it function, and common attacks on cryptography.

Chapter 4: Securing the Routing Process covers methods of securing administrative access to the router, IOS privilege levels, IOS role-based CLI access, Cisco IOS resilient configuration, authentication for router updates for both OSPF and EIGRP, and control plane policing.

Chapter 5: Understanding Layer 2 Attacks covers STP attacks such as rogue switches, ARP spoofing, MAC spoofing, and CAM overflow. It also discusses both the value and the danger in using CDP and LLDP. Finally, you will learn how VLAN hopping attacks are performed.

Chapter 6: Preventing Layer 2 Attacks covers DHCP snooping, DAI and how it can prevent ARP poisoning attacks, preventing MAC overflow attacks and the introduction of unauthorized devices to switch ports by using port security, and the use of BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent changes to the STP topology.

Chapter 7: VLAN Security covers preventing VLAN hopping attacks that take advantage of the native VLAN; private VLANs; setting ports as promiscuous, community, and isolated; the PVLAN Edge feature; and using ACLs to prevent a PVLAN proxy attack.

Chapter 8: Securing Management Traffic covers managing devices in-band and out-of-band, methods of securing management interfaces including enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management, types of banner message, and securing the NTP protocol.

Chapter 9: Understanding 802.1x and AAA covers AAA service that can be provided by TACACS+ and RADIUS servers, configuring administrative access to a router using TACACS+, how AAA can be integrated with Active Directory, the Cisco implementations of a RADIUS server including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE), and the functions of various 802.1X components.

Chapter 10: Securing a BYOD Initiative covers challenges involved in supporting a BYOD initiative, components provided by Cisco for this including the Cisco Identity Services Engine (ISE), and the Cisco TrustSec provisioning and management platform. It also covers advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGAs), change of authorization (COA), and posture assessment. Further, we discuss the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, we end the chapter covering the three main functions of TrustSec.

Chapter 11: Understanding VPNs covers IPsec and the security services it provides; the components of IPsec such as ISAKMP, IKE, AH, and ESP; how to use hairpinning to allow traffic between two hosts to connect to the same VPN interface; and split tunneling and its benefits.

Chapter 12: Configuring VPNs covers the value of the Cisco clientless SSL VPN and the steps required to configure it, the Cisco AnyConnect SSL VPN, modules in the Cisco AnyConnect client that can provide endpoint posture assessment, and how to implement an IPsec site-to-site VPN with preshared key authentication.

Chapter 13: Understanding Firewalls covers various firewall technologies such as proxy, application, personal, and stateful firewalls, with stateful firewalls covered in greater detail and described in relation to the operation of these firewalls and the TCP three-way handshake. Finally, you learn what is contained in the state table of a stateful firewall.

Chapter 14: Configuring NAT and Zone-Based Firewalls covers three forms of NAT: static NAT, dynamic NAT, and PAT; the NAT options available in the ASA; the benefits of NAT; and how to configure it and verify its operation. You will learn about class maps, policy maps, and service policies and their respective functions in a zone-based firewall. Finally, the steps to configure and verify a zone-based firewall end the chapter.

Chapter 15: Configuring the Firewall on an ASA covers how to set up the ASA so you can remotely administer it using the ASDM, the default security policies that are in place, how the default global policy interacts with configured policies, how interface security levels affect traffic flows, how the Cisco Modular Policy Framework is used to create policies; the difference between a transparent and routed firewall; and high availability solutions including active-active, active-passive, and clustering approaches.

Chapter 16: Intrusion Prevention covers general IPS concepts such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; the positioning options available; false positives and false negatives; how rules and signatures are used in the process of identifying potential attacks; and trigger actions of which an IPS might be capable, such as dropping, resetting, and alerting.

Chapter 17: Content and Endpoint Security covers mitigation techniques available when using the Cisco Email Security Appliance, including reputation and context-based filtering, and the Cisco Web Security Appliance, which uses blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discusses endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.

Interactive Online Learning Environment and Test Bank

We've put together some really great online tools to help you pass the CCNA Security exam. The interactive online learning environment that accompanies the CCNA Security exam certification guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.

The online test bank includes the following:

Sample Tests   Many sample tests are provided throughout this book and online, including the Assessment Test, which you'll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards   The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first! They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Resources   A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

Go to http://www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Who Should Read This Book

If you want to acquire a solid foundation in managing security on Cisco devices or your goal is to prepare for the exams by filling in any gaps in your knowledge, this book is for you. You'll find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.


If you want to become certified as a CCNA Security professional, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding the basics of personal computers, this guide isn't for you. It's written for people who want to acquire skills and knowledge of servers and storage systems.

How to Use This Book

If you want a solid foundation for the serious effort of preparing for the Cisco CCNA Security exam, then look no further. We've spent hundreds of hours putting together this book with the sole intention of helping you to pass the exam as well as really learn about the exciting field of network security!

This book is loaded with valuable information, and you will get the most out of your study time if you understand why the book is organized the way it is.

So, to maximize your benefit from this book, I recommend the following study method:

1. Take the assessment test that's provided at the end of this introduction. (The answers are at the end of the test.) It's okay if you don't know any of the answers; that's why you bought this book! Carefully read over the explanations for any questions you get wrong and note the chapters in which the material relevant to them is covered. This information should help you plan your study strategy.

2. Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.

3. Complete all hands-on labs in each chapter, referring to the text of the chapter so that you understand the reason for each step you take.

4. Answer all of the review questions related to each chapter. (The answers appear in the Appendix.) Note the questions that confuse you, and study the topics they cover again until the concepts are crystal clear. And again—do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember that these will not be the exact questions you will find on the exam, but they're written to help you understand the chapter material and ultimately pass the exam!

5. Try your hand at the practice questions that are exclusive to this book. The questions can be found at http://www.sybex.com/go/ccnasecuritystudyguide.

6. Test yourself using all the flashcards, which are also found at the download link. These are brand-new and updated flashcards to help you prepare for the CCNA Security exam and a wonderful study tool!

To learn every bit of the material covered in this book, you'll have to apply yourself regularly, and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I'm confident that if you work hard, you'll be surprised at how quickly you learn this material!


If you follow these steps and really study in addition to using the review questions, the practice exams, and the electronic flashcards, it would actually be hard to fail the CCNA Security exam. But understand that studying for the Cisco exams is a lot like getting in shape—if you do not go to the gym every day, it's not going to happen!

According to the Cisco website, the Cisco CCNA Security exam details are as follows:

Exam code: 210-260

Exam description: This exam tests the candidate's knowledge of secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security using Cisco routers and the ASA 9.x.

Number of questions: 60–70

Type of questions: multiple choice, drag and drop, testlet, simulation

Length of test: 90 minutes

Passing score: 860 (on a scale of 100–900)

Language: English

How Do You Go About Taking the Exam?

When the time comes to schedule your exam, you will need to create an account at http://www.pearsonvue.com/cisco/ and register for your exam. Cisco testing is provided by their global testing partner Pearson VUE. You can locate your closest testing center at https://home.pearsonvue.com/. You can schedule at any of the listed testing centers.

To purchase the exam, you will need to buy an exam voucher from Cisco. The voucher is a code they provide you to use to schedule the exam. Information on purchasing a voucher can be found at http://www.pearsonvue.com/vouchers/pricelist/cisco.asp.

When you have a voucher and have selected a testing center, you can schedule the Cisco 210-260 exam by following this link: http://www.pearsonvue.com/cisco/. This will take you to the Pearson VUE website, and from here you can also locate a testing center or purchase vouchers if you have not already done so.

When you have registered for the CCNA Security certification exam, you will receive a confirmation e-mail that supplies you with all of the information you will need to take the exam. Remember to take a printout of this e-mail with you to the testing center.

Certification Exam Policies

For the most current information regarding Cisco exam policies, it is recommended that you follow the https://www.cisco.com/c/en/us/training-events/training-certifications/exams/policies.html link to become familiar with Cisco policies. It contains a large amount of useful information regarding:

Exam policy requirements
Age requirements and policies concerning minors
Certification and confidentiality agreement
Candidate identification and authentication
Candidate rights and responsibilities
Confidentiality and agreements
Embargoed country policy
Privacy
Exam and testing policies
Conduct
Confidentiality and agreements
Exam discounts, vouchers, and promotional codes
Exam violations
Preliminary score report
Retaking exams
Post exam policies
Certification tracking system
Correspondence
Exam recertification
Exam retirement
Exam scoring
Logo guidelines

Tips for Taking Your Exam

The Cisco CCNA Security exam contains 60–90 multiple choice, drag and drop, testlet, and simulation item questions, and must be completed in 90 minutes or less. This information may change over time, and it is advised to check www.cisco.com for the latest updates.

Many questions on the exam offer answer choices that at first glance look identical—especially the syntax questions! So remember to read through the choices carefully because close just doesn't cut it. If you get information in the wrong order or forget one measly character, you may get the question wrong. So, to practice, do the practice exams and hands-on exercises in this book's chapters over and over again until they feel natural to you; also, and this is very important, do the online sample test until you can consistently answer all the questions correctly. Relax, read the question over and over until you are 100% clear on what it is asking, and then you can usually eliminate a few of the obviously wrong answers.

Here are some general tips for exam success:

Arrive early at the exam center so you can relax and review your study materials.

Read the questions carefully. Don't jump to conclusions. Make sure you're clear about exactly what each question asks. "Read twice, answer once!"

Ask for a piece of paper and pencil if it is offered to take down quick notes and make sketches during the exam.

When answering multiple-choice questions that you're not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.

After you complete an exam, you'll get immediate notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Cisco after you take the test, so you don't need to send your score to them. If you pass the exam, you'll receive confirmation from Cisco and a package in the post with a nice document suitable for framing showing that you are now a Cisco certified engineer.

Exam Objectives

Cisco goes to great lengths to ensure that its certification programs accurately reflect the IT industry's best practices. The company does this by establishing Cornerstone Committees for each of its exam programs. Each committee comprises a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam's baseline competency level and who determine the appropriate target audience level.

Once these factors are determined, Cisco shares this information with a group of hand-selected subject-matter experts (SMEs). These folks are the true brainpower behind the certification program. They review the committee's findings, refine them, and shape them into the objectives you see before you. Cisco calls this process a job task analysis (JTA).

Finally, Cisco conducts a survey to ensure that the objectives and weightings truly reflect the job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. And, in many cases, they have to go back to the drawing board for further refinements before the exam is ready to go live in its final state. So, rest assured, the content you're about to learn will serve you long after you take the exam.

Cisco also publishes relative weightings for each of the exam's objectives. The following table lists the objective domains and the extent to which they're represented on each exam.


210-260 Exam Domains                  % of Exam
1.0 Security Concepts                 12%
2.0 Secure Access                     14%
3.0 VPN                               17%
4.0 Secure Routing and Switching      18%
5.0 Cisco Firewall Technologies       18%
6.0 IPS                               9%
7.0 Content and Endpoint Security     12%
Total                                 100%


210-260 Sub Domains                                                                          Chapters
1.2 Common security threats                                                                  2
1.3 Cryptography concepts                                                                    2
1.4 Describe network topologies                                                              3
2.1 Secure management                                                                        8
2.2 AAA concepts                                                                             9
2.3 802.1x authentication                                                                    9
2.4 BYOD                                                                                     10
3.1 VPN concepts                                                                             11
3.2 Remote access VPN                                                                        12
3.3 Site-to-site VPN                                                                         12
4.1 Security on Cisco routers                                                                4
4.2 Securing routing protocols                                                               4
4.3 Securing the control plane                                                               4
4.4 Common Layer 2 attacks                                                                   5
4.5 Mitigation procedures                                                                    6
4.6 VLAN security                                                                            7
5.1 Describe operational strengths and weaknesses of the different firewall technologies     13
5.2 Compare stateful vs. stateless firewalls                                                 13
5.3 Implement NAT on Cisco ASA 9.x                                                           14
5.4 Implement zone-based firewall                                                            14
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x                     15
6.1 Describe IPS deployment considerations                                                   16
6.2 Describe IPS technologies                                                                16
7.1 Describe mitigation technology for email-based threats                                   17
7.2 Describe mitigation technology for web-based threats                                     17
7.3 Describe mitigation technology for endpoint threats                                      17


AssessmentTest1. Whenyouareconcernedwithpreventingdatafromunauthorizededitsyouareconcerned

withwhichofthefollowing?

A. integrity

B. confidentiality

C. availability

D. authorization

2. Whenasystemsadministratorisissuedbothanadministrative-levelaccountandanormaluseraccountandusestheadministrativeaccountonlywhenperforminganadministrativetask,itisanexampleofwhichconcept?

A. leastprivilege

B. splitknowledge

C. dualcontrol

D. separationofduties

3. Whatisthepurposeofmandatoryvacations?

A. crosstraining

B. fraudprevention

C. improvesmorale

D. employeeretention

4. Whichofthefollowingoccurswhenanorganizationalassetisexposedtolosses?

A. risk

B. threat

C. exposure

D. vulnerability

5. Whichofthefollowingisastandardusedbythesecurityautomationcommunitytoenumeratesoftwareflawsandconfigurationissues?

A. CSE

B. SCAP

C. CVE

D. CWE

Page 27: CCNA security study guide: exam 210-260

6. Whichhackertypehacksforapoliticalcause?

A. blackhats

B. whitehats

C. scriptkiddies

D. hacktivists

7. WhichofthefollowingisanemailvalidationsystemthatworksbyusingDNStodeterminewhetheranemailsentbysomeonehasbeensentbyahostsanctionedbythatdomain’sadministrator?

A. PGP

B. S/MIME

C. SMTP

D. SPF

8. Whatdoesthefollowingcommanddo?

nmap-sP192.168.0.0-100

A. portscan

B. pingscan

C. vulnerabilityscan

D. penetrationtest

9. Youjustexecutedahalfopenscanandgotnoresponse.Whatdoesthattellyou?

A. theportisopen

B. theportisclosed

C. theportisblocked

D. itcannotbedetermined

10. Whichofthefollowingisamitigationforabufferoverflow?

A. antivirussoftware

B. IOSupdates

C. inputvalidation

D. encryption

11. WhichofthefollowingisaLayer2attack?

A. bufferoverflow

B. DoS

Page 28: CCNA security study guide: exam 210-260

C. ARPpoisoning

D. IPspoofing

12. Whichofthefollowingisnotintellectualproperty?

A. designs

B. advertisements

C. recipes

D. contactlists

13. What is the best countermeasure to social engineering?

A. training

B. access lists

C. HIDS

D. encryption

14. Which of the following is a mitigation for ARP poisoning?

A. VLANs

B. DAI

C. DNSSec

D. STP

15. In which cryptographic attack does the attacker use recurring patterns to reverse engineer the message?

A. side channel

B. frequency

C. plaintext only

D. ciphertext only

16. You have five users in your department. These five users only need to encrypt information with one another. If you implement a symmetric encryption algorithm, how many keys will be needed to support the department?

A. 5

B. 8

C. 10

D. 12

17. Which statement is true with regard to asymmetric encryption?

A. less expensive than symmetric

B. slower than symmetric

C. harder to crack than symmetric

D. key compromise can occur more easily than with symmetric

18. Which of the following is a stream-based cipher?

A. RC4

B. DES

C. 3DES

D. AES

19. What is the purpose of an IV?

A. doubles the encryption

B. adds randomness

C. performs 16 rounds of transposition

D. hashes the message

20. Which step is not required to configure SSH on a router?

A. Set the router name

B. Set the router ID

C. Set the router domain name

D. Generate the RSA key

21. Which of the following allows you to assign a technician sets of activities that coincide with the level they have been assigned?

A. access levels

B. job parameters

C. privilege levels

D. rules

22. Which of the following is a way to prevent unwanted changes to the configuration?

A. router lockdown

B. resilient configuration

C. secure IOS

D. config-sec


23. Which of the following is used to hold multiple keys used in OSPF Routing Update Authentication?

A. keystore

B. key chain

C. keydb

D. keyauth

24. Which of the following characteristics of a rogue switch could cause it to become the root bridge?

A. higher MAC address

B. higher IP address

C. a superior BPDU

D. lower router ID

25. Which of the following is used by a malicious individual to pollute the ARP cache of other machines?

A. ping of death

B. buffer overflow

C. bound violation

D. gratuitous ARP

26. What happens when the CAM table of a switch is full of fake MAC addresses and can hold no other MAC addresses?

A. it gets dumped

B. the switch shuts down

C. the switch starts forwarding all traffic out of all ports

D. all ports are shut down

27. Which switch feature uses the concept of trusted and untrusted ports?

A. DAI

B. DHCP snooping

C. STP

D. Root Guard

28. Which command enables port security on the switch?

A. SW70(config-if)#switchport mode access


B. SW70(config-if)#switchport port-security maximum 2

C. SW70(config-if)#switchport port-security

D. SW70(config-if)#switchport port-security violation shutdown

29. Which switch feature prevents the introduction of a rogue switch to the topology?

A. Root Guard

B. BPDU Guard

C. Loop Guard

D. DTP

30. What prevents switching loops?

A. DAI

B. DHCP snooping

C. STP

D. Root Guard


Answers to Assessment Test

1. A. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.

2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task.

3. B. With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their position while gone. This detective administrative control enhances the opportunity to discover unusual activity.

4. C. An exposure occurs when an organizational asset is exposed to losses.

5. B. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.

6. D. Hacktivists are those who hack not for personal gain, but to further a cause. For example, the Anonymous group hacks from time to time for various political reasons.

7. D. Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s box.

8. B. 0–100 is the range of IP addresses to be scanned in the 192.168.0.0 network.

9. C. If you receive no response, the port is blocked on the firewall.

10. C. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten.

11. C. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer’s IP address with his own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker’s MAC address listed as the MAC address that maps to the other computer’s IP address. As a result, both are sending to the attacker, placing him “in the middle.”

12. B. An advertisement would be publicly available.

13. A. The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.

14. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.

15. B. One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message.

16. C. To calculate the number of keys that would be needed in this example, you would use the following formula:

# of users × (# of users – 1) / 2

Using our example, you would calculate 5 × (4) / 2, or 10 needed keys.

17. B. Asymmetric encryption is more expensive than symmetric, it is slower than symmetric, it is easier to crack than symmetric, and key compromise can occur less easily than with symmetric.

18. A. Only RC4 is a stream cipher.

19. B. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.

20. B. A router ID is not a part of the configuration.

21. C. Privilege levels allow you to assign a technician sets of activities that coincide with the level they have been assigned. There are 16 levels, from 0 to 15.

22. B. The IOS Resilient Configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.

23. B. A key chain can be used to hold multiple keys if required.

24. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.

25. A. Gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks, and it causes the target to change its ARP cache.

26. C. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise, because in this condition the switch is basically operating as a hub and not a switch.

27. B. DHCP snooping is implemented on the switches in the network, so it is a Layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse.

28. C. Without executing this command, the other commands will have no effect.


29. B. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on access ports.

30. Spanning Tree Protocol (STP) prevents switching loops in redundant switching networks.


Chapter 1
Understanding Security Fundamentals

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

1.1 Common security principles

Describe confidentiality, integrity, availability (CIA)

Identify common security terms

Identify common network security zones

1.4 Describe network topologies

Campus area network (CAN)

Cloud, wide area network (WAN)

Data center

Small office/home office (SOHO)

Network security for a virtual environment

Securing a network is no easy task. Daily you probably hear about data disclosures and new network attacks. However, you are not defenseless. By properly implementing the security features available in Cisco routers, switches, and firewalls, you can reduce the risk of a security breach to a manageable level. This book is designed to help you understand the issues, identify your security options, and deploy those options in the correct manner. In the process, the book will prepare you for the Cisco CCNA Security certification, which validates the skills and knowledge required to secure a network using Cisco products.

In this chapter, you will learn the following:

Common security principles

Network topologies

Goals of Security

When you’re securing a network, several important security principles should guide your efforts. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.

Most security issues result in a violation of at least one facet of the CIA triad. Understanding these three security principles will help ensure that the security controls and mechanisms implemented protect at least one of these principles.

Every security control that is put into place by an organization fulfills at least one of the security principles of the CIA triad. Understanding how to circumvent these security principles is just as important as understanding how to provide them.

Confidentiality

To ensure confidentiality, you must prevent the disclosure of data or information to unauthorized entities. As part of confidentiality, the sensitivity level of data must be determined before putting any access controls in place. Data with a higher sensitivity level will have more access controls in place than data at a lower sensitivity level. Identification, authentication, and authorization can be used to maintain data confidentiality. Encryption is another popular example of a control that provides confidentiality.

Integrity

Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.

An access control list (ACL) is an example of a control that helps to provide integrity. Another example is the generation of hash values that can be used to validate data integrity.

Availability

Availability means ensuring that data is accessible when and where it is needed. Only individuals who need access to data should be allowed access to that data. The two main areas where availability is affected are

When attacks are carried out that disable or cripple a system.

When service loss occurs during and after disasters.

Each system should be assessed on its criticality to organizational operations. Controls are implemented based on each system’s criticality level.

Fault-tolerant technologies, such as RAID or redundant sites, are examples of controls that help to improve availability.

Guiding Principles

When managing network security and access to resources, there are some proven principles that should guide your efforts. These concepts have stood the test of time because they contribute to supporting the CIA triad.

Least Privilege/Need-to-Know

The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users only have access to the resources they need and are authorized to perform only the tasks they need to perform. To properly implement the least privilege principle, organizations must identify all users’ jobs and restrict users only to the identified privileges.

The need-to-know principle is closely associated with the concept of least privilege. Although least privilege seeks to reduce access to a minimum, the need-to-know principle actually defines what the minimums for each job or business function are. Excessive privileges become a problem when a user has more rights, privileges, and permissions than he needs to do his job. Excessive privileges are hard to control in large environments.

A common implementation of the least privilege and need-to-know principles is when a systems administrator is issued both an administrative-level account and a normal user account. In most day-to-day functions, the administrator should use his normal user account. When the systems administrator needs to perform administrative-level tasks, he should use the administrative-level account. If the administrator uses his administrative-level account while performing routine tasks, he risks compromising the security of the system and user accountability.

Organizational rules that support the principle of least privilege include the following:

Keep the number of administrative accounts to a minimum.

Administrators should use normal user accounts when performing routine operations.

Permissions on tools that are likely to be used by attackers should be as restrictive as possible.

To more easily support the least privilege and need-to-know principles, users should be divided into groups to facilitate the confinement of information to a single group or area. This process is referred to as compartmentalization.

Default to No Access

During the authorization process, you should configure an organization’s access control mechanisms so that the default level of security is to default to no access. This means that if nothing has been specifically allowed for a user or group, then the user or group will not be able to access the resource. The best security approach is to start with no access and add rights based on a user’s need to know and the least privilege needed to accomplish daily tasks.

Defense in Depth

A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies. Access controls exist in all areas of an information systems (IS) infrastructure (more commonly referred to as an IT infrastructure), but a defense-in-depth strategy goes beyond access control. It also considers software development security, cryptography, and physical security. Figure 1.1 shows an example of the defense-in-depth concept.

FIGURE 1.1 Defense in depth

Separation of Duties

Separation of duties is a preventive administrative control to keep in mind when designing an organization’s authentication and authorization policies. Separation of duties prevents fraud by distributing tasks and their associated rights and privileges between more than one user. It helps to deter fraud and collusion because when an organization implements adequate separation of duties, collusion between two or more personnel would be required to carry out fraud against the organization. A good example of separation of duties is authorizing one person to manage backup procedures and another to manage restore procedures.

Separation of duties is associated with dual controls and split knowledge. With dual controls, two or more users are authorized and required to perform certain functions. For example, a retail establishment might require two managers to open the safe. Split knowledge ensures that no single user has all the information to perform a particular task. An example of split knowledge is the military requiring two individuals to each enter a unique combination to authorize missile firing.

Separation of duties ensures that one person is not capable of compromising organizational security. Any activities that are identified as high risk should be divided into individual tasks, which can then be allocated to different personnel or departments.

Let’s look at an example of the violation of separation of duties. An organization’s internal audit department investigates a possible breach of security. One of the auditors interviews three employees:

A clerk who works in the accounts receivable office and is in charge of entering data into the finance system

An administrative assistant who works in the accounts payable office and is in charge of approving purchase orders

The finance department manager, who can perform the functions of both the clerk and the administrative assistant

To avoid future security breaches, the auditor should suggest that the manager should only be able to review the data and approve purchase orders.


Job Rotation

From a security perspective, job rotation refers to the detective administrative control where multiple users are trained to perform the duties of a position to help prevent fraud by any individual employee. The idea is that by making multiple people familiar with the legitimate functions of the position, the likelihood increases that unusual activities by any one person will be noticed. Job rotation is often used in conjunction with mandatory vacations. Beyond the security aspects of job rotation, additional benefits include the following:

Trained backup in case of emergencies

Protection against fraud

Cross-training of employees

Mandatory Vacation

With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their positions while gone. This detective administrative control enhances the opportunity to discover unusual activity.

Some of the security benefits of using mandatory vacations include having the replacement employee do the following:

Run the same applications as the vacationing employee

Perform tasks in a different order from the vacationing employee

Perform the job from a different workstation than the vacationing employee

Replacement employees should avoid running scripts that were created by the vacationing employee. A replacement employee should either develop their own script or manually complete the tasks in the script.

Common Security Terms

The risk management process cannot be discussed without understanding some key terms used in risk management. Security professionals should become familiar with the following terms as they are used in risk management:

Assets include anything that is of value to the organization. Assets can be physical, such as buildings, land, and computers, and they can be intangible, such as data, plans, and recipes.

A vulnerability is an absence or weakness of a countermeasure that is in place. Vulnerabilities can occur in software, hardware, or personnel. An example of a vulnerability is unrestricted access to a folder on a computer. Most organizations implement a vulnerability assessment to identify vulnerabilities.

A threat is the next logical progression in risk management. A threat occurs when a vulnerability is identified or exploited. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent ACL.


A threat agent is something that carries out a threat. Continuing with the example, the attacker who takes advantage of the inappropriate or absent ACL is the threat agent. Keep in mind, though, that threat agents can discover and/or exploit vulnerabilities. Not all threat agents will actually exploit an identified vulnerability.

A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder contains only public data, then the risk would be low. Identifying the potential impact of a risk often requires security professionals to enlist the help of subject-matter experts.

An exposure occurs when an organizational asset is exposed to losses. If the folder with the inappropriate or absent ACL is compromised by a threat agent, the organization is exposed to the possibility of data exposure and loss.

A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls. Three things must be considered when implementing a countermeasure: vulnerability, threat, and risk. For this example, a good countermeasure would be to implement the appropriate ACL and to encrypt the data. The ACL protects the integrity of the data, and the encryption protects the confidentiality of the data.

Countermeasures or controls come in many categories and types. The categories and types of controls are discussed later in this chapter.

All the aforementioned security concepts work together in the relationship demonstrated in Figure 1.2.


FIGURE 1.2 Security cycle

Risk Management Process

The risk management process is composed of a series of operations in which the data from one operation feeds the next operation. According to NIST SP 800-30, common information-gathering techniques used in risk analysis include automated risk assessment tools, questionnaires, interviews, and policy document reviews. Keep in mind that multiple sources should be used to determine the risks to a single asset. NIST SP 800-30 identifies the following steps in the risk management process:

1. Identify the assets and their value.

2. Identify threats.

3. Identify vulnerabilities.

4. Determine likelihood.

5. Identify impact.


6. Determine risk as a combination of likelihood and impact.

The following sections include these processes and two additional ones that relate to the identification of countermeasures and cost-benefit analysis.

Asset Classification

The first step of any risk assessment is to identify the assets and determine the asset value, called asset classification. Assets are both tangible and intangible. Tangible assets include computers, facilities, supplies, and personnel. Intangible assets include intellectual property, data, and organizational reputation. The value of an asset should be considered in respect to the asset owner’s view. The six following considerations can be used to determine the asset’s value:

Value to owner

Work required to develop or obtain the asset

Costs to maintain the asset

Damage that would result if the asset were lost

Cost that competitors would pay for the asset

Penalties that would result if the asset were lost

After determining the value of the assets, you should determine the vulnerabilities and threats to each asset.

Data Assets

Data should be classified based on its value to the organization and its sensitivity to disclosure. Assigning a value to data allows an organization to determine the resources that should be used to protect the data. Resources that are used to protect data include personnel resources, monetary resources, access control resources, and so on. Classifying data allows you to apply different protective measures. Data classification is critical to all systems to protect the confidentiality, integrity, and availability of data.

After data is classified, the data can be segmented based on the level of protection it needs. The classification levels ensure that data is handled and protected in the most cost-effective manner possible. An organization should determine the classification levels it uses based on the needs of the organization. Several commercial business and military and government information classifications are commonly used.

The information life cycle should also be based on the classification of the data. Organizations are required to retain certain information, particularly financial data, based on local, state, or government laws and regulations.

In this section, we will discuss the sensitivity and criticality of data, commercial business classifications, military and government classifications, information life cycle, database maintenance, and data audit.


SENSITIVITY AND CRITICALITY

Sensitivity is a measure of how freely the data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals. Some data is also subject to regulation by state or federal laws and requires notification in the event of a disclosure.

Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called data classification.

Criticality is a measure of the importance of the data. Data considered sensitive may not necessarily be considered critical. Assigning a level of criticality to a particular data set must take into consideration the answers to a few questions:

Will you be able to recover the data in case of disaster?

How long will it take to recover the data?

What is the effect of this downtime, including loss of public standing?

Data is considered essential when it is critical to the organization’s business. When essential data is not available, even for a brief period of time, or its integrity is questionable, the organization will be unable to function. Data is considered required when it is important to the organization, but organizational operations would continue for a predetermined period of time even if the data is not available. Data is nonessential if the organization is able to operate without it during extended periods of time.

Once the sensitivity and criticality of data is understood and documented, the organization should then work to create a data classification system. Most organizations will use either a commercial business classification system or a military and government classification system.

COMMERCIAL BUSINESS CLASSIFICATIONS

Commercial businesses usually classify data using four main classification levels, listed from highest sensitivity level to lowest:

1. Confidential

2. Private

3. Sensitive

4. Public

Data that is confidential includes trade secrets, intellectual data, application programming code, and other data that could seriously affect the organization if unauthorized disclosure occurred. Data at this level would be available only to personnel in the organization whose work relates to the data’s subject. Access to confidential data usually requires authorization for each access. Confidential data is exempt from disclosure under the Freedom of Information Act. In most cases, the only way for external entities to have authorized access to confidential data is as follows:

After signing a confidentiality agreement

When complying with a court order

As part of a government project or contract procurement agreement

Data that is private includes any information related to personnel, including human resource records, medical records, and salary information, that is used only within the organization. Data that is sensitive includes organizational financial information and requires extra measures to ensure its CIA and accuracy. Public data is data that would not cause a negative impact on the organization.

MILITARY AND GOVERNMENT CLASSIFICATIONS

Military and governmental entities usually classify data using five main classification levels, listed from highest sensitivity level to lowest:

1. Top secret

2. Secret

3. Confidential

4. Sensitive but unclassified

5. Unclassified

Data that is top secret includes weapon blueprints, technology specifications, spy satellite information, and other military information that could gravely damage national security if disclosed. Data that is secret includes deployment plans, missile placement, and other information that could seriously damage national security if disclosed. Data that is confidential includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred. Data that is sensitive but unclassified includes medical or other personal data that might not cause serious damage to national security but could cause citizens to question the reputation of the government. Military and government information that does not fall into any of the other four categories is considered unclassified and usually has to be granted to the public based on the Freedom of Information Act.

OTHER CLASSIFICATION SYSTEMS

Another classification system, created by the United Kingdom’s National Infrastructure Security Coordination Centre (NISCC, now the Centre for the Protection of National Infrastructure) and since adopted by the ISO/IEC as part of the Standard on Information security management for inter-sector and inter-organizational communications and by CERT, is the Traffic Light Protocol (TLP). This system uses traffic light colors to classify information assets. Table 1.1 shows the four colors and their meanings.


TABLE 1.1 TLP classifications

Color   Meaning
Red     Shared only within a meeting
Amber   Shared only with those in the organization with a need to know
Green   Shared only within a community
White   No restriction, but still subject to copyright rules

Vulnerability Identification

When identifying vulnerabilities, the Common Vulnerability Scoring System and the Security Content Automation Protocol are standards used in this process. In this section, you’ll learn about these two methods for enumerating vulnerabilities in a common format.

Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used. A vendor of security automation products can obtain a validation against SCAP, demonstrating that its product will interoperate with other scanners and express the scan results in a standardized way.

Understanding the operation of SCAP requires an understanding of its components.

Common Configuration Enumeration (CCE) These are configuration best-practice statements maintained by NIST.

Common Platform Enumeration (CPE) These are methods for describing and classifying operating systems, applications, and hardware devices.

Common Weakness Enumeration (CWE) These are design flaws in the development of software that can lead to vulnerabilities.

Common Vulnerabilities and Exposures (CVE) These are vulnerabilities in published operating systems and application software.

The Common Vulnerability Scoring System (CVSS) is a system for ranking discovered vulnerabilities based on predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is complete. Scores are awarded on a scale of 0 to 10, with the values having the following ranks:

0: No issues

0.1 to 3.9: Low

4.0 to 6.9: Medium

7.0 to 8.9: High

9.0 to 10.0: Critical

CVSS is composed of three metric groups. These metric groups are described as follows:


Base includes characteristics of a vulnerability that are constant over time and user environments.

Temporal includes characteristics of a vulnerability that change over time but not among user environments.

Environmental includes characteristics of a vulnerability that are relevant and unique to a particular user’s environment.

The base metric group includes the following metrics:

Access vector (AV) describes how the attacker would exploit the vulnerability and has three possible values.

L stands for Local and means that the attacker must have physical or logical access to the affected system.

A stands for Adjacent network and means that the attacker must be on the local network.

N stands for Network and means that the attacker can cause the vulnerability from any network.

Access complexity (AC) describes the difficulty of exploiting the vulnerability and has three possible values.

H stands for High and means that the vulnerability requires special conditions that are hard to find.

M stands for Medium and means that the vulnerability requires somewhat special conditions.

L stands for Low and means that the vulnerability does not require special conditions.

Authentication (Au) describes the authentication an attacker would need to get through to exploit the vulnerability and has three possible values.

M stands for Multiple and means that the attacker would need to get through two or more authentication mechanisms.

S stands for Single and means that the attacker would need to get through one authentication mechanism.

N stands for None and means that no authentication mechanisms are in place to stop the exploit of the vulnerability.

Availability (A) describes the disruption that might occur if the vulnerability is exploited and has three possible values.

N stands for None and means that there is no availability impact.

P stands for Partial and means that system performance is degraded.

C stands for Complete and means that the system is completely shut down.


Confidentiality (C) describes the information disclosure that may occur if the vulnerability is exploited and has three possible values.

N stands for None and means that there is no confidentiality impact.

P stands for Partial and means some access to information would occur.

C stands for Complete and means all information on the system could be compromised.

Integrity (I) describes the type of data alteration that might occur and has three possible values.

N stands for None and means that there is no integrity impact.

P stands for Partial and means some information modification would occur.

C stands for Complete and means all information on the system could be compromised.

The CVSS vector will look something like this:

CVSS2#AV:L/AC:H/Au:M/C:P/I:N/A:N

This vector is read as follows:

AV:L

Access Vector: L stands for Local and means that the attacker must have physical or logical access to the affected system.

AC:H

Access Complexity: H stands for High and means that the vulnerability requires special conditions that are hard to find.

Au:M

Authentication: M stands for Multiple and means that the attacker would need to get through two or more authentication mechanisms.

C:P

Confidentiality: P stands for Partial and means some access to information would occur.

I:N

Integrity: N stands for None and means that there is no integrity impact.

A:N

Availability: N stands for None and means that there is no availability impact.
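Reading a vector by hand, as above, is error-prone when a scanner hands you hundreds of them. The following Python is an added example, not code from the study guide: it parses a CVSS v2 base vector such as the one shown, rejects malformed or incomplete vectors, expands each metric into the meaning this section gives it, and computes the base score. The metric weights and the base equation are those published in the CVSS v2 specification; the qualitative ranks are the ranges listed in this section. The function and constant names are the example's own.

```python
"""Parse and score a CVSS v2 base vector (added example, not the study guide's code)."""

# Weights from the CVSS v2 base equation, one per metric value.
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}   # shared by C, I and A

# Metric names in vector order: long name plus the meaning of each allowed value,
# worded as this section describes them.
METRICS = {
    "AV": ("Access Vector", {
        "L": "Local: the attacker must have physical or logical access to the system",
        "A": "Adjacent network: the attacker must be on the local network",
        "N": "Network: the attacker can trigger the vulnerability from any network"}),
    "AC": ("Access Complexity", {
        "H": "High: special, hard-to-find conditions are required",
        "M": "Medium: somewhat special conditions are required",
        "L": "Low: no special conditions are required"}),
    "Au": ("Authentication", {
        "M": "Multiple: two or more authentication mechanisms must be passed",
        "S": "Single: one authentication mechanism must be passed",
        "N": "None: no authentication mechanism stops the exploit"}),
    "C": ("Confidentiality", {
        "N": "None: no confidentiality impact",
        "P": "Partial: some access to information",
        "C": "Complete: all information on the system could be compromised"}),
    "I": ("Integrity", {
        "N": "None: no integrity impact",
        "P": "Partial: some information modification",
        "C": "Complete: all information on the system could be modified"}),
    "A": ("Availability", {
        "N": "None: no availability impact",
        "P": "Partial: system performance is degraded",
        "C": "Complete: the system is completely shut down"}),
}


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a full base vector; raise ValueError otherwise."""
    body = vector[len("CVSS2#"):] if vector.startswith("CVSS2#") else vector
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in METRICS:
            raise ValueError(f"unknown metric in {part!r}")
        if value not in METRICS[name][1]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [m for m in METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing {missing}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def base_score(metrics: dict) -> float:
    """CVSS v2 base equation: 0.6 * impact + 0.4 * exploitability - 1.5, times f(impact)."""
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[metrics["C"]])
                        * (1 - IMPACT_WEIGHT[metrics["I"]])
                        * (1 - IMPACT_WEIGHT[metrics["A"]]))
    exploitability = (20 * AV_WEIGHT[metrics["AV"]]
                      * AC_WEIGHT[metrics["AC"]] * AU_WEIGHT[metrics["Au"]])
    if impact == 0:          # f(impact) is 0 when there is no C/I/A impact at all
        return 0.0
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176, 1)


def severity(score: float) -> str:
    """Qualitative rank using the score ranges listed in this section."""
    if score == 0:
        return "No issues"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def describe(vector: str) -> list:
    """Expand a vector into one readable line per metric, in vector order."""
    metrics = parse_vector(vector)
    return [f"{name}:{metrics[name]}  {long_name}: {meanings[metrics[name]]}"
            for name, (long_name, meanings) in METRICS.items()]


if __name__ == "__main__":
    sample = "CVSS2#AV:L/AC:H/Au:M/C:P/I:N/A:N"   # the vector shown in this section
    for line in describe(sample):
        print(line)
    score = base_score(parse_vector(sample))
    print(f"base score {score} ({severity(score)})")
```

For the section's own vector the base score comes out at 0.8, which lands in the Low band: local access, hard-to-find conditions, and multiple authentication steps all pull the exploitability term down, and only confidentiality is partially affected. Feeding the parser a vector with an unknown value or a missing metric raises ValueError rather than silently scoring garbage, which is the behaviour you want before a score is used to prioritize remediation.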

Control Selection

Once the assets have been classified and their value determined and all vulnerabilities have been identified, controls or mitigations must be selected to address the vulnerabilities. This cannot be done until the level of risk associated with each vulnerability has been determined through one of two methods, qualitative and quantitative risk assessment.

Qualitative Risk Analysis

Qualitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process. Qualitative risk analysis techniques include intuition, experience, and best-practice techniques, such as brainstorming, focus groups, surveys, questionnaires, meetings, interviews, and Delphi. Although all of these techniques can be used, most organizations will determine the best technique (or techniques) based on the threats to be assessed. Experience and education on the threats are needed.

Eachmemberofthegroupwhohasbeenchosentoparticipateinthequalitativeriskanalysisusestheirexperiencetorankthelikelihoodofeachthreatandthedamagethatmightresult.Aftereachgroupmemberranksthethreatpossibility,losspotential,andsafeguardadvantage,dataiscombinedinareporttopresenttomanagement.Alllevelsofstaffshouldberepresentedaspartofthequalitativeriskanalysis,butitisvitalthatsomeparticipantsinthisprocessshouldhavesomeexpertiseinriskanalysis.

QuantitativeRiskAnalysisAquantitativeriskanalysisassignsmonetaryandnumericvaluestoallfacetsoftheriskanalysisprocess,includingassetvalue,threatfrequency,vulnerabilityseverity,impact,safeguardcosts,andsoon.Equationsareusedtodeterminetotalandresidualrisks.Themostcommonequationsareforsinglelossexpectancy(SLE)andannuallossexpectancy(ALE).

TheSLEisthemonetaryimpactofeachthreatoccurrence.TodeterminetheSLE,youmustknowtheassetvalue(AV)andtheexposurefactor(EF).TheEFisthepercentvalueorfunctionalityofanassetthatwillbelostwhenathreateventoccurs.ThecalculationforobtainingtheSLEisasfollows:

SLE=AV×EF

Forexample,anorganizationhasawebserverfarmwithanAVof$10,000.Iftheriskassessmenthasdeterminedthatapowerfailureisathreatagentforthewebserverfarmandtheexposurefactorforapowerfailureis25percent,theSLEforthiseventequals$2,500.

Theannuallossexpectancy(ALE)istheexpectedriskfactorofanannualthreatevent.TodeterminetheALE,youmustknowtheSLEandtheannualizedrateofoccurrence(ARO).TheAROistheestimateofhowoftenagiventhreatmightoccurannually.ThecalculationforobtainingtheALEisasfollows:

ALE=SLE×ARO

Usingthepreviouslymentionedexample,iftheriskassessmenthasdeterminedthattheAROforthepowerfailureofthewebserverfarmis50percent,theALEforthiseventequals$1,250.

Cost-Benefit Analysis

Using the ALE, the organization can decide whether to implement controls. If the annual cost of the control to protect the web server farm is more than the ALE, the organization could easily choose to accept the risk by not implementing the control. If the annual cost of the control to protect the web server farm is less than the ALE, the organization should consider implementing the control.
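The SLE, ALE and cost-benefit steps above fit together into one small model. The following is an added example (not code from the study guide) that carries the web server farm figures from the text through all three steps; it goes slightly beyond the text by letting a control reduce the ARO rather than eliminate the threat outright (the residual ARO parameter), which is an assumption of the example rather than something the chapter states.

```python
"""Quantitative risk: SLE = AV x EF, ALE = SLE x ARO, and the ALE-versus-control-cost
decision, run over a small constructed threat list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF as a fraction (0.25 means 25 percent of the asset lost)
    aro: float              # annualized rate of occurrence (0.5 means once every two years)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and AV cannot be negative")

    def sle(self):
        """Single loss expectancy: cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual loss expectancy: expected cost per year."""
        return self.sle() * self.aro


def control_is_justified(threat, annual_control_cost, residual_aro=0.0):
    """A control is worth buying when its annual cost is below the ALE it removes.
    residual_aro (an assumption of this example) models a control that reduces,
    rather than eliminates, how often the threat occurs."""
    if residual_aro < 0 or residual_aro > threat.aro:
        raise ValueError("residual ARO must be between 0 and the current ARO")
    ale_removed = threat.ale() - threat.sle() * residual_aro
    return annual_control_cost < ale_removed


def rank_by_ale(threats):
    """Highest annual loss expectancy first: the order in which controls are usually considered."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


if __name__ == "__main__":
    # Constructed figures: the web server farm example from the text plus one more threat.
    web_farm_power = Threat("power failure, web server farm", 10_000, 0.25, 0.5)
    file_server_disk = Threat("disk failure, file server", 4_000, 0.50, 1.0)
    for t in rank_by_ale([web_farm_power, file_server_disk]):
        print(f"{t.name}: SLE ${t.sle():,.0f}  ALE ${t.ale():,.0f}")
    print("UPS at $1,000/yr justified:", control_is_justified(web_farm_power, 1_000))
    print("UPS at $1,500/yr justified:", control_is_justified(web_farm_power, 1_500))
```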

Handling Risk

Risk reduction is the process of altering elements of the organization in response to risk analysis. After an organization understands its total and residual risk, it must determine how to handle the risk. The following four basic methods are used to handle risk:

Avoidance: Terminating the activity that causes a risk or choosing an alternative that is not as risky

Transfer: Passing the risk on to a third party, including insurance companies

Mitigation: Defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Acceptance: Understanding and accepting the level of risk as well as the cost of damages that can occur

Network Topologies

Understanding the types of network topologies that you may see will help you appreciate some of the security measures called for in various scenarios. In this section, you'll learn about some topologies that may exist in your organization.

CAN

The campus area network (CAN) comprises the part of the network where data, services, and connectivity to the outside world are provided to those who work in the corporate office or headquarters. It can be further subdivided into the following:

Enterprise core connects the enterprise campus and the intranet data center.

Enterprise campus includes the end devices and provides them access to the outside world and to the intranet data center through the enterprise core.

Intranet data center includes the data center where resources are made available to the enterprise campus and to branch offices through the enterprise core.

Figure 1.3 shows the components of the CAN. It includes two parts that are not part of the enterprise campus (WAN edge and Internet edge) that comprise the networks that are used to connect to the outside world.

FIGURE 1.3 Campus area network

Security issues in the enterprise core include the following:

Service disruptions (denial of service [DoS], distributed denial of service [DDoS])

Unauthorized access (intrusions, routing protocol attacks)

Data leaks and data modifications (packet sniffing, man-in-the-middle [MITM] attacks)

Security issues in the enterprise campus include the following:

Service disruptions (botnets, malware, DoS)

Unauthorized access (intrusions, IP spoofing)

Data leaks and data modifications (packet sniffing, MITM attacks)

Identity theft and fraud (phishing, email spam)

Security issues in the intranet data center include the following:

Unauthorized access (device access, data access, privilege escalation)

Service disruptions (botnets, DoS)

Data leaks and data modifications (MITM, malware, scripting, SQL attacks)

WAN

The WAN connection of the organization is called the enterprise WAN edge in the Cisco network model. It is one of two modules that are used to connect the CAN to the outside world, the other being the enterprise Internet edge (shown in Figure 1.3). This comprises the provisioned WAN connections to other offices.

Security issues in the enterprise WAN edge include the following:

Malicious branch client activity (malware, Trojans, botnets)

Transmission threats (MITM, sniffing)

Infrastructure attacks (reconnaissance, DoS, service attacks)

Data Center

While the data center may be located in the campus area network, it may also be located in the cloud. The introduction of cloud environments brings many benefits, but it also brings security threats. These threats include the following:

Account or service hijacking

Data loss

Improper device hardening and patching

DoS attacks

Insecure APIs and user interfaces

Malicious provider insiders

Improper access from other tenants

SOHO

Many of today's workers operate from home rather than in the main office or headquarters. Other users will be operating from smaller branch offices. When this is the case, the small office/home office (SOHO) network will connect to the main office via the WAN edge module in cases where the connection is provisioned and via the Internet edge module when the connection leverages the Internet (such as a VPN connection). These two edge modules were shown in Figure 1.3. Since this module interfaces with those two modules, the security issues in the SOHO network will be the same as those present in the Internet edge and WAN edge modules.

Virtual

Today's data centers are increasingly moving to a virtual environment. When a virtual environment is present, it may reside in the campus data center, or it may reside in a cloud data center. Also, it is not unusual to find that the organization has both a physical data center and a virtual data center. Regardless of the exact configuration, there are challenges to securing a virtual environment.

In a virtual environment there are two traffic pathways, one that is used within the virtual environment and one used between the virtual environment and the physical environment. Physical security devices cannot be used to enforce security on the traffic that never leaves a physical host (traffic between VMs located on the same host) or on traffic that never leaves the virtual environment (traffic between VMs on different hosts). The solution is the deployment of virtual security devices such as the Cisco ASAv firewall, the Cisco CSR 1000v router, and the Cisco Nexus 1000v switch.

Common Network Security Zones

One of the most basic design principles for a secure network calls for creating security zones. These are logical divisions of the network with access controls applied to control traffic between the zones. By organizing resources in these zones and applying the proper access controls, you can reduce the possibility that unauthorized access to data is allowed. In this section, you'll explore four common security zones.

DMZ

A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server using your network, but others aren't able to access further network resources. This can be accomplished using firewalls to isolate your network.

When establishing a DMZ, you assume that the person accessing the resource isn't necessarily someone you would trust with other information. By keeping the rest of the network from being visible to external users, this lowers the threat of intrusion in the internal network.

Any time you want to separate public information from private information, a DMZ is an acceptable option.

The easiest way to create a DMZ is to use a firewall that can transmit in these three directions:

To the internal network

To the external world (Internet)

To the public information you're sharing (the DMZ)

From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the DMZ, and email would go to the internal network.

Intranet and Extranet

While DMZs are often used to make assets publicly available, extranets are used to make data available to a smaller set of the public—for example, a partner organization. Intranet is a term to describe the interior LAN; an extranet is a network logically separate from the intranet, the Internet, and the DMZ (if both exist in the design), where resources that will be accessed from the outside world are made available. Access may be granted to customers, business partners, and the public in general. All traffic between this network and the intranet should be closely monitored and securely controlled. Nothing of a sensitive nature should be placed in the extranet.

Public and Private

The purpose of creating security zones such as DMZs is to separate sensitive assets from those that require less protection. Because the goals of security and of performance and ease of use are typically mutually exclusive, not all networks should have the same levels of security.

Information that is of a public nature, or that you otherwise deem not to be of a sensitive nature, can be located in any of the zones you create. However, you should ensure that private corporate data and especially personally identifiable information (PII)—information that can be used to identify an employee or customer and perhaps steal their identity—is located only in secure zones and never in the DMZ or the extranet.

VLAN

Network security zones can also be created at layer 2. Virtual local area networks (VLANs) are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs. VLANs offer another way to add a layer of separation between sensitive devices and the rest of the network. For example, if only one device should be able to connect to the finance server, the device and the finance server could be placed in a VLAN separate from the other VLANs. As traffic between VLANs can occur only through a router, ACLs can be used to control the traffic allowed between VLANs.

These VLANs can also span multiple switches, meaning that devices connected to switches in different parts of a network can be placed in the same VLAN regardless of physical location.

Summary

This chapter covered common security principles such as the CIA triad, the goals of which should guide all security initiatives. It also discussed common security terms such as risk, vulnerability, and threat, as well as the proper application of common security zones, such as intranet, DMZ, and extranets. This chapter also discussed network topologies as seen from the perspective of the Cisco campus area network. Finally, the chapter discussed other methods of network segmentation such as VLANs.

Exam Essentials

Describe the CIA triad. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.

Define important security terms. Security professionals should become familiar with terms such as assets, vulnerabilities, threats, threat agent, risk, exposure, and countermeasures.

Identify common security zones. Describe intranet, extranet, DMZ, and the Internet. Explain their proper use.

Describe common network topologies. Explain various topologies as seen from the perspective of the Cisco campus area network such as the enterprise core, enterprise campus, intranet data center, WAN edge, and Internet edge. Describe the common security issues found in each.

Review Questions

1. Which of the following is not one of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability

2. Which of the following requires that a user or process is given only the minimum access privilege needed to perform a particular task?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Mandatory vacation

3. Which of the following occurs when a vulnerability is identified or exploited?
A. Risk
B. Threat
C. Exposure
D. Countermeasure

4. According to NIST SP 800-30, what is the first step in the risk management process?
A. Identify threats
B. Identify impact
C. Identify vulnerabilities
D. Identify the assets and their value

5. Which of the following is a measure of how freely data can be handled?
A. Criticality
B. Sensitivity
C. Integrity
D. Value

6. Which of the following is not a typical commercial data classification level?
A. Sensitive
B. Confidential
C. Secret
D. Public

7. Which of the following represents data shared only within a meeting in the TLP system?
A. Amber
B. White
C. Red
D. Green

8. Which of the following is a standard used by the security automation community to enumerate software flaws and configuration issues?
A. TLP
B. CIA
C. SCAP
D. CAN

9. Which of the following is not a metric group in the Common Vulnerability Scoring System?
A. Base
B. Access vector
C. Temporal
D. Environmental

10. Which of the following is the monetary impact of each threat occurrence?
A. ALE
B. AV
C. ARO
D. SLE

11. Which method of handling risk involves defining the acceptable risk level the organization can tolerate and reducing the risk to that level?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer

12. What part of the campus area network includes the end devices and provides them with access to the outside world and to the intranet data center through the enterprise core?
A. Intranet data center
B. Enterprise campus
C. Enterprise core
D. Enterprise WAN edge

13. Which of the following is an area where you can place a public server for access by anyone?
A. Intranet
B. DMZ
C. Internet
D. Extranet

14. Which of the following is a logical subdivision of a switch that segregates ports from one another?
A. VLAN
B. VPN
C. DMZ
D. STP

15. Which of the following refers to the data being unaltered by unauthorized individuals?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability

16. Which of the following refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers?
A. Default to no access
B. Defense in depth
C. Separation of duties
D. Job rotation

17. Which of the following is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out?
A. Risk
B. Threat
C. Exposure
D. Countermeasure

18. Which of the following is a system that uses traffic light colors to classify information assets?
A. DLP
B. VLAN
C. TLP
D. VTP

19. Which component of SCAP refers to vulnerabilities in published operating systems and applications software?
A. CWE
B. CVE
C. CCE
D. CPE

20. Which of the following is the percent value or functionality of an asset that will be lost when a threat event occurs?
A. SLE
B. AV
C. EF
D. ALE

Chapter 2
Understanding Security Threats

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

1.2 Common security threats

Identify common network attacks

Describe social engineering

Identify malware

Classify the vectors of data loss/exfiltration

To secure a network, you must have a clear understanding of the threats that the network faces. These threats come from all sorts of sources and have a variety of goals. In this chapter, you will continue your investigation of common security threats and their associated threat vectors.

In this chapter, you will learn the following:

Common security threats

Common Network Attacks

While new attacks and new motivations for those attacks seem to be arriving almost daily, there are some common attacks and common motivations for those attacks. In this chapter, you'll first learn about common motivations for attacks and common attack vectors, which are simply the various ways in which the attacks are implemented. Following that, you'll learn about some specific attacks that are quite common.

Motivations

Hackers hack for many different reasons. When you really get down to it, they want one of four things:

Financial gain

Disruption

Geopolitical change

Notoriety

The Federal Bureau of Investigation (FBI) has identified three categories of threat actors.

Organized crime groups primarily threatening the financial services sector and expanding the scope of their attacks

State sponsors, usually foreign governments, interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors

Terrorist groups that want to impact countries by using the Internet and other networks to disrupt or harm the viability of our way of life by damaging our critical infrastructure

While there are other less organized groups out there, these three groups are considered to be the primary threat actors by law enforcement. However, organizations should not totally disregard the threat of any threat actors that fall outside these three categories. Lone actors or smaller groups that use hacking as a means to discover and exploit any discovered vulnerability can cause damage just like the larger, more organized groups.

Hacktivists: This includes those who hack not for personal gain but to further a cause. An example is the Anonymous group that hacks from time to time for various political reasons.

Thrill hackers: These guys do it for the notoriety. They deface websites and brag about their conquests to their fellow thrill hackers on websites where they share tools and methods.

Hacker and cracker are two terms that are often used interchangeably in media but do not actually have the same meaning. Hackers are individuals who attempt to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes. Crackers, on the other hand, are individuals who attempt to break into secure systems without using the knowledge gained for any nefarious purposes.

In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.

Classifying Attack Vectors

After assets have been classified with regard to sensitivity and criticality (see Chapter 1), the next step is to identify threats. When determining vulnerabilities and threats to an asset, considering the threat agents first is often easiest. Threat agents can be grouped into the following six categories:

Human includes both malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel.

Natural includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events.

Technical includes hardware and software failure, malicious code, and new technologies.

Physical includes CCTV issues, perimeter measures failure, and biometric failure.

Operational includes any process or procedure that can affect CIA.

Examples of the threat actors include both internal and external actors and include the following:

Internal actors

Reckless employee

Untrained employee

Partner

Disgruntled employee

Internal spy

Government spy

Vendor

Thief

External actors

Anarchist

Competitor

Corrupt government official

Data miner

Government cyber warrior

Irrational individual

Legal adversary

Mobster

Activist

Terrorist

Vandal

Spoofing

Spoofing, also referred to as masquerading, occurs when communication from an attacker appears to come from trusted sources. The goal of this type of attack is to obtain access by pretending to be that trusted source. Spoofing can be attempted based on the following:

IP addresses

MAC addresses

Email addresses

Let's look at each one of these types of spoofing.

IP Address Spoofing

IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses. It also can be used to make a connection to a system that trusts only certain IP addresses or ranges of IP addresses.

MAC Address Spoofing

MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2. Spoofed MAC addresses can also be used to impersonate another device connected to the same switch. In that scenario, it enables the impersonating device to receive traffic intended for the legitimate device. In Chapters 4 and 5 you will learn about methods to prevent these switch-based attacks.

Email Spoofing

Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers such as From, Return-Path, and Reply-To. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not have shared unless it was a trusted message.

Often this is one step in an attack designed to harvest usernames and passwords for banking or financial sites. This attack can be mitigated in several ways. One is SMTP authentication, which, when enabled, disallows the sending of an email by a user who cannot authenticate with the sending server.

Another possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's box.
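The SPF check described above is, at its core, a comparison of the connecting IP address against the sender domain's published policy. The following is an added example (not code from the study guide) that implements the ip4, ip6 and all mechanisms of SPF (RFC 7208) with the four qualifiers; the DNS lookup is replaced by a constructed table of TXT records for hypothetical domains so that it runs offline, and mechanisms that need live DNS (a, mx, include, exists, ptr) are deliberately reported as a permanent error rather than guessed.

```python
"""SPF check (RFC 7208 subset): is the connecting IP allowed to send mail for the
MAIL FROM domain?  Supports ip4, ip6 and all with the four qualifiers; DNS is
replaced by a constructed TXT table so the example runs offline."""
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains are hypothetical.
FAKE_DNS_TXT = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "softfail.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.test": ["just some text"],
    "twospf.test": ["v=spf1 -all", "v=spf1 +all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt_records=FAKE_DNS_TXT):
    """Return (record, error): exactly one v=spf1 record is required (RFC 7208 section 4.5)."""
    found = [r for r in txt_records.get(domain, [])
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not found:
        return None, "none"
    if len(found) > 1:
        return None, "permerror"
    return found[0], None


def check_host(sending_ip, domain, txt_records=FAKE_DNS_TXT):
    """Return pass / fail / softfail / neutral / none / permerror for one sender."""
    record, error = spf_record(domain, txt_records)
    if error:
        return error
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"               # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"    # malformed address in the published record
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        # a, mx, include, exists, ptr and modifiers need live DNS; this offline
        # evaluator treats them as a permanent error rather than guessing.
        return "permerror"
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for sender, domain in [("192.0.2.25", "example.test"), ("203.0.113.5", "example.test"),
                           ("198.51.100.11", "softfail.test"), ("192.0.2.1", "nospf.test")]:
        print(f"{sender} for {domain}: {check_host(sender, domain)}")
```

A receiving mail server acts on the result: "fail" is the case the text describes (the message is rejected), "softfail" is usually accepted but marked, and "none" means the domain publishes no policy, so SPF alone says nothing about that sender.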

Password Attacks

A password attack is one that attempts to discover user passwords. The two most popular password threats are dictionary attacks and brute-force attacks.

The best countermeasures against password threats are to implement complex password policies, require users to change passwords on a regular basis, employ account lockout policies, encrypt password files, and use password-cracking tools to discover weak passwords.

Dictionary Attack

A dictionary attack occurs when attackers use a dictionary of common words to discover passwords. An automated program uses the hash of the dictionary word and compares this hash value to entries in the system password file. Although the program comes with a dictionary, attackers also use extra dictionaries that are found on the Internet.

You should implement a security rule that says that a password must not be a word found in the dictionary to protect against these attacks.

Brute-Force Attack

Brute-force attacks are more difficult to carry out because they work through all possible combinations of numbers and characters. A brute-force attack is also referred to as an exhaustive attack. It carries out password searches until a correct password is found. These attacks are also very time-consuming.
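The countermeasures above (a complex password policy plus a rule that a password must not be a dictionary word) can be enforced at the point where a password is set. The following is an added example (not code from the study guide) of such a policy check; the word list, the minimum length and the leetspeak substitutions are assumptions of the example, and a deployment would load a full dictionary or breached-password file in place of the constructed list.

```python
"""Password policy check: minimum length, character classes, and a dictionary
test that also catches the common disguises (case, digit suffix, leetspeak)."""
import re
import string

# Constructed word list; a deployment would load a full dictionary / breached-password file.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein", "football"}

# Substitutions users commonly make to dress up a dictionary word (an assumption of this example).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalize(candidate):
    """Reduce a candidate to the dictionary word it may be built from."""
    base = candidate.lower()
    base = re.sub(r"[\d\W_]+$", "", base)  # drop trailing digits/punctuation: summer2023! -> summer
    return base.translate(LEET)            # undo leetspeak: p@ssw0rd -> password


def check_password(candidate, min_length=12, min_classes=3, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    )
    if sum(classes) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if normalize(candidate) in dictionary:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2023!", "correct-horse-battery-staple", "Tq7#vL9m!Xp2Wz"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The normalization step is what makes the dictionary rule meaningful: without it, "P@ssw0rd" passes a naive complexity check even though any cracking tool's rule set will derive it from "password" in its first pass.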

Reconnaissance Attacks

Reconnaissance attacks are carried out to gather information about the organizational network as a prelude to a larger attack. This is also sometimes called fingerprinting the network. It is the first step that a penetration tester will take because it mimics the first step of a real attacker. There are several ways in which information can be gathered about the network topology. Let's take a look at the three most common.

Ping Scans

Ping scans involve identifying the live hosts on a network or in a domain namespace. Nmap and other scanning tools (ScanLine, SuperScan) can be used for this. The tool records responses to pings sent to every address in the network. It can also be combined with a port scan by using the proper arguments to the command.

To execute this scan from nmap, the command is nmap -sP 192.168.0.0-100 (0-100 is the range of IP addresses to be scanned in the 192.168.0.0 network). Figure 2.1 shows an example of the output. All devices that are on will be listed. For each, the MAC address will also be listed.

FIGURE 2.1 Ping scan with nmap

Port Scans

As operating systems have well-known vulnerabilities, so do common services. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which he may attempt to take advantage. This is typically done with port scans in which all "open" or "listening" ports are identified. Once again, the lion's share of these issues will have been mitigated with the proper security patches, but that is not always the case, and it is not uncommon for security analysts to find that systems that are running vulnerable services are missing the relevant security patches. Consequently, when performing service discovery, patches should be checked on systems found to have open ports. It is also advisable to close any ports not required for the system to do its job.

Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received. These flags are used to control the TCP connection process, so they are present only in those packets. Figure 2.2 shows a TCP header. The flags of which I speak are circled. Normally the flags that are "turned on" will be set as a result of the normal TCP process, but a hacker can craft packets with whichever flags the hacker desires.

FIGURE 2.2 TCP header

These are the flags shown:

URG: Urgent pointer field significant

ACK: Acknowledgment field significant

PSH: Push function

RST: Reset the connection

SYN: Synchronize sequence numbers

FIN: No more data from sender


Nmap exploits weaknesses with three scan types.

A NULL scan is a series of TCP packets that contain a sequence number of 0 and no set flags. Because the NULL scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. When this packet is sent, these responses are possible:

No response: The port is open on the target.

RST: The port is closed on the target.

Figure 2.3 shows the result of this scan using the command nmap -sN. In this case, nmap received no response, so it cannot tell whether the port is open or whether a firewall is blocking the probe. That's why the ports are listed as open/filtered.

A FIN scan has the FIN bit set. When this packet is sent, these responses are possible:

No response: The port is open on the target.

RST/ACK: The port is closed on the target.

The following is sample output of this scan using the command nmap -sF. I added -v for verbose output. Again, in this case, nmap received no response, so it cannot tell whether the port is open or whether a firewall is blocking the probe. That's why the ports are listed as open/filtered.

FIGURE 2.3 NULL scan

# nmap -sF -v 192.168.0.7
Starting nmap 3.81 at 2016-01-23 21:17 EDT
Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
The FIN Scan took 1.51s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)

An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:

No response: The port is open on the target.

RST: The port is closed on the target.

Figure 2.4 shows the result of this scan using the command nmap -sX. In this case, nmap received no response, so it cannot tell whether the port is open or whether a firewall is blocking the probe. That's why the ports are listed as open/filtered.

FIGURE 2.4 XMAS scan

These three scans (NULL, FIN, and XMAS) all serve the same purpose (to discover open ports and ports blocked by a firewall) and differ only in the switch used. While there are many more scan types and attacks that can be launched with this tool, these scan types are commonly used during environmental reconnaissance testing to discover what the hacker might discover before the hacker does and take steps to close any gaps in security.
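Because the NULL, FIN and XMAS scans differ only in which flag bits are set, a defender can recognize them from the TCP header alone, which is exactly what an IDS signature for these scans does. The following is an added example (not code from the study guide) covering both the flag list above and the three scan types: it reads the six flag bits from byte 13 of a raw TCP header, classifies the combination, and tallies scan-type probes per source over a constructed packet sample. The sample traffic, the addresses and the port numbers are all constructed for the example.

```python
"""Classify TCP probes by flag bits, the way an IDS rule for NULL, FIN and XMAS
scans does, starting from raw 20-byte TCP headers."""
import struct
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def tcp_flags(tcp_header):
    """Return the six classic flag bits: byte 13 of the header, low six bits."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & 0x3F


def flag_names(flags):
    return [name for bit, name in FLAG_NAMES if flags & bit]


def classify_probe(flags):
    """Map a flag combination to the scan type it matches; 'ordinary' otherwise."""
    if flags == 0:
        return "NULL scan"
    if flags == FIN:
        return "FIN scan"
    if flags == FIN | PSH | URG:
        return "XMAS scan"
    if flags & SYN and flags & FIN:
        return "SYN+FIN (never legitimate)"
    return "ordinary"


def build_tcp_header(src_port, dst_port, flags, seq=0):
    """Constructed 20-byte TCP header without options; checksum left as zero."""
    data_offset_and_flags = (5 << 12) | flags  # data offset 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                       data_offset_and_flags, 1024, 0, 0)


def scan_report(packets):
    """packets: iterable of (src_ip, tcp_header). Returns {src_ip: {scan type: count}},
    listing only sources that sent at least one scan-type probe."""
    report = defaultdict(Counter)
    for src_ip, header in packets:
        kind = classify_probe(tcp_flags(header))
        if kind != "ordinary":
            report[src_ip][kind] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


# Constructed sample traffic: one scanner cycling NULL/FIN/XMAS probes over a few
# ports, and one normal client completing a handshake and sending data.
SAMPLE_PACKETS = [
    ("198.51.100.7", build_tcp_header(40001, 21, 0)),
    ("198.51.100.7", build_tcp_header(40002, 22, FIN)),
    ("198.51.100.7", build_tcp_header(40003, 23, FIN | PSH | URG)),
    ("198.51.100.7", build_tcp_header(40004, 80, FIN | PSH | URG)),
    ("192.0.2.10", build_tcp_header(51000, 443, SYN)),
    ("192.0.2.10", build_tcp_header(51000, 443, ACK)),
    ("192.0.2.10", build_tcp_header(51000, 443, PSH | ACK)),
]

if __name__ == "__main__":
    for src, hdr in SAMPLE_PACKETS:
        print(src, flag_names(tcp_flags(hdr)) or ["(none)"], classify_probe(tcp_flags(hdr)))
    print(scan_report(SAMPLE_PACKETS))
```

A normal client never sends a segment with no flags, with FIN alone before any handshake, or with FIN, PSH and URG together, so any source producing these combinations across several ports is almost certainly running one of the scans described above.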

OS Fingerprinting

Operating system fingerprinting is simply the process of using some method to determine the operating system running on a host or a server. Its value to the hacker is that by identifying the OS version and build number, common vulnerabilities of that operating system can be identified using readily available documentation from the Internet. While many of the issues will have been addressed in subsequent service packs and hotfixes, there might be zero-day weaknesses (those that have not been widely publicized or addressed by the vendor) the hacker may be able to leverage in the attack. Moreover, if any of the relevant security patches have not been applied, the weaknesses the patch was intended to address will exist on the machine. Therefore, the purpose of attempting OS fingerprinting during assessment is to assess the relative ease with which it can be done and to identify methods to make it more difficult.

Buffer Overflow

Buffers are portions of system memory that are used to store information. A buffer overflow is an attack that occurs when the amount of data that is submitted to a buffer is larger than the buffer can handle. Typically, this type of attack is possible because of poorly written application or operating system code. This can result in an injection of malicious code, primarily either a denial-of-service attack or a SQL injection.

To protect against this issue, organizations should ensure that all operating systems and applications are updated with the latest service packs and patches. In addition, programmers should properly test all applications to check for overflow conditions. Hackers can take advantage of this phenomenon by submitting too much data, which can cause an error or in some cases execute commands on the machine if the hacker can locate an area where commands can be executed. Not all attacks are designed to execute commands. An attack may just lock the computer as in a DoS attack.

With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used. Buffer overflows and boundary errors (when input exceeds the boundaries allotted for the input) are a family of error conditions called input validation errors.

DoS

A denial-of-service (DoS) attack occurs when attackers flood a device with enough requests to degrade the performance of the targeted device. Some popular DoS attacks include SYN floods, pings of death, and smurf attacks. Let's explore how these attacks work.

TCP SYN Flood

To understand a TCP SYN flood attack, you must understand the three-way TCP handshake, which occurs whenever a TCP connection is made. Figure 2.5 displays the process.

FIGURE 2.5 TCP handshake

One important fact not evident in the figure is that when the recipient of the initial SYN packet receives that packet and responds by sending a SYN/ACK packet, it will reserve a small piece of memory for the expected response (ACK). In the attack the attacker sends thousands of these SYN packets and never answers the SYN/ACK packets with an ACK packet. At some point, the recipient will fill up its memory, reserving space for the responses that never come. Then the target will be unable to do anything, and that is the denial of service. Figure 2.6 shows the attack. At the point in the diagram where it says TCP Queue Full, the target memory is full.

FIGURE 2.6 SYN flood

Ping of Death

A ping of death is when an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes. An ICMP echo request is an IP packet with a pseudo header, which is 8 bytes. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).

A grossly oversized ICMP packet can trigger a range of adverse system reactions such as DoS, crashing, freezing, and rebooting. Figure 2.7 shows such a packet. The packet will be fragmented en route, and when the target attempts to reassemble the packet, it will crash some systems.

FIGURE 2.7 Ping-of-death packet
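The crash the text describes happens because the receiving stack accepts a fragment whose offset plus length runs past the 65,535-byte limit and writes beyond its reassembly buffer. The following is an added example (not code from the study guide) of the bounds check a hardened IP stack performs before reassembly, built from the sizes given in the text; the fragment list is constructed for the example, modelling a maximum-size echo request split into 1,480-byte pieces plus one fragment that does not fit.

```python
"""Ping-of-death guard: validate ICMP echo payload size and IP fragment bounds
against the 65,535-byte datagram limit before any reassembly buffer is touched."""
MAX_IP_DATAGRAM = 65535
IP_HEADER_LEN = 20  # header without options, as in the text
ICMP_HEADER_LEN = 8
MAX_ICMP_ECHO_DATA = MAX_IP_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN  # 65,507


def icmp_echo_data_is_valid(data_len):
    """Data area of an echo request may not exceed 65,507 bytes."""
    return 0 <= data_len <= MAX_ICMP_ECHO_DATA


def fragment_end(fragment_offset, payload_len):
    """Byte position just after this fragment's payload; the IP fragment offset
    field counts 8-byte units of the data that follows the IP header."""
    return fragment_offset * 8 + payload_len


def fragment_fits(fragment_offset, payload_len):
    """True when reassembling this fragment cannot exceed the maximum datagram size."""
    return IP_HEADER_LEN + fragment_end(fragment_offset, payload_len) <= MAX_IP_DATAGRAM


def first_overflowing_fragment(fragments):
    """fragments: iterable of (offset, payload_len). Return the first fragment that
    would overrun the reassembly buffer, or None when the set is safe to reassemble."""
    for offset, payload_len in fragments:
        if not fragment_fits(offset, payload_len):
            return (offset, payload_len)
    return None


def split_into_fragments(total_payload, mtu_payload=1480):
    """Constructed helper: how a router fragments a datagram's payload (1480 bytes
    fits a 1500-byte MTU after the 20-byte header; 1480 is a multiple of 8)."""
    fragments, offset_bytes = [], 0
    while offset_bytes < total_payload:
        size = min(mtu_payload, total_payload - offset_bytes)
        fragments.append((offset_bytes // 8, size))
        offset_bytes += size
    return fragments


if __name__ == "__main__":
    # Largest legal echo request: 8-byte ICMP header + 65,507 bytes of data.
    legal = split_into_fragments(ICMP_HEADER_LEN + MAX_ICMP_ECHO_DATA)
    print("largest legal ping fragments:", len(legal), "overflow:", first_overflowing_fragment(legal))
    # Constructed oversized datagram: one more full-size fragment than can fit.
    oversized = legal + [(legal[-1][0] + 50, 1480)]
    print("oversized ping overflow at:", first_overflowing_fragment(oversized))
```

The check must run on every fragment as it arrives, not after reassembly: by the time the last fragment has been copied into place, a stack without the check has already overwritten whatever followed the buffer.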

DDoS

A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack.

Because of the distributed nature of the attack, identifying all the attacking botnets is virtually impossible. The botnets also help to hide the original source of the attack. These attacks can be direct, reflected, and amplified. Let's look at examples of each.

Direct DDoS

In a direct DDoS attack, the attacker launches the attack by sending the attack signal to the handlers, which in turn signal the zombies to attack, as shown in Figure 2.8. The attack is greatly amplified by the use of the zombies. So, a direct attack is also an amplified attack.

FIGURE 2.8 Direct DDoS

Reflection

In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of the reflection type of DDoS is the smurf attack. In the smurf attack, the attacker sends an ICMP packet to the broadcast address of the network in which the target resides. However, the hacker creates this ICMP packet with a spoofed source address, and that spoofed address is that of the target. When every device in the network answers the ping requests, the answers will go to the target. Typically, the hacker will set the number of pings to a very high number so that this continues for some time and uses all the resources of the web server, as shown in Figure 2.9.

FIGURE 2.9 Smurf attack

Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is when an active attacker listens to the communication between two communicators and changes the contents of this communication. While performing this attack, the attacker pretends to be one of the parties to the other party. The most common type of MITM attack is done at layer 2 and uses the technique described in the next attack to pollute the ARP cache of the targets.

ARP Poisoning

One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this ARP poisoning by answering ARP requests for another computer's IP address with their own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing the attacker "in the middle."

Two mitigation techniques are available for preventing ARP poisoning on a Cisco switch.

Dynamic ARP Inspection (DAI)

This security feature intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.

DHCP Snooping

The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.

You must implement both DAI and DHCP snooping because DAI depends on DHCP snooping. Both configurations will be covered in Chapter 6.

Social Engineering Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. In this section we are going to focus our attention on a social engineering attack that has been in the news quite a bit lately: phishing.

Phishing/Pharming Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that very closely resembles a legitimate website. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target's habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered.

Pharming is similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site.

Prevention The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.

Caution users against using any links embedded in e-mail messages, even if the message appears to have come from a legitimate entity. Users should also review the address bar any time they access a site where their personal information is required to ensure that the site is correct and that SSL is being used, which is indicated by an HTTPS designation at the beginning of the URL address.

Malware Malicious software, also called malware, is any software that is designed to perform malicious acts. The following are the four classes of malware you should understand:

Virus Any malware that attaches itself to another application to replicate or distribute itself

Worm Any malware that replicates itself, meaning that it does not need another application or human interaction to propagate

Trojan Horse Any malware that disguises itself as a needed application while carrying out malicious actions

Spyware Any malware that collects private user data, including browsing history or keyboard input

The best defense against malicious software is to implement antivirus and anti-malware software. Today most vendors package these two types of software in the same package. Keeping antivirus and anti-malware software up-to-date is vital. This includes ensuring that the latest virus and malware definitions are installed.

Data Loss and Exfiltration Data exfiltration is the unauthorized transfer of data from a computer or from a storage device. At its most serious level, it is the ultimate goal of advanced persistent threats (APTs), which are those that continue on a long-term basis and are carried out by highly skilled cybercriminals. These groups are not interested in the vacation photos of the receptionist. They are interested in three types of data that they can monetize. Let's look at these data types.

IP Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans. These items can be protected by copyrights, patents, trademarks, and registrations. However, it also includes things that cannot be protected with these mechanisms, such as organizational plans, formulas, recipes, customer lists, and other types of data that cannot be disclosed because it might eliminate or reduce the effectiveness of a business advantage. Attack vectors for IP include disgruntled employees, competitors performing corporate espionage, and inadvertent releases through social media.

PII Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person. Any PII that an organization collects must be protected in the strongest manner possible. PII includes full name, identification numbers (including driver's license number and Social Security number), date of birth, place of birth, biometric data, financial account numbers (both bank account and credit card numbers), and digital identities (including social media names and tags).

Keep in mind that different countries and levels of government can have different qualifiers for identifying PII. Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII. As the theft of this data becomes even more prevalent, you can expect more laws to be enacted that will affect your job.

Credit Card While PII can be used to perform identity theft, stealing credit card information provides a much quicker path to monetizing malicious activities. Many of the most high-profile data breaches have involved the harvesting of thousands of credit card numbers and the related information that makes them usable. When an organization suffers this type of disclosure, it hurts their reputation because they must inform every user whose data was disclosed. They will also be responsible for any harm suffered by the disclosure, so this is a real nightmare when it occurs. The best mitigation for this is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI-DSS).

Summary This chapter covered common network attacks and their motivations. It also discussed various attack vectors, such as malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel. The chapter also looked at various methods used to perform network reconnaissance, such as ping scans and port scans. Finally, the chapter covered types of malware and the exfiltration of sensitive data such as IP, PII, and credit card data.

Exam Essentials Describe attack motivations. These include financial gain, disruption, geopolitical change, and notoriety. They may be attempted by organized crime groups, state sponsors, terrorist groups, hacktivists, and thrill hackers.

Identify common network attacks. These include but are not limited to IP address spoofing, MAC address spoofing, and email spoofing. They also include password attacks such as dictionary and brute-force attacks. Finally, explain reconnaissance attacks such as ping scans, port scans, and SYN scans.

Explain social engineering attacks. Describe phishing and pharming attacks and how these attacks can lead to malware such as viruses, worms, and Trojan horses.

Define the types of information most susceptible to data exfiltration. These include personally identifiable information (PII), intellectual property, and credit card information. Provide examples for each type of data.

Review Questions

1. What is the typical motivation of a hacktivist?
A. Financial gain
B. Disruption
C. Geopolitical change
D. Notoriety

2. Which of the following attacks has as its goal to get through an ACL on a router?
A. IP address spoofing
B. MAC address spoofing
C. Email spoofing
D. Buffer overflow

3. Which of the following is not a form of password attack?
A. Brute force
B. Dictionary
C. Port scan
D. Social engineering

4. When executing a NULL scan, which response indicates the port is closed on the target?
A. No response
B. Destination unreachable
C. RST
D. ACK

5. Which of the following is a measure used to prevent buffer overflows?
A. Input validation
B. Multifactor authentication
C. Complex passwords
D. Sensitivity labels

6. Which of the following is not a DDoS attack?
A. SYN flood
B. Ping of death
C. Smurf attack
D. Man-in-the-middle

7. Which of the following is typically used to set up a man-in-the-middle attack?
A. ARP poisoning
B. Dynamic ARP inspection
C. Rogue switches
D. MAC overflow

8. Which of the following is mitigation for ARP poisoning?
A. Input validation
B. DAI
C. Multifactor authentication
D. Root guard

9. Which of the following must be implemented to use DAI?
A. DTP
B. Authenticated ARP
C. DHCP snooping
D. NAT

10. Which of the following attaches itself to another application to replicate or distribute itself?
A. Worm
B. Rootkit
C. Spyware
D. Virus

11. Which of the following is considered to be a unique creation of the mind?
A. PII
B. IP
C. PHI
D. IPS

12. Which of the following provides recommendations for securely handling credit card data?
A. HIPAA
B. SOX
C. PCI-DSS
D. GLBA

13. At what OSI layer does MAC address spoofing occur?
A. 1
B. 2
C. 3
D. 4

14. Which of the following is mitigation for email spoofing?
A. SPF
B. DAI
C. DNSSec
D. DHCP snooping

15. Which of the following is a common tool used for ping and port scans?
A. Metasploit
B. Nmap
C. Netstat
D. Snort

16. Which of the following is not a flag set in an XMAS scan?
A. FIN
B. PSH
C. SYN
D. URG

17. Which of the following attacks uses an oversized ICMP packet?
A. Ping of death
B. Smurf
C. Fraggle
D. SYN flood

18. Which of the following is a reflected DDoS attack?
A. Ping of death
B. Smurf
C. Buffer overflow
D. XSS

19. Which attack type does DAI address?
A. IP spoofing
B. MAC overflow
C. ARP poisoning
D. Ping of death

20. Which of the following pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site?
A. Phishing
B. Pharming
C. Vishing
D. Whaling

Chapter 3 Understanding Cryptography

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

1.3 Cryptography concepts

Describe key exchange

Describe hash algorithm

Compare and contrast symmetric and asymmetric encryption

Describe digital signatures, certificates, and PKI

Cryptography is the use of mathematical algorithms to scramble data so it cannot be read if captured. In that role cryptography provides confidentiality, but that is not the only security goal it can achieve. Through the use of hash values and digital signatures, it can also provide assurance of data integrity and origin authentication. This chapter will cover the types of cryptography, their strengths and weaknesses, and some of the services that cryptography can provide.

In this chapter, you will learn the following:

Cryptography concepts

Symmetric and Asymmetric Encryption There are two types of cryptography algorithms that you must understand, symmetric and asymmetric. A bit later in this section you will learn the differences between these two systems and the advantages and disadvantages of both. You'll also learn when to apply these algorithms to secure both data at rest and data in transit.

But first let's look at some basic concepts used in cryptography. First you'll be introduced to some of the various ways algorithms scramble the data. Then you'll learn about two different ways encryption algorithms operate on the data.

Ciphers Cryptographic algorithms are often called ciphers for short, and these ciphers are mathematical formulas that move the data around in various ways to scramble it. The two main methods are substitution and transposition. I'll cover these in this section, along with a method of addressing shortcomings of substitution. Ciphers also differ in the amount of data that is encrypted at a time. The two main types of algorithms with respect to this issue are block and stream ciphers, which will also be covered in this section.

Substitution A substitution cipher uses a key to substitute characters or character blocks with different characters or character blocks. The Caesar cipher and the Vigenère cipher are two of the earliest forms of substitution ciphers. Figure 3.1 shows the ROT13, which is a Caesar cipher. It rotates the alphabet 13 positions. Therefore, the message "Hello" encrypts to the ciphertext URYYB.

FIGURE 3.1 ROT13 Caesar cipher

One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message. For this reason, the polyalphabetic algorithm was created.

Polyalphabetic To increase the difficulty of performing a frequency attack, polyalphabetic algorithms were created. They use multiple instances of the alphabet shifted in a 26×26 table called a tableau, shown in Figure 3.2. The figure shows the Vigenère cipher, an example of a polyalphabetic cipher.

FIGURE 3.2 Vigenère cipher

As an example of a message on which the Vigenère cipher is applied, let's use the security key SYBEX and the plaintext message of WEATTACKATFIVE. The first letter in the plaintext message is W, and the first letter in the key is S. We should locate the letter W across the headings for the columns. We follow that column down until it intersects with the row that starts with the letter S, resulting in the letter O. The second letter of the plaintext message is E, and the second letter in the key is Y. Using the same method, we obtain the letter C. We continue in this same manner until we run out of key letters, and then we start over with the key, which would result in the second A in the plaintext message working with the letter S of the key.

So, applying this technique to the entire message of WEATTACKATFIVE, the plaintext message converts to the OCBXQSALEQXGWI ciphertext message.
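The two substitution ciphers above in code, as an added example that is not part of the study guide: ROT13 as a Caesar shift, the Vigenère tableau lookup (column = plaintext letter, row = key letter, key repeating once exhausted) checked against the SYBEX/WEATTACKATFIVE example, and a letter-frequency count on a constructed sample that shows why the polyalphabetic key blunts the frequency attack described above. All function names are this example's own.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; ROT13 is shift=13."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def tableau_lookup(plain_letter: str, key_letter: str) -> str:
    """Cell of the 26x26 Vigenère tableau: row `key_letter` is the alphabet
    shifted by that letter's position, so the lookup is a per-letter Caesar shift."""
    row_shift = ALPHABET.index(key_letter)
    return ALPHABET[(ALPHABET.index(plain_letter) + row_shift) % 26]


def vigenere_encrypt(plaintext: str, key: str) -> str:
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    key = key.upper()
    # Plaintext letter i is paired with key letter i mod len(key): the key
    # starts over once its letters are used up.
    return "".join(tableau_lookup(p, key[i % len(key)]) for i, p in enumerate(letters))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    key = key.upper()
    out = []
    for i, c in enumerate(ciphertext.upper()):
        row_shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) - row_shift) % 26])
    return "".join(out)


def letter_frequencies(text: str) -> dict:
    """Letter counts of a ciphertext: the starting point of a frequency attack."""
    return dict(Counter(c for c in text.upper() if c in ALPHABET))


if __name__ == "__main__":
    print(caesar("Hello", 13))                           # URYYB
    print(vigenere_encrypt("WEATTACKATFIVE", "SYBEX"))   # OCBXQSALEQXGWI
    # Constructed sample: under a single shift the plaintext's most frequent
    # letter (A, 7 times) simply becomes N 7 times; under the SYBEX key the
    # same plaintext letter lands on several ciphertext letters.
    sample = "ATTACK AT DAWN ATTACK AT DUSK"
    print(letter_frequencies(caesar(sample, 13)))
    print(letter_frequencies(vigenere_encrypt(sample, "SYBEX")))
```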

Transposition A transposition cipher scrambles the letters of the original message in a different order. The key determines the positions to which the letters are moved.

The following is an example of a simple transposition cipher:

Original message: SNOWFLAKESWILLFALL

Broken into groups: SNOW FLAK ESWI FALL

Key: 4231 2314 4231 2314

Ciphertext message: WONS LAFK IWSE ALFL

With this example, the original message is SNOWFLAKESWILLFALL, and the key is 42312314. The ciphertext message is WONSLAFKIWSEALFL. So, you take the first four letters of the plaintext message (SNOW) and use the first four numbers (4231) as the key for transposition. The key describes the relative positions of the same characters in the ciphertext. In the new ciphertext, the letters would be WONS. Then you take the next four letters of the plaintext message (FLAK) and use the next four numbers (2314) as the key for transposition. In the new ciphertext, the letters would be LAFK. Then you take the next four letters of the original message and apply the first four numbers of the key because you do not have any more numbers in the key. Continue this pattern until complete.

Algorithms While cryptographic algorithms can deploy either substitution or transposition, there is another key characteristic that differentiates two main classes of algorithms: symmetric and asymmetric. In the next two sections, I'll talk about how they are different.

Symmetric Symmetric algorithms use a private or secret key that must remain secret between the two parties. Each party pair requires a separate private key. Therefore, a single user would need a unique secret key for every user with whom she communicates.

Consider an example where there are 10 unique users. Each user needs a separate private key to communicate with the other users. To calculate the number of keys that would be needed in this example, you would use the following formula:

# of users × (# of users – 1) / 2

Using our example, you would calculate 10 × (10 – 1) / 2, or 45 needed keys.

With symmetric algorithms, the encryption key must remain secure. To obtain the secret key, the users must find a secure out-of-band method for communicating the secret key, including courier or direct physical contact between the users.

A special type of symmetric key called a session key encrypts messages between two users during one communication session. Symmetric algorithms can be referred to as single-key, secret-key, private-key, or shared-key cryptography.

Symmetric systems provide confidentiality but not authentication or nonrepudiation. If both users use the same key, determining where the message originated is impossible. Symmetric algorithms include DES, AES, 3DES, and RC4. Table 3.1 lists the strengths and weaknesses of symmetric algorithms.

TABLE 3.1 Symmetric algorithm strengths and weaknesses

Strengths | Weaknesses
Cheaper to implement than asymmetric | Key compromise can occur more easily than with asymmetric
Faster than asymmetric | Difficulty in performing secure key distribution
Hard to crack | Key compromise occurs if one party is compromised, thereby allowing impersonation

The two broad types of symmetric algorithms are stream-based ciphers and block ciphers. Initialization vectors (IVs) are an important part of block ciphers. These three components will be discussed in the next sections.

Block Another way in which ciphers can differ is in the amount of data that is encrypted at a time. Block ciphers perform encryption by breaking the message into fixed-length units. A message of 1,024 bits could be divided into 16 blocks of 64 bits each. Each of those 16 blocks is processed by the algorithm formulas, resulting in a single block of ciphertext.

Advantages of block ciphers include the following:

The implementation is easier than stream-based cipher implementation.

They are generally less susceptible to security issues.

They are generally used more in software implementations.

Block ciphers employ both substitution and transposition.

Stream Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. The keystream generators create a bit stream that is XORed with the plaintext bits. The result of this XOR operation is the ciphertext.

A synchronous stream-based cipher depends only on the key, and an asynchronous stream cipher depends on the key and plaintext. The key ensures that the bit stream that is XORed to the plaintext is random.

An example of a stream-based cipher is RC4.

Advantages of stream-based ciphers include the following:

They generally have lower error propagation because encryption occurs on each bit.

They are generally used more in hardware implementation.

They use the same key for encryption and decryption.

They are generally cheaper to implement than block ciphers.

They employ only substitution.

Initialization Vectors Some modes of symmetric key algorithms use initialization vectors to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms. Without using IVs, a repeated phrase within a plaintext message could result in the same ciphertext. Attackers can possibly use these patterns to break the encryption.

Digital Encryption Standard (DES) Digital Encryption Standard (DES) uses a 64-bit key, 8 bits of which are used for parity. Therefore, the effective key length for DES is 56 bits. DES divides the message into 64-bit blocks. Sixteen rounds of transposition and substitution are performed on each block, resulting in a 64-bit block of ciphertext.

DES has mostly been replaced by 3DES and AES, both of which are discussed later in this chapter.

3DES Because of the need to quickly replace DES, Triple DES (3DES), a version of DES that increases security by using three 56-bit keys, was developed. Although 3DES is resistant to attacks, it is up to three times slower than DES. 3DES did serve as a temporary replacement for DES. However, the National Institute of Standards and Technology (NIST) has actually designated the Advanced Encryption Standard (AES) as the replacement for DES, even though 3DES is still in use today.

DES can operate in a number of different modes, but the two most common are Electronic Code Book (ECB) and Cipher Block Chaining (CBC). In ECB, 64-bit blocks of data are processed by the algorithm using the key. The ciphertext produced can be padded to ensure that the result is a 64-bit block. If an encryption error occurs, only one block of the message is affected. ECB operations run in parallel, making it a fast method.

Although ECB is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read. If an attacker discovers both versions of the 64-bit block (plaintext and ciphertext), the key can be determined. For these reasons, the mode should not be used when encrypting a large amount of data because patterns would emerge. ECB is a good choice if an organization needs encryption for its databases because ECB works well with the encryption of short messages.

Figure 3.3 shows the ECB encryption process.

FIGURE 3.3 ECB process

In CBC, each 64-bit block is chained together because each resultant 64-bit ciphertext block is applied to the next block. So, plaintext message block 1 is processed by the algorithm using an IV. The resultant ciphertext message block 1 is XORed with plaintext message block 2, resulting in ciphertext message 2. This process continues until the message is complete.

Unlike ECB, CBC encrypts large files without having any patterns within the resulting ciphertext. If a unique IV is used with each message encryption, the resultant ciphertext will be different every time even in cases where the same plaintext message is used.

Figure 3.4 shows the CBC encryption process.

FIGURE 3.4 CBC process
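The ECB pattern leak and the CBC chaining with an IV, as an added example that is not part of the study guide. The 64-bit block cipher underneath is a toy Feistel network built from SHA-256 so that the code runs without any third-party library; it stands in for DES only so that the two modes can be compared, and the key, IV and repeated plaintext are constructed for the demonstration.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the DES block size discussed above


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(half: bytes, round_key: bytes) -> bytes:
    # Keyed non-linear 32-bit -> 32-bit function for the toy Feistel network.
    return hashlib.sha256(round_key + half).digest()[:4]


def _round_keys(key: bytes, rounds: int = 8) -> list:
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 64-bit block with a toy Feistel cipher (illustrative stand-in for DES)."""
    left, right = block[:4], block[4:]
    for rk in _round_keys(key):
        left, right = right, xor_bytes(left, _round_function(right, rk))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rk in reversed(_round_keys(key)):
        left, right = xor_bytes(right, _round_function(left, rk)), left
    return left + right


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding so the final block is always a full 64 bits.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is processed independently under the same key, so equal
    # plaintext blocks always yield equal ciphertext blocks.
    return b"".join(toy_block_encrypt(key, b) for b in split_blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(toy_block_decrypt(key, b) for b in split_blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (the IV
    # for block 1) before encryption, chaining the blocks and hiding repeats.
    out, prev = [], iv
    for b in split_blocks(pad(plaintext)):
        prev = toy_block_encrypt(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for b in split_blocks(ciphertext):
        out.append(xor_bytes(toy_block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block: the pattern leak."""
    bs = split_blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed sample: one phrase repeated four times, like a file with recurring fields.
KEY = b"constructed demo key"
MESSAGE = b"ATTACK AT DAWN. " * 4

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MESSAGE)))   # 6
    iv = os.urandom(BLOCK)  # a fresh random IV for every message
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, iv, MESSAGE)))  # 0
```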

Advanced Encryption Standard (AES) Advanced Encryption Standard (AES) is the replacement algorithm for DES. Although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.

The three block sizes that are used in the Rijndael algorithm are 128, 192, and 256 bits. A 128-bit key with a 128-bit block size undergoes 10 transformation rounds. A 192-bit key with a 192-bit block size undergoes 12 transformation rounds. Finally, a 256-bit key with a 256-bit block size undergoes 14 transformation rounds.

Rijndael employs transformations composed of three layers: nonlinear layer, key addition layer, and linear-mixing layer. The Rijndael design is very simple, and its code is compact, which allows it to be used on a variety of platforms. It is the required algorithm for sensitive but unclassified U.S. government data.

RC4 A total of six RC algorithms have been developed by Ron Rivest. RC1 was never published, RC2 was a 64-bit block cipher, and RC3 was broken before release. RC4, also called ARC4, is one of the most popular stream ciphers. It is used in SSL and WEP. RC4 uses a variable key size of 40 to 2,048 bits and up to 256 rounds of transformation.

Asymmetric Asymmetric algorithms use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner. One of these keys encrypts the message, and the other decrypts the message.

In asymmetric cryptography, determining a user's private key is virtually impossible even if the public key is known, although both keys are mathematically related. However, if a user's private key is discovered, the system can be compromised.

Asymmetric algorithms can be referred to as dual-key or public-key cryptography.

Asymmetric systems provide confidentiality, integrity, authentication, and nonrepudiation. Because both users have one unique key that is part of the process, determining where the message originated is possible.

If confidentiality is the primary concern for an organization, a message should be encrypted with the receiver's public key, which is referred to as a secure message format. If authentication is the primary concern for an organization, a message should be encrypted with the sender's private key, which is referred to as an open message format. When using open message format, the message can be decrypted by anyone with the public key.

Perhaps the most widely known and used asymmetric algorithm is RSA. Other asymmetric algorithms include ElGamal, DSA, and Elliptic Curve Cryptography (ECC).

RSA RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers. RSA uses a 1,024- to 4,096-bit key and performs one round of transformation.

As a key exchange protocol, RSA encrypts a DES or AES symmetric key for secure distribution. RSA uses a one-way function to provide encryption/decryption and digital signature verification/generation. The public key works with the one-way function to perform encryption and digital signature verification. The private key works with the one-way function to perform decryption and signature generation. These processes will be covered in detail in the section "Public Key Infrastructure (PKI)."

Hashing Algorithms

A hash function runs data through a cryptographic algorithm to produce a one-way message digest. The size of the message digest is determined by the algorithm used. The message digest represents the data but cannot be reversed in order to determine the original data. Because the message digest is unique, it can be used to check data integrity.

A one-way hash function reduces a message to a hash value. A comparison of the sender's hash value to the receiver's hash value determines message integrity. If the resultant hash values are different, then the message has been altered in some way, provided that both the sender and the receiver used the same hash function. Hash functions do not prevent data alteration but provide a means to determine whether data alteration has occurred.

Hash functions do have limitations. If an attacker intercepts a message that contains a hash value, the attacker can alter the original message to create a second invalid message with a new hash value. If the attacker then sends the second invalid message to the intended recipient, the intended recipient will have no way of knowing that he received an incorrect message. When the receiver performs a hash value calculation, the invalid message will look valid because the invalid message was appended with the attacker's new hash value, not the original message's hash value. To prevent this from occurring, the sender should use a Message Authentication Code (MAC).

Encrypting the hash function with a symmetric key algorithm generates a keyed MAC. The symmetric key does not encrypt the original message. It is used only to protect the hash value. Figure 3.5 shows the basic steps of a hash function.

FIGURE 3.5 Hash process

Two major hash function vulnerabilities can occur: collisions and rainbow table attacks. A collision occurs when a hash function produces the same hash value on different messages. A rainbow table attack occurs when rainbow tables are used to reverse a hash by computing all possible hashes and looking up the matching value.

Because a message digest is determined by the original data, message digests can be used to compare different files to see whether they are identical down to the bit level. If a computed message digest does not match the original message digest value, then data integrity has been compromised.

Password hash values are often stored instead of the actual passwords to ensure that the actual passwords are not compromised.

When choosing which hashing function to use, it is always better to choose the function that uses a larger hash value. To determine the hash value for a file, you should use the hash function. As an example, let's suppose you have a document named crypto.doc that you need to ensure is not modified in any way. To determine the hash value for the file using the md5 hash function, you would enter the following command:

md5 crypto.doc

This command would result in a hash value that you should record. Later, when users need access to the file, they should always issue the md5 command listed to recalculate the hash value. If the value is the same as the originally recorded value, the file is unchanged. If it is different, then the file has been changed.

MD5 The MD5 algorithm produces a 128-bit hash value. It performs four rounds of computations. It was originally created because of the issues with MD4, and it is more complex than MD4. However, MD5 is not collision free. For this reason, it should not be used for SSL certificates or digital signatures. The U.S. government requires the usage of SHA-2 instead of MD5. However, in commercial usage, many software vendors publish the MD5 hash value when releasing software patches so customers can verify the software's integrity after download.

SHA-1 SHA-1 produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-1 corrected the flaw in SHA-0 that made it susceptible to attacks.

SHA-2 SHA-2 is actually a family of hash functions, each of which provides different functional limits. The SHA-2 family is as follows:

SHA-224: Produces a 224-bit hash value after performing 64 rounds of computations on 512-bit blocks.

SHA-256: Produces a 256-bit hash value after performing 64 rounds of computations on 512-bit blocks.

SHA-384: Produces a 384-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.

SHA-512: Produces a 512-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.

SHA-512/224: Produces a 224-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. The 512 designation here indicates the internal state size.

SHA-512/256: Produces a 256-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. Once again, the 512 designation indicates the internal state size.

HMAC A hash MAC (HMAC) is a keyed-hash Message Authentication Code (MAC) that involves a hash function with a symmetric key. HMAC provides data integrity and authentication. Any of the previously listed hash functions can be used with HMAC, with the HMAC name being appended with the hash function name, as in HMAC-SHA-1. The strength of HMAC is dependent upon the strength of the hash function, including the hash value size and the key size.

HMAC's hash value output size will be the same as the underlying hash function. HMAC can help to reduce the collision rate of the hash function. Figure 3.6 shows the basic steps of an HMAC process.

FIGURE 3.6 HMAC process
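The integrity check, the interception limitation and the HMAC remedy described above, carried through with the standard library as an added example that is not part of the study guide. The message, the rewritten message and the shared key are constructed here; the digest sizes come straight from hashlib and match the MD5, SHA-1 and SHA-2 figures given in the text.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Unkeyed message digest: the in-memory equivalent of `md5 crypto.doc`."""
    return hashlib.new(algorithm, data).hexdigest()


def output_bits(algorithm: str) -> int:
    """Hash value size in bits for a hashlib algorithm name (md5 -> 128, sha1 -> 160, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def unkeyed_check(data: bytes, recorded_digest: str, algorithm: str = "sha256") -> bool:
    # The file-integrity procedure above: recompute the digest and compare it
    # with the value recorded earlier.
    return hmac.compare_digest(digest_hex(data, algorithm), recorded_digest)


def hmac_tag(key: bytes, data: bytes, algorithm: str = "sha256") -> str:
    # HMAC-<hash>: the key protects the hash value; the message is not encrypted,
    # and the tag is the same size as the underlying hash output.
    return hmac.new(key, data, algorithm).hexdigest()


def hmac_check(key: bytes, data: bytes, tag: str, algorithm: str = "sha256") -> bool:
    # compare_digest runs in constant time, so the comparison leaks nothing about the tag.
    return hmac.compare_digest(hmac_tag(key, data, algorithm), tag)


def tamper_scenario(shared_key: bytes) -> dict:
    """Replay the limitation above once with a plain digest and once with HMAC.

    The sender ships a message with its digest and its HMAC tag. An interceptor
    replaces the message. A plain digest of the new message needs no secret, so
    the unkeyed check accepts the rewritten message; the HMAC cannot be
    recomputed without shared_key, so the keyed check rejects it."""
    original = b"Transfer 100 to account 1234"     # constructed sample
    rewritten = b"Transfer 900 to account 5678"    # constructed sample
    shipped_digest = digest_hex(original)
    shipped_tag = hmac_tag(shared_key, original)
    # The interceptor's replacement: the digest is trivial to recompute, the tag
    # can only be guessed.
    forged_digest = digest_hex(rewritten)
    forged_tag = hmac_tag(b"interceptor's guess", rewritten)
    return {
        "original_passes_digest": unkeyed_check(original, shipped_digest),
        "original_passes_hmac": hmac_check(shared_key, original, shipped_tag),
        "rewritten_passes_digest": unkeyed_check(rewritten, forged_digest),   # True: fooled
        "rewritten_passes_hmac": hmac_check(shared_key, rewritten, forged_tag),  # False: caught
    }


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512"):
        print(f"{name}: {output_bits(name)}-bit hash value")
    print(tamper_scenario(b"constructed shared secret"))
```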

Digital Signatures A digital signature is a hash value encrypted with the sender's private key. A digital signature provides authentication, nonrepudiation, and integrity. A blind signature is a form of digital signature where the contents of the message are masked before it is signed. Figure 3.7 shows the process.

FIGURE 3.7 Digital signature process

The process for creating a digital signature is as follows:

1. The signer obtains a hash value for the data to be signed.

2. The signer encrypts the hash value using his private key.

3. The signer attaches the encrypted hash and a copy of his public key in a certificate to the data and sends the message to the receiver.

The process for verifying the digital signature is as follows:

1. The receiver separates the data, encrypted hash, and certificate.

2. The receiver obtains the hash value of the data.

3. The receiver verifies that the public key is still valid using the PKI.

4. The receiver decrypts the encrypted hash value using the public key.

5. The receiver compares the two hash values. If the values are the same, the message has not been changed.

Public key cryptography, which is discussed later in this chapter, is used to create digital signatures. Users register their public keys with a certification authority (CA), which distributes a certificate containing the user's public key and the CA's digital signature. The digital signature is computed by the user's public key and validity period being combined with the certificate issuer and digital signature algorithm identifier.

The Digital Signature Standard (DSS) is a federal digital security standard that governs the Digital Security Algorithm (DSA). DSA generates a message digest of 160 bits. The U.S. federal government requires the use of DSA, RSA, or Elliptic Curve DSA (ECDSA) and SHA for digital signatures.

DSA is slower than RSA and provides only digital signatures. RSA provides digital signatures, encryption, and secure symmetric key distribution.

Key Exchange As you have learned, symmetric key algorithms are significantly more efficient at encrypting and decrypting data than are asymmetric algorithms. However, the best way to illustrate the hybrid cryptosystem is to explore the function of SSH.

Application: SSH Secure Shell (SSH) is an application and protocol that is used to remotely log into another computer using a secure tunnel. After a session key is exchanged and a secure channel is established, all communication between the two computers is encrypted over the secure channel. SSH is a solution that could be used to remotely access devices, including switches, routers, and servers.

SSH offers a good illustration of the use of asymmetric algorithms to generate and exchange a symmetric key and thereafter to use that key for data encryption. The steps are as follows:

1. The client connects to the server, and the server presents its public key to the client.

2. The client and server negotiate a group of settings that must match on both ends. It includes the symmetric algorithm they will use.

3. The client creates a random session key and encrypts it with the server's public key.

4. The client sends this encrypted session key to the server, and the server decrypts it using its private key.

Using the symmetric key, which they both now possess, the two start encrypting everything that goes on from this point, including the authentication process.

Public Key Infrastructure A public key infrastructure (PKI) includes systems, software, and communication protocols that distribute, manage, and control public key cryptography. A PKI publishes digital certificates. Because a PKI establishes trust within an environment, a PKI can certify that a public key is tied to an entity and verify that a public key is valid. Public keys are published through digital certificates.

Page 91: CCNA security study guide: exam 210-260

TheX.509standardisaframeworkthatenablesauthenticationbetweennetworksandovertheInternet.APKIincludestimestampingandcertificaterevocationtoensurethatcertificatesaremanagedproperly.APKIprovidesconfidentiality,messageintegrity,authentication,andnonrepudiation.

ThestructureofaPKIincludesCAs,certificates,registrationauthorities,certificaterevocationlists,andcross-certification.ThissectiondiscussesthesePKIcomponentsaswellasafewotherPKIconcepts.

Public and Private Keys

In public key cryptography, two keys are used, a public key and a private key. These two keys are not the same, but they are mathematically related in such a way that if you encrypt data with one of them, you can decrypt it with the other. Users and devices are issued public/private key pairs that are bound to a digital document called a digital certificate. This certificate (more specifically, the keys to which it is bound) can be used for a variety of things, including the following:

Encrypting data

As a form of authentication

Encryp ting email

Digitally signing software

Private Key

The private key that is generated as part of the key pair is made available only to the user or device to which it was issued. This key may be stored in software on the user's computer, or it might be stored on a smart card if it is to be used for authentication. At any rate, the key concept here is that it is available only to the user or device to which it was issued.

Public Key

The public key that is generated as part of the key pair is made available to anyone to whom the certificate is presented because it is part of the information contained in this digital document. In some cases, public keys may be kept in a repository so they can be requested by an entity if required. Regardless of the method used to obtain the public key, the key concept here is that it is available to anyone.

Putting It Together

These keys work together to perform both encryption and digital signatures. To provide encryption, the data is encrypted with the receiver's public key, which results in ciphertext that only the receiver's private key can decrypt. Figure 3.8 shows this process.

FIGURE 3.8 PKI encryption

To digitally sign a document, the sender creates what is called a hash value of the data being sent, encrypts that value with the sender's private key, and sends this value along with the message. The receiver decrypts the hash using the sender's public key. The receiver then, using the same hashing algorithm, hashes the message. The receiver then compares the decrypted hash value to the one just generated. If they are the same, the signature (and the integrity of the data) has been verified. Figure 3.9 shows this process.
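The same signing flow in code, as an added example that is not part of the book. Sign hashes the message with SHA-256 and transforms the hash with the sender's private key (RSA PKCS#1 v1.5 signing); Verify re-hashes the received message with the same algorithm and checks it against the signature using the sender's public key. The sample message and the second, unrelated key pair are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the sender's side of the flow: hash the message with SHA-256, then
// transform that hash with the sender's private key (RSA PKCS#1 v1.5 signing).
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Verify is the receiver's side: hash the received message with the same
// algorithm and check it against the signature using the sender's public key.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// Demo shows the three outcomes a receiver can see: the genuine message
// verifies, an altered message does not, and a signature checked against the
// wrong public key does not. The message and keys are constructed for the demo.
func Demo() (genuine, altered, wrongKey bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	msg := []byte("transfer 100 to account 42")
	sig, err := Sign(sender, msg)
	if err != nil {
		return
	}
	genuine = Verify(&sender.PublicKey, msg, sig)
	altered = Verify(&sender.PublicKey, []byte("transfer 900 to account 42"), sig)
	wrongKey = Verify(&someoneElse.PublicKey, msg, sig)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Because the signature covers the hash rather than the message, changing even one character of the message changes the hash and the verification fails; because it was made with the private key, no one else's public key will verify it, which is what ties the signature to the sender.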

FIGURE 3.9 PKI digital signature

Certificates

A digital certificate provides an entity, usually a user, with the credentials to prove its identity and associates that identity with a public key. At minimum, a digital certificate must provide the serial number, the issuer, the subject (owner), and the public key.

An X.509 certificate complies with the X.509 standard. An X.509 certificate contains the following fields:

Version

Serial Number

Algorithm ID

Issuer

Validity

Subject

Subject Public Key Info

Public Key Algorithm

Subject Public Key

Issuer Unique Identifier (optional)

Subject Unique Identifier (optional)

Extensions (optional)

Revocation

Certificates have a defined lifetime. When the validity period ends, the certificate must be renewed to continue to be valid. There are cases when a certificate must be revoked before its lifetime ends. Reasons for certificate revocation include the following:

Compromise of the associated keys

Improper issuance

Compromise of the issuing CA

Owner of the certificate no longer owning the domain for which it was issued

Owner of the certificate ceasing operations entirely

Original certificate being replaced with a different certificate from a different issuer

A certificate revocation list (CRL) is a list of digital certificates that a CA has revoked. To find out whether a digital certificate has been revoked, either the browser must check the CRL or the CA must push out the CRL values to clients. This can become quite daunting when you consider that the CRL contains every certificate that has ever been revoked.

One concept to keep in mind is the revocation request grace period. This period is the maximum amount of time between when the revocation request is received by the CA and when the revocation actually occurs. A shorter revocation period provides better security but often results in a higher implementation cost.

Uses

Certificates can be used for a variety of operations. These include authentication, encryption, digital signatures, and email, to name a few. VeriSign first introduced the following digital certificate classes:

Class 1: For individuals, intended for email. These certificates get saved by web browsers.

Class 2: For organizations that must provide proof of identity.

Class 3: For servers and software signing, in which independent verification and identity and authority checking is done by the issuing CA.

Class 4: For online business transactions between companies.

Class 5: For private organizations or governmental security.

Application: SSL/TLS

Certificates are often used when using SSL/TLS. Most modern systems today use TLS, but the term SSL is often still used to refer to the connection. SSL is used to protect many types of applications, the most common being HTTPS (as HTTP is called when used with SSL).

An SSL session is formed between a web server and the web browser of the client. Figure 3.10 depicts the process.

Certificate Authorities

A certification authority (CA) is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. Every entity that wants to participate in the PKI must contact the CA and request a digital certificate. It is the ultimate authority for the authenticity of every participant in the PKI and signs each digital certificate. The certificate binds the identity of the participant to the public key.

Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor's identity and registers the requestor. After the identity is verified, the RA passes the request to the CA. In many cases, the CA and the RA are the same server.

There are different types of CAs. Organizations exist that provide a PKI as a payable service to companies that need them. An example is VeriSign. Some organizations implement their own private CAs so that the organization can control all aspects of the PKI process. If an organization is large enough, it might need to provide a structure of CAs, with the root CA being the highest in the hierarchy.

Because more than one entity is often involved in the PKI certification process, certification path validation allows the participants to check the legitimacy of the certificates in the certification path.

When implementing a PKI, most organizations rely on a hierarchical chain-of-trust model that uses three components at minimum: certificate authorities (CAs), registration authorities (RAs), and a central directory/distribution management mechanism.

FIGURE 3.10 SSL process

A CA issues certificates that bind a public key to a specific distinguished name (DN) issued to the certificate applicant (user). Before issuing a certificate, however, the CA validates the applicant's identity.

When a subject's public certificate is received, the system must verify its authenticity. Because the certificate includes the issuer's information, the verification process checks to see whether it already has the issuer's public certificate. If not, it must retrieve it.

A root CA is at the top of the certificate signing hierarchy. VeriSign, Comodo, and Entrust are examples of public root CAs. For organizations that maintain their own PKI, the first CA created will be the root CA.

Using the root certificate, the system verifies the issuer signature and ensures that the subject certificate is not expired or revoked. If verification is successful, the system accepts the subject certificate as valid.

Root CAs can delegate signing authority to other entities. These entities are known as intermediate CAs. Intermediate CAs are trusted only if the signature on their public key certificate is from a root CA or can be traced directly back to a root. Because a root CA can delegate to intermediate CAs, a lengthy chain of trust can exist.

Any system receiving a subject certificate can verify its authenticity by stepping up the chain of trust to the root.

PKI Standards

Public Key Cryptography Standards (PKCS) were created by RSA Security. While they were created to help promote techniques for which RSA had patents, many of these standards have since been adopted as IETF standards. Table 3.2 shows the standards that have not since been abandoned or obsoleted.

TABLE 3.2 PKI standards

Standard | Version | Name | Description

PKCS #1 | 2.2 | RSA Cryptography Standard | Defines the mathematical properties and format of RSA public and private keys and the basic algorithms and encoding/padding schemes for performing RSA encryption and decryption and for producing and verifying signatures.

PKCS #3 | 1.4 | Diffie-Hellman Key Agreement Standard | A cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.

PKCS #5 | 2.0 | Password-Based Encryption Standard | Provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message-authentication schemes, and ASN.1 syntax identifying the techniques.

PKCS #7 | 1.5 | Cryptographic Message Syntax Standard | Used to sign and/or encrypt messages under a PKI. Formed the basis for S/MIME. Often used for single sign-on.

PKCS #8 | 1.2 | Private-Key Information Syntax Standard | Used to carry private certificate key pairs (encrypted or unencrypted).

PKCS #9 | 2.0 | Selected Attribute Types | Defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, and PKCS #10 certificate-signing requests.

PKCS #10 | 1.7 | Certification Request Standard | Format of messages sent to a certification authority to request certification of a public key.

PKCS #11 | 2.4 | Cryptographic Token Interface | Also known as Cryptoki. An API defining a generic interface to cryptographic tokens (see also hardware security module). Often used in single sign-on, public-key cryptography, and disk encryption.

PKCS #12 | 1.1 | Personal Information Exchange Syntax Standard | Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.

PKCS #15 | 1.1 | Cryptographic Token Information Format Standard | Defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS #11) or other API.

PKI Topologies

A PKI can consist of a single server that operates as RA and CA and is the root certificate server. But in very large environments, you may be advised to create a hierarchy of CAs. When this is done, a single CA will be the root CA and the top of the hierarchy. Underneath this would be a number of subordinate CAs that actually issue the certificates to the entities. The root CA creates and signs the certificates of the subordinate CAs, which creates a trust path up to the root. Figure 3.11 shows this arrangement.

FIGURE 3.11 PKI hierarchy

In some cases, two organizations may have a need to trust one another's certificates. This can be done by configuring cross certification. In cross certification, a trust is created between the two root CAs, which enables both systems to trust all certificates, as shown in Figure 3.12.

FIGURE 3.12 Cross certification

Certificates in the ASA

The Cisco Adaptive Security Appliance (ASA) makes use of certificates and the associated keys to protect the connection of the administrator to the ASA using the Adaptive Security Device Manager (ASDM) and to support SSL VPN clients. In this section, you'll learn about the default certificate that is present in the ASA, the process of adding a certificate and viewing the certificates that are present, and the use of the Simple Certificate Enrollment Protocol (SCEP).

Default Certificate

The ASA has a self-signed default certificate that can be used for the operations listed in the previous section. The issue with a self-signed certificate is that no browsers or devices will have the ASA listed as a trusted CA. Because of this, any HTTPS connections to the ASA will generate a warning message that the certificate being presented is not trusted. To avoid this issue, you can install a root certificate of the CA whose certificate is found in the browsers and devices that will interact with the ASA (either one that you own or a public CA).

Viewing and Adding Certificates in the ASDM

To view the current certificates in the ASDM, select Configuration at the top of the ASDM console and Device Management from the tabs on the left side of the console, as shown in Figure 3.13. As you can see, this ASA currently has no certificates installed other than the default.

FIGURE 3.13 Viewing certificates

To add a certificate, follow these steps:

1. In the Cisco ASDM Configuration Tool, select Configuration > Device Management > Certificate Management > CA Certificates.

2. Click Add. The Install Certificate dialog box appears. You have three options: install from a file, paste the information, or use SCEP. If the root CA represented by the root certificate supports SCEP, choose that option. Otherwise, use the next two steps.

3. Enter a trustpoint name or use the default name that appears in the box.

4. Click the Install From A File radio button and browse to the location of the Root.crt file that you are installing.

5. Click the More Options button, and here you can configure how certificate revocation will be checked, the protocols to be used for certificate verification, and other settings.

SCEP

Simple Certificate Enrollment Protocol is a protocol used for enrollment and other PKI operations. It is supported on most Cisco devices. It simplifies the process of obtaining and installing both the root and the identity certificates. The process to use SCEP is as follows:

1. Choose Configuration > Device Management > Certificate Management > Identity Certificates and click Add.

2. Click the Add A New Identity Certificate radio button and click the Advanced button.

3. In the Advanced box, on the Enrollment Mode tab, select Request From A CA and then enter the IP address of the CA that supports SCEP. Click OK.

4. In the Add A New Identity Certificate dialog box, select Add Certificate. If the enrollment is successful, you will receive an Enrollment Succeeded message.

Cryptanalysis

In cryptanalysis, cryptography attacks are categorized as either passive or active attacks. A passive attack is usually implemented just to discover information and is much harder to detect because it is usually carried out by eavesdropping or packet sniffing. Active attacks involve an attacker actually carrying out steps, such as message alteration or file modification. Cryptography is usually attacked via the key, algorithm, execution, data, or people. But most of these attacks are attempting to discover the key used.

Ciphertext-Only Attack

In a ciphertext-only attack, an attacker uses several encrypted messages (ciphertext) to figure out the key used in the encryption process. Although it is a common type of attack, it is usually not successful because so little is known about the encryption used.

Known Plaintext Attack

In a known plaintext attack, an attacker uses the plaintext and ciphertext versions of a message to discover the key used. This type of attack implements reverse engineering, frequency analysis, or brute force to determine the key so that all messages can be deciphered.

Chosen Plaintext Attack

In a chosen plaintext attack, an attacker chooses the plaintext to get encrypted to obtain the ciphertext. The attacker sends a message hoping that the user will forward that message as ciphertext to another user. The attacker captures the ciphertext version of the message and tries to determine the key by comparing the plaintext version he originated with the captured ciphertext version. Once again, key discovery is the goal of this attack.

Chosen Ciphertext Attack

A chosen ciphertext attack is the opposite of a chosen plaintext attack. In a chosen ciphertext attack, an attacker chooses the ciphertext to be decrypted to obtain the plaintext. This attack is more difficult because control of the system that implements the algorithm is needed.

Brute Force

As with a brute-force attack against passwords, a brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is difficult to complete.

Birthday Attack

A birthday attack uses the premise that finding two messages that result in the same hash value is easier than matching a message and its hash value. Most hash algorithms can resist simple birthday attacks.

Meet-in-the-Middle Attack

In a meet-in-the-middle attack, an attacker tries to break the algorithm by encrypting from one end and decrypting from the other to determine the mathematical problem used.
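Why the birthday premise holds, and why output length is the defense, can be measured rather than stated. The following added Go example (not from the book) searches for a collision and for a preimage on SHA-256 outputs truncated to n bits and compares the work with the expected values, about sqrt(pi/2 * 2^n) hashes for a collision but about 2^n for a preimage. The truncation widths, the counter inputs, and the preimage target are constructed for the demonstration; real hash algorithms resist the simple attack precisely because n is 256 or more, which is the point the text makes.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// TruncatedHash keeps only the leading bits of SHA-256(counter). The function
// itself is unchanged; only the output length is shortened so both searches
// finish in seconds and the gap between them can be measured.
func TruncatedHash(counter uint64, bits uint) uint64 {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	sum := sha256.Sum256(buf[:])
	return binary.BigEndian.Uint64(sum[:8]) >> (64 - bits)
}

// FindCollision hashes the inputs 0, 1, 2, ... and stops at the first pair of
// distinct inputs with the same truncated hash. It returns both inputs and the
// number of hashes computed.
func FindCollision(bits uint) (a, b, hashes uint64) {
	seen := make(map[uint64]uint64) // truncated hash -> first input that produced it
	for i := uint64(0); ; i++ {
		h := TruncatedHash(i, bits)
		if first, ok := seen[h]; ok {
			return first, i, i + 1
		}
		seen[h] = i
	}
}

// FindPreimage hashes inputs until one matches a fixed target value, the
// "match a message to its hash" problem that the text contrasts with a collision.
func FindPreimage(target uint64, bits uint) (input, hashes uint64) {
	for i := uint64(0); ; i++ {
		if TruncatedHash(i, bits) == target {
			return i, i + 1
		}
	}
}

// For an n-bit random function a collision is expected after about
// sqrt(pi/2 * 2^n) hashes, a preimage only after about 2^n.
func ExpectedCollisionHashes(bits uint) float64 { return math.Sqrt(math.Pi / 2 * math.Pow(2, float64(bits))) }
func ExpectedPreimageHashes(bits uint) float64  { return math.Pow(2, float64(bits)) }

func main() {
	const bits = 20
	a, b, n := FindCollision(bits)
	fmt.Printf("collision on a %d-bit hash: inputs %d and %d after %d hashes (expected ~%.0f)\n",
		bits, a, b, n, ExpectedCollisionHashes(bits))
	const target = 0xABCDE // constructed 20-bit target value
	in, m := FindPreimage(target, bits)
	fmt.Printf("preimage %d for target %#x after %d hashes (expected ~%.0f)\n",
		in, target, m, ExpectedPreimageHashes(bits))
}
```

On a 20-bit output the collision turns up after roughly a thousand hashes while the preimage takes around a million; every bit added to the output doubles the preimage work but only multiplies the collision work by the square root of two, which is why collision resistance, not preimage resistance, sets the output length a hash needs.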

Summary

In this chapter, you learned about symmetric and asymmetric key cryptography and how they differ. The chapter gave examples of each type of algorithm, and you learned how they can work together in a hybrid system. You also learned about the hashing process and looked at the major hashing algorithms. There was coverage of PKI and the components that make it function. Finally, you learned about common attacks on cryptography.

Exam Essentials

Differentiate between symmetric and asymmetric key cryptography. This includes the types of keys used, the scenarios in which they are used, and the disadvantages and advantages of each.

Describe the hashing process. This includes how hashing algorithms work, examples of hashing algorithms, and the role of hashing in digital signatures.

Explain the role of a PKI. Describe the components of a PKI, the certificate enrollment process, and the use of public and private keys in the process.

Define cryptanalytic attacks. These include ciphertext-only attack, chosen plaintext, chosen ciphertext, brute force, birthday, and meet-in-the-middle.

Review Questions

1. Which of the following is not true of symmetric algorithms?

A. They use a public key.

B. They are faster than asymmetric algorithms.

C. They present key exchange issues.

D. They are typically used for data at rest.

2. Which of the following is not true of asymmetric algorithms?

A. They provide automatic key exchange.

B. They are typically used for data at rest.

C. They use a private and public key.

D. They are slower than symmetric algorithms.

3. Which of the following is not an advantage of block ciphers?

A. The implementation is easier than stream-based cipher implementation.

B. Generally they are less susceptible to security issues.

C. Generally they are used more in software implementations.

D. They employ only substitution.

4. Which of the following ciphers perform encryption on a bit-by-bit basis?

A. Block

B. Stream

C. Asymmetric

D. Polyalphabetic

5. Which of the following is used to ensure that patterns are not produced during encryption?

A. IVs

B. HMAC

C. RC4

D. Salting

6. In which of the following modes of DES is every 64-bit block encrypted with the same key?

A. CBC

B. ECB

C. ECC

D. CFB

7. Which of the following is the replacement algorithm for 3DES?

A. Blowfish

B. AES

C. IDEA

D. RC4

8. Which of the following is the most popular asymmetric algorithm?

A. RSA

B. ElGamal

C. DSA

D. ECC

9. Which of the following occurs when a hash function produces the same hash value on different messages?

A. Birthday attack

B. Key exposure

C. Collision

D. Substitution

10. Which of the following hashing algorithms is required by the U.S. government?

A. MD4

B. MD5

C. SHA1

D. SHA2

11. Which of the following can help to reduce the collision rate of the hash function?

A. MAC

B. HMAC

C. Digital signatures

D. Substitution

12. Which of the following is a hash value encrypted with the sender's private key?

A. Salt

B. Nonce

C. Digital signature

D. HMAC

13. Which of the following is true of a hybrid cryptosystem?

A. Asymmetric algorithms are used for the key exchange.

B. Symmetric keys are used for the key exchange.

C. Asymmetric keys are used for the data encryption.

D. Asymmetric keys are exchanged automatically.

14. Which of the following is a digital document binding a key pair to an entity?

A. Certificate

B. Nonce

C. Salt

D. IV

15. Which of the following is the standard for digital certificates?

A. X.500

B. X.509

C. IEEE 509

D. RFC 500

16. Which of the following is a list of digital certificates that a CA has revoked?

A. OCSP

B. CRL

C. SCEP

D. REVC

17. Which of the following certificate classes is for individuals intended for email?

A. 1

B. 2

C. 3

D. 4

18. Which of the following PKI components verifies the requestor's identity?

A. CA

B. RA

C. DN

D. CN

19. Which of the following can be used to allow one root CA to trust another root CA's certificates?

A. Subordination

B. Cross certification

C. Certlink

D. Trust

20. What type of certificate does the ASA use out of the box?

A. Public

B. Self-signed

C. Globally trusted

D. Locally trusted

Chapter 4
Securing the Routing Process

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

4.1 Security on Cisco routers

Configure multiple privilege levels

Configure Cisco IOS role-based CLI access

Implement Cisco IOS resilient configuration

4.2 Securing routing protocols

Implement routing update authentication on OSPF

4.3 Securing the control plane

Explain the function of control plane policing

To provide secure routing and switching, the routers and switches themselves must be secured. Leaving them in a vulnerable state can render all other security implementations useless because unauthorized access can allow a malicious individual to alter all the security settings that are in place. Additionally, when routers are exchanging routing updates, any unauthenticated updates can reveal important information about your network to anyone who convinces your router to perform a routing update. In this chapter, you will explore functionality you should take advantage of to secure access to the devices, to secure routing updates, and to secure the control plane.

In this chapter, you will learn the following:

Securing Cisco routers

Securing routing protocols

Securing Router Access

Securing administrative access to the router is the first step in securing the routing process. This prevents unauthorized access to the router, which will ensure that the configuration of the router cannot be altered. In this section, you'll learn about configuring secure administrative access using several tools.

First I'll discuss how to configure an encrypted session with the router using SSH rather than Telnet (which transmits in clear text). Next I'll talk about controlling the operations of each individual technician by assigning privilege levels. As privilege levels do not meet the needs of all environments, you'll also look at a way to get more granular with the assignment of tasks by authorizing functions via a command-line interface (CLI) with role-based CLI. Finally, I'll discuss how to protect the configuration of the router using the Cisco IOS resilient configuration feature.

Configuring SSH Access

While Telnet can certainly be used to manage a router, this remote access technology transmits everything in clear text, making it unsuitable in today's environments. For this reason, you should always use Secure Shell (SSH) for secure remote access. The SSH server on the router will require an RSA public/private key pair to use in the process of encrypting the traffic. It can generate this key pair but must have certain information configured before it can do so because it uses this information as the label for the key pair.

Therefore, the high-level steps to set up SSH are as follows:

1. Set the router name.

2. Set the router domain name.

3. Generate the RSA key.

Here are the actual commands:

Router(config)# hostname R63

R63(config)# ip domain-name mcmillan.com

R63(config)# crypto key generate rsa ?
  encryption    Generate a general purpose RSA key pair for signing and encryption
  exportable    Allow the key to be exported
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  on            create key on specified device.
  redundancy    Allow the key to be synced to high-availability peer
  signature     Generate a general purpose RSA key pair for signing and encryption
  storage       Store key on specified device
  usage-keys    Generate separate RSA key pairs for signing and encryption

R63(config)# crypto key generate rsa modulus 1024
The name for the keys will be: R63.mcmillan.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R63(config)#
*Mar 28 18:32:09.095: %SSH-5-ENABLED: SSH 1.99 has been enabled

In these steps, you can see I created a name, R63; set the domain name to mcmillan.com; and generated a key. The modulus keyword I used sets the length of the key, which in this case is 1,024 bits. Notice the syslog message that indicates SSH version 1.99 has been enabled. This indicates it is a version 2 server, which can accept connections from SSH version 1 devices.

Next you need to do the following:

1. Create a username and password for each user who needs SSH access.

2. Configure line vty to only accept SSH connections.

R63(config)# username troy secret mac

R63(config)# line vty ?
  <0-1114>  First Line number

R63(config)# line vty 0 1114

R63(config-line)# login local

R63(config-line)# transport input ssh

R63(config-line)#

Notice that I created a user named troy with a password of mac. You can create a single account to be shared by all authorized technicians and name it something like admin, or you can create separate accounts for each user. Separate accounts will provide accountability.

Also notice that when I entered line vty mode, I checked to see how many vty lines this device has so that when I run the command to enter that mode, the commands I apply will apply to all lines. The command login local tells the router that all user accounts will be found locally on this router and not on a remote server. That's why I needed to create the local account that I did. Finally, I set the router to only accept SSH connections with the last command.
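A defender will want to confirm that these settings actually made it into the running configuration, across every router. The following added Go example (not from the book) audits an IOS-style configuration text for the items configured above: a non-default hostname and a domain name (both needed before the RSA key pair can be generated), a local username with a secret, and vty lines that carry login local and transport input ssh. It also looks for ip ssh version 2, a command the text does not show, to flag the 1.99 mode that still accepts version 1 clients; treat that check as the author's addition. Both sample configurations are constructed, not captured from a device.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one result from auditing a router's running configuration.
type Finding struct{ Check, Detail string }

// Constructed sample configurations, not captured from real devices: a router
// left near its defaults, and one configured as described in the text.
const WeakConfig = `hostname Router
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end`

const HardenedConfig = `hostname R63
ip domain-name mcmillan.com
ip ssh version 2
username troy secret mac
!
line vty 0 1114
 login local
 transport input ssh
!
end`

// AuditRemoteAccess checks an IOS-style running config for the remote access
// settings covered in the text and returns each one that is missing or weak.
func AuditRemoteAccess(config string) []Finding {
	var out []Finding
	add := func(check, detail string) { out = append(out, Finding{check, detail}) }
	matches := func(pattern string) bool { return regexp.MustCompile("(?m)^" + pattern).MatchString(config) }

	if host := regexp.MustCompile(`(?m)^hostname (\S+)`).FindStringSubmatch(config); host == nil || host[1] == "Router" {
		add("hostname", "hostname missing or still the default; the RSA key is labelled hostname.domain")
	}
	if !matches(`ip domain-name \S+`) {
		add("domain-name", "ip domain-name not set; required before the RSA key pair can be generated")
	}
	if !matches(`username \S+ secret `) {
		add("local-user", "no local username with a secret for login local to authenticate against")
	}
	if !matches(`ip ssh version 2`) {
		add("ssh-version", "SSH server runs in 1.99 mode and still accepts version 1 clients")
	}
	// Each "line vty" section owns the indented lines that follow it.
	lines := strings.Split(config, "\n")
	for i, l := range lines {
		if !strings.HasPrefix(l, "line vty") {
			continue
		}
		sshOnly, loginLocal := false, false
		for j := i + 1; j < len(lines) && strings.HasPrefix(lines[j], " "); j++ {
			switch cmd := strings.TrimSpace(lines[j]); {
			case cmd == "transport input ssh":
				sshOnly = true
			case strings.HasPrefix(cmd, "transport input"):
				add("transport", fmt.Sprintf("%s: %q permits non-SSH access", l, cmd))
				sshOnly = true // already reported; do not report it twice
			case cmd == "login local":
				loginLocal = true
			}
		}
		if !sshOnly {
			add("transport", l+": transport input is not restricted to ssh")
		}
		if !loginLocal {
			add("login", l+": login local is missing, so local accounts are not used")
		}
	}
	return out
}

// HasFinding reports whether the audit raised the named check.
func HasFinding(findings []Finding, check string) bool {
	for _, f := range findings {
		if f.Check == check {
			return true
		}
	}
	return false
}

func main() {
	for _, f := range AuditRemoteAccess(WeakConfig) {
		fmt.Printf("%-12s %s\n", f.Check, f.Detail)
	}
	fmt.Println("findings on hardened config:", len(AuditRemoteAccess(HardenedConfig)))
}
```

Run against the output of show running-config saved to a file, the checks map one to one onto the commands in this section, so a clean result means the device is configured the way the text describes and a finding names the command that is missing.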

Configuring Privilege Levels in IOS

Privilege levels allow you to assign a technician sets of activities that coincide with the level the technician has been assigned. There are 16 levels, from 0 to 15. When you are in user mode (router>), you are at privilege level 1. When you are in privileged mode (router#), you are at level 15.

You can assign levels between 0 and 15, and by linking these levels with commands, you can control the activities of each technician. This can be done on both IOS devices and on the Cisco Adaptive Security Appliance (ASA), although the details of each process are slightly different. Privilege levels are created at the global configuration prompt, router(config)#. When a level is created, you also add a command at the same time, which means if you are adding multiple commands to the level, you will run the privilege command several times. Once a level is created, access to that level is obtained by entering a password assigned to that level. From a high level, here are the steps required:

1. Create the level and assign a command to that level.

2. Assign any additional commands to the level.

3. Set a password for the level.

4. Provide the level number and password to the technician (or technicians) who will use it.

First I will create a level numbered 12, and I will assign the show interfaces command to it. Notice that when I do this, I have to assign the command to the level where it is usually executed, in this case privilege exec level.

router(config)# privilege exec level 12 show interfaces

To demonstrate how to assign a command that is executed at a different level, I am now going to add the interface configuration command, and since that command is executed normally at the global configuration mode, I will use the configure keyword when I add it.

router(config)# privilege configure level 12 interface

My intent is to allow this technician to change IP addresses on interfaces, so I need to assign him that command. Since the ip command (along with the parameter address) is executed after entering interface configuration mode, I have to reference interface in the command, as shown here:

router(config)# privilege interface level 12 ip

Now I'm ready to assign a password for level 12 that I just created. That is done the same way any enable secret password is created, adding the level to which it applies as shown next (otherwise it will apply to level 15 as it usually does). The password I set is wordpass.

router(config)# enable secret level 12 wordpass

Once I provide the level number and password to the technician, he will use the password to enter the privilege level as shown here, making it possible to use those commands and no others. To verify the application of the level, he can type show privilege as is also shown.

router# enable 12
password: wordpass

router# show privilege
Current privilege level is 12

If he attempts to use any other commands, he will receive the error message shown here:

router# show run
             ^
% invalid input detected at '^' marker.

Configuring IOS Role-Based CLI

Another option you can use to control the operations of technicians is a role-based CLI. Using this approach, you can create roles, implemented as sets of operations called parser views. The only view that exists by default is called root, which, as you would expect, allows access to all commands. Access to this view is provided when you submit the enable secret password.

Once a parser view is created, you can permit access to the view with a password. This makes it simple to onboard a new technician by assigning him the role he will play in the network. Every technician granted the role will have the same set of operations available.

From a high level, here are the steps required:

1. Create and name the parser view.

2. Assign a password to the parser view.

3. Assign commands to the parser view.

4. Provide the parser view name and password to technicians in the role.

First I will create a view called OSPFAdmin.

R63(config)# parser view OSPFAdmin

R63(config-view)#

Notice the prompt has changed, and now any commands I run will affect only this view. At this prompt I can both set a password and assign commands to the view. First I'll assign a password.

R63(config-view)# secret OSPFp@$$

R63(config-view)#

Now I will assign commands. I won't assign all commands required to manage OSPF, just enough to show you how it's done. You must ensure that you have provided all commands required for the role.

R63(config-view)# commands exec include all show

R63(config-view)# commands exec include all debug ip ospf

R63(config-view)# commands exec include all no debug

R63(config-view)# commands exec include all undebug

R63(config-view)# commands configure include router ospf

I have allowed access in exec mode to all show commands and to the debug ip ospf commands required. Then I allowed access to the router ospf command, which will include all commands within that context. After a technician has been assigned this role, he will access the role using the following commands. Notice that you can verify the application of the role by using the show parser view command.

R63# enable view OSPFAdmin
Password: OSPFp@$$

R63# show parser view
Current view is 'OSPFAdmin'

Implementing Cisco IOS Resilient Configuration

While securing access to the router should be enough to effectively protect the configuration of the router, there is an additional way to prevent unwanted changes to the configuration. The IOS resilient configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.

The configuration of this feature can be done with two commands. One enables protection of the boot image, and the other enables protection of the startup configuration. To enable protection of the boot image, issue the following command:

R64(config)# secure boot-image
*April 2 14:24:50.231: %IOS_Resilience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image

Notice the system message indicating the boot image is protected. To enable protection of the startup configuration, issue the following command:

R64(config)# secure boot-config
*April 2 14:24:50.231: %IOS_Resilience-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20140131-14259.ar]

Once these two items are secured (called the secure bootset), you cannot update the startup configuration without removing the secure configuration long enough to make the change and then resecuring it as was done in the first place. To remove the secure startup configuration, execute the following command:

R64(config)# no secure boot-config
*April 2 14:34:50.231: %IOS_Resilience-5-CONFIG_RESIL_INACTIVE: Disabled secure config archive [removed flash:.runcfg-20140131-14259.ar]

When finished making changes, execute the secure boot-config command to secure the configuration again.

But what do you do if the worst happens and the startup configuration is deleted? It can be restored, but you must know the location of the secure boot configuration, and you must reference it in the command. To identify its name and location, execute the following command:

R64# show secure bootset
IOS resilience router id FTX1125A67x

IOS image resilience version 12.4 activated at 14:24:50 UTC Mon April 2 2017
Secure archive flash:/c2800nm-advipservicesk9-mz.124-25e.bin type is image (elf) []
  Runnable image, entry point 0x8000F000, run from ram

IOS image resilience version 12.4 activated at 14:24:50 UTC Mon April 2 2017
Secure archive flash:.runcfg-20140131-14259.ar type is config
Configuration archive size 4060 bytes

With the location of the secure configuration in hand, now run the following command to restore the configuration:

R64(config)# secure boot-config restore flash:.runcfg-20140131-14259.ar
ios resilience: configuration successfully restored as flash:.runcfg-20140131-14259.ar

In case you were already wondering what would stop a hacker from using these commands, it is worth knowing that these commands can be run only from the console connection.

Implementing OSPF Routing Update Authentication

One of the ways in which a malicious individual may attempt to gather information about your network is to enable the routing protocol in use on a workstation and convince your routers to allow the workstation to become a routing neighbor, allowing the malicious individual to receive routing updates from your routers. As if this isn't enough to be concerned about, he may also convince your routers to accept a malicious routing update from his workstation, which could pollute the routing tables of your routers. If this occurs, it could result in an inability of the routers to properly route, which would be a form of denial-of-service attack. Moreover, he could inject routes that cause traffic to be directed to him as a prelude to a man-in-the-middle attack.

To prevent this, you can configure the routers to authenticate one another when performing routing updates. In the following two sections, you'll learn how to do this for the two most commonly used interior routing protocols, OSPF and EIGRP.

Implementing OSPF Routing Update Authentication

OSPF routing updates are secured using a hashing algorithm. You can use either MD5 or SHA-256 HMAC. Be aware, however, that some devices may support only MD5. The following are the high-level steps to configuring this:

1. Define a key chain (a key chain can be used to hold multiple keys if required).

2. Define a key by number that will reside on the key chain.

3. Specify the key characters of the key.

4. Specify the hashing algorithm.

5. Apply the key chain to an interface.

While key chain names and the key numbers do not have to match on the two routers on either end of the link, the key strings and the hashing algorithms must match!

In the following example, I'm going to use MD5 for the configuration. I will first configure router R64 and then router R65 on the other end of the link. The first step is to configure the key chain as shown here. The key chain on R64 will be ospf-keys.

R64(config)# key chain ospf-keys

R64(config-keychain)#

Notice the prompt has changed, and I am now in key chain configuration mode, which is where I will define the key number as follows. The number I am using is 1.

R64(config-keychain)# key 1

R64(config-keychain-key)#

Again, the prompt has changed, and I am in key 1 configuration mode, which is where I define the characters in the key, called the key string. The string I am using is troymac.

R64(config-keychain-key)# key-string troymac

R64(config-keychain-key)#

The next step is to tell the router the algorithm (MD5) to use for this key, which is done at the same key 1 prompt.

R64(config-keychain-key)# cryptographic-algorithm md5

R64(config-keychain-key)#

The final step is to apply the key chain to the interface that connects to router R65.

R64(config-if)# ip ospf authentication key-chain ospf-keys

R64(config-if)#

Keep in mind that while one of the routers is set to use authentication and the other has not yet been configured, routing updates will fail, and the devices will no longer be OSPF neighbors. This will resolve itself as soon as the other router is correctly configured.

TheconfigurationcanbethesameonrouterR65,butI’mgoingtochangetwoofthevaluesthatdonothavetomatchjusttoshowthattheydon’thavetomatch,whilekeepingthevaluesthatdohavetomatch(thekeystringandthehashingalgorithm)thesame.ThefollowingistheentiresetofcommandsonR65:

R65(config)#key-chainrouter-keys

R65(config-keychain)#key2

R65(config-keychain-key)#key-stringtroymac

R65(config-keychain-key)#cryptographic-algorithmmd5

R65(config-keychain-key)#end

R65(config)#intg0/1

R65(config-if)#ipospfauthenticationkey-chainrouter-keys

Page 115: CCNA security study guide: exam 210-260

ImplementingEIGRPRoutingUpdateAuthenticationConfiguringEIGRProutingupdateauthenticationissimilartoOSPF.However,OSPFspecifiesthehashingalgorithmsinthesamemodewhereyouspecifythekeystring,butinEIGRPyouspecifythatontheinterface.ThefollowingarethecommandsforR64andR65.Additionally,whenyouspecifythealgorithm,youspecifytheEIGRPASnumberinthesamecommand.Inthefollowingexamples,thatASnumberis66.Noticethat,again,thekeychainnamesandkeynumbersdonothavetomatch,whilethekeystringandhashingalgorithmsdohavetomatch.

R64(config)#key-chainrouter-keys

R64(config-keychain)#key1

R64(config-keychain-key)#key-stringtroymac

R64(config-keychain-key)#end

R64(config)#intg0/2

R64(config-if)#ipauthenticationkey-chainrouter-keys

R64(config-if)#upauthenticationmodeeigrp66md5

R65(config)#key-chainEIGRP-keys

R65(config-keychain)#key2

R65(config-keychain-key)#key-stringtroymac

R65(config-keychain-key)#end

R65(config)#intg0/1

R65(config-if)#ipauthenticationkey-chainEIGRP-keys

R65(config-if)#ipauthenticationmodeeigrp66md5

Securing the Control Plane

There are four types of packets that a router may encounter, and they operate in four "planes" of the router. The four planes and the types of packets that operate in these planes are as follows:

Data Plane Packets
These are end-station, user-generated packets that are always forwarded by network devices to other end-station devices.

Control Plane Packets
These are network device-generated or received packets that are used for the creation and operation of the network itself. Examples include protocols such as ARP, BGP, and OSPF.

Management Plane Packets
These are network device-generated or received packets or management station-generated or received packets that are used to manage the network. Examples are Telnet, SSH, TFTP, SNMP, FTP, NTP, HTTP, HTTPS, and other protocols used to manage the device and/or network.

Services Plane Packets
A subset of data plane packets, services plane packets are also user-generated packets that are forwarded by network devices to other end-station devices. Examples include such functions as GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption.

The concern in this section is with the protection of access to the control plane, which includes the hardware and software that supports routing and the management of the device. Packets in the control plane are those that are either destined for the router itself or generated by the router. If access to the control plane is not protected, routing table corruption, changes to the router configuration, and DoS attacks on the router may result.

Control Plane Policing

Control plane policing (CoPP) is a Cisco IOS feature that can be implemented to prevent these issues. Its implementation is an advanced topic not covered in the exam objectives; however, an understanding of its use is included in the exam objectives.

CoPP treats the control plane as a stand-alone entity with its own ingress and egress ports. It allows for the implementation of controls at the ingress port to the control plane. Figure 4.1 shows the relationship between those control plane ingress and egress ports and the physical interfaces. It also shows the paths taken by the four types of traffic discussed in the previous section.

FIGURE 4.1 CoPP

Notice that three types of traffic can be controlled by CoPP, that is, management, control, and services traffic. Also notice that when access control lists (ACLs) are applied to the ingress physical interface and CoPP has also been applied, CoPP comes into play only for traffic that was allowed through the ingress physical interface ACL. As you can see, ultimately CoPP is designed to protect the route processor. Controls can be implemented that allow and disallow certain types of traffic and can also be used to rate-limit the traffic so as to prevent a DoS attack.

When CoPP is configured, the configuration follows the Cisco Modular QoS CLI (MQC). In this model, three mechanisms are used.

Class Maps
Used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map.

Policy Maps
Used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit.

Service Policies
Used to specify where the policy map should be implemented.

Figure 4.2 shows the relationship between these mechanisms.

FIGURE 4.2 Modular policy framework

This framework is used for other features as well, such as QoS and traffic shaping.
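To make the three MQC mechanisms concrete, here is an added CoPP configuration (example code, not from the book): ACLs and class maps classify the traffic, the policy map applies an allow, a block, and a rate-limit, and the service policy attaches the policy to the control plane. The ACL and class names, the 10.1.1.0/24 management subnet, and the police rates are constructed values.

```cisco
! Step 1: ACLs describe the traffic. 10.1.1.0/24 is a constructed admin subnet.
ip access-list extended COPP-MGMT-ACL
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
!
ip access-list extended COPP-ROUTING-ACL
 permit ospf any any
 permit eigrp any any
!
ip access-list extended COPP-TELNET-ACL
 permit tcp any any eq telnet
!
! Caution: a "deny" entry in a CoPP ACL does not drop anything; it only keeps
! the packet out of that class, so it falls through to class-default.
!
! Step 2: class maps turn the ACLs into classes
class-map match-any COPP-ROUTING
 match access-group name COPP-ROUTING-ACL
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-any COPP-TELNET
 match access-group name COPP-TELNET-ACL
!
! Step 3: the policy map states the action per class
policy-map COPP-POLICY
 ! allow: routing protocol packets are never dropped, only counted
 class COPP-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 ! rate-limit: SSH/SNMP from the admin subnet above 128 kbps is dropped
 class COPP-MGMT
  police 128000 conform-action transmit exceed-action drop
 ! block: Telnet to the route processor is dropped whether it conforms or not
 class COPP-TELNET
  police 8000 conform-action drop exceed-action drop
 ! everything else is rate-limited hard so a flood cannot starve the CPU
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
! Step 4: the service policy binds the policy map to the control plane ingress port
control-plane
 service-policy input COPP-POLICY
```

show policy-map control-plane displays per-class conform and exceed counters, which is the quickest way to confirm that routing and management traffic land in the intended class rather than in class-default.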

Summary

In this chapter, you learned about methods for securing administrative access to the router or switch. You also learned how IOS privilege levels and IOS role-based CLI can be used to specify allowed actions. The Cisco IOS resilient configuration feature and its benefits were introduced. You also learned how to configure authentication for router updates for both OSPF and EIGRP. Finally, the chapter discussed how control plane policing can be used to control access to the control plane.

Exam Essentials

Secure administrative access to the router. Complete the steps required to use Secure Shell to administer the router. These steps include setting the router name and domain name and generating the RSA key. It also includes specifying the use of SSH on the vty lines.

Control administrative actions. Configure IOS privilege levels and IOS role-based CLI to specify actions allowed by technicians when maintaining the router.

Implement Cisco IOS resilient configuration. Protect the integrity and availability of both the IOS and the startup configuration by configuring the Cisco IOS resilient configuration feature.

Implement OSPF routing update authentication. Describe the steps involved in configuring authentication between two OSPF routers that is invoked at each routing update.

Implement EIGRP routing update authentication. Describe the steps involved in configuring authentication between two EIGRP routers that is invoked at each routing update.

Describe the benefits of securing the control plane. Understand the dangers that confront the control plane of a router and how control plane policing can be used to control access to the control plane and prevent attacks on it.

Review Questions

1. Which of the following is not a required step when configuring a router for SSH access?
A. Set the router name.
B. Generate the RSA key.
C. Set the router domain name.
D. Set the router loopback IP address.

2. Which of the following statements is true of the following system message?

R63(config)#
*Mar 28 18:32:09.095: %SSH-5-ENABLED: SSH 1.99 has been enabled

A. This router will accept connections only from SSH version 1 devices.
B. This router will accept connections only from SSH version 2 devices.
C. This router will accept connections from SSH version 1 or SSH version 2 devices.
D. This router is an SSH version 1 device.

3. Which statement is false with regard to this configuration?

R63(config)#line vty 0 1114
R63(config-line)#login local
R63(config-line)#transport input ssh
R63(config-line)#

A. vty line 67 is affected by this configuration.
B. The user accounts for access to the vty lines are contained on this router.
C. Only SSH is allowed to be used on the vty lines.
D. SSH access will be controlled by a TACACS+ server.

4. Which of the following statements is true with regard to privilege levels in the IOS?
A. There are 16 privilege levels.
B. Level 16 is user mode.
C. Level 0 is privileged mode.
D. Privilege levels can be defined on routers but not ASA devices.

5. Which of the following commands allows the technician to whom the privilege level will be assigned to only change IP addresses?
A. privilege exec level 12 show interfaces
B. privilege configure level 12 interface
C. privilege interface level 12 ip
D. enable secret level 12 wordpass

6. Which of the following is the only parser view that exists by default?
A. admin
B. root
C. exec
D. priv

7. Which of the statements is true with regard to the following configuration?

R64(config)#secure boot-image
*April 2 17:24:50.231: %IOS_Reslience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image

A. It secures the startup configuration.
B. It secures the IOS image.
C. It secures both the IOS image and the startup configuration.
D. It secures nothing until an additional command is run.

8. Which of the following statements is false with regard to the Cisco IOS resilient configuration?
A. The IOS image and the startup configuration are called the secure bootset when protected.
B. Once secured, the configuration cannot be removed.
C. To restore the bootset, you must know its location.
D. To restore the bootset, you must know its name.

9. Which of the following can be done only from a console connection?
A. Set up SSH.
B. Remove a secure bootset configuration.
C. Create a privilege level.
D. Generate an SSH key.

10. Which of the following hashing algorithms are used to implement OSPF routing update authentication?
A. MD4
B. MD5
C. SHA1
D. SHA2

11. Which of the following configuration settings must match in the two routers when configuring OSPF routing update authentication?
A. Key chain name
B. Key number
C. Key string
D. Router passwords

12. To which component is the key chain applied when configuring OSPF routing update authentication?
A. Routing protocol
B. Hashing algorithm
C. Interface
D. Key

13. To which component is the key applied when configuring OSPF routing update authentication?
A. Routing protocol
B. Hashing algorithm
C. Interface
D. Key chain

14. To which component is the hashing algorithm applied when configuring OSPF routing update authentication?
A. Key
B. Hashing algorithm
C. Interface
D. Key chain

15. How is configuring EIGRP routing update authentication different from OSPF?
A. OSPF specifies the hashing algorithms in the same mode where you specify the key string; in EIGRP, that is specified on the interface.
B. EIGRP specifies the hashing algorithms in the same mode where you specify the key string; in OSPF, that is specified on the interface.
C. OSPF specifies the key chain in the same mode where you specify the key string; in EIGRP, that is specified on the interface.
D. OSPF specifies the key chain in the same mode where you specify the key string; in EIGRP, that is specified on the hashing algorithm.

16. When you specify the algorithm for EIGRP route update authentication, you also specify what value in the same command?
A. Process ID
B. AS number
C. Area ID
D. Interface number

17. Which packet type comes from end stations to be forwarded by the router?
A. Data plane
B. Control plane
C. Management plane packets
D. Services plane packets

18. Which of the following is an example of control plane packets?
A. Data to be routed
B. OSPF updates
C. Telnet packets
D. Packets forwarded by network devices to other end-station devices

19. Packets that are either destined for the router itself or generated by the router are in which plane?
A. Data plane
B. Services plane
C. Control plane
D. Services plane

20. When CoPP is configured, the configuration follows the Cisco Modular QoS CLI (MQC). In this model, which mechanism specifies the actions to be taken on the specified traffic type?
A. Class map
B. Policy map
C. Service policy
D. Action map

Chapter 5
Understanding Layer 2 Attacks

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

4.4 Common Layer 2 attacks

Describe STP attacks
Describe ARP spoofing
Describe MAC spoofing
Describe CAM table (MAC address table) overflows
Describe CDP/LLDP reconnaissance
Describe VLAN hopping
Describe DHCP spoofing

To prevent a certain type of attack, you must understand the attack. Attacks can occur at a number of different layers of the TCP/IP model. When I discuss layer 2 attacks, I am talking about attacks that use layer 2 addresses (MAC addresses) or that are aimed at protocols that operate at layer 2. Finally, some layer 2 attacks take advantage of layer 3 services such as DHCP, but they do so within a local subnet and thus are also called layer 2 attacks. In this chapter, I'll describe how a number of layer 2 attacks occur. In the next chapter, I'll discuss mitigations for these attacks.

In this chapter, you will learn the following:

Common layer 2 attacks

Understanding STP Attacks

Spanning Tree Protocol (STP) is used to prevent switching loops that can occur when there is redundancy built into the switching network. Since redundancy is a desirable design concept, STP is a feature that you cannot live without. Unfortunately, there is an attack on the switching network that takes advantage of the operations of STP. The good news is that Cisco has developed several responses to these attacks, but you must understand the attacks and how the features address the vulnerabilities to properly implement these safeguards. In this chapter, I'll discuss the attacks and how they work, and in Chapter 6 I'll cover the implementation of the mitigations.

STP attacks target the loop-free switching topology that is created by the switches using the bridge protocol data units (BPDUs) upon which STP is based. These BPDUs are used by the switches to select the root bridge and thereafter to select the switch ports that are forwarding and those that are blocking. These BPDUs are also used when a change in the topology occurs (such as a link going down) to establish a new loop-free topology based upon the remaining links.

While link issues can cause a change in the topology, another event can cause this as well, and that is the introduction of a new switch in the network that possesses a higher bridge priority (sometimes called a superior BPDU) than the current root bridge. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a BPDU superior to the one held by the current root bridge, the new switch assumes the position of root bridge.

Since the topology of the switching network depends on the position of the root bridge and the relative position of the other switches to the root bridge, this alters the topology in ways that not only may impact performance but may cause all traffic to traverse the new rogue switch, which will be under the management of the attacker. To see how this can impact the topology, look at Figure 5.1.

FIGURE 5.1 STP attack

Again, mitigations to this attack will be covered in Chapter 6.

Understanding ARP Attacks

An ARP poisoning attack is one that takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses. Before I cover the ARP poisoning attack, I'll review the ARP broadcast process.

Address Resolution Protocol (ARP), one of the protocols in the TCP/IP suite, operates at layer 3 of the OSI model. The information it derives is utilized at layer 2, however. ARP's job is to resolve the destination IP address placed in the header by IP to a layer 2 or MAC address. Remember, when frames are transmitted on a local segment, the transfer is done in terms of MAC addresses, not IP addresses, so this information must be known.

Whenever a packet is sent across the network, at every router hop and again at the destination subnet the source and destination MAC address pairs change, but the source and destination IP addresses do not. The process that ARP uses to perform this resolution is called an ARP broadcast.

First an area of memory called the ARP cache is consulted. If the MAC address has been recently resolved, the mapping will be in the cache, and a broadcast is not required. If the record has aged out of the cache, ARP sends a broadcast frame to the local network that all devices will receive. The device that possesses the IP address responds with its MAC address. Then ARP places the MAC address in the frame and sends the frame. Figure 5.2 illustrates this process.

FIGURE 5.2 ARP process

In an ARP poisoning attack, the attacker sends a packet type called a gratuitous ARP to the target device with an incorrect IP address to MAC address mapping.

What's a Gratuitous ARP?

A gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks. In the normal ARP process, a device never announces its MAC address to another device unless asked to do so. This means there is an ARP request that goes from device A to device B and then an ARP reply from device B to device A. In the case of the gratuitous ARP, the ARP message is a reply to a request never sent by the target that causes a malicious (and incorrect) update to the receiver's ARP cache.

In a classic man-in-the-middle attack, the attacker will send these gratuitous ARP requests to the two target devices between which he would like to be "in the middle." In the scenario shown in Figure 5.3, the two targets are the Victim laptop and the default gateway of the Victim laptop.

FIGURE 5.3 ARP cache poisoning

After the gratuitous ARP messages are sent and processed by the two targets, the Victim laptop and the router interface would be sending traffic to the attacker while both thinking they are sending to one another. Mitigations for this attack will be presented in Chapter 6. Stay tuned!

Understanding MAC Attacks

MAC spoofing attacks occur when an attacker changes his MAC address so that his device appears to be another device. As is the case with all spoofing attacks, the ultimate aim is to receive something intended for the real device or to get past access controls based on a MAC address.

A MAC address attack is also considered a switch attack because it leverages the MAC address table in the switch to accomplish the goal of receiving traffic destined for another device. As you know, the MAC address table is populated as frames are sent and received by the switch. On the left side of Figure 5.4, the MAC table prior to the attack is shown.

FIGURE 5.4 MAC spoofing

Prior to the attack, the switch has the MAC address A (shortened for simplicity) recorded on port Fa0/1 where the real holder of that MAC address resides. When the attacker sends a frame with a spoofed MAC address of A, then the switch does what a switch is supposed to do. It removes the MAC address from its current listing of port Fa0/1 and moves it to port Fa0/4, where the attacker resides. Now the attacker will receive all traffic destined for the device on port Fa0/1. This will continue until the device on port Fa0/1 sends a frame. However, by continually sending frames, the attacker will be able to continually update the table to his advantage. But fear not! There are ways to deal with this, and I will cover them in Chapter 6. You'll get there soon. Don't peek!

Understanding CAM Overflows

As you know, the MAC address table, also called the content addressable memory (CAM) table, is populated by the switch as frames are switched through it. The switch records the source MAC address of every frame entering each port. There is a limited amount of memory space that is available for this table. In a CAM overflow attack, the attacker floods the switch with frames that have invalid source MAC addresses. This is easier than it sounds by using a tool such as macof.

At some point, the CAM table is full and can hold no other MAC addresses. Any MAC addresses that were in the table prior to the attack will still be there, and those devices will still be able to receive traffic. However, it is not the aim of the attacker to prevent access to these devices. When the table is full and frames destined to MAC addresses that are not currently in the table are received, they will be flooded out all ports. If you think about it, this is the normal operation of a switch when it receives a frame with an unknown destination MAC address. Figure 5.5 shows this attack, with the steps in the process numbered.

FIGURE 5.5 CAM overflow

The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub, not a switch. In Chapter 6 I'll discuss how to prevent this attack.

Understanding CDP/LLDP Reconnaissance

Cisco Discovery Protocol (CDP) and its standards-based alternative Link Layer Discovery Protocol (LLDP) are useful tools. They can be used to display information about directly connected devices. This can be especially useful when you have no layer 3 connectivity to a neighboring device because the protocols operate at layer 2 and thus can be used to extract information even when IP is not functional. Unfortunately, as is often the case, there is a dark side to these tools.

When a malicious individual is attempting to hack your network, the first thing the hacker does is perform network reconnaissance. This operation consists of gathering all information possible about the layout of the network and the devices in the network. By capturing the CDP or LLDP packets that are used by Cisco devices to exchange information, a wealth of information can be obtained.

For this reason, many organizations choose to forgo the advantages of using CDP and LLDP and disable the operation of both on Cisco devices. Disabling these features can be done on an interface basis or globally on all interfaces. This time I won't make you wait until Chapter 6 for the solution.

To disable CDP on an interface, use the following command in interface configuration mode:

Router67(config-if)#no cdp enable

To disable CDP globally, run the following command in global configuration mode:

Router67(config)#no cdp run

To disable LLDP on an interface, run the following commands in interface configuration mode:

Router67(config-if)#no lldp receive
Router67(config-if)#no lldp transmit

To disable LLDP globally, run the following command in global configuration mode:

Router67(config)#no lldp run

Understanding VLAN Hopping

A virtual LAN (VLAN) security issue you should be aware of is called VLAN hopping. By default, a switch port is an access port, which means it can be a member of only a single VLAN. Ports that are configured to carry the traffic of multiple VLANs, called trunk ports, are used to carry traffic between switches and routers. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member. This can be done in two ways, covered next.

Switch Spoofing

Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs. Figure 5.6 shows a switch spoofing attack.

FIGURE 5.6 Switch spoofing

The prevention of this attack will be covered in Chapter 6.

Double Tagging

Trunk ports use an encapsulation protocol called 802.1q to place a VLAN tag around each frame to identify the VLAN to which the frame belongs. When a switch at the end of a trunk link receives an 802.1q frame, it strips this off and forwards the traffic to the destination device. In a double tagging attack, the hacker creates a special frame that has two tags. The inner tag is the VLAN to which the hacker wants to send a frame (perhaps with malicious content), and the outer tag is the real VLAN of which the hacker is a member. If the frame goes through two switches (which is possible since VLANs can span switches), the first tag gets taken off by the first switch, leaving the second, which allows the frame to be forwarded to the target VLAN by the second switch.

Figure 5.7 shows this process. In this example, the native VLAN number between the CompanySwitchA and CompanySwitchB switches has been changed from the default of 1 to 10.

FIGURE 5.7 Double tagging

Double tagging is only an issue on switches that use "native" VLANs. A native VLAN is used for any traffic that is still a member of the default VLAN, or VLAN 1. The mitigation of this attack will be covered in Chapter 6.
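As an added configuration example (mine, not the book's) of the switch-side controls that address both VLAN hopping methods just described: the access port is pinned to access mode with DTP disabled, and the trunk toward CompanySwitchB uses an otherwise unused native VLAN, an explicit allowed-VLAN list, and native-VLAN tagging. The interface numbers, user VLAN 20, and native VLAN 999 are assumptions.

```cisco
! Access port toward a user workstation (assumed port Gi0/5, assumed user VLAN 20).
! Fixed access mode plus "switchport nonegotiate" stops DTP, so a host that
! imitates a switch cannot negotiate a trunk (switch spoofing).
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! Trunk toward CompanySwitchB (assumed port Gi0/24). The native VLAN is moved to
! an otherwise unused VLAN (assumed 999) that has no access ports, DTP is off,
! and the trunk carries only the VLANs it needs. The encapsulation line is
! needed only on platforms that also support ISL.
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Tag native-VLAN frames on every trunk. With the outer tag always kept, the
! first switch no longer strips it, so the inner tag never becomes the frame's
! only tag on the way to the second switch (double tagging).
vlan dot1q tag native
```

show interfaces trunk lists the native VLAN and allowed VLANs per trunk, and show interfaces GigabitEthernet0/5 switchport should report "Negotiation of Trunking: Off" for the access port.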

Understanding DHCP Spoofing

Dynamic Host Configuration Protocol (DHCP) is used to automate the process of assigning IP configurations to hosts. When configured properly, it reduces administrative overhead, reduces the human error inherent in manual assignment, and enhances device mobility. But it introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and can result in peer-to-peer attacks.

When an illegitimate DHCP server (called a rogue DHCP server) is introduced to the network, unsuspecting hosts may accept DHCP offer packets from the illegitimate DHCP server, rather than the legitimate DHCP server. When this occurs, the rogue DHCP server will not only issue the host an incorrect IP address, subnet mask, and default gateway address (which makes a peer-to-peer attack possible) but can also issue an incorrect DNS server address, which will lead to the host relying on the attacker's DNS server for the IP addresses of websites (such as major banks), which leads to phishing attacks. Figure 5.8 shows an example of how this can occur.

FIGURE 5.8 DHCP spoofing

In Figure 5.8, after receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client uses the attacker's DNS server to obtain the IP address of his bank. This leads him to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has his bank credentials and can proceed to empty out his account. It sounds scary, but luckily I will cover mitigation for this attack in Chapter 6!

Summary

In this chapter, you learned about STP attacks such as rogue switches. The chapter discussed how an ARP spoofing attack works and how it leads to a man-in-the-middle attack. MAC spoofing and its use in accessing traffic to which an attacker is not authorized was also covered. You learned how a CAM overflow attack works and its effect on a switch. You looked at both the value and the danger of using CDP and LLDP. Finally, you learned how VLAN hopping attacks are performed.

Exam Essentials

Explain STP attacks. Describe how an attacker can introduce a rogue switch into the network and alter the loop-free switching topology created by STP.

Describe ARP spoofing attacks. Explain how an ARP spoofing attack is set up and what the end result of a successful ARP spoofing attack can be.

Understand MAC spoofing. Describe the purpose of a MAC spoofing attack and how it might enable an attacker to receive traffic to which she is not authorized.

Explain the CAM overflow attack. List the steps that can cause a CAM overflow and describe the potential benefit to a malicious individual.

Understand the issues with CDP and LLDP. Describe the reason for disabling CDP and LLDP and explain how to implement this.

Describe a VLAN hopping attack. List the ways to accomplish a VLAN hopping attack and explain the purpose of this attack.

Explain DHCP snooping. Describe a DHCP spoofing attack and understand the attacks to which it can lead.

Review Questions

1. Which of the following is true of an STP attack?
A. It occurs with the introduction of a new switch in the network that is more powerful than the current root bridge.
B. It occurs with the introduction of a new switch in the network that possesses a BPDU inferior to that of the current root bridge.
C. It occurs with the introduction of a new switch in the network that possesses a BPDU superior to that of the current root bridge.
D. It may cause all traffic to bypass the new rogue switch, which will be under the management of the attacker.

2. Which of the following takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses?
A. CAM overflow
B. ARP poisoning attack
C. DHCP spoofing
D. STP attack

3. Which of the following is used by an attacker to pollute the ARP cache of hosts?
A. Gratuitous ARP
B. Superior BPDU
C. Inferior BPDU
D. DTP

4. Which of the following is checked prior to a host performing an ARP broadcast?
A. CAM table
B. Host file
C. ARP cache
D. LMhosts file

5. Which of the following occurs when an attacker changes his physical address so that his device appears to be another device?
A. DHCP spoofing
B. CAM overflow
C. MAC spoofing
D. Switch spoofing

6. Which of the following is also considered a switch attack?
A. MAC spoofing
B. DHCP spoofing
C. Rogue DHCP
D. ARP spoofing

7. The content addressable memory table is also known as which of the following?
A. ARP cache
B. DNS resolver cache
C. MAC table
D. DHCP scope

8. Which of the following attacks floods the switch with frames that have invalid source MAC addresses?
A. Smurf attack
B. CAM overflow
C. SYN flood
D. Fraggle attack

9. Which of the following attacks causes a switch to basically operate as a hub and not a switch?
A. Smurf attack
B. CAM overflow
C. SYN flood
D. Fraggle attack

10. Which of the following is standards based?
A. LLDP
B. CDP
C. EIGRP
D. DTP

11. Which of the following commands disables CDP on all interfaces when applied at the global configuration prompt?
A. cdp disable
B. no cdp enable
C. no cdp run
D. no cdp receive

12. Which of the following commands disables LLDP reception on an interface when applied at the interface configuration prompt?
A. lldp disable
B. no lldp enable
C. no lldp run
D. no lldp receive

13. Which attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member?
A. CDP reconnaissance
B. VLAN hopping
C. DHCP snooping
D. STP attack

14. Which of the following is an example of a VLAN hopping attack?
A. Switch spoofing
B. Man-in-the-middle
C. LLDP reconnaissance
D. ARP spoofing

15. What protocol does the attacker leverage in a switch spoofing attack used to perform VLAN hopping?
A. CDP
B. LLDP
C. DTP
D. STP

16. Which attack is only an issue on switches that use "native" VLANs?
A. Switch spoofing
B. Double tagging
C. ARP pollution
D. CAM overflow

17. Which service introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and peer-to-peer attacks?
A. DHCP
B. DNS
C. DTP
D. NAT

18. Which of the following attacks can lead to a phishing attack?
A. DHCP spoofing
B. CAM overflow
C. Double tagging
D. Switch spoofing

19. Which attack occurs on trunk links?
A. Double tagging
B. ARP pollution
C. CAM overflow
D. DHCP spoofing

20. What protocol is used to negotiate the formation of a trunk link?
A. CDP
B. NTP
C. DTP
D. VTP

Chapter 6
Preventing Layer 2 Attacks

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

4.5 Mitigation procedures

Implement DHCP snooping
Implement Dynamic ARP Inspection
Implement port security
Describe BPDU guard, root guard, loop guard
Verify mitigation procedures

Now that you understand some of the layer 2 attacks that can be aimed at your switching infrastructure, you are ready to learn about the mitigations that are available to address each of these attacks. This chapter will discuss how to prevent STP attacks, ARP pollution, MAC spoofing, and CAM overflows. The chapter will also discuss the prevention of VLAN hopping attacks and rogue DHCP servers. Finally, the chapter will discuss how to verify the proper application of the mitigations discussed in the chapter.

In this chapter, you will learn the following:

Mitigations for common layer 2 attacks

Configuring DHCP Snooping

In Chapter 5 you learned that a rogue DHCP server can create significant security issues for your environment. When a rogue DHCP server issues an incorrect IP address, an incorrect subnet mask, and incorrect default gateway information to the host, it can prevent proper communications for those hosts, amounting to a DoS attack. Moreover, it can also result in traffic being directed through this device so that it captures all traffic. Finally, if the rogue DHCP server issues an incorrect DNS server address, it can result in a rogue DNS server responding to queries for sensitive website IP addresses such as banks with incorrect information that, when used by unsuspecting users, can lead to the capture of user credentials.

There is a way to prevent all of this, however, by implementing a feature called DHCP snooping. This feature works by filtering the DHCP messages sent by the rogue DHCP server so that they are never received by the unsuspecting hosts. It also uses the messages sent to and from the legitimate DHCP server to build a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.

DHCP snooping is implemented on the switches in the network, so it is a layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse. The only access ports on the switch that should be labeled as trusted are those leading to legitimate DHCP servers.

All interswitch ports should also be labeled as trusted since they might be used to send the DHCP message from the legitimate server to hosts located on a switch to which the legitimate DHCP server is not connected. All other access ports on the switches should be labeled as untrusted (or left unlabeled, in which case they will be considered untrusted). This prevents a rogue DHCP server connected to one of these ports from responding to the DHCP discover packets sent by the hosts. As a matter of fact, any server response packets (DHCPOFFER, DHCPACK, or DHCPNACK) will be dropped by these interfaces.

Figure 6.1 shows an example of how these ports should be configured in a sample network containing both a legitimate and a rogue DHCP server. Notice in this scenario that the legitimate DHCP server is located on the other side of a network of layer 3 switches; therefore, all ports leading from the layer 2 switches toward the legitimate DHCP server are labeled as trusted so that any of these ports can be used for communication by the legitimate DHCP server. Also notice that all access ports on the two layer 2 switches have been left unlabeled, which makes them untrusted. This prevents the rogue DHCP server from responding to any DHCP discover packets.

FIGURE 6.1 DHCP snooping

From a high level, the steps that are required to implement DHCP snooping are as follows:

1. Enable DHCP snooping globally on each switch.

2. Enable DHCP snooping explicitly for each VLAN with members on the switch.

3. Label all access ports that connect to legitimate DHCP servers as trusted.

4. Leave all other access ports unlabeled, which makes them untrusted.

5. Label any interswitch ports as trusted.

An optional step you may want to take is to specify a file in flash memory to hold the DHCP snooping database that is created by "snooping" on legitimate DHCP server traffic. In the absence of doing this, the database will be stored in RAM. So, if you want the database to persist through a switch reload, configure a file in flash for this purpose.

Let's go over each of these steps using Figure 6.1 as our guide. First let's enable DHCP snooping globally on the layer 2 switches. I'll call them SW67 and SW68.

SW67(config)#ip dhcp snooping
SW68(config)#ip dhcp snooping

This is not indicated on the diagram, but let's assume you have four VLANs, VLANs 2-5, on the two switches. Now let's explicitly enable DHCP snooping on those VLANs.

SW67(config)#ip dhcp snooping vlan 2-5
SW68(config)#ip dhcp snooping vlan 2-5

There are no access ports on the two layer 2 switches that contain legitimate DHCP servers, so you can leave them all unlabeled, which will make them untrusted by default. However, you will need to mark all four of the interfaces leading from the layer 2 switches to the layer 3 switches as trusted. While not labeled on the diagram, let's identify this as gi0/1 and gi0/2 on SW67 and gi0/3 and gi0/4 on SW68.

SW67(config)#intgi0/1-2

SW67(config-if-range)#ipdhcpsnoopingtrust

SW68(config)#intgi0/3-4

SW68(config-if-range)#ipdhcpsnoopingtrust

Finally,justtoseehowit’sdone,let’sconfigureafileinflashfortheDHCPsnoopingdatabase.Theniftheswitchesreloadforsomereason,theywillretainthisdatabase.Callthefilemysnooperonbothdevices.

SW67(config)#ipdhcpsnoopingdatabaseflash:/mysnooper

SW68(config)#ipdhcpsnoopingdatabaseflash:/mysnooper

Inthenextsection,I’llshowyouanadditionalusefortheDHCPsnoopingdatabase.Staytuned!

ConfiguringDynamicARPInspectionAsyoulearnedinChapter5,ARPattacksaretargetedattheARPcachethatisusedbyalldevicestostorerecentlyresolvedIPaddresstoMACaddressmappings.ThesemappingsbecomeknowntothehoststhroughtheARPbroadcastprocessandstoredintheARPcacheforashortperiodoftimetoeliminatetheneedtorepeattheARPbroadcastprocessforeverypacketinalargestreamofpackets.Eachtimeanentryinthecacheisused,thetimerthatagesitoutofthecacheisupdated.ARPpollutionattacksusegratuitousARPpacketstoforceincorrectentriesintotheARPcache,withtheaimofsendingtraffictotheattackerthatshouldbesentelsewhere.

TheattackcanbepreventedbyimplementingafeatureontheswitchescalledDynamicARPInspection(DAI).ThisfeaturerequiresthatDHCPsnoopingalsobeenabledbecauseitdependsontheDHCPsnoopingdatabasethatiscreatedwhenDHCPsnoopingisenabled.Whenenabled,itallowstheswitchtointerceptARPpacketsonportsthatyoudesignateasuntrustedandwillverifythateachinterceptedpackethasavalidMACtoIPaddressmappingbeforeupdatingtheARPcacheandforwardingthepacket.ThisvalidationisperformedbyusingtheDHCPsnoopingdatabase.

Whenproperlyconfigured,DAIoperatesasshowninFigure6.2.Anattackersendsa

Page 142: CCNA security study guide: exam 210-260

gratuitousARPmessagetopollutetheARPcacheofthehostat10.1.1.2.Whentheswitchreceivesthismessage,itconsultstheDHCPsnoopingdatabase,andwhendiscoveringthatthepacketcontainsanincorrectMACtoIPaddressmapping,itdropsthepacket.

FIGURE6.2DAIinaction

InthescenarioshowninFigure6.2,theDAIimplementationwouldrequirethattheportsontheswitchconnectedtothehostsbelabeledasuntrusted(forthepurposesofDAI)andallinterswitchportsbelabeledastrusted.BypassingthesecuritycheckbetweenswitchesissafeifDAIisenabledonalloftheswitchesbecausetheswitcheswillonlybesendingpacketstooneanotherthathavealreadybeencheckedwhenreceivedbytheswitch.

IncaseswhereinterfaceswithstaticIPaddressesarepresent(suchasdefaultgatewaysonrouters),additionalstepsarerequiredbecausethoseinterfacesandtheirIPtoMACaddressmappingswillnotbefoundintheDHCPsnoopingdatabasebecausethat’snothowthoseinterfacesgottheirIPaddresses.TheseinterfaceswillrequirethatyoucreateatypeofACLontheswitchcalledanARPACL.ThisACLidentifiesthecorrectIPtoMACaddressmappingfortheinterface,andtheACLisreferencedasafilterintheDAIconfiguration.ThismakestheACLavailabletotheDAIprocessasanadditiontotheDHCPsnoopingdatabase.

ToenableDAI,thehigh-levelstepsareasfollows:

1. EnableDAIforeachVLAN.

2. Specifyinterswitchportsastrusted.

3. Leaveallotherportstothedefaultofuntrusted.

4. ForanyinterfacessuchasdefaultgatewaysthathavestaticIPaddresses,createanARPACLthatmapstheIPaddressoftheinterfacetoitsMACaddressoftheinterface.

5. ReferenceanyARPACLsthathavebeencreatedwhenenablingDAI.

UsingthediagraminFigure6.2,let’sperformeachstep.Firstlet’senableDAIontheswitchforVLAN3.

SW69(config)iparpinspectionvlan3

Whilenotshowninthediagram,let’spretendtheswitchhasanuplinkcalledgi/04,which

Page 143: CCNA security study guide: exam 210-260

connectstoanotherswitch.Youneedtomarkthisinterfaceastrusted,solet’sdoit.

SW69(config)#intgi0/4

SW69(config-if)#iparpinspectiontrust

Allotherportsneedtobelabeleduntrusted,whichisthedefault,soyoucanleavethemastheyare.SincethedefaultgatewayontherouterhasastaticIPaddressof10.1.1.1,youneedtocreateanARPACLthatcreatestheIPtoMACaddressmapping.Let’sdothisandusetheMACaddressaaaa.bbbb.cccc.ItsnamewillbeStatic-IP-VLAN3.NoticethatthisisaninstancewhereanACLisusednottoalloworblocktrafficbuttoidentifyanitem(inthiscasetheIPtoMACaddressmapping)forspecialtreatment.

SW69(config)#arpaccess-listStaticIP-VLAN3

SW69(config-arp-acl)#permitiphost10.1.1.1machostaaaa.bbbb.cccc

ThelastitemyouneedtotakecareofistoreferencethenameoftheARPACLintheDAIconfiguration.Whenyoudothis,youalsohavetoreferencetheVLANtowhichitapplies.

SW69(config)#iparpinspectionfilterStaticIP-VLAN3vlan3

WhileyouusedtheVLANnumberinthenameoftheACL,thatisnotwhattiesittoVLAN.ItistheexplicitreferencetoVLAN3attheendofthecommandthatdoesit.
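The following Python model, added here and not taken from the book or from Cisco IOS, replays the decisions described in the two sections above: DHCP snooping dropping server replies on untrusted ports and building the binding database from a trusted uplink, and DAI checking ARP packets against that database and the StaticIP-VLAN3 ARP ACL. The port names, VLAN number and the host MAC and IP addresses are constructed.

```python
"""Model of the DHCP snooping and DAI decision logic described above.

This is an added illustration, not code from the book or from Cisco IOS.
Port names, the VLAN number and the host MAC/IP addresses are constructed;
the ARP ACL entry mirrors StaticIP-VLAN3 from the text (10.1.1.1 -> aaaa.bbbb.cccc).
"""
from dataclasses import dataclass, field

# Message types only a DHCP server sends; snooping drops them on untrusted ports.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}


@dataclass
class Switch:
    snooping_vlans: set            # ip dhcp snooping vlan ...
    dai_vlans: set                 # ip arp inspection vlan ...
    trusted_dhcp: set              # ports with "ip dhcp snooping trust"
    trusted_dai: set               # ports with "ip arp inspection trust"
    arp_acl: dict = field(default_factory=dict)   # ip -> mac, for static hosts
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> ip, the snooping database

    def dhcp(self, port, vlan, msg, client_mac=None, yiaddr=None):
        """Return 'forward' or 'drop' for a DHCP message received on port."""
        if vlan not in self.snooping_vlans:
            return "forward"
        if msg in SERVER_MESSAGES and port not in self.trusted_dhcp:
            return "drop"                      # a rogue server answering on an access port
        if msg == "DHCPACK":
            # Only trusted ports reach this point with a server message, so the
            # lease it confirms comes from the legitimate server: record the binding.
            self.bindings[(vlan, client_mac)] = yiaddr
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Return 'forward' or 'drop' for an ARP packet received on port."""
        if vlan not in self.dai_vlans or port in self.trusted_dai:
            return "forward"                   # inter-switch ports bypass the check
        if self.bindings.get((vlan, sender_mac)) == sender_ip:
            return "forward"                   # consistent with the snooping database
        if self.arp_acl.get(sender_ip) == sender_mac:
            return "forward"                   # static host covered by the ARP ACL
        return "drop"                          # mismatch: would have polluted ARP caches


def run_scenario():
    """Replay the situations of Figures 6.1 and 6.2 on a single switch."""
    sw = Switch(snooping_vlans={3}, dai_vlans={3},
                trusted_dhcp={"gi0/4"}, trusted_dai={"gi0/4"},
                arp_acl={"10.1.1.1": "aaaa.bbbb.cccc"})
    results = {}
    # Legitimate DHCPACK arrives over the trusted uplink and creates a binding.
    results["ack_via_uplink"] = sw.dhcp("gi0/4", 3, "DHCPACK", "0011.2233.4455", "10.1.1.2")
    # A DHCPOFFER from a device on an untrusted access port is dropped.
    results["offer_on_access"] = sw.dhcp("gi0/7", 3, "DHCPOFFER")
    # The host's own ARP reply matches its binding.
    results["host_arp"] = sw.arp("gi0/5", 3, "0011.2233.4455", "10.1.1.2")
    # A gratuitous ARP claiming 10.1.1.2 with another MAC is dropped (Figure 6.2).
    results["spoofed_host"] = sw.arp("gi0/7", 3, "0000.0000.0bad", "10.1.1.2")
    # The gateway's static address is validated through the ARP ACL, not the database.
    results["gateway_arp"] = sw.arp("gi0/6", 3, "aaaa.bbbb.cccc", "10.1.1.1")
    # Claiming the gateway's IP with a different MAC is dropped.
    results["spoofed_gateway"] = sw.arp("gi0/7", 3, "0000.0000.0bad", "10.1.1.1")
    return results, dict(sw.bindings)
```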

Configuring Port Security

In Chapter 5 you learned how a malicious individual could use a CAM overflow attack to fill the CAM table of the switch, resulting in the switch flooding all traffic out all ports. This basically turns the switch into a hub and thereby allows the attacker to receive all traffic, regardless of the VLAN to which the frame belongs. However, you can prevent this by using a feature called port security. This feature can control the following:

The maximum number of MAC addresses that can be seen on a port (which will solve the CAM overflow issue)

Exactly which MAC addresses can transmit on a port (preventing unauthorized access to the network)

Let's look at how you might prevent a CAM overflow attack by limiting the number of MAC addresses that can be seen on an interface. From a high level, these are the steps required. The commands will follow later.

1. Specify the port as an access port (if not already done).

2. Enable port security on the port.

3. Specify the maximum number of MAC addresses allowed on the port.

4. Specify the action to be taken when a violation occurs.

Let's configure these steps on a Cisco switch. First specify the port gi0/2 as an access port.

SW70(config)# int gi0/2

SW70(config-if)# switchport mode access

The next step is to enable port security on the interface. That is done with the following command:

SW70(config-if)# switchport port-security

To specify the maximum number of MAC addresses that can be seen on the port, use the following command. In this case, you are allowing two because the user has both a PC and an IP phone connected to the same port.

SW70(config-if)# switchport port-security maximum 2

Finally, let's specify that if a violation occurs, the port will be shut down. You can also choose the following actions using alternative keywords to the shutdown keyword:

protect: The offending frame will be dropped.

restrict: The frame is dropped and an SNMP trap and a syslog message are generated.

SW70(config-if)# switchport port-security violation shutdown

With this configuration in place, the port will be protected from a CAM overflow attack. If one occurs, the port will be shut down.

Port security can also be used to specify the exact MAC addresses that are allowed on the port. This will prevent an unauthorized device from using the port. You can specify the MAC address (or addresses) manually, or you can use a cool command option called mac-address sticky that tells the port to learn the MAC addresses of the devices currently connected to the port and make those MAC addresses the only ones allowed on the port. Assuming you have specified the port as an access port and enabled port security on the port, this is easily done with this single command:

SW70(config-if)# switchport port-security mac-address sticky

With the port configured like this, the port is protected both from unauthorized devices and from CAM overflow attacks.
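To make the difference between the three violation actions concrete, here is an added Python model of the port configured above (maximum 2, sticky learning); it is not code from the book or from Cisco IOS, and the interface name and MAC addresses are constructed. The same frame sequence is run once per action so the resulting counters and port state can be compared.

```python
"""Model of port security as configured on SW70 above: a maximum number of
MAC addresses, sticky learning, and the protect/restrict/shutdown violation
actions. Added illustration, not the book's or Cisco's code; the interface
name and MAC addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)    # learned/sticky addresses, in order
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # SNMP trap / syslog events

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame whose source MAC is src_mac."""
        if self.err_disabled:
            return "drop"                      # passes nothing until re-enabled by hand
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # room left: learn it as a secure address
            return "forward"
        # Violation: a new source MAC beyond the configured maximum. A CAM overflow
        # attack is exactly a flood of such frames, so it stops at this point.
        if self.violation == "protect":
            return "drop"                      # silently dropped: no counter, no notification
        self.violation_count += 1
        self.notifications.append(f"violation on {self.name} by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True           # err-disabled: legitimate MACs stop too
        return "drop"                          # restrict: offender dropped, port stays up

    def running_config(self):
        """Interface configuration lines that this port-security setup produces."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            # Sticky addresses are written into the configuration, so they survive
            # a reload once the configuration is saved.
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in self.secure_macs]
        return lines


# Constructed frame sequence: PC, IP phone, PC again, an unknown device, PC again.
FRAMES = ["0011.2233.0001", "0011.2233.0002", "0011.2233.0001",
          "0000.0000.0bad", "0011.2233.0001"]


def simulate(violation):
    """Run FRAMES through a two-address sticky port with the given violation action."""
    port = SecurePort("gi0/2", maximum=2, violation=violation, sticky=True)
    decisions = [port.receive(mac) for mac in FRAMES]
    return {"decisions": decisions,
            "violations": port.violation_count,
            "err_disabled": port.err_disabled,
            "notified": len(port.notifications),
            "config": port.running_config()}
```

Only the shutdown action drops the final, legitimate PC frame, because the port is err-disabled by then; protect and restrict keep forwarding it.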

Configuring STP Security Features

In Chapter 5 you were introduced to an attack aimed at the Spanning Tree Protocol (STP). When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU compared to the one held by the current root bridge, the new switch assumes the position of root bridge.

Since the topology of the switching network depends on the position of the root bridge and the relative position of the other switches to the root bridge, this alters the topology in ways that not only may impact performance but may cause all traffic to traverse the new rogue switch, which will be under the management of the attacker. To prevent this from occurring, you can make use of three features: BPDU Guard, Root Guard, and Loop Guard. Let's look at all three features.

BPDU Guard

The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on the access port. It should be implemented only on access ports, because if implemented on trunks, it would interfere with the normal operation of STP, which depends on these frames for its operation. However, it should be implemented on all access ports. When implemented, it has the effect shown in Figure 6.3. By blocking the superior BPDU sent by the attacker, the STP topology remains unchanged.

FIGURE 6.3 BPDU Guard in action

The implementation of BPDU Guard can be done at the interface level, or it can be done globally, which will implement the feature on all access ports on the switch. Let's implement it first at the interface level. This is done with the following command:

SW71(config)# int gi0/5

SW71(config-if)# spanning-tree bpduguard enable

To enable this feature on all access ports, execute the following command at the global configuration prompt. You must ensure before you run this command that all access ports are configured with PortFast. This feature allows access ports to immediately proceed to the forwarding state without going through the interim port states of STP, as would be done on a trunk port.

The following command will enable BPDU Guard on all PortFast-enabled access ports:

SW71(config)# spanning-tree portfast bpduguard default

When a violation occurs, the port will be placed in an err-disabled state and will not pass traffic until it is enabled again manually.

Root Guard

Another feature that is designed to prevent a change in the root bridge is Root Guard. This feature is also implemented on access ports, and it is implemented on all ports of the root bridge. It prevents the reception of superior BPDUs only, not all BPDUs. Moreover, when a violation occurs, the port is not err-disabled, as is the case with BPDU Guard. Rather, it is placed in an inconsistent state and will recover and return to a normal state when the reception of superior BPDUs ceases. This feature is implemented only at the interface level, as shown here:

SW71(config)# int gi0/5

SW71(config-if)# spanning-tree guard root

Loop Guard

An STP loop can be created when a blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The STP Loop Guard feature provides additional protection against layer 2 forwarding loops (STP loops).

To prevent this anomaly from altering the STP topology, use the Loop Guard feature. This feature makes additional checks if BPDUs are not received on a non-designated port. With Loop Guard enabled, that port moves into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding states. Without the Loop Guard feature, the port assumes the designated port role, moves to the STP forwarding state, and creates a loop.

To enable Loop Guard, use the following command:

SW77(config)# interface gigabitEthernet 1/1

SW77(config-if)# spanning-tree guard loop
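The three guards react to different events and recover differently, which is the point the exam tests. The Python state model below is an added illustration, not code from the book or from Cisco IOS; the port names and the event sequence are constructed, and each port sees only two kinds of event: a BPDU arriving (superior or not) and BPDUs ceasing for the max age.

```python
"""State model of BPDU Guard, Root Guard, and Loop Guard as described above.
Added illustration, not the book's or Cisco's code; port names and the
event sequences are constructed."""
from dataclasses import dataclass

# The state a port returns to once a guard condition clears, by port role.
NORMAL_STATE = {"designated": "forwarding", "root": "forwarding", "alternate": "blocking"}


@dataclass
class StpPort:
    name: str
    role: str = "designated"   # designated | root | alternate
    guard: str = "none"        # none | bpduguard | root | loop
    state: str = "forwarding"

    def on_bpdu(self, superior):
        """A BPDU is received; 'superior' means it would elect a new root bridge."""
        if self.state == "err-disabled":
            return self.state                      # stays down until manually re-enabled
        if self.guard == "bpduguard":
            self.state = "err-disabled"            # any BPDU on a PortFast access port
        elif self.guard == "root" and superior:
            self.state = "root-inconsistent"       # superior BPDU blocked; inferior ones pass
        elif self.state == "loop-inconsistent":
            self.state = NORMAL_STATE[self.role]   # BPDUs resumed: Loop Guard recovers
        return self.state

    def on_bpdu_loss(self):
        """No BPDU has been received on this port for the max age."""
        if self.state == "err-disabled":
            return self.state
        if self.state == "root-inconsistent":
            self.state = NORMAL_STATE[self.role]   # superior BPDUs ceased: Root Guard recovers
        elif self.role != "designated":            # a root or alternate port stopped hearing BPDUs
            if self.guard == "loop":
                self.state = "loop-inconsistent"   # held in blocking instead of forwarding
            else:
                self.role, self.state = "designated", "forwarding"   # this is where the loop forms
        return self.state


def scenario():
    """Constructed event sequences for the three guards and for an unguarded port."""
    out = {}
    edge = StpPort("gi0/5", guard="bpduguard")
    out["bpduguard_on_bpdu"] = edge.on_bpdu(superior=True)
    out["bpduguard_after_silence"] = edge.on_bpdu_loss()           # no automatic recovery
    rg = StpPort("gi0/5", guard="root")
    out["rootguard_superior"] = rg.on_bpdu(superior=True)
    out["rootguard_inferior"] = StpPort("gi0/6", guard="root").on_bpdu(superior=False)
    out["rootguard_recovered"] = rg.on_bpdu_loss()
    lg = StpPort("gi1/1", role="alternate", guard="loop", state="blocking")
    out["loopguard_silence"] = lg.on_bpdu_loss()
    out["loopguard_recovered"] = lg.on_bpdu(superior=False)
    plain = StpPort("gi1/1", role="alternate", state="blocking")
    out["noguard_silence"] = (plain.on_bpdu_loss(), plain.role)    # the loop scenario
    return out
```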

Disabling DTP

In Chapter 5 you learned that a rogue switch added to your network by a malicious individual can alter your STP topology and may even cause the rogue switch to become the root bridge. If Dynamic Trunking Protocol (DTP) is enabled on your switch interfaces and the interface is set to either dynamic desirable or dynamic auto, it is possible for a rogue switch connected to such a configured interface to become part of the STP topology. By setting the port state of the rogue switch to dynamic desirable, a trunk link will automatically be formed.

To prevent this, disable DTP on all switch interfaces, and set each interface statically to either trunk or access mode as required. To disable DTP on all ports, use the following command:

SW71(config)# interface range fa0/1-24

SW71(config-if-range)# switchport nonegotiate

Verifying Mitigations

When using the configurations covered in this chapter, it is always a good idea to verify the successful application of each. It is also helpful to know how to check for these configurations when you are unfamiliar with a specific switch. This section will cover these verifications.

DHCP Snooping

To verify the configuration of DHCP snooping, use the show ip dhcp snooping command, as shown here. The output is truncated to show the critical parts.

SW72# sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-200
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
SW72#

Note the following:

DHCP snooping is globally enabled.

It is operational on VLANs 1–200.

FastEthernet0/1 is the trusted interface.

DAI

To verify the configuration of DAI, use the show ip arp inspection command, as shown here:

Switch73# show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0             10             10              0

 Vlan   DHCP Permits   ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------   -----------  -------------   -------------------
   10              0             0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0

Note the following:

It is enabled for VLAN 10.

Ten packets have been dropped by DAI.

Port Security

To verify the configuration of port security, use the show port-security command, as shown here:

SW74# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

Note the following:

Port security is enabled on the Fa5/1, Fa5/5, and Fa5/11 interfaces.

There have been no violations thus far.

If a violation occurs, the Fa5/1 interface will not forward the offending traffic, will shut down, will send an SNMP trap and syslog message, and will increment the violation counter.

If a violation occurs, the Fa5/5 interface will not forward the offending traffic, will send an SNMP trap and syslog message, and will increment the violation counter, but it will still pass legitimate traffic.

If a violation occurs, the Fa5/11 interface will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter, but it will still pass legitimate traffic.

STP Features

In this section, you'll learn how to verify the proper application of BPDU Guard, Root Guard, Loop Guard, and DTP.

BPDU Guard

To verify that BPDU Guard has been configured correctly, execute the show spanning-tree summary totals command. Note that PortFast BPDU Guard is enabled globally on this switch.

SW75# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1

Root Guard

To verify that Root Guard has been configured correctly, execute the show spanning-tree interface <int id> detail command. Note that Root Guard is enabled on this port.

SW76# show spanning-tree int fa0/22 detail
Port 24 (FastEthernet0/22) of VLAN0001 is broken (Root Inconsistent)
   Port path cost 19, Port priority 128, Port Identifier 128.24.
   Designated root has priority 4097, address 000d.bc51.6d00
   Designated bridge has priority 24577, address 0018.1820.2700
   Designated port id is 128.24, designated path cost 57
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 502, received 1701

Loop Guard

To verify that Loop Guard has been configured correctly, execute the show spanning-tree summary command. Note that Loop Guard is enabled.

Router# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is disabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                         0         0        0          0          0

DTP

To verify that Dynamic Trunking Protocol has been properly disabled, execute the show interfaces switchport command, as shown here:

SW1# show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off

Note the following:

DTP negotiation is disabled (see the last line).

This is an access port.

Summary

In this chapter, you learned to configure DHCP snooping to prevent the introduction of rogue DHCP servers. The chapter also discussed how, when combined with DHCP snooping, DAI can prevent ARP poisoning attacks. You learned how to prevent MAC overflow attacks and how to keep unauthorized devices off switch ports by using port security. Finally, the chapter discussed BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent changes to the STP topology.

Exam Essentials

Implement DHCP snooping. Configure and verify DHCP snooping to prevent the issues caused by a rogue DHCP server and to support the application of Dynamic ARP Inspection.

Deploy DAI. Implement Dynamic ARP Inspection to prevent ARP pollution, which can lead to a man-in-the-middle attack.

Configure port security. Prevent MAC overflow attacks and the introduction of unauthorized devices to switch ports by securing the port using the port security feature.

Describe the benefits of STP security features. These features include BPDU Guard, Root Guard, and Loop Guard.

Review Questions

1. Which of the following is true of DHCP snooping?

A. It prevents the introduction of rogue switches.
B. It is implemented on routers.
C. It builds a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.
D. When implementing it, all ports should be untrusted.

2. Which DHCP packet types are dropped on untrusted interfaces protected by DHCP snooping?

A. DHCPACK
B. DHCPOFFER
C. DHCPNACK
D. All of the above

3. Which of the following features must be configured for the operation of DAI?

A. Loop Guard
B. DHCP snooping
C. Root Guard
D. BPDU Guard

4. What is required to enable DAI on an interface with a static IP address?

A. An ACL
B. Loop Guard
C. PortFast
D. Root Guard

5. Which of the following commands causes the switch to drop the offending traffic when a violation occurs but neither shuts down the interface nor sends syslog messages?

A. switchport port-security violation shutdown
B. switchport port-security violation restrict
C. switchport port-security violation deny
D. switchport port-security violation protect

6. Which attack does the switchport port-security maximum 2 command prevent?

A. MAC spoofing
B. CAM overflow
C. Rogue DHCP
D. ARP spoofing

7. Which of the following should be implemented only on access ports?

A. BPDU Guard
B. Root Guard
C. Loop Guard
D. DTP

8. Which type of traffic is prevented on ports where Root Guard is enabled?

A. All traffic
B. All BPDUs
C. Superior BPDUs
D. Inferior BPDUs

9. What state does a port configured with Loop Guard enter when the reception of BPDUs stops?

A. Shutdown
B. Loop-inconsistent
C. Err-disabled
D. Blocking

10. Which feature is disabled with the command switchport nonegotiate?

A. STP
B. DTP
C. VTP
D. CDP

11. In the following configuration, which port will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter but will still pass legitimate traffic?

SW74# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
     Fa5/12              3            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

A. Fa5/1
B. Fa5/5
C. Fa5/11
D. Fa5/12

12. Which of the following features prevents the introduction of a rogue switch?

A. BPDU Guard
B. DAI
C. DHCP snooping
D. Loop Guard

13. Which command should be configured on a port where the legitimate DHCP server resides?

A. ip dhcp snooping trust
B. ip dhcp snooping enable
C. ip dhcp snooping
D. ip dhcp snooping untrust

14. What is the purpose of the command ip dhcp snooping database flash:/mysnooper?

A. The switch will retain the database through a reboot.
B. The switch will share the database with directly connected switches.
C. The switch will apply the database to all VLANs.
D. The switch will delete the file during a reboot.

15. What is the default state of a port with respect to DAI?

A. Trusted
B. Untrusted
C. Null
D. Nonegotiate

16. In the following command, what is the name of the ACL? SW69(config)# ip arp inspection filter StaticIP-VLAN3 vlan 3

A. vlan 3
B. 3
C. StaticIP-VLAN3
D. filter StaticIP

17. Which command enables port security on an interface?

A. switchport port-security
B. switchport port-security maximum 2
C. switchport port-security violation shutdown
D. switchport port-security mac-address sticky

18. Which of the following is not a mitigation to STP attacks?

A. Root Guard
B. BPDU Guard
C. Disabling DTP
D. DAI

19. When a violation occurs on a BPDU Guard–enabled port, in what state is the port placed?

A. Shutdown
B. Port inconsistent
C. Err-disabled
D. Restrict

20. Which ports should have DTP disabled?

A. Access ports
B. Trunk ports
C. Etherchannels
D. All ports

Chapter 7 VLAN Security

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

4.6 VLAN security

Describe the security implications of a PVLAN

Describe the security implications of a native VLAN

VLANs can be used to segment a LAN and can span multiple switches, providing both security and the ability to locate users in the same VLAN in physically dispersed locations. There are security issues with VLANs, as you learned in Chapter 5. This chapter will expand your knowledge of VLAN issues by introducing private VLANs (PVLANs) and the security implications of deploying them. I will also talk about security issues with native VLANs. I'll wrap up the chapter by introducing how to use access lists on switches.

In this chapter, you will learn the following:

Security implications of a PVLAN

Security implications of a native VLAN

Switch ACLs

Native VLANs

In Chapter 5 you learned about double tagging and how an attacker can craft a packet with two 802.1q tags, with the inner tag set to the VLAN to which he would like to send traffic. This attack takes advantage of the native VLAN. If the attacker's access port is set to the same VLAN as the native VLAN, this attack becomes possible.

Mitigation

The solution is to set the native VLAN (number 1 by default) to one in which none of the access ports resides. This is done only on the trunk ports. To change the native VLAN of the trunk port gi0/1 to 78, use the following command:

Switch79(config)# int gi0/1

Switch79(config-if)# switchport trunk native vlan 78

After changing the native VLAN from 1 to 78, simply ensure that no access ports are members of VLAN 78.

PVLANs

When hosts are segregated into VLANs, they are also placed into separate IP subnets. Service providers often find this arrangement to be problematic, especially when there is a need for additional security across a VLAN being shared by multiple customers and perhaps by the ISP servers themselves. While a separate VLAN for each customer is an option, it presents the following challenges:

The requirement of a high number of interfaces on service provider devices to support the subnets

The increased management complexity of dividing the network address space and the potential wasting of address space

The management of multiple ACLs to maintain security across the VLANs

A feature that can be a solution in these cases is the implementation of private VLANs. These provide separation within a VLAN at layer 2, while still leaving all members of the original VLAN (called the primary VLAN) in the same subnet. Communication between ports in the primary VLAN is controlled not with ACLs but with the proper assignment of one of three port types.

Promiscuous ports: These are ports that can communicate with a port of any other type. Typical candidates for this port assignment are those ports leading to the router or firewall that acts as the default gateway for the primary VLAN.

Isolated ports: These are ports that only communicate with a promiscuous port. These ports are used to isolate a single host from all other hosts in the primary VLAN. Since these ports can only communicate with promiscuous ports, the only way another host can communicate with an isolated port is through the router, where an ACL might be applied for control.

Community ports: These are ports that can communicate with other members of the same community and with promiscuous ports. Therefore, hosts connected to community ports can communicate with other communities and with isolated ports only through the router.

Figure 7.1 shows an example of a primary VLAN that has been divided into PVLANs. In this example, keep in mind that all hosts connected to the switch are in the same primary VLAN and the same IP subnet. Port Ge0/1 is a promiscuous port, while the ports leading to SRV1 and SRV2 are community ports that are members of PVLAN 101. Notice they can communicate with one another and with the default gateway, since it is a promiscuous port.

FIGURE 7.1 PVLANs

Also notice that the ports leading to SRV3 and SRV4 are isolated ports that are members of PVLAN 102. Notice that even though SRV3 and SRV4 reside in the same primary VLAN and the same secondary VLAN (102), they cannot communicate with one another, because isolated ports can only communicate with the promiscuous port, which in this case is the default gateway.

To set up PVLANs, the steps include the following:

1. Configure the primary VLAN, specifying it as a primary PVLAN.

2. Configure any required secondary PVLANs, specifying the type.

3. Specify each interface as a private VLAN host port and associate it with a private VLAN pair.

The following are the steps to configure VLAN 10 as a primary VLAN, VLAN 201 as an isolated VLAN, and VLANs 202 and 203 as community VLANs; to associate them in a private VLAN; and to verify the configuration:

Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 202
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 203
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan association 201-203
Switch(config-vlan)# end
Switch# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      201       isolated
10      202       community
10      203       community
10      204       non-operational

Notice that the last command, private-vlan association 201-203, executed under the VLAN 10 configuration is what ties the PVLANs to the primary VLAN.

To set a port to its proper type and PVLAN, use these commands:

Switch# configure terminal
Switch(config)# interface gigabitethernet 0/22
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 202
Switch(config-if)# end

In the previous configuration, port Gi0/22 was assigned to primary VLAN 10 and PVLAN 202. Since PVLAN 202 was created as a community VLAN, port Gi0/22 will be a community port.

PVLAN Edge

In some cases, you may find there is no reason for any communication between ports connected to the same switch. When that is the case, it may be beneficial to take advantage of another feature called the PVLAN Edge feature. Preventing communications between ports when possible can both prevent attacks such as ARP poisoning attacks and impair the ability of a hacker to move from a compromised host to other hosts.

When a port has been designated as a PVLAN Edge port (called a protected port), it has the following features:

No traffic will be sent from one protected port to another protected port on the same switch. Any data traffic must go through the router first.

Forwarding behavior between a protected port and unprotected ports proceeds as usual.

There is no isolation between protected ports located on different switches.

While PVLAN Edge is only effective between ports on the same switch, it is simpler to configure than PVLANs and can be the solution in certain cases. To specify a port as "protected," use the following command:

Switch(config)# interface fa0/1

Switch(config-if)# switchport protected
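The reachability rules of the three PVLAN port types (Figure 7.1) and of PVLAN Edge protected ports are captured in the added Python model below; it is not code from the book or from Cisco IOS. The gateway port name Ge0/1 comes from the figure, while the other port names, the switch names and the fa0/x protected ports are constructed.

```python
"""Reachability rules for the three PVLAN port types and for PVLAN Edge
protected ports, as described above. Added illustration, not the book's or
Cisco's code; port roles follow Figure 7.1, the remaining port and switch
names are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # promiscuous | isolated | community | access
    secondary: Optional[int] = None  # secondary (isolated/community) VLAN number
    switch: str = "SW1"
    protected: bool = False          # "switchport protected" (PVLAN Edge)


def pvlan_allows(src, dst):
    """Direct layer 2 forwarding between two ports of the same primary VLAN."""
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                   # a promiscuous port talks to every type
    if src.kind == dst.kind == "community" and src.secondary == dst.secondary:
        return True                   # members of the same community
    return False                      # isolated ports, or different communities: router only


def edge_allows(src, dst):
    """PVLAN Edge: two protected ports on the same switch never exchange traffic directly."""
    return not (src.protected and dst.protected and src.switch == dst.switch)


def figure_7_1():
    gw = Port("Ge0/1", "promiscuous")
    srv1, srv2 = Port("Ge0/2", "community", 101), Port("Ge0/3", "community", 101)
    srv3, srv4 = Port("Ge0/4", "isolated", 102), Port("Ge0/5", "isolated", 102)
    return {
        "srv1->srv2": pvlan_allows(srv1, srv2),   # same community: direct
        "srv1->gw": pvlan_allows(srv1, gw),       # everything reaches the gateway
        "srv3->gw": pvlan_allows(srv3, gw),
        "srv3->srv4": pvlan_allows(srv3, srv4),   # isolated, even in the same secondary VLAN
        "srv1->srv3": pvlan_allows(srv1, srv3),   # community to isolated: through the router only
    }


def protected_ports():
    a = Port("fa0/1", "access", protected=True, switch="SW1")
    b = Port("fa0/2", "access", protected=True, switch="SW1")
    c = Port("fa0/3", "access", protected=False, switch="SW1")
    d = Port("fa0/1", "access", protected=True, switch="SW2")
    return {
        "protected->protected, same switch": edge_allows(a, b),    # blocked
        "protected->unprotected": edge_allows(a, c),               # forwarded as usual
        "protected->protected, other switch": edge_allows(a, d),   # no isolation across switches
    }
```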

PVLAN Proxy Attack

As with many features, malicious individuals have figured out a way to attack PVLAN configurations. In a PVLAN proxy attack, an attacker sends a packet (toward the promiscuous port) with the source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router. When the router receives the packet, the router rewrites the destination MAC address to that of the target and sends the packet to the target. It is the presence of the MAC address of the router in the packet, rather than that of the target, that makes this possible. This makes the packet appear to come from the router, which is allowed since the router is on a promiscuous port. Since the router is being used as the source MAC, the router is considered a "proxy." Figure 7.2 shows the attack.

FIGURE 7.2 PVLAN proxy attack

Mitigation

To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet. An example of such an access list, applied to the router interface, would solve the issue shown in Figure 7.2.

Router(config)# access-list 101 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

Router(config)# access-list 101 permit ip any any

Router(config)# int fa0/1

Router(config-if)# ip access-group 101 in

ACLsonSwitchesAccesslistscanbeappliednotonlytorouterinterfacesbutcanalsobeusedonlayer2interfacesonswitches.Whenusedonswitches,therearethreetypesofaccessliststhatcanbeused.

Portaccesslists(PACLs)Theseareappliedtolayer2interfaceseitheronalayer2switchoronamultilayerswitch.Whenappliedtoalayer2interfaceonamultilayerswitch,theycanbeappliedonlyinbound.TheselistscanbeeitherIPACLsorMACACLs.

VLANaccesslists(VACLs)TheseusemapstocontroltrafficonaVLAN.TheycanbeappliedeithertotrafficroutedintooroutofaVLANortoalltrafficbridgedwithinaVLAN.

RouterACLsUsedtocontroltrafficbetweenVLANs,routerACLscanbeappliedeithertoarouterinterfaceortoaswitchedvirtualinterface(SVI)onamultilayerswitch.

Firstlet’slookatconfiguringportACLs.

Page 162: CCNA security study guide: exam 210-260

Port ACLs

Port ACLs can be applied either as IP access lists or as MAC access lists. The procedure to create and apply both types is as follows:

Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit ip host 10.0.0.1 any
Switch(config)# int gi0/22
Switch(config-if)# ip access-group simple-ip-acl in

Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 0000.aaaa.bbbb any
Switch(config)# int gi0/22
Switch(config-if)# mac access-group simple-mac-acl in

VLAN ACLs

VLAN access lists apply to all traffic in a VLAN and are not configured with a direction. These access lists use maps to define both the traffic in question and the action to be taken. The maps can reference other access lists when specifying these values. From a high level, the steps to set up a VACL are as follows:

1. Create an ACL that defines the specified traffic type.
2. Create a map that references the access list and specifies an action.
3. Apply the access map to the appropriate VLAN.

Here is the creation of an access list defining the traffic as HTTPS (port 443):

Switch(config)# ip access-list extended permit_HTTPS
Switch(config-ext-nacl)# permit tcp any any eq 443

The next step is to create the map referencing the ACL and specifying an action:

Switch(config)# vlan access-map Allow_HTTPS
Switch(config-access-map)# match ip address permit_HTTPS
Switch(config-access-map)# action forward

Finally, here is the command to apply the access map to a VLAN, in this case VLAN 403:

Switch(config)# vlan filter Allow_HTTPS vlan-list 403

Note that you use a VLAN list to specify the VLANs to which the map applies, even when the list consists of only one VLAN.

Summary

In this chapter, you learned about preventing VLAN hopping attacks that take advantage of the native VLAN. You also looked at how to break up a VLAN into private VLANs. You learned that configuring PVLANs is a matter of setting ports as promiscuous, community, and isolated. The chapter discussed the PVLAN Edge feature as another way of providing isolation between switch ports. Finally, you learned how to use ACLs to prevent a PVLAN proxy attack.

Exam Essentials

Mitigate native VLAN security issues. Prevent VLAN hopping attacks that use double tagging by setting the native VLAN number to one in which none of the access ports reside.

Describe the benefits of PVLANs. These include the ability to segregate within a primary VLAN, while saving IP address space, decreasing management complexity, and reducing the need for multiple ACLs to maintain security across the VLANs.

Identify the port types used in PVLANs. These include promiscuous, community, and isolated ports. They allow for grouping devices within a VLAN (community), for isolating devices within a VLAN (isolated), and for providing access to all devices back to the router (promiscuous).

Explain the functionality of the PVLAN Edge feature. This feature is used to provide isolation between protected ports located on the same switch.

Mitigate a PVLAN proxy attack. To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet.

Review Questions

1. Which of the following attacks takes advantage of the native VLAN?
A. Double tagging
B. ARP poisoning
C. Buffer overflow
D. PVLAN proxy

2. How should the native VLAN be configured to thwart a double tagging attack?
A. It should be disabled.
B. It should be the same VLAN number where hosts reside.
C. It should be the same as the management VLAN.
D. It should be set to a VLAN number in which none of the access ports reside.

3. Which of the following is not true about service providers providing a separate VLAN per customer?
A. It requires a high number of interfaces on service provider devices to support the subnets.
B. It increases management complexity of dividing the network address space and the potential wasting of address space.
C. Multiple ACLs must be managed to maintain security across the VLANs.
D. It decreases security.

4. What feature allows for providing layer 2 separation within a VLAN?
A. PVLANs
B. Loop Guard
C. DAI
D. Root Guard

5. Which of the following commands changes the native VLAN from 1 to 78?
A. switchport trunk native vlan 78
B. switchport native vlan 78
C. switchport native vlan trunk 78
D. switchport vlan 78

6. Which type of PVLAN port can communicate with a port of any other type?
A. Promiscuous
B. Isolated
C. Community
D. Private

7. Which of the following is not a step in setting up PVLANs?
A. Configuring the primary VLAN, specifying it as a primary PVLAN
B. Specifying each interface as a private VLAN host port and associating it with a private VLAN pair
C. Configuring any required secondary PVLANs, specifying the type
D. Setting the native VLAN number to one in which none of the access ports resides

8. Which of the following commands configures the primary PVLAN?
A. primary-vlan primary
B. private-vlan private
C. private-vlan primary
D. vlan primary

9. To what port state should the default gateway port be set?
A. Promiscuous
B. Isolated
C. Community
D. Private

10. Which command associates two private VLANs with the primary VLAN?
A. vlan association 501-503
B. private-vlan 501-503
C. private-vlan association 501-503
D. private-vlan 501-503 associate

11. Which command sets a port as a PVLAN port?
A. switchport mode private-vlan host
B. switchport private-vlan host-association 10 202
C. switchport host-association 10 202
D. switchport mode host-association 10 202

12. Which of the following commands assigns a PVLAN port to its PVLAN?
A. switchport mode private-vlan host
B. switchport private-vlan host-association 10 202
C. switchport host-association 10 202
D. switchport mode host-association 10 202

13. Which type of attack can be prevented by the PVLAN Edge feature?
A. Double tagging
B. ARP poisoning
C. Buffer overflow
D. PVLAN proxy

14. What is the purpose of the following set of commands?

Switch(config)# vlan 10
Switch(config-vlan)# private-vlan association 501

A. Ties the PVLAN 10 to the primary VLAN 501
B. Ties the PVLAN 501 to the PVLAN 10
C. Ties PVLAN 501 to the primary VLAN 10
D. Ties the PVLAN 10 to the secondary VLAN 501

15. What statement is false about the PVLAN Edge feature?
A. No traffic will be sent from one protected port to another protected port on the same switch.
B. Forwarding behavior between a protected port and unprotected ports proceeds as usual.
C. There is no isolation between protected ports located on different switches.
D. Forwarding between a protected port and unprotected ports is not permitted.

16. What is a port protected by the PVLAN Edge feature called?
A. Isolated
B. Protected
C. Hidden
D. Promiscuous

17. Which command specifies a port as PVLAN Edge?
A. switchport protected
B. switchport edge
C. switchport security edge
D. switchport protected edge

18. Which of the following describes a packet sent by an attacker attempting the PVLAN proxy attack?
A. It contains a source IP and MAC address of the attacker, a destination IP address of the target, and a destination MAC address of the router.
B. It contains a source MAC address of the attacker and source IP address of the target, a destination IP address of the target, and the IP address and MAC address of the router.
C. It contains a source IP address of the attacker and source MAC address of the target, a destination IP address of the target, and the MAC address of the router.
D. It contains a source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router.

19. In a PVLAN proxy attack, which device is acting as the proxy?
A. The target
B. The attacker
C. The router
D. The switch

20. How are VLAN proxy attacks prevented?
A. Implement ACLs on the router interface that allow traffic from the local subnet to the local subnet
B. Implement ACLs on the router interface that deny traffic from remote subnets to the local subnet
C. Implement ACLs on the router interface that deny traffic from the local subnet to remote subnets
D. Implement ACLs on the router interface that deny traffic from the local subnet to the local subnet


Chapter 8 Securing Management Traffic

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

2.1 Secure management
Compare in-band and out-of-band
Configure secure network management
Configure and verify secure access through SNMPv3 using an ACL
Configure and verify security for NTP
Use SCP for file transfer

Controlling access to the management interface of a router or switch is critical to ensuring that there is no unauthorized access that can introduce malicious changes to the configuration of the device. Moreover, when network management and time synchronization protocols such as SNMP and NTP are in use, access to this information must be secured. Finally, as a technician, you should use secure protocols when performing file transfers. This chapter will cover all of these secure management topics.

In this chapter, you will learn the following:
Comparing in-band and out-of-band
Configuring secure network management
Configuring and verifying secure access through SNMPv3 using an ACL
Configuring and verifying security for NTP
Using SCP for file transfer

In-Band and Out-of-Band Management

Many options are available to connect to a Cisco device for managing the device. Methods can be classified as either in-band or out-of-band. An in-band connection is one that uses the network as its transmission medium. In-band connection types include SNMP, virtual terminal (VTY), and HTTPS connections. Out-of-band connections include the console port and the AUX port, both physical connections that do not use the network as the transmission medium. It is good practice to have both in-band and out-of-band methods available for redundancy.

AUX Port

The AUX port comprises a direct serial connection to the device and is considered an out-of-band method of managing the device. One option is to connect a modem to the AUX port and dial in to the modem when access to the CLI is required and when network access is not available. To set up the AUX port for this and to also set a password for the AUX port, you need to know the line number used by the AUX port. This can be determined with the show line command, as shown here:

R1# show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
*    0 CTY              -    -      -    -    -     0      0      0/0    -
    65 AUX   9600/9600  -    -      -    -    -     0      1      0/0    -
    66 VTY              -    -      -    -    -     0      0      0/0    -
    67 VTY              -    -      -    -    -     0      0      0/0    -

In the previous output, the AUX port is using line 65, which you will need to reference in the following set of commands, which set the AUX port to use a modem with a speed of 115200. The commands also set the flow control to hardware and set the password to cisco. Don’t forget the login command, which is the command that specifies asking for a password at connection time!

R1# conf t
R1(config)# line 65
R1(config-line)# modem inout
R1(config-line)# speed 115200
R1(config-line)# transport input all
R1(config-line)# flowcontrol hardware
R1(config-line)# login
R1(config-line)# password cisco
R1(config-line)# end

VTY Ports

The virtual terminal (VTY) ports are considered an in-band method as these connections use the network as the transmission medium. These ports can use several protocols, among them Telnet and SSH. While you will learn later in the chapter to configure the secure alternative to clear-text Telnet, here I will cover securing the lines with passwords and adding physical redundancy to the connections by setting a loopback address. When a loopback address is configured and used as the management IP address, any physical interface on the device can accept the connection attempt if the loopback address is included in dynamic routing advertisements or advertised via a static route. When management access is tied to a physical IP address, the device will be unreachable when that physical interface is down.

To configure a loopback address for management, use the following commands:

R1(config)# int loopback0
R1(config-if)# ip address 192.168.5.5 255.255.255.0
R1(config-if)# no shut

To include the IP address in EIGRP or OSPF routing advertisements, use the following commands. This will ensure that you can reach this address from a remote network.

R1(config)# router eigrp 10
R1(config-router)# network 192.168.5.0 0.255.255.255

R1(config)# router ospf 1
R1(config-router)# network 192.168.5.0 0.255.255.255

Before setting a password on the VTY lines, you should determine how many of these lines exist on the device (which varies) so that you secure them all. Use this command to learn the number of VTY lines:

R1(config)# line vty ?
  <0-15>

Now you know there are 16 lines on this device, so refer to 16 lines when you execute any command designed to apply to all VTY lines. To set a password on the VTY lines, use the following set of commands:

R1(config)# line vty 0 15
R1(config-line)# password cisco
R1(config-line)# login

HTTPS Connection

Many Cisco devices offer the option of managing the device from a GUI interface. This would be considered an in-band connection as it uses the network. While the initial configuration must be completed at the CLI, once an interface has been assigned an IP address and is functional and the HTTP or HTTPS server has been enabled, these devices can be managed using this interface. While the HTTP server is certainly functional, when managing the device, you should always use a secure connection as provided with HTTPS.

Later in this chapter, you will learn how to configure HTTPS.

SNMP

Another option for configuration management is SNMP. As with other methods that use the network as a transmission medium, it is also considered an in-band method. SNMP stores the settings in a MIB. This is a repository with a hierarchical structure with standardized locations for each piece of configuration or status information. These locations and their associated data are called OIDs. The OID number describes the path through the tree-like structure where the specific piece of information is located. Figure 8.1 shows a portion of the MIB. An example of an OID would be 1.3.6.1.2.1.1.5 (system name), which would be one of the subsections of sysDescr (1.3.6.2.1.1).

FIGURE 8.1 Partial MIB

Notice also that there is a private branch in the tree where vendors can include settings and status information that might be unique to their products. Therefore, the path to Cisco-specific data is 1.3.6.1.4.1.9. Access to information stored by an individual device is done using get or set commands, while referencing the OID. get commands retrieve information, while set commands make configuration changes to OIDs that can be changed. SNMP also allows for the creation of traps on devices, which can trigger a message to the management station when a threshold is met or an event occurs. In SNMP version 2, these trap messages are called informs.

SNMP has undergone three version changes over the years. Versions 1 and 2 used the knowledge of a community string as the access control mechanism to the MIBs of the devices. As this is quite a flimsy security system, version 3 adopted a user-based security model that provides for authentication, integrity hashing, and encryption of transmissions. These functions can be configured using three modes that represent various combinations of these capabilities.

noAuthNoPriv: No hashing to secure authentication or encryption of data (referenced as noauth in the command)
AuthNoPriv: Hashing to secure authentication but no encryption of data (referenced as auth in the command)
AuthPriv: Hashing to secure authentication and encryption of data (referenced as priv in the command)

Later in this chapter, you will learn how to configure SNMPv3.

Console Port

The console port also comprises a serial connection that is considered an out-of-band connection. Access control can be applied to this interface by using the line console 0 command. For example, here I have applied a password in this single line and by using the login command have specified that the password is required:

R83(config)# line console 0
R83(config-line)# password cisco
R83(config-line)# login

Securing Network Management

Regardless of the interface with which you manage a Cisco device, you should ensure that the method used is secure. In this section, you’ll look at securing VTY ports and HTTP connections and using ACLs as a further line of defense in protecting these critical management interfaces. Finally, I’ll discuss banner messages and the role they can play in securing management interfaces.

SSH

When accessing a device using the VTY ports, you should always configure and use SSH rather than Telnet for the connection. For more information on configuring SSH, see Chapter 4.

HTTPS

To disable the HTTP server and enable the HTTPS server, execute the following commands:

R81(config)# no ip http server
R81(config)# ip http secure-server
R81# copy run start

Once these commands are executed, the device will generate an RSA key and will use the key to encrypt all transmissions.

ACLs

An additional layer of security that can be applied to any management interface is the application of ACLs. After the ACL has been created, it can be applied to the VTY, HTTPS, and SNMPv3 processes. For example, consider the following access list that allows access only to and from hosts in the 192.168.5.0/24 network (presumably one that contains only management stations).

R84(config)# access-list 99 permit 192.168.5.0 0.0.0.255


This ACL can be applied to each of these management interfaces as follows:

SSH

R84(config)# line vty 0 15
R84(config-line)# access-class 99 in

HTTPS

R84(config)# ip http access-class 99

SNMPv3

To apply ACL 99 at the group level, use this command, which refers to the group test-group using the priv security policy with write access to a view called write-view:

R84(config)# snmp-server group test-group v3 priv write write-view access 99

To apply ACL 99 at the user level, use the following command, which refers to a user named nms-user who is a member of the group nms-group using the auth security policy. This policy uses SHA hashing for authentication with a shared secret of auth-pass. It uses 128-bit AES for encryption using a shared secret of priv-pass. The 99 at the end of the command is the reference to controlling access with ACL 99.

R84(config)# snmp-server user nms-user nms-group v3 auth sha auth-pass priv aes 128 priv-pass access 99
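Both ACL 101 from the PVLAN proxy mitigation in Chapter 7 and the standard ACL 99 used here rely on the same two rules: Cisco wildcard-mask matching and first-match-wins evaluation ending in an implicit deny. The following Python model, an added example rather than code from the book or from Cisco IOS, parses those two access lists and reports the verdict for constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' keyword: every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: Tuple[str, str]   # (address, wildcard)
    dst: Tuple[str, str]   # standard ACLs match on source only, so dst is ANY


def _looks_like_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare 'A.B.C.D'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _looks_like_ip(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]      # bare address in a standard ACL means host


def parse_ace(line: str) -> Ace:
    """Parse the numbered-ACL forms used in the chapter text.

    Extended (100-199):  access-list 101 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    Standard (1-99):     access-list 99 permit 192.168.5.0 0.0.0.255
    Only the 'ip' protocol keyword is modelled; ports and other protocols are out of scope here.
    """
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    if 100 <= number <= 199:
        if rest[0] != "ip":
            raise ValueError("only 'ip' extended entries are modelled")
        src, rest = _take_addr(rest[1:])
        dst, rest = _take_addr(rest)
        return Ace(action, src, dst)
    src, rest = _take_addr(rest)
    return Ace(action, src, ANY)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str = "0.0.0.0") -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for ace in acl:
        if wildcard_match(src_ip, *ace.src) and wildcard_match(dst_ip, *ace.dst):
            return ace.action
    return "deny"


# ACL 101 from the PVLAN proxy mitigation and ACL 99 from the management-plane section.
PVLAN_ACL = [parse_ace(l) for l in (
    "access-list 101 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
    "access-list 101 permit ip any any",
)]
MGMT_ACL = [parse_ace("access-list 99 permit 192.168.5.0 0.0.0.255")]


def pvlan_proxy_verdict(attacker_ip: str, target_ip: str) -> str:
    """Verdict for a packet the router would otherwise relay back into the same subnet."""
    return evaluate(PVLAN_ACL, attacker_ip, target_ip)


def management_verdict(client_ip: str) -> str:
    """Verdict for a VTY/HTTPS/SNMP client checked against access-class 99."""
    return evaluate(MGMT_ACL, client_ip)


if __name__ == "__main__":
    # Constructed sample hosts: attacker and target share 172.16.1.0/24 behind the router.
    print(pvlan_proxy_verdict("172.16.1.10", "172.16.1.20"))   # deny: same subnet, bounced via router
    print(pvlan_proxy_verdict("172.16.1.10", "10.0.0.5"))      # permit: legitimate off-subnet traffic
    print(management_verdict("192.168.5.7"))                   # permit: management station
    print(management_verdict("192.168.6.7"))                   # deny: implicit deny at end of ACL
```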

Banner Messages

While banner messages will never prevent unauthorized access to a device, they should be implemented to provide legal notice to unauthorized individuals that they are breaking the law when attempting to achieve unauthorized access. While the specific wording required for this varies from jurisdiction to jurisdiction, there are some general guidelines regarding this wording.

Use of words such as Welcome may be used later as a defense that access was encouraged.
If you plan to use AAA accounting records in any subsequent legal proceeding, you must inform intruders they are being audited.
You should always state the owner of the system so there will be no later defense that the intruder was unaware of the system owner.
To prevent any future defense that permission was implied, always state “authorized access only.”

There are three types of banner message, and they differ in when they are displayed. Let’s look at configuring each type and discuss when they will appear. The messages used do not constitute any recommendations as to wording.

Message of the Day (MOTD)


A message of the day (MOTD) appears at connection time and before the login banner (if configured). They may be used to communicate scheduled maintenance windows or other general information. To create a message that says “We will be down for 2 hours at 12 p.m.,” use the following command. The message can be surrounded with any character (in this case ') as long as that character does not appear in the message.

R85(config)# banner motd '
Enter text message, End with character '''
We will be down for 2 hours at 12 PM.'

EXEC Banner

This banner appears after successful authentication but before the first command prompt appears. To configure the EXEC banner to say “This is your last chance to leave if you are unauthorized,” use this command:

R85(config)# banner exec '
Enter text message, End with character '''
This is your last chance to leave if you are unauthorized.'

Login Banner

This banner appears after the MOTD banner (if configured), before the login prompt, and before the EXEC banner (if configured). To configure the login banner to say “This is your first chance to leave if you are unauthorized,” use this command:

R85(config)# banner login '
Enter text message, End with character '''
This is your first chance to leave if you are unauthorized.'

Verification

To check your work, let’s connect from R86 using Telnet and see what you get:

R86# telnet 10.10.10.10
Trying 10.10.10.10 ... Open

We will be down for 2 hours at 12 PM

This is your first chance to leave if you are unauthorized

Username: Admin
Password: <hidden>

This is your last chance to leave if you are unauthorized

As you can see, you received the messages as configured in the order you expected.

Securing Access through SNMPv3

Configuring SNMP requires you to set an engine ID for any device used to manage SNMP. This is an ID number composed of 24 hex characters. When inform messages are sent to stations, it is the engine ID that identifies the station. It is entered as a 12-character string. Setting the SNMPv3 engine ID for the management station on a router is done as follows:


R82(config)# snmp-server engineID local 000010000203

Once the engine ID has been defined, the high-level steps to control access to SNMP are as follows:

1. Define an SNMP group and specify the cryptographic policy to be used by the group. In this same command, you can assign an MIB view.
2. Define SNMP users and assign them a user group, a view, an authentication hashing algorithm and shared secret, and when used an encryption algorithm.
3. Define SNMP views, each of which will control the information that can be accessed by users who have been assigned the view.
4. Define the SNMP host that will be the recipient of traps. You will also specify in the same command the user account (and the algorithms and keys associated with that account) under whose security context the traps will be sent.

First let’s define an SNMP group named snmp-group, specify version 3, and set it to use the priv security policy and to have read-only access to the view named read-view (to be created in a later step).

R82(config)# snmp-server group snmp-group v3 priv read read-view

Next let’s define an SNMP user named read-user, assign the user to the group snmp-group, set the version as version 3, configure SHA as the authentication algorithm using a shared key of troy-key, and configure 128-bit AES as the encryption algorithm using mac-key as the shared key for AES.

R82(config)# snmp-server user read-user snmp-group v3 auth sha troy-key priv aes 128 mac-key

Now let’s define the view that you referenced in the command creating the group. The view will only allow read access to the OID 1.3.6.1.2.1 and below.

R82(config)# snmp-server view read-view 1.3.6.1.2.1 included

Finally, let’s set the IP address of the management station to which any traps should be sent along with the version number, a cryptographic policy of auth, and a user account named test-user under whose security context the traps will be sent. This is an account you did not create in this example.

R82(config)# snmp-server host 10.10.10.10 version 3 priv test-user
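The engine ID matters for more than identifying the station: in SNMPv3's user-based security model the user's password is first hashed into a key and then localized with the engine ID, so the same password (troy-key above) yields a different key on every device, and an authentication key lifted from one router does not authenticate to another. The following Python walk-through of that RFC 3414 procedure is an added example, not code from the book or from IOS; it assumes the 12 hex characters typed on R82 are the engine ID bytes (a real device pads the value it actually uses, which you would read from show snmp engineID), and it checks itself against the RFC's published test vectors.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically out to exactly 1,048,576 bytes).
    The deliberately large input makes brute-forcing a captured digest slower."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96: the HMAC truncated to 12 bytes.
    This is the 'auth' half of authPriv; privacy (AES) is a separate key and is not modelled here."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def rfc3414_vectors_ok() -> bool:
    """Self-check against the test vectors in RFC 3414 appendix A.3 (password 'maplesyrup')."""
    engine = bytes.fromhex("000000000000000000000002")
    ku_md5 = password_to_key(b"maplesyrup", "md5")
    ku_sha = password_to_key(b"maplesyrup", "sha1")
    return (
        ku_md5.hex() == "9faf3283884e92834ebc9847d8edd963"
        and localize_key(ku_md5, engine, "md5").hex() == "526f5eed9fcce26f8964c2930787d82b"
        and ku_sha.hex() == "9fb5cc0381497b3793528939ff788d5d79145211"
        and localize_key(ku_sha, engine, "sha1").hex() == "6695febc9288e36282235fc7151f128497b38f3f"
    )


def localized_auth_keys(password: bytes, engine_ids) -> dict:
    """Localized SHA auth keys for one password across several engines (hex, keyed by engine ID).
    'sha' in the IOS snmp-server user command is SHA-1, so that is what is used here."""
    ku = password_to_key(password, "sha1")
    return {eid.hex(): localize_key(ku, eid, "sha1").hex() for eid in engine_ids}


if __name__ == "__main__":
    # Constructed engine IDs: the 12 hex characters typed on R82 in the text, and a second router.
    r82_engine = bytes.fromhex("000010000203")
    other_engine = bytes.fromhex("000010000204")
    keys = localized_auth_keys(b"troy-key", [r82_engine, other_engine])
    for eid, kul in keys.items():
        print(eid, kul)            # same password, different localized key per engine
    print("RFC 3414 vectors:", rfc3414_vectors_ok())
```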

Securing NTP

Synchronization of time among infrastructure devices has become more and more critical to the proper operation of networks. Digital certificates have explicit validity periods, certain Windows operations require strict time synchronization, and analysis of integrated log files becomes a nightmare when the devices from which the log files come have not been synchronized. Moreover, some compliance standards call for strict time synchronization.

While the need to use NTP is without question, network attacks leveraging NTP have appeared that now require you to secure the operation of NTP to prevent such attacks. These attacks can be prevented by configuring NTP authentication. This involves setting a shared secret between the NTP clients and the NTP server that will be used to compute a hash value of the update sent to the client. The client will perform a hash calculation of the update using the same shared key and will compare the results. A match serves as assurance that the update came from the legitimate NTP server. It is important to note that this does not encrypt the update; it only verifies its origin and trustworthiness. Figure 8.2 shows the process.

FIGURE 8.2 NTP authentication process

To configure NTP authentication, the high-level steps (to be performed on both server and client) are as follows:

1. Configure an NTP authentication key number and MD5 string (shared secret).
2. Specify at least one trusted key number referencing the key number in step 1.
3. Enable NTP authentication.

For the first step, let’s configure an NTP key numbered 87 with an associated MD5 string (the shared secret) of mykey on two routers.

R88(config)# ntp authentication-key 87 md5 mykey
R89(config)# ntp authentication-key 87 md5 mykey

Now let’s specify the use of key number 87 and its associated MD5 string to be used for NTP authentication.

R88(config)# ntp trusted-key 87
R89(config)# ntp trusted-key 87

Finally, all you need do is enable NTP authentication.

R88(config)# ntp authenticate
R89(config)# ntp authenticate
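To make concrete what Figure 8.2 describes, and what the text stresses (origin is verified, nothing is encrypted), here is an added Python simulation, not code from the book or from IOS, of the MD5 symmetric-key authentication NTP uses: the server appends a key ID and MD5(key || header) to the 48-byte header, and the client recomputes it with the key it trusts under that ID. Key 87 / mykey mirrors the configuration above; the packet contents and the untrusted key 88 are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # bytes covered by the MAC


def build_ntp_server_reply(transmit_ts: int, stratum: int = 2, ref_id: bytes = b"GPS\0") -> bytes:
    """Constructed 48-byte NTPv4 server-mode header (LI=0, VN=4, Mode=4); only the fields that
    matter for the demonstration are filled with meaningful values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    poll, precision = 6, -20
    root_delay = root_disp = 0
    ref_ts = orig_ts = recv_ts = transmit_ts
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id, ref_ts, orig_ts, recv_ts, transmit_ts)


def ntp_mac(key: bytes, packet: bytes) -> bytes:
    """Symmetric-key NTP authentication (RFC 5905 appendix A, RFC 1305): MD5(key || header)."""
    return hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()


def sign_ntp_packet(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append the 4-byte key identifier and the 16-byte digest."""
    return packet + struct.pack("!I", key_id) + ntp_mac(key, packet)


def verify_ntp_packet(signed: bytes, trusted_keys: dict) -> bool:
    """Client side: accept only if the key ID is trusted and the digest matches.
    trusted_keys models 'ntp authentication-key N md5 ...' combined with 'ntp trusted-key N'."""
    if len(signed) != NTP_HEADER_LEN + 4 + 16:
        return False
    header, key_id_raw, digest = signed[:48], signed[48:52], signed[52:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(ntp_mac(key, header), digest)


def demo_results() -> dict:
    """Runs the cases a defender cares about and returns the client's verdicts."""
    ntp_epoch_offset = 2208988800                    # seconds between 1900 and 1970
    ts = (1_700_000_000 + ntp_epoch_offset) << 32    # constructed, fixed transmit timestamp
    # Key 87 / 'mykey' mirrors 'ntp authentication-key 87 md5 mykey'; key 88 is not trusted.
    server_keys = {87: b"mykey", 88: b"otherkey"}
    client_trusted = {87: b"mykey"}
    packet = build_ntp_server_reply(ts)
    genuine = sign_ntp_packet(packet, 87, server_keys[87])
    # Tampering in transit: the transmit timestamp (last 8 bytes of the header) shifted by one hour.
    forged_header = packet[:40] + struct.pack("!Q", ts + (3600 << 32))
    tampered = forged_header + genuine[48:]
    untrusted = sign_ntp_packet(packet, 88, server_keys[88])
    return {
        "genuine": verify_ntp_packet(genuine, client_trusted),
        "tampered": verify_ntp_packet(tampered, client_trusted),
        "untrusted_key": verify_ntp_packet(untrusted, client_trusted),
        "header_readable": genuine[1] == 2,   # stratum still in clear text: no confidentiality
    }


if __name__ == "__main__":
    for case, accepted in demo_results().items():
        print(f"{case:16s} {accepted}")
```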


Using SCP for File Transfer

While FTP and TFTP can be used to transfer configurations and IOS images across the network, these protocols lack the ability to encrypt the transmission. A better alternative is Secure Copy Protocol (SCP). This is an implementation of the Remote Copy Protocol (RCP) that operates over an SSH connection. The server that is used to store images and configurations must be configured as an SCP server with a key that can be validated by the Cisco devices. That setup is beyond the scope of this book; however, we will cover the commands to be used on the Cisco devices to perform an SCP transfer.

With the server setup in place, you simply reference the SCP server by URL in the copy command. For example, if the server were named scp-srv and you wanted to copy the running configuration to it under the security context of an account named Admin with a password of mypass, while naming the file R88-config.txt, you would use the following command:

R88# copy run scp://admin:mypass@scp-srv/r88-config.txt

To restore that file to the startup configuration, you would use the following command:

R88# copy scp://admin:mypass@scp-srv/r88-config.txt start

Summary

In this chapter, you learned about the security differences in managing devices from in-band and out-of-band interfaces. You also learned that in-band interfaces include HTTP, VTY, and the physical interfaces on the device and that out-of-band interfaces include the console and AUX ports. The chapter also discussed methods of securing management interfaces including enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management. Among the other topics covered in this chapter were the types of banner message that can be configured and the securing of the NTP protocol.

Exam Essentials

Identify in-band and out-of-band interfaces. In-band interfaces include HTTP, VTY, and the physical interfaces on the device. Out-of-band interfaces include the console and AUX ports.

Describe methods to secure management interfaces. These include disabling the HTTP server and enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management rather than Telnet. It also includes applying ACLs to all management interfaces.

Identify the types of banner messages and their use. These include the message of the day banner, which appears when a connection is made; the login banner, which appears after the MOTD and before the login prompt; and the EXEC banner, which appears after authentication.


List the three security policies that can be applied to SNMPv3. These include noAuthNoPriv, which is no hashing to secure authentication or encryption of data; AuthNoPriv, which is hashing to secure authentication but no encryption of data; and AuthPriv, which is hashing to secure authentication and encryption of data.

Describe the steps to configure NTP authentication. These steps are configuring an NTP authentication key number and MD5 string (shared secret), specifying at least one trusted key number referencing the key number in the first step, and enabling NTP authentication.

Review Questions

1. Which of the following is an out-of-band connection?
A. HTTP
B. Con 0
C. Gi0/1
D. VTY

2. What information is required to set up a modem on the AUX port?
A. Line number
B. AUX password
C. Transmission rate
D. Modem model

3. Which of the following is a valid reason for configuring a loopback interface as the management interface?
A. It is more secure.
B. It provides better performance.
C. It is always up.
D. It is preconfigured.

4. What command enables you to identify the total number of VTY ports in the device?
A. R1(config)# line ?
B. R1(config)# line vty ?
C. R1# line ?
D. R1# line vty ?

5. How are the locations of information contained in SNMP identified?
A. MIB
B. OID
C. Informs
D. Traps

6. Which SNMP security policy provides hashing to secure authentication but no encryption of data?
A. noAuthNoPriv
B. AuthNoPriv
C. AuthPriv
D. Priv

7. Which interfaces should be protected by passwords?
A. VTY
B. Console
C. HTTPS
D. All of the above

8. Which of the following commands enables encryption of HTTP transfers?
A. R81(config)# ip https secure
B. R81(config)# ip https server
C. R81(config)# ip http secure-server
D. R81(config-line)# ip http secure-server

9. Which command applies ACL 99 at the group level, while referring to the group test-group using the priv security policy with write access to a view called write-view?
A. R84# snmp-server group test-group v3 priv write write-view access 99
B. R84(config)# snmp-server test-group v3 priv write write-view access 99
C. R84(config)# snmp-server group test-group v3 priv write-view access 99
D. R84(config)# snmp-server group test-group v3 priv write write-view access 99

10. Which of the following is not a recommendation for banner message wording?
A. Use of words such as Welcome should be encouraged.
B. If you plan to use AAA accounting records in any subsequent legal proceeding, you must inform intruders they are being audited.
C. You should always state the owner of the system so there will be no later defense that the intruder was unaware of the system owner.
D. To prevent any future defense that permission was implied, always state “authorized access only.”

11. Which of the following is not a banner type?
A. MOTD
B. EXEC
C. Login
D. Maintenance

12. Which of the following banner messages appears at connection time?
A. MOTD
B. EXEC
C. Login
D. Maintenance

13. When SNMP inform messages are sent to stations, what value identifies the station?
A. Process ID
B. MAC address
C. Engine ID
D. Router ID

14. Which of the following steps in configuring SNMPv3 security is optional?
A. Define an SNMP group
B. Assign an MIB view
C. Specify the cryptographic policy to be used by the group
D. Define SNMP users and assign them a user group

15. What statement is false with regard to the following command?

R82(config)# snmp-server view read-view 1.3.6.1.2.1 included

A. The view is named read-view.
B. read-view is the group name.
C. 1.3.6.1.2.1 is the OID.
D. This command defines a view.

16. How is MD5 used in NTP authentication?
A. Encrypts the data
B. Hashes the update
C. Hashes the password
D. Encrypts the shared secret

17. Which step is not part of configuring NTP authentication?
A. Configure an NTP authentication key number and MD5 string
B. Specify at least one trusted key number referencing the key number
C. Encrypt the key number
D. Enable NTP authentication

18. Which of the following should be used as a secure alternative to TFTP or FTP?
A. SCP
B. RTP
C. VTP
D. STP

19. When using SCP to copy files to an SCP server, how do you reference the SCP server in the copy command?
A. MAC address
B. IP address
C. URL
D. Port number

20. In what repository is SNMP data contained?
A. OID
B. MIB
C. Registry
D. Hardware register


Chapter 9 Understanding 802.1x and AAA

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

2.2 AAA concepts
Describe RADIUS and TACACS+ technologies
Configure administrative access on a Cisco router using TACACS+
Verify connectivity on a Cisco router to a TACACS+ server
Explain the integration of Active Directory with AAA
Describe authentication and authorization using ACS and ISE

2.3 802.1x authentication
Identify the functions of 802.1x components

While access to the network and to network resources can be controlled by performing user authentication at the point of entry into the network, this approach creates a larger and larger management headache as the number of network entry devices grows. In fact, creating and managing user accounts and user passwords across multiple wireless access points, RAS servers, and VPN servers becomes almost unworkable. The 802.1x standard was created to address this issue. In this chapter, you’ll explore 802.1x and two closely related technologies that make it possible.

In this chapter, you will learn the following:
Understanding AAA 802.1x components
Using RADIUS and TACACS+ technologies
Configuring administrative access with TACACS+
Verifying router connectivity to TACACS+
Integrating Active Directory with AAA
Performing authentication and authorization using ACS and ISE


802.1x Components

The 802.1x standard defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components.

Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication

The role of the authenticator can be performed by a wide variety of network access devices, including remote access servers (both dial-up and VPN), switches, and wireless access points. The role of the authentication server can be performed by a Remote Authentication Dial-in User Service (RADIUS) or Terminal Access Controller Access Control System+ (TACACS+) server. The authenticator requests credentials from the supplicant and, upon receipt of those credentials, relays them to the authentication server, where they are validated. Upon successful verification, the authenticator is notified to open the port for the supplicant to allow network access.

Figure 9.1 illustrates this process.

FIGURE 9.1 802.1x

RADIUS and TACACS+ Technologies

While RADIUS and TACACS+ perform the same roles, they have different characteristics. These differences must be taken into consideration when choosing a method. Keep in mind also that while RADIUS is a standard, TACACS+ is Cisco proprietary. Table 9.1 compares them.


TABLE 9.1 RADIUS and TACACS+

Characteristic                                 | RADIUS                                  | TACACS+
Transport protocol                             | UDP                                     | TCP
Confidentiality                                | Password only                           | Entire body except TACACS+ header
Authentication, authorization, and accounting  | Combines the three processes            | Separates the three processes
Supported layer 3 protocols                    | All but RAS, NetBIOS, or X.25           | All
Devices                                        | No support for securing Cisco commands  | Support for securing Cisco commands
Traffic                                        | Less                                    | More
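The Confidentiality row is the one with the biggest consequence for anyone capturing traffic between the network device and the AAA server, and the following Python example (added here; not code from the book or from any Cisco product) shows why: it implements the RFC 2865 User-Password hiding that RADIUS applies to that single attribute beside the RFC 8907 body obfuscation TACACS+ applies to the whole packet body, and reports what stays readable in each case. The shared secret, Request Authenticator, session ID and account name are constructed values.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret || c_(i-1)),
    seeded with the Request Authenticator. Only this one attribute gets this treatment."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of the above: the server regenerates the same pad stream from the secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request_attrs(user: bytes, password: bytes, secret: bytes, ra: bytes) -> bytes:
    """Constructed attribute list: User-Name (type 1) travels in the clear; User-Password (type 2) is hidden."""
    hidden = radius_hide_password(password, secret, ra)
    return (struct.pack("!BB", 1, 2 + len(user)) + user
            + struct.pack("!BB", 2, 2 + len(hidden)) + hidden)


def tacacs_body_crypt(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_(n-1)); the whole body is XORed
    with the pad stream. The operation is symmetric, so the same call decrypts."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def on_path_view() -> dict:
    """What a passive observer of each protocol learns from one login, using constructed values."""
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))                    # RADIUS Request Authenticator (random on a real client)
    user, password = b"adminsr", b"srpass"   # account from the local AAA example in this chapter
    session_id, version, seq_no = 0x0BADCAFE, 0xC0, 1   # TACACS+ header fields (constructed)
    radius_attrs = radius_access_request_attrs(user, password, secret, ra)
    plain_body = b"user=" + user + b" pass=" + password
    tacacs_body = tacacs_body_crypt(plain_body, secret, session_id, version, seq_no)
    hidden_offset = 2 + len(user) + 2        # skip User-Name TLV and the User-Password type/length
    return {
        "radius_username_visible": user in radius_attrs,
        "radius_password_visible": password in radius_attrs,
        "radius_password_recoverable_with_secret":
            radius_reveal_password(radius_attrs[hidden_offset:], secret, ra) == password,
        "tacacs_username_visible": user in tacacs_body,
        "tacacs_decrypts_with_key":
            tacacs_body_crypt(tacacs_body, secret, session_id, version, seq_no) == plain_body,
    }


if __name__ == "__main__":
    for finding, value in on_path_view().items():
        print(f"{finding:40s} {value}")
```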

Manyconsiderenabling802.1xauthenticationonalldevicestobethebestprotectionyoucanprovideanetwork.

ConfiguringAdministrativeAccesswithTACACS+EarlieryoulearnedhowtosecureadministrativeaccesstoaCiscodeviceusingSSHovertheVTYlines.Youalsolearnedhowtocontroltheactivitiesofthosewithadministrativeaccessusingprivilegelevels.BothoperationscanalsobedoneusingAAAservices.Asyounowknow,theusernamesandpasswordscanbelocatedonanAAAserverratherthanonthelocaldevice.Havingsaidthat,itisalsopossibletotakeadvantageoftheseserviceswhilelocatingtheusernamesandpasswordonthelocaldevice.Regardingcontrollingtheactivitiesofthosewithadministrativeaccess,usinguseraccountsratherthanprivilegelevelsprovidesmoreaccountability.Inthissection,you’lllookathowusingAAAserviceschangestheseconfigurations.

Local AAA Authentication and Accounting

Local AAA authentication and accounting is a form of AAA in which the user accounts are located on the device rather than on an AAA server. To use AAA services for any type of authentication, AAA must be enabled on the device. Including this step, the high-level steps to configure local AAA authentication are as follows:

1. Create user accounts with an assigned privilege level and password.

2. Enable AAA services.

3. Configure an authentication method list that specifies local authentication.

4. Configure an authorization method list for access to the CLI (EXEC) that uses the local database.

Let's begin by creating a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass.


R89(config)# username adminsr privilege 7 secret srpass

Now let's enable AAA services on the router.

R89(config)# aaa new-model

To configure an authentication method that specifies local authentication on all lines (by using the default keyword), use this command:

R89(config)# aaa authentication login default local

Finally, let's configure an authorization method that provides access to the CLI (by including the exec keyword) on all lines (by using the default keyword).

R89(config)# aaa authorization exec default local

The authorization configuration applies to all lines except Con0: IOS does not apply AAA authorization to the console unless you explicitly enter aaa authorization console. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out. Note that aaa new-model immediately applies local login authentication to the VTY lines, so create the local user account first, as shown here; enabling AAA over an SSH session with no local user defined is a common way to lock yourself out.

SSH Using AAA

In Chapter 8, you learned how to configure SSH access on the VTY lines. When you did that, you created local accounts and passwords to authenticate those connecting with SSH. You also learned in Chapter 8 how to assign privilege levels to user accounts. If you use AAA authentication for SSH, then you can use AAA to authorize the assigned privilege level of the same account when authentication occurs. Later in this chapter, you will learn how to use a TACACS+ server as the authentication method. In this example, you will continue to use the local AAA database. To do this, complete the following tasks:

1. Enable AAA services.

2. Configure an authentication method that specifies local authentication.

3. Configure an authorization method for access to the CLI that uses the local database.

These commands are executed in much the same way as when you were setting up local AAA authentication and accounting in the previous section. Once aaa new-model is enabled, the VTY lines use the default login method list automatically; no per-line login authentication command is needed.

To enable AAA services on the router, use this command:

R89(config)# aaa new-model

To configure an authentication method that specifies local authentication on all lines (by using the default keyword), use this command:

R89(config)# aaa authentication login default local

To configure an authorization method that provides access to the CLI (by including the exec keyword) on all lines (by using the default keyword), use this command:

R89(config)# aaa authorization exec default local


Again, the authorization configuration applies to all lines except Con0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.

Understanding Authentication and Authorization Using ACS and ISE

To fully realize the benefits of the 802.1x security solution, user accounts and the security policies surrounding those accounts should be in a centralized database available to all devices operating as authenticators. The device operating as the authentication server in the 802.1x framework is the AAA server.

Cisco offers two AAA servers that can fulfill the role of authentication server. The Cisco Secure Access Control Server (ACS) can operate either as a RADIUS server or as a TACACS+ server. The Cisco Identity Services Engine (ISE) supported only RADIUS at the time of this writing (ISE added TACACS+ device administration in release 2.0, which matters if you are replacing ACS). However, ISE supports functionality not present in Cisco ACS. Additional features include the following:

Profiling to determine the type of device from which a network access request originates and to apply a set of access policies specific to the profile attached to that device. This means a user might have multiple profiles, each attached to the various devices they use.

Posture assessment to verify the minimum security requirements of a device before allowing access. If issues arise, such as missing OS or security updates, the device may be either remediated or denied entry.

Centralized web access for guest access to the network.

Understanding the Integration of Active Directory with AAA

Both Cisco AAA offerings support the centralization of user accounts and credentials on the AAA server. However, in most cases, doing so would constitute a duplication of effort, since this same information is already contained in a directory services server such as Microsoft Active Directory. Both Cisco ACS and Cisco ISE can consult other databases for this information.

The ability of these two offerings to utilize an external enterprise user ID repository is a key feature. While some Cisco devices, such as the Cisco Adaptive Security Appliance (ASA), can communicate directly with LDAP repositories or Active Directory for authentication purposes, most do not. Therefore, the deployment of an AAA server serves as an important link between the authenticators in the 802.1x framework and the external enterprise directory service. In the next section, you'll learn how an authenticator might speak to an external enterprise database through the AAA server, and you'll discover how to set up a Cisco router to use a TACACS+-based AAA server.

TACACS+ on IOS


While an AAA server can be populated with usernames and credentials, an AAA server can also utilize the same information that resides in an enterprise directory service such as Active Directory. When this is the case, the process that occurs during a request for network access is as follows. In this case, a TACACS+ server is in use.

1. The supplicant establishes a connection with the authenticator (router, WAP, VPN server).

2. The authenticator challenges the supplicant for credentials.

3. The supplicant responds with credentials.

4. The authenticator passes the credentials to the authentication server (the AAA server, here a TACACS+ server).

5. The TACACS+ server consults the LDAP server (for example, Active Directory).

6. The LDAP server performs the authentication and returns the result to the TACACS+ server.

7. The TACACS+ server returns the result to the authenticator, which passes it to the supplicant.

Configuring a Router to Use a TACACS+ Server

The steps to configure a router to use a TACACS+ server are as follows:

1. Enable AAA.

2. Specify the TACACS+ server name.

3. Specify the TACACS+ server IP address and type (IPv4 or IPv6).

4. Specify the key string used as a shared secret between the router and the TACACS+ server.

5. Specify the use of TACACS+ in the method lists for authentication and authorization, while also specifying a backup method.

6. Create local usernames and credentials for use in case of loss of access to the TACACS+ server.

7. Enable per-command authorization (optional).

8. Enable accounting of administrative sessions and of the use of specific commands (optional).

First, let's enable AAA as you have done before.

R90(config)# aaa new-model

Next, define the TACACS+ server by name, give it an address, and set the shared secret (the same key must be configured on the server):

R90(config)# tacacs server servertac

R90(config-server-tacacs)# address ipv4 192.168.56.6

R90(config-server-tacacs)# key mysecretkey

R90(config-server-tacacs)# exit

Next, let's specify the use of TACACS+ in the method lists for authentication and authorization, while also specifying a backup method. In this case, the backup is local authentication, which is consulted only if no TACACS+ server responds (not if the server responds with a rejection).


R90(config)# aaa authentication login default group tacacs+ local

R90(config)# aaa authorization exec default group tacacs+ local

As you are using local authentication as a backup, you need to create an account for that process should it be necessary. This process is the same as you learned earlier.

R90(config)# username adminsr privilege 7 secret srpass

Optionally, you can enable per-command authorization. In the following example, the router will consult the TACACS+ server whenever an administrator enters any privilege level 15 command or any configuration command. If the account lacks the authorization, the command is denied and an error message appears. Again, local is specified as the backup method here.

R90(config)# aaa authorization commands 15 default group tacacs+ local

R90(config)# aaa authorization config-commands

Optionally, you can also enable accounting of administrative sessions and of the use of specific commands. In the following example, an accounting record is sent at the start of an administrative (EXEC) session, and another is sent at the end of the session.

R90(config)# aaa accounting exec default start-stop group tacacs+

Finally (again optionally), the following command causes an accounting record to be sent after every privilege level 15 command and every configuration command:

R90(config)# aaa accounting commands 15 default stop-only group tacacs+
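The two mistakes that turn this procedure into a lockout or a silent bypass are a method list that ends with group tacacs+ and nothing else (every line is dead when the server is unreachable) and a method list that ends with none (every line is open when the server is unreachable). The following added example, which is not from the book, audits a saved configuration for exactly those points before a TACACS+ rollout is trusted. SAMPLE_CONFIG is constructed from the commands in this section in the form they are typed (show running-config would display the secret hashed); the check names are this script's own, not IOS output.

```python
"""Added example (not from the book): an offline audit of the AAA commands above, as a
practitioner would run against a saved running-config before trusting a TACACS+ rollout.
SAMPLE_CONFIG is constructed from the commands in this section; the check names are ours."""
import re

SAMPLE_CONFIG = """\
hostname R90
aaa new-model
tacacs server servertac
 address ipv4 192.168.56.6
 key mysecretkey
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
username adminsr privilege 7 secret srpass
"""

METHOD_LINE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+|"
    r"accounting exec|accounting commands \d+) (\S+) (.+)$")
METHOD = re.compile(r"group \S+|local-case|local|enable|none|line")


def parse_method_lists(config: str) -> dict:
    """Map (service, list name) -> ordered methods, e.g.
    ('authentication login', 'default') -> ['group tacacs+', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = METHOD_LINE.match(line.strip())
        if m:
            service, name, rest = m.groups()
            lists[(service, name)] = METHOD.findall(rest)
    return lists


def audit(config: str) -> list:
    """Return (check, passed, detail) tuples for the lockout and hardening points above."""
    lists = parse_method_lists(config)
    lines = [l.strip() for l in config.splitlines()]
    findings = [("aaa new-model present", "aaa new-model" in lines, "")]
    for key in (("authentication login", "default"), ("authorization exec", "default")):
        methods = lists.get(key, [])
        # A server-only list locks every line when the TACACS+ server is unreachable;
        # 'local' must be the last method so the router falls back to its own database.
        ok = any(m.startswith("group") for m in methods) and methods[-1:] in (["local"], ["local-case"])
        findings.append((f"{key[0]} {key[1]} ends with local fallback", ok, " ".join(methods)))
    for (service, name), methods in lists.items():
        # 'none' as a fallback silently opens the line when the server is down.
        findings.append((f"{service} {name} avoids 'none'", "none" not in methods, " ".join(methods)))
    findings.append(("local username with secret exists for fallback",
                     re.search(r"^username \S+ .*\bsecret\b", config, re.M) is not None, ""))
    findings.append(("no local user with reversible 'password'",
                     re.search(r"^username \S+ .*\bpassword\b", config, re.M) is None, ""))
    findings.append(("tacacs server key configured",
                     re.search(r"^\s+key \S+", config, re.M) is not None, ""))
    findings.append(("per-command authorization for level 15",
                     ("authorization commands 15", "default") in lists, ""))
    return findings


def passes(config: str) -> bool:
    """True only when every check in audit() passes."""
    return all(ok for _, ok, _ in audit(config))


if __name__ == "__main__":
    for check, ok, detail in audit(SAMPLE_CONFIG):
        print("PASS" if ok else "FAIL", check, detail)
```

Run it against the output of show running-config | include ^aaa|^username|^tacacs|^ key before the change window closes; the fallback check is the one that saves a truck roll.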

Verify Router Connectivity to TACACS+

Once you have configured the router with the IP address of the TACACS+ server, you should verify that you have connectivity between the devices. This can be done by using the test aaa command, run from privileged EXEC mode (not configuration mode), to test an authentication against the TACACS+ server. For example, to test the username mytest with a password of mypass, use the following command:

R90# test aaa group tacacs+ mytest mypass new-code

Sending password

User successfully authenticated

USER ATTRIBUTES

username 0 "mytest"

reply-message 0 "Password: "

As you can see, the authentication succeeded, which indicates that you have connectivity to the TACACS+ server and that the shared key matches. A key mismatch typically shows up as an authentication failure rather than a timeout, so check the key before assuming a network problem.

Summary

In this chapter, you learned about the AAA service that can be provided by TACACS+ and RADIUS servers. You also looked at configuring administrative access to a router using TACACS+. You learned how AAA can be integrated with Active Directory. You looked at the Cisco implementations of a RADIUS server, including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE). Finally, you learned about the functions of the various 802.1x components.

Exam Essentials

Describe the RADIUS and TACACS+ technologies. Understand the benefits of these technologies, which include centralization of authentication and reduction of administrative overhead. Also identify the differences between these technologies, which include the transport and ports used (RADIUS on UDP 1812/1813, TACACS+ on TCP 49), how much of the packet is protected, and the way they handle the authentication, authorization, and accounting functions.

Configure and verify administrative access to a router using TACACS+. This includes enabling AAA services, specifying the TACACS+ server name, specifying the TACACS+ server IP address and type (IPv4 or IPv6), specifying the key string used as a shared secret between the router and the TACACS+ server, and specifying the use of TACACS+ in the method lists for authentication and authorization, while also specifying a backup method.

Explain the integration of Active Directory with AAA. Describe how an Active Directory server can be used by an AAA server as a repository for usernames and credentials.

Identify Cisco implementations of AAA servers. These include the Cisco Secure Access Control Server (ACS), which can operate either as a RADIUS server or as a TACACS+ server. The Cisco Identity Services Engine (ISE) supported only RADIUS at the time of this writing. However, it supports functionality not present in the Cisco ACS.

Identify the functions of 802.1x components. These include the supplicant (the device requesting access), the authenticator (the network access device to which you are connecting), and the authentication server (AAA server).

Review Questions

1. Which of the following is an example of the authenticator in the 802.1x standard?

A. Wireless AP

B. TACACS+ server

C. User laptop

D. AAA server

2. Which of the following is true about TACACS+?

A. Encrypts only the password

B. Separates the three AAA processes

C. Uses UDP


D. Creates less traffic than RADIUS

3. Which of the following commands enables AAA services on a router?

A. aaa enable

B. aaa new-model

C. enable aaa

D. aaa authentication

4. What command configures an authentication method that specifies local authentication?

A. aaa authentication default local

B. aaa authentication login local default

C. aaa authentication login default local

D. aaa login default local

5. When configuring an authorization method that provides access to the CLI, to which line does the configuration not apply?

A. VTY 0

B. CON 0

C. AUX 0

D. VTY 1

6. Which of the following is a Cisco implementation of an AAA server?

A. SDM

B. ACS

C. PIX

D. ASA

7. Which device can communicate directly with LDAP repositories or Active Directory for authentication purposes?

A. SDM

B. VTP

C. PIX

D. ASA

8. Which of the following commands specifies the TACACS+ server for a router?

A. tacacs server servername

B. server servername


C. tacacs server ipaddress

D. server ipaddress

9. Which command tests the authentication process and verifies connectivity to the TACACS+ server?

A. test aaa group tacacs+ username password new-code

B. test aaa group tacacs+ password new-code

C. test aaa group tacacs+ username new-code password

D. test aaa group tacacs+ username password

10. Which of the following commands specifies the use of TACACS+ in a method list for authorization while also specifying a backup method?

A. aaa authorization default group tacacs+ local

B. aaa authorization exec default group tacacs+ local

C. aaa authorization exec default tacacs+ local

D. aaa authorization exec group tacacs+ local

11. Which of the following steps in configuring a router to use a TACACS+ server is optional?

A. Enable AAA authentication

B. Specify the TACACS+ server name

C. Enable per-command authorization

D. Specify the TACACS+ server IP address and type

12. When AAA services make use of an LDAP server, which component performs the authentication?

A. AAA server

B. LDAP server

C. Network access device

D. Supplicant

13. Which of the following is the ability to verify the minimum security requirements of a device before allowing access?

A. Profiling

B. Posture assessment

C. Supplication

D. Authorization


14. Which of the following commands configures a local authorization method that provides access to the CLI on all lines?

A. aaa authorization default local

B. aaa authorization default exec local

C. aaa authorization exec default local

D. aaa authorization exec default

15. Which command creates a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass?

A. username adminsr privilege 7 secret srpass

B. username adminsr privilege secret 7 srpass

C. username adminsr privilege srpass 7 secret

D. username privilege 7 adminsr secret srpass

16. Regarding controlling the activities of those with administrative access, why should you use user accounts rather than privilege levels?

A. Better performance

B. More accountability

C. Simpler configuration

D. Encrypted processes

17. Which of the following is false of RADIUS?

A. Industry standard

B. Uses UDP

C. Supports securing Cisco commands

D. Protects only the password

18. Which standard provides a security framework that includes a supplicant, authenticator, and authentication server?

A. 802.11

B. 802.3

C. 802.1x

D. 802.5

19. In the 802.1x framework, which device can operate as the authentication server?

A. RADIUS server


B. Wireless AP

C. User laptop

D. VPN server

20. Which of the following is the ability to determine the type of device from which a network access request is originating?

A. Posture assessment

B. Profiling

C. Classification

D. Contextual awareness


Chapter 10 Securing a BYOD Initiative

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

2.4 BYOD

The BYOD architecture framework

Describe the function of mobile device management (MDM)

Despite the security challenges, users are increasingly demanding the right to use their personal mobile devices in the enterprise. Somewhat like the clamor for wireless access witnessed more than a decade ago, this outcry for a bring your own device (BYOD) initiative has reached the point where it can no longer be ignored. It has given rise to the development of mobile device management software to gain control over these personal devices.

In this chapter, you will learn the following:

The BYOD architecture framework

The function of mobile device management (MDM)

The BYOD Architecture Framework

To enable the secure deployment of a BYOD initiative, Cisco has created an architectural framework that provides the components required to allow the use of personal devices while checking that these devices meet policy every time they access the network. The framework may include the following functions:

The 802.1x framework

Mobile device management software

The Cisco Identity Services Engine (ISE)

The Cisco TrustSec provisioning and management platform

While you already understand the role that the 802.1x framework plays, in the following sections the role that each of the other features plays in the Cisco BYOD architectural framework will be discussed.


Cisco ISE

The Cisco Identity Services Engine (ISE) is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections. It combines AAA, posture assessment and profiling, and guest access management. The network access devices (NADs) can be wired switches, VPN servers, wireless access points and controllers, and routers.

ISE can take many items into account when assessing an access request. Moreover, it can take the same context-based items into account when evaluating authorization requests. As shown in Figure 10.1, the following can be considered during both the access request and the authorization request:

Who is the individual?

What device are they using?

Where are they connecting from?

When are they connecting?

How are they connecting?

FIGURE 10.1 ISE context-based access

ISE can make use of several advanced features to provide granular and dynamic access control policies. Among these are the following:

Downloadable ACLs (dACLs): IP-based ACLs that ISE pushes to the network access device when the policy calls for it

Automatic VLAN assignment: To an employee VLAN, a guest VLAN, or, in the case of a failed health check, a remediation VLAN

Security Group Access (SGA): Applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology


Change of authorization (CoA) updates: The ability of ISE to change the authorization of an existing session in real time after the administrator makes a change, without requiring a log-off for the change to take effect

Posture assessment: Checks the health of a device before allowing access and, if the check fails, can remediate the device

Finally, ISE can accept many authentication mechanisms, including the following:

802.1x: ISE is a fully functional AAA server.

MAC authentication bypass (MAB): Port-based access control using the MAC address of the endpoint. Because a MAC address is trivially spoofed, MAB is a weak identity and is best paired with profiling and restrictive authorization.

Web authentication (WebAuth): Enables network access for end hosts that do not support IEEE 802.1X authentication.

Later in this chapter, you'll see how ISE integrates with mobile device management to make successful and secure BYOD possible.

Cisco TrustSec

Another component in the Cisco BYOD architecture framework is Cisco TrustSec. It works in concert with ISE and other security devices to use security group tags and security group ACLs (SGACLs) to provide improved visibility into an access request. It uses logical policy groupings to define policies that control both access and authorization. The three main functions of TrustSec are the following:

Classify each device by assigning a security group tag (SGT) to its IP address.

Transport, or communicate, this classification information throughout the network, using a process called inline tagging (for those networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not.

Enforce access rules through the examination of the SGTs.

Let's look at how TrustSec does this.

SGT Classification

Classification of a device is done by assigning it an SGT. These tags, which are 16 bits in length, can be applied dynamically or statically. Dynamic tagging is applied through Cisco ISE and is possible when the authentication method is 802.1x, MAC authentication bypass, or web authentication. In dynamic tagging, ISE pushes the SGT to the network access device (NAD) as part of the authorization result.

Static tagging can also be performed, either on ISE or directly in the NAD. Examples of this are mapping an entire subnet to an SGT or mapping a VLAN to an SGT.

Inline SGT Transport


For those devices that support the feature, inline SGT transport can be used to propagate SGTs throughout the network. The sending device embeds the SGT into the Ethernet frame on egress. This tag is read by the receiving device and propagated to the next device. The SGT is carried in a new section of the Ethernet header called the Cisco Metadata (CMD) header. Its location is shown in Figure 10.2. As you can see, the CMD holds other information besides the 16-bit SGT. The CMD header, including its own EtherType (0x8909), adds 8 bytes to the frame.

FIGURE 10.2 CMD

One thing to note is that in cases where two networking devices are also using 802.1AE security (MACsec), the addition of the 16-byte 802.1AE header and the 16-byte ICV field brings the total addition to the Ethernet frame to 40 bytes.

SGT Exchange Protocol

For those devices that do not support inline SGT transport, the SGT eXchange Protocol (SXP) can be used to transport the IP-to-SGT mappings. The goal is to get the classification information (in the form of SGTs) applied to the traffic at the upstream devices that must enforce the security.

SXP connections are used for this purpose. They are point-to-point TCP-based connections created between two endpoints, one of which must be designated as the speaker and the other as the listener (any other combination of the two roles will fail). In Figure 10.3, the 2960 switch on the left is capable of SXP and uses it to send its IP-to-SGT mappings to an upstream device (the 3750 switch) that is SGT capable, so when the 3750 forwards to the CAT6500 (which is also SGT capable), the traffic is tagged inline as described in the previous section.


FIGURE 10.3 SXP and SGT

Also notice in Figure 10.3 that at the CAT6500 an enforcement action has occurred, blocking traffic at that point as a result of the SGT information. The four versions of SXP can be described as follows:

Version 1: Supports only IPv4 binding propagation.

Version 2: Supports both IPv4 and IPv6 binding propagation.

Version 3: Adds support for subnet-to-SGT mappings. If speaking to a lower-version listener, the speaker expands the subnet into individual host bindings.

Version 4: Adds loop detection and prevention, capability exchange, and a built-in keepalive mechanism.

Enforcing SGACLs

TrustSec maintains a permission matrix with source security groups (SGTs) on one axis and destination security groups (SGTs) on the other. Each cell, or intersection of a row and column, contains an ordered list of security group ACLs (SGACLs) controlling the access between those two groups. The SGACLs themselves do not contain references to SGTs: the cell determines the source/destination pair, and the SGACL only lists protocols, ports, and actions. This allows a single SGACL to be applied to many cells with a potentially different effect depending on which cell it is placed in. Figure 10.4 shows an example of a permission matrix.
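The three TrustSec functions come together in the permission matrix, and the point that the SGACL does not name the SGTs is easiest to see in code. The following is an added example, not Cisco's implementation or anything from the book: it models static subnet-to-SGT classification, a handful of SGACLs, and a matrix that reuses the same SGACL in different cells, then enforces a flow by looking up the cell for the classified pair. SGT numbers, group names, subnets and rule contents are constructed, SGACL syntax is simplified to (protocol, destination port, action) tuples, and the permit default for unpopulated cells is a modeling assumption.

```python
"""Added example (not from the book): a model of TrustSec classification and SGACL
enforcement. SGT numbers, subnet bindings, group names and the ACL contents are
constructed; SGACL syntax is simplified to (protocol, dst_port, action) tuples."""
import ipaddress

# Static classification ("SGT Classification" above): subnet -> SGT bindings, as a NAD or
# ISE would hold them. SXP would carry the same bindings to devices that cannot tag inline.
SGT_BINDINGS = {
    ipaddress.ip_network("10.1.0.0/16"): 10,   # Employees (constructed)
    ipaddress.ip_network("10.2.0.0/16"): 20,   # Guests (constructed)
    ipaddress.ip_network("10.9.0.0/24"): 30,   # Servers (constructed)
}
SGT_NAMES = {10: "Employees", 20: "Guests", 30: "Servers", 0: "Unknown"}

# SGACLs: ordered rules; note that no rule mentions an SGT. The cell supplies the pair.
SGACLS = {
    "web_only": [("tcp", 443, "permit"), ("tcp", 80, "permit"), ("any", None, "deny")],
    "admin_ok": [("tcp", 22, "permit"), ("tcp", 443, "permit"), ("icmp", None, "permit"),
                 ("any", None, "deny")],
    "deny_all": [("any", None, "deny")],
    "permit_all": [("any", None, "permit")],
}

# Permission matrix: (source SGT, destination SGT) -> ordered list of SGACL names.
# "web_only" could equally be reused in an (Employees, Partner) cell with a different effect.
MATRIX = {
    (10, 30): ["admin_ok"],
    (20, 30): ["web_only"],
    (20, 10): ["deny_all"],
    (10, 10): ["permit_all"],
}
# Assumption for this model: unpopulated cells, and rule lists that run out without a
# match, fall through to this action (TrustSec's default policy is configurable).
DEFAULT_ACTION = "permit"


def classify(ip: str) -> int:
    """Return the SGT bound to the most specific matching subnet, or 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt in SGT_BINDINGS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else 0


def enforce(src_ip: str, dst_ip: str, proto: str, dst_port=None) -> str:
    """Evaluate one flow: classify both ends, look up the cell, walk its SGACLs in order;
    the first matching rule wins. Returns 'permit' or 'deny'."""
    cell = MATRIX.get((classify(src_ip), classify(dst_ip)))
    if cell is None:
        return DEFAULT_ACTION
    for acl_name in cell:
        for rule_proto, rule_port, action in SGACLS[acl_name]:
            if rule_proto in ("any", proto) and rule_port in (None, dst_port):
                return action
    return DEFAULT_ACTION


def explain(src_ip: str, dst_ip: str, proto: str, dst_port=None) -> str:
    """Human-readable verdict, e.g. 'Guests -> Servers tcp/22: deny'."""
    s, d = SGT_NAMES[classify(src_ip)], SGT_NAMES[classify(dst_ip)]
    port = f"/{dst_port}" if dst_port is not None else ""
    return f"{s} -> {d} {proto}{port}: {enforce(src_ip, dst_ip, proto, dst_port)}"


if __name__ == "__main__":
    for flow in [("10.1.5.5", "10.9.0.7", "tcp", 22), ("10.2.5.5", "10.9.0.7", "tcp", 22),
                 ("10.2.5.5", "10.9.0.7", "tcp", 443), ("10.2.5.5", "10.1.0.9", "udp", 53)]:
        print(explain(*flow))
```

Adding a new server subnet is one more SGT_BINDINGS entry; adding a new partner group is one row and one column in MATRIX. Nothing in SGACLS changes, which is the operational benefit the Benefits section below describes.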


FIGURE 10.4 Permission matrix

Enforcement Using SGFW

The Cisco Adaptive Security Appliance and several routing platforms use a different method to enforce TrustSec, called a security group firewall (SGFW). While ISE manages SGACLs centrally, these devices are configured individually with ACLs that reference the SGT numbers or security group names. For the ASA to be able to use these SGTs or security group names, it must be configured with a security group table that maps security group names to tags (downloaded from ISE), and it must hold IP-to-SGT mappings, learned through SXP or inline tagging.

Benefits

In the absence of TrustSec technology, access control lists (ACLs) must be updated whenever the following events occur:

New building on the campus

New branch office

New business partner

Expansion of wireless coverage

Addition of new servers

Since these ACLs are each tied to a device and must be written from the network perspective of that device, keeping them updated and maintained can be a nightmare. This is all easier to manage with TrustSec technology.

Using TrustSec, any new device must simply be classified at the ingress point of the network, and the security for that device is maintained throughout the network by the associated security group ACL (SGACL). In cases where the introduction of a new device might require the creation of a new security group, rather than the addition to an existing group, a new row and column are added to the access matrix. This matrix is updated and maintained by ISE, and changes are dynamically propagated across the TrustSec domain.


The Function of Mobile Device Management

Mobile device management software is designed to make it possible to exert control over personal mobile devices that users want to use on the enterprise network. When used in conjunction with ISE, the combination can be a powerful and secure identity and authentication solution for both company-owned and non-company-owned devices.

In the context of a BYOD architecture, ISE working in combination with a mobile management policy ties together the provisioning of mobile devices with a health check of the device at each connection request, as shown in Figure 10.5.

FIGURE 10.5 MDM with ISE

Integration with ISE Authorization Policies

Beyond the health check that can be performed, as described in the previous section, an MDM solution can integrate with ISE authorization policies. For example, let's consider a scenario where an organization uses EAP-TLS for the authentication of company-owned devices. As EAP-TLS is a mechanism that requires a certificate on both the authentication server and the supplicant, company-owned devices will possess such a certificate, while employee-onboarded devices will not.

Using this information, ISE can perform an assessment (as shown in Figure 10.6), identify the device type, and apply a distinct authorization profile to each group of devices.


FIGURE 10.6 ISE authorization policy integration

Summary

In this chapter, you learned about the challenges involved in supporting a BYOD initiative. The chapter discussed the components provided by Cisco for this, including the Cisco Identity Services Engine (ISE) and the Cisco TrustSec provisioning and management platform. You also learned about the advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (CoA), and posture assessment. Further, the chapter discussed the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, the chapter ended by covering the three main functions of TrustSec.

Exam Essentials

Identify the possible components of a BYOD architectural framework. The framework may include the following functions: the 802.1x framework, mobile device management software, the Cisco Identity Services Engine (ISE), and the Cisco TrustSec provisioning and management platform.

Describe the advanced features of Cisco ISE. These services include downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (CoA), and posture assessment.

Identify the authentication mechanisms ISE can accept. ISE can accept many authentication mechanisms, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth).

Identify the three main functions of TrustSec. The three main functions of TrustSec are to classify each device by assigning a security group tag (SGT) to its IP address; to transport, or communicate, this classification information throughout the network using a process called inline tagging (for networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not; and to enforce access rules through the examination of the SGTs.


Review Questions

1. Which of the following is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections?

A. BYOD

B. TACACS+ server

C. ISE

D. TrustSec

2. Using ISE, which of the following cannot be considered during both the access request and the following authorization request?

A. Why are they connecting?

B. What device are they using?

C. Who is the individual?

D. Where are they connecting from?

3. Which of the following are implemented on devices when a policy calls for it?

A. dACLs

B. SGAs

C. CoA

D. Posture assessment

4. Which ISE feature applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology?

A. dACLs

B. SGAs

C. CoA

D. Posture assessment

5. Which ISE feature provides the ability of ISE to change the authorization policy in real time?

A. dACLs

B. SGAs

C. CoA

D. Posture assessment

6. Which of the following ISE features checks the health of a device before allowing access and, if the check fails, can remediate the device?

A. dACLs

B. SGAs

C. CoA

D. Posture assessment

7. Which ISE authentication mechanism enables network access for end hosts that do not support IEEE 802.1X authentication?

A. WebAuth

B. MAC bypass

C. WEP

D. WPA

8. Which of the following is not a main function of TrustSec?

A. Classification of devices

B. Assessment of devices

C. Transport of classification information

D. Enforcement of access rules

9. Which of the following is used to classify a device?

A. SGA

B. SGT

C. SXP

D. NAD

10. Which of the following is used to transport or communicate classification information for those networking devices that do not support inline tagging?

A. SXP

B. SGA

C. SGT

D. SGFW

11. With which of the following authentication methods is dynamic tagging not possible?

A. WEP

B. 802.1x

C. WebAuth


D. MAC bypass

12. Where is the SGT found when using inline transport?

A. CMD header

B. IP header

C. 802.1AE header

D. ICV

13. How much does the CMD add to the size of the Ethernet frame?

A. 8 bytes

B. 18 bytes

C. 20 bytes

D. 22 bytes

14. In cases where two networking devices are also using 802.1AE security (MACsec), what will be the total addition to the Ethernet frame?

A. 20 bytes

B. 28 bytes

C. 30 bytes

D. 40 bytes

15. Which of the following is the only combination of SXP roles that will result in a successful SXP connection between two devices?

A. Speaker and speaker

B. Listener and speaker

C. Transmitter and receiver

D. Speaker and receiver

16. Which SXP version added support for subnet-to-SGT mappings?

A. 1

B. 2

C. 3

D. 4

17. Which method of enforcement does the ASA use?

A. SGFW

B. Inline


C. SXP

D. 802.1x

18. Which of the following makes it possible to exert control over personal mobile devices that users want to use on the enterprise network?

A. MDM

B. 802.11i

C. VTP

D. DTP

19. What additional functionality does the addition of ISE to MDM provide for devices connecting?

A. Posture assessment

B. IP identification

C. TACACS+

D. NAT

20. Which of the following is examined to enforce access rules?

A. NAT

B. SGT

C. SXP

D. MAC


Chapter 11 Understanding VPNs

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

3.1 VPN concepts

Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)

Describe hairpinning, split tunneling, always-on, NAT traversal

Virtual private network (VPN) connections are widely used to provide a secure method of remote access to the enterprise network. As the sophistication of these connection types has evolved, many additional uses have been found for this concept. Today we use these connections between offices in place of WAN connections for which we once paid. In this chapter, we will introduce the underlying concepts that make VPNs functional and secure.

In this chapter, you will learn the following:

The protocols that comprise IPsec and the delivery modes in which IPsec can be configured

Advanced features of VPN connections, including hairpinning, split tunneling, always-on VPNs, and NAT traversal

Understanding IPsec

While IPsec is a protocol, it is also a framework that provides many choices to people configuring an IPsec connection. The framework does not lock one into a certain encryption algorithm, hashing algorithm, or authentication mechanism. Depending on the choice of components that are part of the IPsec protocol suite, you can get several different security services. In this section, you'll learn about those services and the protocols and components that make them possible. You'll also learn about the possible delivery modes of IPsec and about IPsec's relationship to the IPv6 protocol.

Security Services


The security services offered by IPsec are impressive, which is why it has become so widely embraced. One of its more frequent implementations is its use in VPN connections. These connections can be of two types: remote access VPNs, in which the traditional dial-up connection is replaced by a secure (and low-cost) pathway through the most untrusted network there is (the Internet), and site-to-site VPNs, which can replace costly WAN connections with secure tunnels for all traffic traversing the sites. Let's look at the security services that have made IPsec so ubiquitous.

Confidentiality

Confidentiality can be provided with IPsec and represents one of the choices that can be made when setting up a connection. As you will learn later in the chapter, when you choose to use ESP, one of the protocols in the suite, at the least the data payload is encrypted; in tunnel mode, the entire original packet, including its IP header, is encrypted and only the new outer header travels in the clear.

Data Integrity

IPsec provides data integrity, which means you can be assured that the data has not been changed or corrupted in transit. It does this by using the hashing algorithm you select during implementation in a keyed construction called a hash-based message authentication code (HMAC): because the hash is computed with a key shared only by the two peers, an attacker who modifies a packet cannot recompute a valid HMAC for it.

Origin Authentication

IPsec also always provides this security service. Origin authentication means that you can be assured the data came from whom it appears to come from. IPsec authenticates the peers of the connection by using one of the following:

PSKs (pre-shared keys)

Digital certificates (RSA signatures)

RSA-encrypted nonces

While these processes authenticate the system connecting, extended authentication (XAUTH) provides authentication of the user behind the system and is optional.

Anti-Replay

IPsec supports anti-replay. To prevent the replay of captured packets, IPsec examines a sequence number carried in every AH or ESP packet. The receiver keeps a sliding window of recently accepted sequence numbers; a packet that is a duplicate of one already accepted, or that arrives so late that it falls below the window, is dropped.
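The anti-replay check above is a small, exact algorithm, and it is worth seeing the cases it accepts and rejects. The following is an added example, not from the book: it implements the 64-packet sliding window and bitmap of RFC 4303 appendix A, which is what an ESP receiver keeps per security association. The sequence numbers in the usage block are constructed.

```python
"""Added example (not from the book): the IPsec anti-replay check described above,
implemented as the sliding window of RFC 4303 appendix A (64-packet window, bitmap).
The sequence numbers fed in at the bottom are constructed."""


class AntiReplayWindow:
    """Per-SA receive window. Bit i of the bitmap means sequence number (highest - i)
    has already been accepted."""
    WINDOW = 64

    def __init__(self):
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and within the window; return False
        (drop) if it is a duplicate, older than the window, or zero (never valid in ESP)."""
        if seq == 0:
            return False
        if seq > self.highest:
            # New right edge: slide the window by the gap, then mark seq itself (bit 0).
            shift = seq - self.highest
            if shift < self.WINDOW:
                self.bitmap = (self.bitmap << shift) & ((1 << self.WINDOW) - 1)
            else:
                self.bitmap = 0           # jumped past everything previously seen
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.WINDOW:         # too old: left of the window
            return False
        if self.bitmap & (1 << offset):   # already accepted: this is a replay
            return False
        self.bitmap |= 1 << offset        # late but in-window: accept exactly once
        return True


def replay_filter(sequence) -> list:
    """Run a stream of sequence numbers through one window; return the verdict for each."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in sequence]


if __name__ == "__main__":
    # Constructed stream: in order, a reordered packet, a replayed packet, a stale packet.
    for seq, ok in zip([1, 2, 4, 3, 2, 200, 100], replay_filter([1, 2, 4, 3, 2, 200, 100])):
        print(seq, "accept" if ok else "drop")
```

Two caveats the window does not solve by itself: the sequence number is only meaningful if the packet's integrity check passed first (otherwise an attacker can burn through the window with forged numbers), and the 32-bit counter must never wrap on one SA, which is why IPsec rekeys before 2^32 packets or uses extended sequence numbers.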

KeyManagementThekeymanagementprocessinIPsecprovidesforthedynamicgenerationofkeystobeusedforencryptionandfortheirsecureexchangeoveranuntrustednetwork,suchastheInternet.IftheDiffie-Hellmankeyexchangealgorithmisused,anasymmetricalgorithmisusedtocreateandexchangesymmetrickeysforthisprocess.ThisispartofalargerprocesscalledtheInternetKeyExchange(IKE).Figure11.1showsasimplifiedversionofthekeygenerationand

Page 208: CCNA security study guide: exam 210-260

exchangeprocess.AformulaisusedtogeneratebothBobandAlice’ssecretintegerbasenumbers(thefirststep,whichtheyperformindependentofoneanother).Theyexchangethosevaluesandusethemwithanalgorithminthesecondstep,whichresultsinthemgeneratingkeystobeusedforencryption.

FIGURE11.1Diffie-Hellman

AvariantofthisprocesscalledtheEllipticalCurvedigitalsignaturealgorithm(ECDSA)isalsoavailableandispartoftheSuiteBstandard.
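The exchange in Figure 11.1, carried out in code as an added example that is not part of the book: both peers compute g^x mod p over the real IKE group 14 prime, which the block rebuilds from its definition in RFC 3526 (p = 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476), g = 2) rather than from a pasted hex constant, and confirms with a Miller-Rabin test. The nonces and the SHA-256 key derivation at the end are a simplified stand-in for IKE's SKEYID computation, and the 256-bit private exponent size is a choice made for this demonstration; both are assumptions, not the book's description.

```python
"""Diffie-Hellman agreement as used by IKE, over RFC 3526 MODP group 14 (added example).

The key derivation is a simplified stand-in for IKE's PRF, not the exact SKEYID
computation; the exponent size is a demo choice.
"""
import hashlib
import secrets


def _arctan_inv(x, scale):
    """scale * arctan(1/x) in fixed-point integer arithmetic (alternating series)."""
    total, term, k, sign = 0, scale // x, 1, 1
    while term:
        total += sign * (term // k)
        term //= x * x
        k += 2
        sign = -sign
    return total


def pi_floor(bits):
    """floor(pi * 2^bits) via Machin's formula, computed with 64 guard bits."""
    scale = 1 << (bits + 64)
    pi_scaled = 4 * (4 * _arctan_inv(5, scale) - _arctan_inv(239, scale))
    return pi_scaled >> 64


def modp_group14():
    """(p, g) for the 2048-bit MODP group, rebuilt from its RFC 3526 definition."""
    p = 2**2048 - 2**1984 - 1 + 2**64 * (pi_floor(1918) + 124476)
    return p, 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin; used to confirm the rebuilt group prime (and that (p-1)/2 is prime too)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


P, G = modp_group14()


def generate_keypair(p=P, g=G):
    """The private exponent never leaves this host; only g^x mod p goes on the wire."""
    priv = secrets.randbits(256) | (1 << 255)   # demo choice: 256-bit exponent for a 2048-bit group
    return priv, pow(g, priv, p)


def valid_public_value(y, p=P):
    """Reject 0, 1 and p-1: a peer (or attacker) sending these forces a predictable shared secret."""
    return 1 < y < p - 1


def shared_secret(priv, peer_pub, p=P):
    if not valid_public_value(peer_pub, p):
        raise ValueError("peer sent a degenerate DH public value")
    return pow(peer_pub, priv, p)


def derive_keys(secret, nonce_i, nonce_r):
    """Simplified PRF: both sides feed g^xy and the two exchanged nonces into SHA-256."""
    gxy = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    skeyid = hashlib.sha256(nonce_i + nonce_r + gxy).digest()
    enc_key = hashlib.sha256(skeyid + b"\x01").digest()[:16]   # 128-bit AES key
    auth_key = hashlib.sha256(skeyid + b"\x02").digest()       # 256-bit HMAC key
    return enc_key, auth_key


def run_exchange():
    """Alice and Bob derive identical keys; only public values and nonces cross the wire."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    keys_a = derive_keys(shared_secret(a_priv, b_pub), n_i, n_r)
    keys_b = derive_keys(shared_secret(b_priv, a_pub), n_i, n_r)
    return keys_a == keys_b
```

The public-value check matters in practice: an on-path attacker who replaces a peer's public value with 1 or p-1 would force the shared secret into a set of two known values, which is why implementations validate the received value before using it.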

Suite B Cryptographic Standard In 2005, the NSA identified a set of cryptographic algorithms that are the preferred method for securing information. It called these algorithms Suite B. These algorithms use a minimum key length of at least 128 bits. The use of these algorithms helps to ensure compliance with many standards such as PCI-DSS, HIPAA, and FIPS.

Suite B cryptography uses the following algorithms:

AES encryption with either 128- or 256-bit keys

SHA-2 hashing (SHA-256 and SHA-384)

Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures using 256- and 384-bit prime moduli (the P-256 and P-384 curves)

Key exchange using Elliptic Curve Diffie-Hellman (ECDH) over the same 256- and 384-bit curves

Protocols There are four protocols used in the IPsec process: IKE, ISAKMP, AH, and ESP. One of them, the Internet Key Exchange, has two versions. In the next sections, we will discuss each of these protocols and the role each plays in the process.

IKEv1 The Internet Key Exchange (IKE) protocol is used for many functions in the IPsec framework.

Automatic key generation: This happens as discussed earlier with Diffie-Hellman.

Automatic key refresh: This includes the periodic generation of new keys before the lifetime of the current keys expires.

Negotiation of the security association (SA): A security association is negotiated successfully if certain configuration selections match on both ends of the connection.

There are two versions of IKE. IKEv2 was designed to overcome limitations inherent in IKEv1. IKEv2 will be covered later in this section. IKEv1 operates in two phases.

Phase 1 In phase 1, IKE negotiates the policy sets (the configuration selections made on either end), authenticates the peer devices to one another, and sets up a secure channel (the IKE SA). This phase can be performed in two different modes, Main and Aggressive. A choice must be made between the two, and usually this choice is based on whether the main concern is performance or security. While Main mode requires more messages, it does not expose the identity of the peers. While Aggressive mode requires fewer messages, peer identities are exposed before the secure channel is created.

Main Mode Main mode consists of three two-way exchanges (six messages in total).

Peers negotiate the encryption, hashing, authentication, and Diffie-Hellman group settings to be used.

The Diffie-Hellman protocol is used to generate a shared secret, from which the symmetric keys are derived.

The peers exchange their identities, protected by the keys just derived, and authenticate one another, which completes the IKE SA.

Figure 11.2 shows this process.

FIGURE 11.2 IKE phase 1

Aggressive Mode In Aggressive mode, there are only three messages. The initiator sends all the information required for the SA (its proposal, Diffie-Hellman public value, nonce, and identity) in the first message; the responder replies with its accepted proposal, key material, identity, and authentication in the second; and the initiator authenticates itself in the third. This makes negotiation quicker. Because the identities are sent before a shared key exists, they travel in cleartext, and when a PSK is used, the responder's authentication hash is exposed and can be attacked offline. This is why Aggressive mode with PSKs is best avoided.

Phase 2 While the purpose of phase 1 is to create a secure channel for the phase 2 operations, in phase 2 (Quick mode) the parameters that define the IPsec connection are negotiated. In phase 2, the following functions are performed:

The IPsec transform set is negotiated.

The IPsec SA is established.

Periodically the SA is renegotiated.

Optional Diffie-Hellman key exchanges that have been configured (Perfect Forward Secrecy, PFS) will be performed.

Two IPsec SAs will be created for each connection, because SAs are unidirectional.

IKEv2 The enhancements provided with IKEv2 are as follows:

Fewer exchanges, which results in increased speed

Incorporates extensions such as NAT traversal and dead peer detection into the base protocol

Stronger security through denial-of-service protection

More reliability using sequence numbers and acknowledgments

Supports EAP as an authentication method

Supports mobility through the IKEv2 Mobility and Multihoming Protocol (MOBIKE)

ISAKMP Internet Security Association and Key Management Protocol (ISAKMP) is the framework within which IKE performs the dynamic generation of keys. Using IKE and Diffie-Hellman, the result is a security association. This association is based on the successful negotiation of security parameters. In Figure 11.3, the parameters that must match between two devices, R1 and R2, are shown, and in this case, they match.

FIGURE 11.3 Matching ISAKMP parameters

AH When confidentiality of an IPsec connection is not required, the Authentication Header (AH) protocol can be used. While it does provide data integrity, origin authentication, and anti-replay protection, the data is sent in cleartext. To provide these features, the following steps are used:

1. The immutable fields of the IP header, the AH header itself, and the data are run through a keyed hashing algorithm (an HMAC) together with the shared key. Mutable fields such as the TTL and the header checksum, which routers change in transit, are treated as zero for this calculation.

2. The resulting hash value (the integrity check value, ICV) is placed in the AH header, which is inserted after the IP header and ahead of the original payload.

3. The packet is transmitted to the peer.

4. The peer calculates a hash value from the received packet in the same way and compares this value to the one received. If they match, data integrity and origin authentication are validated.

Figure 11.4 shows this process.

FIGURE 11.4 AH process
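The four AH steps above, as an added example that is not part of the book: the ICV is an HMAC over the packet with the mutable IPv4 fields and the ICV field itself zeroed, and the receiver checks the sequence number against a sliding window before verifying the ICV and only updates the window afterwards. The key, addresses, and payloads are constructed sample values, and HMAC-SHA-256-128 is the ICV algorithm chosen here.

```python
"""AH-style integrity check and anti-replay window (added example, not from the book).

Builds an IPv4 packet carrying an Authentication Header, computes the ICV as RFC 4302
describes (HMAC over the packet with mutable IP fields and the ICV field zeroed), then
verifies it at the receiver and runs the sequence number through a sliding window.
Key, addresses and payloads are constructed sample values.
"""
import hashlib
import hmac
import struct

AH_PROTO = 51           # IP protocol number of AH
ICV_LEN = 16            # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
IPV4_HDR_LEN = 20
AH_FIXED_LEN = 12       # next header, payload length, reserved, SPI, sequence number


def ipv4_header(src, dst, total_len, proto, ttl=64, tos=0):
    # version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol,
    # header checksum (left 0 here; it is zeroed for the ICV anyway), source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """TOS, flags, fragment offset, TTL and checksum may change in flight, so they are zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv):
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    covered = (zero_mutable_fields(ip_hdr)
               + ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)   # ICV field zeroed
               + payload)
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def protect(key, src, dst, payload, spi, seq, next_hdr=6, ttl=64):
    """Sender side: IP header | AH (with ICV) | original transport payload."""
    total = IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total, AH_PROTO, ttl)
    icv = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


class ReplayWindow:
    """Sliding window over sequence numbers (RFC 4302 section 3.4.3); default size 64."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => top - i was accepted

    def acceptable(self, seq):
        if seq == 0:                      # 0 is never valid once anti-replay is on
            return False
        if seq > self.top:
            return True
        diff = self.top - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def verify(key, packet, window):
    """Receiver side. Order matters: window check, then ICV, then window update."""
    ip_hdr = packet[:IPV4_HDR_LEN]
    ah = packet[IPV4_HDR_LEN:IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_LEN])
    icv, payload = ah[AH_FIXED_LEN:], packet[IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN:]
    if not window.acceptable(seq):
        return "replay"
    if not hmac.compare_digest(icv, compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)):
        return "bad-icv"
    window.update(seq)
    return "ok"


def demo():
    """Constructed traffic: accept, replay, TTL change in transit, payload tampering."""
    key = b"constructed-demo-key-not-for-production"
    src, dst = bytes([10, 0, 2, 5]), bytes([10, 0, 1, 7])
    window = ReplayWindow()
    results = []
    p1 = protect(key, src, dst, b"GET / HTTP/1.0\r\n", spi=0x1001, seq=1)
    results.append(verify(key, p1, window))         # accepted
    results.append(verify(key, p1, window))         # same packet again: replay
    p2 = bytearray(protect(key, src, dst, b"second", spi=0x1001, seq=2))
    p2[8] -= 1                                      # a router decremented the TTL (mutable)
    results.append(verify(key, bytes(p2), window))  # still accepted
    p3 = bytearray(protect(key, src, dst, b"third", spi=0x1001, seq=3))
    p3[-1] ^= 0xFF                                  # payload tampered in transit
    results.append(verify(key, bytes(p3), window))  # ICV mismatch, window untouched
    return results
```

The TTL case is the reason the mutable fields are excluded: every hop changes the TTL and header checksum, so an ICV over the whole header would fail on every packet that crossed a router. The window is updated only after the ICV passes, so a forged packet with a high sequence number cannot push the window forward and blind the receiver to legitimate traffic.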

ESP When Encapsulating Security Payload (ESP) is selected, you get the data integrity, origin authentication, and anti-replay protections that AH provides, plus encryption, with one difference: the ESP integrity check does not cover the outer IP header, while the AH check does. The extent of the encryption depends on the delivery mode selected.

Delivery Modes There are two modes of delivery available with IPsec, and the difference between the two modes is which parts of the packet are protected by AH and ESP. Let's look at how these two modes operate in both AH and ESP.

Tunnel Mode In tunnel mode, the entire original packet is protected by either encryption or authentication. In addition, in both AH and ESP, when tunnel mode is used, a new IP header is created that includes the tunnel source and destination addresses (the VPN gateways). This is the mode used for site-to-site and remote access VPNs, where the tunnel endpoints are not the original hosts. First let's see how tunnel mode looks when using AH.

AH When AH is used in tunnel mode, the entire original packet is authenticated, and a new IP header is added; the immutable fields of the new header are authenticated as well, as shown in Figure 11.5.

FIGURE 11.5 AH in tunnel mode

ESP When ESP is used in tunnel mode, the entire original packet, including its IP header, is encrypted. A new ESP header is added ahead of the encrypted original packet, and finally a new IP header is added, as shown in Figure 11.6. Notice that everything but the new IP header is also authenticated.

FIGURE 11.6 ESP in tunnel mode

Transport Mode In transport mode, the original IP header is kept, and only the payload (the transport-layer header and data) is protected by encryption. Transport mode is typically used between two hosts that are themselves the endpoints of the connection. First let's see how transport mode looks when using AH.

AH When AH is used in transport mode, the AH header is inserted after the original IP header, and the payload plus the immutable fields of the IP header are authenticated, as shown in Figure 11.7.

FIGURE 11.7 AH in transport mode

ESP When ESP is used in transport mode, only the payload is encrypted, as shown in Figure 11.8. Notice again that everything but the IP header is also authenticated.

FIGURE 11.8 ESP in transport mode

IPsec with IPv6 While the use of IPsec is not required when using IPv6, the IPv6 packet structure was designed to accommodate its use. In IPv4, AH and ESP are implemented as IP protocol headers, identified by the Protocol field. In IPv6, extension headers are used instead. These headers, when used, come after the original IPv6 header. The Next Header field in the original IPv6 header is used to indicate whether the extension header is AH or ESP; it uses the same values as the IPv4 Protocol field, 50 for ESP and 51 for AH. Figure 11.9 shows the IPv6 header. Note the Next Header field. Also note that the extension header lies between the IPv6 header and the payload.

FIGURE 11.9 IPv6 header with extensions

Understanding Advanced VPN Concepts When implementing IPsec, some scenarios may present challenges. In this section, you'll learn how to overcome specific issues and learn about some additional advanced configuration topics.

Hairpinning When using a remote access VPN, two default behaviors can cause issues.

Once a tunnel is operational, all traffic leaving the VPN client must pass through the tunnel.

By default, an ASA will not forward packets back out the same interface on which they were received.

This can cause connectivity issues. In the scenario shown in Figure 11.10, there is a VPN tunnel between R1 and ASA1. Because of these two rules, the Internet PC cannot reach SRV1 (because of rule 2) or resources in site 3 (because of rule 1 forcing the traffic through the end of the tunnel, and rule 2 because it cannot re-enter that interface).

FIGURE 11.10 The need for hairpinning

To solve this issue, you must enable an option called Enable Traffic Between Two Or More Hosts Connected To The Same Interface. This is commonly referred to as hairpinning. This option is found by navigating in the ASDM to Configuration > Device Setup > Interfaces. This selection must be made on the ASA that terminates the VPN connection. You'll find this selection at the bottom of the Interfaces page, as shown in Figure 11.11. You should have the interface in question highlighted when you make the selection. The equivalent CLI command is same-security-traffic permit intra-interface. Keep in mind that hairpinned traffic leaves through the outside interface again, so the NAT rules and access policy on that interface must also allow it.

FIGURE 11.11 Hairpin configuration

Split Tunneling Another advanced option you can enable is called split tunneling. When enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel. When this is done, an ACL is used to determine the traffic that goes through the tunnel (the corporate networks) and the traffic that does not (everything else, including Internet traffic). Be aware of the trade-off: a split-tunneled client is connected to the untrusted Internet and to the corporate network at the same time, so its traffic to the Internet is no longer inspected at the headend.

To make this possible, follow these steps:

1. Navigate in the ASDM to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. The policies that have been defined will appear. Select the policy that was created when you set up the remote access VPN connection and select Edit.

2. In the Edit Internal Group Policy window, navigate to Advanced > Split Tunneling. Deselect the Inherit box for the Network List field. This prevents the setting from being inherited from the default group policy. Next click the Manage button to the right of the field. The ACL Manager window will appear.

3. Select the Standard ACL tab and then select Add > Add ACL.

4. In the Add ACL box, give this ACL a name, such as RA-split-tunnel.

5. Click OK and then highlight the ACL and select Add > Add ACE. Here add the network ID of the destination LAN and select Permit.

That defines the traffic to go through the tunnel. All undefined traffic will not go through the tunnel and will therefore not be impacted by the two rules discussed earlier. In the CLI, the same result is produced under group-policy <name> attributes with split-tunnel-policy tunnelspecified and split-tunnel-network-list value RA-split-tunnel. From a conceptual view, what will now be allowed is shown in Figure 11.12.

FIGURE 11.12 Split tunneling

Always-on VPN When Cisco AnyConnect is used to create a VPN connection, it is possible to have the connection brought up any time the user logs on to the device while away from the corporate network. This is called Always-On VPN.

To enable Always-On VPN, you must first enable Trusted Network Detection in a profile that applies to the user. This feature enables the client to know when it is connected to the corporate LAN and when it is not. Then you specify that when not connected to the corporate LAN, the VPN connection should be started.

1. In the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. Here you can add a new AnyConnect profile. Click the Add button and choose a profile name and profile location. You can also apply this profile to a group policy now, or assign it to one later. Click OK and Apply.

2. Select the new profile, and then on the left select Preferences (Part 2). You will see the screen shown in Figure 11.13.

3. Check Automatic VPN Policy and select Disconnect as the Trusted Network Policy and Connect as the Untrusted Network Policy. You must also enter the DNS domain name for your trusted network, and you should also add the DNS servers the client sees when it is on the trusted network, because these are the values Trusted Network Detection compares against.

FIGURE 11.13 Preferences (Part 2) window

NAT Traversal As ESP does not use the concept of source and destination ports, NAT (and in particular PAT, which relies on ports to multiplex connections) has difficulty operating when IPsec traffic arrives at the NAT device. NAT traversal (NAT-T) encapsulates ESP within UDP on port 4500, providing the requisite ports for NAT; the peers detect the NAT device during IKE and switch from UDP 500 to UDP 4500 automatically.

Configuring NAT traversal, or NAT-T, is done with a simple check box found in the Global Parameters section of IKE in the ASDM. Navigate to Configuration > VPN > IKE > Global Parameters in the ASDM.

Select the interface in the Enable IKE box and then select Enable IPsec Over NAT-T, as shown in Figure 11.14.

FIGURE 11.14 NAT traversal

Summary In this chapter, you learned about IPsec and the security services it provides. The chapter discussed the components of IPsec such as ISAKMP, IKE, AH, and ESP. You also learned how to use hairpinning to allow traffic between two hosts connected to the same VPN interface. Finally, split tunneling and its benefits were discussed.

Exam Essentials Identify the security services provided by IPsec. They include confidentiality, integrity, origin authentication, anti-replay, and key management.

List the components and delivery modes of IPsec. These include ISAKMP, IKE, AH, and ESP. Delivery modes include transport and tunnel mode.

Describe the operation of hairpinning. Hairpinning can be used to allow traffic between two hosts connected to the same VPN interface. It is required because of the default rule that an ASA will not forward packets back out the same interface on which they were received.

Describe the operation of split tunneling. When enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel.

Review Questions

1. Which IPsec component provides confidentiality?

A. AH

B. IKE

C. ESP

D. ISAKMP

2. Which IPsec component provides integrity?

A. HMAC

B. IKE

C. ESP

D. ISAKMP

3. Which IPsec component provides only data integrity, origin authentication, and anti-replay protection?

A. HMAC

B. AH

C. ESP

D. ISAKMP

4. Which IPsec component provides key exchange?

A. HMAC

B. AH

C. Diffie-Hellman

D. ISAKMP

5. What is the minimum key length for Suite B algorithms?

A. 64-bit

B. 80-bit

C. 128-bit

D. 160-bit

6. What hashing algorithm is required by the Suite B standard?

A. MD5

B. SHA-1

C. SHA-2

D. AES

7. Which of the following is not a function of IKE?

A. Automatic key generation

B. Automatic key refresh

C. Key exchange

D. Negotiation of the security association (SA)

8. Which of the following does not occur in phase 1 of IKE?

A. Negotiates the policy sets.

B. Sets up a secure channel.

C. Authenticates the peer devices to one another.

D. The IPsec transform set is negotiated.

9. Which of the following is true of the Main and Aggressive IKE modes?

A. Main mode uses three messages, and Aggressive mode uses six.

B. Main mode uses six messages (three exchanges), and Aggressive mode uses three.

C. Both modes use six messages.

D. Both modes use three messages.

10. Which of the following is not performed during IKE phase 2?

A. Periodic renegotiation of the SA.

B. The SA is established.

C. The IPsec transform set is negotiated.

D. The peer devices authenticate one another.

11. Which of the following is not true of IKEv2 when compared with IKEv1?

A. More transactions that result in decreased speed

B. Stronger security through denial-of-service protection

C. Supports EAP as an authentication method

D. Incorporates extensions such as NAT traversal and dead peer detection

12. When using AH in transport mode, which parts of the packet are authenticated?

A. Only the header

B. Only the payload

C. Header (immutable fields) and payload

D. None

13. When using ESP in tunnel mode, which parts of the original packet are encrypted?

A. Only the header

B. Only the payload

C. Header and payload

D. None

14. Which of the following is not true of IPsec in IPv6 and IPv4?

A. IPsec is required in IPv6.

B. In IPv4, AH and ESP are implemented as IP protocol headers.

C. In IPv6, extension headers are used to implement IPsec.

D. In IPv6, the extension header lies between the IPv6 header and the payload.

15. Which of the following is true?

A. By default, an ASA will not forward packets back out the same interface on which they were received.

B. By default, an ASA will forward packets back out the same interface on which they were received.

C. Once a tunnel is operational, all traffic leaving the VPN client need not pass through the tunnel.

D. In IPv4, AH and ESP are implemented as extension headers.

16. Which of the following features can be used to allow traffic to re-enter the end of an IPsec tunnel?

A. Split horizon

B. Hairpinning

C. Split tunnel

D. Poison reverse

17. Which feature, when enabled, allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel?

A. Split horizon

B. Hairpinning

C. Split tunnel

D. Poison reverse

18. Which additional feature must be enabled to use Always-on VPN?

A. MDM

B. Trusted network detection

C. Hairpinning

D. STP

19. What feature encapsulates IPsec within UDP?

A. NAT-T

B. DNSSEC

C. Split tunnel

D. Trusted network detection

20. What protocol number is used for ESP?

A. 48

B. 49

C. 50

D. 51

Chapter 12 Configuring VPNs

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

3.2 Remote access VPN

Implement basic clientless SSL VPN using ASDM

Verify clientless connection

Implement basic AnyConnect SSL VPN using ASDM

Verify AnyConnect connection

Identify endpoint posture assessment

3.3 Site-to-site VPN

Implement an IPsec site-to-site VPN with preshared key authentication on Cisco routers and ASA firewalls

Verify an IPsec site-to-site VPN

Virtual private network (VPN) connections can be configured in two basic forms, as remote access VPNs or as site-to-site VPNs. While one is designed to provide a secure remote access connection for a telecommuter or remote user, the other is designed to provide a secure tunnel to carry all traffic between two locations. In this chapter, you'll learn how to configure and verify both VPN types. Moreover, you'll learn about two different ways to implement the remote access VPN.

In this chapter, you will learn the following:

How to configure and verify a clientless SSL VPN using ASDM

How to implement and verify an AnyConnect SSL VPN using ASDM

How a Cisco endpoint posture assessment can help protect the network from malware and other types of attacks

How to implement and verify an IPsec site-to-site VPN with preshared key authentication on Cisco routers and ASA firewalls

Configuring Remote Access VPNs Cisco remote access VPNs can be deployed either by installing the AnyConnect client on the user's device or by configuring the clientless SSL VPN solution, in which no client is required on the user device. Additionally, you can use a Cisco clientless connection to deploy the AnyConnect client to the user device. Finally, when combined with a Cisco endpoint posture assessment, the security posture of the device can be verified before allowing the remote device to access the network, helping to protect the network from malware and other threats. In this section, you'll learn how to implement these two types of remote access solutions and examine the benefits of utilizing a Cisco endpoint posture assessment.

Basic Clientless SSL VPN Using ASDM While the clientless SSL VPN can be deployed on the Cisco Adaptive Security Appliance using the command line, it is simpler to do so using the Cisco Adaptive Security Device Manager (ASDM). Before diving into the configuration, it is helpful to look at the protocol that provides confidentiality, integrity, and authentication services for the connection.

SSL/TLS Transport Layer Security (TLS) is used to provide security services for both the clientless SSL VPN and the AnyConnect VPN. While its predecessor is Secure Sockets Layer (SSL), the term SSL VPN has persisted and is still used to describe the connection even though modern systems use TLS. These protocols use public key cryptography and digital certificates in their operation. While certificates can be deployed on both the client and the server to enable mutual authentication, in most cases a certificate is deployed only on the server. That is enough to authenticate the ASA to the client and to encrypt the session; the user is then authenticated inside the protected session with a username and password or another method. A client certificate adds authentication of the device itself, which a server-only deployment does not give you.

SSL/TLS has a great deal of flexibility regarding the encryption algorithms, hashing algorithms, authentication mechanisms, and key management protocols that can be used. Figure 12.1 depicts the choices available for each of these components.

FIGURE 12.1 Supported SSL/TLS algorithms

It is also helpful to understand the process that occurs when one of these connections is established between the client and the server. The steps that occur are as follows:

1. The client initiates the process by starting the exchange of hello messages between the client and the VPN gateway (the ASA). This step allows the two to negotiate and agree on the encryption algorithms, hashing algorithms, authentication mechanisms, and key management protocols to be used.

2. The server transmits its certificate to the client (which will include its public key). If the RSA key exchange algorithm is in use, the client sends a pre-master secret to the server, encrypted with the public key of the server to protect the transmission.

3. If mutual authentication is required, the client then sends its certificate to the server. The session keys are calculated from the pre-master secret and the random values exchanged in the hello messages, and the cipher suite is activated. Integrity will be provided by the selected hashing algorithm (MD5 or SHA-1 in the older suites shown in Figure 12.1; SHA-2 in current TLS versions), and encryption will be provided by the selected cipher (RC4, 3DES, AES, or IDEA in that figure, of which only AES remains acceptable today).

4. Once the session keys are in place, the data transfer begins. The information is encrypted between the client and the ASA, but when the traffic gets beyond the ASA it will be in cleartext; the ASA is where the protection ends.

Configuration When using the Cisco clientless SSL VPN, the remote device uses the browser to connect to an SSL-enabled website on the ASA or on a Cisco router. The server certificate is used to establish the TLS session first, and the security appliance then authenticates the user inside that protected session. Then the security appliance presents the user with a web portal that contains links to the internal resources that have been made available.

From a high level, the steps to be completed to configure the Cisco clientless SSL VPN are as follows:

1. Enable clientless SSL VPN traffic termination on an ASA interface.

2. Configure clientless SSL server authentication by provisioning an identity certificate and attaching it to the interface.

3. Configure user authentication, which comprises three subtasks.

a. Create accounts for the VPN users.

b. Configure a group policy for the VPN users, specifying in the policy clientless SSL VPN as the tunneling protocol.

c. Create a connection profile for the VPN users and connect the policy to the profile.

4. Set up bookmarks that will appear when the users connect to the web portal.

Configuring Clientless SSL VPN In this procedure, you will configure a clientless SSL VPN using the local user database of the ASA.

1. In the ASDM, navigate to Wizards > VPN Wizards > Clientless SSL VPN Wizard.

2. On the Step 1 page of the wizard, provide an informational description for the connection and click Next.

3. When the Step 2 page appears, give the connection profile a name in the Connection Profile Name box. Just below that, select the interface that will host the connection and click Next.

4. In the Step 3 dialog box, select the Authenticate Using The Local User Database radio button. Click the Add button and create a user account for the user, specifying both a username and a password. Then click Next.

5. On the Step 4 page of the wizard, create a group policy for the user by selecting the Create A New Group Policy radio button and giving the policy a name. Then click Next.

6. In the Step 5 dialog box, you will create a bookmark list and then add bookmarks to the list. Just to the right of the Bookmark List field, click the Manage button. The Configure GUI Customization dialog box appears. Click the Add button, and when the Add Bookmark List dialog box appears, give the bookmark list a name. Then click the Add button in this dialog box. When the Select Bookmark Type dialog box appears, accept the URL With The GET Or POST Method option and click OK.

7. Now you will add a bookmark for a web resource you will make available. In the Add Bookmark dialog box, give the bookmark a name, select the HTTP protocol, and enter the IP address of the server providing this resource. When you have added all the bookmarks you need on this page, click OK.

8. On the Configure GUI Customization page, click OK.

9. In the Step 5 window, ensure that your bookmark list is selected and click Next.

10. Review the summary on the Page 6 window and click Finish.

Verify a Clientless Connection Naturally the most effective way to verify the proper configuration of the clientless SSL VPN is to ensure that a connection can be made. This involves the following:

1. Connecting to the site URL (https:// followed by the address of the interface you selected). If the ASA presents a self-signed certificate, the browser will warn about it; that warning is a reason to use a certificate issued by a CA the clients trust rather than something to teach users to click through.

2. Specifying the group configured for the user

3. Entering the name and the password for the user

4. Verifying that the bookmarks appear when authentication is complete

5. Testing the bookmarks to ensure that they connect to the correct resource

Basic AnyConnect SSL VPN Using ASDM To utilize a Cisco AnyConnect SSL VPN, a VPN client called the AnyConnect client must be installed on the user device. When configuring the connection, you will make this client available to be downloaded and installed on the user device the first time the user connects, making a manual installation of the client unnecessary.

From a high level, the steps to be completed to configure the Cisco AnyConnect SSL VPN are as follows:

1. Create a connection profile and attach it to the external interface of the ASA.

2. Generate a self-signed certificate for the ASA (or use an existing one if it exists already).

3. Make the AnyConnect client available for download when the user connects.

4. Create an account and password for the user on the ASA.

5. Create a pool of IP addresses that can be issued to AnyConnect clients.

6. Exempt the internal network from the NAT process.

7. Select to allow the web launch of the AnyConnect client.

8. Create a group policy for the remote access connection and assign it to the user.

Configuring AnyConnect SSL VPN In this procedure, you will configure an AnyConnect SSL VPN using the local user database of the ASA.

1. In the ASDM window, navigate to Wizards > VPN Wizards > AnyConnect VPN Wizard. When the wizard opens, click Next on the first page.

2. Next, on the Connection Profile Identification page, enter a profile name for the connection profile and ensure that VPN Access Interface is set to the Internet-facing interface.

3. On the VPN Protocols page, select SSL. In the Device Certificate With RSA Key drop-down box, select an existing certificate or click Manage and generate a certificate.

4. On the Client Images page, click the Add button. In the Add AnyConnect Client Image window, click the Upload button. Browse to the location of the AnyConnect image file and select the .pkg version. Verify the selection by clicking Select, Upload File, OK, and OK.

5. On the Authentication Methods page, create a username and password for the user.

6. On the Client Address Assignment page, click New and create a pool of IP addresses to be available to the AnyConnect clients.

7. On the Network Resolution page, enter the IP address of a DNS server.

8. On the NAT Exempt page, if the ASA is also performing NAT, select the Exempt VPN Traffic From Network Address Translation check box. Click Next.

9. For the AnyConnect Client Deployment step, select Allow Web Launch.

10. On the Summary page, review your settings and click Finish.

Verify an AnyConnect Connection Again, the most effective way to verify the proper configuration of the AnyConnect SSL VPN is to ensure that a connection can be made and that the client installs and allows full VPN access. This involves the following:

1. Connecting to the site URL

2. Specifying the group configured for the user

3. Entering the name and the password for the user

4. Ensuring that the user is offered the option to install the AnyConnect client

5. Ensuring that the client successfully installs

6. Ensuring that the user is given full-tunnel VPN access to the network

Endpoint Posture Assessment

The Cisco AnyConnect client also includes modules that can enhance its capabilities. Two of these modules are the ASA Posture module and the ISE Posture module. Both modules offer the ability to assess an endpoint's compliance with requirements regarding operating system version, antivirus updates, and other security-related issues through an endpoint posture assessment. This gives you the ability to verify the security posture before allowing the device access to the network.

The two modules differ in where the assessment is made. The ASA Posture module collects the health information in the form of attributes and sends them to the ASA, where the assessment occurs (a server-side assessment). The ISE Posture module instead receives the policy requirements from ISE and performs the assessment on the endpoint itself.

Both systems can deny access to endpoints that fail the assessment, and both offer remediation capabilities as well. Remediation with the ASA module is limited to working with the software present on the endpoint, meaning it can enable, disable, or update that software. ISE quarantines the device and directs it to servers that remediate the issues. Only then is the endpoint allowed full access to the network.

Configuring Site-to-Site VPNs Site-to-site VPN connections have an endpoint in one location or office and another endpoint in another office. While both SSL and IPsec can be used for these VPNs, this section will focus on the IPsec site-to-site VPN. Also, while the authentication can be done with other means, we will focus on the use of a preshared key.

Implement an IPsec Site-to-Site VPN with Preshared Key Authentication A Cisco IPsec site-to-site VPN can be configured on an ASA using the ASDM, or it can be set up on a Cisco router. You will learn about both methods in the following sections. Following this, you will learn how to verify the configuration. For both processes, the high-level steps required are as follows:

1. Ensure that all ACLs are compatible with IPsec.

2. Configure an ISAKMP policy that contains the ISAKMP parameters.

3. Define the IPsec transform set, which includes the encryption and integrity algorithms.

4. Create a crypto ACL that defines the traffic types to be sent and protected through the tunnel.

5. Create a crypto map that identifies the peer and ties the crypto ACL to the transform set, and apply the crypto map to the interface.

Cisco Routers Here you will learn how to do the implementation.

Implement an IPsec Site-to-Site VPN with Preshared Key Authentication with a Cisco Router In this procedure, you will implement an IPsec site-to-site VPN with preshared key authentication with a Cisco router.

1. Execute the show run command and locate the section for the interface where the connection will be configured. Examine the ACL applied to that interface, if one exists. Ensure that the following permit statements are present and, if not present, add them to the list, taking care to sequence them in the proper location (replace the placeholders with the peer's and the local router's addresses):

permit ahp host <ip address of the peer router> host <ip address of the local router>

permit esp host <ip address of the peer router> host <ip address of the local router>

permit udp host <ip address of the peer router> host <ip address of the local router> eq isakmp

permit udp host <ip address of the peer router> host <ip address of the local router> eq non500-isakmp

The last two lines allow IKE on UDP port 500 and NAT-T on UDP port 4500.

2. Now define an ISAKMP policy and number it 111. When you are done, the prompt will change, and the next commands will be part of the policy.

Router70(config)# crypto isakmp policy 111

3. Now complete the policy, specifying the following settings:

Authentication: preshared key

Encryption algorithm: 128-bit AES

1536-bit Diffie-Hellman for key exchange (specify group 5)

SHA-1 algorithm for integrity

Security association lifetime: 1 day (86400 seconds)

Use the following commands for this:

Router70(config-isakmp)# authentication pre-share

Router70(config-isakmp)# encryption aes 128

Router70(config-isakmp)# group 5

Router70(config-isakmp)# hash sha

Router70(config-isakmp)# lifetime 86400

Ensure that the peer router has at least one ISAKMP policy that includes these settings. Remember that transform set names and PSKs are case-sensitive. These values match the exam topics; for a new deployment, prefer at least Diffie-Hellman group 14 and SHA-256 (hash sha256) where both peers support them.

4. Specify the ISAKMP key and the IP address of the peer router at the global configuration prompt. In this case, the peer is at 102.168.5.3, and the PSK is MAC321.

Router70(config)# crypto isakmp key MAC321 address 102.168.5.3

5. Configure the IPsec transform set by specifying the following:

Transform set name: AES_SHA

Mechanism for payload authentication: ESP with SHA-1 HMAC (esp-sha-hmac)

Mechanism for payload encryption: ESP with AES-128 (esp-aes)

IPsec mode: tunnel (the default)

Use the following command for this:

Router70(config)# crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac

6. Create a crypto ACL (an extended access list) that specifies the traffic that IPsec should protect; read in reverse, the same list also identifies the inbound traffic that must arrive protected. In this case, protect all IP traffic between the two LANs. It is specified using the source network ID and the destination network ID with wildcard masks. The source network is 10.0.2.0/24, and the destination is 10.0.1.0/24. The peer's crypto ACL must be the mirror image of this one.

Router70(config)# access-list 110 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

7. Create a crypto map that specifies the ACL number 110, the transform set name, and the IPsec peer. Use a map name of mymap and set the SA lifetime to 86400 seconds.

Router70(config)# crypto map mymap 10 ipsec-isakmp

Router70(config-crypto-map)# match address 110

Router70(config-crypto-map)# set peer 102.168.5.3

Router70(config-crypto-map)# set transform-set AES_SHA

Router70(config-crypto-map)# set security-association lifetime seconds 86400

8. Apply the crypto map to the interface Serial 0/1.

Router70(config)# int s0/1

Router70(config-if)# crypto map mymap
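Before bringing the tunnel up, it is worth checking the two routers' configurations against each other, because most failed site-to-site negotiations come down to one side not mirroring the other. The following added example (not from the book) does that in Python for the Router70 configuration built in this procedure and an assumed peer, Router80; Router70's own WAN address 102.168.5.2 and everything about Router80 are assumptions. It also implements the ISAKMP policy comparison that Figure 11.3 illustrates: the responder takes the first of its policies, in priority order, whose attributes equal the initiator's, with the lifetime treated as a match when the initiator's value does not exceed the responder's, and unset attributes compared at their IOS defaults.

```python
"""Site-to-site pre-flight check for a pair of IOS routers (added example, not from the book)."""
import re
from itertools import takewhile

# Constructed: Router70 follows the chapter; Router80 and Router70's WAN address 102.168.5.2 are assumed.
ROUTER70 = """\
crypto isakmp policy 111
 authentication pre-share
 encryption aes 128
 group 5
 hash sha
 lifetime 86400
crypto isakmp key MAC321 address 102.168.5.3
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
access-list 110 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 match address 110
 set peer 102.168.5.3
 set transform-set AES_SHA
interface Serial0/1
 ip address 102.168.5.2 255.255.255.0
 crypto map mymap
"""
ROUTER80 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 128
 group 5
crypto isakmp key MAC321 address 102.168.5.2
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map tomap 10 ipsec-isakmp
 match address 120
 set peer 102.168.5.2
 set transform-set AES_SHA
interface Serial0/0
 ip address 102.168.5.3 255.255.255.0
 crypto map tomap
"""
# IOS applies these to any attribute a policy leaves unset (Router80 relies on hash and lifetime).
ISAKMP_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
                   "group": "1", "lifetime": "86400"}

def blocks(config, header_re):
    """Yield (header match, stripped indented child lines) for each top-level block."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if m := re.match(header_re, line):
            yield m, [l.strip() for l in takewhile(lambda l: l.startswith(" "), lines[i + 1:])]

def isakmp_policies(config):
    pols = {}
    for m, body in blocks(config, r"crypto isakmp policy (\d+)"):
        given = {k: v.replace(" ", "") for k, _, v in (l.partition(" ") for l in body)}  # "aes 128"->"aes128"
        pols[int(m.group(1))] = dict(ISAKMP_DEFAULTS, **given)
    return pols

def negotiate(initiator, responder):
    """IOS phase 1 matching (Figure 11.3): lowest policy number first on each side; all attributes
    equal except lifetime, where the initiator's may not exceed the responder's."""
    for inum, ipol in sorted(initiator.items()):
        for rnum, rpol in sorted(responder.items()):
            if (all(ipol[k] == rpol[k] for k in ("authentication", "encryption", "hash", "group"))
                    and int(ipol["lifetime"]) <= int(rpol["lifetime"])):
                return inum, rnum
    return None

def crypto_map(config):
    for _, body in blocks(config, r"crypto map \S+ \d+ ipsec-isakmp"):
        f = dict(l.rsplit(" ", 1) for l in body)      # "set peer 1.2.3.4" -> {"set peer": "1.2.3.4"}
        return f.get("match address"), f.get("set peer"), f.get("set transform-set")
    return None, None, None

def crypto_acl(config, number):
    pat = r"access-list %s permit (\S+) (\S+) (\S+) (\S+) (\S+)" % number
    return sorted(m.groups() for m in re.finditer(pat, config))   # (proto, src, smask, dst, dmask)

def transform_set(config, name):
    m = re.search(r"crypto ipsec transform-set %s (.+)" % name, config)
    return sorted(m.group(1).split()) if m else None

def wan_address(config):
    for _, body in blocks(config, r"interface \S+"):
        if any(l.startswith("crypto map ") for l in body):
            return next(l.split()[2] for l in body if l.startswith("ip address "))
    return None

def psk_for(config, peer):
    m = re.search(r"crypto isakmp key (\S+) address %s$" % re.escape(str(peer)), config, re.M)
    return m.group(1) if m else None

def preflight(local, remote):
    """Findings for the pair; an empty list means the two configs should negotiate."""
    (lacl, lpeer, ltset), (racl, rpeer, rtset) = crypto_map(local), crypto_map(remote)
    laddr, raddr = wan_address(local), wan_address(remote)
    mirrored = sorted((p, d, dm, s, sm) for p, s, sm, d, dm in crypto_acl(remote, racl))
    checks = [
        (lpeer == raddr and rpeer == laddr, "set peer does not match the other router's crypto-map interface"),
        (psk_for(local, raddr) is not None and psk_for(local, raddr) == psk_for(remote, laddr),
         "pre-shared key missing for the peer or not identical (keys are case-sensitive)"),
        (transform_set(local, ltset) == transform_set(remote, rtset), "transform sets differ"),
        (crypto_acl(local, lacl) == mirrored, "crypto ACLs are not mirror images of each other"),
        (negotiate(isakmp_policies(local), isakmp_policies(remote)) is not None,
         "no ISAKMP policy matches (authentication, encryption, hash, group, lifetime)"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed preflight the show running-config output of each router; the ACL mirror check is the one most often skipped by hand, and a non-mirrored crypto ACL shows up only as traffic that is encrypted in one direction and dropped in the other.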

ASA Firewalls When configuring a site-to-site VPN between two ASA firewalls, you will in most cases make use of the ASDM. Therefore, you will learn the procedure for doing this.

Implement an IPsec Site-to-Site VPN with Preshared Key Authentication on ASA with the ASDM In this procedure, you will implement an IPsec site-to-site VPN with preshared key authentication on an ASA.

1. In the ASDM, navigate to Wizards > VPN Wizards > Site-to-Site VPN Wizard. On the Introduction screen, click Next.

2. On the Peer Device Identification screen, enter the IP address of the peer ASA device and select the external interface leading to the peer. Click Next.

3. On the Traffic To Protect screen, enter the network ID of the local network in the Local Network field and the network ID of the remote network in the Remote Network field. Click Next.

4. In the Security panel, select Simple Configuration and enter the preshared key for the connection. The same key must be configured on the peer.

5. On the NAT Exempt page, if the ASA is also performing NAT, select the Exempt VPN Traffic From Network Address Translation check box. Then click Next.

6. In the Summary window, verify your selections. When satisfied, select Finish.

Verify an IPsec Site-to-Site VPN Regardless of the method used to set up the site-to-site VPN, the verification method is the same. You need to generate interesting traffic from one of the sites to the other and verify that the connection is functional. In these two examples, all IP traffic between the two LANs is interesting traffic, so all you need do is ping from a device in one location to a device in the other location. If the ping succeeds, the connection is working. If the first ping fails, try again and keep in mind that it takes some time to negotiate the SAs; the first packet is often lost while IKE runs. On a router, show crypto isakmp sa should then list the peer in the QM_IDLE state, and show crypto ipsec sa should show the encaps and decaps counters increasing; on an ASA, show crypto ipsec sa and show vpn-sessiondb l2l give the same information.

SummaryInthischapter,youlearnedthevalueoftheCiscoclientlessSSLVPNandthestepsrequiredtoconfigureit.ThechapteralsodiscussedanalternativetothisVPNtype,theCiscoAnyConnectSSLVPN,whichprovidesafull-tableexperiencebutrequiresclientsoftwareontheuser’sdevice.YoualsolearnedaboutmodulesintheCiscoAnyConnectclientthatcanprovideendpointpostureassessment.Finally,thechaptercoveredhowtoimplementanIPsecsite-to-siteVPNwithpresharedkeyauthentication.

Exam Essentials

Identify the steps to be completed to configure the Cisco clientless SSL VPN. These steps are first to enable clientless SSL VPN traffic termination on an ASA interface and then to configure clientless SSL server authentication by provisioning an identity certificate and attaching it to the interface. Next configure user authentication and finally create bookmarks for the links to the resources that will appear when the users connect to the web portal.

List the steps to be completed to configure the Cisco AnyConnect SSL VPN. These steps include the following: Create a connection profile and attach it to the external interface of the ASA. Generate a self-signed certificate for the ASA (or use an existing one if it exists already). Generate an identity certificate for the ASA and attach it to the key pair. Make the AnyConnect client available for download when the user connects. Create an account and password for the user on the ASA. Create a pool of IP addresses that can be issued to AnyConnect clients. Exempt the internal network from the NAT process. Select to allow the web launch of the AnyConnect client. Create a group policy for the remote access connection and assign it to the user.

Describe the components that provide endpoint posture assessment. The Cisco AnyConnect client also includes modules that can enhance its capabilities. Two of these modules are the ASA Posture module and the ISE Posture module. Both modules offer the ability to assess an endpoint's compliance with requirements regarding operating system version, antivirus updates, and other security-related issues. This gives you the ability to verify the security posture before giving the device access to the network.

List the steps to implement an IPsec site-to-site VPN with preshared key authentication. These steps include the following: Ensure that all ACLs are compatible with IPsec. Configure an ISAKMP policy that contains the ISAKMP parameters. Define the IPsec transform set, which includes the encryption and integrity algorithms. Create a crypto ACL that defines the traffic types to be sent and protected through the tunnel. Create a crypto map that defines the peers, applies the parameters of the crypto ACL to them, and applies the crypto ACL to the interface.

Review Questions

1. Which confidentiality algorithm is not supported for an SSL/TLS VPN?

A. DES

B. 3DES

C. AES

D. RC4

2. In an SSL/TLS VPN, what function can the DSA algorithm be used for?

A. Authentication

B. Integrity

C. Confidentiality

D. Key management

3. In the SSL connection process, which step occurs last?

A. Session keys are exchanged.

B. The server transmits its certificate to the client.

C. The client sends hello packets.

D. The client sends its certificate to the server.

4. Which of the following is not a subtask of configuring user authentication for a Cisco clientless SSL VPN connection?

A. Create a connection profile for the VPN users

B. Configure a group policy for the VPN users

C. Create accounts for the VPN users

D. Create bookmarks for the links to the resources

5. Which of the following is false regarding an endpoint posture assessment?

A. The ISE module performs a server-side assessment.

B. Both ISE and ASA posture modules offer the ability to assess an endpoint's compliance.

C. Both systems can deny access to the endpoints that fail the assessment, and both offer remediation capabilities.

D. The ISE quarantines a noncompliant device and directs it to servers that remediate the issues.

6. When implementing an IPsec site-to-site VPN, in which step are the encryption and integrity algorithms defined?

A. Creating a crypto map

B. Creating a crypto ACL

C. Defining the IPsec transform set

D. Specifying the ISAKMP key

7. Which of the following commands specifies the details of the key exchange algorithm?

A. Router70(config-isakmp)#lifetime 86400

B. Router70(config-isakmp)#encryption aes 128

C. Router70(config-isakmp)#group 5

D. Router70(config-isakmp)#authentication pre-share

8. In the following command, what does the number 10 represent?

Router70(config)#crypto map mymap 10 ipsec-isakmp

A. Sequence number

B. ACL number

C. Map name

D. SA lifetime

9. Which of the following is possible when certificates are present on both the client and the server?

A. Hairpinning

B. Mutual authentication

C. Online certificate verification

D. Split tunneling

10. Which of the following is not a possible authentication mechanism available in the SSL VPN?

A. RSA

B. CHAP

C. DSA

D. EC

11. Which of the following will be included in the certificate the server presents to the client?

A. PSK

B. Private key

C. Transform set

D. Public key

12. What step makes secure data exchange possible?

A. Exchange of hellos

B. Exchange of session keys

C. Exchange of certificates

D. Exchange of credentials

13. In which type of VPN does the user use the browser to connect to an SSL-enabled website?

A. AnyConnect

B. Clientless

C. IPsec with preshared key

D. IPsec site-to-site

14. What is the function of the MD5 algorithm in the SSL VPN process?

A. Authentication

B. Integrity

C. Confidentiality

D. Key exchange

15. Which of the following defines the traffic types to be sent and protected through the tunnel?

A. Crypto map

B. Crypto ACL

C. IPsec transform set

D. ISAKMP key

16. What does the following command control?

Router70(config-isakmp)#lifetime 86400

A. Authentication timeout

B. SA lifetime

C. PSK lifetime

D. Inactivity timer

17. In the following command, what does AES_SHA define?

Router70(config)#crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac

A. The name of the transform set

B. The mechanism for the payload authentication

C. The mechanism for the payload encryption

D. The tunnel mode

18. Which of the following is not a supported key management algorithm in an SSL VPN?

A. MD5

B. Quantum

C. DH

D. ECC

19. What VPN method requires software on the user device?

A. IPsec site-to-site

B. AnyConnect

C. Clientless

D. IPsec with PSK

20. What statement is false regarding endpoint posture assessment?

A. The ISE module quarantines a noncompliant device and directs it to servers that remediate the issues.

B. The ISE module is limited to working with the software present on the endpoint.

C. Both systems can deny access to the endpoints that fail the assessment.

D. The ASA module performs a server-side assessment.

Chapter 13 Understanding Firewalls

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

5.1 Describe operational strengths and weaknesses of the different firewall technologies

Proxy firewalls

Application firewall

Personal firewall

5.2 Compare stateful vs. stateless firewalls

Operations

Function of the state table

Firewalls are part of the foundation of security in a network. They protect the network perimeter and control access between security zones within your networks. You will also typically deploy firewalls in layers, meaning you will place firewalls on each device. Firewalls differ in the way they examine the traffic they are designed to control and in the effect they have on network performance.

In this chapter, you will learn the following:

The operational strengths and weaknesses of the different firewall technologies

The functions of stateful and stateless firewalls

Understanding Firewall Technologies

Firewalls come with a range of abilities and go about their jobs in different ways depending on the job for which they were designed. They can differ in the OSI layer on which they operate and in the types of actions they can take and the attack types they can mitigate. In this section, you'll learn about a variety of these devices. In the section following this one, you'll look at one firewall capability that deserves a section all its own.

Packet Filtering

Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers. Although even performing this function will slow traffic, it involves only looking at the beginning of the packet and making a quick allow or disallow decision.

Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake. More advanced inspection firewall types are required to stop these attacks.

Proxy Firewalls

Proxy firewalls stand between each connection from the outside to the inside and make the connection on behalf of the endpoints. Therefore, there is no direct connection. The proxy firewall acts as a relay between the two endpoints. Proxy firewalls can operate at two different layers of the OSI model. Both are discussed shortly.

Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information. Because they do not do deep packet inspection (at layer 7 or the Application layer), they are considered application-independent and can be used for wide ranges of layer 7 protocol types.

A SOCKS firewall is an example of a circuit-level firewall. This requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.

A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will because it does this at the kernel layer. It also follows the proxy model in that it stands between the two systems and creates connections on their behalf.

Proxy servers can be appliances, or they can be software that is installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server might allow the Sales group to go to certain websites while not allowing the Data Entry group access to these same sites. The functionality extends beyond HTTP to other traffic types, such as FTP and others.

Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.

Application Firewall

Application-level proxies perform deep packet inspection. This type of firewall understands the details of the communication process at layer 7 for the application of interest. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.

Personal Firewall

Personal firewalls may be those that come with an operating system like the Windows Firewall, or they may be third-party host firewalls such as Kaspersky Internet Security or ZoneAlarm Pro Firewall. These firewalls, called either host or personal firewalls, protect only the device on which the software is installed.

While never a replacement for properly positioned network firewalls, they are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you should always deploy multiple barriers to unauthorized access.

One key feature that a personal firewall can provide (although in many cases this is not configured by default) is the ability to control egress traffic. This is traffic leaving the device and can help to prevent malware that "calls home" to a command-and-control server from functioning. These firewalls can also help protect systems from other systems inside the network perimeter.

Stateful vs. Stateless Firewalls

One key type of firewall that we saved for the end of this chapter is a stateful firewall. Stateful firewalls are those that are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don't make sense in the context of the TCP handshake. Just as a review, Figure 13.1 shows the process.

FIGURE 13.1 TCP three-way handshake

In this process, a packet should never arrive at a firewall for delivery that has both the SYN flag and the ACK flag set unless it is part of an existing handshake process, and it should be in response to a packet sent from inside the network with the SYN flag set. This is the type of packet that the stateful firewall would disallow. It also can recognize other attack types that attempt to misuse this process. It does this by maintaining a state table about all current connections and the status of each connection process. This allows it to recognize any traffic that doesn't make sense with the current state of the connection. Of course, maintaining this table and referencing the table causes this firewall type to have more of an effect on performance than a packet filtering firewall.

Operations

Figure 13.2 shows the operation of a stateful firewall.

FIGURE 13.2 Stateful firewall operation

The device C1 on the right is sending a SYN packet to the device H1. The firewall permitted and recorded that operation in its state table and will monitor that table whenever a packet arrives at the firewall to ensure that any packets permitted either are connection requests from the inside (SYN packets only) or are part of an existing connection and that all rules of the handshake are enforced. For example, in the scenario, a packet from the outside destined for C1 from H1 with an ACK flag set would be rejected because the next expected packet type in the handshake would be a packet with the SYN and ACK flags set.

State Table

The state table is used to monitor all allowed connections. The following are the key items that are typically recorded by a stateful firewall with respect to each connection:

Source IP address

Source port number

Destination IP address

Destination port number

IP protocol

Flags

Timeout
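As an added illustration (not code from the study guide), the following Python model keeps a state table holding the items listed above and applies the handshake rules of Figure 13.2 to a replayed packet sequence; the host addresses, ports, inside-network prefix and timeout value are constructed for the example.

```python
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"
INSIDE_PREFIX = "10.0.0."   # constructed: addresses with this prefix are "inside"


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset
    proto: str = "TCP"

    @property
    def outbound(self) -> bool:
        return self.src_ip.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    """State table keyed by the connection's inside-side 5-tuple. Each entry
    records source/destination address and port, protocol, the flags last seen,
    the handshake state and an idle timeout, as the chapter lists."""

    def __init__(self, timeout: int = 3600):
        self.timeout = timeout
        self.table = {}

    @staticmethod
    def key(p: Packet):
        if p.outbound:
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def _record(self, k, p: Packet, state: str):
        self.table[k] = {"src_ip": k[0], "src_port": k[1], "dst_ip": k[2],
                         "dst_port": k[3], "proto": k[4], "flags": set(p.flags),
                         "state": state, "timeout": self.timeout}

    def process(self, p: Packet) -> bool:
        """True if the packet is permitted, False if it is dropped."""
        k = self.key(p)
        entry = self.table.get(k)
        state = entry["state"] if entry else None
        if p.outbound:
            if state is None:
                if p.flags == {SYN}:          # only a pure SYN from inside opens an entry
                    self._record(k, p, "SYN_SENT")
                    return True
                return False
            if state == "SYN_RECEIVED" and p.flags == {ACK}:
                self._record(k, p, "ESTABLISHED")   # third step of the handshake
                return True
            return state == "ESTABLISHED"
        # Inbound: must belong to a connection the inside opened
        if state is None:
            return False                      # unsolicited, including an outside-initiated SYN
        if state == "SYN_SENT" and p.flags == {SYN, ACK}:
            self._record(k, p, "SYN_RECEIVED")   # the one expected reply to our SYN
            return True
        if state == "ESTABLISHED" and SYN not in p.flags:
            return True
        return False                          # e.g. a bare ACK before the SYN/ACK arrived


def run_handshake_scenario():
    """Replays the Figure 13.2 situation with constructed addresses: C1 (inside)
    opens a connection to H1 (outside). Returns the decisions in order and the firewall."""
    fw = StatefulFirewall()
    c1, h1 = "10.0.0.5", "203.0.113.10"
    packets = [
        Packet(c1, 50000, h1, 80, frozenset({SYN})),       # 1 C1 -> H1 SYN: opens the entry
        Packet(h1, 80, c1, 50000, frozenset({ACK})),       # 2 H1 -> C1 bare ACK: out of order, dropped
        Packet(h1, 80, c1, 50000, frozenset({SYN, ACK})),  # 3 H1 -> C1 SYN/ACK: expected reply
        Packet(c1, 50000, h1, 80, frozenset({ACK})),       # 4 C1 -> H1 ACK: handshake completes
        Packet(h1, 80, c1, 50001, frozenset({SYN, ACK})),  # 5 SYN/ACK for a connection never opened
        Packet(h1, 443, c1, 50000, frozenset({SYN})),      # 6 outside-initiated SYN: no entry, dropped
    ]
    return [fw.process(p) for p in packets], fw
```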

Summary

In this chapter, you learned about various firewall technologies such as proxy, application, personal, and stateful firewalls. You learned their strengths and weaknesses. You also learned about stateful firewalls in greater detail and described the relationship between the operation of these firewalls and the TCP three-way handshake. Finally, you learned what is contained in the state table of a stateful firewall.

Exam Essentials

Identify the operational strengths and weaknesses of firewall technologies. These include proxy, application, personal, and stateful firewalls. Describe each technology's impact on performance and the features that each provides.

Describe the relationship between the TCP three-way handshake and stateful firewalls. Stateful firewalls understand the three-way handshake and can recognize illegal packets that don't make sense in the TCP connection process.

Identify contents of a state table. Key items that are typically recorded by a stateful firewall with respect to each connection are source port number, destination IP address, destination port number, IP protocol, flags, and timeout.

Review Questions

1. Which firewall technology is the least detrimental to performance?

A. Proxy

B. Stateful

C. Packet filtering

D. SOCKS

2. Which firewall type operates at the session layer?

A. Circuit-level proxy

B. Stateful

C. Packet filtering

D. SOCKS

3. Which statement is true of a kernel-level proxy?

A. Operates at the Transport layer

B. Considered a fifth-generation firewall

C. Maintains a state table

D. Examines only the header

4. Which of the following is not a proxy firewall?

A. Kernel

B. Circuit-level

C. SOCKS

D. Application

5. Which type of firewall is ZoneAlarm Pro Firewall?

A. Personal

B. Stateful

C. Packet filtering

D. SOCKS

6. Which value for each connection is not contained in the state table of a stateful firewall?

A. Destination MAC address

B. Source IP address

C. Destination IP address

D. Flags

7. You have selected a firewall that performs deep packet inspection but also creates a performance hit on throughput. What type did you select?

A. Personal

B. Application level

C. Packet filtering

D. SOCKS

8. Which also offers the benefit of web page caching?

A. Personal firewalls

B. Application-level firewalls

C. Proxy servers

D. SOCKS firewalls

9. At what layer of the OSI model do circuit-level proxies operate?

A. Network

B. Transport

C. Application

D. Session

10. Which of the following is most susceptible to IP spoofing attacks?

A. Packet-filtering firewalls

B. Application-level firewalls

C. Proxy servers

D. SOCKS firewalls

11. Which of the following will be able to read and filter traffic based on specific HTTP commands?

A. Packet-filtering firewalls

B. Application-level firewalls

C. Proxy servers

D. SOCKS firewalls

12. What is the only legitimate response to a packet with the SYN flag set?

A. SYN/FIN

B. ACK

C. SYN/ACK

D. FIN

13. A packet was just received with the SYN/ACK flags set. What data structure will a stateful firewall use to determine whether this packet is allowed?

A. ARP cache

B. Routing table

C. DNS resolver cache

D. State table

14. Installing both personal and network firewalls is an example of exercising what concept?

A. Defense in depth

B. Separation of duties

C. Least privilege

D. Need to know

15. A SOCKS firewall is an example of which firewall technology?

A. Packet-filtering firewalls

B. Circuit-level firewall

C. Proxy servers

D. Stateful firewalls

16. Which traffic type would be accepted by a stateful firewall?

A. A SYN/ACK packet that is not related to a current connection

B. An ACK packet that is in response to a SYN packet in a current connection setup

C. A SYN/ACK packet in response to a SYN packet in a current connection setup

D. An ACK packet that is not related to a current connection

17. Which of the following is not a proxy firewall?

A. SOCKS firewalls

B. Circuit-level firewalls

C. Stateful firewalls

D. Kernel-level firewalls

18. Which statement is not true of personal firewalls?

A. May be those that come with an operating system like the Windows Firewall or may be third-party hosted firewalls

B. Protect only the device on which the software is installed

C. Can control egress traffic

D. Can be a replacement for properly positioned network firewalls

19. Which firewall technology is the most detrimental to performance?

A. Application level

B. Stateful

C. Packet filtering

D. SOCKS

20. Which firewall type operates at the Network and Transport layers?

A. Circuit-level proxy

B. Packet filtering

C. Stateful

D. SOCKS

Chapter 14 Configuring NAT and Zone-Based Firewalls

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

5.3 Implement NAT on Cisco ASA 9.x

Static

Dynamic

PAT

Policy NAT

Verify NAT operations

5.4 Implement zone-based firewall

Zone to zone

Self-zone

Network Address Translation (NAT) is a feature found in firewalls and many router platforms that allows for the translation of private IP addresses to public IP addresses at the network edge. While one of the driving forces behind the development of NAT was the conservation of public IPv4 address space, NAT also has a security component in that the process helps to hide the interior addressing scheme. Zone-based firewalling is an approach that makes traffic filtering decisions between zones rather than by specific IP addresses. In this chapter, you will learn how to implement several types of NAT and configure zone-based firewalling.

In this chapter, you will learn the following:

How to implement NAT on Cisco ASA 9.x platforms

How to implement zone-based firewalls

Implementing NAT on ASA 9.x

There are three types of NAT that can be implemented. This section discusses how these three types operate, and you'll learn how to implement each type on the Adaptive Security Appliance (ASA).

In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.

In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than mapping the private IP addresses to the public IP addresses, the NAT device maps the public IP addresses from the pool on a dynamic basis much like a DHCP server does when assigning IP addresses.

Finally, Port Address Translation (PAT) is a form of NAT in which all private IP addresses are mapped to a single public IP address. This provides both benefits of saving the IPv4 address space and hiding the network address scheme. This system is called PAT because the ephemeral port numbers that devices choose as the source port for a connection (which are chosen randomly from the upper ranges of the port numbers) are used to identify each source computer in the network. This is required since all devices are mapped to the same public IP address.

When configuring NAT on the ASA, you need to understand that it uses an object-oriented approach. In other words, an object is created for each host, for each translated address, and for each service that is used in the translation process. Translations are configured as network objects. A network object is defined as a single address or as a network ID.

The resulting host or network defined in a network object is used to represent the private IP address prior to translation. When ACLs are used to define traffic allowed from a lower-security interface to a higher-security interface, these pretranslation objects are referenced.

The ASA uses a NAT table to hold the translations. This table has three sections. When an outgoing packet arrives at the ASA, the sections are read from top to bottom, and the first translation match is applied. The three sections are as follows:

Manual NAT This contains translations that have been defined to be applied by the appliance before the other sections are consulted. These translations are typically very specific and may indicate a translation on both the source and destination IP addresses.

Auto NAT In this section, also called object NAT, translations that are defined on the object itself are contained. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and require the same public IP address always) or dynamic translations for clients trying to reach the Internet.

Manual NAT after Auto NAT This contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.

If a packet doesn't match any of the mappings found in any of the three sections, the packet is sent untranslated.
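An added Python model (not ASA code) of the three-section NAT table and of the three NAT types described above: the sections are consulted top to bottom, the first match wins, and an unmatched packet leaves untranslated. The 10.1.1.0/24, 103.61.3.9, 192.168.5.6 and 128.10.6.2 values come from the chapter's show commands; the policy-NAT addresses, the pool addresses and the handling of an exhausted pool (packet dropped) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional


@dataclass
class NatRule:
    """One translation rule. kind is 'static', 'dynamic' (address pool) or 'pat'.
    dst is set only on manual (policy / twice) NAT rules that also match the destination."""
    src: ipaddress.IPv4Network
    kind: str
    mapped: List[str]                              # static/pat: one public address; dynamic: the pool
    dst: Optional[ipaddress.IPv4Network] = None
    leases: dict = field(default_factory=dict)     # dynamic only: private address -> pool address

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        return self.dst is None or ipaddress.ip_address(dst_ip) in self.dst


class NatTable:
    """The ASA NAT table as the chapter describes it: three sections read top to
    bottom for an outgoing packet, first match applied."""
    ORDER = ("manual", "auto", "manual_after_auto")

    def __init__(self):
        self.sections = {name: [] for name in self.ORDER}
        self._pat_ports = count(1024)      # next free global port for PAT (constructed start)
        self.xlate = []                    # one line per active translation, like show xlate detail

    def add(self, section: str, rule: NatRule):
        self.sections[section].append(rule)

    def translate(self, src_ip, src_port, dst_ip, proto="TCP"):
        """Return (mapped_ip, mapped_port); the original pair when no rule matches
        (sent untranslated); None when a dynamic pool has no free address (assumed dropped)."""
        for name in self.ORDER:
            for rule in self.sections[name]:
                if rule.matches(src_ip, dst_ip):
                    return self._apply(rule, src_ip, src_port, proto)
        return (src_ip, src_port)

    def _apply(self, rule, src_ip, src_port, proto):
        if rule.kind == "static":
            mapped = (rule.mapped[0], src_port)               # one-to-one, port untouched
        elif rule.kind == "dynamic":
            if src_ip not in rule.leases:
                free = [a for a in rule.mapped if a not in rule.leases.values()]
                if not free:
                    return None
                rule.leases[src_ip] = free[0]                 # handed out like a DHCP lease
            mapped = (rule.leases[src_ip], src_port)
        else:                                                 # pat: one shared address, ports tell hosts apart
            mapped = (rule.mapped[0], next(self._pat_ports))
        self.xlate.append(f"{proto} {rule.kind.upper()} from inside:{src_ip}/{src_port} "
                          f"to outside:{mapped[0]}/{mapped[1]}")
        return mapped


def demo_nat_table():
    """Builds a table with the first two sections populated and returns the decisions
    for a set of constructed outgoing packets plus the resulting xlate lines."""
    t = NatTable()
    net = ipaddress.ip_network
    # Section 1, manual (policy NAT): 10.1.1.20 is translated only when it talks to 198.51.100.7
    t.add("manual", NatRule(net("10.1.1.20/32"), "static", ["203.0.113.20"],
                            dst=net("198.51.100.7/32")))
    # Section 2, auto (object) NAT: static server mapping, PAT for the client LAN, two-address pool
    t.add("auto", NatRule(net("192.168.5.6/32"), "static", ["128.10.6.2"]))
    t.add("auto", NatRule(net("10.1.1.0/24"), "pat", ["103.61.3.9"]))
    t.add("auto", NatRule(net("10.2.0.0/24"), "dynamic", ["203.0.113.50", "203.0.113.51"]))
    # Section 3 is left empty: anything not matched above leaves untranslated
    anywhere = "198.51.100.99"
    results = {
        "policy": t.translate("10.1.1.20", 40000, "198.51.100.7"),     # section 1 wins
        "policy_other_dst": t.translate("10.1.1.20", 40001, anywhere),  # falls through to the PAT rule
        "static": t.translate("192.168.5.6", 443, anywhere),
        "pat_a": t.translate("10.1.1.15", 1026, anywhere),
        "pat_b": t.translate("10.1.1.15", 1028, anywhere, proto="UDP"),
        "dyn1": t.translate("10.2.0.1", 5000, anywhere),
        "dyn2": t.translate("10.2.0.2", 5000, anywhere),
        "dyn3": t.translate("10.2.0.3", 5000, anywhere),                # pool exhausted
        "no_match": t.translate("172.16.0.9", 5000, anywhere),
    }
    return results, t.xlate
```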

Static

To configure a static NAT translation, follow the steps in the next procedure.

Configuring Static NAT

In this procedure, you will create a static NAT mapping for a device.

1. Connect to the ASA using the Adaptive Security Device Manager (ASDM).

2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.

3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules checkbox and select Static as the type in the drop-down box just below the Add Automatic Address Translation Rules checkbox.

4. Just below the drop-down box where you select Static is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.

5. When the Add Network Object dialog box appears, enter a name for the translated object and the address type and public IP address to which the device should be translated. Then click OK.

6. Back on the Add Network Object page where you defined the pretranslation information, click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.

7. Click OK and then Apply. The configuration is now complete.

Dynamic

To configure dynamic NAT translation, follow the steps in the next procedure.

Configuring Dynamic NAT

1. Connect to the ASA using the ASDM.

2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the dynamic mapping. Ensure that this is the pretranslation IP address.

3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules checkbox and select Dynamic as the type in the drop-down box just below the Add Automatic Address Translation Rules checkbox.

4. Just below the drop-down box where you select Dynamic is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.

5. In this case, the object you will be creating will be a range of public IP addresses, which you will name TranslatedPool. Enter a range of addresses using the Start Address and End Address fields. While you are creating only one mapping to the pool in this exercise, in the real world ensure that you have enough public IP addresses in the pool for the private addresses to be translated.

6. Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.

7. Click OK and then Apply. The configuration is now complete.

PAT

To configure PAT translation, follow the steps in the next procedure.

Configuring PAT

1. Connect to the ASA using the ASDM.

2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the PAT mapping. Ensure that this is the pretranslation IP address.

3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules checkbox and select Dynamic PAT (Hide) as the type in the drop-down box just below the Add Automatic Address Translation Rules checkbox.

4. In this case, you are not mapping to an individual IP address or to a pool of IP addresses; you will be mapping to the Internet-facing interface of the ASA. When you do this with PAT (Hide) selected, all mappings will use the public address configured on that Internet interface. Use the Browse button to browse to the Internet-facing interface on the ASA. If an object has not been created for the interface, do so now by specifying its public IP address.

5. Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces of the ASA. You will choose these from a drop-down box.

6. Click OK and then Apply. The configuration is now complete.

Policy NAT

In some scenarios, you may need more options than are available with Auto NAT (as you will see in the next procedure), or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections. When you do this, it is also called Policy NAT. It is also sometimes called Twice NAT because the same rule can perform translation in both directions (translating not only the address of the device inside the network outgoing but also the IP address of the exterior device incoming).

In the scenario you will use in the next procedure, you will use Policy NAT to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise.

To configure Policy NAT to support this scenario, follow the steps in the next procedure.

Configuring Policy NAT

1. Connect to the ASA using the ASDM.

2. Navigate to Configuration > Firewall > Objects > Network Objects/Groups. Select Add Network Object.

3. Create three network objects: one for the private IP address of the internal device, one for the public IP address to which the internal device will be mapped, and one for the private IP address to which the external device will be mapped incoming. Define the parameters of each object. When you are finished, click Apply.

4. Now you will define the manual translation that will apply only between these two systems. Navigate to Configuration > Firewall > NAT Rules.

5. The NAT Rules table appears. When you configure manual NAT entries, they can be applied either before or after Network Object NAT rules such as those you configured in the earlier procedures. In this case, you want this rule to apply before those rules do, so click Add and then Add NAT Rule before "Network Object" NAT Rules. The Add NAT Rule box appears.

6. The top section of the Add NAT Rule dialog box is where you configure how the packet will be identified for translation using this rule. In the Source Interface field, select Any from the drop-down box, and in the Source Address field use the drop-down box to select the object you created in step 3 representing the private IP address of the internal device.

7. In the Destination Interface field, select Any from the drop-down box, and in the Destination Address field use the drop-down box to select the object you created in step 3 representing the public IP address of the external device.

8. Now that you have defined the match parameters for the translation, you need to configure the translation. In the Action: Translation Packet section in the Source NAT Type drop-down box, select Static. In the Source Address drop-down box, select the object you created in step 3 representing the public IP address to which the internal device should be translated. In the Destination Address field, select Original from the drop-down box.

9. Select OK and then Apply. The configuration is now complete.

Verifying NAT Operations

There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.

Viewing Translations

Using the show xlate command on an ASA on which PAT has been configured, you can see in the following output that three translations have occurred. As PAT is in use, all three have received the same public IP address.

hostname# show xlate

3 in use, 3 most used

PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340

PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)

PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)

The following is sample output from the show xlate detail command. It shows the translation type and interface information with three active PATs.

The r flag indicates that the translation is PAT. The i flag indicates that the translation applies to the inside address port.

hostname# show xlate detail

3 in use, 3 most used

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,

r - portmap, s - static

TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri

UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri

ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri

Viewing the Configuration

Using the show nat command, you can view the configuration. In the following output, there is a single static translation configured on the inside interface that translates the host at 192.168.5.6 to 128.10.6.2. You can also see that there have been no translations (hits) in either direction using this configuration.

hostname(config)# show nat

NAT policies on Interface inside:

match ip inside host 192.168.5.6 outside any

static translation to 128.10.6.2

translate_hits = 0, untranslate_hits = 0

Configuring Zone-Based Firewalls

Zones are collections of networks reachable over a router interface. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zones. There is one special type of zone that will be covered in the next section.

When zone-based firewalling is used, each interface (including both physical and virtual interfaces) is assigned to a zone, and a policy is applied to traffic moving between zones. These configurations use a syntax known as the Cisco Common Classification Policy Language. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.

While only a single service policy can be used on a zone pair, the policy maps within can include multiple class maps. These class maps will be checked for a traffic match in the order in which they are configured. If a match is not found in the first map, the second will be consulted. When there are no matches, the default policy will be applied to the traffic. Figure 14.1 shows this logic.

FIGURE 14.1 Multiple class maps

Moreover, these class maps can be used in more than one service policy. In Figure 14.2, two class maps have been created, and they have both been used in two different service policies.

FIGURE 14.2 Reuse of class maps

Class Maps

Class maps have two parts; the first identifies the traffic, and the second specifies an action. A match statement is used to specify the traffic and can match traffic based on the following:

An ACL

A protocol

Another class map

Actions are defined using action statements. The actions can be as follows:

Inspect: Triggers stateful packet inspection

Drop: Denies traffic

Pass: Permits traffic

Default Policies

When no class map matches the traffic type, the default policy is invoked. This policy's actions depend on whether the interface has been assigned to a zone and, if so, what policy is currently in effect for that zone pair if it exists. Sound complicated? It can be. Figure 14.3 shows the rules.

Page 259: CCNA security study guide: exam 210-260

FIGURE14.3Defaultpolicies

Figure14.3appliestotrafficthatisnotcomingfromordestinedtotherouter(self-zone).Whenthatisthecase,therulesareasshowninFigure14.4.

FIGURE14.4Defaultpolicies(self-zone)

UnderstandingtheSelf-ZoneTheself-zoneisaspecialzonethathasnointerfacemembers.Itappliestoanytrafficdestinedfortherouterratherthantrafficthattherouterisrouting.AnexampleofthistypeoftrafficwouldbetraffictomanagethedeviceusingSSH.Italsoappliestotrafficgeneratedbytherouter.ThetrafficgoingfromtherouterbacktothedevicemakingtheSSHconnectiontomanagethedevicewouldbeanexampleofsuchrouter-generatedtraffic.

ConfiguringZone-to-ZoneAccessThefirewallyouwilluseinthefollowingprocedurehasthreeinterfaces:oneconnectedtotheInternet,oneconnectedtotheLAN,andanotherconnectedtotheDMZ.Toconfigurezone-

Page 260: CCNA security study guide: exam 210-260

basedpoliciestosupportthisscenario,followthestepsinthenextprocedure.

ConfiguringZone-BasedFirewallInthisprocedure,youwillconfigureapolicythatperformsstatefulinspectionofHTTPandFTPtrafficcomingtotheDMZfromtheInternet.

1. Definethreesecurityzones:Inside,Outside,andDMZ.Usethefollowingcommandstodoso:

RTR64(config)#zonesecurityinside

RTR64(config)#zonesecurityoutside

RTR64(config)#zonesecuritydmz

2. Assigneachinterfacetoitsproperzone.

RTR64(config)#intgi0/1

RTR64(config-if)#zone-memberinside

RTR64(config)#intgi0/2

RTR64(config-if)#zone-memberoutside

RTR64(config)#intgi0/3

RTR64(config-if)#zone-memberdmz

3. Createaclassmapthatdefinesthetraffic.Inthiscase,thattrafficwillbeHTTPorFTP.ThemapwillbenamedHTTP_FTP_filterandwillperformstatefulinspectionoftheHTTPtraffic.

RTR64(config)#class-maptypeinspectmatch-anyHTTP_FTP_filter

RTR64(config-cmap)#matchprotocolhttp

RTR64(config-cmap)#matchprotocolftp

4. DefineapolicymapnamedDMZ_inspectthatspecifiestrafficthatmatchestheHTTP_FTP_filterclassmap.

RTR64(config)#policy-maptypeinspectDMZ_inspect

RTR64(config-pmap)#classtypeinspectHTTP_FTP_filter

RTR64(config-pmap-c)#inspect

5. Defineazonepaircalledoutside_to_DMZwiththeoutsidezonebeingthesourceandtheDMZzonebeingthedestination.

RTR64(config)#zone-pairsecurityoutside_to_DMZsourceoutside

destinationdmz

6. ApplytheDMZ_inspectpolicytothezonepaircalledoutside_to_DMZ.

RTR64(config-sec-zone-pair)#service-policytypeinspectDMZ_inspect

Theconfigurationisnowcomplete.
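The following Python model is an added example, not configuration from the book or Cisco code. It reproduces the decision logic this section describes (class maps checked in configured order, the class-default action, the self zone, and why inspect rather than pass is used) so that what the procedure above permits can be checked before it is deployed. The IOS default behaviours for traffic with no zone-pair policy (same-zone and self-zone traffic pass, everything else is dropped) are assumptions stated in the comments, and the sample flows are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

SELF_ZONE = "self"   # the special zone that has no interface members

@dataclass(frozen=True)
class Flow:
    src_if: str        # ingress interface, or SELF_ZONE for router-generated traffic
    dst_if: str        # egress interface, or SELF_ZONE for traffic to the router
    protocol: str      # "http", "ftp", "ssh", ...
    src_ip: str = ""
    dst_ip: str = ""

@dataclass
class ClassMap:
    """match-any needs one criterion to hit; match-all needs every criterion."""
    name: str
    match_any: bool = True
    protocols: Set[str] = field(default_factory=set)                 # match protocol X
    acls: List[Callable[[Flow], bool]] = field(default_factory=list)  # match access-group
    nested: List["ClassMap"] = field(default_factory=list)            # match class-map X

    def matches(self, flow: Flow) -> bool:
        results = [flow.protocol == p for p in sorted(self.protocols)]
        results += [acl(flow) for acl in self.acls]
        results += [cm.matches(flow) for cm in self.nested]
        return bool(results) and (any(results) if self.match_any else all(results))

@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, str]]   # (class map, action) in configured order
    default_action: str = "drop"          # class-default of an inspect policy map

    def action_for(self, flow: Flow) -> Tuple[str, str]:
        for cm, action in self.classes:   # first matching class map wins
            if cm.matches(flow):
                return action, cm.name
        return self.default_action, "class-default"

class ZoneBasedFirewall:
    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}                        # interface -> zone
        self.zone_pairs: Dict[Tuple[str, str], PolicyMap] = {}   # (src, dst) -> policy
        self.sessions: Set[Flow] = set()                         # opened by 'inspect'

    def zone_member(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone

    def zone_pair(self, source: str, destination: str, policy: PolicyMap) -> None:
        self.zone_pairs[(source, destination)] = policy

    def _zone(self, interface: str) -> Optional[str]:
        return SELF_ZONE if interface == SELF_ZONE else self.zone_of.get(interface)

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return (action, reason) for one flow and record inspected sessions."""
        reverse = Flow(flow.dst_if, flow.src_if, flow.protocol, flow.dst_ip, flow.src_ip)
        if reverse in self.sessions:
            return "pass", "return traffic of an inspected session"
        src, dst = self._zone(flow.src_if), self._zone(flow.dst_if)
        if src is None or dst is None:
            # IOS default (assumed): member <-> non-member is dropped, non-members pass
            if src is not None or dst is not None:
                return "drop", "zone member to non-member interface"
            return "pass", "neither interface is a zone member"
        if src == dst:
            return "pass", "traffic within one zone"
        policy = self.zone_pairs.get((src, dst))
        if policy is None:
            if SELF_ZONE in (src, dst):
                return "pass", "self zone with no policy"   # IOS default (assumed)
            return "drop", "no zone pair for this direction"
        action, cls = policy.action_for(flow)
        if action == "inspect":      # 'pass' opens no session; 'inspect' does
            self.sessions.add(flow)
        return action, f"{policy.name}/{cls}"

def build_chapter_firewall() -> ZoneBasedFirewall:
    # The configuration from the 'Configuring Zone-Based Firewall' procedure above
    fw = ZoneBasedFirewall()
    fw.zone_member("gi0/1", "inside")
    fw.zone_member("gi0/2", "outside")
    fw.zone_member("gi0/3", "dmz")
    http_ftp_filter = ClassMap("HTTP_FTP_filter", match_any=True, protocols={"http", "ftp"})
    dmz_inspect = PolicyMap("DMZ_inspect", [(http_ftp_filter, "inspect")])
    fw.zone_pair("outside", "dmz", dmz_inspect)   # zone-pair security outside_to_DMZ
    return fw

def run_scenarios() -> Dict[str, str]:
    """Evaluate constructed sample flows against the chapter configuration."""
    fw = build_chapter_firewall()
    flows = {
        "outside->dmz http": Flow("gi0/2", "gi0/3", "http", "203.0.113.7", "192.0.2.10"),
        "dmz->outside http reply": Flow("gi0/3", "gi0/2", "http", "192.0.2.10", "203.0.113.7"),
        "outside->dmz ssh": Flow("gi0/2", "gi0/3", "ssh"),
        "inside->router ssh": Flow("gi0/1", SELF_ZONE, "ssh"),
        "inside->outside http": Flow("gi0/1", "gi0/2", "http"),
    }
    return {name: fw.evaluate(flow)[0] for name, flow in flows.items()}
```

The last flow shows a consequence of the procedure as written: with only the outside_to_DMZ zone pair defined, traffic from the inside zone to the outside zone has no policy and is dropped, so a second zone pair is needed before LAN users can reach the Internet.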

Summary

In this chapter, you learned about the three forms of NAT: static NAT, dynamic NAT, and PAT. You also learned about the NAT options available in the ASA. You learned about the benefits of NAT and how to configure it and verify its operation. Class maps, policy maps, and service policies and their respective functions in a zone-based firewall were covered as well. Finally, the steps to configure and verify a zone-based firewall ended the chapter.

Exam Essentials

Identify the forms of Network Address Translation (NAT). These include static NAT, dynamic NAT, and Port Address Translation (PAT).

Describe the three sections of the NAT table in the ASA. The Manual NAT section represents translations that have been defined to be applied by the appliance before the other sections are consulted. The Auto NAT section represents translations that are defined on the object itself. The Manual NAT After Auto NAT section contains more general translations not handled by the first two sections.

Identify benefits of policy NAT. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections.

Verify NAT operations. There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.

Describe the components of a zone-based firewall configuration. Class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.

List the steps to configure zone-to-zone access. From a high level, to configure zone-to-zone access, the following steps must be performed: 1) define zones, 2) define zone pairs, 3) define class maps that define traffic, 4) define policy maps that apply actions to the class maps, 5) apply policy maps to zone pairs, and 6) assign interfaces to zones.

Review Questions

1. In which type of NAT is each private IP address manually mapped to a public IP address?
A. Dynamic
B. Static
C. PAT
D. SAT

2. Which section of the NAT table in the ASA is read last?
A. Auto NAT
B. Manual NAT
C. Dynamic NAT
D. Manual NAT After Auto NAT

3. You need to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise. What type of NAT must you use?
A. Auto NAT
B. Static NAT
C. Dynamic NAT
D. Policy NAT

4. What command generated the following output?
3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)
A. show nat
B. show nat detail
C. show xlate
D. show pat

5. In the following command output, what does the r stand for?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Routed
B. Remote
C. Port Address Translation
D. Reverse

6. Which of the following are collections of networks?
A. Zone pairs
B. Zones
C. Policy maps
D. Class maps

7. A match statement can be based on all of the following except which one?
A. An ACL
B. Protocol
C. Another class map
D. Device name

8. Which of the following actions triggers stateful inspection of the traffic?
A. Drop
B. Permit
C. Inspect
D. Pass

9. Which zone has no interface members?
A. DMZ
B. Self
C. Inside
D. Outside

10. In which type of NAT are all private IP addresses mapped to a single public IP address?
A. Dynamic
B. Static
C. PAT
D. SAT

11. In the following command output, what does the value 21505 represent?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Destination port number
B. Sequence number
C. Source port number
D. Acknowledgment number

12. Which of the following is used to define traffic classes?
A. Service policy
B. Zones
C. Policy maps
D. Class maps

13. What command defines a security zone?
A. Zone member
B. Zone security
C. Set zone
D. Zone

14. Traffic to manage the device using SSH would belong to what zone?
A. Inside
B. DMZ
C. Self
D. Outside

15. What command assigns an interface to a zone?
A. zone-member
B. zone-security
C. set zone
D. zone

16. Which of the following is used to apply actions to traffic classes?
A. Service policy
B. Zones
C. Policy maps
D. Class maps

17. Which of the following is used to define a unidirectional firewall policy?
A. Zone pairs
B. Zones
C. Policy maps
D. Class maps

18. In the following command output, what does the i stand for?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Inside address port
B. Interior
C. IGP
D. Static NAT

19. In which section of the NAT table in the ASA are translations defined on the object itself?
A. Auto NAT
B. Manual NAT
C. Dynamic NAT
D. Manual NAT After Auto NAT

20. In which type of NAT is a pool of public IP addresses obtained that is at least equal to the number of private IP addresses that require translation?
A. Dynamic
B. Static
C. PAT
D. SAT

Chapter 15 Configuring the Firewall on an ASA

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
Configure ASA access management
Configure security access policies
Configure Cisco ASA interface security levels
Configure default Cisco Modular Policy Framework (MPF)
Describe modes of deployment (routed firewall, transparent firewall)
Describe methods of implementing high availability
Describe security contexts
Describe firewall services

There are many additional firewall concepts you also should understand beyond configuring zone-based firewalling and network address translation. In this chapter we'll look at some other firewall services as well as discuss the difference between a routed and a transparent firewall. Moreover, we'll cover security contexts and configuring ASA management access. Finally, toward the end of this chapter the Modular Policy Framework approach to configuration will be covered.

In this chapter, you will learn the following:

Configuring ASA access management
Configuring security access policies
Configuring Cisco ASA interface security levels
Configuring the default Cisco Modular Policy Framework (MPF)
Modes of deployment (routed firewall, transparent firewall)
Methods of implementing high availability
Security contexts
Firewall services

Understanding Firewall Services

The Cisco ASA 9.x firewall series (which is the firewall tested in the CCNA Security exam) has a rich set of features to offer. While it certainly can perform the firewall duties we have come to expect from any enterprise-level firewall, such as traffic filtering and control, it also offers many other functions. Among these are:

Application Inspection Control (AIC) — Also called application protocol control, this feature verifies the conformance of major application layer protocol operations to RFC standards. It can help prevent many of the tunneling attempts and application layer attacks that violate protocol specifications.

Network Address Translation (NAT) — As you learned in Chapter 14, the ASA supports many implementations of NAT including policy NAT, inside and outside NAT, one-to-one and one-to-many NAT, and port forwarding (static NAT).

IP Routing — The ASA has routing capabilities including static and dynamic routing with support for all major routing protocols such as EIGRP, RIP, OSPF, and BGP.

IPv6 support — The ASA supports IPv6 networking natively and can control access between IPv6 security domains.

DHCP — The ASA can be integrated as either a DHCP server or a DHCP client.

Multicast support — The ASA natively integrates with multicast networks, supporting Internet Group Management Protocol (IGMP) and both Protocol Independent Multicast Sparse Mode (PIM-SM) and bidirectional Protocol Independent Multicast (PIM).

Understanding Modes of Deployment

The ASA can be deployed in one of two modes, routed and transparent. The mode you choose will depend on requirements and needs. In this section, we differentiate these two modes of operation.

Routed Firewall

In routed mode, the ASA is serving as a router and thus each of its interfaces will reside in a separate IP subnet. It can use all major routing protocols including RIP, EIGRP, OSPF, and BGP. In environments where static routing is in use, it can use IP SLA to perform static route tracking to detect when one static route is unavailable and therefore switch to a second static route.

Transparent Firewall

In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode. As with a switch, however, it is possible to configure the ASA with a management IP address for connecting to and managing the ASA.

Understanding Methods of Implementing High Availability

Regardless of whether the ASA is operating in routed or transparent mode, it is providing valuable services to the network. Therefore, providing high availability for the ASA and thus for the services it provides is highly desirable. The ASA has several redundancy options available to satisfy this need. In this section we'll cover three ways that multiple ASAs can be deployed to provide this redundancy.

Active/Standby Failover

In Active/Standby failover two security appliances are deployed with only one of the appliances processing traffic while the second one serves as a hot standby. This deployment model is shown in Figure 15.1.

FIGURE 15.1 Active/Standby failover

Active/Active Failover

In Active/Active failover two security appliances are deployed with both appliances processing traffic, with the ability to survive a single device failure. This deployment model is shown in Figure 15.2.

FIGURE 15.2 Active/Active failover

Clustering

In clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy. This deployment model is shown in Figure 15.3.

FIGURE 15.3 Clustering

Understanding Security Contexts

The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators. This results functionally in multiple virtual firewalls as shown in Figure 15.4, where multiple contexts are being used to support multiple customers.

FIGURE 15.4 Security contexts

Configuring ASA Management Access

While many administrators choose to manage and configure the ASA using the Adaptive Security Device Manager (ASDM), when you deploy a new ASA you will have to begin by setting up the ASA using the CLI. Only after an interface with an IP configuration is enabled will you be able to connect to the device using the ASDM. We will first cover this initial configuration and will then follow with the commands required to allow connections for the ASDM.

Initial Configuration

To perform the initial configuration of the ASA, connect to the device from the console port and perform the operations covered in the next procedure.

Initial Configuration of the ASA

In this procedure, you will configure the interfaces of the ASA with IP addresses and subnet masks, name them, and enable them; you will then permit management connections and create a local administrator account. Security levels are assigned in the procedure that follows.

1. Connect to the ASA using a console cable.

2. Enter interface configuration mode for the external (Internet-facing) interface.

asa70(config)# int Gi0/1
asa70(config-if)#

3. Configure an IP address and subnet mask for the interface.

asa70(config-if)# ip address 201.16.5.5 255.255.255.0

4. Give the interface a name. In this case, name it outside.

asa70(config-if)# nameif outside

5. Enable the interface.

asa70(config-if)# no shutdown

6. Using the same commands, configure and enable two other interfaces, naming the interface leading to the DMZ dmz and the interface leading to the private network (the LAN) inside.

asa70(config)# int gi0/2
asa70(config-if)# ip address 172.168.5.5 255.255.255.0
asa70(config-if)# nameif dmz
asa70(config-if)# no shutdown
asa70(config)# int gi0/3
asa70(config-if)# ip address 192.168.5.5 255.255.255.0
asa70(config-if)# nameif inside
asa70(config-if)# no shutdown

7. Now we need to enable the HTTP server on the ASA, which is required to connect to the device using the ASDM.

asa70(config)# http server enable

8. Now we will define an IP address on the inside network that will be allowed to connect to the ASA using either SSH or HTTP to manage the ASA.

asa70(config)# http 192.168.5.20 255.255.255.255 inside
asa70(config)# ssh 192.168.5.20 255.255.255.255 inside

9. Finally we'll create a local account on the ASA for the technician who will connect using HTTP or SSH and enable local authentication on the ASA. The username will be bob and the password passbob. Give him level 15 (admin) access.

asa70(config)# username bob password passbob privilege 15

10. Normally at this point one would also configure a security level. We will do that in the next exercise after we discuss security levels.

Configuring Cisco ASA Interface Security Levels

Before we get into interface configuration we need to discuss a concept that may be new to you if you have only configured routers. In the ASA, interfaces have security levels. These security levels are one of the ways the ASA controls access from one interface to another. Security levels define the trustworthiness of the interface. The higher the level, the more trusted the interface.

Security Levels

The most common configuration is to set the exterior interface (Internet) to a level of zero (or something very low in relation to the other interfaces) and the interior interface (LAN) to a very high security level value. Any other interfaces (such as a DMZ) can be set to a level that properly reflects the trust placed in that interface. With this configuration in place the typical traffic flows in your network will be as follows:

Inbound traffic will flow from a low-security interface to a high-security interface. Another way of saying this is that it will flow from a less trusted interface to a more trusted interface.

Outbound traffic will flow from a high-security interface to a low-security interface. Another way of saying this is that it will flow from a more trusted interface to a less trusted interface.

By default, the ASA uses these rules to control traffic between interfaces:

There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
There is an implicit deny for traffic flowing between two interfaces with the same security level.

Of course, these defaults can be changed and often are changed. Figure 15.5 shows how this would work using security level values 0, 50, and 100. Green lines represent allowed traffic while the red lines represent denied traffic.

FIGURE 15.5 Security levels in action

Setting Security Levels

In this procedure, you will configure the interfaces of the ASA with security levels reflecting the relative trustworthiness of the inside, outside, and dmz interfaces. The interfaces in this procedure align with the last procedure, NOT with Figure 15.5, which is a different example.

1. Enter interface configuration mode for the inside, dmz, and outside interfaces and assign the security levels 100, 50, and 0 respectively.

asa70(config)# int gi0/3
asa70(config-if)# security-level 100
asa70(config)# int gi0/2
asa70(config-if)# security-level 50
asa70(config)# int gi0/1
asa70(config-if)# security-level 0

At this point you should be able to connect to the ASA using the ASDM as bob from the machine at 192.168.5.20.

Configuring Security Access Policies

In its role as a firewall the ASA uses security access policies to control the traffic types allowed to flow from one interface to another. These access policies can be configured as interface access rules (much like the ACLs you may have experience with on a router) or by creating and linking object groups. In this section, we'll discuss both methods.

Interface Access Rules

If you apply no interface access rules on the ASA, the default rules (as covered earlier) are:

There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
There is an implicit deny for traffic flowing between two interfaces with the same security level.

This means that you will need to create an access rule to allow traffic in each of the following scenarios:

Between interfaces of the same security level
Traffic from a lower-security interface to a higher-security interface

When Using NAT!

ACLs that permit traffic from a lower-security interface to a higher-security interface must reference the "real" or non-translated IP address of the inside host rather than the translated or mapped IP address.

While interface rules operate like ACLs, you may (depending on your CLI experience with the ASA) find it easier to create these rules in the ASDM rather than at the command line. In the next procedure, you will see how this is done in the ASDM.

Creating Interface Access Rules in ASDM

In this procedure, you will configure two interface access rules in the ASDM. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules discussed in the first set of bullet points in the section "Interface Access Rules" earlier in this chapter.

You need to configure the following rules:

Allow only HTTP access from the outside interface to the dmz.
Allow only HTTP from the inside to the dmz.

1. Connect to the ASA with the ASDM.

2. Navigate to Configuration > Firewall > Access Rules.

3. Click Add, and choose Add Access Rule.

4. We will first create the rule allowing only HTTP access from the outside interface to the dmz. In the Add Access Rule dialog box, select outside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select ANY. In the drop-down box for destination IP address, select ANY. In the Service box, type or select HTTP. Click OK. On the ASDM main page, click Apply.

5. Click Add, and choose Add Access Rule.

6. We will next create the rule allowing only HTTP access from the inside interface to the dmz. In the Add Access Rule dialog box, select inside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select ANY. In the drop-down box for destination IP address, select ANY. In the Service box, type or select HTTP. Click OK. On the ASDM main page, click Apply.

The configuration is now complete.

Object Groups

While the previous procedure used the keyword ANY to select source and destination and HTTP for service, not very many configurations are that simple. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when there are multiple networks that might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.

Objects can be created to represent any of the following:

Networks
Individual hosts
Groups of services
Resources

Once these objects have been created, they can be linked together to create rules just as in the previous procedure: use the browse button next to each of the drop-down boxes in the Add Access Rule dialog box to select the objects. In the next procedure, you will create objects and then use them in an access rule.

Creating and Using Objects in an Access Rule

In this procedure, you will create three objects and use them in an access rule. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. Therefore, you will:

Create a network object to represent the 192.168.5.0/24 network
Create a service object to represent HTTP
Create a host object to represent the server at 201.3.3.3
Link these objects in an access rule and apply it to the inside interface

Note: interface objects have been created and named inside, outside, and dmz with security levels of 100, 0, and 50.

1. Connect to the ASA with the ASDM.

2. Navigate to Configuration > Firewall > Objects > Network Objects/Groups.

3. Select Add, then Network Object.

4. In the Name field, enter HTTP_group_internal.

5. In the IP address and network mask sections, enter 192.168.5.0 and 255.255.255.0. Then select OK.

6. Select Add, then Network Objects/Groups.

7. In the Name field, enter DMZ_web.

8. In the IP address section, enter 201.3.3.3. Then select OK.

9. Select Object, then Service Objects/Groups, and finally Add Service Group.

10. In the Add Service Group dialog box, enter the name DMZ_services.

11. In the Existing service group section, select TCP-HTTP and TCP-HTTPS and select Add. Then click OK.

12. In the main ASDM window, select Apply to create the objects.

13. Navigate to Configuration > Firewall > Access Rules.

14. Click Add, and choose Add Access Rule.

15. In the Add Access Rule dialog box, select inside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select the object you created called HTTP_group_internal. In the drop-down box for destination IP address, select the object you created called DMZ_web. In the Service box, select the object you created called DMZ_services. Click OK. On the ASDM main page, click Apply.

The configuration is now complete.
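As an added example (not the book's or Cisco's code), the Python model below encodes the default security-level rules from "Security Levels" and the interface access rules built from network and service objects in the two ASDM procedures, then evaluates constructed sample flows against them. Object and interface names follow the procedures; the rule that an applied access list replaces the implicit high-to-low permit with an implicit deny at its end is the ASA behaviour the model assumes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp", "udp" or "icmp"
    dst_port: int
    ingress: str    # nameif of the interface the packet arrives on
    egress: str     # nameif of the interface it would leave through

class NetworkObject:
    """A host or subnet object; cidr=None stands for the ANY keyword."""
    def __init__(self, name: str, cidr: Optional[str] = None) -> None:
        self.name, self.net = name, (ip_network(cidr) if cidr else None)

    def contains(self, ip: str) -> bool:
        return self.net is None or ip_address(ip) in self.net

class ServiceGroup:
    """A set of (protocol, port) services, e.g. TCP-HTTP and TCP-HTTPS."""
    def __init__(self, name: str, services: Set[Tuple[str, int]]) -> None:
        self.name, self.services = name, services

    def matches(self, protocol: str, port: int) -> bool:
        return (protocol, port) in self.services

@dataclass
class AccessRule:
    interface: str          # interface the rule is applied to (inbound)
    action: str             # "permit" or "deny"
    source: NetworkObject
    destination: NetworkObject
    service: ServiceGroup

class ASA:
    def __init__(self) -> None:
        self.levels: Dict[str, int] = {}               # nameif -> security-level
        self.rules: Dict[str, List[AccessRule]] = {}   # nameif -> rules, in order

    def nameif(self, name: str, security_level: int) -> None:
        self.levels[name] = security_level

    def add_rule(self, rule: AccessRule) -> None:
        self.rules.setdefault(rule.interface, []).append(rule)

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Return (verdict, reason). Rules on the ingress interface are checked
        first, in order; once any rule exists there, the implicit high-to-low
        permit no longer applies and the list ends in an implicit deny (ASA
        behaviour assumed by this model). Otherwise the security levels decide."""
        rules = self.rules.get(flow.ingress, [])
        if rules:
            for rule in rules:
                if (rule.source.contains(flow.src_ip)
                        and rule.destination.contains(flow.dst_ip)
                        and rule.service.matches(flow.protocol, flow.dst_port)):
                    return rule.action, f"access rule on {flow.ingress}"
            return "deny", f"implicit deny at end of {flow.ingress} access list"
        src, dst = self.levels[flow.ingress], self.levels[flow.egress]
        if src > dst:
            return "permit", "implicit permit, high to low security level"
        if src < dst:
            return "deny", "implicit deny, low to high security level"
        return "deny", "implicit deny, same security level"

def run_scenarios() -> Dict[str, str]:
    """Interfaces from the chapter's procedures (inside 100, dmz 50, outside 0):
    first the defaults alone, then with the two ASDM access rules added.
    Every address in the flows is a constructed sample value."""
    asa = ASA()
    asa.nameif("inside", 100)
    asa.nameif("dmz", 50)
    asa.nameif("outside", 0)
    verdicts: Dict[str, str] = {}
    for a, b in [("inside", "outside"), ("inside", "dmz"), ("dmz", "outside"),
                 ("outside", "dmz"), ("outside", "inside"), ("dmz", "inside")]:
        verdicts[f"default {a}->{b}"] = asa.decide(Flow("10.0.0.1", "10.0.0.2", "tcp", 80, a, b))[0]
    # Objects named as in the 'Creating and Using Objects in an Access Rule' procedure
    any_host = NetworkObject("ANY")
    http = ServiceGroup("HTTP", {("tcp", 80)})
    http_group_internal = NetworkObject("HTTP_group_internal", "192.168.5.0/24")
    dmz_web = NetworkObject("DMZ_web", "201.3.3.3/32")
    dmz_services = ServiceGroup("DMZ_services", {("tcp", 80), ("tcp", 443)})
    asa.add_rule(AccessRule("outside", "permit", any_host, any_host, http))
    asa.add_rule(AccessRule("inside", "permit", http_group_internal, dmz_web, dmz_services))
    flows = {
        "lan https to DMZ web": Flow("192.168.5.20", "201.3.3.3", "tcp", 443, "inside", "dmz"),
        "lan ssh to DMZ web": Flow("192.168.5.20", "201.3.3.3", "tcp", 22, "inside", "dmz"),
        "lan http to Internet": Flow("192.168.5.20", "198.51.100.9", "tcp", 80, "inside", "outside"),
        "Internet http to DMZ web": Flow("203.0.113.7", "201.3.3.3", "tcp", 80, "outside", "dmz"),
        "Internet https to DMZ web": Flow("203.0.113.7", "201.3.3.3", "tcp", 443, "outside", "dmz"),
    }
    for name, flow in flows.items():
        verdicts[name] = asa.decide(flow)[0]
    return verdicts
```

The "lan http to Internet" flow is permitted by the defaults but denied once the inside rule exists: an access rule applied to a high-security interface must also permit the traffic that the implicit permit used to allow.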

Configuring Default Cisco Modular Policy Framework (MPF)

In Chapters 4 and 14 you learned about the Cisco Modular Policy Framework (MPF). As review, there are three components that are used as building blocks to implement policies in this framework:

Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map.
Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit.
Service policies are used to specify where the policy map should be implemented.

In the next procedure, you will use this framework to create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny, and apply the two to all interfaces with a service policy.

Configuring Default Cisco Modular Policy Framework (MPF)

In this exercise, you will create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny, and apply the two to all interfaces with a service policy.

1. Connect to the ASA with the ASDM.

2. Navigate to Configuration > Firewall > Service Policy Rules and click Add, then Service Policy Rule.

3. Name the service policy No_telnet and select the Global radio button (which applies it to all interfaces). Click Next.

4. In the Traffic Class Criteria dialog box, select Create A New Traffic Class. Name the class Telnet_deny.

5. In the Traffic Match Criteria section, check the box for TCP Or UDP Destination Port and select Next.

6. In the service field of the next box, enter TCP/23 in both the Source and Destination fields. Click Next.

7. Select Finish. The configuration is complete.

Summary

In this chapter, you learned how to set up the ASA so you can remotely administer it using the ASDM. You also learned the default security policies that are in place and how the default global policy interacts with configured policies. You also learned about interface security levels and the effect they have on traffic flows. The chapter reviewed the Cisco Modular Policy Framework and how it is used to create policies. It also discussed the difference between a transparent and routed firewall. Finally, high-availability solutions were introduced including active-active, active-passive, and clustering approaches.

Exam Essentials

Identify firewall services provided by the ASA. These include Application Inspection Control (AIC), Network Address Translation (NAT), IP Routing, IPv6 support, DHCP, and Multicast support.

Describe the two modes of deploying the ASA. The ASA can be deployed in one of two modes, routed and transparent. In routed mode, the ASA is serving as a router and thus each of its interfaces will reside in a separate IP subnet. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does.

Identify ASA high-availability methods. These include Active/Standby failover, Active/Active failover, and clustering.

Define security contexts in the ASA. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.

Describe the steps required for initial setup of the ASA. These steps include assigning an IP address and mask to interfaces, enabling interfaces, and enabling the HTTP server. They also include permitting the remote management traffic generated when connecting with the ASDM.

List the default traffic rules in the ASA. By default, the ASA uses these rules to control traffic between interfaces: there is an implicit permit for traffic flowing from a high-security interface to a low-security interface, there is an implicit deny for traffic flowing from a low-security interface to a high-security interface, and there is an implicit deny for traffic flowing between two interfaces with the same security level.

Identify examples of items for which objects can be created in the ASA. Objects can be created to represent any of the following: networks, individual hosts, groups of services, or resources.

Describe the components of the Cisco Modular Policy Framework (MPF). There are three components that are used as building blocks to implement policies in this framework: class maps, used to categorize traffic types into classes (ACLs are typically used to define the traffic and then the ACL is referenced in the class map); policy maps, used to define the action to be taken for a particular class (actions that can be specified are allow, block, and rate-limit); and service policies, used to specify where the policy map should be implemented.

Review Questions

1. Which firewall feature can help prevent many tunneling attempts and application layer attacks?
A. AIC
B. NAT
C. DHCP
D. PIM-SM

2. In which mode does the ASA assume a layer 2 identity?
A. Switch
B. Transparent
C. Active/Standby
D. Routed

3. In which high-availability approach are three or more security appliances deployed as a single logical device?
A. Active/Active
B. Stackwise
C. Clustering
D. Active/Standby

4. What is it called when the ASA is partitioned into multiple virtual firewalls?
A. security contexts
B. security domains
C. security realms
D. security areas

5. Which command is used to apply the name outside to an interface on the ASA?
A. asa70(config-if)# name outside
B. asa70(config-if)# nameif outside
C. asa70(config-if)# outside
D. asa70(config)# nameif outside

6. Which command is required to connect to the device using the ASDM?
A. asa70(config)# http server
B. asa70(config)# http enable
C. asa70(config)# http server enable
D. asa70(config)# enable http server

7. Which command defines an IP address on the inside network that will be allowed to connect to the ASA using HTTP to manage the ASA?
A. asa70(config)# http 192.168.5.20 255.255.255.255
B. asa70(config)# http 192.168.5.20/32 inside
C. asa70(config)# http 192.168.5.20 inside
D. asa70(config)# http 192.168.5.20 255.255.255.255 inside

8. What value is used to determine the allowed traffic flows between the interfaces in the ASA?
A. security level
B. IP address
C. MAC address
D. name

9. There is an implicit permit for traffic flowing from a _______ security interface to a ________ security interface.
A. low, low
B. high, low
C. high, high
D. low, high

10. Which command assigns the security level 100 to an interface?
A. asa70(config)# security 100
B. asa70(config)# 100 security-level
C. asa70(config)# security-level 100
D. asa70(config)# level 100

11. In which of the following scenarios will you need to create an access rule to allow traffic?
A. between interfaces of the same security level
B. traffic to the self-zone
C. traffic from a higher-security interface to a lower-security interface
D. in all scenarios

12. Which of the following is used to represent a select group of devices rather than all devices in a network?
A. service policy
B. object group
C. policy map
D. security group

13. Which of the following is used to categorize traffic types in the MPF?
A. zone pairs
B. zones
C. policy maps
D. class maps

14. You would like to apply a service policy to all interfaces of the ASA. What radio button do you choose for this in the ASDM?
A. global
B. composite
C. self
D. all

15. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. What type of object do you create to represent the HTTP traffic?
A. network object
B. service object
C. host object
D. resource object

16. Which of the following is used to specify where a policy map should be implemented in the MPF?
A. zone pairs
B. zones
C. service policy
D. class maps

17. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules. Which traffic is allowed?
A. inside to outside
B. outside to dmz
C. dmz to outside
D. inside to dmz

18. In the following command output, what does inside represent?
asa70(config)# ssh 192.168.5.20 255.255.255.255 inside
A. ACL name
B. security level
C. interface IP address
D. traffic direction

19. Which of the following is used to define the action to be taken for a traffic type in the MPF?
A. zone pairs
B. zones
C. policy maps
D. class maps

20. There is an implicit deny for traffic flowing from a ________ security interface to a ________ interface.
A. low, low
B. high, low
C. high, high
D. low, high

Page 284: CCNA security study guide: exam 210-260

Chapter16IntrusionPreventionCISCOCCNASECURITYEXAMOBJECTIVESCOVEREDINTHISCHAPTER:

6.1DescribeIPSdeploymentconsiderations

Network-basedIPSvs.host-basedIPS

Modesofdeployment(inline,promiscuous-SPAN,tap)

Placement(positioningoftheIPSwithinthenetwork)

Falsepositives,falsenegatives,truepositives,truenegatives

6.2DescribeIPStechnologies

Rules/signatures

Detection/signatureengines

Triggeractions/responses(drop,reset,block,alert,monitor/log,shun)

Blacklist(staticanddynamic)

 Itisnolongeracceptabletositandwaitforthenextattackandreactafterward.Intoday’sthreat-filledlandscape,securityprofessionalsmusttakeaproactiveapproachtopreventingintrusions.Intrusionpreventionsystemsaredesignedtoidentifyandpreventattacksinrealtime.Inthischapter,youwillexploretheintrusionpreventioncapabilitiesoftheASA.

Inthischapter,youwilllearnthefollowing:

DeploymentoptionsofanIPS

AdvantagesanddisadvantagesofanHIPSandanNIPS

ProperpositioningofanIPS

Managementoffalsepositivesandnegatives

Threatidentificationmethods

Methodsofimplementinghighavailability

Triggeractions

Page 285: CCNA security study guide: exam 210-260

IPS Terminology
To begin this chapter, you'll learn a number of terms and concepts that apply to the process of intrusion prevention. A clear understanding of these will help support the rest of the chapter.

Threat
A threat is an identified potential for harm, such as a newly published attack technique, to which any specific environment may or may not be vulnerable. For example, a threat might exist in the form of a new attack on Oracle database servers, but if you use Microsoft SQL Server, it is a threat to which you are not vulnerable. Risk is present only when a threat and a vulnerability to the threat both exist.

Risk
Risk is created when a threat exists to which a system is vulnerable. Unless these two conditions are both present, no risk exists.

Vulnerability
A vulnerability is any susceptibility to an external threat that a device or system may possess. A threat matters to you only when its target is present in your environment and is in the state required for the attack to succeed. For example, if a threat to a file server exists only when the file server lacks a security patch, and your file server has the patch installed, you are not vulnerable to that threat. Examples of vulnerabilities include the following:

Weak passwords
Missing security patches
Lack of input validation

Exploit
An exploit occurs when a threat and a vulnerability both exist and a threat actor takes advantage of the situation. The term exploit also refers to the specific tool or attack methodology used. Some examples include the following:

Scripts
Malware
Password crackers

Zero-Day Threat
A zero-day threat is any threat not yet remediated by malware vendors or software vendors. Because no signature exists for it yet, it cannot be detected through signature-based methods and is usually discovered only by malware or IPS/IDS software that uses heuristics or anomaly detection. This approach identifies attacks by recognizing traffic or behavior that is consistent with an attack rather than by matching a known signature.

Actions
Actions refer to the operations that an intrusion prevention system (IPS) can take when an attack is recognized. Some examples of these actions are as follows:

Drop means the IPS quietly drops the packets involved.

Reset sends a packet with the RST flag set, which ends the TCP connection. This action applies only to TCP.

Shun accomplishes the same purpose as a reset for non-TCP connections. (On the ASA itself, the shun command goes further: it blocks all further packets from the offending source address, regardless of protocol, until the shun is removed.)

Block is when the IPS directs another device (a router or firewall) to block the traffic.

Network-Based IPS vs. Host-Based IPS
The most common way to classify an IPS is by its information source: network based and host based. A host-based intrusion prevention system (HIPS) is installed on the device (for the purposes of this discussion, a server), and the system focuses solely on identifying attacks on that device. This is in contrast to a network-based system, which monitors all traffic that goes through it, looking for signs of attack on any machine in the network.

Host-Based IPS
An HIPS can also be configured to focus on attacks that are relevant to the role the server is performing (for example, looking for DNS cache-poisoning attacks on DNS servers). But there are drawbacks to these systems:

A high number of false positives can cause a lax attitude on the part of the security team.
Constant updating of signatures is needed.
There is a lag time between the release of the attack and the release of the signature.
An HIPS cannot address authentication issues.
Encrypted packets cannot be analyzed.
In some cases, IPS software is itself susceptible to attacks.

Despite these shortcomings, an HIPS can play an important role in a multilayer defense system.

Network-Based IPS
A network-based IPS (NIPS) monitors network traffic on a local network segment. This is in contrast to a host-based IPS (HIPS), which monitors a single machine.

One of the disadvantages of an NIPS (which is an advantage of an HIPS) is that it cannot monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal.

Most IPSs are programmed to react in certain ways in specific situations. Event notification and alerts are crucial to IPSs. These notifications and alerts inform administrators and security professionals when and where attacks are detected.

Promiscuous Mode
To monitor traffic on the network segment, the network interface card (NIC) must be operating in promiscuous mode, so that it passes frames to the sensor that are not addressed to its own MAC address. Moreover, an NIPS is affected by a switched network: because each switch port is a separate collision domain and a switch forwards a unicast frame only to the port where the destination resides, a sensor plugged into an ordinary switch port sees only the traffic to and from that port. To monitor a whole segment you must mirror traffic to the sensor's port (SPAN) or feed it from a tap, as described later in this chapter.

Detection Methods
These systems can use several methods of detecting intrusions. The two main methods are as follows:

Signature Based
Analyzes traffic and compares it against patterns, called signatures, that reside within the IDS database. This requires constant updating of the signature database, and an attack for which no signature exists yet goes undetected.

Anomaly Based
Builds a baseline of normal traffic and compares live traffic against it to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert, including legitimate but unusual traffic, so a representative baseline and ongoing tuning are needed to keep false positives down.

Evasion Techniques
While IPSs can do some amazing things, they are not infallible. Several techniques have been developed over the years by malicious individuals that allow them to get malicious code past the IPS. Some of the more common approaches are covered in this section.

Packet Fragmentation
Packet fragmentation is the process of breaking a packet that is larger than the maximum transmission unit (MTU) into smaller pieces, called fragments, that abide by the size limit of the MTU. Various networking technologies enforce different MTUs. For example, while the MTU in Ethernet is 1,500 bytes, in an FDDI network the MTU is 4,470 bytes.

Routers on the network enforce the MTU and perform fragmentation of packets as needed to meet the MTU. When the fragments arrive at the destination, they are reassembled. To communicate exactly how the reassembly should occur, several fields in the IP header are used. Figure 16.1 shows the IP header.

FIGURE 16.1 IP header fragmentation flags

Three fields are of interest.

Identification provides a number that identifies fragments that belong to the same original packet and need to be reassembled together.

Flags is a field consisting of three bits. As shown in Figure 16.1, the first bit (position 0) is reserved and not used in the fragmentation process. The second bit (Don't Fragment, DF), when set, means don't fragment this packet; if the packet is oversized, the router drops it and sends an ICMP Destination Unreachable (Fragmentation Needed) message to the source, indicating that the packet cannot be sent without fragmentation. The third bit (More Fragments, MF), when set, means this packet is part of a series of fragments and there are more to come. In the last fragment of a series, this bit is clear.

Fragment Offset indicates to the reassembling host where this fragment belongs. It does so by indicating how far from the beginning of the original payload the fragment's data starts, measured in units of 8 bytes (which is why every fragment except the last must carry a multiple of 8 data bytes).

The fragmentation process follows this sequence:

1. A router makes the decision that a packet must be fragmented.

2. The router splits the packet into fragments, each with a copy of the original IP header in which only the Total Length, the flag bits, the Fragment Offset, and the header checksum differ.

3. The destination reassembles the fragments. It recognizes the first fragment because it has an offset value of 0. It then uses the offset values of each fragment to properly position the fragments. It recognizes the last fragment because the More Fragments bit is off.

This process is illustrated in Figure 16.2, where an MTU of 3,300 bytes is enforced on a packet that is 11,980 bytes. As you can see, the first fragment is given an Offset of 0 and the More Fragments bit is on, indicating more fragments to the receiver. The second fragment has an Offset value of 410 (410 × 8 = 3,280 bytes of data, which is the 3,300-byte MTU less the 20-byte IP header) and has the More Fragments bit on. The third and final fragment has an Offset value of 820, and since it is the last fragment, the More Fragments bit is off.

FIGURE 16.2 Fragmentation process

So, how does the fragmentation attack work? The attacker fragments the packet containing the malicious code so that no single fragment contains the complete signature, which makes it difficult for an IPS that inspects fragments individually to recognize the code. This process is shown in Figure 16.3, where a malicious CGI request that, as shown in the original IP packet at the top, would probably be recognized by the IPS is split into fragments that may not be recognized by the IPS. (It is not important to understand the script.) In this case, a tool called fragroute was used to split the packet into fragments.

FIGURE 16.3 Fragmentation attack

The mitigations to this attack are as follows:

Use an IPS that performs signature analysis against the entire packet rather than individual fragments. This requires the ability to reassemble fragments (and, for TCP, to reassemble the stream).

Use protocol analysis to evaluate the entire packet for violations of protocol standards.

Injection Attacks
In an injection (or insertion) attack, the attacker inserts data that will be accepted by the IPS but will be ignored by, or never reach, the target system. One approach takes advantage of the TTL field of IP together with fragmentation. The time-to-live (TTL) value is used in IP to prevent a packet from looping endlessly. Each router decrements the TTL; when it reaches zero, the router drops the packet.

In the attack (as shown in Figure 16.4), the attacker injects a bogus string into the attack code and then breaks the attack into three fragments. He then sets the TTL value of the fragment containing the bogus string so low that the fragment expires (and is never delivered) before it reaches the destination, while it still reaches the IPS. If the IPS does not consider the fragment offset values or the TTL values, it reassembles the bogus string in place of the actual payload and finds no signature. The result is that after inspection by the IPS, the bogus string is not delivered. The attack payload is.

FIGURE 16.4 Injection attack

Mitigations to this attack are as follows:

Use an IPS that performs stream reassembly, which allows the IPS to recognize the attack.

Use an IPS that performs TTL value assessment, which allows the IPS to recognize the lower TTL of the fragment containing the bogus string and discard it, just as the network will before the fragment reaches the target.
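The following Python program is added here as an example; it is not code from the book or from any Cisco product. It builds IPv4 fragments exactly as the Identification, Flags and Fragment Offset fields described above require, then plays both evasions from this section against two sensors: one that matches the signature in each fragment on its own, and one that reassembles first, with and without TTL assessment. The addresses, the signature string EVIL_CGI, the request, the hop counts and all function names are constructed for the example; the TTL-insertion fragment list is built by hand the way the attacker in Figure 16.4 would send it.

```python
"""IPv4 fragmentation, reassembly and two fragment-based IPS evasions.
Added example; addresses, payloads and the signature are constructed."""
import struct
from collections import defaultdict
from typing import Dict, List, Optional

IP_HDR_LEN = 20                              # IPv4 header without options
SIGNATURE = b"EVIL_CGI"                      # constructed IPS signature
SRC, DST = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])   # constructed addresses


def _checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over the 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_ip(ident: int, ttl: int, mf: int, offset: int, data: bytes,
             proto: int = 6, src: bytes = SRC, dst: bytes = DST) -> bytes:
    """Build one IPv4 packet. offset is in bytes and must be a multiple of 8;
    the header stores it in 8-byte units in the low 13 bits of the flags field."""
    assert offset % 8 == 0
    flags_offset = (mf << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(data),
                      ident, flags_offset, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + data


def parse_ip(packet: bytes) -> Dict[str, object]:
    f = struct.unpack("!BBHHHBBH4s4s", packet[:IP_HDR_LEN])
    return {"ident": f[3], "df": (f[4] >> 14) & 1, "mf": (f[4] >> 13) & 1,
            "offset": (f[4] & 0x1FFF) * 8, "ttl": f[5], "proto": f[6],
            "src": f[8], "dst": f[9], "data": packet[IP_HDR_LEN:f[2]]}


def fragment(packet: bytes, mtu: int) -> List[bytes]:
    """Split a packet the way a router does when it exceeds the link MTU."""
    p = parse_ip(packet)
    step = (mtu - IP_HDR_LEN) // 8 * 8       # all but the last fragment carry a multiple of 8 bytes
    frags = []
    for start in range(0, len(p["data"]), step):
        chunk = p["data"][start:start + step]
        mf = 1 if start + len(chunk) < len(p["data"]) else 0
        frags.append(build_ip(p["ident"], p["ttl"], mf, start, chunk,
                              p["proto"], p["src"], p["dst"]))
    return frags


def reassemble(fragments: List[bytes], hops_to_target: Optional[int] = None) -> Dict[int, bytes]:
    """Rebuild datagrams keyed by Identification. The first fragment seen for an
    offset wins, as in many stacks. With hops_to_target set, a fragment whose TTL
    cannot survive the remaining hops is discarded (TTL assessment): the target
    will never see it, so the sensor must not use it either."""
    by_id: Dict[int, Dict[int, Dict[str, object]]] = defaultdict(dict)
    for pkt in fragments:
        p = parse_ip(pkt)
        if hops_to_target is not None and p["ttl"] <= hops_to_target:
            continue
        by_id[p["ident"]].setdefault(p["offset"], p)
    datagrams = {}
    for ident, parts in by_id.items():
        buf = b""
        for off in sorted(parts):
            if off != len(buf):
                break                        # hole or overlap: not complete yet
            buf += parts[off]["data"]
        else:
            if parts[max(parts)]["mf"] == 0:
                datagrams[ident] = buf
    return datagrams


def per_fragment_match(fragments: List[bytes]) -> bool:
    """A naive sensor that checks each fragment on its own."""
    return any(SIGNATURE in parse_ip(f)["data"] for f in fragments)


def reassembled_match(fragments: List[bytes], hops_to_target: Optional[int] = None) -> bool:
    """A sensor that reassembles before matching."""
    return any(SIGNATURE in d for d in reassemble(fragments, hops_to_target).values())


# Constructed attack request; the signature straddles the 16-byte boundary.
REQUEST = b"GET /cgi-bin/EVIL_CGI HTTP/1.0\r\n\r\n"
ORIGINAL = build_ip(ident=0x1234, ttl=64, mf=0, offset=0, data=REQUEST)
SPLIT = fragment(ORIGINAL, mtu=28)           # 8 data bytes per fragment, as fragroute might do

# TTL insertion: a bogus fragment for offset 8 with TTL 1 is sent before the real one.
# The sensor, one hop away, sees it; the target, three hops away, never does.
TTL_INSERTION = [
    build_ip(0x5678, 64, 1, 0, b"GET /cgi"),
    build_ip(0x5678, 1, 1, 8, b"-bin/XXX"),    # bogus fragment, dies before the target
    build_ip(0x5678, 64, 1, 8, b"-bin/EVI"),
    build_ip(0x5678, 64, 1, 16, b"L_CGI HT"),
    build_ip(0x5678, 64, 1, 24, b"TP/1.0\r\n"),
    build_ip(0x5678, 64, 0, 32, b"\r\n"),
]

if __name__ == "__main__":
    print("per-fragment match, split request:      ", per_fragment_match(SPLIT))
    print("reassembled match, split request:       ", reassembled_match(SPLIT))
    print("reassembled match, TTL insertion, no TTL check:", reassembled_match(TTL_INSERTION))
    print("reassembled match, TTL insertion, 3 hops:      ", reassembled_match(TTL_INSERTION, 3))
```

Run it and the first sensor misses the split request while the reassembling sensor catches it; against the TTL insertion, the reassembling sensor without TTL assessment is fooled by the bogus fragment and the one with hops_to_target set discards it and catches the attack.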

Alternate String Expressions
In many protocols, information can be communicated or expressed in multiple ways. For example, HTTP can accept strings expressed in hexadecimal (percent-encoded), Unicode, or standard text form. Attackers can use this to evade an IPS sensor. If the IPS cannot perform protocol normalization (which decodes the payload into its canonical form before matching, so that all spellings of the same request look alike), this attack may succeed.

Mitigations to this attack are as follows:

Protocol analysis
Protocol normalization

Introducing Cisco FireSIGHT
Cisco FireSIGHT offers threat protection capabilities that go beyond most IPSs. It not only detects and takes action to prevent attacks, it enables a better understanding of the exposures your environment may possess and helps you to take corrective actions to eliminate them. This section surveys the capabilities of FireSIGHT and the role it can play at various stages of an attack.

Capabilities
There are four categories of functions of which FireSIGHT is capable.

Detection: Attack detection technologies include the following:

IPS: Monitors for malicious and suspicious activity.

Discovery: Enables visibility into all hosts, services, and applications running on the network. This includes traffic discovery, in which you can identify the ways in which resources are being utilized.

Learning: Reports on the state of the environment and detects when changes occur in real time.

Adapting: When changes are detected, FireSIGHT can adapt its configuration to mitigate new risks.

Acting: Actions that are available include the following:

Block, alert, or modify suspicious traffic
Remediate through custom responses such as blocking at a downstream router or scanning a device
Automate response and reporting

FireSIGHT is managed using the FireSIGHT Management Center. This application can be hosted on a FireSIGHT Management Center appliance or as a virtual appliance on a VMware server.

Protections
The operations and features of FireSIGHT are best described in terms of how they would be utilized during an attack. Therefore, you will look at these protections in this way.

Before an Attack
The best way to mitigate attacks is to address them before they occur. FireSIGHT provides the following preventative technologies for this:

Blacklisting: Traffic to and from specific IP addresses can be blacklisted, which means that your traffic will be neither sent to nor received from the IP address. When you identify problematic IP addresses, this is an action you take. Moreover, the FireSIGHT Management Center can dynamically download, at configurable intervals, a collection of IP addresses that have been identified by a threat intelligence team called Talos (https://www.talosintelligence.com/) as having a bad reputation in this regard. You can choose to add these to the list if desired.

Advanced Malware Protection (AMP): Two AMP products are included. Cisco AMP for Endpoints is composed of connectors installed on endpoints. It uses a cloud-based detection process that offloads the detection burden to the cloud. Cisco AMP for Networks uses FirePOWER appliances (discussed later in this chapter) to detect malware in transit. It also can utilize the cloud for the latest malware intelligence. The system can also store detected files for submission to the Cisco Collective Security Intelligence Cloud for dynamic analysis.

During an Attack
While FireSIGHT uses the aforementioned methods to prevent attacks, prevention is not always possible. Once an attack is under way, the FireSIGHT IPS primarily takes action by identifying and blocking malicious traffic. The IPS is a policy-based feature that allows for monitoring, and for blocking or altering malicious traffic when the IPS is deployed inline (deployment options are covered in the next section of this chapter).

FireSIGHT uses Snort technology (an open-source IDS/IPS engine). This technology makes use of preprocessors, which examine traffic and in some cases modify (normalize) the traffic so that attacks that cannot be recognized by a signature as transmitted can be recognized. For example, the IP defragmentation preprocessor reassembles fragments so that malicious code hidden by an IP fragmentation attack can be recognized.

An IPS policy consists of the following:

Rules that inspect the header content, packet size, and payload
Rule state configuration based on FireSIGHT recommendations
Preprocessors and other detection features

FireSIGHT also generates intrusion event information in a log that includes details such as the following:

Date and time
Event priority
Brief description
Name of the device
Source IP address and port for the event
Destination IP address and port for the event
Name of the logged-in user
Impact flag

After an Attack
After the attack, FireSIGHT provides an assessment of the attack, contains the attack, and helps bring the network back into a normal state. To do this, it uses several features:

FireSIGHT discovery and awareness: This collects information about hosts, operating systems, applications, users, files, networks, geolocation information, and vulnerabilities that is used to report indicators of compromise.

Dynamic file analysis: Captured files can be submitted to the Cisco Collective Security Intelligence Cloud for analysis. The cloud runs a test and returns a threat score to the FireSIGHT Management Center.

Connection data and summaries: Connection data is information about detected sessions, including timestamps, IP addresses, geolocation, and applications.

Understanding Modes of Deployment
The FireSIGHT Management Center can also manage other monitoring devices such as appliances, virtual appliances, and ASA firewalls running software release ASA 9.2 and later. It is also commonly deployed in branch offices in the form of the FirePOWER module in the ASA.

The devices managed by the FireSIGHT Management Center, acting in the same role as legacy IPS sensors, can be deployed in two modes.

Passive
The sensor receives a copy of the network traffic to analyze while the original traffic flows through the network. Because the sensor only receives a copy, and because by the time the copy is analyzed the original traffic is long gone, FireSIGHT can only function as an intrusion detection system (IDS) when deployed in this mode. There are two ways to implement passive mode.

SPAN
Figure 16.5 illustrates this mode. The sensor is connected to a port on the switch to which all traffic has been mirrored by making the port a SPAN port. Notice that the traffic flow from the device inside the network to a device on the Internet (black dashed line) and then back (gray dashed line) is not interrupted.

FIGURE 16.5 SPAN

Tap
In this deployment mode, the sensor is fed by a network tap, as shown in Figure 16.6. The tap is placed between the router and the layer 3 switch. It passes the full-duplex traffic between the two devices untouched and splits off two simplex mirror copies, one per direction, for the sensor. All traffic between the two devices traverses the tap, so the sensor sees every packet, but it sees copies rather than the originals and so still cannot block anything.

FIGURE 16.6 Tap

Inline
In this mode, the sensing device is placed in the line of traffic and analyzes the original traffic, not a copy, in real time. Therefore, it can take actions on the traffic that allow it to operate as a true IPS. Figure 16.7 shows this mode's operation.

FIGURE 16.7 Inline mode

Positioning of the IPS within the Network
When making this key decision, consider the following factors:

The features you are utilizing (attack detection, policy enforcement, surveillance, anomaly detection, etc.)
Location of critical assets
Bandwidth utilization
Topology

Outside
One of the options is to place the sensor outside the perimeter firewall (ASA). When placed here, the sensor will generate a very high number of alarms because it is exposed to the most untrusted network, the Internet. It will also generate many alarms that you will assess to be false positives (more on false positives in the final section of this chapter), because many of them will be raised by traffic that the ASA would never have allowed into the network. Figure 16.8 shows this option.

FIGURE 16.8 Outside deployment

DMZ
Servers in the DMZ are exposed to the Internet by design. While placing a sensor here will help to identify attacks on these exposed devices, keep in mind that if these servers are being deployed according to best practices, they will contain no sensitive information and will have been significantly hardened. Figure 16.9 shows this option.

FIGURE 16.9 DMZ deployment

Inside
This is the positioning that yields the most benefit. While the perimeter ASA can provide protection, keep in mind that the users of these interior devices have varying levels of security expertise. This is also where all critical data will be located. Therefore, this will be the best place to deploy a single sensor. Figure 16.10 shows this option. In this option, FireSIGHT is deployed as a module in the ASA and is examining traffic destined for the internal network.

FIGURE 16.10 Inside deployment

Understanding False Positives, False Negatives, True Positives, and True Negatives
All IPSs and IDSs, including FireSIGHT, make incorrect assessments. In some cases, they fail to identify attacks or malicious traffic. In other cases, they alert you that an attack is under way when that is not the case. They also make correct assessments, alerting you to a real attack or ignoring traffic that is not an attack. There are terms used to describe all four of these scenarios. Table 16.1 identifies these terms. Keep in mind that true means the IPS was correct in its assessment and false means it was incorrect; positive means the IPS alerted, and negative means it did not.

TABLE 16.1 Assessment terms

Term            Meaning
True positive   The IPS alerted you to an attack that is real.
True negative   The IPS did not alert you to a nonexistent attack (benign traffic, no alert).
False positive  The IPS alerted you to an attack that is nonexistent.
False negative  The IPS did not alert you to a real attack.
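The following Python program is an added example, not code from the book. It runs a signature-based detector and an anomaly-based detector (the two detection methods described earlier in this chapter) over a handful of constructed web server log lines with known ground truth, then counts the four outcomes from Table 16.1 and derives precision, recall and the false-positive rate from them. The same signature is applied with and without protocol normalization, so the percent-encoded request from the Alternate String Expressions section shows up as a false negative for the raw rule and a true positive for the normalized one. The log lines, labels, rule, baseline and thresholds are all constructed.

```python
"""Signature and anomaly detection over constructed log lines, scored with
the four assessment terms. Added example; all data and rules are constructed."""
import re
import statistics
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

# (log line, what actually happened). Fields: client, method, URI, status, bytes.
LOG: List[Tuple[str, bool]] = [
    ("10.0.0.11 GET /index.html 200 512", False),
    ("10.0.0.12 GET /images/logo.png 200 2048", False),
    ("10.0.0.11 GET /cgi-bin/../../etc/passwd 404 300", True),
    ("10.0.0.13 GET /login?user=admin 200 640", False),
    ("10.0.0.14 GET /search?q=%2e%2e%2f%2e%2e%2fetc%2fpasswd 200 310", True),  # percent-encoded
    ("10.0.0.15 GET /report.pdf 200 98304", False),     # large but legitimate
    ("10.0.0.16 POST /upload 200 5242880", True),       # bulk exfiltration, no known signature
    ("10.0.0.12 GET /index.html 200 512", False),
]
BASELINE_BYTES = [512, 2048, 640, 512, 1024, 4096, 730, 1500]   # sizes from a clean period
SIGNATURE = re.compile(r"\.\./|/etc/passwd")                      # constructed rule

Record = Dict[str, object]
Detector = Callable[[Record], bool]


def parse_line(line: str) -> Record:
    client, method, uri, status, nbytes = line.split()
    return {"client": client, "method": method, "uri": uri,
            "status": int(status), "bytes": int(nbytes)}


def signature_raw(rec: Record) -> bool:
    """Signature based, matching the URI exactly as it arrived."""
    return SIGNATURE.search(rec["uri"]) is not None


def signature_normalized(rec: Record) -> bool:
    """Protocol normalization: decode percent-encoding before matching."""
    return SIGNATURE.search(unquote(rec["uri"])) is not None


def anomaly_detector(baseline: List[int], factor: int = 10) -> Detector:
    """Anomaly based: alert on transfers far larger than the learned baseline."""
    threshold = factor * statistics.median(baseline)
    return lambda rec: rec["bytes"] > threshold


def combine(*detectors: Detector) -> Detector:
    """Alert if any detector alerts."""
    return lambda rec: any(d(rec) for d in detectors)


def score(detector: Detector, log: List[Tuple[str, bool]]) -> Dict[str, float]:
    """Count TP/TN/FP/FN and derive precision, recall and false-positive rate."""
    counts: Dict[str, float] = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for line, is_attack in log:
        alerted = detector(parse_line(line))
        key = ("t" if alerted == is_attack else "f") + ("p" if alerted else "n")
        counts[key] += 1
    tp, tn, fp, fn = counts["tp"], counts["tn"], counts["fp"], counts["fn"]
    counts["precision"] = tp / (tp + fp) if tp + fp else 0.0
    counts["recall"] = tp / (tp + fn) if tp + fn else 0.0
    counts["fpr"] = fp / (fp + tn) if fp + tn else 0.0
    return counts


if __name__ == "__main__":
    anomaly = anomaly_detector(BASELINE_BYTES)
    for name, det in [("signature (raw)", signature_raw),
                      ("signature (normalized)", signature_normalized),
                      ("anomaly", anomaly),
                      ("normalized signature + anomaly", combine(signature_normalized, anomaly))]:
        print(f"{name:32s} {score(det, LOG)}")
```

The raw signature is precise (no false positives) but misses two of the three attacks; normalization recovers the encoded one; the anomaly detector is the only one that sees the exfiltration but also flags the large legitimate download. Combining them gives full recall at the price of that one false positive, which is the trade-off the positioning section above is about.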

Summary
In this chapter, you learned about some general IPS concepts, such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; and the positioning options available. The chapter covered how both rules and signatures are used in the process of identifying potential attacks, the evasion techniques attackers use against them, and the capabilities of Cisco FireSIGHT. Finally, the assessment terms (true positive, true negative, false positive, and false negative) and their interpretation were discussed.

Exam Essentials

Define IPS terminology. These terms include threat, risk, vulnerability, exploit, and zero-day threat.

Describe the actions of which an IPS is capable. Some examples of these actions are drop, which means the IPS quietly drops the packets involved; reset, which sends a packet with the RST flag set and ends the TCP connection; shun, which accomplishes the same purpose as a reset for non-TCP connections; and block, where the IPS directs another device (a router or firewall) to block the traffic.

Differentiate network-based and host-based IPS. A host-based intrusion prevention system (HIPS) is installed on the device (for the purposes of this discussion, a server), and the system focuses solely on identifying attacks on that device. This is in contrast to a network-based system, which monitors all traffic that goes through it, looking for signs of attack on any machine in the network.

Identify evasion techniques employed to defeat an IPS. These include packet fragmentation, injection attacks, and alternate string expressions.

List four categories of functions of which FireSIGHT is capable. These functions include detection, learning, adapting, and acting.

Describe the deployment modes of an IPS. These include passive modes, such as SPAN and tap, where the device can operate only as an IDS. They also include inline mode, in which the device can take actions on traffic as a true IPS.

Review Questions

1. Which of the following is an identified potential for harm to which any specific environment may or may not be vulnerable?

A. Threat
B. Risk
C. Vulnerability
D. Exploit

2. Using which action does the IPS quietly drop the packets involved?

A. Drop
B. Reset
C. Shun
D. Block

3. Which of the following is not a drawback of a host-based IPS?

A. A high number of false positives can cause a lax attitude on the part of the security team.
B. Encrypted packets cannot be analyzed.
C. It cannot monitor any internal activity that occurs within a system.
D. It cannot address authentication issues.

4. Which evasion technique divides the packet into smaller pieces containing the malicious code so that it becomes difficult for the IPS to recognize the code?

A. Packet fragmentation
B. Injection attacks
C. Buffer overflows
D. Cross-site scripting

5. Which of the following is not one of the four categories of functions of which FireSIGHT is capable?

A. Detection
B. Learning
C. Adapting
D. Block

6. Which of the following is any threat not yet remediated by malware vendors or software vendors?

A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit

7. Which capability of FireSIGHT is aimed at malware?

A. Blacklisting
B. AMP
C. Snort technology
D. Discovery and awareness

8. Which deployment mode has the sensor connected to a port on the switch to which all traffic has been mirrored?

A. SPAN
B. Tap
C. Inline
D. Promiscuous

9. Which evasion technique relies on the fact that in many protocols information can be communicated or expressed in multiple ways?

A. Packet fragmentation
B. Alternate string expressions
C. Injection attacks
D. Cross-site scripting

10. Which of the following is any susceptibility to an external threat that a device or system may possess?

A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit

11. Using which action does the IPS accomplish the same purpose as a reset for non-TCP connections?

A. Drop
B. Reset
C. Shun
D. Block

12. In which deployment mode is the sensor placed in the line of traffic to analyze the original traffic, not a copy, in real time?

A. SPAN
B. Tap
C. Inline
D. Promiscuous

13. In which positioning option will the IPS sensor generate a very high number of alarms?

A. Outside
B. DMZ
C. Inside
D. Remote

14. Which of the following occurs when a threat and a vulnerability both exist and a threat actor takes advantage of the situation?

A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit

15. Using which action does the IPS direct another device (a router or firewall) to block the traffic?

A. Drop
B. Reset
C. Shun
D. Block

16. In which deployment mode is the sensor placed between two layer 3 devices, providing full-duplex connectivity between the devices and splitting off two simplex mirrors of the full-duplex traffic?

A. SPAN
B. Tap
C. Inline
D. Promiscuous

17. Which evasion technique inserts data that will be accepted by the IPS but will be ignored by the target system?

A. Packet fragmentation
B. Buffer overflow
C. Injection attacks
D. Cross-site scripting

18. Which of the following is a drawback of network-based IPS?

A. A high number of false positives can cause a lax attitude on the part of the security team.
B. Encrypted packets cannot be analyzed.
C. It cannot monitor any internal activity that occurs within a system.
D. It cannot address authentication issues.

19. Using which action does the IPS end any TCP connection?

A. Drop
B. Reset
C. Shun
D. Block

20. Which of the following is created when a threat exists to which a system is vulnerable?

A. Zero-day attack
B. Risk
C. Mitigation
D. Exploit

Chapter 17
Content and Endpoint Security

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

7.1 Describe mitigation technology for email-based threats
Spam filtering, anti-malware filtering, DLP, blacklisting, email encryption

7.2 Describe mitigation technology for web-based threats
Local and cloud-based web proxies
Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption

7.3 Describe mitigation technology for endpoint threats
Anti-virus/anti-malware
Personal firewall/HIPS
Hardware/software encryption of local data

Endpoint devices in the network such as laptops, printers, workstations, scanners, cameras, and other such devices represent one of our biggest challenges in securing the environment. First, there are so many more of these than there are infrastructure devices. Moreover, these devices are most likely in the hands of users who either lack security knowledge or just don't care about it. In this chapter, you'll learn how to overcome these challenges and secure the endpoints in the environment.

In this chapter, you will learn the following:

Mitigation technology for email-based threats, including spam filtering, anti-malware filtering, data loss prevention (DLP), blacklisting, and email encryption

Mitigation technology for web-based threats, including local and cloud-based web proxies, blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS/SSL decryption

Mitigation technology for endpoint threats, including antivirus/anti-malware, personal firewall/HIPS, and hardware/software encryption of local data

Mitigating Email Threats
Threats to email strike at the very heart of your enterprise communication system. It has become evident that even tech-savvy users can fall prey to these threats. In this section, you'll learn about a few methods you can use to mitigate these threats. These methods are not mutually exclusive, and when deployed together, they stand as a good example of exercising the principle of a layered defense, or defense in depth. Following that, you'll learn about the ways the Cisco Email Security Appliance (ESA) can address these threats.

Spam Filtering
Spam is both an annoyance to users and an aggravation to email administrators, who must deal with the extra space the spam takes up on the servers. Spam filters are designed to prevent spam from being delivered to mailboxes. The issue with spam filters is that legitimate email is often marked as spam. Finding the right setting can be challenging. Users should be advised that no filter is perfect and that they should regularly check quarantined email for legitimate messages.

Reputation-based filtering relies on the identification of email servers that have become known for sending spam. A system that does this must rely on some service for developing these "reputations." As you will see later, an example is Cisco SenderBase, the system the Cisco Email Security Appliance (ESA) uses. This repository manages reputation "scores" for servers based on any malicious activity in which the server is reported to have been involved.

Context-Based Filtering
Context-based filtering examines the message and attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.

Anti-malware Filtering
Email can also introduce malware into the environment through both malicious attachments and deceptive links in emails. While user training is the best approach to preventing email-based malware, we know that it doesn't always work. Even security professionals have inadvertently clicked malicious links and attachments. To augment training, the examination of all email for malware and the filtering of such malicious mail should be part of providing secure email.

DLP
Data leakage occurs when sensitive data is disclosed to unauthorized personnel, either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. For example, it might allow printing of a document but only at the company office. It might also disallow sending the document through email. DLP software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage. Another scenario might be the release of product plans that should be available only to the sales group. The policy you could set for that document is as follows:

It cannot be emailed to anyone other than sales group members.
It cannot be printed.
It cannot be copied.

There are two locations at which DLP can be implemented.

Network DLP
Installed at network egress points near the perimeter, network DLP analyzes network traffic.

Endpoint DLP
Endpoint DLP runs on end-user workstations or servers in the organization.

You can use both precise and imprecise methods to determine what is sensitive.

Precise methods
These methods involve content registration (fingerprinting the specific documents or records to be protected) and trigger almost zero false-positive incidents.

Imprecise methods
These can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.

The value of a DLP system resides in the level of precision with which it can locate and prevent the leakage of sensitive data.
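The following Python program, added here as an example (it is not code from the book or from any DLP product), implements one precise method and one imprecise method side by side and applies the product-plan policy from above: the registered document may be emailed only to sales group members, and other sensitive content is sent encrypted rather than blocked. Content registration is done by hashing every run of eight words of the protected document, so a quoted passage is recognized inside an otherwise new message; the imprecise method is a regular expression for card numbers tightened with the Luhn check digit, plus a pattern for US-style social security numbers. The document, messages, group membership, thresholds and function names are all constructed for the example.

```python
"""Precise (content registration) and imprecise (pattern) DLP detection
combined into a send-time policy. Added example; all data is constructed."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

SHINGLE = 8         # words per fingerprinted chunk
MIN_OVERLAP = 3     # matching chunks needed before we call it the registered document


def _shingles(text: str) -> Set[str]:
    """Hash every run of SHINGLE consecutive words, case and whitespace normalized."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE + 1)}


class Registry:
    """Precise method: protected documents are registered up front."""
    def __init__(self) -> None:
        self.docs: Dict[str, Set[str]] = {}

    def register(self, name: str, text: str) -> None:
        self.docs[name] = _shingles(text)

    def match(self, text: str) -> List[str]:
        seen = _shingles(text)
        return [name for name, fp in self.docs.items() if len(seen & fp) >= MIN_OVERLAP]


def luhn_ok(digits: str) -> bool:
    """Payment card check digit; rejects most random digit runs the regex would catch."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")      # 13 to 16 digits, optional separators
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def imprecise_findings(text: str) -> Dict[str, int]:
    """Imprecise method: regular expressions, tightened with the Luhn check."""
    cards = [m.group() for m in CARD.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"card_numbers": len(cards), "ssn_patterns": len(SSN.findall(text))}


def dlp_decision(message: str, recipients: List[str], registry: Registry,
                 allowed: Dict[str, Set[str]]) -> Tuple[str, Dict[str, object]]:
    """Return (action, evidence). A registered document may go only to the
    recipients allowed for it; other sensitive content is sent encrypted."""
    for doc in registry.match(message):
        if not {r.lower() for r in recipients} <= allowed.get(doc, set()):
            return "block", {"registered_document": doc}
    findings = imprecise_findings(message)
    if any(findings.values()):
        return "encrypt", findings
    return "allow", {}


# Constructed sample data
PRODUCT_PLAN = ("Project Falcon launches in Q3 with a starting price of 499 dollars, "
                "a twelve percent channel margin and an initial run of twenty thousand "
                "units for the North American region only.")
SALES_GROUP = {"ann@corp.example", "raj@corp.example"}
REGISTRY = Registry()
REGISTRY.register("product plan", PRODUCT_PLAN)
ALLOWED = {"product plan": SALES_GROUP}
LEAK = ("FYI the plan says a starting price of 499 dollars, a twelve percent channel "
        "margin and an initial run of twenty thousand units. Don't forward.")

if __name__ == "__main__":
    for msg, to in [(LEAK, ["bob@partner.example"]),
                    (LEAK, ["ann@corp.example"]),
                    ("Card 4111 1111 1111 1111 exp 12/27 for the booking", ["bob@partner.example"]),
                    ("Order ref 1234 5678 9012 3456 shipped today", ["bob@partner.example"])]:
        print(to, dlp_decision(msg, to, REGISTRY, ALLOWED))
```

The quoted plan is blocked to the partner address and allowed to a sales member; the Luhn check is what keeps the order reference in the last message from being treated as a card number, which is the kind of false positive the text warns imprecise methods produce.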

Blacklisting
Blacklisting identifies bad senders. Whitelisting occurs when a list of acceptable e-mail addresses, Internet addresses, websites, applications, or other identifiers is configured as good senders or as allowed. Graylisting is somewhere in between the two, used when an entity cannot be identified as a whitelist or blacklist item. In the case of graylisting, the new entity must pass a test before it is treated as whitelisted or blacklisted; in the common SMTP implementation, the receiving server temporarily rejects the first delivery attempt from an unknown sender and accepts a retry made after a short delay, which legitimate mail servers perform and most spam bots do not. Whitelisting, blacklisting, and graylisting are commonly used with spam filtering tools.

Email Encryption
Email traffic, like any other traffic type, can be captured in its raw form with a protocol analyzer. If the email is cleartext, it can be read. For this reason, encryption should be used for all emails of a sensitive nature. While this can be done using the digital certificate of the intended recipient (S/MIME), this is typically possible only if the recipient is part of your organization and your company has a public key infrastructure (PKI), or the recipient has otherwise supplied you with a certificate. Many email products include native support for digital signing and encryption of messages using digital certificates.

While it is possible to use email encryption programs like Pretty Good Privacy (PGP), it is confusing for many users to use these products correctly without training. Another option is to use an encryption appliance or service that automates the encryption of email. Regardless of the specific approach, encryption of the message itself is the only mitigation for information disclosure from captured packets; TLS between mail servers protects a message only on that hop, not while it sits on each server along the way.

Cisco Email Security Appliance
The Cisco Email Security Appliance can address each of these concerns. The features that address email issues in the ESA are covered in this section. At the end of the section is a discussion of the message flow when using ESA.

Reputation and Context-Based Filtering
ESA performs both types of filtering. When utilizing Cisco SenderBase, the actions taken by ESA depend on the reputation score of the source, which ranges from –10 (worst) to +10 (best). If the sender score is between –1 and +10, the email is accepted. If it is below –1 down to –3, the email is accepted but further emails from that sender are throttled. If it is below –3 down to –10, the email is blocked.
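The following Python program is an added example, not ESA code, of how an SMTP gateway applies the controls described in this section in order: whitelist, blacklist, the three reputation bands quoted above (the exact cut-offs at –1 and –3 are this example's reading of those bands), per-sender throttling for the middle band, and finally the graylisting described earlier in the chapter, which temporarily rejects the first attempt from an unknown (client, sender, recipient) triple and accepts a retry after a minimum delay. The addresses, scores, lists, retry window and class names are constructed.

```python
"""Reputation bands, throttling and greylisting as an SMTP front end would
apply them. Added example; addresses, scores and limits are constructed."""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]     # constructed
WHITELIST = [ipaddress.ip_network("203.0.113.10/32")]     # constructed


def reputation_action(score: float) -> str:
    """Map a -10..+10 sender score to accept / throttle / block."""
    if not -10.0 <= score <= 10.0:
        raise ValueError("score outside -10..+10")
    if score >= -1.0:
        return "accept"
    if score >= -3.0:
        return "throttle"
    return "block"


class Greylist:
    """Temporarily reject the first delivery attempt from an unknown triple;
    accept a retry that arrives after min_delay seconds and before expiry."""
    def __init__(self, min_delay: int = 300, expiry: int = 7 * 86400) -> None:
        self.min_delay, self.expiry = min_delay, expiry
        self.first_seen: Dict[Tuple[str, str, str], float] = {}

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.expiry:
            self.first_seen[key] = now
            return "451 4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK"


class Gateway:
    """Decide the SMTP reply for one delivery attempt, in the order described above."""
    def __init__(self, scores: Dict[str, float], per_hour: int = 5) -> None:
        self.scores = scores            # client IP -> reputation score
        self.per_hour = per_hour        # attempts per hour allowed for throttled senders
        self.greylist = Greylist()
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)

    def _over_limit(self, client_ip: str, now: float) -> bool:
        window = self.recent[client_ip]
        window.append(now)
        while window and now - window[0] > 3600:
            window.popleft()
        return len(window) > self.per_hour

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in WHITELIST):
            return "250 OK"
        if any(ip in net for net in BLACKLIST):
            return "554 5.7.1 Sender blacklisted"
        action = reputation_action(self.scores.get(client_ip, 0.0))
        if action == "block":
            return "554 5.7.1 Sender reputation too low"
        if action == "throttle" and self._over_limit(client_ip, now):
            return "452 4.7.0 Too many messages from throttled sender"
        return self.greylist.check(client_ip, mail_from, rcpt_to, now)


if __name__ == "__main__":
    gw = Gateway({"192.0.2.5": 3.0, "192.0.2.9": -2.0, "192.0.2.66": -7.5})
    for t in (0, 60, 400):
        print("unknown sender at t=%d:" % t, gw.decide("192.0.2.5", "a@x.example", "b@y.example", t))
    for t in (0, 400, 401, 402, 403, 404):
        print("throttled sender at t=%d:" % t, gw.decide("192.0.2.9", "n@z.example", "b@y.example", t))
```

A good-reputation sender gets through on its first retry after the delay; the throttled sender passes greylisting too but is held to five attempts per hour; blacklisted and low-reputation sources never reach the greylist.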

Viruses and Anti-malware
ESA uses a multilayer approach to this issue. The three layers of defense are as follows:

Outbreak Filters
Downloaded from Cisco SenderBase. These filters are generated by watching global email traffic patterns and looking for signs of an outbreak. When an email is received from a server on the list, it is quarantined until antivirus signatures that address the risk are updated.

Antivirus Signatures
Used in the same way any anti-malware product uses them: to identify the presence of malware in the email.

Outbound Scanning
Scans email that is leaving for the presence of malware.

Email Data Loss Prevention and Encryption
ESA's DLP features use rules for identifying classes of sensitive information such as personally identifiable information (PII), payment card numbers, bank routing numbers, financial account information, government ID numbers, personal names, addresses and phone numbers, and healthcare records. Moreover, you can design your own classes that include data not in these categories. Encryption is also possible to protect any sensitive information that must be sent.

Advanced Malware Protection
Advanced Malware Protection (AMP) is the malware component in ESA that uses a combination of several technologies to protect you from email-based malware.

File Reputation
A fingerprint (a SHA-256 hash) of every file that traverses the Cisco email security gateway is sent to AMP's cloud-based intelligence network for a reputation verdict. Based on these results, you can block malicious files identified as having a bad reputation.

File Retrospection
Sometimes files enter the network and are later identified as being a threat. This feature allows for the identification and removal of these files later. If malicious behavior is spotted later, AMP sends a retrospective alert so that you can contain and remediate the malware. This process is depicted in Figure 17.1.

FIGURE 17.1 File retrospection

File Sandboxing
This provides the ability to analyze files that traverse the gateway. In the safe sandboxed environment, AMP can obtain details about the threat level of the malware and communicate that information to the Cisco Talos intelligence network to update the AMP cloud data for all.

ESA Message Flow
ESA performs its job by acting as a message transfer agent (MTA) in the email system. Another name for this function is email relay. Figure 17.2 shows a normal inbound message flow.

FIGURE 17.2 ESA inbound

Figure 17.3 shows a normal outbound message flow.

FIGURE 17.3 ESA outbound

Putting the Pieces Together
The various components that ESA brings to bear in its role as an email security utility work together in an integrated fashion, as shown in Figure 17.4, which is how ESA operates against incoming email.

FIGURE 17.4 Incoming mail processing

Regarding email that is leaving the organization, the operations of these components are depicted in Figure 17.5.

FIGURE 17.5 Outgoing mail processing

MitigatingWeb-BasedThreatsAnotherthreatthatpresentsitselftomostenterprisesisaimedattheirwebservices.Whilenoteveryorganizationhastheneedforane-commerceserver,almosteveryorganizationhasawebsiteorsometypeofwebpresence.Evenadefacingofapublicwebsite,whilenotcostlyfromamonetarystandpoint,hurtsthereputationandimageofanorganization.

Oneofthecommonwaysofaddressingthreatsagainstwebapplicationsandthewebserversoftwareuponwhichtheyoperateisawebproxy.ProxyserversingeneralstandbetweeninternalusersorinternalapplicationsandpotentiallymaliciousrequestscomingfromtheInternet.WebproxiesareatypeofproxythatstandsbetweenawebapplicationandwebrequestcomingfromtheInternet.Thissectiondiscusseswebproxiesandthefunctionstheyperform.

Understanding Web Proxies

Proxy servers can be appliances, or they can be installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server may allow the sales group to go to certain websites while not allowing the data entry group access to those same sites. The functionality extends beyond HTTP to other traffic types, such as FTP traffic.

Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.

From a deployment perspective, web proxies can be implemented in two ways.

Local: A local proxy is one that is installed on the premises, in which all of the processing occurs on the local web proxy.

Cloud-Based: A cloud-based web proxy is one that transmits the traffic to a cloud location where all the operations that would occur on a local web proxy occur in the cloud. In some cases, this offers the advantage of additional intelligence services that can aggregate and analyze telemetry data from billions of web requests, malware samples, and emerging attack methods.

Cisco Web Security Appliance

The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host or by using Web Cache Control Protocol on an inline device like the perimeter router. The features it provides are covered in this section and will be followed by a description of traffic flow when using a WSA.

Blacklisting: Blacklisting and whitelisting can be used to create and support the acceptable use policy (AUP) of the organization. Moreover, it helps to prevent malware from malicious sites from entering the network.

URL Filtering: The WSA reputation filters operate much like the reputation filters used in ESA, with the difference being that they operate against web domains rather than email sources. By leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort reputation filters analyze more than 50 web and network parameters to evaluate a website's trustworthiness.

Malware Scanning: The WSA anti-malware system uses multiple scanning engines in a single appliance. It uses the Dynamic Vectoring and Streaming Engine and verdict engines from both Webroot and McAfee.

URL Categorization: The Cisco URL filters can also be managed using access policies based on 52 predefined categories and an unlimited number of custom categories of sites. These can be used along with time-based policies to add additional flexibility.

Web Application Filtering: WSA uses Application Visibility and Control (AVC) to allow for the control of the use of web applications. Granular policy control allows administrators to permit the use of applications such as Dropbox or Facebook while blocking users from activities such as uploading documents or clicking the Like button.

TLS/SSL Decryption: In Cisco AsyncOS 9.0.0-485, the operating system in WSA, you can now enable and disable SSLv3 and various versions of TLS for several services. Disabling SSLv3 for all services is recommended for best security. You also can enable a protocol fallback option.

Mitigating Endpoint Threats

This section discusses the protection of endpoints. Many of the items discussed in this section can be managed manually or with third-party tools, but many of the items can be managed automatically using the Identity Services Engine (ISE). Before we discuss the security measures in this section and their potential relationship with ISE, let's take a brief look at ISE.

Cisco Identity Services Engine (ISE)

Finally, if the organization is implementing a BYOD policy, it can streamline this with self-service onboarding and management. While many of these features are beyond the scope of this book, we are going to discuss how it can handle the settings in this section.

Antivirus/Anti-malware: The Cisco ISE posture service interrogates a device requesting access for information regarding the presence of and proper configuration of antivirus and/or anti-malware software. It also checks for the presence of the latest available updates. Only when the machine is fully compliant is it allowed full access to the network.

Personal Firewall: While the Cisco ISE posture service verifies the presence of and proper configuration of antivirus and/or anti-malware software, it doesn't stop there. It can also verify the function and settings of the personal firewall. It can compare this with a baseline for compliance in the same way it verifies the antivirus and/or anti-malware software.

Hardware/Software Encryption of Local Data: Finally, sensitive data located in endpoints should be secured with either hardware or software encryption. Cisco ISE can be used to implement a mobile management solution that can require encryption of the storage in both easily stolen mobile devices and other devices that may contain sensitive information.

HIPS: While not a function that can be controlled through ISE or TrustSec, a host-based IPS (HIPS) monitors traffic on a single system. Its primary responsibility is to protect the system on which it is installed. A HIPS typically works closely with anti-malware products and host firewall products. They generally monitor the interaction of sites and applications with the operating system and stop any malicious activity or, in some cases, ask the user to approve changes that the application or site would like to make to the system.

These systems can use several methods of detecting intrusions. The two main methods are as follows:

Signature based: Analyzes traffic and compares it to patterns, called signatures, that reside within the IDS database. This requires constant updating of the signature database.

Anomaly based: Analyzes traffic and compares it to normal traffic to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert.
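To make the two detection methods concrete, the following Python sketch is an added example, not code from the book or from any HIPS vendor: a signature detector that matches a small rule set against host events, beside an anomaly detector that flags any process/action pair absent from a learned baseline. All event lines, process names and signatures are constructed sample data, and the output shows why the anomaly detector also alerts on benign but unusual activity while the signature detector only sees what its database describes.

```python
# Added example: signature-based vs anomaly-based detection over host events.
# All log lines, process names and signatures below are constructed sample data.

# Constructed "normal" activity used to learn the anomaly baseline.
BASELINE_LOG = """
proc=outlook.exe action=net_connect dst=192.0.2.10:443
proc=winword.exe action=file_write path=C:\\Users\\ana\\Documents\\q3.docx
proc=chrome.exe action=net_connect dst=192.0.2.20:443
proc=svchost.exe action=registry_write key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time
proc=svchost.exe action=file_write path=C:\\Windows\\Temp\\etw.log
""".strip().splitlines()

# Constructed events to inspect.
OBSERVED_LOG = """
proc=winword.exe action=process_create child=cmd.exe
proc=updater.exe action=registry_write key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
proc=chrome.exe action=net_connect dst=198.51.100.7:443
proc=backup.exe action=file_write path=D:\\Backup\\2024-q3.zip
proc=svchost.exe action=file_write path=C:\\Windows\\System32\\drivers\\etc\\hosts
""".strip().splitlines()


def parse(line):
    """Turn 'key=value key=value' into a dict (values contain no spaces here)."""
    return dict(field.split("=", 1) for field in line.split())


# Signature database: name -> predicate over a parsed event. Each signature
# encodes one specific known pattern, which is why the database needs updates.
SIGNATURES = {
    "autostart-run-key-write": lambda e: e.get("action") == "registry_write"
        and "\\CurrentVersion\\Run\\" in e.get("key", ""),
    "hosts-file-modified": lambda e: e.get("action") == "file_write"
        and e.get("path", "").lower().endswith("\\drivers\\etc\\hosts"),
}


def signature_match(event):
    """Return the first matching signature name, or None when nothing matches."""
    for name, predicate in SIGNATURES.items():
        if predicate(event):
            return name
    return None


def build_baseline(lines):
    """Anomaly model: the set of (process, action) pairs seen during normal operation."""
    return {(e["proc"], e["action"]) for e in map(parse, lines)}


def is_anomalous(event, baseline):
    """Anything outside the learned baseline is flagged, whether benign or not."""
    return (event["proc"], event["action"]) not in baseline


def analyze(lines, baseline):
    """Run both detectors over each event and return one verdict per line."""
    results = []
    for line in lines:
        event = parse(line)
        results.append({
            "event": line,
            "signature": signature_match(event),
            "anomaly": is_anomalous(event, baseline),
        })
    return results


if __name__ == "__main__":
    for r in analyze(OBSERVED_LOG, build_baseline(BASELINE_LOG)):
        print(f"sig={r['signature'] or '-':24} anomaly={r['anomaly']!s:5} {r['event']}")
```

The word processor spawning a shell and the new backup tool are caught only by the anomaly detector (the second one a false positive), while the hosts-file write by an already-baselined process is caught only by its signature.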

Summary

In this chapter, you learned mitigation techniques available when using the Cisco Email Security Appliance. This included reputation and context-based filtering. You also were introduced to the Cisco Web Security Appliance, which can use blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discussed endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.

Exam Essentials

Identify the processes used by Cisco ESA to protect email. These processes include spam filtering, reputation-based filtering, context-based filtering, anti-malware filtering, data loss prevention, blacklisting, and email encryption.

Describe the actions of which the Cisco Web Security Appliance is capable. Some examples of these actions are blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS/SSL decryption.


Differentiate endpoint threats. These threats include viruses and malware, data disclosure, peer-to-peer attacks, and unauthorized access.

Identify techniques employed by the Cisco Identity Services Engine. These include access management, 802.1X, health and patch assessment, and verification of settings in the personal firewall.

Review Questions

1. Which of the following relies on the identification of email servers that have become known for sending spam?
A. Context-based filtering
B. Reputation-based filtering
C. Data-based filtering
D. Domain-based filtering

2. Which of the following occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently?
A. Data leakage
B. Data egress
C. Information corruption
D. Unintended release

3. Which of the following is installed at network egress points near the perimeter?
A. Client DLP
B. Network DLP
C. Endpoint DLP
D. Composite DLP

4. Which of the following trigger almost zero false-positive incidents?
A. Precise methods
B. Complete methods
C. Imprecise methods
D. Sparse methods

5. With which sender score does ESA accept an email?
A. Between –1 and +10
B. Between –1 and –3
C. Between –10 and –3
D. Between +10 and +20

6. Which of the following is the malware component in ESA?
A. AMP
B. MAP
C. CMP
D. EMP

7. Which capability of AMP sends a fingerprint of every file that traverses the Cisco email security gateway to AMP's cloud-based intelligence network?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination

8. Which of the following uses real-time analysis on a vast, diverse, and global dataset to detect URLs that contain some form of malware?
A. SPAN
B. WBRS
C. WCCP
D. SIO

9. Which of the following is a web proxy that integrates with other network components to monitor and control outbound requests for web content?
A. ESA
B. AMP
C. WSA
D. ISE

10. Which component analyzes more than 50 web and network parameters to evaluate a website's trustworthiness?
A. Cisco IronPort
B. Dynamic Vectoring and Streaming Engine
C. Web Cache Control Protocol
D. Message Transfer Agent (MTA)

11. With which sender score does ESA block the email?
A. Between –1 and +10
B. Between –1 and –3
C. Between –10 and –3
D. Between +10 and +20

12. Which capability of AMP provides the ability to analyze files that traverse the gateway?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination

13. Which of the following uses the Dynamic Vectoring and Streaming Engine?
A. ESA
B. AMP
C. WSA
D. ISE

14. Which of the following allows administrators to permit the use of applications such as Dropbox or Facebook?
A. ESA
B. AMP
C. WSA
D. AVC

15. Which of the following can provide AAA services so that you can deploy 802.1X security?
A. ESA
B. ISE
C. WSA
D. AVC

16. Which capability of AMP allows for the identification and removal of these files after they are accepted?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination

17. With which sender score does ESA accept the email but additional emails are throttled?
A. Between –1 and +10
B. Between –1 and –3
C. Between –10 and –3
D. Between +10 and +20

18. Which of the following can include keywords, lexicons, and regular expressions?
A. Precise methods
B. Complete methods
C. Imprecise methods
D. Sparse methods

19. Which of the following is installed on end-user workstations?
A. Client DLP
B. Network DLP
C. Endpoint DLP
D. Composite DLP

20. Which of the following filters the message and attachments for sender identities, message content, embedded URLs, and email formatting?
A. Context-based filtering
B. Reputation-based filtering
C. Data-based filtering
D. Domain-based filtering


Appendix: Answers to Review Questions


Chapter 1: Understanding Security Fundamentals

1. D. Accountability, although important, is not part of the CIA triad. The CIA triad includes confidentiality, integrity, and availability.

2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users have access only to the resources they need and are authorized to perform only the tasks they need to perform.

3. B. A threat occurs when a vulnerability is identified or exploited. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent access control list.

4. D. NIST SP 800-30 identifies the following steps in the risk management process:
   1. Identify the assets and their value.
   2. Identify threats.
   3. Identify vulnerabilities.
   4. Determine likelihood.
   5. Identify impact.

5. B. Sensitivity is a measure of how freely the data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.

6. C. These are typical commercial classifications:
   1. Confidential
   2. Private
   3. Sensitive
   4. Public

7. C. The Traffic Light Protocol classifications are:

   Color   Meaning
   Red     Shared only within a meeting
   Amber   Shared only with those in the organization with a need to know
   Green   Shared only within a community
   White   No restriction but still subject to copyright rules

8. C. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.

9. B. These metric groups are described as follows:
   Base: Characteristics of a vulnerability that are constant over time and user environments
   Temporal: Characteristics of a vulnerability that change over time but not among user environments
   Environmental: Characteristics of a vulnerability that are relevant and unique to a particular user's environment

10. D. The SLE is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percent value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:

   SLE = AV × EF

11. B. Mitigation is the process of selecting a control that will reduce the risk to an acceptable level.

12. B. The enterprise campus includes the end devices and provides them with access to the outside world and to the intranet data center through the enterprise core.

13. B. A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network.

14. A. Network security zones can also be created at layer 2. Virtual local area networks (VLANs) are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs.

15. B. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.

16. B. A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies.

17. A. A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder contains only public data, then the risk would be low.

18. C. This classification system created by the United Kingdom's National Infrastructure Security Coordination Centre (NISCC, now Centre for Protection of National Infrastructure) and since adopted by the ISO/IEC as part of the Standard on Information security management for intersector and interorganizational communications and by CERT is the Traffic Light Protocol (TLP). This system uses traffic light colors to classify information assets.

19. B. Common Vulnerabilities and Exposures (CVE) is a compilation of common vulnerabilities found in operating systems and applications.

20. C. The exposure factor (EF) is the percent value or functionality of an asset that will be lost when a threat event occurs.


Chapter 2: Understanding Security Threats

1. C. Hacktivists include those who hack not for personal gain but to further a cause. An example is the Anonymous group that hacks from time to time for various political reasons.

2. A. IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses.

3. C. Port scanning is not a password attack. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which the attacker may attempt to take advantage. This is typically done with a port scan in which all "open" or "listening" ports are identified.

4. C. When this packet is sent, these responses are possible:
   No response: The port is open on the target.
   RST: The port is closed on the target.

5. A. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used.

6. D. A man-in-the-middle attack is launched from a single malicious individual, while DDoS attacks come from multiple devices.

7. A. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer's IP address with the attacker's own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing the attacker "in the middle."

8. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.

9. C. The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.

10. D. A virus is any malware that attaches itself to another application to replicate or distribute itself.

11. B. Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans.

12. C. The best mitigation for credit data theft is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI-DSS).

13. B. MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2.

14. A. A possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's box.

15. B. Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received.

16. C. An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:
   No response: The port is open on the target.
   RST: The port is closed on the target.

17. A. The ping-of-death attack is one in which an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes. An ICMP echo request is an IP packet with a pseudoheader, which is 8 bytes. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).

18. B. In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of this type of DDoS is the smurf attack.

19. C. The dynamic ARP inspection security feature intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This prevents ARP poisoning attacks.

20. B. Pharming is similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site.
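Answers 8, 9 and 19 describe how DAI checks each ARP reply against the binding table that DHCP snooping builds. The Python model below is an added example, not Cisco code or material from the book: it assumes a simplified switch with one trusted uplink toward the legitimate DHCP server, a binding table filled from DHCPACKs seen on that port, and a static ARP ACL entry for a host that never takes a lease. Every port name, MAC and IP address is a constructed sample value.

```python
# Added example: DHCP snooping plus dynamic ARP inspection on a modelled switch.
# All ports, MACs and addresses are constructed; this is not Cisco's implementation.
from dataclasses import dataclass, field

TRUSTED_UPLINK = "Gi0/24"                                  # port toward the legitimate DHCP server
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"  # static host, never gets a DHCP lease
HOST_IP, HOST_MAC = "10.0.0.10", "00:11:22:33:44:0a"       # ordinary DHCP client
ROGUE_MAC = "de:ad:be:ef:00:01"                            # station on an untrusted access port

DHCP_SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Switch:
    """Minimal model of DHCP snooping and DAI state on one switch."""
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # DHCP snooping table: ip -> mac
    arp_acl: dict = field(default_factory=dict)    # static ip -> mac entries (ARP ACL)
    log: list = field(default_factory=list)

    def dhcp_server_message(self, port, msg_type, client_mac, ip):
        """DHCP snooping: server messages are accepted only on trusted ports.
        A DHCPACK on a trusted port records an ip -> mac binding; any server
        message arriving on an untrusted port is dropped (a rogue server)."""
        if msg_type not in DHCP_SERVER_MESSAGES:
            raise ValueError(f"{msg_type} is not a DHCP server message")
        if port not in self.trusted_ports:
            self.log.append(f"snooping: drop {msg_type} from untrusted {port}")
            return False
        if msg_type == "DHCPACK":
            self.bindings[ip] = client_mac
        return True

    def arp_packet(self, port, sender_mac, sender_ip):
        """DAI: an ARP packet on an untrusted port is forwarded only if its
        sender MAC/IP pair matches a snooping binding or a static ARP ACL entry.
        Trusted ports are not inspected, so trust must be limited to uplinks."""
        if port in self.trusted_ports:
            return True
        expected = self.bindings.get(sender_ip) or self.arp_acl.get(sender_ip)
        if expected != sender_mac:   # also covers 'no binding at all' (expected is None)
            self.log.append(
                f"DAI: drop on {port}, {sender_ip} claimed by {sender_mac}, "
                f"expected {expected}")
            return False
        return True


def run_scenario():
    """Replay a constructed sequence of DHCP and ARP events; returns (verdicts, switch)."""
    sw = Switch(trusted_ports={TRUSTED_UPLINK}, arp_acl={GATEWAY_IP: GATEWAY_MAC})
    verdicts = {
        # rogue DHCP server on an access port: its OFFER never reaches clients
        "rogue_offer": sw.dhcp_server_message("Gi0/5", "DHCPOFFER", HOST_MAC, "10.0.0.77"),
        # legitimate lease seen on the trusted uplink populates the binding table
        "legit_ack": sw.dhcp_server_message(TRUSTED_UPLINK, "DHCPACK", HOST_MAC, HOST_IP),
        # the client's own ARP reply matches its binding
        "host_arp": sw.arp_packet("Gi0/3", HOST_MAC, HOST_IP),
        # the gateway has no lease; the static ARP ACL entry lets it through
        "gateway_arp": sw.arp_packet("Gi0/1", GATEWAY_MAC, GATEWAY_IP),
        # gratuitous ARP claiming the gateway's IP with another MAC is rejected
        "spoof_gateway": sw.arp_packet("Gi0/7", ROGUE_MAC, GATEWAY_IP),
        # same for a reply claiming the client's leased address
        "spoof_host": sw.arp_packet("Gi0/7", ROGUE_MAC, HOST_IP),
        # an address with no binding at all is rejected too
        "unknown_ip": sw.arp_packet("Gi0/7", ROGUE_MAC, "10.0.0.99"),
        # caution: nothing is inspected on a trusted port
        "trusted_bypass": sw.arp_packet(TRUSTED_UPLINK, ROGUE_MAC, GATEWAY_IP),
    }
    return verdicts, sw


if __name__ == "__main__":
    verdicts, sw = run_scenario()
    for name, forwarded in verdicts.items():
        print(f"{name:15} {'forwarded' if forwarded else 'dropped'}")
    print("\n".join(sw.log))
```

The last case is the operational point behind answer 13 of Chapter 6: DAI skips trusted ports entirely, so only the uplink toward the real DHCP server should be trusted.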


Chapter 3: Understanding Cryptography

1. A. A symmetric key algorithm does not use a public key. It uses a matching or private key for both encryption and decryption.

2. B. Asymmetric algorithms are not typically used for data at rest because they are very slow in relation to symmetric algorithms at this task. Asymmetric algorithms are used for data in transit.

3. D. Block ciphers employ both substitution and transposition.

4. B. Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. The keystream generators create a bit stream that is XORed with the plaintext bits. The result of this XOR operation is the ciphertext.

5. A. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.

6. B. Although Electronic Codebook (ECB) is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read.

7. B. AES is the replacement algorithm for 3DES and DES. Although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.

8. A. RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers.

9. C. A collision occurs when a hash function produces the same hash value on different messages.

10. D. The U.S. government requires the usage of SHA-2 instead of MD5.

11. B. A hash MAC (HMAC) is a keyed-hash MAC that involves a hash function with a symmetric key. HMAC can help reduce the collision rate of the hash function.

12. C. A digital signature is a hash value encrypted with the sender's private key. A digital signature provides authentication, nonrepudiation, and integrity.

13. A. To use symmetric key algorithms for encrypting data, the two parties must share an identical symmetric key. This means we need some secure way to get identical symmetric keys on the two endpoints. This is done by using asymmetric algorithms for the key exchange and, once the keys are generated and exchanged, using the symmetric keys and a symmetric key algorithm for the encryption of the data. This is often called a hybrid cryptosystem.

14. A. Users and devices are issued public/private key pairs that are bound to a digital document called a digital certificate. This certificate (more specifically the keys to which it is bound) can be used for a variety of things including:
   Encrypting data
   As a form of authentication
   Encrypting email
   Digitally signing software

15. B. An X.509 certificate complies with the X.509 standard.

16. B. A CRL is a list of digital certificates that a CA has revoked. To find out whether a digital certificate has been revoked, the browser must either check the CRL or push out the CRL values to clients.

17. A. VeriSign first introduced the following digital certificate classes:
   Class 1: For individuals intended for e-mail. These certificates get saved by web browsers.
   Class 2: For organizations that must provide proof of identity.
   Class 3: For servers and software signing in which independent verification and identity and authority checking is done by the issuing CA.
   Class 4: For online business transactions between companies.
   Class 5: For private organizations or governmental security.

18. B. Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor's identity and registers the requestor. After the identity is verified, the RA passes the request to the CA. In many cases, the CA and the RA are the same server.

19. B. In some cases, two organizations may have a need to trust one another's certificates. This can be done by configuring cross certification. In cross certification, a trust is created between the two root CAs, which enables both systems to trust all certificates.

20. B. The ASA has a self-signed default certificate that can be used, although in most cases it will be desirable to install a certificate from your PKI.


Chapter 4: Securing the Routing Process

1. D. While configuring a loopback IP address to be used for management access is certainly advisable, it is not required when configuring a router for SSH access.

2. C. The syslog message indicates that SSH version 1.99 has been enabled. This indicates that it is a version 2 server that can accept connections from SSH version 1 devices.

3. D. The line in the configuration that says login local specifies that the user accounts will be local to this router.

4. A. Privilege levels allow you to assign a technician sets of activities that coincide with the level the technician has been assigned. There are 16 levels, from 0 to 15. When you are in user mode (router>), you are at privilege level 0. When you are in privileged mode (router#), you are at level 15.

5. C. If the intent is to allow this technician to change IP addresses on interfaces, assign him that command. Since the ip command (along with the parameter address) is executed after entering interface configuration mode, you have to reference interface in the command, as shown here:

   router(config)# privilege interface level 12 ip

6. B. The only view that exists by default is called root, which as you would expect allows access to all commands. Access to this view is provided when you submit the enable secret password.

7. B. To enable the protection of the boot image, issue the following command:

   R64(config)# secure boot-image
   *April 2 14:24:50.231: %IOS_Reslience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image

   Notice the system message indicating the boot image is protected.

8. B. A secure configuration can be removed. Once these two items are secured (called the secure bootset), you cannot update the startup configuration without removing the secure configuration long enough to make the change and resecuring it as was done in the first place.

9. B. Commands that remove a secure bootset configuration can be run only from the console connection.

10. B. OSPF routing updates are secured using a hashing algorithm. You can use either MD5 or SHA-256 HMAC. Be aware, however, that some devices may support only MD5.

11. C. While key chain names and the key numbers do not have to match on the two routers on either end of the link, the key strings and the hashing algorithms must match!

12. C. The final step is to apply the key chain to the interface that connects to the neighboring router.

13. A. Key chain configuration mode is the mode in which you will define the key number as follows. The number I am using is 1.

   R64(config-keychain)# key 1
   R64(config-keychain-key)#

14. A. Telling the router the algorithm (MD5) to use for this key is done at the same key prompt as follows:

   R64(config-keychain-key)# cryptographic-algorithm md5
   R64(config-keychain-key)#

15. A. Configuring EIGRP routing update authentication is similar to OSPF. However, OSPF specifies the hashing algorithms in the same mode where you specify the key string, but in EIGRP, that is specified on the interface.

16. B. When you specify the algorithm, you also specify the EIGRP AS number in the same command as follows, where 66 is the AS number:

   R64(config-if)# ip authentication mode eigrp 66 md5

17. A. There are four types of packets that a router may encounter. Data plane packets are end-station, user-generated packets that are always forwarded by network devices to other end-station devices.

18. B. There are four types of packets that a router may encounter. Control plane packets are network device–generated or received packets that are used for the creation and operation of the network. Examples include protocols such as ARP, BGP, and OSPF.

19. C. Packets in the control plane are those that are either destined for the router itself or packets generated by the router.

20. B. In this model, three mechanisms are used. Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map. Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit. Service policies are used to specify where the policy map should be implemented.


Chapter 5: Understanding Layer 2 Attacks

1. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.

2. B. An ARP poisoning attack is one that takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses. By using a gratuitous ARP, the ARP cache of other devices can be poisoned.

3. A. In an ARP poisoning attack, the attacker sends a packet type called a gratuitous ARP to the target device with an incorrect IP address to MAC address mapping.

4. C. First an area of memory called the ARP cache is consulted. If the MAC address has been recently resolved, the mapping will be in the cache, and a broadcast is not required. If the record has aged out of the cache, ARP sends a broadcast frame to the local network that all devices will receive.

5. C. MAC spoofing attacks occur when an attacker changes his MAC address so that he appears to be another device, and as is the case with all spoofing attacks, the ultimate aim is to receive something intended for the real device or to get past access controls based on a MAC address.

6. A. A MAC address attack is also considered a switch attack because it leverages the MAC address table in the switch to accomplish the goal of receiving traffic destined for another device.

7. C. The MAC address table is also called the content addressable memory (CAM) table and is populated by the switch as frames are switched through it.

8. B. There is a limited amount of memory space that is available for the CAM table. In a CAM overflow attack, the attacker floods the switch with frames that have invalid source MAC addresses. This is easier than it sounds by using a tool such as macof.

9. B. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub and not a switch.

10. A. Cisco Discovery Protocol (CDP) and its standards-based alternative Link Layer Discovery Protocol (LLDP) are useful tools. They can be used to display information about directly connected devices.

11. C. To disable CDP globally, run the following command in global configuration mode:

   Router67(config)# no cdp run

12. D. To disable LLDP on an interface, run the following command in interface configuration mode:

   Router67(config-if)# no lldp receive

13. B. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member.

14. A. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member. It can be done two ways: switch spoofing and double tagging.

15. C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs.

16. B. Double tagging is only an issue on switches that use "native" VLANs. A native VLAN is used for any traffic that is still a member of the default VLAN, or VLAN 1.

17. A. When configured properly, DHCP reduces administrative overload, reduces the human error inherent in manual assignment, and enhances device mobility. But it introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and can result in peer-to-peer attacks.

18. A. After receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client might use the attacker's DNS server to obtain the IP address of his bank. This leads him to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has his bank credentials and can proceed to empty out his account.

19. A. Trunk ports use an encapsulation protocol called 802.1Q to place a VLAN tag around each frame to identify the VLAN to which the frame belongs. When a switch at the end of a trunk link receives an 802.1Q frame, it strips this off and forwards the traffic to the destination device. In a double tagging attack, the hacker creates a special frame that has two tags. The inner tag is the VLAN to which the hacker wants to send a frame (perhaps with malicious content), and the outer tag is the real VLAN of which the hacker is a member. If the frame goes through two switches (which is possible since VLANs can span switches), the first tag gets taken off by the first switch, leaving the second, which allows the frame to be forwarded to the target VLAN by the second switch.

20. C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs.


Chapter 6: Preventing Layer 2 Attacks

1. C. This feature works by filtering the DHCP messages sent by the rogue DHCP server so that they are never received by the unsuspecting hosts. It also uses the messages sent to and from the legitimate DHCP server to build a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.

2. D. As a matter of fact, any server response packets (DHCPOFFER, DHCPACK, or DHCPNACK) will be dropped by these interfaces.

3. B. The DAI feature requires that DHCP snooping also be enabled because it depends on the DHCP snooping database that is created when DHCP snooping is enabled.

4. A. These interfaces will require that you create a type of ACL on the switch called an ARP ACL. This ACL identifies the correct IP to MAC address mapping for the interface, and the ACL is referenced as a filter in the DAI configuration. This makes the ACL available to the DAI process as an addition to the DHCP snooping database.

5. D. You can also choose the following actions using alternative keywords to the shutdown keyword:

protect: The offending frame will be dropped.

restrict: The frame is dropped, and an SNMP trap and a syslog message are generated.

6. B. By limiting the number of MAC addresses that can be seen on a port, CAM overflow attacks can be prevented.

7. A. BPDU Guard should be implemented only on access ports because if implemented on trunks, it would interfere with the normal operation of STP, which depends on these frames for its operation.

8. C. Root Guard prevents the reception of superior BPDUs only, not all BPDUs.

9. B. This feature makes additional checks if BPDUs are not received on a nondesignated port. With Loop Guard enabled, that port moves into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding state.

10. B. To disable DTP on all ports, use the following commands:

SW71(config)#int fa0/1-24

SW71(config-if)#switchport nonegotiate

11. C. With the Restrict setting, if a violation occurs, the fa5/5 interface will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter, but will still pass legitimate traffic.

12. A. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on the access port. By doing so, it prevents the introduction of a rogue switch.


13. A. The port where the legitimate DHCP server resides must be marked as trusted so that DHCP server responses are allowed on that port.

14. A. If you configure a file in flash memory for the DHCP snooping database and the switches reload for some reason, they will retain this database.

15. B. The default state is untrusted.

16. C. While the VLAN number is used in the name of the ACL (StaticIP-VLAN3), that is not what ties it to the VLAN. It is the explicit reference to VLAN 3 at the end of the command that does it.

17. A. Before the other commands become effective, you must enable port security with the switchport port-security command.

18. D. While DAI can prevent ARP attacks, it cannot prevent STP attacks.

19. C. When a violation occurs, the port will be placed in an err-disabled state and will not pass traffic until it is enabled again manually.

20. D. DTP should be disabled on all ports, both trunk and access.


Chapter 7: VLAN Security

1. A. In a double tagging attack, the attacker crafts a packet with two 802.1q tags, with the inner tag set to the VLAN to which he would like to send traffic. This attack takes advantage of the native VLAN. If the attacker's access port is set to the same VLAN as the native VLAN, this attack becomes possible.
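The following is an added example (not from the study guide) that models the double tagging scenario described in this answer and in Chapter 5, answer 19: it builds an 802.1q frame with two tags, shows why the inner tag survives the trunk when the outer tag matches the native VLAN, and shows why moving the native VLAN to an unused number (as in answers 2 and 5 below) defeats it. It also includes the detection check a switch-side monitor would apply to access-port ingress. The MAC addresses, VLAN numbers and payload are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame with zero or more 802.1q tags (outermost first)."""
    frame = dst + src
    for vid in vlans:
        # TCI = priority 0, DEI 0, 12-bit VLAN id
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (list of VLAN ids outermost first, ethertype of the payload)."""
    offset = 12  # after destination and source MAC
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != ETHERTYPE_8021Q:
            return vids, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def access_port_ingress_check(frame: bytes) -> str:
    """Detection rule: a host behind an access port should send untagged frames only.
    Two or more tags arriving from a host is the double tagging signature."""
    vids, _ = parse_tags(frame)
    if not vids:
        return "ok"
    if len(vids) >= 2:
        return "double-tagged"
    return "tagged"


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Model the first switch forwarding over an 802.1q trunk: traffic in the
    native VLAN is sent untagged, so an outer tag equal to the native VLAN is
    stripped and whatever follows it (an inner tag included) goes out untouched."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame


def vlan_assigned_by_receiver(frame_on_wire: bytes, native_vlan: int) -> int:
    """The second switch puts an untagged frame in the native VLAN and otherwise
    trusts the outermost tag it sees."""
    vids, _ = parse_tags(frame_on_wire)
    return vids[0] if vids else native_vlan


def simulate_double_tagging(attacker_vlan: int, target_vlan: int, native_vlan: int) -> int:
    """Return the VLAN in which the attacker's frame lands after crossing the trunk."""
    attacker_mac = bytes.fromhex("020000000001")      # constructed sample address
    frame = build_frame(b"\xff" * 6, attacker_mac,
                        [attacker_vlan, target_vlan], ETHERTYPE_IPV4,
                        b"constructed payload")
    on_wire = trunk_egress(frame, native_vlan)
    return vlan_assigned_by_receiver(on_wire, native_vlan)


if __name__ == "__main__":
    # Attacker sits in VLAN 1, which is also the trunk's native VLAN: the frame lands in VLAN 20.
    print("native VLAN 1 :", simulate_double_tagging(1, 20, 1))
    # Native VLAN moved to unused VLAN 78: the outer tag is never stripped, frame stays in VLAN 1.
    print("native VLAN 78:", simulate_double_tagging(1, 20, 78))
```

Changing the trunk's native VLAN is what the command in answers 2 and 5 does; the simulation shows the frame then stays in the attacker's own VLAN.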

2. D. The solution is to set the native VLAN number to one in which none of the access ports resides. This is done only on the trunk ports. To change the native VLAN of the trunk port Gi0/1 to 78, use the following commands:

Switch79(config)#int gi0/1

Switch79(config-if)#switchport trunk native vlan 78

3. D. There are many challenges to providing a separate VLAN per customer, but a decrease in security is not one of them.

4. A. Private VLANs provide separation within a VLAN at layer 2, while still leaving all members of the original VLAN (called the primary VLAN) in the same subnet.

5. A. To change the native VLAN of the trunk port Gi0/1 to 78, use the following commands:

Switch79(config)#int gi0/1

Switch79(config-if)#switchport trunk native vlan 78

6. A. Promiscuous ports can communicate with a port of any other type. Typical candidates for this port assignment are those ports leading to the router or firewall that act as the default gateway for the primary VLAN.

7. D. While a good idea to prevent double tagging attacks, setting the native VLAN number to one in which none of the access ports resides is not a step in setting up PVLANs.

8. C. To configure the primary VLAN as 10, specifying it as a primary PVLAN, use the following commands:

Switch#configure terminal

Switch(config)#vlan 10

Switch(config-vlan)#private-vlan primary

9. A. Typical candidates for this port assignment are those ports leading to the router or firewall that act as the default gateway for the primary VLAN.

10. C. To associate private VLANs 501, 502, and 503 with a primary VLAN 10, use the following commands:

Switch(config)#vlan 10

Switch(config-vlan)#private-vlan association 501-503

11. A. The command switchport mode private-vlan host makes the port a PVLAN port.

12. B. The command switchport private-vlan host-association 10 202 assigns a port to primary VLAN 10 and PVLAN 202.


13. B. In some cases, you may find there is no reason for any communication between ports connected to the same switch. When that is the case, it may be beneficial to take advantage of another feature called the PVLAN Edge feature. Preventing communications between ports when possible can prevent attacks such as ARP poisoning attacks and can impair the ability of a hacker to move from a compromised host to other hosts.

14. C. The command private-vlan association 501 executed under the VLAN 10 configuration is what ties the PVLAN 501 to the primary VLAN 10.

15. D. Forwarding behavior between a protected port and unprotected ports proceeds as usual.

16. B. When a port has been designated as a PVLAN Edge port, it is called a protected port.

17. A. To specify a port as "protected," use the following commands:

Switch(config)#interface fa0/1

Switch(config-if)#switchport protected

18. D. In a PVLAN proxy attack, an attacker sends a packet (using the promiscuous port) with the source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router. When the router receives the packet, the router rewrites the destination MAC address to that of the target and sends the packet to the target. It is the presence of the MAC address of the router in the packet, rather than that of the target, that causes this to be possible.

19. C. Since the router is being used as the source MAC, the router is considered a "proxy."

20. D. To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet.


Chapter 8: Securing Management Traffic

1. B. In-band connection types include SNMP, virtual terminal (VTY), and HTTPS connections. Out-of-band connections include the console port and the AUX port, both physical connections that do not use the network as the transmission medium.

2. A. To set up the AUX port, you need to know the line number used by the AUX port. This can be determined with the show line command.

3. C. When a loopback address is configured and used as the management IP address, any physical interface on the device can accept the connection attempt if the loopback address is included in dynamic routing advertisements or advertised via a static route. When management access is tied to a physical IP address, the device will be unreachable when that physical interface is down.

4. B. Before setting a password on the VTY lines, you should determine how many of these lines exist on the device (which varies) so that you secure them all. Use this command to learn the number of VTY lines:

R1(config)#line vty ?

R1(config)#line vty <0-15>

5. B. These locations and their associated data are called OIDs. The OID number describes the path through the tree-like structure where the specific piece of information is located.

6. B. These functions can be configured using three modes, which represent various combinations of these capabilities: noAuthNoPriv, which is no hashing to secure authentication or encryption of data (referenced as noauth in the command); AuthNoPriv, which is hashing to secure authentication but no encryption of data (referenced as auth in the command); and AuthPriv, which is hashing to secure authentication and encryption of data (referenced as priv in the command).

7. D. All management interfaces should be protected by passwords.

8. C. To disable the HTTP server and enable the HTTPS server, execute the following commands:

R81(config)#no ip http server

R81(config)#ip http secure-server

9. D. The command syntax is as follows and is executed at the global configuration prompt:

snmp-server group group-name v3 security-policy access-type view-name access-list-number

10. A. Use of words such as Welcome may be used later as a defense that access was encouraged.

11. D. There are three types of banner messages: message of the day, EXEC, and login.

12. A. MOTD messages appear at connection time and before the login banner (if configured).


13. C. Configuring SNMP requires you to set an engine ID for any device used to manage SNMP. This is an ID number composed of 24 hex characters. When inform messages are sent to stations, it is the engine ID that identifies the station.

14. B. Assigning views is optional. In the absence of this, users will be able to view the entire MIB.

15. C. read-view is the name of the view that is created by the command, not the group name.

16. B. MD5 will be used to compute a hash value of the update sent to the client. The client will perform a hash calculation of the update using the same shared key and will compare the results. A match in results serves as assurance that the update came from the legitimate NTP server.

17. A. To configure NTP authentication, the high-level steps (to be performed on both the server and client) are configuring an NTP authentication key number and MD5 string (shared secret), specifying at least one trusted key number referencing the key number in the first step, and enabling NTP authentication.

18. A. While FTP and TFTP can be used to transfer configurations and IOS images across the network, these protocols lack the ability to encrypt the transmission. A better alternative is the Secure Copy Protocol (SCP). This is an implementation of the Remote Copy Protocol (RCP) that operates over an SSH connection.

19. C. With the server setup in place, you simply reference the SCP server by putting the URL in the copy command. For example, if the server were named scp-srv and you wanted to copy the running configuration to it under the security context of an account named admin with a password of mypass, while naming the file r88-config.txt, you would use the following command:

R88#copy run scp://admin:mypass@scp-srv/r88-config.txt

20. B. SNMP stores the settings in a MIB. This is a repository with a hierarchical structure, with standardized locations for each piece of configuration or status information.


Chapter 9: Understanding 802.1x and AAA

1. A. The 802.1x standard defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses these three components:

Supplicant: The user or device requesting access to the network

Authenticator: The device through which the supplicant is attempting to access the network

Authentication server: The centralized device that performs authentication

2. B. While TACACS+ does separate the three AAA processes, it uses TCP rather than UDP; it creates more traffic than RADIUS and encrypts the entire body except the TACACS+ header.

3. B. The command aaa new-model enables AAA services.

4. C. To configure an authentication method that specifies local authentication on all lines (by adding the default keyword), use this command: aaa authentication login default local

5. B. The configuration will apply to all lines except for the Con 0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.

6. B. The Cisco Secure Access Control Server (ACS) can operate either as a RADIUS server or as a TACACS+ server.

7. D. While some Cisco devices, such as the Cisco Adaptive Security Appliance (ASA), can communicate directly with LDAP repositories or Active Directory for authentication purposes, most do not.

8. C. Specify a name for the TACACS+ server. This name does not need to match the actual name of the server and is only locally significant. When you execute this command, the prompt will change to the ensuing prompt, where you will enter the IP address and type and the shared secret.

9. A. This can be done by using the test command to test an authentication using the TACACS+ server. For example, to test the username mytest with a password of mypass, use the following command:

R99(config)#test aaa group tacacs mytest mypass new-code

Sending password

User successfully authenticated

USER ATTRIBUTES

Username 0 "mytest"

Reply-message 0 "Password:"

10. B. To specify the use of TACACS+ in the method list for authorization while also specifying a backup method, use the following command:

aaa authorization exec default group tacacs+ local

In this case, the backup is local authentication.

11. C. Enabling per-command authorization is optional to the process.

12. B. The TACACS+ server consults the LDAP server, the LDAP server performs authentication, and the AAA server passes the result to the supplicant.

13. B. Posture assessment is the ability to verify the minimum security requirements of a device before allowing access. If issues arise such as missing OS or security updates, the device may be either remediated or denied entry.

14. B. This command provides access to the CLI (by including the exec keyword) on all lines (by adding the default keyword).

15. A. This command creates a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass.

16. B. Controlling the activities of those with administrative access by using user accounts rather than privilege levels provides more accountability.

17. C. While TACACS+ supports Cisco commands, RADIUS does not.

18. C. 802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components.

Supplicant: The user or device requesting access to the network

Authenticator: The device through which the supplicant is attempting to access the network

Authentication server: The centralized device that performs authentication

19. A. The role of the authentication server can be performed by a Remote Authentication Dial-in User Service (RADIUS) or Terminal Access Controller Access Control System+ (TACACS+) server.

20. B. Profiling is the ability to determine the type of device from which a network access request is originating and to apply a set of access policies specific to the profile attached to that device. This means a user might have multiple profiles, each attached to the various devices they use.


Chapter 10: Securing a BYOD Initiative

1. C. The Cisco Integrated Services Engine (ISE) is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections. It combines AAA, posture assessment and profiling, and guest access management.

2. A. The following can be considered during both the access request and the following authorization request:

Who is the individual?

What device are they using?

Where are they connecting from?

When are they connecting?

How are they connecting?

3. A. The ISE can make use of several advanced features to provide granular and dynamic access control policies. Among these are downloadable ACLs (dACLs), which are IP-based ACLs that are implemented on devices when the policy calls for it.

4. B. Security group access (SGA) applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology.

5. C. Change of authorization (CoA) updates provide the ability of ISE to change the authorization policy in real time after the administrator makes a change, without requiring a log-off for the change to take effect.

6. D. Posture assessment can check the health of a device before allowing access and, if the check fails, can remediate the device.

7. A. Web authentication (WebAuth) enables network access for end hosts that do not support IEEE 802.1x authentication.

8. C. The three main functions of TrustSec are to classify each device by assigning a security group tag (SGT) to its IP address, to transport or communicate this classification information throughout the network using a process called inline tagging (for those networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not, and to enforce access rules through the examination of the SGTs.

9. B. Classification of a device is done through the application of an SGT. These tags, 16 bits in length, can be applied dynamically or statically.

10. A. Transportation or communication of this classification information throughout the network uses a process called inline tagging (for networking devices that support inline tagging) or the SGT eXchange Protocol (SXP) for those networking devices that do not.


11. A. Dynamic tagging is possible when the authentication method is 802.1x, MAC bypass, or web authentication. In dynamic tagging, the ISE pushes the SGT to the network access device (NAD).

12. A. The SGT will be in a new section of the Ethernet header called the Cisco Metadata (CMD) header.

13. C. The CMD holds other information besides the SGT. Overall, this adds 20 bytes to the size of the header.

14. D. One thing to note is that in cases where two networking devices are also using 802.1ae security (MACsec), the addition of the 802.1ae header and ICV field will result in a total addition to the Ethernet header of 40 bytes.

15. A. SXP connections are point-to-point TCP-based connections created between two endpoints; one must be designated as the speaker and the other as the listener (any other combination of the two roles will fail).

16. C. Version 1 only supports IPv4 binding propagation. Version 2 supports both IPv4 and IPv6 binding propagation. Version 3 added support for subnet to SGT mappings. If speaking to a lower-version listener, the speaker will expand the subnet. Version 4 added loop detection and prevention, capability exchange, and a built-in keep-alive mechanism.

17. A. The Cisco Adaptive Security Appliance and several other routing platforms use a different method to enforce TrustSec. While ISE manages SGACLs centrally, these devices are configured individually with ACLs that reference the SGT numbers or security group names. This is called Security Group Firewall (SGFW).

18. A. Mobile device management software is designed to make it possible to exert control over personal mobile devices that users want to use on the enterprise network. When used in conjunction with ISE, the combination can be a powerful and secure identity and authentication solution for both company-owned and non-company-owned devices.

19. A. In the context of a BYOD architecture, the ISE, when working in combination with mobile management, ties together the provisioning of mobile devices along with a health check of the device at each connection request.

20. B. One of the three main functions of TrustSec is the enforcement of access rules through the examination of the SGTs.


Chapter 11: Understanding VPNs

1. C. When the choice is made to use ESP, one of the protocols in the suite, at the least the data payload will be encrypted, and depending on the delivery mode, the entire packet including the header may be encrypted.

2. A. It does this by using the hashing algorithm you select during implementation. This is hash-based message authentication (HMAC).

3. B. When confidentiality of an IPsec connection is not required, the Authentication Header (AH) protocol can be used. While it does provide data integrity, origin authentication, and anti-replay protection, the data is sent in clear text.

4. C. The key management process in IPsec provides for the dynamic generation of keys to be used for encryption and for their secure exchange over an untrusted network, such as the Internet. The Diffie-Hellman key exchange algorithm is used, and an asymmetric algorithm is used to create and exchange symmetric keys for this process.

5. C. In 2005, the NSA identified a set of cryptographic algorithms that are the preferred method for securing information. It called these algorithms Suite B. These algorithms use a minimum key length of at least 128 bits.

6. C. Suite B cryptography uses the following algorithms:

AES encryption with either 128- or 256-bit keys

SHA-2 hashing

Elliptic Curve digital signature algorithm (ECDSA) for digital signatures using 256-bit and 384-bit prime moduli

Key exchange using Elliptic Curve Diffie-Hellman Exchange (ECDHE)

7. C. The key exchange is performed by the Diffie-Hellman algorithm.

8. D. The IPsec transform set is negotiated in phase 2 of IKE.

9. B. Main mode consists of three exchanges.

Peers negotiate the encryption and hashing algorithms to be used.

The Diffie-Hellman protocol is used to generate a shared symmetric key.

The SA is built, and then the peers authenticate one another within the SA.

10. D. The Diffie-Hellman protocol is used to generate a shared symmetric key in the Main mode of phase 1.

11. A. IKEv2 has fewer transactions; this results in increased speed.

12. B. When AH is used in transport mode, only the payload is authenticated.

13. C. When ESP is used in tunnel mode, the entire packet is encrypted, and a new IP header is added.


14. A. While the use of IPsec is not required when using IPv6, the IPv6 packet structure was redesigned to accommodate its use.

15. A. When using a remote access VPN, there are two default behaviors that can cause issues. The two behaviors are as follows:

Once a tunnel is operational, all traffic leaving the VPN client must pass through the tunnel.

By default, an ASA will not forward packets back out the same interface on which they were received.

16. B. To solve this issue, you must enable an option called Enable Traffic Between Two Or More Hosts Connected To The Same Interface. This is commonly referred to as hairpinning. This option is found by navigating in the ASDM to Configuration > Device Setup > Interfaces.

17. C. Another advanced option you can enable is called split tunneling, and when enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel. When this is done, an ACL is used to determine the traffic that goes through the tunnel (all traffic except for Internet) and the traffic that does not go through the tunnel (Internet).

18. B. To enable Always-On, you must first enable Trusted Network Detection in a profile that applies to the user. This feature enables the device to know when it is connected to the corporate LAN and when it is not.

19. A. As ESP does not utilize the concept of source and destination ports, NAT has difficulty operating when IPsec traffic arrives at the NAT device. NAT traversal encapsulates IPsec within UDP, providing the requisite ports for NAT.

20. C. In IPv6, extension headers are used. These headers, when used, come after the original IPv6 header. The next header field in the original IPv6 header is used to indicate whether the extension header is AH or ESP. It uses the protocol value of 50 for ESP and 51 for AH.


Chapter 12: Configuring VPNs

1. A. The supported algorithms are 3DES, IDEA, RC4, and AES.

2. A. An SSL/TLS VPN can use RSA, DSA, and ECC for authentication.

3. A. The steps are as follows:

1. The client initiates the process by starting the exchange of hello packets between the client and the VPN gateway (the ASA).

2. The server transmits its certificate to the client (which will include its public key).

3. If mutual authentication is required, the client sends its certificate to the server.

4. Session keys are exchanged, and the data transfer begins.

4. D. Configuring user authentication comprises three subtasks: creating accounts for the VPN users, configuring a group policy for the VPN users specifying in the policy clientless SSL VPN as the tunneling protocol, and creating a connection profile for the VPN users and connecting the policy to the profile.

5. A. The ISE module performs a client-side assessment.

6. C. Defining the IPsec transform set includes specifying the encryption and integrity algorithms.

7. C. The group 5 command specifies 1024-bit Diffie-Hellman for key exchange.

8. A. The number 10 refers to the sequence number of the line in the crypto map. The name of the map is mymap.

9. B. While certificates can be deployed on both the client and the server to enable mutual authentication, in most cases a certificate is deployed only on the server because that can secure the connection as well as when certificates are deployed on both ends.

10. B. The possible authentication mechanisms available are DSA, ECC, and RSA.

11. D. In the second step, the server transmits its certificate to the client (which will include its public key).

12. B. Once the session keys are exchanged, the data transfer begins. When the traffic gets beyond the ASA, the information will be in clear text, but it will be encrypted between the client and the ASA.

13. B. When using the Cisco clientless SSL VPN, the remote device uses the browser to connect to an SSL-enabled website on the ASA or on a Cisco router.

14. B. MD5 is one of three integrity algorithms that can be used, including SHA1 and SHA2.

15. B. A crypto ACL defines the traffic types to be sent and protected through the tunnel.

16. B. It defines a security association lifetime of 1 day (86400 seconds).


17. A. AES_SHA is the name of the transform set. The mechanism for payload authentication is ESP HMAC. The mechanism for payload encryption is ESP, and the IPsec mode is tunnel (defaults to tunnel).

18. B. The key exchange management algorithms available in an SSL VPN are DH, DSS, and RSA.

19. B. To utilize a Cisco AnyConnect SSL VPN, a VPN client called the AnyConnect client must be installed on the user device.

20. B. Remediation with the ASA module, not the ISE module, is limited to working with the software present on the endpoint, meaning it can enable, disable, or update that software.


Chapter 13: Understanding Firewalls

1. C. Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers.

2. A. Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information.

3. B. A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will, because it does this at the kernel layer.

4. D. Application firewalls operate at the application layer and are not considered proxy firewalls.

5. A. Personal firewalls may be either those that come with an operating system, like the Windows Firewall, or third-party host firewalls such as Kaspersky Internet Security or ZoneAlarm Pro Firewall. These firewalls are called either host or personal firewalls and protect only the device on which the software is installed.

6. A. The contents of the state table include the following for each connection: source IP address, source port number, destination IP address, destination port number, IP protocol, flags, and timeout.

7. B. Application-level proxies perform deep packet inspection. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.

8. C. Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.

9. D. Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information.

10. A. Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake.

11. B. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands.

12. C. A packet should never arrive at a firewall for delivery that has both the SYN flag and the ACK flag set unless it is part of an existing handshake process, and it should be in response to a packet sent from inside the network with the SYN flag set.


13. D. The firewall records all operations in its state table and will monitor that table whenever a packet arrives at the firewall to ensure that any packets permitted either are connection requests from the inside (SYN packets only) or are part of an existing connection, and that all rules of the handshake are enforced.

14. A. While never a replacement for properly positioned network firewalls, personal firewalls are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you always deploy multiple barriers to unauthorized access.

15. B. A SOCKS firewall is an example of a circuit-level firewall. This requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.

16. B. A SYN/ACK packet in response to a SYN packet in a current connection setup is normal and would be allowed.
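The following is an added example (not from the study guide) of the state-table logic that answers 6, 12, 13 and 16 describe: a minimal stateful firewall that admits only SYN-only connection requests from the inside, allows a SYN/ACK from outside only when it answers a SYN the table already holds, enforces the handshake order, and expires idle entries. The IP addresses, ports and timeout value are constructed sample values.

```python
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    direction: str  # "out" = leaving the inside network, "in" = arriving from outside


class StatefulFirewall:
    """Minimal TCP state table: inside hosts may open connections, outside hosts
    may only answer them, and the order of the handshake is enforced."""

    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout
        # key = (inside_ip, inside_port, outside_ip, outside_port) -> [state, last_seen]
        self.table = {}

    @staticmethod
    def _key(pkt: Packet):
        # Normalise both directions of a connection onto the same table entry.
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt: Packet, now: float) -> str:
        """Return "permit" or "drop" for one packet and update the table."""
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] > self.idle_timeout:
            del self.table[key]  # stale connection: treat as if it never existed
            entry = None
        syn, ack = bool(pkt.flags & SYN), bool(pkt.flags & ACK)

        if entry is None:
            # Only a bare SYN from the inside may create a new entry.
            if pkt.direction == "out" and syn and not ack:
                self.table[key] = ["SYN_SENT", now]
                return "permit"
            return "drop"  # includes an unsolicited SYN/ACK or SYN from outside

        state = entry[0]
        if state == "SYN_SENT":
            # The only legal answer is a SYN/ACK from the outside peer.
            if pkt.direction == "in" and syn and ack:
                entry[:] = ["SYN_RECEIVED", now]
                return "permit"
            return "drop"
        if state == "SYN_RECEIVED":
            # Inside host completes the handshake with a plain ACK.
            if pkt.direction == "out" and ack and not syn:
                entry[:] = ["ESTABLISHED", now]
                return "permit"
            return "drop"
        # ESTABLISHED: data flows both ways, but a new SYN inside an open connection is abnormal.
        if syn:
            return "drop"
        entry[1] = now
        return "permit"


if __name__ == "__main__":
    fw = StatefulFirewall()
    inside, outside = "10.1.1.15", "203.0.113.5"  # constructed sample addresses
    print(fw.process(Packet(outside, 443, inside, 40000, SYN | ACK, "in"), 0))   # drop (no SYN seen)
    print(fw.process(Packet(inside, 40000, outside, 443, SYN, "out"), 1))        # permit
    print(fw.process(Packet(outside, 443, inside, 40000, SYN | ACK, "in"), 2))   # permit
    print(fw.process(Packet(inside, 40000, outside, 443, ACK, "out"), 3))        # permit
```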

17. C. Proxy firewalls include SOCKS firewalls, circuit-level firewalls, and kernel-level firewalls.

18. D. While never a replacement for properly positioned network firewalls, they are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth.

19. A. Operating at the Application layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.

20. B. Packet filtering firewalls inspect the header of the packet for allowed IP addresses or port numbers. Since these values reside at the Network and Transport layers, respectively, these firewalls operate at those layers.


Chapter 14: Configuring NAT and Zone-Based Firewalls

1. B. In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.

2. D. The Manual NAT After Auto NAT section is read last and contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.

3. D. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you.

4. C. The show xlate command on an ASA shows the translations that have occurred.

5. C. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.

6. B. Zones are collections of networks reachable over a router interface.

7. D. A match statement is used to specify the traffic and can match traffic based on an ACL, protocol, or another class map.

8. C. The actions can be defined using action statements. The actions can be inspect (triggers stateful packet inspection), drop (denies traffic), or pass (permits traffic).

9. B. The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing.

10. C. In PAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.

11. C. The value 21505 is the source port number selected by the device at 10.1.1.15 for the ICMP session.

12. D. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes.

13. B. Use the following command to create the zone called inside:

RTR64(config)#zone security inside

14. C. The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing. An example of this type of traffic would be traffic to manage the device using SSH. It also applies to traffic generated by the router. The traffic going from the router back to the device making the SSH connection to manage the device would be an example of such router-generated traffic.

15. A. Applied at the interface configuration prompt, the command to assign an interface to the outside zone is as follows:

RTR64(config-if)#zone-member inside

16. C. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes.

17. A. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zone.

18. A. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.

19. A. In this section, also called object NAT, translations that are defined on the object itself are contained. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and require the same public IP address always) or dynamic translations for clients trying to reach the Internet.

20. A. In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than mapping the private IP addresses to the public IP addresses, the NAT device maps the public IP addresses from the pool on a dynamic basis, much like a DHCP server does when assigning IP addresses.


Chapter 15: Configuring the Firewall on an ASA

1. A. Application Inspection Control (AIC), or application protocol control as it is also called, verifies the conformance of major application layer protocol operations to RFC standards.

2. B. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode.

3. C. In clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy.

4. A. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.

5. B. The nameif command is used at the interface configuration prompt.

6. C. The http server enable command is required to start the HTTP service on the ASA.

7. D. The command http ip-address mask interface is used to define an IP address on the specified network that will be allowed to connect to the ASA using HTTP to manage the ASA.

8. A. Security levels define the trustworthiness of the interface. The higher the level, the more trusted the interface.

9. B. There is an implicit permit for traffic flowing from a high-security interface to a low-security interface. High and low are defined by the security value assigned.

10. C. The command security-level value is used at the interface configuration prompt.

11. A. You will need to create an access rule to allow traffic in each of the following scenarios: between interfaces of the same security level, and traffic from a lower-security interface to a higher-security interface.

12. B. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when there are multiple networks that might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.

13. D. In the Cisco Modular Policy Framework, class-maps are used to categorize traffic types into classes.

14. A. On the Service Policy rule page, the Global radio button applies the policy to all interfaces.

15. B. You will need to create a network object to represent the 192.168.5.0/24 network, create a service object to represent HTTP, and create a host object to represent the server at 201.3.3.3.

Page 351: CCNA security study guide: exam 210-260

16. C.IntheCiscoModularPolicyFramework,servicepoliciesareusedtospecifywherethepolicymapshouldbeimplemented.

17. B.Sinceoutsidehasasecuritylevelof0andthedmzhasalevelof50,trafficfromthelowerlevel(0)tothehigherlevel(50)willbedisallowed.

18. C.ThecommanddefinesanIPaddressontheinsidenetwork(definedbytheinterfacename)thatwillbeallowedtoconnecttotheASAusingeitherSSHorHTTPtomanagetheASA.

19. C.IntheCiscoModularPolicyFramework,policymapsareusedtodefinetheactiontobetakenforaclass.Actionsthatcanbespecifiedareallow,blockandrate-limit.

20. D.Thereisanimplicitdenyfortrafficflowingfromalow-securityinterfacetoahigh-securityinterface.Highandlowaredefinedbythesecurityvalueassigned.
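The pieces that the Chapter 15 answers describe one at a time (nameif and security-level on each interface, http server enable with http and ssh management restrictions, an object-based access rule that opens a lower-to-higher security path, and a class map, policy map and global service policy from the Modular Policy Framework) fit together in one ASA configuration. The following is an added example written for this answer key, not a configuration from the book or from Cisco; the interface names, the addresses (RFC 1918 and documentation ranges), the object names DMZ-WEB and WEB-HTTP and the access list name OUTSIDE-IN are constructed for illustration.

```cisco
! Constructed example: three routed interfaces with the security levels
! used in answer 17 (outside 0, dmz 50, inside 100)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Management plane: ASDM/HTTPS and SSH are reachable only from the inside
! network (answers 6, 7 and 18). SSH also needs an RSA key pair and a
! configured user, which are omitted here.
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
!
! Object-based rule (answers 12 and 15): a network object for the DMZ web
! server and a service object for HTTP. The object NAT line publishes the
! server on a constructed public address.
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
object service WEB-HTTP
 service tcp destination eq www
!
! outside (0) to dmz (50) is low-to-high and therefore implicitly denied
! (answers 11, 17, 20); this rule permits exactly one service to one host.
! Traffic from dmz or inside toward outside needs no rule (answer 9).
access-list OUTSIDE-IN extended permit object WEB-HTTP any object DMZ-WEB
access-group OUTSIDE-IN in interface outside
!
! Modular Policy Framework: the class map selects traffic (answer 13), the
! policy map attaches an action to the class (answer 19), and the service
! policy says where it applies (answer 16). "global" is the CLI form of the
! Global radio button in answer 14.
class-map HTTP-TRAFFIC
 match port tcp eq www
policy-map global_policy
 class HTTP-TRAFFIC
  inspect http
service-policy global_policy global
```

Two points worth checking on a real unit: the access list references the server's real (private) address, because on ASA 8.3 and later access rules are evaluated after NAT is undone, and global_policy already exists on a default configuration, so the class is being added to it rather than creating a second policy. Everything not explicitly permitted from outside remains blocked by the implicit deny.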

Chapter 16: Intrusion Prevention

1. A. A threat is an identified security weakness to which any specific environment may or may not be vulnerable. For example, a threat might exist in the form of a new attack on Oracle database servers, but if you use Microsoft SQL Server, it is a threat to which you are not vulnerable.

2. A. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized to block the traffic. Drop means the IPS quietly drops the packets involved.

3. C. The ability to monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal, is a strength of host-based IPS and a weakness of network-based IPS.

4. A. The attack fragments the packet containing the malicious code so that it becomes difficult for the IPS to recognize the code in such a fragmented fashion.

5. D. There are four categories of functions of which FireSIGHT is capable. They include detection, learning, adapting, and acting. Blocking is a form of acting.

6. A. A zero-day threat is any threat not yet remediated by malware vendors or software vendors. This type of threat cannot be detected through attack signature-based methods and is usually only discovered by malware or IPS/IDS software that uses heuristics.

7. B. Cisco AMP for Endpoints is composed of connectors installed on endpoints. It uses a cloud-based detection process that offloads the detection burden to the cloud. Cisco AMP for Networks uses FirePOWER appliances to detect malware in transit.

8. A. The sensor is connected to a port on the switch to which all traffic has been mirrored by making the port a SPAN port.

9. C. Many protocols' information can be communicated or expressed in multiple ways. For example, HTTP can accept strings expressed in hexadecimal, Unicode, or standard text expressions. Attackers can use this to evade an IPS sensor. If the IPS cannot perform protocol normalization (decoding the payload to discover its significance), this attack may succeed.

10. C. A vulnerability is any susceptibility to an external threat that a device or system may possess. A threat only becomes a vulnerability when the threat target is present in your environment and is in the state required to take advantage of the vulnerability.

11. C. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. Shun sends a packet with the RST flag when a non-TCP connection is encountered.

12. C. In this mode, the sensing device is placed in the line of traffic and analyzes the original traffic, not a copy, in real time. Therefore, it can take actions on the traffic, allowing it to operate as a true IPS.

13. A. One of the options is to place the sensor outside the perimeter firewall (ASA). When placed here, the sensor will generate a very high number of alarms because this is an exposure to the most untrusted network, the Internet.

14. D. An exploit occurs when a threat and vulnerability both exist and a threat actor takes advantage of the situation. The term exploit also refers to the specific tool or attack methodology used.

15. D. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. When blocking, the IPS directs another device (a router or firewall) to block the traffic.

16. B. The tap is placed between the router and the layer 3 switch. It provides full-duplex connectivity between the devices and splits off two simplex mirrors of the full-duplex traffic. All traffic between the two devices must traverse the sensor.

17. A. The attacker injects a bogus string into the attack code and breaks the attack into fragments. The attacker then manipulates the TTL value of the fragment containing the bogus string in such a way that the fragment dies (and never gets delivered) before it reaches the destination. If the IPS does not consider the fragment offset values or TTL values, it will detect the bogus string rather than the actual payload. The result is that after inspection by the IPS, the bogus string does not get delivered; the attack payload does.

18. C. The inability to monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal, is a strength of host-based IPS and a weakness of network-based IPS.

19. B. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. Reset sends a packet with the RST flag that ends any TCP connection.

20. B. A risk is created when a threat exists to which a system is vulnerable.

Chapter 17: Content and Endpoint Security

1. B. Reputation-based filtering relies on the identification of email servers that have become known for sending spam. When a system can do this, it must rely on some service for developing these "reputations."

2. A. Data leakage occurs when sensitive data is disclosed to unauthorized personnel, either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage.

3. B. Network DLP is installed at network egress points near the perimeter, where it analyzes network traffic.

4. A. Precise methods involve content registration and trigger almost zero false-positive incidents.

5. A. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.

6. A. Advanced Malware Protection (AMP) is the malware component in ESA that uses a combination of several technologies to protect you from email-based malware.

7. A. File reputation sends a fingerprint of every file that traverses the Cisco email security gateway to AMP's cloud-based intelligence network for a reputation verdict. Based on these results, you can block malicious files identified as having a bad reputation.

8. B. The Cisco Web Reputation System (WBRS) uses real-time analysis on a vast, diverse, and global data set to detect URLs that contain some form of malware. WBRS is a critical part of the Cisco security database, which protects customers from blended threats from email or web traffic.

9. C. The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host or by using the Web Cache Control Protocol on an inline device like the perimeter router.

10. A. By leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort reputation filters analyze more than 50 web and network parameters to evaluate a website's trustworthiness.

11. C. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.

12. C. In the safe sandboxed environment, AMP can obtain details about the threat level of the malware and communicate that information to the Cisco Talos intelligence network to update the AMP cloud data for all.

13. C. The WSA anti-malware system uses multiple scanning engines in a single appliance. It uses the Dynamic Vectoring and Streaming Engine and verdict engines from both Webroot and McAfee.

14. D. WSA uses Application Visibility and Control (AVC) to allow for the control of the use of web applications. Granular policy control allows administrators to permit the use of applications such as Dropbox or Facebook while blocking users from activities such as uploading documents or clicking the Like button.

15. B. The main task of Cisco ISE is to manage access to the network, but its abilities go beyond that. It can provide AAA services so that you can deploy 802.1X security. Using Cisco TrustSec technology, it also can enforce endpoint security policies that ensure that many of the security measures in this section are compliant with the policy.

16. B. File retrospection allows for the identification and removal of these files later. If malicious behavior is spotted later, AMP sends a retrospective alert so that you can contain and remediate the malware.

17. B. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.

18. C. Imprecise methods can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.

19. C. Endpoint DLP runs on end-user workstations or servers in the organization.

20. A. Context-based filtering filters the message and attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.

Comprehensive Online Learning Environment

Register to gain one year of FREE access to the online interactive learning environment and test bank to help you study for your CCNA Security certification exam—included with your purchase of this book!

The online test bank includes the following:

Assessment Test to help you focus your study to specific objectives

Chapter Tests to reinforce what you've learned

Practice Exams to test your knowledge of the material

Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam

Searchable Glossary to define the key terms you'll need to know for the exam

Register and Access the Online Test Bank

To register your book and get access to the online test bank, follow these steps:

1. Go to bit.ly/SybexTest.

2. Select your book from the list.

3. Complete the required registration information, including answering the security verification proving book ownership. You will be emailed a PIN code.

4. Go to http://www.wiley.com/go/sybextestprep, find your book on that page, and click the "Register or Login" link under your book.

5. If you already have an account at testbanks.wiley.com, log in and then click the "Redeem Access Code" button to add your new book with the PIN code you received. If you don't have an account already, create a new account and use the PIN code you received.

WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.