4.0
For questions: www.securityie.com
cciesecurityv4
CCBOOTCAMP’s Study Guide for the Cisco CCIE Security 4.0 Written Exam
Authors: Brad Ellis, Edwin Marin
Copyright© 2014 Network Learning, Inc.
Published by:
CCBOOTCAMP (Cisco Learning Solutions Partner)
375 N Stephanie Building 21
Henderson, NV 89014 USA
All rights reserved. No part of this book may be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording,
or by any information storage and retrieval system, without written permission from
the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
Warning and Disclaimer
This book is designed to provide information about the Cisco Security written exam. Every
effort has been made to make this book as complete and as accurate as possible, but
no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, editors, and
CCBOOTCAMP, shall have neither liability nor responsibility to any person or entity
with respect to any loss or damages arising from the information contained in this
book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily
those of CCBOOTCAMP.
Trademark Acknowledgements
All terms mentioned in this book that are known to be trademarks or service marks
have been appropriately capitalized. CCBOOTCAMP cannot attest to the accuracy of
this information. Use of a term in this book should not be regarded as affecting the
validity of any trademark or service mark.
www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected]
Copyright ©2014, Network Learning, Incorporated
ii
Feedback Information
At CCBOOTCAMP our goal is to create advanced technical material of the highest
quality and value. Each book is authored with attention to detail, undergoing
strenuous development that involves input from a variety of technical experts.
For technical support on this book, please visit: www.securityie.com
Readers’ feedback is a natural part of this process. If you have any comments
regarding how we could improve the quality of our materials, or otherwise change it
to better suit your needs, you can contact us through e-mail at
[email protected]. Please make sure to include the book title and ISBN
number in your message. Also, feel free to visit our website: www.ccbootcamp.com
for information on many more great products!
Thank you for your input.
About the contributors:
Author – Brad Ellis
Brad Ellis (CCIE #5796, CCSI #30482, CSS1, CCDP, CCNP, MCNE, MCSE) works as a
network engineer and is CEO of CCBOOTCAMP. He has been dedicated to the
networking industry for over 12 years. Brad has worked on large-scale security
assessments and infrastructure projects. He is currently focusing his efforts in the
security and voice fields. Brad is a dual CCIE (R&S / Security) #5796.
Contributing Author – Edwin Marin
Edwin Marin (CCNP Security, CCDA, CCNA) is a full-time instructor and Network
Operations Manager for CCBOOTCAMP, a training subsidiary of Network Learning,
Inc. Edwin has over 10 years of LAN/WAN/MAN experience. While at CCBOOTCAMP
he upgraded the version 3 security technology infrastructure to meet the
requirements of version 4. These upgrades included: ASA 8.4, IPS 4200, ACS 5,
Ironport, ISE, and more.
Table of Contents
Introduction ....................................................................xxiv
Chapter 1 Security Protocols ............................................... 1
Authentication, Authorization and Accounting ............................... 1
AAA Overview ........................................................................ 1
Overview: AAA Security Services ........................................... 1
AAA Terminology .................................................................... 3
Benefits of Using AAA............................................................. 3
AAA Configuration Process – Overview .................................. 4
AAA Request for Comments (RFCs) ........................................ 4
Remote Authentication Dial-In User Service (RADIUS) .................. 4
Introduction ........................................................................... 4
Background Information ........................................................ 5
Authentication and Authorization ........................................... 6
Accounting ............................................................................. 7
Radius Packet Format ............................................................ 7
Radius Packet Types .............................................................. 8
Radius Files ............................................................................ 9
Radius Attributes ................................................................... 9
IETF Attributes vs. VSAs............................................................... 23
RADIUS Configuration Task List ................................................... 24
AAA and RADIUS IOS Configuration ............................................. 25
Named Method Lists for Authorization ......................................... 26
Terminal Access Controller Access Control System plus (TACACS+) ................. 27
Introduction ......................................................................... 27
TACACS+ Packet Format ...................................................... 27
TACACS+ Encryption ............................................................ 29
TACACS+ Authentication ...................................................... 29
TACACS+ Authentication Example Sequence ........................ 30
TACACS+ Authorization ........................................................ 30
TACACS+ Authentication and Authorization Attributes ........ 31
TACACS+ Accounting............................................................ 38
TACACS+ Accounting Attributes ........................................... 39
Attribute ...................................................................................... 39
RADIUS and TACACS+ Compared ................................................. 43
Web Cache Communication Protocol (WCCP) ............................... 43
SGT Exchange Protocol over TCP (SXP) ........................................ 44
MACsec ......................................................................................... 46
Downlink MACsec ................................................................. 48
Uplink MACsec ...................................................................... 49
Domain Name System Security Extensions (DNSSEC) .................. 50
Records ................................................................................ 50
Cryptographic Algorithms ............................................................ 51
Introduction ......................................................................... 51
Symmetric Algorithms .......................................................... 52
Types ................................................................................. 53
Computation Speed .............................................................. 53
Asymmetric Algorithms ........................................................ 53
Postal System – An Analogy .................................................. 53
Hash Functions ..................................................................... 54
Digital Signatures................................................................. 54
Advanced Encryption Standard (AES)................................... 54
How secure is AES? .............................................................. 55
Performance ........................................................................ 55
Further Reading – AES RFCs and Books .................................. 55
Data Encryption Standard (DES) .......................................... 56
Triple DES (3DES) ................................................................ 56
Performance ........................................................................ 56
Wireless Security Protocols .......................................................... 57
Introduction ......................................................................... 57
Extensible Authentication Protocol (EAP) ............................ 57
EAP Packet Format ............................................................... 57
EAP Message Types .............................................................. 57
EAP Flavors ......................................................................... 58
EAP-FAST (TEAP) ................................................................. 58
Protected Extensible Authentication Protocol (PEAP) .......... 58
Temporal Key Integrity Protocol (TKIP) ............................... 58
802.11i ................................................................................. 59
VPN Protocols .............................................................................. 59
Introduction ......................................................................... 59
Virtual Private Networks Defined ......................................... 60
Virtual Private Networks Goals ............................................ 61
Types of Virtual Private Networks ........................................ 62
VPN Types – Based on Security .............................................. 62
VPN Types – Based on Business Model .................................... 63
VPN Types – Based on the OSI Model ..................................... 63
VPN Types – Based on Network Connectivity and End-Points ..... 64
Benefits of Virtual Private Networks .................................... 65
VPN Security Protocols – IPSEC ........................................... 66
IPSec Standards and Protocols ............................................... 67
IPSec Terminology ............................................................... 67
Anti-Replay ......................................................................... 67
Data Authentication .............................................................. 68
Data Confidentiality .............................................................. 68
Data Flow ............................................................................ 68
Peer ................................................................................... 68
Perfect Forward Secrecy (PFS) ............................................... 68
Security Association ............................................................. 69
Security Parameter Index (SPI) ............................................. 69
Transform ........................................................................... 69
Tunnel ................................................................................ 69
IPSec Functionality .............................................................. 70
IPSec Modes and Packet Encapsulation ................................ 71
Encapsulating Security Payload (ESP) ..................................... 71
Authentication Header (AH) ................................................... 72
Tunnel Mode ........................................................................ 73
Transport Mode .................................................................... 74
Authentication Header vs. ESP ............................................... 74
Further Reading ................................................................... 75
VPN Security Protocols – Internet Key Exchange (IKE) ....... 75
IKE Benefits ........................................................................ 76
IKE Protocols ....................................................................... 76
IKE Phases .......................................................................... 77
IKE Main Mode and Aggressive Mode ...................................... 77
IKE Authentication ............................................................... 78
IKEv2 ........................................................................................... 79
Creating IKE Policies .................................................................... 80
Diffie Hellman .............................................................................. 81
IPSEC and Fragmentation .................................................... 82
IPSEC and GRE ..................................................................... 83
IPSEC and QoS ..................................................................... 84
Point to Point Tunneling Protocol ......................................... 86
Configuration Summary: PPTP ............................................. 86
Configuration Sample: Basic PAC Setup: ............................. 87
Layer 2 Tunneling Protocol................................................... 88
L2TP Benefits....................................................................... 89
L2TP Implementation Topologies ............................................ 90
L2TP Security ...................................................................... 90
Multi Protocol Label Switching (MPLS) ......................................... 94
Forwarding Equivalence Class (FEC) .................................... 95
Architectural Blocks of MPLS ................................................ 95
Control plane: ...................................................................... 95
Data plane: ........................................................................... 95
Label Switch Router (LSR) ................................................... 95
Label Switched Path (LSP) ................................................... 96
Label definition .................................................................... 97
Label Format ........................................................................ 97
Label imposition/disposition ................................................ 98
Penultimate Hop Popping: .................................................... 98
Label allocation in Frame-Mode MPLS Networks .................. 99
Label allocation in Cell-Mode MPLS networks ..................... 100
Label Distribution ............................................................... 100
Label Distribution Protocol (LDP):...................................... 101
MPLS Virtual Private Networks ........................................... 101
VPN Operation .................................................................... 102
VPN Route Target Communities ......................................... 102
MPLS Forwarding ............................................................... 103
Route distinguisher (RD) ................................................... 104
MPLS VPN Virtual Routing/Forwarding Tables ................... 106
Distribution of VPN Routing Information in an MPLS VPN .. 107
BGP Distribution of VPN Routing Information .................... 107
MPLS Forwarding ............................................................... 108
Major Components of MPLS VPNs ....................................... 108
Mobile IP .................................................................................... 112
Components of a Mobile IP Network .................................. 113
How Mobile IP Works ......................................................... 114
Agent Discovery ................................................................. 114
Registration ....................................................................... 115
Tunneling ........................................................................... 116
Security .............................................................................. 118
Solution to Network Mobility .............................................. 118
Chapter 1 Questions ................................................................... 119
Chapter 1 Answers ..................................................................... 134
Chapter 2 Application Protocols....................................... 136
Domain Name System (DNS) ...................................................... 136
Trivial File Transfer Protocol (TFTP) ........................................... 139
File Transfer Protocol (FTP) ....................................................... 141
Hypertext Transfer Protocol (HTTP) ........................................... 142
Secure Socket Layer (SSL) ......................................................... 145
Simple Mail Transfer Protocol (SMTP) ........................................ 146
Network Time Protocol (NTP) .................................................... 149
Secure Shell (SSH) ..................................................................... 151
Simple Network Management Protocol (SNMP) .......................... 154
Netlogon, NetBIOS, and SMB ...................................................... 156
Remote Procedure Call (RPC) ....................................................... 157
Lightweight Directory Access Protocol (LDAP) ........................... 158
Active Directory ......................................................................... 158
Remote Desktop ......................................................................... 159
Remote Desktop Protocol (RDP) ........................................ 159
Virtual Network Computing (VNC) ..................................... 159
PC-over-IP (PCoIP) ............................................................ 160
Remote Data Exchange Protocol (RDEP) .................................... 160
OWASP ....................................................................................... 160
OWASP CSRF Guard ............................................................ 160
Unnecessary Services ................................................................. 161
Chapter 2 Questions ................................................................... 162
Chapter 2 Answers ..................................................................... 168
Chapter 3 General Networking ........................................ 169
Networking Basics / OSI Model .................................................. 169
TCP/IP Model ............................................................................. 170
Routing and Switching Concepts ................................................ 171
Cisco Hierarchical Internetworking Model .................................. 171
Distance-Vector Routing Protocols ............................................. 172
Link-State Routing Protocols ...................................................... 173
Hybrid Routing Protocols ........................................................... 174
Routing Loops ............................................................................ 174
Methods for Avoiding Routing Loops .................................. 174
Route Summarization ................................................................. 175
Tunnels ...................................................................................... 177
Networking Standards................................................................ 178
IEEE 802.x Protocols .......................................................... 178
More 802.x standards......................................................... 178
Cabling and connector standards ....................................... 179
Protocol Mechanisms ................................................................. 179
Connection-Oriented and Connectionless Service............... 179
Maximum Transmission Unit (MTU) ................................... 180
Transmission Control Protocol (TCP).......................................... 180
TCP Sliding Window (Data Transfer) .................................. 181
TCP Flags (Control Bits) ..................................................... 182
User Datagram Protocol (UDP)................................................... 182
Address Resolution Protocol (ARP) ............................................ 182
Passive Interface ............................................................... 183
Jam Signal .......................................................................... 184
Bridged Environment.......................................................... 184
Routed Environment........................................................... 185
General Bridging Rules ............................................................... 185
LAN Switching ............................................................................ 185
Routing Information Protocol (RIP) & RIP V2 ............................ 186
Split Horizon in a Hub and Spoke Network ......................... 187
Interior Gateway Routing Protocol (IGRP) ................................. 188
Open Shortest Path First (OSPF) ................................................ 189
Other OSPF Features: ......................................................... 189
OSPF Traffic Types: ............................................................ 190
OSPF Area Types: ............................................................... 190
Stub and Totally Stubby Area Similarities: ......................... 191
Stub and Totally Stubby Area Differences: ......................... 191
OSPF Peer Relationships: ................................................... 191
Router Types: ..................................................................... 193
LSA Types: ......................................................................... 194
LSA Options Field: .............................................................. 195
OSPF Summarization .......................................................... 195
OSPF Metrics ...................................................................... 196
Passive OSPF Interface ...................................................... 197
OSPF Multicast Addresses .................................................. 198
Default Routes ................................................................... 198
OSPF Timers ....................................................................... 198
OSPF Redistribution ........................................................... 198
Basic OSPF Configuration: .................................................. 198
Configuring Stub and Totally Stubby Areas: ....................... 199
Configuring a Totally Stubby Network (ABR only): ............. 199
Enhanced Interior Gateway Routing Protocol (EIGRP) ............... 199
Types of EIGRP Successors ................................................ 200
Feasibility Condition ........................................................... 200
Attributes of EIGRP ............................................................ 201
EIGRP Tables...................................................................... 201
Choosing routes ................................................................. 201
Init Flag ............................................................................. 203
EIGRP Stub Routing ........................................................... 204
Simple Hub and Spoke Network ......................................... 205
Route Summary.................................................................. 206
Auto-Summarization .......................................................... 206
Process ID for an Autonomous System .............................. 206
Show IP Route EIGRP ........................................................ 206
Show Ip Eigrp Topology ..................................................... 207
Show Ip Eigrp Neighbor ..................................................... 209
Border Gateway Protocol (BGP) ................................................. 210
Situations that may require BGP: ....................................... 211
Interior Border Gateway Protocol (IBGP) .......................... 211
Exterior Border Gateway Protocol (EBGP) .......................... 212
BGP Attributes ................................................................... 212
Weight Attribute ................................................................ 212
Local Preference Attribute ................................................. 213
Multi-Exit Discriminator Attribute ...................................... 214
Origin Attribute .................................................................. 215
AS_path Attribute .............................................................. 215
Next-Hop Attribute ............................................................. 216
Community Attribute .......................................................... 217
Cluster-List ........................................................................ 217
Originator ID ...................................................................... 218
BGP Neighbor Connectivity................................................. 218
Synchronization/Full Mesh ................................................. 219
Next-Hop-Self Command .................................................... 219
Private AS numbers ............................................................ 219
BGP Path Selection ............................................................. 220
Scalability Problems with Internal BGP (IBGP) .................. 220
Peer Groups ....................................................................... 220
Confederations ................................................................... 221
Route Reflectors ................................................................. 221
Route Summary.................................................................. 221
BGP Clusters ...................................................................... 222
Implement Routing Protocol Authentication .............................. 222
Protocols That Use Neighbor Authentication ...................... 223
How Neighbor Authentication Works ................................. 223
Key Management (Key Chains) .......................................... 223
RIP Authentication ............................................................. 224
OSPF Authentication .......................................................... 224
EIGRP Authentication ......................................................... 225
BGP Authentication ............................................................ 226
Tunneling Protocols ................................................................... 226
Configuring GRE Tunnel ..................................................... 227
NHRP .................................................................................. 228
Automatic IPv4-Compatible IPv6 Tunnels .......................... 231
ISATAP ............................................................................... 232
Configuration Examples: .................................................... 232
Manual IPv6 Tunnels Example............................................ 232
6to4 Tunnels Configuration Example: ................................. 235
IPv4-Compatible IPv6 Tunnels Configuration Example: ..... 236
ISATAP Tunnels Configuration Example: ............................ 237
High-Level Data Link Control (HDLC) ......................................... 237
Point-to-Point Protocol (PPP) .................................................... 238
Modems and Async ..................................................................... 239
IP Multicast ................................................................................ 239
Benefits of IP Multicast .............................................................. 240
Multicast ............................................................................ 240
Protocol Independent Multicast (PIM) ....................................... 241
PIM Commands .................................................................. 242
Bidirectional PIM ................................................................ 242
Rendezvous Points ............................................................. 243
Auto-RP .............................................................................. 244
Sparse-Dense Mode for Auto-RP ........................................ 245
Bootstrap Router ................................................................ 245
Multicast Source Discovery Protocol (MSDP).............................. 245
IGMP and CGMP Multicast Protocols ........................................... 246
Designated Querier ............................................................ 247
IGMP Versions 1, 2, and 3 .......................................................... 248
Multicast Addressing .......................................................... 249
Implement IPv6 Multicast .......................................................... 250
IPv6 Multicast Groups ........................................................ 250
Multicast Listener Discovery Protocol for IPv6 ................... 251
Wireless Standards .................................................................... 251
Wireless/802.11b ...................................................................... 252
Wireless Networking Terms ....................................................... 253
802.1x Authentication ................................................................ 254
802.11 On Its Own is Inherently Insecure ................................. 255
Prevention.......................................................................... 255
Detection............................................................................ 255
Wireless Networks Are Targets for Intruders ............................. 255
Interference and Jamming ................................................. 256
MAC Authentication ............................................................ 256
Ad Hoc versus Infrastructure Modes .................................. 257
Service Denial or Degradation ............................................ 257
Wireless Networks Are Weapons ........................................ 257
Authentication.................................................................... 258
Key Management ................................................................ 258
802.11 Wired Equivalent Privacy (WEP) ..................................... 258
Security Extensions to WEP Are Required .......................... 259
IPsec in a WLAN Environment .................................................... 259
802.1x/EAP ................................................................................ 260
EAP Authentication Protocols ..................................................... 262
Lightweight Extensible Authentication Protocol (LEAP) ..... 263
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) .... 263
Protected Extensible Authentication Protocol (PEAP) ........ 265
WEP Enhancements ............................................................ 266
Cisco TKIP: Per-Packet Keying ........................................... 267
Cisco TKIP—Message Integrity Check ................................ 268
EAP Authentication Summary ..................................................... 268
Chapter 3 Answers ..................................................................... 279
Chapter 4 Security Technologies ..................................... 280
Firewalls and Access Control ...................................................... 280
Introduction ....................................................................... 280
Choosing the Right Firewall ............................................... 280
Redundancy and Resiliency.................................................. 280
High Throughput Support .................................................... 281
Ease of Configuration .......................................................... 281
Detailed Logging and Notification Support ............................. 281
Types of Firewalls .............................................................. 281
Packet-filtering Firewalls ..................................................... 282
Stateful Firewalls................................................................ 283
Application Gateways .......................................................... 284
Host-Based Firewalls .......................................................... 286
Anti-Virus and Anti-Spyware Solutions ...................................... 286
Anti-Virus Software ............................................................ 286
Anti-Spyware Software ...................................................... 287
Content Filtering ................................................................ 287
QoS Attacks ................................................................................ 289
Network Address Translation ..................................................... 291
Introduction ....................................................................... 291
Benefits .............................................................................. 291
Terminology ....................................................................... 293
More NAT Terminology ....................................................... 298
Summary of NAT Commands .............................................. 299
NAT Order of Operation ...................................................... 299
Configuring IPSec-Based VPNs (Pre-Shared Keys) ..................... 301
Configuring Scalable IPSec-Based VPNs Using Digital Certificates .... 312
What are Digital Certificates? ............................................. 312
Introduction to Certificate Authorities (CA) ....................... 313
Certificate Authority Support on Cisco Routers .................. 313
Implementing IPSEC without CA Support........................... 315
Implementing IPSEC with CA Support ................................ 316
Implementing IPSEC with Multiple Root CAs ...................... 316
How CA Certificates are used by IPSec Devices? ................ 317
Registration Authorities ..................................................... 317
CA Configuration Steps on Cisco Routers ........................... 317
Verifying Keys and Certificates .......................................... 324
CA Configuration Example .................................................. 326
Configuring NAT & IPSec Together ............................................. 329
Configuration for Router 3640-2b ...................................... 329
Configuration for Router 3640-2b ...................................... 331
Intrusion Detection and Prevention ........................................... 334
Introduction ....................................................................... 334
What is Intrusion Detection?.............................................. 335
Intrusion Detection Terminology........................................ 335
Attack Identification and Analysis ...................................... 336
Anomaly Detection ............................................................. 336
Misuse Detection ................................................................ 337
Protocol Analysis ................................................................ 337
IDS placement.................................................................... 338
Network-Based Intrusion Detection Systems (NIDS) ............... 338
Host-Based Intrusion Detection Systems (HIDS) .................... 339
TCP Reset ......................................................................... 340
Blocking ............................................................................ 341
Logging............................................................................. 341
Intrusion Detection – Evasion Techniques ......................... 341
Encryption ......................................................................... 341
Flooding ............................................................................ 342
Fragmentation ................................................................... 342
Obfuscation ....................................................................... 343
Cisco Threat Response (CTR) ............................................. 343
Introduction ...................................................................... 343
Benefits ............................................................................ 344
Threat Response Investigation Levels ................................... 345
Threat Response Predefined Policies ..................................... 345
Multiphase Analysis ............................................................ 347
Attack Scenarios ................................................................ 348
EOL Status ........................................................................ 350
Network-Based Application Recognition .................................... 351
Identity Technologies................................................................. 352
Introduction ....................................................................... 352
Authentication Factors ....................................................... 352
Some Identity Technologies ............................................... 352
Static Usernames and Passwords ......................................... 353
Aging Passwords ................................................................ 353
One-Time Passwords (OTPs) ................................................ 353
Smart Cards ...................................................................... 354
Public Key Infrastructure (PKI)............................................. 354
Kerberos ........................................................................... 354
Biometrics ......................................................................... 356
PGP and S/MIME ................................................................ 356
802.1x .............................................................................. 357
Chapter 4 Questions ................................................................... 358
Chapter 4 Answers ..................................................................... 378
Chapter 5 Security Applications ....................................... 380
Cisco Secure ACS ........................................................................ 380
Introduction ....................................................................... 380
Benefits .............................................................................. 380
Cisco Secure ACS for Windows Architecture ....................... 381
ACS Version 3.3 .................................................................. 383
Software Requirements ....................................................... 384
ACS Version 4.0 .................................................................. 384
System Requirements ......................................................... 384
Software Requirements ....................................................... 384
Network and Port Requirements ........................................... 385
Features and Benefits of version 4.0 .................................. 385
Installing Cisco Secure ACS ................................................ 387
Administration of Cisco Secure ACS............................................ 389
Reports and Activity ........................................................... 390
Positioning ACS in your Network ........................................ 391
Network Topology .............................................................. 391
Remote-Access Policy ......................................................... 396
Database .......................................................................... 396
Network Speed and Reliability.............................................. 397
ACS Version 5 ..................................................................... 398
Cisco Secure ASA Firewall .......................................................... 402
Introduction ....................................................................... 402
Stateful Inspection Firewall Features ................................. 402
Intrusion Detection ............................................................. 403
URL Filtering ...................................................................... 404
Access Control Lists (ACLs) ................................................. 404
Routing Options ................................................................. 405
Customizable Administrative Roles ....................................... 405
Customizable Syslog ........................................................... 405
Management ........................................................... 406
Cisco ASA Device Manager .................................................. 406
Cisco Secure Policy Manager ................................................ 407
Large-Scale Management Solutions ...................................... 408
Two Key Components of Cisco ASA Firewalls ..................... 408
Cut-Through Proxy ............................................................. 408
Adaptive Security Algorithm ................................................ 409
How Adaptive Security Algorithm works in ASA ...................... 410
Cisco ASA 5500 Series Adaptive Security Appliances............... 412
Cisco Adaptive Security Device Manager ............................ 414
Routing and Multicast ........................................................ 415
Egress Interface Selection Process .................................... 415
Next Hop Selection Process ................................................ 416
Supported Internet Protocols for Routing .......................... 416
Multicast Support ............................................................... 417
Firewall Modes ................................................................... 418
Using Security Contexts ..................................................... 419
NAT Operation .................................................................... 419
Context-Aware Firewall ...................................................... 421
Configuring Cisco ASA Firewalls ......................................... 422
Two Interfaces with NAT and PAT ...................................... 433
Site-to-Site VPN Configuration ........................................... 434
Configuring Overlapping Networks .................................... 438
Application Inspection Using MPF ...................................... 440
Identity-based Services ..................................................... 441
Failover .............................................................................. 443
Hardware Requirements .................................................... 444
Software Requirements ...................................................... 444
License Requirements ........................................................ 444
The Failover and Stateful Failover Links ............................. 445
Failover Link....................................................................... 445
LAN-Based Failover Link..................................................... 446
Stateful Failover Link ......................................................... 447
Failover Interface Speed for Stateful Links ........................ 448
Active/Active and Active/Standby Failover ........................ 449
Active/Standby Failover ..................................................... 449
Active/Standby Failover Overview ..................................... 449
Primary/Secondary Status and Active/Standby Status ...... 449
Device Initialization and Configuration Synchronization .... 450
Command Replication......................................................... 451
Failover Triggers ................................................................ 452
Failover Actions.................................................................. 452
Active/Active Failover ........................................................ 454
Active/Active Failover Overview ........................................ 454
Primary/Secondary Status and Active/Standby Status ...... 455
Device Initialization and Configuration Synchronization .... 455
Command Replication......................................................... 456
Failover Triggers ................................................................ 457
Failover Actions.................................................................. 457
Determining Which Type of Failover to Use ........................ 459
Syslog Messages ................................................................ 460
Cisco IOS Firewall ...................................................................... 463
Cisco IOS Firewall Features ................................................ 464
Authentication Proxy.................................................................. 465
Introduction ....................................................................... 465
Working ............................................................................. 465
Authentication Proxy Screens ............................................ 466
Compatibility ...................................................................... 468
Configuring Authentication Proxy ...................................... 468
Cisco IOS Firewall TCP Intercept ................................................ 472
Modes................................................................................. 472
Configuration Sample ......................................................... 473
Cisco Context-Based Access Control (CBAC) .............................. 473
Introduction ....................................................................... 473
Traffic Filtering .................................................................. 473
Traffic Inspection and DoS Attack Protection ..................... 474
Limitations of CBAC ............................................................ 474
CBAC - Working .................................................................. 475
CBAC Deployment Scenarios .............................................. 476
The CBAC Process............................................................... 477
CBAC - Supported Protocols ............................................... 478
Generic Inspection ............................................................. 478
Application Specific Inspection ............................................. 478
CBAC - Limitations.............................................................. 479
Configuring CBAC ............................................................... 479
Generic TCP/UDP Inspection ................................................ 484
Port to Application Mapping ................................................. 487
Cisco Identity Services Engine (ISE) .................................. 489
Cisco Scansafe ................................................................... 500
Cisco Email Security Appliance ........................................... 501
Cisco Prime ........................................................................ 503
Cisco Secure Intrusion Detection System ........................... 504
Introduction ....................................................................... 504
IDS/IPS Software .............................................................. 505
New Features in Cisco IPS Software Version 7.0 ..................... 505
Cisco IDS 4.1 Software Architecture ..................................... 507
Cisco Intrusion Detection Sensors - Models ....................... 509
Cisco Intrusion Detection Solution for Routers and Switches .... 513
Cisco IDS / IPS Network Interfaces ........................................... 513
Cisco Intrusion Detection Signatures ................................. 514
Signature Categories .......................................................... 514
Signature Engines .............................................................. 515
Cisco IDS Alarm Levels ....................................................... 517
Tuning IDS Signatures ....................................................... 517
Cisco Intrusion Detection Management .............................. 517
Cisco IDS MC & IPS MC ....................................................... 518
Cisco Intrusion Detection Event Monitoring ....................... 520
Cisco IDS Management and Monitoring – Ports and Protocols .... 522
Cisco IOS Intrusion Prevention System (IPS) .................... 523
Cisco IOS IPS Overview ..................................................... 525
SDEE Overview ................................................................... 539
Cisco Catalyst Service Modules................................................... 541
Benefits .............................................................................. 543
Firewall Services Module (FWSM) ...................................... 544
Intrusion Detection System Service Module (IDSM)........... 545
IPSEC VPN Services Module (VPNSM) ................................ 546
SSL Services Module (SSLSM) ............................................ 546
Cisco VMS – Security Management System ................................ 547
Introduction ....................................................................... 547
Application ......................................................................... 548
Current Status .................................................................... 549
Cisco Router and Security Device Manager (SDM) ...................... 549
SDM Enabling an IOS Router ........................................ 553
CoPP........................................................................................... 554
CPPr ................................................................................... 556
MPP .................................................................................... 561
ZFW .................................................................................... 562
Chapter 5 Questions ................................................................... 576
Chapter 5 Answers ..................................................................... 600
Chapter 6 Security General .............................................. 603
Security Policy Best Practices ............................................ 603
Standards Bodies and Security Organizations .................... 606
Vulnerabilities .................................................................... 611
Know Your Enemy .............................................................. 612
Hacking Methodology ......................................................... 614
Common Attacks ........................................................................ 615
Countermeasures ............................................................... 629
Information Security Standards ......................................... 632
ISO 17799 ........................................................................ 632
ISO 27001 ........................................................................ 633
BS7799 ............................................................................. 634
BCP 38 ............................................................................. 635
Security and Attack Tools ................................................... 636
Chapter 6 Questions ................................................................... 639
Chapter 6 Answers ..................................................................... 646
Chapter 7 Cisco General .................................................. 647
Access Control Lists (ACLs) ................................................ 647
Basic IP Extended ACL ........................................................ 650
ICMP ................................................................................ 651
TCP .................................................................................. 651
UDP .................................................................................. 651
Logging .............................................................................. 656
Show and Debug Commands .............................................. 660
Controlling Access to a Cisco Router .................................. 671
Line Authentication ............................................................. 671
Local Authentication ........................................................... 672
AAA Authentication ............................................................. 672
Privilege Levels .................................................................. 673
Enable and Enable Secret .................................................... 674
Password Recovery ............................................................ 676
Older Routers .................................................................... 676
Newer Routers ................................................................... 679
Encrypting Cisco Passwords ............................................... 679
Disable Unnecessary Services ............................................ 680
TCP and UDP Small Services ................................................ 680
Finger ............................................................................... 680
NTP .................................................................................. 680
CDP .................................................................................. 680
DHCP ................................................................................ 681
Layer-2 Switching Security Features .................................. 681
Media Access Control (MAC) Address Flooding........................ 681
Port Security ..................................................................... 683
VLAN “Hopping” ................................................................. 684
VLAN Best Practices ............................................................ 685
Address Resolution Protocol (ARP) Attacks ............................ 685
DHCP Snooping and Dynamic ARP Inspection ........................ 685
Spanning Tree Protocol (STP) Protection ............................... 687
Chapter 7 Questions ................................................................... 688
Chapter 7 Answers ..................................................................... 698
Chapter 8 New Topics ...................................................... 699
Network Access Control (NAC) ................................................... 699
Deployment modes ............................................................ 702
NAC in Band ...................................................................... 702
NAC Out of Band ................................................................ 704
Cisco Trust Agent (CTA) ...................................................... 704
CTA Features ..................................................................... 705
Adaptive threat defense (ATD) ........................................... 706
Host Intrusion-prevention system (HIPS) .......................... 707
Cisco Security Agent (CSA) ................................................. 708
Cisco Security Agent Management Architecture ...................... 708
Cisco Security Agent for IP Communication ........................... 709
Easy Virtual Private Network (EZVPN) ............................... 710
Easy VPN Client .................................................................. 711
Easy VPN Remote ............................................................... 711
Easy VPN Server ................................................................. 712
Secure Sockets Layer Virtual Private Network (SSLVPN) ..... 713
Cisco IOS IPS ..................................................................... 714
Key Benefits ...................................................................... 714
Actions for Detected Signatures ........................................... 715
Handling Distributed Denial of Service (DDOS) attacks ...... 715
Cisco Traffic Anomaly Detectors ........................................... 716
Cisco Traffic Anomaly Detector Module.................................. 717
Cisco Guard DDoS Mitigation Appliance ................................. 718
Cisco Anomaly Guard Module ............................................... 719
Cisco Security Management ............................................... 720
Cisco Adaptive Security Device Manager (ASDM) .................... 720
Cisco Router & Security Device Manager (SDM) ..................... 722
Cisco Security Manager (CSM) ............................................. 728
IDM .................................................................................... 733
IME .................................................................................... 733
CCP .................................................................................... 734
ACS SE................................................................................ 734
AnyConnect ........................................................................ 734
FPM .................................................................................... 743
GETVPN .............................................................................. 755
Key Server Configuration ................................................... 758
Group Member Configuration ............................................. 760
VRF-aware Technologies .................................................... 762
VXLAN ................................................................................ 762
Netflow .............................................................................. 767
Chapter 8 Questions: .................................................................. 770
Chapter 8 Answers: .................................................................... 777
INDEX .............................................................................. 779