CCIE Security - Core Knowledge Questions - Summary Sheet

The information in this article is intended for preparation and review of the CCIE Core Knowledge section.

Security Features

Private VLANs

Private VLANs - this feature prevents inter-host communication, providing port-based isolation among adjacent ports within the same PVLAN.

PVLAN Ports:

  • Promiscuous port - can communicate with all interfaces, including isolated and community ports within the Private VLAN.
  • Isolated port - can communicate only with promiscuous ports, not with each other.
  • Community port - can communicate with other ports in the same community and with promiscuous ports.


PVLAN Types:

  • Primary VLAN - carries traffic from promiscuous ports to isolated, community and other promiscuous ports
  • Isolated VLAN - carries traffic from isolated ports to promiscuous ports
  • Community VLAN - carries traffic between community ports within the same community VLAN and to promiscuous ports.

 

Dynamic ARP Inspection

This feature prevents ARP-spoofing man-in-the-middle attacks in an L2 environment.
It can work with either a DHCP or a non-DHCP setup.
Configure the non-dynamic (trusted) interface with:

int G0/1
ip arp inspection trust

Then enable DAI globally on the switch for VLAN 55.

ip arp inspection vlan 55


In a non-DHCP environment there is no DHCP snooping binding table, so the ARP database must be supplied as a user-defined ARP ACL:

arp access-list ARP_ACL
 permit ip host 10.1.1.1 mac host 1111.1111.1111
! apply the ACL to the VLAN (the name must match the ARP ACL above)
ip arp inspection filter ARP_ACL vlan 55
! make G0/1 untrusted again so its ARP packets are checked against the ACL
int G0/1
 no ip arp inspection trust

To verify:

show ip arp inspection vlan 55


DoS - to limit floods of ARP packets on an untrusted interface, use the per-interface rate limit:

int G0/1
 ip arp inspection limit rate <pps>
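To make the decision logic concrete, here is an added Python model of DAI on one VLAN (an illustration written for this sheet, not IOS code). It takes the bindings from the ARP_ACL above, treats G0/1 as the trusted port from the first configuration, drops any sender on an untrusted port that has no binding, and err-disables an untrusted port that exceeds the 15 pps default rate limit; the access ports G0/2 and G0/3, the MAC addresses and the burst are constructed.

```python
import re
from collections import defaultdict

# Pulls the IP/MAC bindings out of IOS "arp access-list" text such as the
# ARP_ACL above: "permit ip host 10.1.1.1 mac host 1111.1111.1111"
ACE_RE = re.compile(r"permit ip host (\S+) mac host ([0-9a-fA-F.]+)")


def parse_arp_acl(acl_text):
    """Return {sender_ip: sender_mac} for every permit entry in the ARP ACL."""
    return {ip: mac.lower() for ip, mac in ACE_RE.findall(acl_text)}


class DaiVlan:
    """Simplified model of DAI on one VLAN (illustration, not IOS code).

    - trusted ports ('ip arp inspection trust') are not inspected at all
    - untrusted ports must match an ARP ACL binding; with no DHCP snooping
      table behind the ACL, a non-matching sender is implicitly denied
    - untrusted ports are rate-limited ('ip arp inspection limit rate');
      exceeding the limit err-disables the port, as IOS does by default
    """

    def __init__(self, bindings, trusted_ports, limit_pps=15):
        self.bindings = bindings
        self.trusted = set(trusted_ports)
        self.limit_pps = limit_pps          # IOS default for untrusted ports
        self.seen = defaultdict(int)        # (port, second) -> ARP packets
        self.errdisabled = set()

    def inspect(self, port, sender_ip, sender_mac, second):
        """Return the verdict for one ARP packet arriving on `port`."""
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            return "forward: trusted port"
        self.seen[(port, second)] += 1
        if self.seen[(port, second)] > self.limit_pps:
            self.errdisabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if self.bindings.get(sender_ip) != sender_mac.lower():
            return "drop: no matching ARP ACL binding"
        return "forward: binding matches"


def demo():
    """Constructed scenario: G0/1 is the trusted uplink, G0/2 and G0/3 access ports."""
    acl = "arp access-list ARP_ACL\n permit ip host 10.1.1.1 mac host 1111.1111.1111\n"
    dai = DaiVlan(parse_arp_acl(acl), trusted_ports={"G0/1"})
    verdicts = [
        dai.inspect("G0/2", "10.1.1.1", "1111.1111.1111", second=0),  # legitimate
        dai.inspect("G0/2", "10.1.1.1", "aaaa.bbbb.cccc", second=0),  # wrong MAC for the IP
        dai.inspect("G0/2", "10.1.1.9", "dddd.eeee.ffff", second=0),  # host not in the ACL
        dai.inspect("G0/1", "10.1.1.1", "aaaa.bbbb.cccc", second=0),  # trusted port, bypassed
    ]
    # A burst of 16 ARP packets within one second from G0/3 trips the 15 pps limit
    for _ in range(16):
        last = dai.inspect("G0/3", "10.1.1.1", "1111.1111.1111", second=1)
    verdicts.append(last)
    return verdicts
```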

 

802.1x Authentication and ACS supported authentication protocols


Generally there are 3 participants in 802.1x authentication:

  1. Supplicant/Client (Windows XP)
  2. Authenticator (L2 Switch/Access Point)
  3. Authentication Server (Cisco ACS)


ACS supports the following authentication protocols:

  • ASCII - a single cleartext message, no username/password
  • PAP - Password Authentication Protocol - unencrypted password, no challenge from the server
  • CHAP - Challenge Handshake Authentication Protocol - cleartext password, but requires a reply to a "challenge"; based on a shared secret between the hosts
  • EAP - an authentication framework that defines the message format used by PEAP and the other protocols in that framework.
  • PEAP - Protected Extensible Authentication Protocol. Encapsulates EAP messages within an encrypted TLS tunnel.

When a user laptop connects to an 802.1x-enabled network, the following occurs:

  1. XP sends an EAPoL-Start message to the switch
  2. The switch sends a "Login Request" to XP
  3. XP replies with a "Login Response" to the switch
  4. The switch encapsulates the client's message in EAP format and sends it to ACS.
  5. ACS sends its response to the switch
  6. The switch grants or denies access to the network.

Several RADIUS attributes are passed back from ACS to the switch:

On IETF RADIUS page enter:

[64] - Tunnel-Type = Tag 1 = "VLAN"
[65] - Tunnel-Medium = Tag 1 = "802"
[81] - Tunnel-Private-Group-ID = Tag 1 = "301"


On Cisco IOS/PIX RADIUS page enter:

[009\001] cisco-av-pair
cisco-avpair="tunnel-type(#64)=VLAN(13)"
cisco-avpair="tunnel-medium-type(#65)= 802 media(6)"
cisco-avpair="tunnel-private-group-ID(#81)=301"

ASA Firewall

Firewall Modes

Routed FW mode - supports RIP and OSPF, but only in single context mode

Transparent FW mode - only ARP is allowed by default

ASA 8.0 supports NAT

ASA 7.2 and earlier - no NAT support and it does not allow shared interface

Multiple context mode - no VPN or Multicast allowed

ASA 8.0(1) introduced Redundant interfaces

ASA supports up to 3 equal cost routes on the same interface for load balancing

Stateful Inspection for "NEW" connections takes the "management path":

  • ACL check
  • Route lookup
  • Allocate NAT translation (xlate table)
  • Establish the session in the "fast path"


Stateful Inspection for "ESTABLISHED" connections takes the "fast path":

  • IP Checksum verification
  • Session lookup
  • TCP sequence number check
  • NAT translation based on existing sessions
  • L3/L4 adjustments

 

NAT

NAT order:

  1. NAT exemption ( nat 0 acl)
  2. Policy NAT (using static with ACL)
  3. Static NAT (static)
  4. Static PAT (static)
  5. Policy NAT (using nat with ACL)
  6. Dynamic NAT (nat)
  7. Dynamic PAT (nat)

NAT types:

  • Dynamic NAT = many IP to many IP
  • Dynamic PAT = many IP to one IP
  • Static NAT = one IP to one IP
  • Static PAT = many IP to one port
  • Policy NAT - like static NAT, but translates dynamically based on source and destination pattern.

 

access-list POLICYNAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 1 access-list POLICYNAT
global (outside) 1 209.165.202.1

Routing and Route Tracking

! the default route is withdrawn when track 100 reports the SLA target unreachable
! (the next hop 172.16.1.1 is assumed here; a static route needs a gateway)
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1 track 100
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.1 interface outside
sla monitor schedule 1 life forever start-time now
track 100 rtr 1 reachability

"Tunneled" Route - this feature lets you append the "tunneled" keyword to a static route, which forces all the encrypted traffic to use that particular route.

Equal Cost Multiple Path (ECMP) Forwarding - this feature forwards data along up to 3 (three) equal-cost routes. This includes different default routes.
OSPF Cost = 100,000,000 /bandwidth (in bps)

"rip outside passive" - allows only "receive" on outside interface

Modular Policy Framework

The TCP Normalization feature drops any packet that exceeds the maximum segment size (MSS). To disable this check and allow such packets, use MPF:

access-list 100 permit tcp any any
tcp-map PERMIT_MSS_PACKETS
 exceed-mss allow
class-map TCP_TRAFFIC
 match access-list 100
policy-map TCP_POLICY
 class TCP_TRAFFIC
  set connection advanced-options PERMIT_MSS_PACKETS
service-policy TCP_POLICY interface outside

Same will work for "checksum-verification", etc.

Application layer protocol inspection is configured using the "Modular Policy Framework" (MPF):

SRC -> ACL -> XLATE -> INSPECTION -> (Decision to allow/drop) -> DST

Failover

Active/Standby - provides redundancy in both single and multi mode
Active/Active - provides load balancing in multi mode only

Requirements:

  • same model
  • same number and type of interfaces
  • same flash and RAM
  • same mode
  • same major and minor version
  • only sub-minor version may vary (8.0(2) and 8.0(3) are OK)

|---------------------------------------------------------|
| Stateful Failover Replication Information               |
|---------------------------------------------------------|
| PASSED                    | NOT PASSED                  |
|---------------------------------------------------------|
| NAT translations          | User authentication         |
| TCP/UDP connection states | Routing tables              |
| ARP entries               | Multicast info              |
| ISAKMP and IPsec SAs      | State information for SSC   |
|                           | (Service Security Card)     |
|---------------------------------------------------------|

How to configure LAN Failover with stateful failover replication

failover lan unit primary
failover lan interface failover Ethernet 2
failover link state Ethernet 3
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover interface ip state 10.1.2.1 255.255.255.0 standby 10.1.2.2
! enable failover (the command is simply "failover")
failover

L3 Attack Mitigation

SMURF and FRAGGLE Attacks

SMURF - source (spoofed) -> destination (broadcast) -> type (ICMP Echo Request, ICMP type 8)
FRAGGLE - source (spoofed) -> destination (broadcast) -> type (UDP echo request)

To detect and mitigate this attack:

Create ACL to match ICMP traffic and apply it to the interface:

# match ICMP type 8  (echo-request for Windows)
access-list 100 permit icmp any any echo
# match UDP ports 33434-33464 (echo-request for UNIX)
access-list 100 permit udp any any range 33434-33464
# match ICMP type 0
access-list 100 permit icmp any any echo-reply

The important thing to watch when you execute "show access-list 100" is the difference in counts between "echo" and "echo-reply". If you are under attack, the number of "echo-reply" packets will be significantly larger.

In order to mitigate you can use one of the following techniques:

  • CAR (Committed Access Rate)
  • uRPF (Unicast Reverse Path Forwarding)
  • IP Source Guard

Or you can block broadcasts on the router's interface:

int E0/0
no ip directed-broadcast

SYN Attacks

SYN attacks come in two flavors: spoofed address and non-spoofed address.

Usually Cisco devices look at the SYN RTT (the interval between "SYN+ACK" and "ACK"); if it exceeds a certain value, the device starts dropping embryonic connections.

To detect SYN attack, create access list:

access-list 100 permit tcp any any syn
access-list 100 permit tcp any any

Apply it on the interface and watch whether the first line's counter increases rapidly. If it does, you are under a SYN attack.
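The two detection procedures above (echo vs. echo-reply counts for smurf, the syn line vs. all TCP for SYN floods) can be automated from two snapshots of "show access-list 100". The Python below is an added example, not from the original sheet; the sample outputs are constructed, and the thresholds (10:1 reply ratio, 50% SYN share, 100 pps floor) are assumptions to tune per network.

```python
import re

# One ACE line of IOS "show access-list" output, e.g.
#   "30 permit icmp any any echo-reply (48210 matches)"
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(?:permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_counters(show_output):
    """Return {ACE text: hit count}; an ACE without a counter has 0 hits."""
    counters = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(3) or 0)
    return counters


def rates(before, after, seconds):
    """Hits per second per ACE between two snapshots taken `seconds` apart."""
    return {ace: (after[ace] - before.get(ace, 0)) / seconds for ace in after}


def smurf_suspected(rate, ratio=10.0, min_pps=100.0):
    """Smurf/Fraggle symptom from the text: echo-replies far outnumber the
    echo requests we sent (thresholds are this example's assumptions)."""
    req = rate.get("icmp any any echo", 0.0)
    rep = rate.get("icmp any any echo-reply", 0.0)
    return rep >= min_pps and rep > ratio * max(req, 1.0)


def syn_flood_suspected(rate, ratio=0.5, min_pps=100.0):
    """SYN flood symptom: the 'syn' ACE grows almost as fast as all TCP.
    ACLs are first-match, so the plain 'tcp any any' ACE counts only the
    non-SYN packets and total TCP is the sum of both lines."""
    syn = rate.get("tcp any any syn", 0.0)
    other = rate.get("tcp any any", 0.0)
    total = syn + other
    return syn >= min_pps and total > 0 and syn / total > ratio


def analyse(before_text, after_text, seconds=60):
    """Verdicts for both attack types from two snapshots of the same ACL."""
    r = rates(parse_counters(before_text), parse_counters(after_text), seconds)
    return {"smurf": smurf_suspected(r), "syn_flood": syn_flood_suspected(r)}


# Constructed snapshots of "show access-list 100", taken 60 seconds apart.
SMURF_T0 = """Extended IP access list 100
    10 permit icmp any any echo (1200 matches)
    20 permit udp any any range 33434 33464 (15 matches)
    30 permit icmp any any echo-reply (1180 matches)
"""
SMURF_T1 = """Extended IP access list 100
    10 permit icmp any any echo (1260 matches)
    20 permit udp any any range 33434 33464 (15 matches)
    30 permit icmp any any echo-reply (61180 matches)
"""
SYN_T0 = """Extended IP access list 100
    10 permit tcp any any syn (5000 matches)
    20 permit tcp any any (900000 matches)
"""
SYN_T1 = """Extended IP access list 100
    10 permit tcp any any syn (65000 matches)
    20 permit tcp any any (912000 matches)
"""
```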

To mitigate this type of attack, use:

  • CBAC
  • TCP Intercept
  • CAR
  • RTBH (Remotely Triggered Black Hole)

The configuration below uses CAR to limit WWW traffic to 2 Mbps with a normal burst of 16000 bytes and an excess burst of 24000 bytes; any remaining traffic is limited to 4 Mbps.

access-list 101 permit tcp any any eq www
int E0/1
 rate-limit output access-group 101 2000000 16000 24000 conform-action continue exceed-action drop
 rate-limit output 4000000 16000 24000 conform-action continue exceed-action drop

IP Source Tracker Feature

The IP Source Tracker feature identifies the source interface of traffic destined to a specific network address.
Why is this important?
Often network attacks come from spoofed addresses, so the only way to find the offending source is to track it hop by hop. The "SrcIF" field points you to the segment where the traffic originates.

RFC2827

This RFC defines Network Ingress Filtering:

  • deny incoming packets whose source address belongs to the inside network
  • deny outgoing packets whose source address belongs to the outside network

NBAR

Network Based Application Recognition is:

  • feature to recognize application and protocol patterns
  • must have Protocol Discovery enabled
  • signatures for this feature come in ".pdlm" format

Cisco IPS

Cisco IPS operates in two modes:

  • IDS - promiscuous mode
  • IPS - inline mode

Both modes look for the following patterns of misuse:

  • "Atomic Pattern" - malicious content is contained within a single packet
  • "Composite Pattern" - a sequence of operations distributed across multiple hosts over an arbitrary period of time

Types of alerts:

  • False Negative - malicious activity => sensor fails to report
  • True Negative - legitimate traffic => sensor fails to report
  • False Positive - legitimate traffic => sensor reports
  • True Positive - malicious activity => sensor reports

Types of operation:

  • Signature-based
  • Policy-based - statistical evaluation of the traffic flow. Looks at protocol compliance, SYN,SYN+ACK,ACK
  • Anomaly-based - learns normal traffic behaviour and reports deviations. Network behaviour analysis and heuristics analysis.

Types of Signature Engines:

  • ATOMIC - inspects simple packets (ICMP, TCP, UDP)
  • SERVICE - inspects services (L4-L7 inspections) and protocol compliance
  • STRING - pattern matching signatures
  • MULTI-STRING - flexible pattern matching and TrendLab

 

Cisco IOS Firewall

General

List of features:

  • Stateful Packet Inspection (SPI)
  • CBAC
  • IOS IPS
  • Authentication Proxy
  • PAM (Port to application mapping)
  • NAT
  • Zone-Based Policy Firewall

Firewall ACL Check:

  1. ACL-IN
  2. NAT
  3. ROUTING
  4. NAT
  5. ACL-OUT

Virtual Fragment Reassembly

VFR - Virtual Fragment Reassembly - is an IOS Firewall feature that works in conjunction with CBAC. Before VFR, CBAC could not identify the content of fragmented packets, which allowed all fragmented packets to bypass CBAC inspection.

To enable VFR:

ip virtual-reassembly

If all fragments are not received within a specific interval, the fragments are dropped.
RFC1858 covers security considerations for IP fragment filtering.

When CBAC needs to inspect traffic originated by the router itself, use the "router-traffic" keyword.
An outbound ACL on the router checks only traffic passing through, not traffic originated by the router.

Lock and Key ACL

This feature allows dynamic opening of ports based on the client's authentication. Prerequisites:

  • permit telnet to the router
  • configure an extended ACL
  • configure a username with the "access-enable" autocommand

username test password test
username test autocommand access-enable host timeout 10
access-list 102 dynamic INSIDE_IN timeout 15 permit ip any any
! 1.1.1.1 is the router's IP
access-list 102 permit tcp any host 1.1.1.1 eq 23
! inside interface
int E0/0
 ip access-group 102 in


How to debug traffic with ACL:

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 2.2.2.2 host 1.1.1.1
debug ip packet detail 101

Banner Types:

  • motd banner - when connected
  • login banner - when connected, after motd
  • exec banner - presented when logged in to ">" user exec mode

Privilege Levels:

  • 0 => disable, enable, exit, help
  • 1 => User Exec ">"
  • 2 => Privilege Exec "#"

Control Plane Policing (CoPP)

Control Plane Policing (CoPP) is used to protect the control and management planes against attacks, using MQC to limit transfer rates.

control plane
service-policy input <policy-map>

shell:cli-view-name=xyzview

 

ACS

RADIUS

RADIUS is the successor of DIAMETER

RADIUS Header

|------|------------|--------|
| Code | Identifier | Length |
|------|------------|--------|
|        Authenticator       |
|----------------------------|

| Code | Message             |
|------|---------------------|
| 1    | Access-Request      |
| 2    | Access-Accept       |
| 3    | Access-Reject       |
| 4    | Accounting-Request  |
| 5    | Accounting-Response |
| 11   | Access-Challenge    |
|------|---------------------|

The Identifier value is used to match request/reply pairs; this is how the router knows which RADIUS request a reply from the ACS server belongs to.
Authenticator - a random value generated by the router. ACS replies with md5hash(original message + shared secret).

RADIUS provides authentication and authorization in one packet. It uses udp/1645 (authentication and authorization) and udp/1646 (accounting).
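As an added example (not from the original sheet), the Python below parses the RADIUS header above and performs the router-side check that the Identifier matches the pending request and that the Response Authenticator equals MD5(Code + Identifier + Length + Request Authenticator + Attributes + shared secret), as RFC 2865 specifies; the reply carries the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes from the 802.1x section. The shared secret, identifier 42 and username are constructed.

```python
import hashlib
import hmac
import os
import struct

# Codes from the table above (RFC 2865/2866)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Code (1) | Identifier (1) | Length (2) | Authenticator (16), network byte order
HEADER = struct.Struct("!BBH16s")


def parse_header(pkt):
    """Split a RADIUS packet into its header fields plus the raw attribute bytes."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        raise ValueError("Length field inconsistent with packet size")
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": auth,
            "attributes": pkt[HEADER.size:length]}


def build_request(ident, attrs):
    """Access-Request from the NAS: the Authenticator is a fresh random value."""
    return HEADER.pack(1, ident, HEADER.size + len(attrs), os.urandom(16)) + attrs


def build_reply(code, ident, attrs, request_auth, secret):
    """Server reply (RFC 2865 section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reply(reply, request, secret):
    """The NAS-side check: the reply must carry the Identifier of the pending
    request and a Response Authenticator computed with the shared secret.
    Either failure means the reply is silently discarded, not acted on."""
    req, rep = parse_header(request), parse_header(reply)
    if rep["id"] != req["id"]:
        return False
    expected = hashlib.md5(reply[:4] + req["authenticator"]
                           + rep["attributes"] + secret).digest()
    return hmac.compare_digest(expected, rep["authenticator"])


def demo():
    """Constructed exchange: a genuine Access-Accept carrying the VLAN attributes
    from the 802.1x section, then the same reply built with a wrong secret."""
    secret = b"constructed-shared-secret"
    req = build_request(42, bytes([1, 7]) + b"user1")        # User-Name = "user1"
    vlan_attrs = (bytes([64, 6, 1, 0, 0, 13])                 # Tunnel-Type = VLAN(13), tag 1
                  + bytes([65, 6, 1, 0, 0, 6])                # Tunnel-Medium-Type = 802(6)
                  + bytes([81, 6, 1]) + b"301")               # Tunnel-Private-Group-ID = 301
    request_auth = parse_header(req)["authenticator"]
    genuine = build_reply(2, 42, vlan_attrs, request_auth, secret)
    forged = build_reply(2, 42, vlan_attrs, request_auth, b"guessed-secret")
    return verify_reply(genuine, req, secret), verify_reply(forged, req, secret)
```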

TACACS+

TACACS Header

|-------|-------|-------------|------------|-------|
| Major | Minor | Packet Type | Sequence # | Flags |
|-------|-------|-------------|------------|-------|
|                      Length                      |
|--------------------------------------------------|
|                   Authenticator                  |
|--------------------------------------------------|

Major/Minor - the TACACS+ version fields. They let you identify which version the ACS server is running.
Flags - define encryption and additional fields.
Sequence - starts with #1 at the router, #2 at ACS, #3 at the router, and so on.

|-------------|----------------|
| Packet Type | Meaning        |
|-------------|----------------|
| 0x01        | Authentication |
| 0x02        | Authorization  |
| 0x03        | Accounting     |
|-------------|----------------|

Shared Profile Components:
- Downloadable ACL - supported on Routers/VPN/ASA/PIX
- NAF (Network Access Filter) - a different level of access per device or device group (provides more granularity)

|--------|---------------------------|--------|
| Authentication                              |
|--------|---------------------------|--------|
| FROM   | MESSAGE                   | TO     |
|--------|---------------------------|--------|
| Router | START                     | ACS    |
| ACS    | GETUSER (username)        | Router |
| Router | CONTINUE (username=user1) | ACS    |
| ACS    | GETPASS                   | Router |
| Router | CONTINUE                  | ACS    |
| ACS    | FAIL/PASS                 | Router |
|--------|---------------------------|--------|
| Authorization                               |
|--------|---------------------------|--------|
| Router | START                     | ACS    |
| ACS    | RESPONSE                  | Router |
|--------|---------------------------|--------|

 

 

EAP-MD5 is an IETF standard

It is not secure, because the MD5 challenge/response is exposed to brute-force attacks.

  1. Client sends an EAPoL (EAP over LAN) "Start" message
  2. Switch replies with an EAP "Request Identity" message
  3. Switch then forwards the requests to ACS

 

EAP-TLS is an IETF standard developed by Microsoft

  • used primarily with PPP (Point-to-Point Protocol)
  • provides per-packet confidentiality and integrity
  • uses X.509 PKI
  • requires installing certificates on both client and server

Instead of a password, the certificate is sent. Certificates need to be issued by a trusted CA.

 

EAP-TTLS is a Funk Software/Certicom product

  • same as EAP-TLS, but there is no need to install a certificate on the client
  • authentication is based on username/password

 

EAP-FAST (EAP Flexible Authentication via Secure Tunnelling)

developed by Cisco

uses TLS, but does not require a PKI infrastructure for user identity

the secure tunnel is established using a pre-shared key called a PAC (Protected Access Credential)

 

PEAP (Protected EAP) was developed by Cisco, Microsoft, RSA

 

Cisco NAC

Cisco NAC can be deployed in two ways:

  1. Cisco NAC Appliance (Cisco Clean Access)
  2. Cisco NAC Framework

NAC Appliance does not rely on 3rd-party vendors and offers assessment, policy management, and remediation services (CSA and CCA agents, Clean Access Server/Manager).

NAC Framework integrates with third-party vendors to provide endpoint clients and policy servers. The Cisco component is ACS.

NAC Framework uses the following protocols:

  1. RADIUS - authentication between the NAD (switch) and ACS
  2. EAP - credential exchange between the endpoint and the NAD. Uses the following message types:
    • EAP-TLV - carries posture credentials
    • Status Query
    • EAPoverUDP (udp/21862)
  3. HCAP - Host Credential Authorization Protocol - used to forward the client's credentials to 3rd-party vendors. HTTP from ACS to the Policy Vendor Server (PVS, or posture server)
  4. GAME - Generic Authorization Message Exchange - ACS uses this protocol to communicate with a 3rd-party Audit Server (AS). HTTP from ACS to the audit server.

NAC Framework Admission Control

  • NAC-L3-IP - triggered on an L3 device by an IP packet. The NAD sends an EAPoUDP frame for posture and credentials
  • NAC-L2-IP - triggered by a switch via a DHCP/ARP request. The switch sends an EAPoUDP frame. Uses L3/L4 to enforce
  • NAC-L2-802.1x - triggered on an L2 device via 802.1x; uses a VLAN (quarantine) to enforce

 

Cryptography

Symmetric Keys:

  • stream cipher - encrypts plaintext digits one by one (RC4). Produces different ciphertext each time it is run.
  • block cipher - encrypts plaintext in fixed-length groups of bits (DES, AES). Produces the same ciphertext each time.

|-----------|-------------|-----------------|
| Algorithm | Cipher Type | Key Size        |
|-----------|-------------|-----------------|
| DES       | block       | 56 bit          |
| 3DES      | block       | 3x56 bit        |
| AES       | block       | 128/192/256 bit |
|-----------|-------------|-----------------|

Other algorithms: CAST-128/256, IDEA, RC4, Blowfish

Asymmetric Key Cryptography:

  1. RSA - provides data confidentiality and authentication (used for authentication or digital signatures). RSA's RC ciphers are RC1, RC2, RC3, RC4, RC5 and RC6.
  2. DH - Diffie-Hellman - used for secret-key exchange
  3. DSA - Digital Signature Algorithm - used for digital signatures
  4. PKCS - Public-Key Cryptography Standards - total 15

Cryptographic VPN Technologies:

  • IPSec
  • L2TP
  • PPTP
  • GRE with IPSec Profiles

Non-cryptographic VPN Technologies:

  • GRE
  • MPLS VPN

 

IPSec Framework

IPSec Framework offers following services:

  1. Peer authentication
  2. Data confidentiality
  3. Data integrity
  4. Data origin authentication
  5. Replay detection
  6. Access-control
  7. Traffic Flow Confidentiality

 

IPSec Modes:

  • Tunnel - protects data LAN-to-LAN. It encapsulates and protects the entire IP packet; a new IP header and the IPSec header are added.
  • Transport - protects host-to-host. It only protects the payload; the IPSec header is inserted between the IP header and the payload.

 

Types of IPSec Headers:

ESP Header - Encapsulating Security Payload:

  • SPI - Security Parameter Index, which in combination with the IP address identifies a unique SA.

AH Header - Authentication Header:

  • provides anti-replay, integrity and authenticity of data
  • does NOT offer confidentiality

IKE Framework consists of:

  1. ISAKMP - establish, negotiate, modify and delete SAs
  2. Oakley Key
  3. SKEME

IKE Phases:

  1. Phase 1:
    • peer authentication
    • establish Phase 1 SA (single bidirectional SA)
    • Main mode: 6 messages
    • Aggressive mode: 3 messages. Faster, but less secure. No identity protection.
  2. Phase 2:
    • protects user data
    • establishes Phase 2 SA (IPSEC, 2 unidirectional SAs)
    • negotiates "protected" networks aka "proxy identities"
    • negotiates protection suite: DES, 3DES, AES, SHA
    • Quick Mode only

Note: Multiple Phase 2 SAs can be established under the same phase 1 SA.

SA is agreement between two entities on a method to communicate securely.

 

IKEv2 vs IKE:

  • no aggressive mode
  • 4 kinds of message pairs
  • EAP support
  • NAT Traversal Support

"ISAKMP Profile" is used to configure MPLS VPNs, router certificate management and IPSec/QoS configurations.

When to use? When a router has more than one IPSec tunnel requiring different Phase 1 parameters for different sites.

How is it applied? The router selects the ISAKMP profile based on "match identity" criteria:

crypto isakmp profile vpn_profile
 match identity group vpngroup
 match identity address 22.22.22.22
 match identity host domain cisco.com
 match identity host r1.cisco.com

Where used?

  • DMVPN
  • IPSec VTI

User connects -> Physical Interface -> auth + authorization -> Virtual Access Interface <- Virtual Template Interface

 

Public Key Infrastructure

Certificate Enrollment - is a process of obtaining a certificate from a CA server.

Certificate Enrollment Methods:

  • SCEP
  • PKCS 12
  • IOS File System (IFS)
  • Manual (Cut and Paste)

Certificate Enrollment Process:

  1. Host initiates enrollment process by generating an RSA key pair
  2. Host generates Certificate Request and forwards it to CA
  3. CA receives request, approves it and signs the request with its private key
  4. CA issues certificate to the host

Public Key Certificate specs:

  • defined by the X.509 standard for PKI
  • X.509 digital certificate contains:
    • version
    • serial number
    • algorithm ID
    • issuer
    • validity
    • etc...

 

Cisco Easy VPN Client

Modes:

  • Client Mode (aka PAT Mode) - clients are hidden behind a single IP address. That IP address can be used to SSH, telnet or ping the device.
  • Network Extension - hosts at the remote site are given IP addresses that are fully routable and reachable by devices in the central site network.
  • Network Extension Plus - same as above, but allows requesting an IP address via mode configuration
