Understanding Network and Information Security Basics About: Knowing the basics of security. Main Ideas:
CIA
Confidentiality - only authorized users can view sensitive data; unauthorized users have no access to it. Data in motion must be encrypted.
Integrity - only authorized users can modify the data. Unauthorized modification results in corrupt data and a loss of integrity.
Availability - resources must be available to authorized users. Loss of availability can mean loss of revenue.
Classifying Assets
Why is data classified? To take specific action on data in a given class.
What are the different asset classifications?
Governmental: Unclassified, Sensitive but unclassified, Confidential, Secret, Top Secret
Private sector: Public, Sensitive, Private, Confidential
Classification criteria: Value, Age, Replacement cost, Useful lifetime
Classification roles: Owner, Custodian, User
Classifying Vulnerabilities
Why are vulnerabilities classified? To use an appropriate countermeasure to mitigate the threat against those vulnerabilities.
Where do vulnerabilities come from?
Policy flaws
Design errors
Protocol weaknesses
Misconfiguration
Software vulnerabilities
Human factors
Malicious software
Hardware vulnerabilities
Physical access to network resources
Vulnerabilities can be found online in the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD).
Classifying Countermeasures
Countermeasures are introduced after identifying the asset and its risks. Countermeasures are placed in the following categories:
Administrative: Such as a written policy.
Physical: Such as a locked door or key fob entry.
Logical: Such as a firewall or password.
Recognizing Current Network Threats About: Network Threats and strategies to stay ahead of those threats. Main Ideas:
Potential Attackers
Types of adversaries behind attacks are:
Terrorists
Criminals
Government agencies
Nation-states
Hackers
Disgruntled employees
Competitors
Anyone with access to a computing device
Reasons for attacks could be attention, financial gain, or recreation.
Attack Methods
Methods which attackers use to gain access to a network or to information:
Reconnaissance - discovery process. Gathering more information on the target, such as finding IP addresses and vulnerabilities.
Social engineering - tricking the user into leaking information.
Privilege escalation - the act of gaining higher privileges, which results in greater access to resources.
Back doors - a method for the attacker to easily regain entry into the system.
Attack Vectors
Attackers can come from outside the network and from within. Implement security policies and mitigate risk at different levels.
Man-in-the-Middle Attacks
An attacker places themselves between two communicating devices and intercepts data in transit. The attacker can perform reconnaissance or manipulate the data and forward it on. The way to mitigate this is to encrypt the data in transit. For management data, use SSH instead of Telnet and HTTPS instead of HTTP.
Other Attack Methods
Not an end-all list, but some other attack methods include:
Covert channel - the act of using a protocol in an illegitimate manner. Hiding traffic or data within another protocol.
Trust exploitation - using one attack vector to attack the real target by going through a source the target trusts.
Password attacks
Botnet
DoS and DDoS
Summary: There are various types of attackers with different reasons for attacking targets. Different attack methods are used to gather information on the target, such as gathering IP addresses and vulnerabilities and using social engineering to get information out of employees. Once an attacker exploits vulnerabilities they can escalate their privileges to get access to more resources and then leave a way to regain entry without notice. Other attack methods include sniffing data while it is in transit. Encryption must be used instead of clear-text communication.
Applying Fundamental Security Principles to Network Design About: Improving security posture Main Ideas:
Guidelines
Some guidelines to follow to improve your security posture overall:
Rule of least privilege - Minimal access required for users or services.
Defense in depth - Implement security at every point in your network.
Separation of duties - Individuals with specific roles for checks and balances.
Auditing - Keeping a record of what happens on the network.
Business requirements
Checklist for new assets where risk has not been calculated:
Qualitative/quantitative analysis of risk
Action regarding risk - transferring risk, accepting risk, or reducing risk using countermeasures.
Monitor risk
Compliance
Consider the impact of not complying.
Implement whatever regulatory compliance is required.
Security Policies
WWW (Who, What, Why)
Who creates the security policies? The senior management team is responsible for creating the overall security policy. This is the overall goals or the high-level security policy (governing policy).
What is in a security policy? Incorporates many aspects of risk management. Should have a general overview of why the policy was written, what it covers and what it doesn't cover.
Why do we have security policies? They are used to educate workers and become a baseline for security.
Types of Policies
Guideline - AUP, password policy, etc.
Email - forwarding policies, spam, etc.
Telephony - AUP of telephony services.
Application - security requirements, etc.
Network - AUP, etc.
Standards, Procedures, and Guidelines
Standards - use of specific tech as a countermeasure.
Procedures - detailed doc about standards and guidelines that help implement security for the network.
Guidelines - suggestions but not mandatory.
Policies - high-level policies set forth by senior management.
Testing the Security Architecture
Testing security can be done by using techniques such as: network scanning, vulnerability scanning, password cracking, penetration testing, social engineering.
Responding to an Incident
If an attack succeeds there needs to be a policy that documents how to handle the incident. An incident policy should:
Help in recovery of business operations.
Document details of the incident.
Prevent further incidents from happening.
Collecting Evidence
If an attacker is detected then preserving evidence is important, such as taking a snapshot of data, having logs correlated, pictures of the equipment and a chain of evidence.
Reasons for Not Being an Attacker
You can be punished. Don't be an attacker.
Liability
A company may have a liability if revenue is lost, if company data is stolen, if customer data is stolen or lost, etc. Money is spent on security to minimize the risk and lower their liability.
DR and BCP
Many companies require minimal downtime. Factors in Business Continuity are:
Maximum tolerable downtime (MTD)
Recovery time objective (RTO) - number of hours or days set as the objective for resuming the business process in the event of a disaster.
Recovery point objective (RPO) - the state (point in time) to which the data is restored.
Securing Borderless Networks About: Goes over the current strategies for securing borderless networks. Main Ideas:
Logical Boundaries
Traditional infrastructure is made up of switch blocks. Users connect to access layer switches, which are Layer 2. The access layer connects to distribution switches, which are Layer 2 and 3. Multiple blocks can be connected by core switches.
Borderless Network Components:
Borderless end zone - where devices connect to the network.
Borderless data center - represents where the services are provided.
Borderless Internet - which is the Internet.
Policy management point - the enforcement of policies and secure management.
Main Ideas:
An Ounce of Prevention
ASA firewalls - provide perimeter security such as packet filtering, stateful filtering, and VPN.
Integrated Services Routers (ISR) - build additional security into routers.
Intrusion prevention systems (IPS) - perform signature matching to identify malicious traffic and prevent attacks.
IronPort Email Security Appliances (ESA) and IronPort Web Security Appliances (WSA) - enforce security over email and web traffic.
ScanSafe - filtering web traffic.
Secure Management
When managing devices, use SSH or HTTPS for secure management. GUIs include: ASDM, CCP, IDM (IPS Device Manager), and IME (IDM Express).
Using Network Foundation Protection to Secure Networks About: Approaches to hardening the network. Main Ideas:
Interdependence
Interdependence exists between planes. For example, a control plane failure will impact the data plane, as users' traffic will not be forwarded to its destination.
Implementing NFP
Components of a threat control and mitigation strategy, by plane (Plane / Security Measures / Protection Objectives):
Management
Security Measures: AAA, NTP, SSH, SSL, syslog, SNMP, parser views
Protection Objectives: Authenticate and authorize administrators. Use encrypted protocols; limit what an individual can see on a network device.
Control
Security Measures: Control plane policing (CoPP), Control plane protection (CPPr), authenticated routing protocol updates
Protection Objectives: Control plane tools are used to limit damage caused by an attacker. Routing protocol updates are authenticated to mitigate an attacker manipulating the routing updates.
Data
Security Measures: ACL, private VLANs, STP, IOS IPS, Zone-based firewall
Protection Objectives: Filtering traffic, protecting the network from a rogue switch affecting the data plane, firewall filtering.
NFP is built on three components to protect a network. The command line auto secure feature implements security measures from each plane.
Understanding the Management Plane
About: What can be done to protect management access and protocols. Main ideas:
Understanding the Control Plane About: Protecting network devices involving nontransit traffic directed to the network device. Main ideas:
Understanding the Data Plane About: Implementing policy to transit traffic going through network devices Main ideas:
Introducing Cisco Configuration Professional
Can be located locally on the computer or on the router. Used to configure routing, firewalls, IPS, VPNs, UC, and other features on an IOS router using a GUI. Can monitor a group of routers using a device community.
Understanding CCP Features and the GUI
The Toolbar
Home button - Clicking goes to the Community View page.
Configure button - Make a change to the configuration or view an existing configuration of a router.
Monitor button - Shows router and security features that can be monitored.
Manage community icon - View, edit or add new communities.
Refresh icon - Gets the current running config from the specified device.
Provide feedback to Cisco icon - Feedback for Cisco.
Help icon - Looks like a question mark; click to get help.
Search icon - Opens a browser window to search the help documents.
Content Pane
Right of the navigation pane, where parameters are entered or changed.
Status Bar
Located at the bottom and displays info about CCP.
A router preinstalled with Cisco Configuration Professional Express can be browsed to at 10.10.10.1 (default IP of CCP Express).
Required for CCP:
Supports HTTP or HTTPS.
Authentication for HTTPS set to local database.
Username with privilege 15.
How to prepare the router for HTTP/HTTPS connections:
R1(config)# ip http server
R1(config)# ip http secure-server
R1(config)# username admin priv 15 secret cisco
R1(config)# ip http authentication local
Setting Up New Devices About: Required basic configuration to allow CCP to communicate with a router.
CCP Building Blocks About: Tools used for security policy deployment and configuration. Main Ideas:
Communities
A community must be created before administering a router using CCP. A community is a group of routers that share something in common. The max number of routers in a community is 10. To create a community and add devices:
1. Use the Manage Community dialog box to create the community. Click Manage Community in the toolbar, or from the menu bar click Application | Manage Community.
2. In the Manage Community dialog box, enter the IP address or hostname of the router, including the username and password.
3. To connect securely to the router, check the Connect Securely check box.
4. To change the default port information, click the down arrow to the right of the device.
5. To discover all the devices in the community, check the Discover All Devices check box.
6. Click OK and the Community View page opens.
Templates
Templates are used to copy configuration to another router or device. Certain parameters will be changed, such as the hostname. To create and apply a template:
1. Select Application from the menu bar, and from the drop-down select Template, and then Create.
2. You can then select a discovered router or select a file from your local computer.
3. Highlight the items that need to be replaced before applying the configuration to another router. After highlighting each item, click the Parameterize button. This identifies each item as a variable that will be replaced before applying the configuration to another router. Click Finish.
4. Save the file.
5. Apply the configuration to another router by selecting Application from the menu bar, and from the drop-down select Template, then Apply.
6. Browse for the previously saved template file and click Next. Click the Find Parameterized Attribute button to search for and identify the variables and replace them with the new values. Then click Next.
7. From the drop-down list select a discovered router that you want to apply the configuration to. Click Next to continue, followed by Finish.
User Profiles
You can restrict which features are shown as available by using user profiles. User profiles only restrict information from CCP and not SSH. To create and implement a user profile:
1. Select Applications then select Create User Profile. Click Next.
2. Select the routers that the user profile will have an effect on then click Next.
3. Expand each content item by clicking on the triangle to the left of each item.
4. Select the permissions by clicking on the icon and selecting what level of permissions to this item you want to give to the user. When done, click Next. Green = Full Permissions, Blue = View Only, Red = Not Available
5. Click Save User Profile, then click Finish.
6. On the computer using the user profile, click the Application menu and select Import User Profile.
7. Click Browse, select the previously saved user template, and click Next. Confirm the settings for the template and click Next then Finish.
CCP Audit Features About: How to use the Security Audit feature in CCP. Based on the command line auto secure feature, the Security Audit feature evaluates the configuration and makes recommendations on how to make the router more secure.
To perform a security audit:
1. On the toolbar click Configure then go to Security > Security Audit.
2. Click Perform Security Audit and then click Next.
3. For each interface listed, check either the Inside or Outside check box to indicate where the interface connects, then click Next.
4. The Security Audit Wizard checks the configuration to find any security problems.
5. Check the Fix It boxes next to any problems you want CCP to fix, then click Next.
6. Enter any information required and click Next.
7. On the summary page, click Finish to deliver the changes to the router.
One-Step Lockdown
Addresses several features that do not require an administrator to provide input. Provides a subset of the security measures that the interactive Security Audit feature can perform.
Securing Management Traffic About: Classifying and describing management traffic, their vulnerabilities and how to protect it. Main ideas:
Password Recommendations
Use a minimum of eight characters; the longer the better. Use alphanumeric characters, symbols, phrases, etc. Change passwords regularly.
AAA Components
Authentication - proving who users claim to be. Specify authentication with a "method list" that says how to authenticate a user.
Authorization - after authentication, authorization is used to determine which resources an individual has access to and what they can do with the resource. Authorization method lists are created to specify how to authorize an individual.
Accounting and auditing - once a user is authenticated and authorized, an audit trail keeps track of what resources were accessed and what was performed on those resources.
Options for Storing Usernames, Passwords, and Access Rules
Cisco Secure ACS Solution Engine
Cisco Secure ACS for Windows Server
Current flavors of ACS functionality
Self-contained AAA
Authorizing VPN Users - authenticate the user and determine what access they have by the authorization method list.
Router Access Authentication - must use authentication first before using authorization.
AAA Method List - can specify individual lists of ways we want to authenticate, authorize, and account for users. A default list applies to the whole router or switch. A custom list can be created.
Syntax: aaa type {default | list-name} method-1 [method-2 method-3 method-4]
type = identifies the type of list being created. Either authentication, authorization, or accounting.
default = specifies the default list of methods to be used based on the methods that follow this argument.
list-name = used to create a custom method list.
method = at least one method must be specified. To use the local database you can use the local keyword. Other methods include:
enable - the enable password is used.
krb5 - Kerberos 5 is used.
krb5-telnet - Kerberos 5 Telnet is used when using Telnet to connect.
line - the line password is used.
local - the local username database is used.
local-case - requires a case-sensitive local username.
none - no authentication is used.
group radius - a RADIUS server is used.
group tacacs+ - a TACACS+ server is used.
group group-name - uses either a subset of RADIUS or TACACS+ servers.
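The order of methods in a list matters more than the syntax suggests, so here is an added Python model (written for these notes, not Cisco code) of how an IOS "aaa authentication login" list is walked: a later method is consulted only when the previous one cannot be reached (an ERROR), never when it answers with a rejection (a FAIL). The parser accepts the syntax above; the backends, the sample local database and the "server down" scenario are constructed for the example. It shows why "group tacacs+ local" is a safe fallback while "group tacacs+ none" opens the router to anyone whenever the server is unreachable.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A backend answers True (PASS), False (FAIL) or None (ERROR: unreachable).
Backend = Callable[[str, str], Optional[bool]]


@dataclass
class MethodList:
    name: str              # "default" or a custom list-name
    methods: List[str]     # e.g. ["group tacacs+", "local"]


def parse_method_list(line: str) -> MethodList:
    """Parse 'aaa authentication login {default | list-name} method-1 [method-2 ...]'.
    'group radius', 'group tacacs+' and 'group <group-name>' are two-word methods."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("only 'aaa authentication login' lists are modelled")
    name, rest = tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    if not methods:
        raise ValueError("at least one method must be specified")
    return MethodList(name, methods)


def authenticate(mlist: MethodList, user: str, password: str,
                 backends: Dict[str, Backend]) -> Tuple[bool, str]:
    """Walk the list in order. Only an ERROR (backend unreachable) falls through
    to the next method; a PASS or FAIL is final. Returns (accepted, deciding method)."""
    for method in mlist.methods:
        if method == "none":
            return True, method              # 'none': no authentication at all
        backend = backends.get(method)
        result = backend(user, password) if backend else None
        if result is None:
            continue                         # ERROR: try the next method
        return result, method                # PASS or FAIL stops the walk
    return False, "no method responded"      # every method errored


# --- constructed backends used by the scenarios below (not real servers) ---
LOCAL_DB = {"admin": "cisco123"}             # as if 'username admin ... secret cisco123'


def local_backend(user: str, password: str) -> Optional[bool]:
    return LOCAL_DB.get(user) == password


def tacacs_up(user: str, password: str) -> Optional[bool]:
    # The server knows a different user than the router's local database.
    return user == "tsadmin" and password == "Cisco123"


def tacacs_down(user: str, password: str) -> Optional[bool]:
    return None                              # no reply from the server at all


def scenario(list_line: str, server_reachable: bool, user: str, password: str) -> Tuple[bool, str]:
    """Evaluate one login attempt against a method list, with the TACACS+ server up or down."""
    mlist = parse_method_list(list_line)
    backends = {"group tacacs+": tacacs_up if server_reachable else tacacs_down,
                "local": local_backend}
    return authenticate(mlist, user, password, backends)


if __name__ == "__main__":
    print(scenario("aaa authentication login default group tacacs+ local", False, "admin", "cisco123"))
    print(scenario("aaa authentication login default group tacacs+ local", True, "admin", "cisco123"))
    print(scenario("aaa authentication login default group tacacs+ none", False, "anyone", "x"))
```

The second scenario is the one that surprises people: with the server reachable, a user the server rejects is not retried against the local database, even though the same credentials are valid there.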
Understanding NTP
Network Time Protocol (NTP) uses UDP port 123. Used to synchronize time between devices. Network devices should connect to a trusted time server using NTP version 3 to support cryptographic authentication.
Implement Security Measures to Protect the Management Plane About: Implementing best practices to protect the management plane. Main Ideas:
password $ecr3t
login
exit
line vty 0 4
password $secr3t$
login
Encrypt all plain text passwords:
service password-encryption
Configure | Router | AAA | Authentication Policies | Login
To see the method lists applied to the vty lines: Configure | Router | Router Access | VTY
commands exec include all show
commands exec include configure
commands configure include access-list
exit
exit
To use the view:
R1> enable view New_VIEW
Password: New_VIEW_PW
To associate a user with a parser view:
username tsadmin view New_VIEW secret Cisco123
SNMP Features
Components
SNMP manager - runs the management application. Called the Network Management Server (NMS).
SNMP agent - software that runs on a managed device.
Management Information Base (MIB) - collection of unique numbers associated with each of the individual components of a router. Information about the device's resources and activity is defined by a series of objects.
Categories of SNMP message types
GET - used to retrieve info from a managed device.
SET - used to set a variable in a managed device or to trigger an action.
Trap - an unsolicited message sent from a managed device to the SNMP manager.
Security models and security levels (Security Model / Security Level / Authentication Strategy / Encryption Type):
SNMPv1 / noAuthNoPriv / Community string / None
SNMPv2c / noAuthNoPriv / Community string / None
SNMPv3 / noAuthNoPriv / Username / None
SNMPv3 / authNoPriv / MD5 or SHA / None
SNMPv3 / authPriv / MD5 or SHA / CBC-DES (DES-56)
Configure SNMP using CCP: Configure | Router | SNMP
CLI to configure SNMPv1:
snmp-server location 10.1.10.26
snmp-server contact Admin
snmp-server community super-secret RW
snmp-server host 10.1.10.26 trap Cisco
Configuring NTP
To configure using CCP: Configure | Router | Time | NTP and SNTP, then click Add.
To configure using CLI:
ntp update-calendar
ntp authentication-key 1 md5 S3cret!
ntp authenticate
ntp trusted-key 1
ntp server 55.1.2.3 key 1 source FastEthernet0/0 prefer
Verify NTP: show ntp status
Cisco Secure ACS, RADIUS, and TACACS About: How to use ACS for centralized authentication of clients. Main Ideas:
What is ISE?
Identity Services Engine (ISE) is an identity and access control policy platform. Used to do posturing and policy-compliance checking for hosts.
Protocol Choices Between the ACS Server and the Client (the Router)
TACACS+ versus RADIUS
Functionality - TACACS+: Separates AAA functions into distinct elements. Authentication is separate from authorization, and both are separate from accounting. RADIUS: Combines many of the functions of authentication and authorization together. Has detailed accounting capability when accounting is configured for use.
Standard - TACACS+: Cisco proprietary. RADIUS: Open standard.
L4 protocol - TACACS+: TCP. RADIUS: UDP.
Replacement - TACACS+: None officially planned. RADIUS: Possibly Diameter coming.
Confidentiality - TACACS+: All packets encrypted between ACS and router. RADIUS: Only the password is encrypted between ACS and router.
Granular command-by-command authorization - TACACS+: Supported. RADIUS: No explicit command authorization checking rules can be implemented.
Accounting - TACACS+: Supported. RADIUS: Supported.
Configuring Routers to Interoperate with an ACS Server About: Configuring ACS Main Ideas:
To troubleshoot TACACS+ use the commands:
debug tacacs
debug aaa authentication
debug aaa authorization
Task list for configuring a router to use ACS via TACACS+:
Decide what the policy should be - part of the planning process for developing the concept for authentication and authorization.
Enable AAA - use the command aaa new-model.
Specify the ACS server to use - use the tacacs-server host command.
Create a method list for authentication and authorization - each method list is created in global configuration mode.
Apply the method lists to the location that should use those methods.
Configuring the ACS Server to Interoperate with a Router About: Configuring the ACS using the GUI interface. Main Ideas:
Network device groups - Used to group network devices with similar functions managed by the same administrators.
Network devices - Individual network devices that go into device groups.
Identity groups - Groups of admins.
User accounts - Individual admins, which are placed into identity groups.
Authorization profiles - Control what rights are permitted.
Create device groups: Network Resources | Network Device Groups | Device Type | click Create
Add a single router and add it to a device group: Network Resources | Network Devices and AAA Clients | click Create
Create a user group: Users and Identity Stores | Identity Groups | click Create
Create individual users: Users and Identity Stores | Internal Identity Stores | Users | click Create
Create authorization policies: Access Policies | Access Services | Default Device Admin | Authorization | click Create
Verifying and Troubleshooting Router-to-ACS Server Interactions About: Commands that can be used to troubleshoot and verify AAA when using ACS. Main Ideas:
Verification
Verify with ping; make sure the device is powered on, in the correct VLAN, has the correct switchport configuration, etc.
To test AAA between the router and the ACS use the command: test aaa group tacacs+ admin cisco123 legacy
On the ACS server, view the reports: Monitoring & Reports | Reports | Favorites | select Authentications - TACACS - Today
VLAN and Trunking Fundamentals About: The basics of how VLANs and trunking operate. Main Ideas:
What is a VLAN?
A VLAN is a virtual LAN where devices on the same VLAN are in the same Layer 3 IP subnet and the same Layer 2 broadcast domain. On the switch, a switchport is assigned to a VLAN. Creating a new VLAN and assigning a port to it:
conf t
vlan 10
int f0/1
switchport mode access
switchport access vlan 10
device connects to the switch and is placed on the native VLAN, it can send a broadcast which would be transmitted to the other switches on the native VLAN.
Inter-VLAN Routing
Devices can communicate with each other on the same VLAN. If two devices wanted to communicate from different VLANs, a default gateway needs to be configured for both VLANs for routing the packets to the destination VLAN.
Spanning-Tree Fundamentals About: How STP avoids loops at layer 2 and how STP works. Main Ideas:
Whenever there are parallel connections between layer 2 devices there will be layer 2 loops. STP solves that problem.
Common Layer 2 Threats and How to Mitigate Them About: Security threats at Layer 2 and mitigation. Main Ideas:
Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too
If an attacker can disrupt the layer 2 forwarding of data then they can attack the upper layer protocols.
Root Guard
Helps prevent a switch from learning about a new root switch.
conf t
int f0/24
spanning-tree guard root
Port Security
Used to control how many MAC addresses can be learned on a switch port. Implemented on a port-by-port basis. Also prevents a client from depleting DHCP server resources. Three violation options can be configured:
shutdown - shuts down the port.
protect - will not shut down the port but will deny any frames from new MAC addresses.
restrict - same as protect but generates a syslog message as well.
conf t
int f0/2
switchport
switchport
switchport
switchport
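To make the three violation modes concrete, here is an added Python simulation of a port-security port (example code written for these notes, not Cisco's implementation). The traffic it replays is constructed: a legitimate host, then a flood of frames with random source MACs of the kind a DHCP-starvation client generates (one spoofed MAC per DISCOVER), then the legitimate host again. The log strings are placeholders, not real IOS messages. Running the same traffic through each mode shows what differs: only shutdown takes the legitimate host offline, and only restrict leaves a syslog trail.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # how many MAC addresses may be learned on the port
    violation: str = "shutdown"      # "shutdown" | "protect" | "restrict"
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)


def receive_frame(port: SecurePort, src_mac: str) -> str:
    """Decide what happens to one frame from src_mac; returns 'forward' or 'drop'."""
    if port.err_disabled:
        return "drop"                             # port is down after a shutdown violation
    if src_mac in port.learned:
        return "forward"                          # known address
    if len(port.learned) < port.maximum:
        port.learned.add(src_mac)                 # learn it dynamically
        return "forward"
    # A new source MAC beyond the maximum: this is a violation.
    if port.violation == "shutdown":
        port.err_disabled = True
        port.syslog.append(f"{port.name} placed in err-disabled state (constructed message)")
    elif port.violation == "restrict":
        port.syslog.append(f"violation on {port.name} from {src_mac} (constructed message)")
    # "protect" drops silently; the other two modes also drop this frame.
    return "drop"


def run_scenario(violation: str, maximum: int = 1) -> Dict[str, int]:
    """Replay constructed traffic against one port configured with the given mode."""
    port = SecurePort("Fa0/2", maximum=maximum, violation=violation)
    rng = random.Random(7)                        # fixed seed: reproducible flood
    legit = "0011.2233.4455"
    frames = [legit, legit]
    frames += ["00{:02x}.{:04x}.{:04x}".format(rng.randrange(256), rng.randrange(65536), rng.randrange(65536))
               for _ in range(50)]               # 50 spoofed source MACs
    frames += [legit]                             # legitimate host tries again afterwards
    forwarded = dropped = 0
    for mac in frames:
        if receive_frame(port, mac) == "forward":
            forwarded += 1
        else:
            dropped += 1
    return {"forwarded": forwarded, "dropped": dropped,
            "syslog_lines": len(port.syslog), "err_disabled": int(port.err_disabled)}


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        print(mode, run_scenario(mode))
```

With maximum=1 the first spoofed frame already exceeds the limit, so the flood never displaces the legitimate host's entry; in protect and restrict mode the host keeps working, while in shutdown mode the last legitimate frame is dropped because the port is err-disabled.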
Understanding and Configuring IPv6 About: Reviews IPv6 basics and how to configure it. Main Ideas:
Why IPv6?
Move to IPv6 because:
More address space available
Running out of public IPv4 addresses
Differences between IPv4 and IPv6 (IPv4 / IPv6):
32-bit address; supports 2^32 (4,294,967,296) addresses / 128-bit address; supports 3.4 x 10^38 addresses
Can use NAT to extend space limitations / Doesn't support NAT by design
Uses DHCP or static configuration to assign IP addresses to hosts / Hosts can use stateless address autoconfiguration to assign an IP address to themselves but can also use DHCP
IPsec support is optional / IPsec support is supposed to be required
Multiple pieces in an IPv4 header / Simplified IPv6 header
Uses broadcast for several functions / Doesn't use broadcasts and doesn't use ARP. Uses NDP.
Supports common Layer 4 protocols / Supports common Layer 4 protocols
Supports common application protocols / Supports common application protocols
Supports common Layer 2 technologies / Supports common Layer 2 technologies
Contains two parts in an IP address: network and host / Contains two parts in an IP address: network and host
Uses a network mask to identify which part of the address is the network and which is the host / Uses a network mask to identify which part of the address is the network and which is the host
Groupings: Segmented into eight groups of four hex characters.
Separation of groups: Each group is separated by a colon (:).
Length of mask: Usually 50% (64 bits) for a network ID, 50% (64 bits) for the interface ID (using a 64-bit mask).
Number of networks: 2^64 (1.8 x 10^19).
Moving to IPv6
Moving to IPv6 will be a transition. Support for IPv6 and IPv4 coexistence is necessary. Router or device can run both IPv4 and IPv6 or tunneling can be used.
Developing a Security Plan for IPv6 About: Security threats common to both IPv4 and IPv6 (some specific to IPv6) and how to address them. Main Ideas:
Designing Threat Mitigation and Containment About: Guiding principles to follow and implement to mitigate threats. Main Ideas:
Securing a Network via Hardware/Software/Services About: High level look into how to achieve network security. Main Ideas:
Switches
Security features on switches:
Port security. Limits the number of MAC addresses learned on a port. This protects against CAM overflow.
DHCP snooping. Allows server responses only from specifically trusted ports.
Dynamic Address Resolution Protocol (ARP) inspection. Protects against an attacker performing Layer 2 spoofing by confirming that traffic includes an accurate MAC address.
IP source guard. Verifies the client on the port is not doing Layer 3 spoofing.
Root guard, BPDU guard, BPDU filtering. Control the spanning-tree topology by resisting a rogue switch's attempt to become root.
Storm control. Clamps down on traffic at configurable levels.
Additional modules. The addition of modules such as IPS, VPN, firewall.
Routers
Router security features:
Reflexive access lists. Allow traffic from the outside only if it was initiated from the inside. Not used much anymore.
Context-based access control (CBAC). Supports stateful filtering without creating reflexive access lists.
Zone-Based Firewall. Replaced CBAC. Uses class maps to identify traffic, policy maps to specify actions on that traffic, and a service policy to put the policy in place.
Packet-filtering ACLs. Uses standard and extended ACLs; can implement a policy of what traffic is allowed or denied.
AAA. Authentication, authorization, and accounting.
VPNs. Remote access using SSL or IPsec VPNs.
IPS. Intrusion prevention system.
Routing protocol authentication. Prevents an unauthorized router from being trusted.
Control plane protection and control plane policing. Set thresholds and limits for traffic that is directed to the router.
Secure management protocols. SSH and SSL.
ASA Firewall
Security features:
Stateful filtering. The ASA remembers the state of a connection and dynamically allows the return traffic.
Modular policy framework (MPF). Uses class maps, policy maps, and service policy rules to perform simple protocol and application layer inspection and policy enforcement.
URL filtering. Control which URLs are allowed to be accessed through the firewall.
Packet-filtering ACLs. Using standard and extended ACLs to allow or deny traffic.
AAA. Authentication, authorization, and accounting.
VPNs. SSL or IPsec VPN remote access.
IPS. Intrusion prevention system.
Routing protocol authentication. Prevents an unauthorized rogue router from being trusted.
Secure management protocols. SSH and SSL.
Access Control List Fundamentals and Benefits About: Use of ACLs focusing on the function of filtering. Main Ideas:
Standard versus extended ACLs:
Options - Names can be used for the ACL instead of numbers (Yes).
What they can match on - Standard: Source IP of the packet only. Extended: Source or destination IP, plus most Layer 4 protocols, including items in the Layer 4 header of the packet being compared.
Where to place - Standard: Relatively close to the destination. Applying too close to the source may limit that source from reaching other destinations that were not intended to be limited. Extended: Because of the granularity of the matching on specific source and destination, you can place these very close to the source host that is generating the packet, because it will only deny the traffic to the specific destination and will not cause a loss of service to other destinations that are still being permitted.
Wildcard Masks
A wildcard mask is a binary representation that says wherever there is a bit on in the wildcard mask, the corresponding bit of the IP address being looked at does not have to match. A 32-bit IP address checked with a wildcard mask of 0.0.0.255 means that the last 8 bits of the IP address are not being compared.
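The bit rule above is easy to implement and worth testing against more than the 0.0.0.255 case, so here is an added Python example (written for these notes, not from the original page) that matches an address against an ACL entry with a wildcard mask, derives a wildcard from a prefix length, and evaluates a standard ACL first-match with the implicit deny. It goes beyond the text in one way: the sample ACL (constructed) includes a non-contiguous wildcard, 0.0.254.255, which matches only even third octets, since a 1 bit means "don't care" wherever it sits.

```python
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF
HOST = "0.0.0.0"                       # 'host A' is the same as 'A 0.0.0.0'
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is '0.0.0.0 255.255.255.255'


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(ace_address: str, wildcard: str, packet_address: str) -> bool:
    """A 1 bit in the wildcard mask means 'don't care'; every 0 bit must match."""
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(ace_address) & care) == (_to_int(packet_address) & care)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /30 -> 0.0.0.3."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


Ace = Tuple[str, str, str]   # (action, address, wildcard)


def evaluate_standard_acl(aces: List[Ace], packet_source: str) -> str:
    """First-match evaluation of a standard ACL (source address only).
    Falls through to the implicit deny at the end of every ACL."""
    for action, address, wildcard in aces:
        if matches(address, wildcard, packet_source):
            return action
    return "deny"


# Constructed sample ACL for the example (not from the notes).
SAMPLE_ACL: List[Ace] = [
    ("permit", "10.1.1.0", "0.0.0.255"),      # the 10.1.1.0/24 subnet
    ("deny",   "10.1.0.0", "0.0.255.255"),    # the rest of 10.1.0.0/16
    ("permit", "10.2.0.0", "0.0.254.255"),    # non-contiguous: even third octets of 10.2.x.0/24
    ("permit", "192.168.0.1", HOST),          # a single host
]


if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.2.5", "10.2.4.1", "10.2.5.1", "192.168.0.1", "172.16.0.1"):
        print(src, evaluate_standard_acl(SAMPLE_ACL, src))
```

Because matching is done on the bits the mask cares about, the same function also serves extended ACL source/destination checks; only the tuple would grow to carry the destination and Layer 4 fields.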
Object Groups
Can be created to include various devices, even if they are all on different subnets. An example is grouping 15 different servers to allow 2 protocols to those servers.
Implementing IPv4 ACLs as Packet Filters About: How to implement ACLs using CCP and CLI. Main Ideas:
Implementing IPv6 ACLs as Packet Filters About: Implementing IPv6 access lists. Main Ideas:
Firewall Concepts and Technologies About: Concept of firewalls, their strengths and weaknesses, and why they are used. Main Ideas:
Firewall Technologies
Its function is primarily to deny unwanted traffic. Could be implemented by the following:
A router or other Layer 3 forwarding device that has access lists or another method to filter traffic.
A switch that has two VLANs w/o any routing between them to keep traffic from the two networks separated.
Hosts/servers running software that prevents certain types of received traffic from being processed.
Firewall Justifications
Protective Measures Provided by a Firewall Exposure of sensitive systems to untrusted individuals Permitting certain individuals/traffic to services. Exploitation of protocol flaws Inspection of protocols. Unauthorized users Using authentication methods. Malicious data Detect and block. Potential Firewall Limitations
Having a firewall is a mitigation step that reduces risk but doesn't completely eliminate it. Limitations: Configuration mistakes have serious consequences. Not all network applications were written to survive going through a firewall. Individuals who are forced to go through a firewall might try to engineer a way around it. The firewall adds latency.
Defense-in-Depth Approach
Don't rely on a single firewall to provide security. Take a layered approach to security. Utilize security at all levels of the network including routers, switches, and servers.
Packet filters (ACLs)
Advantages: Have a minimal impact on network performance. Are simple to implement. Configurable on most routers. Can perform many basic filtering needs w/o requiring the expense of a high-end firewall.
Disadvantages: Don't filter fragmented packets w/ the same accuracy as nonfragmented packets. Extremely long access control lists are difficult to maintain. Stateless. Some applications jump around and use many ports, some of which are dynamic.
Application layer gateways (proxy servers)
Advantages: More difficult to implement an attack against an end device. Can provide very detailed logging. May be implemented on common hardware.
Disadvantages: Not all applications are supported. Special client software may be needed. Memory and disk intensive. Could be a single point of failure.
Application Inspection
Can analyze and verify protocols up to Layer 7 of the OSI model, but doesn't act as a proxy between the client and server.
Advantages of an Application Inspection Firewall
Can see deeper into conversations: Could analyze the conversation and dynamically allow a connection from the server through the firewall to the client.
Awareness of the details at the application layer: If there is a protocol anomaly, the application layer firewall could identify it and either correct or deny the packet.
Can prevent more kinds of attacks than stateful filtering on its own.
Transparent Firewalls
This is more about how the firewall is inserted into the network than what it inspects. A transparent firewall is implemented at Layer 2, whereas traditional firewalls are implemented as a Layer 3 hop in the network. Interfaces of the transparent firewall do not have IP addresses and act more like a bridge.
Using Network Address Translation About: Look at options that exist for NAT Main Ideas:
Outside local: If performing NAT on outside devices, this is the mapped address of the outside device. If not doing outside NAT on the router, this appears as the normal outside device's IP address to the inside devices.
Outside global: The real IP configured on an outside host, such as the IP on Server A.
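Dynamic PAT (NAT with overload), described under NAT Options just below, works by keeping a translation table so that thousands of inside hosts can share one global address. The following Python simulation is an added example, not from the original notes; the port-selection rule is simplified, and all addresses, ports and flows are constructed.

```python
"""Simulation of dynamic PAT (NAT overload) translation state.

Added example, not from the original notes. One inside global address is
shared by many inside local hosts; the router rewrites the source address
and, on a collision, the source port, and records both directions so that
only return traffic for an existing translation is mapped back in. The
port-selection rule is a simplification; addresses and flows are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str]      # (inside local ip, inside local port, proto)
Mapping = Tuple[str, int, str]   # (inside global ip, inside global port, proto)


@dataclass
class PatTable:
    global_ip: str                       # the single inside global address
    first_port: int = 1024
    last_port: int = 65535
    outbound: Dict[Flow, Mapping] = field(default_factory=dict)
    inbound: Dict[Mapping, Flow] = field(default_factory=dict)

    def _port_free(self, port: int, proto: str) -> bool:
        return (self.global_ip, port, proto) not in self.inbound

    def translate_outbound(self, src_ip: str, src_port: int, proto: str) -> Mapping:
        """Return the (global ip, global port, proto) used for this inside flow."""
        flow = (src_ip, src_port, proto)
        if flow in self.outbound:                  # existing session keeps its mapping
            return self.outbound[flow]
        # Keep the original source port when it is still free on the global
        # address; otherwise take the next free port from the pool.
        candidate = src_port if self._port_free(src_port, proto) else self.first_port
        while not self._port_free(candidate, proto):
            candidate += 1
            if candidate > self.last_port:
                raise RuntimeError("PAT port pool exhausted for " + proto)
        mapping = (self.global_ip, candidate, proto)
        self.outbound[flow] = mapping
        self.inbound[mapping] = flow
        return mapping

    def translate_inbound(self, dst_port: int, proto: str) -> Optional[Flow]:
        """Map a returning packet back to the inside host, or None when no state exists
        (unsolicited inbound traffic has nowhere to go and is dropped)."""
        return self.inbound.get((self.global_ip, dst_port, proto))

    def active_translations(self) -> int:
        return len(self.outbound)


def demo() -> PatTable:
    """Two inside hosts using the same source port contend for one global address."""
    table = PatTable("203.0.113.5")                          # constructed global address
    table.translate_outbound("10.0.0.11", 40000, "tcp")      # keeps port 40000
    table.translate_outbound("10.0.0.12", 40000, "tcp")      # collision: gets port 1024
    table.translate_outbound("10.0.0.11", 40000, "tcp")      # same flow, same mapping
    return table


if __name__ == "__main__":
    t = demo()
    print(t.outbound)
    print(t.translate_inbound(1024, "tcp"))     # ('10.0.0.12', 40000, 'tcp')
    print(t.translate_inbound(1025, "tcp"))     # None: no state, dropped
```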
NAT Options
Static NAT: One-to-one permanent mapping.
Dynamic NAT: Pool of global addresses, mapping those global addresses to inside devices only when those inside devices need to go out to the Internet.
Dynamic PAT (NAT w/ overload): Used for most users who access the Internet. Dynamically assigns global addresses only when needed, and uses overload so thousands of inside devices use the same global IP address by tracking all ports and IP addresses in use.
Policy NAT/PAT: Based on a set of rules.
Creating and Deploying Firewalls About: Best practices for implementing a firewall. Main Ideas:
Rules based on user identity: Based on knowing who the user is and what that user is authorized to do. Rules based on behavior control: How a particular service is used.
Cisco IOS Zone-Based Firewall About: Logic and structural components of the IOS-based Zone-Based Firewall (ZBF). Main Ideas:
Drop Log
Drop: Deny the packet. For traffic you don't want to allow between the zones where this policy map is applied.
Log: Log the packets. If you want to see log info about packets that were dropped because of policy, add this option.
Service Policies
Service policies are applied to a zone pair. Only one service policy can be assigned to a zone pair. Ingress = packets going into an interface of the router. Egress = packets being sent out of an interface of the router.
Traffic Interaction Between Zones (ingress interface member of a zone / egress interface member of a zone / zone pair exists w/ applied policy: result)
No / No / Doesn't matter: Traffic is forwarded.
No / Yes (Zone A) / Doesn't matter: Traffic is dropped.
Yes (Zone A) / No / Doesn't matter: Traffic is dropped.
Yes (Zone A) / Yes (Zone A) / Doesn't matter: Traffic is forwarded.
Yes (Zone A) / Yes (Zone B) / No: Traffic is dropped.
Yes (Zone A) / Yes (Zone B) / Yes: Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped.
int g1/0
description Belongs to inside zone
zone-member security inside
exit
Traffic to and from the self zone (ingress zone / egress zone / zone pair exists w/ applied policy: result)
Zone A / Self / No: Traffic is forwarded (traffic to and from the router itself is permitted by default).
Self / Zone A / No: Traffic is forwarded.
Zone A / Self / Yes: Policy is applied.
Self / Zone A / Yes: Policy is applied.
Configuring and Verifying Cisco IOS Zone-Based Firewall About: Configuring IOS ZBF from CCP and CLI Main Ideas:
A level of security needs to be selected. There are three security levels when configuring the ZBF Wizard: High Security - The firewall identifies and drops IM and peer-to-peer traffic, performs application inspection for web and email traffic and drops noncompliant traffic, and does generic inspection of TCP and UDP applications. Medium Security - Similar to High Security but does not check web and email traffic for protocol compliance. Low Security - Doesn't perform any application layer inspection; does generic TCP and UDP inspection. 5. Configure DNS if needed. 6. Finish the configuration wizard.
ip nat outside
exit
int g1/0
ip nat inside
exit
! Create NAT statement matching access list 2
ip nat inside source list 2 interface g3/0 overload
The ASA Appliance Family and Features About: Various models and offerings of the ASA. Main Ideas:
ASA Firewall Fundamentals About: Logic used by the ASA, ways to manage the firewall, and components used to implement policy. Main Ideas:
Configuring the ASA About: Using the ASDM GUI to implement and verify a security policy on the ASA. Main Ideas:
Connect the console cable to the firewall and boot it up. Use setup to configure ASDM access.
int e0/1
switchport access vlan 4
exit
int e0/2
switchport access vlan 2
exit
int e0/3
switchport access vlan 2
exit
int e0/4
switchport access vlan 2
exit
int e0/5
switchport access vlan 2
exit
IPS Versus IDS About: Platforms used for intrusion detection/prevention and explains the differences between IPS and IDS. Main Ideas:
What Sensors Do
A sensor is a device that looks at traffic on the network and makes a decision based on a set of rules.
IDS versus IPS
Placement: IDS: Promiscuous mode, out of band. IPS: Inline mode.
Delay added: IDS: None added. IPS: Small amount added.
Ability to prevent malicious traffic from going into the network: IDS: By itself, cannot stop the original packet. IPS: Can drop the packet on its own because it is inline.
Normalization ability: IDS: Cannot manipulate any original inline traffic. IPS: Can normalize (manipulate or modify) traffic inline.
Sensor Platforms
Options included for implementing an IPS/IDS sensor:
Dedicated IPS appliance. Software running on IOS. Module in an IOS router, such as the AIM-IPS or NME-IPS modules. Module on an ASA. Blade that works in a 6500 switch.
True/False Negatives/Positives
An IPS/IDS should report accurate information. A false result from the IPS/IDS, in either direction, is not the desired outcome.
Positive/Negative Terminology
Terms for IPS/IDS: False positive, False negative, True positive, True negative.
False positive: An alert generated by the IPS/IDS for traffic that is not malicious.
False negative: Malicious traffic is on the network but the IPS/IDS failed to trigger an alert.
True positive: Malicious traffic was picked up by the IPS/IDS.
True negative: Non-malicious traffic is not picked up by the IPS/IDS.
Identifying Malicious Traffic on the Network About: Techniques used by IPS and IDS sensors. Main Ideas:
Methods
There are different methods sensors can be configured to identify malicious traffic: Signature-based Policy-based Anomaly-based Reputation-based
Signature-Based IPS/IDS
Policy-Based IPS/IDS
Can be configured according to a network policy, such as "no Telnet traffic should be used."
Anomaly-Based IPS/IDS
Used to catch instances that are not normal or do not align with a baseline.
Reputation-Based IPS/IDS
Uses information collected from sensors all over the world that a local sensor can draw on.
Reputation-based: Advantage: Leverages enterprise & global correlation. Disadvantage: Requires timely updates, and requires participation in the correlation process.
Risk Rating (RR) Calculation Factors (factor influencing risk rating: description)
Target value rating (TVR): Value that the administrator has assigned.
Signature fidelity rating (SFR): Accuracy of the signature as rated by the person who created that signature.
Attack severity rating (ASR): How critical the attack is as determined by the person who created the signature.
Attack relevancy (AR): A minor contributor to the risk rating.
Global correlation: The sensor participates in global correlation and receives information about specific source addresses.
Circumventing an IPS/IDS
IPS/IDS evasion techniques (evasion method: description; Cisco anti-evasion technique)
Traffic fragmentation: Attacker splits malicious traffic into multiple parts to avoid detection. Anti-evasion: Complete session reassembly.
Traffic substitution & insertion: Attacker substitutes characters in the data using different formats that have the same final meaning. Anti-evasion: Data normalization & de-obfuscation techniques.
Protocol level misinterpretation: Attacker attempts to cause a sensor to misinterpret the end-to-end meaning of a network protocol. Anti-evasion: IP TTL analysis, TCP checksum validation.
Timing attacks: Sending packets at a low rate so as not to trigger a signature. Anti-evasion: Configurable intervals and use of third-party correlation.
Encryption and tunneling: Encrypted traffic cannot be inspected.
Resource exhaustion: Anti-evasion: Dynamic and configurable event summarization.
Managing Signatures About: How signatures are manipulated and managed. Main Ideas:
Service
String or multistring: Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session.
Other: Miscellaneous signatures that may not specifically fit into other categories.
Monitoring and Managing Alarms and Alerts About: Options for working with sensor-generated alarms and alerts Main Ideas:
Security Intelligence
Having multiple sensors in various parts of the network provides a clearer understanding of an attack through correlation. Cisco offers the Security Intelligence Operations (SIO) service, which provides global threat information, reputation-based services, and sophisticated analysis.
Understanding and Installing an IOS-Based IPS About: Features of Cisco IPS included in IOS implementation of IPS. Main Ideas:
Regular expression string pattern matching: Enables creation of string patterns using variables.
Response actions: Enables the sensor to take action in response to a triggered event.
Alarm summarization: Helps prevent resource exhaustion by summarizing events that are all the same.
Threshold configuration: Identifies thresholds which, if exceeded, may trigger events.
Anti-evasive techniques: Designed to interpret the actual data regardless of whether it is fragmented or uses a combination of character sets.
Risk ratings: Calculated between 0-100 and associated with an alert. The higher the number, the more risk is presumed.
Viewing/Modifying Signatures
To view/modify signatures in CCP: Configure | Security | Intrusion Prevention and click the Edit IPS tab. Then click Signatures option to view all the signatures.
Signature states (retired/unretired and enabled/disabled)
Retired, enabled: No memory consumption.
Retired, disabled: No memory consumption.
Unretired, enabled: Consumes memory, is considered during packet analysis.
Unretired, disabled: Consumes memory, no action related to the signature during packet analysis.
A signature is enabled once you click on Enable, and also Unretire, then click on Apply Changes. A green checkmark appears on the signature rule.
retired true
exit
! Enable the basic signature category
category ios_ips basic
retired false
exit
exit
! Apply the IPS rule inbound on the interface
int f1/0
ip ips sdm_ips_rule in
exit
! Specify the location of custom or tuned signatures
ip ips config location ftp://10.0.0.2/ips5
! Enable signature 2004 to ensure it is both enabled and not retired
ip ips signature-definition
signature 2004
status
enabled true
retired false
exit
exit
exit
! Verify the configuration
show ip ips configuration
! Verify the signature
show ip ips signatures sigid 2004 subid 0
! View the number of active signatures
show ip ips signatures count
Managing and Monitoring IPS Alarms About: Options for viewing alerts and alarms and demonstrating how to do it via CCP and CLI. Main Ideas:
Understanding VPNs and Why We Use Them About: Why VPNs are important and what types of VPNs are available. Main Ideas:
What is a VPN?
A VPN is a virtual private network connecting two endpoints together to provide a secure and confidential connection between the two.
Types of VPNs
IPsec: Can be used for site-to-site VPNs or remote-access VPNs. Implements security of IP packets at Layer 3.
SSL: Implements security of TCP sessions at Layer 4. Can be used for remote access.
MPLS: Multiprotocol Label Switching and MPLS Layer 3 VPNs provided by a service provider. No encryption by default. IPsec can be used on top of MPLS to add confidentiality.
Confidentiality
Only the intended parties can understand the data that is sent.
Data Integrity
Ensuring the data is accurate from end to end.
Authentication
Verifying the other end of the connection using pre-shared keys, public and private key pairs, or user authentication.
Antireplay
Protects against an attacker capturing traffic with the intent of replaying it back to fool one of the VPN peers into believing that the peer trying to connect is a legitimate peer.
Cryptography Basic Components About: Basic components of cryptography, algorithms for hashing, encryption, and key management. Main Ideas: Confidentiality is a function of encryption. Data integrity is a function of hashing. Authentication is the process of proving the identity of the other side of the tunnel.
Ciphers
A cipher is a set of rules, which is also an algorithm, for how to perform encryption and decryption. Common methods that ciphers use: Substitution - substituting one character for another. Polyalphabetic - similar to substitution but, instead of using a single alphabet, could use multiple alphabets. Transposition - uses many different options, including the rearrangement of letters.
Keys
An example of a key is a one-time pad which can only be used once.
Block Ciphers
A symmetric key cipher (same key to encrypt and decrypt) that operates on a group of bits called a block. It may take a 64-bit block of plaintext and generate a 64-bit block of ciphertext. Examples of symmetric block cipher algorithms: Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), Blowfish, Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA).
Stream Ciphers
A symmetric key cipher where the plaintext is encrypted 1 bit at a time against the bits of the key stream, also called a cipher digit stream.
Symmetric Algorithm
Uses the same key to encrypt and decrypt the data. Common examples: DES, 3DES, AES, IDEA, RC2, RC4, RC5, RC6, Blowfish. Much faster to use, as it takes less CPU.
Asymmetric Algorithm
Example is public key algorithms. Instead of using the same key for encrypting and decrypting, two different keys mathematically work together as a pair. Uses a private key and a public key. Together they are a key pair. High CPU cost when using key pairs to lock and unlock data.
Hashes
Hashing is a method used to verify data integrity. A cryptographic hash function takes a block of data and creates a small fixed-sized hash value. This is a one-way function.
The result is a fixed-length string of data referred to as a digest, message digest, or hash. Most popular types of hashes: Message Digest 5 (MD5): Creates a 128-bit digest. Secure Hash Algorithm 1 (SHA-1): Creates a 160-bit digest. Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
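The digest sizes listed above, the one-way property, and the HMAC integrity check that IPsec relies on, shown as an added Python example (not code from the original notes). The message and key values are constructed for the demonstration.

```python
"""Hash digests and HMAC integrity checks with the algorithms named in the notes.

Added example, not from the original notes. Shows the output sizes of MD5,
SHA-1 and the SHA-2 family, how a single flipped input bit changes roughly
half of the digest bits, and how a keyed HMAC lets a receiver detect a
modified message. The message and key values are constructed for the demo.
"""
import hashlib
import hmac

ALGORITHMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]


def digest_bits(name: str) -> int:
    """Output size in bits of a hashlib algorithm."""
    return hashlib.new(name).digest_size * 8


def digest_hex(name: str, data: bytes) -> str:
    """Hex digest of data under the named algorithm."""
    return hashlib.new(name, data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_one_bit(data: bytes) -> bytes:
    """Flip the lowest bit of the last byte: the smallest possible change."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def make_hmac(key: bytes, data: bytes, name: str = "sha256") -> bytes:
    """Keyed hash: only a holder of the key can produce a matching tag."""
    return hmac.new(key, data, name).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes, name: str = "sha256") -> bool:
    """Constant-time comparison so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(make_hmac(key, data, name), tag)


def demo() -> dict:
    message = b"transfer 100 to account 42"     # constructed sample message
    key = b"shared-secret-key-for-demo"         # constructed sample key
    tampered = flip_one_bit(message)
    sizes = {name: digest_bits(name) for name in ALGORITHMS}
    avalanche = differing_bits(hashlib.sha256(message).digest(),
                               hashlib.sha256(tampered).digest())
    tag = make_hmac(key, message)
    return {
        "sizes": sizes,                                         # md5 128 ... sha512 512
        "avalanche_bits_of_256": avalanche,                     # about half of 256
        "valid": verify_hmac(key, message, tag),                # True
        "tampered_valid": verify_hmac(key, tampered, tag),      # False
        "wrong_key_valid": verify_hmac(b"other-key", message, tag),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```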
Digital Signatures
A way of proving that you are who you say you are. Three core benefits: Authentication Data integrity Nonrepudiation
IPsec
A collection of protocols and algorithms used to protect packets at Layer 3. Core benefits: confidentiality through encryption, data integrity through hashing and HMAC, and authentication using digital signatures or a pre-shared key (PSK).
ESP and AH: The two primary methods for implementing IPsec, Encapsulating Security Payload and Authentication Header.
Encryption algorithms for confidentiality: DES, 3DES, AES.
Hashing algorithms for integrity: MD5, SHA.
Authentication algorithms: PSK, RSA digital certificates.
Key management: Diffie-Hellman (DH), Internet Key Exchange (IKE).
SSL
VPN Components
Component: Function. Examples of use.
Symmetrical encryption algorithms: Uses the same key for encrypting and decrypting data. DES, 3DES, AES, IDEA.
Asymmetrical encryption algorithms: Uses a public and private key. One key encrypts the data, and the other key in the pair is used to decrypt. RSA, Diffie-Hellman.
Digital signature: Encryption of a hash using the private key, and decryption of the hash with the sender's public key. RSA signatures.
Diffie-Hellman key exchange: Uses a public-private key pair asymmetrical algorithm, but creates final shared secrets (keys) that are then used by symmetrical algorithms.
Confidentiality: Encryption algorithms provide this by turning clear text into cipher text. DES, 3DES, AES, RSA, IDEA.
Data integrity: Validates data by comparing hash values. MD5, SHA-1.
Authentication: Verifies the peer's identity to the other peer. PSKs, RSA signatures.
Public Key Infrastructure About: Moving parts and pieces involved with the PKI. Main Ideas:
RSA Algorithm, the Keys, and Digital Certificates Who Has Keys and a Digital Certificate?
With RSA digital signatures, both parties have a public-private key pair. They are also both enrolled with a CA.
Certificate Authorities
A CA is a computer or entity that creates and issues digital certificates. Inside a digital certificate is information about the identity of a device, such as its IP address, FQDN, and the public key of the device. The CA takes all the information and generates a digital certificate, assigns a serial number and signs the certificate with its own digital signature.
Identity Certificate
Similar to a root certificate but describes the client and contains the public key of the client.
Valid from: Date the certificate became valid.
Valid to: Expiration date of the certificate.
Key usage: Functions for which the public key in the certificate may be used.
Public key: Public portion of the public and private key pair.
Thumbprint algorithm: Hash algorithm used for data integrity.
Thumbprint: The actual hash.
Certificate revocation list location: URL used to see whether the serial number of any certificate issued by the CA has been revoked.
Revoked Certificates
Checks whether a certificate has been revoked due to a security concern. The device checks a URL that has a list of revoked certificates. Three basic ways to check: Certificate Revocation List (CRL): List of certificates, based on serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted. Online Certificate Status Protocol (OCSP): Alternative to CRLs. The client sends a request for the status of a certificate and gets a response. Authentication, authorization, and accounting (AAA): Cisco AAA services provide support for validating digital certificates.
Cross-Certifying CAs
A CA with a horizontal trust relationship over to a second CA so that clients of either CA could trust the signatures of the other CA.
Putting the Pieces of PKI to Work About: How to implement components Main Ideas:
certificates and root certificates which is under the Certificate Management section.
enrollment url http://192.168.1.105
exit
! Retrieve and install the root cert.
crypto ca authenticate New-CA-to-Use noninteractive
! Request and install the identity cert from the CA
crypto ca enroll New-CA-to-Use noconfirm
Digital signature
Public and private keys: Used as a pair to encrypt and decrypt data in an asymmetrical fashion.
Certificate authority: The CA's job is to fulfill certificate requests and generate digital certificates for its clients to use. It maintains the valid certs that have been issued and a CRL.
Common certificate format used today: X.509v3.
Subordinate CA/RA: Assistant to the CA; can issue certs to clients. Used in a hierarchical PKI topology.
PKCS: Public Key Cryptography Standards.
19 Fundamentals of IP Security
Notebook: CCNA Security. Created: 11/6/2012 6:10 AM. Tags: ccna security. Updated: 11/6/2012 6:55 AM.
IPsec Concepts, Components, and Operations About: Moving parts and pieces of IPsec. Main Ideas:
Encryption algorithm: 3DES, AES.
Diffie-Hellman group to use: Refers to the modulus size (length of the key) used for the DH key exchange. Group 1 = 768 bits, Group 2 = 1024 bits, Group 5 = 1536 bits. Its purpose is to generate shared secret keying material (symmetric keys).
Authentication method: Used to verify the identity of the VPN peer on the other side. PSK or RSA signatures.
Lifetime: How long until the IKE Phase 1 tunnel is torn down. Default is 1 day (in seconds). The only parameter that doesn't have to match.
How to remember the five items to negotiate in IKE Phase 1: HAGLE. H - Hash, A - Authentication method, G - DH group, L - Lifetime, E - Encryption algorithm.
Step 2: Run the DH Key Exchange After agreeing to the IKE Phase 1 policy of the peer, both devices run the DH key exchange. The DH group agreed upon is used.
Step 3: Authenticate the Peer Authentication is used from the agreed upon item. After authentication, the tunnel is now bidirectional.
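The three steps above (HAGLE policy negotiation with lifetime as the one non-matching value, then a DH exchange using the agreed group) as an added Python simulation, not code from the original notes. The policy values are constructed, and the DH modulus is a deliberately small constructed prime rather than a real group 1/2/5 modulus.

```python
"""IKE Phase 1 policy negotiation (HAGLE) followed by a Diffie-Hellman exchange.

Added example, not from the original notes. Each peer holds an ordered list
of Phase 1 policies; the initiator's policies are offered in priority order
and the responder accepts the first whose hash, authentication, DH group and
encryption match one of its own. Lifetime is the one value that need not
match: the shorter of the two is used. The DH prime below is a small
constructed value for illustration, not a real 768/1024/1536-bit modulus.
"""
import secrets
from dataclasses import dataclass, replace
from typing import List, Optional

# Modulus size in bits for the DH groups named in the notes.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}


@dataclass(frozen=True)
class Phase1Policy:
    priority: int        # lower number is tried first
    hash: str            # "md5" or "sha"
    auth: str            # "pre-share" or "rsa-sig"
    group: int           # DH group number
    lifetime: int        # seconds
    encryption: str      # "3des", "aes", "aes 256", ...

    def hagle_matches(self, other: "Phase1Policy") -> bool:
        """H, A, G and E must be identical; L (lifetime) is settled separately."""
        return (self.hash == other.hash and self.auth == other.auth
                and self.group == other.group and self.encryption == other.encryption)


def negotiate_phase1(initiator: List[Phase1Policy],
                     responder: List[Phase1Policy]) -> Optional[Phase1Policy]:
    """Return the agreed policy (carrying the shorter lifetime) or None if nothing matches."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if offer.hagle_matches(local):
                return replace(local, lifetime=min(offer.lifetime, local.lifetime))
    return None


# Constructed toy DH parameters (a 31-bit prime and a small base). Real IKE
# groups use the 768/1024/1536-bit moduli listed in DH_GROUP_BITS.
TOY_PRIME = 2_147_483_647          # 2**31 - 1, prime
TOY_BASE = 7


def dh_keypair(p: int = TOY_PRIME, g: int = TOY_BASE):
    """Random private exponent x and public value g^x mod p."""
    private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def dh_shared_secret(private: int, peer_public: int, p: int = TOY_PRIME) -> int:
    """Both sides compute the same value: (g^y)^x = (g^x)^y mod p."""
    return pow(peer_public, private, p)


def demo() -> dict:
    router_a = [Phase1Policy(10, "sha", "pre-share", 5, 86400, "aes 256"),
                Phase1Policy(20, "md5", "pre-share", 2, 86400, "3des")]
    router_b = [Phase1Policy(5, "sha", "rsa-sig", 5, 3600, "aes 256"),   # auth differs
                Phase1Policy(10, "md5", "pre-share", 2, 3600, "3des")]   # HAGE match
    agreed = negotiate_phase1(router_a, router_b)            # md5/pre-share/2/3des, 3600 s
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return {
        "agreed": agreed,
        "modulus_bits": DH_GROUP_BITS[agreed.group] if agreed else None,
        "same_secret": dh_shared_secret(a_priv, b_pub) == dh_shared_secret(b_priv, a_pub),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```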
Summary of IPsec
VPN peers negotiate an IKE Phase 1 tunnel using Aggressive or Main mode, then use Quick mode to establish an IKE Phase 2 tunnel. The IKE Phase 2 tunnel is used to encrypt and decrypt user traffic. IKE Phase 2 really creates two one-way tunnels: one from Device A to Device B, and one from Device B to Device A. These tunnels are referred to as security agreements between two VPN peers or security associations (SA). Each SA is assigned a unique number for tracking.
Then verify that the Create a Site-to-Site VPN option is selected and click Launch the Selected Task. Select Step by Step Wizard and click Next. Select the interface facing the Internet (the interface facing toward its peer), configure the IP address of the peer, select PSK as the authentication option and configure the key, then click Next. Then select the IKE Phase 1 proposals to be used: click Add to create a new IKE Phase 1 policy, enter the desired IKE Phase 1 parameters and click OK. After creating the new IKE Phase 1 policy, select it and click Next. Now select the transform set used for encryption and hashing for the IKE Phase 2 tunnels: click Add, specify the IKE Phase 2 policies and click OK. Verify the new transform set is selected and click Next. Now specify the traffic that should be encrypted. Packets not matched for IPsec protection will be forwarded as normal packets.
! Configure the crypto map. ipsec-isakmp means the router will automatically negotiate the IKE Phase 2 tunnel using ISAKMP (Internet Security Association and Key Management Protocol). "1" is sequence number 1.
crypto map SDM_CMAP_1 1 ipsec-isakmp
! Tell the crypto map to match on ACL 100
match address 100
! If traffic matches the ACL, use the transform set named My-SET to negotiate the IKE Phase 2 tunnel with the peer.
set transform-set My-SET
set peer 43.0.0.2
exit
! Apply the crypto map to the interface
int g1/0
crypto map SDM_CMAP_1
exit
Planning and Preparing an IPsec Site-to-Site VPN About: Identifying a customer's need for VPN services and plan the details to implement the VPN. Main Ideas:
ESP: Layer 4 protocol 50.
AH: Layer 4 protocol 51.
Authentication: Pre-shared Key (PSK) or RSA-sigs (digital signatures).
DH group: 1, 2, or 5.
Lifetime: 86400 seconds (1 day), or shorter than 1 day, such as 3600.
Encryption: 3DES, or AES-128 (or 192, or 256).
These parameters are used for the IKE Phase 1 policy, specified using the command crypto isakmp policy.
Crypto ACL, referred to in the crypto map: Extended ACL not applied to an interface but referenced in the crypto map. Should only reference outbound traffic that should be protected by IPsec.
Encryption method (transform set, referred to in the crypto map): DES, 3DES, AES are options.
Hashing (HMAC) method (transform set): MD5 and SHA HMACs may be used and need to match the Phase 2 policy of the peer.
Lifetime: Should match between peers.
Perfect Forward Secrecy (PFS) (crypto map): Run DH again or not.
Which interface is used to peer with the other VPN device: Crypto map applied to the outbound interface.
DH is run during IKE Phase 1, and Phase 2 reuses that same keying material that was generated.
About: Implementing, verifying, and troubleshooting the VPN using a combination of CCP and CLI. Main Ideas:
Configure the IKE Phase 1 policy in CCP: Configure | Security | VPN | Site-to-Site VPN, then click Launch the selected task. Choose the Step-by-Step Wizard, then click Next. Select PSK or Digital Certificates, then click Next. Add a new policy by clicking Add; after adding the new policy, click OK and then Next. Add the IKE Phase 2 policy by clicking Add, then OK. Confirm the ACL info by clicking OK.
! Debug the IKE Phase 1 process
debug crypto isakmp
If no debug output is shown for debug crypto isakmp, it may mean the IKE Phase 1 process is already up, or that it is not currently up because there is no interesting traffic triggering it.
! Verify an IKE Phase 1 tunnel is already in place:
show crypto isakmp sa
! Verify the IPsec (IKE Phase 2) tunnel:
show crypto ipsec sa
! Bird's-eye view of the cryptography:
show crypto engine connections active
Functions and Use of SSL for VPNs About: Alternative to IPsec for implementing secure VPN tunnels. Main Ideas:
Encryption
Authentication: SSL: Moderate, one-way or two-way authentication. IPsec: Strong, two-way authentication using shared secrets or digital certificates.
Ease of use: SSL: Very high. IPsec: Moderate. Can be challenging for nontechnical users, and deployment is more time consuming.
Overall security: SSL: More weaknesses identified in older SSL versions. IPsec: Strong; only specific devices with specific configurations can connect. Stronger implementation because of the standards process.
SSL VPN options (clientless / thin client / full tunnel)
User experience: Clientless: Feels like accessing corporate resources through a web browser. Thin client: Some applications can run locally with output redirected through the VPN. Full tunnel: Full access to the corporate network; the local computer feels like part of the network.
Servers that can be used: IOS w/ correct software, ASA w/ correct license (all three options).
How the user looks from the corporate network: Full tunnel: Clients are assigned their own virtual IP address while accessing the corporate network.
Clients supported: Clientless: Most computers that support SSL.
Configuring SSL Clientless VPNs on ASA About: Using the ASDM to configure clientless SSL VPN Main Ideas: High-level tasks used to implement the SSL clientless VPN: Launch the wizard for SSL VPN inside ASDM. Configure the SSL VPN URL and interface. Configure user authentication. Configure the user group policy. Configure bookmark lists. Verify that the config is what was intended, and verify that it works.
Digital Certificates
By default, the ASA uses a self-signed digital certificate.
Authenticating Users
We specify how to authenticate individuals using one of two general options, AAA or the local database. When clicking Next to continue, you are asked what group profile to use for these users. By default all users belong to a default group; specific groups inherit policies from the default group. When clicking Next you are prompted as to whether you want to provide these authenticated SSL VPN users with a convenient list of links (bookmarks) that go to specific services on the corporate network. After you have confirmed, using the Add, OK, and/or Edit buttons, the bookmarks you want to provide to users, click Next to continue to a summary of what is about to be deployed.
Logging In
Users browse to the configured URL and log in with their username and password.
Configuring the Full SSL AnyConnect VPN on the ASA About: Implementing a full-tunnel VPN using AnyConnect and the SSL Functionality Main Ideas:
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
! Create the local address pool for VPN users
ip local pool POOLS-for-AnyConnect 10.0.0.51-10.0.0.100 mask 255.255.255.0
! Create an internal group policy with the name below
group-policy GroupPolicy_SSL_AnyConnect internal
! Specify the attributes of this group policy
group-policy GroupPolicy_SSL_AnyConnect attributes
vpn-tunnel-protocol ssl-client
dns-server value 8.8.8.8
wins-server none
default-domain value cisco.com
exit
! Enable SSL VPN on the outside interface and specify which client image packages in flash are available
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
! Enable AnyConnect and provide the group list (so users can select their group)
anyconnect enable
tunnel-group-list enable
! Create a tunnel group and specify the type of tunnel group
tunnel-group SSL_AnyConnect type remote-access
! Specify which group policy and which address pool this tunnel group uses
tunnel-group SSL_AnyConnect general-attributes
default-group-policy GroupPolicy_SSL_AnyConnect
address-pool POOLS-for-AnyConnect
! Enable the alias used to select this group when accessing the server
tunnel-group SSL_AnyConnect webvpn-attributes
group-alias SSL_AnyConnect enable
! NAT exemption for VPN traffic from the inside network going to the address range used by the AnyConnect clients
nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
Split Tunneling
Split tunneling is the act of tunneling packets only if they are destined for a specific subnetwork at the internal site. To enable split tunneling on the ASA: Configuration | Remote Access VPN | Network (Client) Access | Group Policies. Edit the group policy by going to Advanced | Split Tunneling, and specify the networks for which you want to tunnel traffic.
To monitor VPN sessions: Monitoring | VPN | VPN Statistics | Sessions Click on Details to see more information.