
5 DAY BOOTCAMP !!!!

Notes are here per day and date, and they are in reverse order (stacked up)...

Happy reading ~ 

Network Attacks

VLAN Hopping

- DTP to form a trunk
- Double tagged 802.1Q frames
- Hardcode switchports
- Do NOT use vlan 1
- Unused ports assigned to vlan other than 1
- Change native vlan

CAM Table attacks

- When table is full, unknown entries treated as broadcast
- Attacker can flood table with random addresses
- Port-security

DHCP starvation

- Pull out all IP addresses of DHCP scope
- DHCP implementations look at Hardware Address field
- Attacker could only change that address and keep MAC address the same, so port-security only sees 1 MAC
- DHCP snooping
  o Listens to traffic between client and server
  o IP to MAC binding per interface kept
  o Additional requests are dropped
  o Trunk links also need to be configured as a trusted port! Where to expect the DHCP reply needs to be configured as trusted
- Rogue DHCP server, advertise attacker's IP as Default Gateway and/or DNS server, letting all traffic flow through the attacker and being a Man in the middle
- DHCP port mapping, so when reply comes back it's unicasted to the client that requested it and not flooded (as it's broadcast traffic)

ARP attacks / ARP Poisoning!

- Attacker replying to ARPs
- DHCP snooping and Dynamic ARP inspection
- ARP uses EtherType 0x806, IP uses EtherType 0x800
- ARP can be filtered in MAC ACLs

IP Source Guard (IPSG)

- Also looking at IP traffic
- Looking at IP to MAC entries instead of ARP
- Also uses DHCP snooping

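Added example, not part of the original notes: one Catalyst IOS switch configuration that applies the Layer 2 countermeasures listed above (hardcoded trunk without DTP, unused native VLAN, access ports with port-security and IPSG, DHCP snooping with a trusted uplink, DAI). Interface names, VLAN numbers and the rate limit are assumptions for the example.

```cisco
! Trunk to the upstream switch: no DTP, explicit 802.1Q, native VLAN that carries no users,
! only the VLANs we need. The uplink is where DHCP replies and ARP answers are expected,
! so it is the trusted port for snooping and DAI.
interface GigabitEthernet0/1
 description uplink (assumed topology)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port: fixed access mode, one MAC, restrict (SNMP/syslog) instead of err-disable,
! DHCP request rate limit against starvation, IP Source Guard on top of the snooping binding
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
 ip verify source
!
! Unused ports: dead-end VLAN (not VLAN 1) and shut
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 666
 shutdown
!
! DHCP snooping and Dynamic ARP Inspection for the user VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
!
! Verification
show ip dhcp snooping binding
show ip arp inspection statistics
show port-security interface FastEthernet0/5
```

The trusted/untrusted decision matters most on the trunk: with `ip dhcp snooping trust` missing on the uplink, legitimate DHCP OFFERs from the real server are dropped and the clients see the same symptom as a starvation attack.
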
Control-plane Security = Routing Protocols

Management-plane Security = SSH/Telnet/SNMP/Logging

Data-Plane = Transit traffic

Control-Plane

- Attacker could inject routing information
- Authenticate routing protocols
- Limit number of prefixes per BGP peer
- Make client facing interfaces passive in IGPs

IP Spoofing

- RFC 1918, RFC 2827, RFC 3330, BOGON
- BOGON not tested on lab as it changes
- uRPF
  o Takes load-balancing and EIGRP unequal LB into account
  o CEF required
  o RFC 1918
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
- RFC 3330
  o First and last of every class (A, B, C)
  o RFC 1918
  o 0.0.0.0/8
  o 127.0.0.0/8
  o 128.0.0.0/16
  o 191.255.0.0/16
  o 192.0.0.0/24
  o 223.255.255.0/24
  o 224.0.0.0/4
  o 240.0.0.0/4
  o 14.0.0.0/8
  o 24.0.0.0/8
  o 39.0.0.0/8
  o 192.0.2.0/24
  o 192.98.99.0/24
  o 198.18.0.0/15
  o 169.254.0.0/16
- RFC 2827
  o Address spoofing in general
  o Deny OWN address-space ingress on network as source
  o uRPF can handle this (via rx)
  o Only ALLOW own address-space egress on network as source
  o Watch for added IP addresses and pools (remote access users)
- SMURF attack
  o Source sends ICMP ping with source IP address of victim (target) and destination of directed broadcast
  o RFC 2644 says always disable directed broadcast
    - Default in IOS
  o Fraggle attack is same as SMURF, but with UDP echoes
  o Since spoofed IP is used, uRPF would resolve
  o Policing ICMP/UDP echoes
  o Blackhole filtering
- Blackhole Filtering
  o Forward traffic to null0 at ingress
  o Can deny traffic to legitimate hosts
  o Destination based = destination IP static to null0
  o Source based = source IP static to null0
  o Generally done with BGP

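Added example, not from the original notes: an IOS edge router applying the anti-spoofing pieces above together, strict uRPF (reachable-via rx) on the LAN side, loose uRPF plus explicit RFC 2827 / RFC 1918 ingress and egress ACLs on the Internet side, directed-broadcast disabled, and a destination-based static blackhole. The own address space 203.0.113.0/24, the LAN 10.1.1.0/24, the blackholed victim prefix 192.0.2.0/24 and the interface names are constructed values.

```cisco
! uRPF needs CEF
ip cef
!
! LAN-facing side: strict mode, the source must be routed back out this same interface
interface FastEthernet0/0
 description LAN side (constructed addressing)
 ip address 10.1.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip directed-broadcast
!
! RFC 2827 ingress: nothing from outside may claim our own space or never-routable space as source
ip access-list extended INGRESS_ANTISPOOF
 remark own address space (203.0.113.0/24 assumed) arriving from the Internet = spoofed
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark RFC 1918 and other sources that must never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 permit ip any any
!
! RFC 2827 egress: only our own space may leave as source
ip access-list extended EGRESS_ANTISPOOF
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Internet side
 ip access-group INGRESS_ANTISPOOF in
 ip access-group EGRESS_ANTISPOOF out
 ip verify unicast source reachable-via any
 no ip directed-broadcast
!
! Destination-based blackhole: traffic to the victim prefix is dropped in the forwarding path
ip route 192.0.2.0 255.255.255.0 Null0
!
! Verification: uRPF drop counters and ACL hit counts
show ip interface Serial0/0 | include verif
show cef interface Serial0/0 internal
show access-lists INGRESS_ANTISPOOF
```

Loose mode (`reachable-via any`) is used on the Internet side because asymmetric return paths are normal there; strict mode would drop legitimate packets whose source happens to be routed out another interface, which is exactly the unequal-cost load-balancing caveat in the notes.
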
SYN attacks

- Flooding a victim with SYN packets
- Victim replies, but attacker doesn't
- Leaving embryonic connections (half-open)
- TCP intercept, bad idea, since victim is now the router
- IOS CBAC has possibilities
- ASA MPF has connection limits
- SYN policing
- Bigger servers

Network Scanning

- Close services
- Threat detection / shunning

Disabled Services

- no ip finger
- no ip bootp server
- no cdp run / no cdp enable
- no ip proxy-arp
- no ip redirects
- no ip directed-broadcast (default)
- no ip unreachables
- Possible to rate-limit unreachables on IOS globally

Detection

- NBAR protocol discovery
- ACL logging
- IP accounting
- NetFlow
- Classification ACLs (lot of permits, looking at matches)
- ASA Threat Detection

IP Options

- ip options drop (global)
- Selective drop with ACL and deny ip any any option ...
  o Required to have a NAMED ACL

VFR Virtual Fragmentation Reassembly

- Tiny Fragment attack, Overlapping Fragment Attack, Buffer Overflow
- ip virtual-reassembly (enabled by some features)
- Options to configure maximum fragments (ASA fragment chain, ACL drop non-initial fragments at end of line)

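Added example, not part of the original notes, covering the three knobs from the SYN, IP Options and VFR sections: ASA MPF embryonic connection limits for a server, IOS IP-options dropping (global and the named-ACL variant), and IOS virtual fragment reassembly with explicit limits. The server address 192.0.2.10, the ACL names, the interface and the numeric limits are assumptions.

```cisco
! --- ASA: cap half-open (embryonic) connections toward a server, total and per client ---
access-list WEB_SERVER extended permit tcp any host 192.0.2.10 eq www
class-map WEB_CONN
 match access-list WEB_SERVER
policy-map global_policy
 class WEB_CONN
  set connection conn-max 2000 embryonic-conn-max 200 per-client-embryonic-max 20
!
! --- IOS: IP options ---
! Either drop everything carrying IP options globally...
ip options drop
! ...or drop selectively; only a NAMED extended ACL can match the option header
ip access-list extended NO_OPTIONS
 deny   ip any any option any-options
 permit ip any any
!
! --- IOS: Virtual Fragment Reassembly on the untrusted interface ---
! Limits bound the memory an attacker can tie up with tiny/overlapping fragments
interface FastEthernet0/0
 ip access-group NO_OPTIONS in
 ip virtual-reassembly max-reassemblies 64 max-fragments 32 timeout 5 drop-fragments
!
! Verification
show ip virtual-reassembly FastEthernet0/0
```

On the ASA, `show service-policy` shows the embryonic counts per class; once `embryonic-conn-max` is reached the ASA proxies the handshake (SYN cookies) instead of passing SYNs to the server, which is the connection-limit behaviour the notes refer to.
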
Lab point estimate


ASA – 12 points

IOS FW – 3-6 points

VPN– 4 VPNs, DMVPN/GETVPN is probably a troubleshooting task – 15 points

IPS – 8-10 points

Attacks – 10 points

Adv Sec – 10 points

AAA – 8 points

Control-plane – 4-6 points

DMVPN / GETVPN comparison

  DMVPN                             GETVPN
  Tunnel to hub                     Tunnel-less
  Support multicast                 Support multicast
  One logical tunnel interface      No logical interface
  Crypto map or tunnel protection   Crypto map
  Hub                               Key Server
  ISAKMP UDP 500                    GDOI UDP 848

All the fun stuff!

IPS

Different modes

- Promiscuous
  o Catch traffic out-of-path
  o SPAN (monitor) port or RSPAN
  o Only return traffic from IPS is TCP resets
  o Possible to define multiple VLANs, traffic can be dot1q tagged
- Inline
  o Passing traffic through the device
  o Bridging between 2 VLANs
    - VLAN pairs
    - Trunk to IPS
  o Interface pairs
    - Switch config having 2 access ports

Setup

- CLI basic parameters
  o IP address and Gateway
    - host-ip IP/subnet.gw
  o ACL for allowing access
  o User
    - Service, only CLI
    - Viewer, GUI view
    - Operator, some configuration
    - Admin = full config
- VLAN groups: group VLANs together as 1 side
- Traffic bypass mode
  o Auto = bypassed if engine or device stops
  o On = always bypassed
- Missed packet = faulty port, congested port
- Interface Idle = no packets coming in and generate event
- Be familiar with Engines
  o Atomic IP = IP packet
- Swap Attacker Victim
  o Return traffic
- Summarization
  o Fire Once = Fire event once
  o Fire All = Every packet fires signature
  o Summarize = At intervals, summarize events
  o Global Summarize = Same at interval
  o Fire All is easiest way to see every event
- Signatures need to be enabled!!! Disabled by default
  o Retired needs to be No
- Manual Signatures
  o Select 1 or multiple actions
  o Select Direction of traffic (placement of IPS)
  o Fidelity differs per medium
  o Don't get too fancy on Regular Expressions as they can be different and not all rules apply on the IPS
- Drop traffic based on risk rating is on by default, people forget to disable it
- Target Value Rating (TVR)
  o Up to mission critical
  o It's factored in the risk rating
- Subtract a specific action for a specific signature/attacker/victim
  o Override always overrides!
- Miscellaneous features, attacker duration
- IPS can push ACLs to devices (IOS, ASA, Cat 6k)
  o Configured under Blocking properties
  o Can apply an ACL pre-block and post-block
  o After event fired a post-block is applied to the device
  o ACLs need to be pre-configured on the device!! IPS applies the name to the interface
  o On monitoring page a manual block can be applied

IOS IPS

- Enable IPS
- Load signatures
- Load ifconf
- Not too much to adjust, limited features

Control Plane Policing

- Control-plane handles control traffic
  o Virtual interface for all traffic hitting the router
  o Management, SNMP, Syslog, HTTP, SSH, Telnet
  o Routing protocols
  o ICMP
- Subinterface under control-plane: host/transit/cef-exception
  o Falls under Control-Plane Protection
  o Once IP options are set in a packet, traffic is handled by the control-plane even if it's transit traffic!
- Control-plane host
  o Port filter
    - Can only be applied inbound
    - Early dropping of packets
    - MQC type port-filter
  o Queue-threshold sets queues for specific control-plane protocols, once queue is full, traffic dropped
    - MQC type queue-threshold
  o Anything else falls under host-protocols
  o Able to get additional logging for control-plane traffic
    - MQC type logging
- CoPP takes precedence over other filtering

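Added example, not from the original notes: CoPP on the aggregate control-plane interface (routing protocols never policed, management and ICMP rate-limited, everything else tightly limited) plus the two CPPr host-subinterface policies the notes list, a port-filter that drops packets to closed ports and a queue-threshold for BGP. Management subnet 10.0.0.0/24, ACL names and rates are assumptions.

```cisco
! Classify what the route processor should accept
ip access-list extended COPP_ROUTING
 permit ospf any any
 permit eigrp any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended COPP_MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended COPP_ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP_ROUTING
 match access-group name COPP_ROUTING
class-map match-all COPP_MGMT
 match access-group name COPP_MGMT
class-map match-all COPP_ICMP
 match access-group name COPP_ICMP
!
! Routing is measured but never dropped; management and ICMP are capped; the rest is squeezed
policy-map COPP
 class COPP_ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class COPP_MGMT
  police 128000 conform-action transmit exceed-action drop
 class COPP_ICMP
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! CPPr port-filter: drop early anything addressed to a TCP/UDP port nothing listens on
class-map type port-filter match-all CLOSED_PORTS
 match closed-ports
policy-map type port-filter PORT_FILTER
 class CLOSED_PORTS
  drop
!
! CPPr queue-threshold: bound the number of queued BGP packets toward the host subinterface
class-map type queue-threshold match-all BGP_QUEUE
 match protocol bgp
policy-map type queue-threshold QUEUE_LIMITS
 class BGP_QUEUE
  queue-limit 100
!
control-plane host
 service-policy type port-filter input PORT_FILTER
 service-policy type queue-threshold input QUEUE_LIMITS
!
! Verification: per-class conformed/exceeded counters
show policy-map control-plane
show policy-map type port-filter control-plane host
```

Order the classes from most trusted to least: a SYN flood toward port 179 from a non-peer still lands in `COPP_ROUTING` with this ACL, so in a real deployment the BGP lines would be narrowed to the configured peers.
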
Flexible Packet Matching

- ACL on steroids
- Match raw traffic, protocols, regex, offset, headers
- class-map type access-control or class-map type stack
- policy-map type access-control
- NOT looking at flows or state information, just raw traffic
- load protocol system:fpm/phdf/<>.phdf
- Stack is building protocol stack
- Access-control is matching on specifics in headers
- Affects CPU and could crash the router when configured wrong!!
- Policy-map for access-control class-maps always nested to stacks
- When a loaded protocol is removed from the configuration any reference to it will be removed from the configuration.

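Added example, not part of the original notes: a complete FPM policy showing the nesting the notes describe, a stack class-map that walks IP then TCP, an access-control class-map that matches a header field plus a payload regex, and the access-control policy nested under the stack class. The destination port, the pattern "EVILPATTERN" and the interface are constructed for the example.

```cisco
! Load the protocol header definition files (PHDFs) for the stack we want to walk
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/tcp.phdf
!
! Stack class-map: IP whose protocol field is 6, then parse TCP
class-map type stack match-all IP_TCP
 match field IP protocol eq 6 next TCP
!
! Access-control class-map: header field plus a regex over the first 256 bytes of TCP payload
class-map type access-control match-all EVIL_PAYLOAD
 match field TCP dest-port eq 8080
 match start TCP payload-start offset 0 size 256 regex "EVILPATTERN"
!
! Inner policy: what to do with the matched packets
policy-map type access-control DROP_EVIL
 class EVIL_PAYLOAD
  drop
!
! Outer policy: the access-control policy is always nested under a stack class
policy-map type access-control FPM_POLICY
 class IP_TCP
  service-policy DROP_EVIL
!
interface FastEthernet0/0
 service-policy type access-control input FPM_POLICY
!
! Verification
show protocols phdf ip
show policy-map type access-control interface FastEthernet0/0
```

Keep the `size` small and the regex anchored: every packet that reaches the interface is run through the pattern in software, which is the CPU impact the notes warn about.
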
SNMP

- First SNMP community strings, only security was ACL for source
- SNMP views
  o Give access to specific branches of the tree
- SNMP version 3
  o Different security levels: noAuthNoPriv, AuthNoPriv, AuthPriv
    - No authentication no encryption; authentication no encryption; authentication and encryption
  o Authentication MD5, SHA1; Encryption DES, 3DES, AES
  o Groups have common security model, users have different credentials within a single group
  o Users linked to groups, groups linked to views, views linked to SNMP objects
  o SNMP users NOT stored in configurations
  o show snmp user shows the configured users

RMON

- Custom logs and traps when certain SNMP values reach thresholds
- rmon ? shows you enough information

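Added example, not from the original notes, for the SNMPv3 and RMON passages above: a view limited to two MIB branches, a group at the AuthPriv level bound to that view and a source ACL, a user in that group, and an RMON alarm/event pair that logs and traps on rising input errors. The management subnet, names, passwords and thresholds are assumptions.

```cisco
! Who may poll at all
access-list 10 permit 10.0.0.0 0.0.0.255
!
! View: only the system and interface branches of the tree
snmp-server view IFVIEW system included
snmp-server view IFVIEW ifEntry included
!
! Group: security model v3, level priv (= AuthPriv), read-only through the view, source ACL
snmp-server group NMSGROUP v3 priv read IFVIEW access 10
!
! User: SHA authentication, AES-128 privacy. This line is NOT kept in the running-config;
! the credentials live in the SNMP engine, which is why "show snmp user" is the check
snmp-server user nmsuser NMSGROUP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd access 10
!
show snmp user
show snmp group
!
! RMON: event 1 logs and traps, event 2 only logs; alarm 1 samples ifInErrors of ifIndex 1
! every 60 s as a delta and fires event 1 when the delta rises past 10, event 2 when it falls to 1
rmon event 1 log trap public description "Input errors rising" owner config
rmon event 2 log description "Input errors normal" owner config
rmon alarm 1 ifInErrors.1 60 delta rising-threshold 10 1 falling-threshold 1 2 owner config
!
show rmon alarms
show rmon events
```

If the group is created with `noauth` or `auth` instead of `priv`, a user configured with a privacy key still only gets the group's level: the group's security level is the ceiling for everyone in it.
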
NetFlow

- Flow monitor
- show flow monitor

Accounting

- IP accounting
- show ip accounting

Classification ACL

- Specify a bunch of permits in an ACL, you can see on the hits what happens on the network (syn, fragments, traffic types)

Misc

- Capture on ASA, see live traffic (real-time or logging)
- packet-tracer = test traffic flows, what will be done with it

Layer 2 Security

- Port-security
  o Default is go to err-disable
  o Restrict is send SNMP/Syslog message
- Things that use more than 1 MAC
  o HSRP, Contexts, Redundant interface
  o Trunk, Bridges <- Transparent ASA, Inline IPS
  o Phones, VMware
- Static CAM entries can go to null0 interface
- Storm-control level is percentage of negotiated bandwidth
- Protected ports, deny ports in same vlan talking to each other on 1 switch
- VACLs never deny implicit ARP and CLNS traffic
- Private VLANs
  o Require transparent VTP mode
  o Similar to secondary VLAN tag

EtherType 0x806 is ARP

Here are my notes from today:

GETVPN

- Tunnel-less, original IP header goes through the network
- UDP 848 = GDOI, Protocol 50 = ESP
- The whole network needs to know encrypted subnets, as original header is preserved
- Create a key-server
  o Responsible for maintaining policies
  o Keeping track of things
  o GDOI messages to create, maintain and delete SAs
- Group Member
  o End device doing the encryption, registers with key server
  o Group member sends request (register) to key server and authorizes
  o Key server pushes policies to group member
  o All registration traffic is UDP 848
  o Key server only needs access to group members, doesn't need to know remote subnets
  o Key server handles re-keying, traffic from KS to GM
  o Allow UDP 848 in both directions
  o Unicast and multicast re-keying
    - Multicast needs to be enabled for multicast re-keying
- Configuration for KS
  o ISAKMP Policy needed, Keys for any KS and GM, Transform set, IPsec profile for attaching transform set
  o GDOI group configuration
    - Identity and rekey parameters
    - SA definition (ACL)
      - Allow both directions in ACL, to encrypt it
      - Can be 10/8 to 10/8 to encrypt all traffic
    - Address of key servers
    - Bind IPsec profile
- GM configuration
  o GDOI group with identity and KS address
  o Crypto map applied with group
  o ISAKMP keys for KS only
- Single SPI for both encryption and decryption (same ACL)
  o DMVPN has different SPI for EVERY direction
  o GETVPN has 1 SPI for all communication
- Key Encryption Key = KEK and Traffic Encryption Key = TEK
  o Both handed out by the key server
- Key-server determines proxy IDs (ACL)
- KS holds ALL settings for GDOI group, GM only specifies server address
- Key-pair needs to be generated BEFORE configuration
  o Only see that after SA timeout
- After re-key a new SPI is generated (Same inbound/outbound)
- Configuration is NOT replicated between redundant key servers
  o Make sure ACL is the same on both KSs
- On GMs possible to configure traffic exclusion ACL on crypto map
  o Permit ip any any at the end falls back to KS ACL

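Added example, not from the original notes: a minimal GETVPN key server and group member configuration following the order the notes give (ISAKMP policy and keys, transform set, IPsec profile, GDOI group with identity and rekey parameters, SA definition from an ACL, KS address, then the GM's crypto map). WAN addresses 172.16.0.1 (KS) and 172.16.0.2 (GM), the group identity 1234, key label and pre-shared key are constructed values.

```cisco
! ===== Key Server (172.16.0.1) =====
! RSA pair for rekey authentication must exist BEFORE the group is configured (exec mode):
!   crypto key generate rsa general-keys label GETVPN_KEY modulus 1024
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Any GM may register; a wildcard key is used here for brevity
crypto isakmp key GetvpnKey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile GDOI_PROF
 set transform-set TS
!
! Traffic to protect: both directions are covered because source and destination are the same range
ip access-list extended GETVPN_ACL
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN_KEY
  rekey transport unicast
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GDOI_PROF
   match address ipv4 GETVPN_ACL
   replay counter window-size 64
  address ipv4 172.16.0.1
!
! ===== Group Member (172.16.0.2) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Key only for the KS; the GM never talks ISAKMP to other GMs
crypto isakmp key GetvpnKey address 172.16.0.1
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 172.16.0.1
!
crypto map GM_MAP 10 gdoi
 set group GETVPN
!
interface Serial0/0
 ip address 172.16.0.2 255.255.255.0
 crypto map GM_MAP
!
! Verification
! KS: show crypto gdoi ks members ; show crypto gdoi ks policy
! GM: show crypto gdoi ; show crypto gdoi gm acl ; show crypto ipsec sa
```

Note the GM carries no transform set, no ACL and no peer list of its own: everything it shows under `show crypto gdoi gm acl` was pushed by the KS, which is the point the notes make about the KS holding all settings.
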
AAA

- Minimal information needed on ACS for user = username/password
- Shared Components = share things between users and groups
- Also choose for Submit+Apply, else services have to be restarted
- Interface Configuration = Interface for ACS, what items are available
  o Leave protocol field blank when adding services
  o Dot1x = 64,65,81 RADIUS attributes
  o Need a RADIUS client for other types configured, before options become available for configuring cisco-av-pair stuff
  o When configured IETF, then NO av-pair is pushed, make sure configured as CISCO type
  o Per-user RADIUS attributes disabled by default!
  o No LDAP or Windows AD now in the lab and no plans for adding
  o External Databases can be asked to be configured (fake DB)
  o When configuring users, watch order of operation
    - Configure password before privilege level, else not applied

AAA authorization = command authorization

- Exec = shell session
- Commands = privilege level 0-15, need to match on ALL levels to allow all commands, only 15 is not enough
- Command authorization only available through TACACS+
- aaa authorization complies to order, so servers can be preferred over locally configured username privilege command

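Added example, not from the original notes: an IOS AAA configuration for TACACS+ command authorization and accounting covering levels 0, 1 and 15 as the notes require, with local fallback so a lost server does not lock out the console. The server address 10.0.0.50, shared key, group name and local user are assumptions.

```cisco
aaa new-model
!
tacacs-server host 10.0.0.50 key TacacsSecret
aaa group server tacacs+ ACS
 server 10.0.0.50
ip tacacs source-interface Loopback0
!
! Login and enable: ACS first, then local / enable secret when no server answers
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
!
! Exec (shell) authorization sets the privilege level the server returns
aaa authorization exec default group ACS local
!
! Command authorization per level; "15" alone does not cover show/enable commands that sit at 0 or 1
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 15 default group ACS local
aaa authorization config-commands
!
! Accounting mirrors the same levels
aaa accounting exec default start-stop group ACS
aaa accounting commands 0 default start-stop group ACS
aaa accounting commands 1 default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! Local fallback account; the "local" method above consults this database
username admin privilege 15 secret LocalFallback
!
line vty 0 4
 transport input ssh
!
! Verification / troubleshooting
show tacacs
debug aaa authorization
debug tacacs
```

Keep a console session open while testing: with `local` listed after the server group, a reachable ACS that answers "deny" is final, and the local user only helps when the server is unreachable.
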
AAA accounting

- Same privilege (command) levels

Lock-n-Key, login to device, dynamic ACL entry, activated when authenticated.

- Impossible to derive specific commands, all dynamic entries are activated when any user is logged in

Auth-proxy way more specific

- HTTP, user opens browser and logs in
- Configuration:
    ip auth-proxy name XYZ http
    interface Fa0/0
     ip auth-proxy XYZ
- On ACS, enable auth-proxy
    priv-lvl=15
    proxyacl#1=permit tcp any any
    proxyacl#2=permit icmp any any
- Using RADIUS
    cisco-avpair = "auth-proxy:priv-lvl=15"
- Source 'any' is replaced with host address of user
- AAA in place
- Only works with the default AAA authentication list
- HTTP server needs to be enabled (could be default)
- HTTP to the router interface pops up GUI, needs to be traffic THROUGH the router to pop up auth-proxy

Cut-through proxy on ASA

- Similar to auth-proxy on IOS
- Traffic going through the firewall to match it
- Configure ACL to specify what traffic to look at
- AAA configured (aaa-server (outside) host)
- aaa authentication match ACL inside AAASERVER
- Only to use for Telnet, FTP and HTTP, as those are the only ones that are matched through the box
- Can use a virtual address
    virtual telnet/http 10.10.10.15
  o ACL can then match other traffic
  o Then telnet/http to the box and authenticate to enable ACL
- When ACL is restrictive on the outside, a per-user-override can be entered so the ACL still matches and gets ACL entries pushed back and enables those on the OUTSIDE_IN ACL.

With privilege command, move around commands

- Authorization/Accounting depends on the level of the command, user level doesn't matter
- show run only shows you the items you are allowed to configure

Role Based CLI

- parser view one
    secret <secret>
    commands exec include show clock
- parser view two
    commands exec include show interface
- parser view three superview
    secret <secret>
    view one
    view two
- Root view, pre-defined name
  o Full access to device
  o Requires AAA!
  o enable view <view>, nothing = root view
  o Is smart, adds config t or enters full commands automatically
  o username <bla> view root/one/two <- automatically enables view

Documentation

- 4 Configuration Guides with LOTS of examples available
  o Secure Connectivity = VPN
  o Control Plane =
  o Data Plane = Flexible Packet Matching and Firewalling
  o User Services = AAA, auth-proxy

ASA labs

Question: NOT possible to specify ICMP types in policy NAT, no matches!

Answer: True, not matched against packet types, only protocols, doesn't even work with static NAT.

BGP with authentication in ASA (TCP option 19), traffic allowing is usually not needed as it's allowed from higher-to-lower interfaces and state table would allow return traffic. After allowing TCP Option 19 an 'invalid MD5' message is shown on the BGP peer. This is caused by sequence number randomization.

By default TCP Options are cleared out on the ASA!!!

Allow BGP traffic in ACL

tcp-map BGP
 tcp-options range 19 19 allow
!
class-map BGP
 match access-list BGP_R1_R5
!
policy-map global_policy
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options BGP

(class BGP sits under the policy-map that is applied to the interface or globally; the default global_policy is used here.)

IOS Firewall labs

Question: All packets contain their own routing information???

Answer: no ip source-route

Zone Based Firewall

Problems with CBAC

- Misconfigured ACL
- Breaking sections

Zone Based Firewall Changes

- Be aware of traffic flows!
- Draw out traffic flows, take notes what is allowed where, could easily break earlier sections
- Addition of a logical layer meaning zones
- Group interfaces together
- Not necessary to configure ALL interfaces in a zone

Default Behaviors

- Zones configured BEFORE interfaces assigned (more configuration checks)
- Interface can be part of a single zone
- Traffic to and from an interface is blocked
- Traffic to and from the same zone between interfaces is allowed
- Traffic from a zone to a router interface address is allowed by default
- Traffic between zones needs an inspect policy
- Traffic to the 'self' zone is always allowed (self = router interfaces)
- Traffic can NOT flow between zone interface and non-zone interface
- Non-zone interfaces are considered 'classical'
- Pass action = let the traffic pass
- Inspect action = Inspect session, create state table, allow return traffic
- Drop = drop packets

Configuration

- Class-map to match traffic
- Policy-map to match class and define actions
- Define zones
- Define zone-pair (source, destination)
- Service-policy to attach a policy to a zone-pair
- Assign interface to zone

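Added example, not from the original notes: the six ZBF configuration steps above carried out in order for one inside-to-outside policy that inspects web, DNS and ICMP and drops (with logging) everything else. Zone names, class/policy names and interfaces are assumptions.

```cisco
! 1. Class-map to match traffic (match-any: any of the listed protocols)
class-map type inspect match-any INSIDE_TO_OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 2. Policy-map: inspect the class, drop and log the rest
policy-map type inspect IN_OUT
 class type inspect INSIDE_TO_OUTSIDE
  inspect
 class class-default
  drop log
!
! 3. Define zones BEFORE any interface refers to them
zone security INSIDE
zone security OUTSIDE
!
! 4. Zone-pair is directional: source INSIDE, destination OUTSIDE
! 5. Service-policy attaches the inspect policy to the pair
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN_OUT
!
! 6. Assign interfaces last. From this moment OUTSIDE -> INSIDE has no zone-pair and is dropped,
!    except return traffic of inspected sessions
interface FastEthernet0/0
 zone-member security INSIDE
interface Serial0/0
 zone-member security OUTSIDE
!
! Verification
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Nothing here touches the `self` zone, so routing protocol and management traffic to the router's own addresses keeps flowing; a zone-pair with `self` as source or destination is only needed when that traffic must be restricted.
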
IPSEC VPN

IKE

- UDP 500 for both source and destination
- Main Mode
  o 6 messages
  o Hides party identities
- Aggressive mode
  o 3 messages
  o Does not hide the party identity
- Pre-shared keys
- RSA-signatures, little more confusing
- RSA nonces (IOS only) (locally generated keys)
- ISAKMP SA
  o Authentication
  o Encryption
  o Hash
  o DH-group (longer key lengths)
    - IOS 1 is default
    - ASA 2 is default
  o Lifetime
- IPSEC SA
  o Encryption (AH/ESP), transform-set
  o Proxy identities (ACL mirrored on both sides)
  o Rekeying, affects CPU, shorter = more secure, can include PFS, which generates a new DH key
  o In the Security lab almost always ESP is used
  o AH
    - IP Protocol 51
    - Origin and Integrity
    - Only header authentication
    - NO ENCRYPTION
    - IPv6 OSPFv3 uses AH for neighbor authentication
  o ESP
    - IP Protocol 50
    - Origin, Integrity, Authentication, Anti-replay, Encryption!!
- Tunnel vs Transport mode, tunnel is additional IP header, transport is encrypting payload
- Going through NAT transport mode is preferred
- MTU and fragmenting could cause issues
- ISAKMP can fall back to default policy (different on IOS and ASA)
- Crypto map applied to egress interface <- Different paths are possible
- Lots of things can go wrong with VPN configurations
- Possible to configure 'wildcard' PSK with 0.0.0.0 address
- Requirements <- Tends to go wrong a lot
  o Route to peer
  o Route to remote (encrypted) subnet
  o Interesting traffic flowing
- Phase 1 debug: debug crypto isakmp
  o When successful, state is QM_IDLE
  o ISAKMP enabled by default on IOS, disabled on ASA
  o Check crypto map (correct interface or even applied)
  o Check routing information, physical links, interesting traffic
  o Logging turned on and at correct level
  o Forgetting ISAKMP policy configuration
  o Missing/wrong key
  o Asymmetric routing
  o Certificate problems or communication to CA
  o Blocked traffic in the path, watch return traffic!
- Phase 2 debug: debug crypto ipsec
  o show crypto ipsec sa
    - Newer versions of IOS will always show pre-populated info
    - Watch encrypted/decrypted packets
    - Watch SPI information
    - What are you seeing? Both sides need to be the same

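Added example, not from the original notes: one side of an IOS site-to-site crypto-map VPN with the three requirements the notes list (route to peer, route to the remote subnet, interesting traffic) made explicit, followed by the phase 1 / phase 2 checks. The peer's configuration mirrors it (ACL reversed, peer address swapped). Addresses 203.0.113.1/.2 on the WAN link, LANs 10.1.0.0/24 and 10.2.0.0/24, and the key are constructed.

```cisco
! Phase 1 (ISAKMP SA): both sides need a matching policy
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Site2SiteKey address 203.0.113.2
!
! Phase 2 (IPsec SA): transform-set, proxy IDs (mirrored on the peer), peer, optional PFS
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN_TRAFFIC
 remark local 10.1.0.0/24 -> remote 10.2.0.0/24 ; the peer has the reverse
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set pfs group2
 match address VPN_TRAFFIC
!
! Crypto map goes on the egress interface toward the peer
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
!
! Requirement: route to the remote (encrypted) subnet through the peer.
! The route to the peer itself is the connected /30 here.
ip route 10.2.0.0 255.255.255.0 203.0.113.2
!
! Verification: phase 1 state must be QM_IDLE, then packet counters on the phase 2 SA
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
```

If `show crypto isakmp sa` stays at MM_NO_STATE or shows nothing, the problem is before phase 2 (policy mismatch, key, or UDP 500 blocked on the path); if phase 1 is QM_IDLE but `#pkts encaps` grows while `#pkts decaps` stays at zero, the far side never sends back, which usually means a non-mirrored ACL or a missing return route there.
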
Certificates

- Setup a trustpoint (Mscep.dll)
- CRL (revocation) forced or optional, check with CA
  o Revocation check none or crl optional is the same
  o Lab focusing more on IOS CA than on Microsoft CA
  o Traffic to CA is another traffic flow! Watch for firewalls (port 80)
  o Synchronized time important! Needs to be same as CA
    - Manual or NTP (another traffic flow)
- Generate domain-name (doesn't need to match)
- crypto ca authenticate <trustpoint> (authenticate CA)
- crypto ca enroll <trustpoint> (enroll with the CA)

IOS CA

- crypto pki server <name>, grant auto, no shut
- http server enabled
- If router is used as CA and endpoint, needs to authenticate and enroll for itself

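Added example, not from the original notes: an IOS router acting as CA (SCEP over HTTP, auto-grant) and a second router enrolling with it over the trustpoint, in the order the notes give (time, domain name, RSA keys, authenticate the CA, enroll). CA address 10.0.0.1, hostnames, domain and issuer name are assumptions.

```cisco
! ===== CA router (10.0.0.1) =====
! SCEP enrollment rides on HTTP, so the server must be up
ip http server
crypto pki server IOSCA
 database level minimum
 issuer-name CN=IOSCA.lab.local
 grant auto
 lifetime certificate 365
 no shutdown
! "no shutdown" prompts for a passphrase and generates the server's own RSA pair
!
! ===== Enrolling router (R1) =====
! Time must match the CA, otherwise the issued certificate is "not yet valid" or "expired"
ntp server 10.0.0.1
hostname R1
ip domain-name lab.local
! exec mode, before the trustpoint is used:
!   crypto key generate rsa general-keys modulus 1024
!
crypto pki trustpoint IOSCA
 enrollment url http://10.0.0.1:80
 subject-name CN=R1.lab.local
 revocation-check none
!
! exec mode: fetch and verify the CA certificate, then request our own
!   crypto pki authenticate IOSCA
!   crypto pki enroll IOSCA
!
! Use it for IKE instead of a pre-shared key
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 group 2
!
! Verification
show crypto pki certificates
show crypto pki trustpoints
show crypto pki server
```

`crypto ca ...` and `crypto pki ...` are the same commands (older and newer keyword); `revocation-check none` is the "none or crl optional" case the notes mention, and a CA that is also a VPN endpoint additionally needs its own trustpoint that authenticates and enrolls against itself.
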
GRE

- GRE encrypted in IPsec
- Routes to remote subnets need to be routed through the tunnel
- Multicast support (Routing protocols)
- Can be member of a zone (firewall)

Static VTI (site-to-site)

- IPsec tunnel interface (tunnel mode ipsec ipv4)
- Less overhead, no GRE header
- Similar to DMVPN
- Multicast support (Routing protocols)
- Can be member of a zone (firewall)

Dynamic VTI (Remote Access)

- Logical endpoint for IPsec traffic to land
- Virtual-template configured with interface type tunnel
- tunnel mode ipsec ipv4 and configure IPsec profile
- Allows remote-access to be interface aware

IPsec profile

- Grouping of parameters
- Crypto map (match address, set transform-set, set peer)
- Being interface aware removes need of ACL (traffic on interface is encrypted), no peer needed (could be multiple)
- Bound transform-set to an IPsec profile (only remaining item)

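Added example, not from the original notes: an IPsec profile used twice, once on a static VTI (site-to-site, routing decides what is encrypted, no crypto ACL or peer in the profile) and once on a dynamic VTI virtual-template that accepts any peer through an ISAKMP profile. Peer 203.0.113.2, tunnel addressing 10.255.0.0/30, EIGRP AS 100, keyring and key are assumptions.

```cisco
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! The profile holds only the transform-set: no match address, no set peer
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile VTI_PROF
 set transform-set TS
!
! ===== Static VTI toward one known peer =====
crypto isakmp key VtiKey address 203.0.113.2
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
! Whatever is routed into Tunnel0 gets encrypted; multicast (EIGRP) included
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.0.255
 no auto-summary
!
! ===== Dynamic VTI: a virtual-access interface is cloned per peer that lands here =====
crypto keyring DVTI_KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key DvtiWildcardKey
crypto isakmp profile DVTI_PROF
 keyring DVTI_KEYS
 match identity address 0.0.0.0
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
! Verification
show crypto ipsec sa
show interfaces tunnel 0
show interfaces virtual-access 1
```

Because the VTI is a real interface, `zone-member security` and `service-policy` apply to it like to any other interface, which is the "interface aware" property the notes contrast with crypto maps.
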
IPSEC HA

- Use loopbacks to overcome link-failures or device-in-the-middle failures
- Multiple peers or HSRP to overcome endpoint device failure
- Dynamic routing (tunnel interfaces), so rerouting can occur
- Even possible to do stateful failover

QoS

- QoS matching on encrypted traffic (ESP/AH/GRE)
- QoS matching on unencrypted traffic (based on original source packet)
  o qos pre-classify on crypto map, virtual-template or tunnel
  o Matching done on original source packet values
  o Set bandwidth or set DSCP

ISAKMP key encryption

- Reversible type 6 (AES encryption)
- password encryption aes
- key config-key password-encrypt (specify key)
- Username/passwords still at type 7 encryption, only ISAKMP keys type 6

Certificate maps

- Additional restrictions on device name, date, serial number
- Certificate Based Access Control
- Can ignore CRLs!!
- Configuration:
    crypto pki certificate map TEST 10
     name eq/contains/gt/lt router.cisco.com
    crypto pki trustpoint TRUSTPOINT
     match certificate TEST
- match certificate TEST allow expired-certificate / skip revocation-check
- Want to allow that to reach CA to renew certificate once it's expired

Fragmentation

- Clear DF bit, possible to remove DF bit on IPsec traffic
- crypto ipsec df-bit clear/set/copy (global or per interface)
- Fragmentation before or after encryption (global or per interface)
- crypto ipsec fragmentation before-encryption/after-encryption
- In most cases before-encryption fragmentation is better; some Ethernet end hosts don't support reassembling correctly, so better to let the VPN routers do it.

Anti-replay

- Keep track of sequence numbers, default window of 64
- Possible windows of 64 to 1024 (exponential values)
- Anything outside of the window is dropped
- crypto ipsec security-association replay disable / replay window-size <size>
- Under crypto map: set security-association replay window-size <size>

ASA IPsec config

- ACLs as IOS
- ISAKMP Policy also processed by number
- Tunnel-type
  o tunnel-group <peer> type ipsec-l2l/ipsec-ra
  o tunnel-group <peer> ipsec-attributes for authentication
- isakmp enable <- Not enabled by default
- crypto map <name> interface <- apply crypto map
- IPsec is subject to firewall rules!!
  o sysopt connection permit-vpn <- enabled by default
- Keep in mind debugging level, default is 1, pick something (127)

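Added example, not from the original notes: the ASA (8.0-style) side of a LAN-to-LAN tunnel following the checklist above, ISAKMP enabled on the interface, policy by number, tunnel-group of type ipsec-l2l with the key under ipsec-attributes, crypto map applied to the interface, NAT exemption, and debugging at a useful level. Peer 203.0.113.2, LANs 10.1.0.0/24 (inside) and 10.2.0.0/24 (remote) and the key are constructed.

```cisco
! ISAKMP is off by default on the ASA; enable it on the interface that terminates the tunnel
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Interesting traffic, mirrored on the IOS peer; ASA ACLs use subnet masks, not wildcards
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set TS
crypto map OUTSIDE_MAP interface outside
!
! Peer identity and authentication
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key AsaL2lKey
!
! Do not translate the VPN traffic (nat 0 = exemption)
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Default, shown for completeness: decrypted traffic bypasses interface ACLs
sysopt connection permit-vpn
!
! Debug level 1 shows almost nothing; 127 shows the exchange
logging enable
logging buffered debugging
debug crypto isakmp 127
show crypto isakmp sa
show crypto ipsec sa
```

With `no sysopt connection permit-vpn`, the outside ACL must explicitly permit 10.2.0.0/24 to 10.1.0.0/24 or the decrypted packets are dropped as if they had arrived in the clear, which is the "IPsec is subject to firewall rules" point in the notes.
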
DMVPN

- On-demand full mesh IPsec tunnels
- Multipoint GRE tunnel interface
- Next Hop Resolution Protocol (NHRP)
  o Hub is server, spokes are clients
  o Client registers public and tunnel IP address to server
  o Clients query server about public IP of other client
- Cryp�to profile, since only transform-set needs to be specified (no peer needed, as there are many)
  o Can be applied to multiple interfaces with 1 command
  o Phase 1 still necessary with wildcard PSK or CA
- Spokes having static connection to hub
- Spokes learn subnets of other spokes with IGP
- Spoke-to-spoke connectivity set up when needed
- NHRP dynamic multicast mapping on hub, so multicast is replicated to all reporting spokes
- ip nhrp map multicast <hub public IP>
- ip nhrp map <hub public IP> <hub tunnel source>
- ip nhrp nhs <hub public IP>
- tunnel protection ipsec profile <- command to bind IPsec profile to tunnel interface
- show ip nhrp <- verify NHRP resolution
- EIGRP has split-horizon issue, advertisements not sent out same interface as received on
- EIGRP also has next-hop issue. Sends all updates out with itself as next-hop. With exceptions (no ip eigrp next-hop-self)
- Recursive routing <- Learning public address through tunnel
  o ONLY tunnel and encrypted subnets need to be in new IGP, public address should NOT be advertised through the tunnel
  o No redistribution!
  o Possible troubleshooting scenario
- OSPF has DR/BDR issue, DR needs to be the Hub, Spokes Prio 0
  o OSPF Point to point NOT going to work
  o OSPF Point to Multipoint advertises /32s
  o OSPF Broadcast / non-broadcast have DR election, but don't have /32
  o Non-broadcast requires neighbors
- Tunnel interface has default 9k or 100k bandwidth
- Phase 1 = Hub to Spoke tunnels
  o Static
- Phase 2 = Spoke to Spoke tunnels
  o Dynamic
- Phase 3 = Modifying NHRP entries, ip nhrp redirect and ip nhrp shortcut
  o Static entry for the hub and dynamic entries for spokes
  o P3 is dynamic entries for remote subnets
  o In phase 3, next-hop information is not relevant
  o Hub can push summaries out, NHRP resolves more specific
  o Build multi-tier setups
- ip nhrp interest <ACL>
  o Restrict certain traffic to build a spoke-to-spoke tunnel
  o Make sure this configuration is the same (mirrored) on spokes as it could cause asymmetric routing/tunnels
- DMVPN Groups
  o ip nhrp group A
  o Apply QoS policies on specific connections to different spokes

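Added example, not from the original notes: a phase 2 DMVPN hub and one spoke with EIGRP, showing the commands the notes list (NHRP maps, nhs, dynamic multicast mapping, tunnel protection) together with the two EIGRP fixes (split horizon and next-hop-self) and the recursive-routing guard (public address reached only via the underlay). Hub NBMA 203.0.113.1, spoke NBMA 198.51.100.2 with gateway 198.51.100.1, tunnel subnet 10.255.0.0/24, network-id, tunnel key and keys are constructed.

```cisco
! ===== Common to hub and spokes =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! Wildcard PSK: the hub does not know the spoke addresses in advance
crypto isakmp key DmvpnKey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set TS
!
! ===== Hub (NBMA 203.0.113.1) =====
interface Tunnel0
 bandwidth 1000
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NhrpKey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROF
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
 no auto-summary
!
! ===== Spoke (NBMA 198.51.100.2) =====
interface Tunnel0
 bandwidth 1000
 ip address 10.255.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NhrpKey
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROF
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.2.0.0 0.0.0.255
 no auto-summary
! The hub's public address must never be learned through the tunnel (recursive routing):
! only the underlay default route reaches it
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification
show ip nhrp
show dmvpn
show ip eigrp neighbors
```

Without `no ip next-hop-self eigrp 100` on the hub, spokes see every other spoke's subnet with the hub's tunnel address as next hop and all spoke-to-spoke traffic keeps hairpinning through the hub, even though the NHRP side is healthy.
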
My notes from day 1:

OEQ

- 30 minutes
- 4 questions
- 3 correct
- 5/6 words max
- 21 points
- No access to documentation
- If you are working with it, should be doable
- Example: Looking at output, was it main mode or aggressive mode?
- Example: How many shared interfaces between contexts? 1
- Example: What features are not available in context or transparent mode?

Configuration / Troubleshooting

- 7h 30min
- 79 points, not made clear
- 60 needed to pass
- Troubleshooting questions included in the lab
- Example: VPN partially configured. 3 or 4 errors, could be VPN related or blocking the traffic flow in the middle
- DMVPN/GETVPN probably pre-configured but broken, since it's a lot of commands
- 1 or more diagram(s)
  o Physical L2
  o Logical L3
  o Tasks / Configuration items / Requirements
  o Terminal server settings
- Terminal Server for accessing consoles
  o Test PC = RDP
  o AAA Server = Browser port 2002
  o IPS GUI/CLI possible, CLI preferred
  o ASA ASDM is NOT possible, only CLI
- 4 switches are in the lab
- All devices can be pre-configured, routers/switches will have stuff pre-configured
- Plan is to have a separate troubleshooting section and may add IPv6 by the end of 2010 in the Security lab
- May not be allowed to save configs to flash in the lab

Working through the lab

- Draw own diagram of anything that can block your traffic
  o VPNs
  o Firewalls
  o ACLs
- Be selective on what you do after 2pm, read through the lab again and be careful about any major changes
- Security lab can break a lot of stuff along the way
- No 'core' sections, smaller sections like firewalling/VPN, more applications/features

Issues

- Crash/reload
- Mis-cabled
- Wrong IOS
- Errors on interface
- Be familiar with different versions and multiple ways of configuring stuff, it could change between versions. Be able to adapt to the situation

Verification

- Configured fine, but not verifying correctly
- Source traffic from the correct interface to generate interesting traffic
- Extra configuration is allowed as long as it doesn't break another section

Documentation

- Anything from the same ASA page is reachable
- Including configuration examples and TechNotes

ASA

- Not testing modules on the lab
- 8.x more IOS-like
  o nat-control disabled by default
  o Transparent firewall (L2 firewall)
  o Virtual Firewalls (context)
  o MPF = MQC like
    - Replacement for fixup
    - Now tiered structure
- Security-levels
  o 0 and 100 can NOT be configured for anything else than inside and outside
  o Task could be detailed, so wrong security-level could mark question wrong
  o Higher to lower traffic permitted (return traffic inspection needed)
  o Same-security-level traffic NOT permitted (can be enabled)
    - Intra-interface (same interface in and out)
    - Inter-interface (traffic between interfaces)
- Subinterfaces
  o vlan command
  o 802.1Q ALWAYS, no ISL possible
  o Lab will tell you if limitation on the switchport trunk configuration

Device initialization

Firewall Mode (routed/transparent)

Contexts (single/multiple)

Read through the lab in advance, since configuration conversion doesn't work 100% and requires a reload.

Not told in the lab. Depends on requirements of tasks to switch these features

Interfaces aren't pre-assigned a security level, depends on nameif

ASA 8.x has Redundant interfaces

- Interface failures
- Grouped together as 1 logical interface
- Ensure physical interfaces have the same settings on local and remote end
- Active interface is the one that is configured first, could change after reload, shouldn't matter though
- nameif inside defaults to 100, others to 0
- SSH requires RSA keys of 768 bits or higher
- ASDM NOT allowed in the lab
- Can't telnet to outside interface unless configured
- Can't telnet to the least secure interface, could be more than 1
  o Building IPsec tunnel to the outside would work around that

ASA Filtering

- Traffic from higher to lower is inspected
- All TCP & UDP traffic inspected by default, there are exceptions
- ICMP NOT by default
- Inspection via MPF
- Read lab thoroughly and ask for clarification about ICMP and pinging
- An ACL with any any is typically wrong, be as specific as possible
- NO wildcard mask, all subnet mask
- ACLs
  o Lab will not be explicit about all things, AAA can be on inside and you could have to authenticate stuff on the outside, this will not work and you have to configure an ACL
  o inspect ipsec-pass-thru, sysopt connection permit-vpn to allow VPN through or on the box respectively
  o Deny any any log for testing, take it off at the end of the day

Object-groups

show access-list shows every line, including grouped entries, shows all separate entries

show run access-list shows as configured with fewer lines due to groups

Fewest number of lines configured usually refers to object-groups, NOT to network masks

Newer IOS versions also support service and network objects.

Routing

Static, RIP, OSPF, EIGRP

BGP is supported, but not on the lab blueprint

Routing is probably pre-configured on routers, not on the ASA

Multi-context or transparent firewall does NOT support dynamic routing

NAT

nat 0 is exemption

Identity number to tie NAT to Global statement

nat-control = NAT everything, rule for any traffic

Require translation to pass traffic for different security-levels. Traffic between same-security interfaces not needed

- Static (from,to) to from
- Misc
  o Maximum connections
  o TCP Half-open connections
  o DNS rewrite
    - Need to change translated addresses in DNS packets
  o Sequence number randomization
    - By default it does, can be disabled
- Transparent Mode
  o Bump in the wire
  o Bridging between VLANs
  o Global IP address
  o nameif still required
  o Security-levels may be the same or different
  o When NO IP address is configured, traffic is not flowing
  o Default inspection still going on when sec levels different
  o Multiple ACLs on interface
    - 1 IP and 1 EtherType
  o EtherType ACL
    - By default IP and ARP is allowed, unless a specific block
    - Not required to allow spanning-tree traffic
- Tools
  o Capture traffic
    - Realtime, default log
    - Check ACL traffic
  o Packet-tracer
    - Check by inspection rules
- Contexts
  o VPN and dynamic routing NOT supported anymore
  o Allocate-interfaces
    - Could be given aliases, seen in the context
  o Admin context required! Can be any context, named anything
  o Config-file required! config-url to save configuration of context
    - When config-file is already on the disk, COULD use it in context, depends on the mode and setup
    - Point of attention in the lab! Things could be automatically there.
  o Resources can be applied, number of connections, etc.
    - Able to place this in classes (member to apply to context)
- Failover
  o Active/Active
    - Both devices handle traffic
    - Requires multiple context mode!!
  o Active/Standby
    - One device passing traffic
    - Not required to have multi context mode, possible though!
  o Failover-group
    - Which context is active on which device?
    - Primary/secondary keywords on local box, preemption with priority possible
    - join-failover-group under context config
  o Failover-link = Configuration and same status of device
    - failover lan
  o State-link = xlates, exchange connections and state
    - failover link
  o Using failover and state link as SAME interface
    - Use folink keyword in failover config
    - Subinterfaces
  o Secondary box only needs a failover link configured, even state link will be learned through the sync, only failover interface needs to be no shut

IOS Firewall

- Extensive matching on packets (extended ACL)
- Log options, log-input also logs L2 information (L2 for trans. FW)
  o Enable logging on level 6 Informational to see it
- Lock-n-Key
  o Access-list dynamic
  o User based (autocommand access-enable)
  o access-enable gives you NO CLI, just enables dynamic ACLs
  o 'host' keyword turns a 'permit ip any any' line into a host-specific one
- Reflexive ACLs
  o First stateful inspection
  o Outbound ACL has 'reflect' keyword on lines
  o Inbound ACL has 'evaluate <keyword>' above deny
  o Locally originated traffic not hitting outbound ACL, so routing protocols are not required to permit.
  o Only looking at state, not catching locally generated traffic
  o No RFC compliance check like with CBAC
- TCP intercept
  o Tracks half-open or embryonic connections
- CBAC
  o True inspection
  o Context Based Access Control
  o Checking RFC compliance
  o Includes TCP intercept features
  o Deep protocol inspection
  o Required to deny traffic coming in outside interface
  o Setup inbound on inside interface or outbound on outside interface
  o State table is inserted as ACL entries inbound on outside
  o Inspection rules matched starting on most specific!!
  o Things to watch for:
    - Traffic originated on the outside
    - Traffic originated/terminated on the router
    - router-traffic keyword behind inspect rules
- ip port-map and ip nbar port-map NOT the same
  o ip port-map used for IOS firewall and ZBF, NBAR = MQC
  o Differentiate default ports to another port
  o Option for a standard ACL, destination 'server' specified which uses that other port
  o On the nbar port-map multiple ports can be specified

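Added example, not from the original notes: the two stateful options above on one outside interface, written as alternatives (apply one or the other). Option A is reflexive ACLs with `reflect` outbound and `evaluate` inbound; option B is CBAC inspecting outbound on the outside interface with the `router-traffic` keyword so the router's own sessions are tracked too. Interface and names are assumptions.

```cisco
! ===== Option A: reflexive ACLs =====
! Outbound: each permitted session creates a temporary mirrored entry in the named reflexive list
ip access-list extended OUTBOUND
 permit tcp any any reflect TCPTRAFFIC timeout 300
 permit udp any any reflect UDPTRAFFIC
 permit icmp any any reflect ICMPTRAFFIC
 permit ip any any
!
! Inbound: evaluate the reflexive lists ABOVE the final deny
ip access-list extended INBOUND
 remark routing updates arriving from the neighbour still hit this inbound ACL
 permit ospf any any
 evaluate TCPTRAFFIC
 evaluate UDPTRAFFIC
 evaluate ICMPTRAFFIC
 deny   ip any any log
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
show access-lists
!
! ===== Option B: CBAC (replaces the interface stanza above) =====
! Inspection rule: generic TCP/UDP/ICMP state plus protocol-aware http/ftp; router-traffic
! makes sessions the router itself opens (e.g. its own telnet/ping) get state entries too
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW http
ip inspect name FW ftp
!
! Outside inbound ACL only permits what must originate outside; CBAC inserts the rest dynamically
ip access-list extended OUTSIDE_IN
 permit ospf any any
 deny   ip any any log
!
interface Serial0/0
 ip inspect FW out
 ip access-group OUTSIDE_IN in
!
show ip inspect sessions
show ip inspect config
```

With option A the router's own outbound sessions never pass the outbound ACL, so no reflexive entry is made for them and their replies are dropped by INBOUND; that is the gap the `router-traffic` keyword in option B closes.
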