Notes are here per day and date and they are in reverse order (stacked up)…
Happy reading ~
Network Attacks
VLAN Hopping
DHCP starvation
Control-Plane
IP Spoofing
SYN attacks
Network Scanning
Close services
Threat detection / shunning
Disabled Services
No ip finger
No ip bootp server
No cdp run /cdp enable
No ip proxy-arp
No ip redirects
No ip directed-broadcast (default)
No ip unreachables
Possible to rate-limit unreachables on IOS globally
Detection
IP Options
Attacks – 10 points
AAA – 8 points
DMVPN                               GETVPN
Tunnel to hub                       Tunnel-less
Support multicast                   Support multicast
One logical tunnel interface        No logical interface
Crypto map or tunnel protection     Crypto map
Hub                                 Key Server
ISAKMP UDP 500                      GDOI UDP 848
IPS
Different modes
Promiscuous
o Catch traffic out-of-path
o SPAN (monitor) port or RSPAN
o Only return traffic from IPS is TCP resets
o Possible to define multiple VLANs, traffic can be dot1q tagged
Inline
o Passing traffic through the device
o Bridging between 2 VLANs
o VLAN pairs: trunk to IPS
o Interface pairs: switch config having 2 access ports
Setup
Configured under Blocking properties
Can apply an ACL pre-block and post-block
After an event fires, a post-block is applied to the device
ACLs need to be pre-configured on the device!! IPS applies the name to the interface
On the monitoring page a manual block can be applied
IOS IPS
Enable IPS
Load signatures
Load ifconf
Not too much to adjust, limited features
ACL on steroids
Match raw traffic, protocols, regex, offset, headers
Class-map type access-control or class-map type stack
Policy-map type access-control
NOT looking at flows or state information, just raw traffic
Load protocol system:/fpm/phdf/<>.phdf
Stack is building protocol stack
Access-control is matching on specifics in headers
Affects CPU and could crash the router when configured wrong!!
Policy-map for access-control class-maps always nested to stacks
When a loaded protocol is removed from the configuration, any reference to it will be removed from the configuration.
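As an added example (not from the original notes), an FPM policy that drops TCP segments to one port whose payload starts with a constructed marker string; it shows the stack / access-control nesting described above. Names, the port and the marker are assumptions.

```cisco
! Added example, not from the original notes: FPM policy dropping TCP
! segments to port 8080 whose payload begins with the constructed marker
! "TESTMARK" (names, port and marker are placeholders for your own case).
!
! 1. Load the protocol header definitions the class-maps will reference.
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
!
! 2. Stack class-map: describes the protocol stack (IP carrying TCP).
class-map type stack match-all IP-TCP-STACK
 match field IP protocol eq 6 next TCP
!
! 3. Access-control class-map: matches header fields and raw payload;
!    no flow or state information is consulted.
class-map type access-control match-all TCP-8080-MARKER
 match field TCP dest-port eq 8080
 match start TCP payload-start offset 0 size 8 regex "TESTMARK"
!
! 4. Child policy carries the action; the parent nests it under the stack
!    class (access-control class-maps are always nested to a stack).
policy-map type access-control DROP-MARKER
 class TCP-8080-MARKER
  drop
policy-map type access-control FPM-PARENT
 class IP-TCP-STACK
  service-policy DROP-MARKER
!
! 5. Apply inbound. Test on non-production hardware first: a wrong FPM
!    policy loads the CPU and can crash the router.
interface GigabitEthernet0/0
 service-policy type access-control input FPM-PARENT
```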
SNMP
Originally SNMP had community strings only; the only security was an ACL on the source
SNMP views
o Give access to specific branches of the tree
SNMP version 3
o Different security levels: noAuthNoPriv, authNoPriv, authPriv
o No authentication and no encryption / authentication but no encryption / authentication and encryption
o Authentication MD5, SHA1; encryption DES, 3DES, AES
o Groups have a common security model, users have different credentials within a single group
o Users linked to groups, groups linked to views, views linked to SNMP objects
o SNMP users are NOT stored in the configuration
o show snmp user shows the configured users
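An added example (not from the original notes) tying the SNMPv3 pieces together: a view limited to two branches, a group at authPriv level bound to that view and a source ACL, and one user. Names, the ACL and the credentials are constructed placeholders.

```cisco
! Added example, not from the original notes: SNMPv3 view, group and user.
! Names, the ACL and the passwords are constructed placeholders.
!
! Source restriction, the only control the old community-string model had.
access-list 10 permit 192.0.2.10
!
! View: expose only the branches the monitoring station needs.
snmp-server view MON-VIEW system included
snmp-server view MON-VIEW interfaces included
!
! Group: security model (v3) and level (priv = auth + encryption) are
! common to the group; the view and the source ACL are bound here.
snmp-server group MON-GROUP v3 priv read MON-VIEW access 10
!
! User: credentials are per user and link the user to the group.
! SHA-1 authentication, AES-128 privacy.
snmp-server user monitor MON-GROUP v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
! Verify: the user is NOT written to the running-config, only shown here.
! show snmp user
! show snmp group
! show snmp view
```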
RMON
Custom logs and traps when certain SNMP values reach thresholds
Rmon ? shows you enough information
NetFlow
Flow monitor
Show flow monitor
Accounting
IP accounting
Show ip accounting
Classification ACL
Specify a bunch of permits in an ACL; from the hit counts you can see what happens on the network (SYNs, fragments, traffic types)
Misc
Layer 2 Security
Port-security
Default is go to err-disable
Restrict is send SNMP/Syslog message
Things that use more than 1 MAC
o HSRP, contexts, redundant interface
o Trunk, bridges <- transparent ASA, inline IPS
o Phones, VMware
Static CAM entries can go to the null0 interface
Storm-control level is a percentage of negotiated bandwidth
Protected ports: deny ports in the same VLAN talking to each other on 1 switch
VACLs never deny implicit ARP and CLNS traffic
Private VLANs
o Require transparent VTP mode
o Similar to secondary VLAN tag
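An added example (not from the original notes) for the port-security points above: an access port carrying a phone plus a PC, restrict instead of the default err-disable, storm-control as a percentage, and a protected port. Interface, VLANs and values are assumptions.

```cisco
! Added example, not from the original notes: port-security for a phone + PC
! port with restrict, storm-control and protected port. Values are placeholders.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Phone and PC: two MACs are legitimate on this port
 switchport port-security maximum 2
 ! restrict = drop offending frames and send SNMP trap / syslog;
 ! the default (shutdown) would put the port into err-disable
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Level is a percentage of negotiated bandwidth, not an absolute rate
 storm-control broadcast level 10
 ! No traffic to other protected ports in the same VLAN on this switch
 switchport protected
!
! Without this, restrict mode drops silently instead of notifying
snmp-server enable traps port-security
!
! Verify
! show port-security interface FastEthernet0/1
! show port-security address
```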
GETVPN
AAA
AAA accounting
Impossible to derive specific commands; all dynamic entries are activated when any user is logged in
Documentation
Answer: True, not matched against packet types, only protocols, doesn’t even work with static NAT.
BGP with authentication in ASA (TCP option 19): allowing the traffic is usually not needed as it’s allowed from higher-to-lower interfaces and the state table would allow the return traffic. After allowing TCP option 19 an ‘invalid MD5’ message is shown on the BGP peer. This is caused by sequence number randomization.
  tcp-map BGP
  class-map BGP
  class BGP
Answer: No ip source-route
Default Behaviors
Configuration
IPSEC VPN
IKE
Certificates
IOS CA
GRE
IPsec profile
Grouping of parameters
Crypto map (match address, set transform-set, set peer)
Being interface aware removes the need for an ACL (traffic on the interface is encrypted); no peer needed (could be multiple)
Bind the transform-set to an IPsec profile (the only remaining item)
IPSEC HA
QoS
Certificate maps
Additional restrictions on device name, date, serial number
Certificate Based Access Control
Can ignore CRLs!!
  crypto pki certificate map TEST 10
   name eq/contains/gt/lt router.cisco.com
  crypto pki trustpoint TRUSTPOINT
   match certificate TEST
   match certificate TEST allow expired-certificate
   match certificate TEST skip revocation-check
Want to allow that to reach the CA to renew the certificate once it’s expired
Fragmentation
Anti-replay
ACLs as IOS
ISAKMP Policy also processed by number
Tunnel-type
o tunnel-group <peer> type ipsec-l2l/ipsec-ra
o tunnel-group <peer> ipsec-attributes for authentication
o isakmp enable <- NOT enabled by default
o crypto map <name> interface <- apply the crypto map
o IPsec is subject to firewall rules!!
  sysopt connection permit-vpn <- enabled by default
Keep in mind debugging level, default is 1, pick something (127)
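An added example (not from the original notes) walking the ASA steps above end to end for a site-to-site tunnel. Addresses, names and the pre-shared key are constructed placeholders.

```cisco
! Added example, not from the original notes: minimal ASA site-to-site
! IPsec. Addresses, names and the key are placeholders.
!
! ISAKMP policies are processed by number, lowest first.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! ISAKMP is NOT enabled by default; enable it on the terminating interface.
crypto isakmp enable outside
!
! Tunnel-group: type selects L2L vs remote-access; ipsec-attributes hold
! the authentication.
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
!
! Crypto ACL and crypto map, same structure as on IOS.
access-list L2L-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Default: decrypted traffic bypasses the interface ACL. If this is turned
! off, the interface ACL must permit the decrypted flows explicitly.
sysopt connection permit-vpn
!
! When troubleshooting, raise the debug level above the default of 1.
! debug crypto isakmp 127
```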
DMVPN
ip nhrp group A: apply QoS policies on specific connections to different spokes
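An added example (not from the original notes) of the NHRP group mechanism: the spoke announces a group name in its registration and the hub maps that name to a per-spoke output policy. Group name, policy name and rate are assumptions.

```cisco
! Added example, not from the original notes: per-spoke QoS on a DMVPN hub
! via NHRP groups. Group name, policy name and rate are placeholders.
!
! Spoke: include the group name in NHRP registrations to the hub.
interface Tunnel0
 ip nhrp group SPOKE-2M
!
! Hub: shaper applied to each spoke tunnel that registered with that group.
policy-map SHAPE-2M
 class class-default
  shape average 2000000
interface Tunnel0
 ip nhrp map group SPOKE-2M service-policy output SHAPE-2M
!
! Verify which spokes picked up the policy.
! show dmvpn detail
! show policy-map multipoint
```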
OEQ
30 minutes
4 questions
3 correct
5/6 words max
21 points
No access to documentation
If you are working with it, should be doable
Example: Looking at output, was it main mode or aggressive mode?
Example: How many shared interfaces between contexts? 1
Example: What features are not available in context or transparent mode?
Configuration / Troubleshooting
7h 30min
79 points, not made clear
60 needed to pass
Troubleshooting questions included in the lab
Example: VPN partially configured. 3 or 4 errors, could be VPN related or blocking the traffic flow in the middle
DMVPN/GETVPN probably pre-configured but broken, since it’s a lot of commands
1 or more diagram(s)
o Physical L2
o Logical L3
o Tasks / Configuration items / Requirements
o Terminal server settings
Terminal Server for accessing consoles
Test PC = RDP
AAA Server = Browser port 2002
IPS GUI/CLI possible, CLI preferred
ASA ASDM is NOT possible, only CLI
4 switches are in the lab
All devices can be pre-configured, routers/switches will have stuff pre-configured
Plan is to have a separate troubleshooting section and may add IPv6 by the end of 2010 in the Security lab
May not be allowed to save configs to flash in the lab
Issues
Crash/reload
Mis-cabled
Wrong IOS
Errors on interface
Be familiar with different versions and multiple ways of configuring stuff, it could change between versions. Be able to adapt to the situation
Verification
ASA
Device initialization
Contexts (single/multiple)
Read through the lab in advance, since configuration conversion doesn’t work 100% and requires a reload.
Not told in the lab. Depends on requirements of tasks to switch these features
Interface failures
Grouped together as 1 logical interface
Ensure physical interfaces have the same settings on local and remote end
Active interface is the one that is configured first, could change after reload, shouldn’t matter though
nameif inside defaults to security-level 100, others to 0
SSH requires RSA keys of 768 bits or higher
ASDM NOT allowed in the lab
Can’t telnet to outside interface unless configured
Can’t telnet to the least secure interface, could be more than 1
Building IPsec tunnel to the outside would work around that
ASA Filtering
Object-groups
Show access-list shows every line, including grouped entries, shows all separate entries
Show run access-list shows as configured with fewer lines due to groups
Fewest number of lines configured usually refers to object-groups, NOT to network masks
Routing
Static, RIP, OSPF, EIGRP
NAT
Nat 0 is exemption
Require translation to pass traffic between different security-levels. Traffic between same-security interfaces does not need it
IOS Firewall