Advanced IOS Security - Typepad · 2016. 8. 12. · Zone Based Firewall • Recommended IOS...
Advanced IOS Security
Jason Scobbie, Technical Leader, CISSP
BRKSEC-3007
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
About the Presentation
• What is not covered?
• ISE configuration
• Content filtering in the enterprise
• Advanced IPv6 security
• Intrusion Prevention Systems
• VPN solutions
• Fundamental IOS Security
• Security Overview/IOS Hardening
• User Services
BRKSEC-2042 - Content Filtering in the Enterprise
BRKSEC-2007 - Fundamental IOS Security
BRKSEC-2003 - Introduction to IPv6 Security Threats and Mitigations
BRKSEC-2030 - Deploying Intrusion Prevention Systems
BRKSEC-2881 - Designing Remote-Access and Site-to-Site IPSec networks with FlexVPN
BRKSEC-1050 - An Overview of Site-to-Site Cisco VPN Technologies
Agenda
• Data Plane Security
• Zone Based Firewall
• User Based Features
• Authentication Proxy
• User/Security Group Tagging
• High Availability
• Control Plane Protection
Advanced IOS Security – Overview
• Data Plane Security
• Traffic that passes through the router
• User and services traffic
• HTTP traffic to webservers
• SIP traffic for voice phones
• RDP sessions
• “Through The Box”
• Control Plane Security
• Infrastructure traffic that maintains a network
• Routing protocols (BGP, EIGRP, OSPF)
• Management (SSH, HTTP)
• Monitoring (SNMP, Syslog, NTP)
• “To The Box”
Data Plane Security
Data Plane Security using Zone Based Firewall
Permit trusted traffic
Create application aware policy
Apply QoS and rate limit
Protect data plane services
Log traffic
Allow tunneled/VPN traffic
• Build a comprehensive security solution to protect user services
• Using ZBFW provides standardized framework for all security based features
• Session will cover design considerations and the Appendix will have configuration examples
Data Plane Security – Identifying Traffic
[Diagram: a client behind Ethernet0/1 opens HTTP, SMTP and FTP connections through Ethernet0/0 to an HTTP server, an SMTP server and the Internet; the router has to identify each flow by application (HTTP, SMTP, FTP) as it passes through.]
Access-lists (ACLs) as a Security Solution

IOS-FW(config)# ip access-list extended 100
IOS-FW(config-ext-nacl)# permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  fin          Match on the FIN bit
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  rst          Match on the RST bit
  syn          Match on the SYN bit
  established  Match established connections
  fragments    Check non-initial fragments
  ttl          Match packets with given TTL value

IOS-FW(config)# ipv6 access-list IN->OUT_IPv6
IOS-FW(config-ipv6-acl)# permit any any ?
  routing      Routing header (all types)

See Appendix for complete configuration example

• ttl – restricts how far into the network traffic can travel; prevents control traffic from leaving the network
• established – only matches packets with the ACK or RST flag set; not truly stateful
• syn, fin, rst, ack – only match a TCP flag; not truly stateful
• fragments – prevents non-initial fragments from entering the network; a heavy-handed prevention of fragmentation attacks
• routing – restricts (loose) source routing via the IPv6 routing header; prevents clients from choosing their own routing path
Access-group and Access-list Limitations
[Diagram: a client behind Ethernet0/1; a web server and an attacker beyond Ethernet0/0. Both the web server's response and the attacker's packets arrive from the outside with source port 80.]

ip access-list extended OUT->IN
 permit tcp any eq 80 host Client
ip access-list extended IN->OUT
 permit tcp host Client any eq 80

How do we differentiate between the Webserver response and Attacker traffic? A stateless ACL cannot: any packet from TCP port 80 to the client is permitted, whether or not it belongs to a connection the client opened.
Firewall – Basic Functionality
[Diagram: a TRUSTED side with the client and an UNTRUSTED side with the web server, SMTP server, attacker and the Internet. The client's HTTP request creates a connection; the web server's HTTP response and SMTP traffic matching a tracked connection are allowed back; the attacker's malicious packets, which match no connection, are blocked.]
Firewall prevents malicious traffic from entering the network by tracking connections
Zone Based Firewall – Overview
• Recommended IOS data plane security solution
• Policies are applied to zones
• Zones are applied to interfaces
• Allows for scalable security policy
• Zone policies are directional
• Matches the initial packet of the flow
• TCP – matches the SYN
• Non-TCP – matches any packet
• Default drop policy
• Tight security for unreferenced traffic
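The difference the last three slides draw, between an ACL's `established` keyword and a firewall that matches the SYN and then tracks the flow, as an added example in Python (not code from the deck). The packets are constructed, and only addresses, ports and TCP flags are modelled:

```python
"""Stateless `established` ACL versus a stateful zone-based inspect.

Added example, not from the BRKSEC-3007 deck. Packets are constructed;
only addresses, ports and TCP flags are modelled.
"""
from __future__ import annotations

from dataclasses import dataclass

CLIENT = "192.168.1.100"  # the inside host used on the slides


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def acl_established_permits(pkt: Packet) -> bool:
    """Model of `permit tcp any eq 80 host Client established` applied on
    the outside interface. The ACL only sees the header of *this* packet:
    `established` is true whenever ACK or RST is set, so an attacker who
    sets ACK and uses source port 80 walks straight through."""
    return (pkt.sport == 80 and pkt.dst == CLIENT
            and bool(pkt.flags & {"ACK", "RST"}))


class ZoneFirewall:
    """Minimal model of a zone-pair with the `inspect` action.

    A TCP session is created only by the initial SYN seen on the
    inside->outside zone-pair; every other packet must belong to an
    existing session, and return traffic is accepted only when it matches
    a tracked session in reverse (default drop for unreferenced traffic)."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def inside_to_outside(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return True                     # mid-stream packet of a tracked flow
        if pkt.flags == frozenset({"SYN"}):
            self.sessions.add(key)          # the SYN opens the session
            return True
        return False                        # no session and not a SYN: drop

    def outside_to_inside(self, pkt: Packet) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions     # only replies to sessions we opened


def run_scenario() -> dict:
    """The client opens HTTP to 4.2.2.2; the server replies; an attacker
    spoofs source port 80 and sets ACK to look like a reply. Returns the
    verdict of each filter for the reply and for the attack packet."""
    fw = ZoneFirewall()
    syn = Packet(CLIENT, 59651, "4.2.2.2", 80, frozenset({"SYN"}))
    reply = Packet("4.2.2.2", 80, CLIENT, 59651, frozenset({"SYN", "ACK"}))
    attack = Packet("203.0.113.7", 80, CLIENT, 445, frozenset({"ACK"}))
    assert fw.inside_to_outside(syn)
    return {
        "acl_permits_reply": acl_established_permits(reply),
        "acl_permits_attack": acl_established_permits(attack),
        "zbfw_permits_reply": fw.outside_to_inside(reply),
        "zbfw_permits_attack": fw.outside_to_inside(attack),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {'permit' if verdict else 'drop'}")
```

Both filters let the genuine reply through; only the session table rejects the forged "reply", because no SYN from the client to 203.0.113.7 ever created a session. An outside-initiated SYN toward the client never creates one either, which is the default-drop behaviour the overview describes.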
Zone Policy Assignment and Scalability
• Same zone can be assigned to multiple interfaces
• Zone-pair policy can be reused
• Interface can only be part of one zone
• Zone-pairs permit traffic between two zones
• Traffic between interfaces in the same zone passes by default; to inspect or restrict it, a zone-pair with that zone as both source and destination is needed (source USERS destination USERS)
• Traffic is specific to a zone-pair which allows for directed control
[Diagram: three user subinterfaces share the zone USERS; zone-pairs with source USERS destination INTERNET and source USERS destination USERS carry the policy toward the Internet and between user segments.]
See Appendix for complete configuration example

interface Ethernet0/0.100
 zone-member security USERS
interface Ethernet0/0.200
 zone-member security USERS
interface Ethernet0/0.300
 zone-member security USERS
Zone Policy Assignment – Self Zone
• Pre-defined zone member
• Protects traffic to and from the router
• Traffic sourced from or destined to the router
• Excludes NAT traffic
• Two differences from a user-defined zone:
1. The self zone cannot be configured; it is pre-defined and available for use
2. Reverse functionality of zones: traffic to and from the self zone is allowed unless a policy explicitly denies it, whereas traffic between user-defined zones is denied unless a policy explicitly allows it
• Use to protect management and control plane traffic
[Diagram: traffic types that terminate on the self zone:]
• Management traffic: SSH, Telnet, HTTP
• Monitoring traffic: SNMP, Syslog, NetFlow
• Routing protocols: EIGRP, OSPF, BGP
• VPN: ESP, GRE, NAT-T, ISAKMP
Zone Based Firewall – Configuration Theory
• Identify traffic using a class-map
• Access-list
• Protocols
• Take action using a policy-map
• Inspect
• Drop
• Pass
• Apply the action using a zone-pair
• The policy-map is attached to the zone-pair as a service-policy
• The action is applied to traffic crossing that zone-pair
Identifying Traffic using Class-maps
• Class-maps identify traffic
• Access-lists for IP addresses and ports
• Protocols for Layer 7 matching
• Class-maps can be nested
• Scalability through reuse
• Directed match criteria
[Diagram: a class-map combines an access-list, a protocol match and, optionally, another class-map.]

class-map type inspect match-all USERS_PROTOCOLS
 match access-group name USER_ACL
 match protocol http

See Appendix for complete configuration example
Identifying Traffic using Class-maps – Match-Any vs Match-All
• Match-All: traffic must satisfy every criterion (access-list USER_ACL AND protocol HTTP)
• Match-Any: traffic must satisfy at least one criterion (access-list USER_ACL OR protocol HTTP)
See Appendix for complete configuration example
Identifying Traffic – Mixing and Matching

class-map type inspect match-all USERS->INTERNET_CMAP
 match access-group name USER_ACL
 match class-map USER_PROTOCOLS_CMAP

class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp

ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any

The nested match-any class-map supplies the "HTTP or FTP" condition, while the outer match-all class-map additionally requires the source to be in USER_ACL (note that an IOS ACL takes a wildcard mask, 0.0.0.255, not a subnet mask).
Take Action using Policy-Map
• Inspect
• Builds connections for traffic
• Statefully examines the flow
• Allows return packets that match the connection
• Preferred action for traffic
• Drop
• Drops packets silently
• Pass
• Bypasses firewall checks
• Return traffic must be explicitly allowed (by a pass in the reverse zone-pair)
• Only for customized traffic
Take Action using Policy-Map – Class-maps Order of Operation
• Class-maps are processed in order
• Always put more specific match conditions first
• Order matters when applying action/application inspection

Correct: the specific SMTP class is evaluated first, so SMTP is inspected and all other TCP is dropped

policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
 class type inspect TCP_TRAFFIC_CMAP
  drop

Incorrect: the generic TCP class matches SMTP first, so SMTP is dropped and the inspect line is never reached

policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect TCP_TRAFFIC_CMAP
  drop
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
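How match-all, match-any, nesting and first-match ordering combine, as an added Python model (not code from the deck). The flows are constructed, and protocols are recognised by destination port the way PAM does by default, which is a simplification: the real firewall also inspects the payload.

```python
"""Class-map composition and first-match ordering in a ZBFW policy-map.

Added example, not from the BRKSEC-3007 deck. Flows are constructed and
protocols are recognised by destination port, as PAM does by default;
the real firewall also looks at the payload.
"""
import ipaddress

# Extended ACLs: ordered (action, source network) entries, implicit deny.
ACLS = {"USER_ACL": [("permit", ipaddress.ip_network("192.168.1.0/24"))]}

# Default port-to-application mapping (constructed subset of `show ip port-map`).
APP_PORTS = {"http": 80, "ftp": 21, "smtp": 25}

CLASS_MAPS: dict = {}


class ClassMap:
    """`class-map type inspect match-all|match-any NAME` with its match lines."""

    def __init__(self, name: str, mode: str, *criteria: tuple) -> None:
        assert mode in ("match-all", "match-any")
        self.name, self.mode, self.criteria = name, mode, criteria
        CLASS_MAPS[name] = self

    def _criterion(self, kind: str, arg: str, flow: dict) -> bool:
        if kind == "access-group":
            src = ipaddress.ip_address(flow["src"])
            for action, net in ACLS[arg]:
                if src in net:
                    return action == "permit"
            return False                        # implicit deny at the end
        if kind == "protocol":
            if arg == "tcp":                    # `match protocol tcp`: any TCP
                return flow["proto"] == "tcp"
            return flow["proto"] == "tcp" and flow["dport"] == APP_PORTS[arg]
        if kind == "class-map":                 # nested class-map
            return CLASS_MAPS[arg].matches(flow)
        raise ValueError(kind)

    def matches(self, flow: dict) -> bool:
        results = [self._criterion(k, a, flow) for k, a in self.criteria]
        return all(results) if self.mode == "match-all" else any(results)


def evaluate(policy: list, flow: dict) -> str:
    """policy-map: ordered (class, action) pairs; the first match wins."""
    for cls, action in policy:
        if cls == "class-default" or CLASS_MAPS[cls].matches(flow):
            return action
    return "drop"                               # ZBFW default for unreferenced traffic


# Class-maps from the slides.
ClassMap("USER_PROTOCOLS_CMAP", "match-any", ("protocol", "http"), ("protocol", "ftp"))
ClassMap("USERS->INTERNET_CMAP", "match-all",
         ("access-group", "USER_ACL"), ("class-map", "USER_PROTOCOLS_CMAP"))
ClassMap("SMTP_TRAFFIC_CMAP", "match-all", ("protocol", "smtp"))
ClassMap("TCP_TRAFFIC_CMAP", "match-all", ("protocol", "tcp"))

# The two orderings of INTERNET->APPLICATION_PMAP shown on the slide.
SPECIFIC_FIRST = [("SMTP_TRAFFIC_CMAP", "inspect"), ("TCP_TRAFFIC_CMAP", "drop"),
                  ("class-default", "drop")]
GENERIC_FIRST = [("TCP_TRAFFIC_CMAP", "drop"), ("SMTP_TRAFFIC_CMAP", "inspect"),
                 ("class-default", "drop")]


def flow(src: str, dport: int, proto: str = "tcp") -> dict:
    """A constructed flow record: source address, destination port, L4 protocol."""
    return {"src": src, "dport": dport, "proto": proto}


if __name__ == "__main__":
    smtp = flow("203.0.113.10", 25)
    print("specific first:", evaluate(SPECIFIC_FIRST, smtp))   # inspect
    print("generic first: ", evaluate(GENERIC_FIRST, smtp))    # drop
    for f in (flow("192.168.1.10", 21), flow("10.0.0.5", 80), flow("192.168.1.10", 25)):
        print(f, CLASS_MAPS["USERS->INTERNET_CMAP"].matches(f))
```

Running it shows the ordering problem directly: the same SMTP flow is inspected under SPECIFIC_FIRST and dropped under GENERIC_FIRST, because `match protocol tcp` already matched it before the SMTP class was consulted.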
Apply Action using Zone-Pair – Apply Policy-map as Service-policy in Zone-pair

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect DEVELOPMENT_TRAFFIC_CMAP
  pass
 class type inspect BLOCK_TRAFFIC_CMAP
  drop
 class type inspect ALLOWED_TRAFFIC_CMAP
  inspect
 class class-default
  drop

zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
 service-policy type inspect USERS->INTERNET_PMAP

• pass on DEVELOPMENT_TRAFFIC_CMAP – customized traffic
• drop on BLOCK_TRAFFIC_CMAP – drop unwanted traffic
• inspect on ALLOWED_TRAFFIC_CMAP – enforce stateful security checks
• drop on class-default – catch-all action
See Appendix for complete configuration example
Apply Action using Zone-Pair – Verifying Traffic on Zone Based Firewall
• ZBFW builds a connection for inspected traffic
• Uptime and Bytes can be used to verify functionality
• Bytes sent are increasing = traffic is flowing successfully
• Last heard at 00:00:00 = a packet was just seen, traffic is flowing successfully

IOS-FW# show policy-firewall session zone-pair USERS->INTERNET_ZP
Zone-pair: USERS->INTERNET_ZP
Service-policy inspect : USERS->INTERNET_PMAP
Class-map : USERS->INTERNET_CMAP(match-all)
Established Sessions = 1
Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:08, Last heard 00:00:08
Bytes sent (initiator:responder) [164:5980]
Class-map : class-default(match-any)

Reading the output: the first lines name the zone-pair, service-policy, policy-map and class-map (ZP, SP, PM, CM); "Established Sessions" is the total for the zone-pair; "Created" is the uptime of the connection; "Bytes sent" shows the bytes transferred in each direction.
See Appendix for complete configuration example
Apply Action using Zone-Pair – Advanced Inspection – Protocol vs Application
• Basic TCP inspection
• Layer 4 security checks
• Stateful tracking of the connection
• Advanced Layer 7 inspection
• Permit or drop traffic based on Layer 7 information
• Layer 7 protocol compliance (i.e. SIP)
• Dynamic opening of child connections (i.e. SIP, H.323, FTP)

Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB

What's the difference? The first session was matched by a generic TCP class (match protocol tcp) and receives only the Layer 4 stateful checks; the second was matched by match protocol http, is tagged http:tcp, and is also examined by the HTTP application inspection engine.
Out of Order Packet Handling
• Application inspection requires packets to arrive in order
• Out of Order (OoO) processing queues packets to be reordered
• Increasing the OoO queue size reduces inspection-based packet loss

parameter-map type ooo global
 tcp reassembly memory limit 1024
 tcp reassembly queue length 16
 tcp reassembly timeout 30

Increase the queue length to allow more OoO packets to be buffered; increase the timeout to compensate for latency in retransmission. When the buffer is insufficient the firewall drops the segment:

Apr 3 10:40:30.662: %FW-6-DROP_PKT: Dropping tcp session 4.2.2.2:80 10.1.1.1:58899 on zone-pair INSIDE->OUTSIDE_ZP class USERS_CMAP due to Out-Of-Order Segment with ip ident 0
Port Application Mapping (PAM)
• Application inspection ports can be changed or modified
• Access-lists can be used to limit a port mapping to the hosts in the list
• Used for overlapping inspection ports
• View existing ports for application inspection

Router# show ip port-map | i http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8080 user defined
Default mapping: http tcp port 8888 in list 99 user defined

Router(config)# ip port-map http port 8080
Router(config)# ip port-map http port 8888 list 99
Application Aware
• What is an application?
• Are these applications or just ports?
• HTTP – 80
• FTP – 21
• SMTP – 25
• IMAP – 143
• What about these? (applications such as YouTube or Facebook that ride on top of HTTP)
Blocking Websites using Zone Based Firewall
• Block websites using local URL filtering
• Match URLs using a regex parameter-map
• The URL is taken from the Host field of the HTTP GET request
• Sending a reset is the only action supported when a URL is matched
[Diagram: the packet layers and what each carries – Ethernet header: source MAC, destination MAC; IP header: source IP, destination IP; TCP header: source port, destination port; HTTP data: request method, Host, URI.]

parameter-map type regex BLACKLIST_URLS
 pattern .*cisco.*
 pattern .*facebook.*

See Appendix for complete configuration example
Blocking Websites – Results
• Number of regex patterns is limited by the device
• 3925 with 250 URLs
• User gets no feedback
• Connection is reset
• May generate support calls from end clients
• Will not match HTTPS traffic (the Host header is inside the TLS session)
BRKSEC-2042 Content Filtering in the Enterprise
Application Visibility and Control (AVC)
• AVC leverages NBAR2 protocol packs to identify complex traffic flows
• Application monitoring in addition to port monitoring
• Applied using MQC
• Feature operates independently of ZBFW
• Integrates with Flexible NetFlow to monitor traffic
[Diagram: the IP, TCP and HTTP headers look the same for any web application; the application inside (YouTube? Facebook?) is what NBAR2 classifies.]
BRKSEC-2042 Content Filtering in the Enterprise
NBAR2 and Application Visibility Control
• NBAR2 can be leveraged to match traffic using MQC

class-map match-any P2P_APPLICATIONS
 match protocol bittorrent
 match protocol bittorrent-networking
 match protocol dht
 match protocol attribute sub-category p2p-file-transfer

policy-map RATE_LIMIT_P2P
 class P2P_APPLICATIONS
  police 8000 conform-action transmit exceed-action drop

interface Ethernet0/0
 service-policy input RATE_LIMIT_P2P

The police rate is in bits per second, so 8000 limits matched P2P traffic entering Ethernet0/0 to 8 kbps.
Content Scanning Configuration – Cloud Web Security (CWS)
• CWS integration provides
• User identification
• URL tracking
• Stateful TCP/HTTP enforcement
• Preferred solution for content scanning
• Scalability through offloaded URL filtering
• Monitoring through user identification integration
• IPv4 only feature

interface Ethernet0/0
 ip nat outside
 zone-member security OUTSIDE
 content-scan out
…

IOS# show content-scan session active
Protocol  Source            Destination          Bytes          Time
HTTP      10.1.1.100:57152  209.222.159.185:80   (1635:331595)  00:00:12
  URI: www.cisco.com
  Username/usergroup(s): ciscouser10/ ciscogroup10

The output shows the total data transferred (bytes in each direction), the website visited (URI) and the user identity integration (username and group).
See Appendix for complete configuration example
QoS Policy using Zone Based Firewall
• Simple traffic policer
• Matched traffic is rate limited to the specified value

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect HTTP_CMAP
  police rate 10000000 burst 250000
 class type inspect BITTORRENT_CMAP
  police rate 5000000 burst 500000

[Diagram: on a 20 Mbps link, HTTP is policed to 10 Mbps and BitTorrent to 5 Mbps; 5 Mbps is reserved for voice traffic.]
Features to Protect Data Plane Services
• Connection limits within ZBFW
• Protects device and endpoints from resource exhaustion
• TCP Intercept to protect against SYN flood attacks
• uRPF to defend against spoofing attacks
• VFR to defend against fragmentation attacks
Advanced ZBFW Connection Limits – Timeouts
• ZBFW will send resets to both endpoints once the timer expires

parameter-map type inspect CONN_TIMEOUT_PARAM
 tcp idle-time 3600
 tcp synwait-time 30

[Diagram: tcp idle-time is the connection timeout for established sessions; tcp synwait-time is the half-open session timeout – a TCP SYN that is not followed by a completed handshake within 30 seconds has its session removed and a TCP RST sent to both sides.]
See Appendix for complete configuration example
Advanced ZBFW Connection Limits – Maximums and Rates

parameter-map type inspect CONN_LIMIT_PARAM
 sessions maximum 1000
 max-incomplete high 100 low 75
 one-minute high 50
 one-minute low 25

• sessions maximum – total sessions allowed; with 1000 connections open, the 1001st connection is refused
• max-incomplete high/low – total half-open sessions with clamping: above the high value the firewall starts deleting half-open sessions and stops once the count falls below the low value
• one-minute high/low – rate of new connection attempts on the device per minute, clamped in the same way
See Appendix for complete configuration example
SYN Flood Attack Mitigation using TCP Intercept
[Diagram of the two modes:]
• Intercept mode – the router answers the client's SYN with a SYN+ACK on the server's behalf; only when the client's ACK arrives does the router complete a handshake with the server (SYN, SYN+ACK, ACK) and splice the two halves together, so spoofed SYNs never reach the server
• Watch mode – the SYN passes through to the server and the router watches the handshake; if it is not completed within the timeout, the router sends a RST to tear down the half-open connection
See Appendix for complete configuration example
Spoofing Attacks – Unicast Reverse Path Forwarding
[Diagram: a packet with source 20.1.1.100 and destination 10.1.1.200 enters the router on Ethernet0/1. The routing table says 20.1.1.0/24 is reachable via Ethernet0/0, not Ethernet0/1, so the source is spoofed.]

Router# show ip route
C 10.1.1.0/24 directly connected, Ethernet0/0
C 192.168.1.0/24 directly connected, Ethernet0/1
S 20.1.1.0/24 via Ethernet0/0

See Appendix for complete configuration example
Spoofing Attack Mitigation
• Strict mode
• The source address is in the Forwarding Information Base (FIB) and reachable only through the interface on which the packet was received
• Loose mode
• The source address is in the FIB and reachable through any interface on the router
• Used for asymmetric routing or multi-homed ISP connections
• uRPF configuration example

Strict mode:
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via rx

Loose mode:
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via any
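The strict and loose checks run against the routing table from the previous slide, as an added Python example (not code from the deck). The FIB entries are the three routes shown; the packets are constructed. The `allow_default` switch models the `allow-default` keyword of `ip verify unicast source`: without it, uRPF does not count a default route as a route back to the source.

```python
"""Strict versus loose uRPF against the FIB from the slides.

Added example, not from the BRKSEC-3007 deck. A simplified model of the
check: longest-prefix lookup of the source address, then a comparison of
the route's egress interface with the ingress interface (strict) or a
mere existence check (loose).
"""
import ipaddress

FIB = [
    (ipaddress.ip_network("10.1.1.0/24"), "Ethernet0/0"),     # C, directly connected
    (ipaddress.ip_network("192.168.1.0/24"), "Ethernet0/1"),  # C, directly connected
    (ipaddress.ip_network("20.1.1.0/24"), "Ethernet0/0"),     # S, static via Ethernet0/0
]

# Same table plus a default route, to show the allow-default behaviour.
FIB_WITH_DEFAULT = FIB + [(ipaddress.ip_network("0.0.0.0/0"), "Ethernet0/0")]


def fib_lookup(addr: str, fib=FIB):
    """Longest-prefix match. Returns (prefix, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(src: str, ingress: str, mode: str = "rx",
               allow_default: bool = False, fib=FIB) -> bool:
    """Return True if a packet with source `src` arriving on `ingress` passes.

    mode "rx"  = strict (`reachable-via rx`): the route back to the source
                 must leave through the interface the packet arrived on.
    mode "any" = loose (`reachable-via any`): any route to the source will do.
    A default route only counts when allow_default is set (the
    `allow-default` keyword)."""
    hit = fib_lookup(src, fib)
    if hit is None:
        return False                        # no route back to the source at all
    prefix, egress = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False                        # only the default route matched
    if mode == "any":
        return True
    if mode == "rx":
        return egress == ingress
    raise ValueError(mode)


if __name__ == "__main__":
    # The spoofed packet from the slide: source 20.1.1.100 arriving on Ethernet0/1,
    # although 20.1.1.0/24 is reachable only via Ethernet0/0.
    print("strict, spoofed :", urpf_check("20.1.1.100", "Ethernet0/1", "rx"))     # False
    print("loose,  spoofed :", urpf_check("20.1.1.100", "Ethernet0/1", "any"))    # True
    print("strict, genuine :", urpf_check("192.168.1.50", "Ethernet0/1", "rx"))   # True
    print("loose,  unrouted:", urpf_check("198.51.100.1", "Ethernet0/1", "any"))  # False
```

The output makes the trade-off of the slide concrete: loose mode accepts the spoofed 20.1.1.100 because a route to it exists somewhere, and only rejects sources with no route at all (or only a default route), which is why it suits asymmetric or multi-homed edges where strict mode would discard legitimate traffic.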
IP Fragmentation Attacks
[Diagram: an original packet (IP header, TCP header, data) split into fragments, and three abuses of fragmentation:]
• Tiny Fragment – the first fragment is so small that the TCP header is split across fragments, so a filter that only sees fragment 1 cannot read the ports and flags
• Overlapping Fragments – fragment 2 claims an offset inside fragment 1, so on reassembly it overwrites part of the first fragment, header fields included
• Buffer Overflow – the fragments reassemble into a datagram larger than the receiver's buffer
IP Fragmentation Attack Mitigation – IP Virtual Fragment Reassembly (VFR) Configuration
• Enabling VFR
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in
• Restricting the number of concurrent IP datagrams being reassembled
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-reassemblies 64
• Limiting the number of fragments per IP datagram
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-fragments 16
• Drop all IP fragments
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in drop-fragments
See Appendix for log information
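The three fragment abuses on the previous slide, and the per-datagram fragment limit above, as checks over constructed fragment sets. This is an added Python example, not code from the deck and not Cisco's VFR implementation; it models only the IPv4 fragment offset, the more-fragments flag and the bytes after the IP header.

```python
"""Fragment sanity checks of the kind VFR performs before reassembly.

Added example, not from the BRKSEC-3007 deck and not Cisco's implementation.
Each fragment is (offset in 8-byte units, more-fragments flag, payload bytes):
the IPv4 fragment header fields plus the data that follows the IP header.
The fragment sets at the bottom are constructed.
"""
TCP_HEADER_LEN = 20
MAX_IP_PAYLOAD = 65535 - 20          # maximum datagram minus a 20-byte IP header


def inspect_fragments(frags, max_fragments: int = 16):
    """Return (verdict, reassembled payload or None).

    Mirrors the VFR settings above: `max-fragments` bounds the fragment count
    per datagram; a tiny first fragment, an overlap, an oversize datagram, a
    hole or a bad more-fragments flag is rejected instead of reassembled."""
    if len(frags) > max_fragments:
        return ("too-many-fragments", None)
    ordered = sorted(frags, key=lambda f: f[0])
    buf = bytearray()
    expected_start = 0
    for index, (offset_units, more, payload) in enumerate(ordered):
        start = offset_units * 8
        end = start + len(payload)
        if end > MAX_IP_PAYLOAD:
            return ("oversize-datagram", None)          # buffer overflow on reassembly
        if start == 0 and more and len(payload) < TCP_HEADER_LEN:
            return ("tiny-fragment", None)              # L4 header split across fragments
        if start < expected_start:
            return ("overlapping-fragment", None)       # would rewrite earlier bytes
        if start > expected_start:
            return ("incomplete", None)                 # hole: not all fragments seen
        last = index == len(ordered) - 1
        if more == last:                                # MF set on the last, or clear mid-way
            return ("bad-more-fragments-flag", None)
        buf += payload
        expected_start = end
    return ("ok", bytes(buf))


# Constructed fragment sets: TCP header = 20 bytes of "H", data = "x".
CLEAN = [(0, True, b"H" * 20 + b"x" * 4), (3, False, b"x" * 8)]
TINY_FIRST = [(0, True, b"H" * 8), (1, False, b"H" * 12 + b"x" * 8)]
OVERLAP = [(0, True, b"H" * 20 + b"x" * 4), (2, False, b"x" * 16)]
OVERSIZE = [(0, True, b"H" * 20 + b"x" * 4), (8189, False, b"x" * 8)]


if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("tiny", TINY_FIRST),
                        ("overlap", OVERLAP), ("oversize", OVERSIZE)):
        verdict, data = inspect_fragments(frags)
        print(f"{name:9s} {verdict:22s} {len(data) if data else '-'}")
```

Only the clean set reassembles (32 bytes). The oversize case is the ping-of-death shape: a final fragment at offset 8189 (65512 bytes) pushes the datagram past the 65535-byte maximum, which is what a naive reassembler's buffer would overflow.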
Logging Dropped Packets
• Drop logging is enabled in two ways:
1. Globally in the parameter-map – does not change the drop actions themselves
2. With the drop action – logs only the traffic in that class-map
• Dropped packet logging is rate limited after the first hit
• Logs are summarized and rate limited to 256 flows every 30 seconds
• Used for troubleshooting, unreliable for global monitoring

policy-map type inspect USERS->INTERNET_PMAP
 class class-default
  drop log

parameter-map type inspect global
 log dropped-packets enable
 log summary rate 30 flows 256

%FW-6-DROP_PKT: Dropping tcp session 192.168.1.100:29201 4.2.2.2:81 on zone-pair INSIDE->OUTSIDE_ZP class class-default due to DROP action found in policy-map with ip ident 0

See Appendix for complete functionality example
Logging New Connections
• Logging new connections is not on by default
• Processor intensive
• Interrupt driven messages can cause high CPU
• Similar to the log keyword on ACLs
• Used for troubleshooting
• Not recommended for monitoring

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Stop tcp session: initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes

See Appendix for complete configuration example
Monitoring Traffic
• ACL hit counters and NetFlow on Ethernet0/1 give a packet-level view of what passes toward Ethernet0/0

Router(config)# interface Ethernet0/1
Router(config-if)# ip access-group 100 in
Router(config-if)# ip flow ingress

Router# show access-list 100
Extended IP access list 100
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (2 matches)
    permit tcp any any eq www (21374 matches)
    permit udp any any (15 matches)
    permit ip any any (45 matches)
Tracking Source of DoS attacks

Router# show ip cache flow
...
Protocol   Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------   Flows  /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-WWW    255    0.0    1        64     255.0    4.0          15.5
...
SrcIf  SrcIPaddress   DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Et0/1  203.0.113.102  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.103  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.104  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.105  Et0/0  10.1.1.10     06  CDF7  0050  1
...

Signs of a flood in the flow cache: incrementing attacker IP addresses, the same victim IP, the same TCP ports (source port CDF7, destination port 0050 = 80) and a single packet per flow.
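The pattern described above, turned into detection logic over flow records, as an added Python example (not code from the deck). The flow lines are constructed in the column layout of `show ip cache flow` (protocol and ports in hex) and include two normal flows for contrast.

```python
"""Picking a SYN-flood signature out of `show ip cache flow` records.

Added example, not from the BRKSEC-3007 deck. The flow lines are constructed
in the layout of the slide (SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts, with
protocol and ports in hex) and include some normal traffic for contrast.
"""
from collections import Counter, defaultdict

SAMPLE_FLOWS = """\
SrcIf  SrcIPaddress   DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Et0/1  203.0.113.102  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.103  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.104  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.105  Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  192.168.1.100  Et0/0  10.1.1.10     06  E2A1  0050  37
Et0/1  192.168.1.101  Et0/0  10.1.1.20     11  C001  0035  2
"""


def parse_flows(text: str):
    """Yield one dict per flow record, skipping the header line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = fields
        yield {"src": src, "dst": dst, "proto": int(proto, 16),
               "sport": int(sport, 16), "dport": int(dport, 16), "pkts": int(pkts)}


def suspicious_targets(text: str, min_sources: int = 4):
    """Group flows by (destination, port, protocol) and report targets that
    receive single-packet flows from at least `min_sources` distinct sources.
    Each report carries the most common source port of those flows, since a
    spoofing tool often reuses one port across the forged addresses."""
    groups = defaultdict(list)
    for rec in parse_flows(text):
        groups[(rec["dst"], rec["dport"], rec["proto"])].append(rec)
    reports = []
    for (dst, dport, proto), recs in groups.items():
        single = [r for r in recs if r["pkts"] == 1]
        sources = {r["src"] for r in single}
        if len(sources) < min_sources:
            continue
        sport, count = Counter(r["sport"] for r in single).most_common(1)[0]
        reports.append({"target": f"{dst}:{dport}", "proto": proto,
                        "flows": len(recs), "single_packet_sources": len(sources),
                        "common_sport": sport, "common_sport_count": count})
    return reports


if __name__ == "__main__":
    for r in suspicious_targets(SAMPLE_FLOWS):
        print(f"{r['target']} proto {r['proto']}: {r['single_packet_sources']} sources "
              f"sent single-packet flows, {r['common_sport_count']} of them from "
              f"source port {r['common_sport']:#06x}")
```

On the sample the only report is 10.1.1.10:80 with four single-packet sources, all using source port 0xCDF7; the legitimate 37-packet session from 192.168.1.100 to the same server is in the group but does not count toward the signature. The `min_sources` threshold is the knob to tune against the normal one-packet noise (scanners, probes) a real cache contains.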
Data Plane Security of Tunneled Traffic using ZBFW
• Tunneled traffic can be encrypted
• Tunnel traffic is control plane, whereas the transit traffic inside it is data plane
• Tunnels are used to connect remote locations
• Connect to all remote locations using a VPN to allow secure connectivity
• Traffic should still be subjected to ZBFW because it may not be trusted
Tunneled traffic
• A Self-to-Out zone-pair will identify the tunnel (ESP/GRE/6in4) traffic
• Pass as the action
Unencapsulated traffic
• An Inside-to-Tunnel zone-pair will identify the data plane traffic
• Inspect as the action to allow return traffic through
ZBFW and Tunneling
• The remote zone depends on the tunnel configuration
• Crypto map on the interface
• VTI
• The VPN packet is always sourced from the self zone since it is generated by the router
[Diagram: the client packet (SRC A, DST B) crosses from the Local zone to the Remote zone over the tunnel; the VPN packet that carries it (SRC X, DST Y) leaves the Self zone toward the Internet zone.]
ZBFW and Tunneling Design Considerations
• Firewall policies should be applied on the device before encapsulation or encryption occurs
• 6in4 tunneling is becoming more common and is an easy way to circumvent established security policies
• ZBFW can be used to protect both IPv6 and IPv4 stacks if positioned and deployed correctly
[Diagram: IPv6 hosts A and B talk across an IPv4 tunnel between X and Y; zones LOCAL, OUTSIDE and REMOTE, with a zone-pair source SELF destination OUTSIDE for the tunnel packets and a zone-pair source LOCAL destination REMOTE for the traffic carried inside the tunnel.]

interface Tunnel0
 zone-member security REMOTE
 tunnel mode [ipsec|gre|ipv6ip]

interface WAN
 zone-member security OUTSIDE
ZBFW Interaction with Other Features
• One interface can carry an interface ACL, ZBFW zone membership, NAT, QoS and VPN at the same time

interface Ethernet0/1
 ip access-group IN_ACL in
 zone-member security INSIDE
 ip nat inside
 service-policy input QoS
 crypto map CRYPTO_MAP

See Appendix for complete configuration example
Summary of ZBFW features

Access Control
• ZBFW: zone members/zone-pairs – stateful, scalable
• IOS: interface access-lists – not stateful, cannot integrate with VPN

Application Aware Policies
• ZBFW: Layer 7 inspection policy – integrated into inspection, utilizes NBAR for matching
• IOS: NBAR/AVC using MQC – independent configuration, not stateful

Quality of Service (QoS)
• ZBFW: policing integrated with the ZBFW policy-map – simple policing
• IOS: traffic shaping with an interface QoS policy – optimizes traffic flow

Monitoring
• ZBFW: audit-trail in the global parameter-map – interrupt driven connection information
• IOS: ACL log hits – simplified packet counting; NetFlow – connection oriented packet counting
Insurance
• If router is compromised
• How to mitigate the impact?
• Restore device back to last known working condition?
• Mitigating the impact of configuration changes
• Configuration Archive
• IOS Resiliency
• Tracking down the source of the change
• Command Accounting
Configuration Backup and Rollback
• Stores the configuration periodically to a destination location
• Force a configuration archive
• Rollback configuration
• Introduced in 12.3(7)T

archive
 path disk0:myconfig_backup
 maximum 5
 time-period 1440

Router# archive config
Router# configure replace disk0:myconfig_backup-<date>
IOS Resiliency
• Saves a copy of the running-config and system image onto local storage
• This is called the primary bootset
• The primary bootset can be used to restore a previous image and config
• The feature can only be disabled from a console session
• It can be initially enabled via any CLI session
• Introduced in 12.3(8)T
[Diagram: running config + system image = primary bootset]
See Appendix for complete configuration example
Network Accounting
• Log command history to a location
• Local archive
• ACS
• Tracks configuration changes
• Per-session
• Per-user
• Introduced in 12.4(11)T
See Appendix for complete configuration example

archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog

Router# show archive log config all
 idx  sess  user@line  Logged command
   1     8  NOC@vty0   |interface Ethernet0/2
   2     8  NOC@vty0   | shutdown
User Identity
User Identity Concepts
• What happens when a user moves within a network?
• Effective security policies track users throughout the network
• Tracking can be done using:
• IP address
• Username
• OS/Application/etc
?
See Appendix for address assignment information
Types of Authentication

Active
• Definition: the router learns user credentials directly from the client; username and password are verified against ACS/ISE/AD
• Examples: Authentication Proxy using ACS; browser-based NTLM

Passive
• Definition: the user provides credentials to a third-party device; the router learns the user information from that device
• Example: Security Group Tagging using dot1x

Transparent
• Definition: the router learns user credentials directly from the client, but they are not checked against an external server; the router just trusts the user information
• Example: Do Not Use!
Authentication Proxy Overview
• Client prompted for credentials by login prompt
• Username and password are checked
• Local
• Radius
• Radius can pass down attributes
• Downloadable ACL
• User Groups
• Security Group Tagging
IPv4 only feature
Authentication Proxy Traffic Flow – User Challenge
[Diagram: the client opens an HTTP connection; the router intercepts it and asks "Who are you?"; the client answers "I am UserA"; the router will verify the answer with ACS/ISE.]
Authentication Proxy Traffic Flow – Consult ACS
[Diagram: the router asks ACS/ISE "What should I do with UserA?"; ACS/ISE answers "Permit UserA, but restrict their access using this ACL" and returns the downloadable ACL:]

ip access-list extended DACL
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit icmp any any
Authentication Proxy Traffic Flow – Apply Action
[Diagram: the router applies the per-user downloadable ACL returned by ACS/ISE to each authenticated user.]

UserA:
ip access-list extended UserA_DACL
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 21

UserB:
ip access-list extended UserB_DACL
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit icmp any any

See Appendix for complete configuration example
Consent Parameter-map
• User is forced to accept terms of use before logging in
• Login success only if terms are accepted
• Terms of use can be regularly updated through on device HTML file
• Legal requirements for certain environments
See Appendix for complete configuration example
User Group Tagging – Consult ACS/ISE
• Routers will ask ACS/ISE for the group information of the user
• Group information is known as tags/SGT
• The router will apply specific configuration based on these tags
• The configuration on each router is known as a template
[Diagram: the router asks ACS/ISE "What should I do with UserA?"; ACS/ISE answers "Permit UserA, but mark them with this special Cisco user tag" and returns the attributes:]
Cisco AV-pair:
 Supplicant Group = ENG
 SGT = 3
User Group Tagging – Traffic Processing
[Diagram: UserA is in user group MKT with SGT 3; UserB is in user group ENG with SGT 4; ACS/ISE supplies the group and tag, and the router's class-maps match on them.]

class-map type inspect INSIDE->OUTSIDE_CMAP
 match user-group ENG
 match security-group source tag 4

class-map type inspect INSIDE->OUTSIDE_CMAP
 match user-group MKT
 match security-group source tag 3

(Two alternative templates are shown; on a single router each class-map needs a distinct name.)
User Groups/SGT render identity features stateful
Security Group Tagging – Traffic Path (Passive Authentication)
[Diagram: the client authenticates with dot1x; ACS/ISE assigns the client SGT 3; the client's HTTP connection arrives at the router carrying SGT 3 and is matched by the class-map.]

class-map type inspect INSIDE->OUTSIDE_CMAP
 match security-group source tag 3

• All devices need to be supported platforms on supported versions
• Comprehensive SGT requires a full end-to-end integration
High Availability
High Availability (HA)
• Device and interface level redundancy avoid connectivity loss
• Traffic must always pass through the Active device
• Configurations are not replicated between units; each unit is configured independently
• Examples of features that stay independent per unit:
• Routing tables
• Interface configurations
• Firewall features
• Traffic is mapped between units using the Redundant Interface Identifier (rii)
• Interfaces on the two units do not have to be the same
(Figure: the two units are joined by an HA control interface)
See Appendix for complete configuration example
Connection Replication
• Connection state information is replicated across HA control interface
• Interfaces are mapped between units using rii number
ZBFW2#show policy-firewall session
Session B2601288 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:51, Last heard never
Bytes sent (initiator:responder) [0:0]
HA State: STANDBY, RG ID: 1
Established Sessions = 1
ZBFW1#show policy-firewall session
Session B2704178 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:31, Last heard 00:00:30
Bytes sent (initiator:responder) [37:79]
HA State: ACTIVE, RG ID: 1
Established Sessions = 1
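A quick consistency check for the two outputs above, as an added Python example that is not part of the presentation: it parses each unit's `show policy-firewall session` output and matches sessions on the 5-tuple rather than on the session ID, which is local to each unit (B2704178 on the Active, B2601288 on the Standby). The first two samples are copied from the slide; the third is constructed to show a session the Standby never received.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the presentation: verify that ZBFW sessions are
# replicated across the HA pair by comparing both units' output.
SESSION_RE = re.compile(
    r"^Session (?P<sid>[0-9A-Fa-f]+) \((?P<src>[^)]+)\)=>\((?P<dst>[^)]+)\) "
    r"(?P<proto>\S+) (?P<state>\S+)$")
HA_RE = re.compile(r"HA State: (?P<ha>[A-Z]+), RG ID: (?P<rg>\d+)")

# Copied from the slide (Active unit)
ACTIVE_OUTPUT = """\
Session B2704178 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:31, Last heard 00:00:30
  Bytes sent (initiator:responder) [37:79]
  HA State: ACTIVE, RG ID: 1
Established Sessions = 1
"""
# Copied from the slide (Standby unit)
STANDBY_OUTPUT = """\
Session B2601288 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:51, Last heard never
  Bytes sent (initiator:responder) [0:0]
  HA State: STANDBY, RG ID: 1
Established Sessions = 1
"""
# Constructed: Active unit with a second session that was never replicated
ACTIVE_EXTRA = ACTIVE_OUTPUT.replace("Established Sessions = 1", "") + """\
Session B27041A0 (10.1.1.101:40112)=>(203.0.113.5:443) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:05, Last heard 00:00:01
  Bytes sent (initiator:responder) [517:4096]
  HA State: ACTIVE, RG ID: 1
Established Sessions = 2
"""

Flow = Tuple[str, str, str]


def parse_sessions(output: str) -> List[dict]:
    """Parse 'show policy-firewall session' into a list of session dicts."""
    sessions: List[dict] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append(m.groupdict())
            continue
        m = HA_RE.search(line)
        if m and sessions:                      # HA line belongs to the last session seen
            sessions[-1]["ha"] = m.group("ha")
            sessions[-1]["rg"] = int(m.group("rg"))
    return sessions


def _by_flow(sessions: List[dict]) -> Dict[Flow, dict]:
    # Session IDs differ per unit, so key on (src, dst, proto) instead
    return {(s["src"], s["dst"], s["proto"]): s for s in sessions}


def check_replication(active_output: str, standby_output: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems): every Active session must exist on the Standby in STANDBY state."""
    active = _by_flow(parse_sessions(active_output))
    standby = _by_flow(parse_sessions(standby_output))
    problems: List[str] = []
    for flow in sorted(active.keys() - standby.keys()):
        problems.append(f"missing on standby: {flow}")
    for flow in sorted(standby.keys() - active.keys()):
        problems.append(f"missing on active: {flow}")
    for flow in sorted(active.keys() & standby.keys()):
        a, s = active[flow], standby[flow]
        if a.get("ha") != "ACTIVE" or s.get("ha") != "STANDBY":
            problems.append(f"HA state mismatch for {flow}: {a.get('ha')}/{s.get('ha')}")
        if a.get("rg") != s.get("rg"):
            problems.append(f"redundancy group mismatch for {flow}")
    return not problems, problems


if __name__ == "__main__":
    print(check_replication(ACTIVE_OUTPUT, STANDBY_OUTPUT))
    print(check_replication(ACTIVE_EXTRA, STANDBY_OUTPUT))
```

Run it against the two real outputs after a failover test: a session present only on the Active is exactly the kind that will be dropped when the Standby takes over.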
LAN interfaces
• Traffic is routed to a VIP address (10.1.1.3 in the figure)
• The Active unit always processes traffic
! Unit 1
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
! Unit 2
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
WAN interfaces
(Figure: one unit's WAN address is 172.16.1.1 and the other's is 192.168.1.1; both front the 10.1.1.0/24 LAN, and the tracked route points at whichever unit is Active)
• Traffic is routed independently to each unit
• The Active unit always processes traffic
• SLA route tracking ensures traffic is sent to the Active unit
Internet-Router# show ip route
S* 10.1.1.0/24 [1/0] via 172.16.1.1
               via 192.168.1.1
Asymmetric Routing
(Figure: the Active and Standby units each connect to a different ISP, ISP1 and ISP2)
• The Standby forwards traffic to the Active across a dedicated asymmetric-routing interface
• The source rii is carried along so the Active knows which zone pair to process the traffic against
• Do not route traffic on the asymmetric interface
• Potential for routing loops
See Appendix for complete configuration example
Control Plane Security
Routing Protocol Security
• Restrict neighbor relationships
• Neighbor authentication
• Explicit neighbor definition
• Hop count and TTL checks
• Establish the network scope for routes and neighbors
• Limit routing process resource consumption
• Restrict LSA memory consumption
(Figure: these controls apply to OSPF, EIGRP and BGP)
Restrict Neighbor Relationships
• EIGRP uses MD5 authentication (key chain)
• OSPF uses MD5 authentication (message digest key)
• BGP uses MD5 authentication (TCP MD5 option, neighbor password)
• Newer IOS releases also offer SHA-based key chains for EIGRP named mode and OSPFv2; use them where both peers support them
Router(config)# key chain EIGRP_AUTH
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string EIGRP_PASSWORD
Router(config)# interface Ethernet0/0
Router(config-if)# ip authentication mode eigrp 100 md5
Router(config-if)# ip authentication key-chain eigrp 100 EIGRP_AUTH
Router(config)# router ospf 100
Router(config-router)# area 0 authentication message-digest
Router(config)# interface Ethernet0/0
Router(config-if)# ip ospf message-digest-key 1 md5 OSPF_PASSWORD
Router(config)# router bgp 100
Router(config-router)# neighbor 10.1.1.1 password BGP_PASSWORD
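To make concrete what neighbor authentication protects against, here is an added Python model (not part of the presentation) of OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D. The router ID, area, sequence number and Hello body are constructed for the example; the key `OSPF_PASSWORD` mirrors the configuration above. The MD5 digest is computed over the packet plus the zero-padded key and is carried after the packet, so a rogue neighbor without the key cannot produce a Hello the router will accept, and a modified packet fails the digest check. Note that RFC 2328 only drops packets whose sequence number is lower than the last one seen, so replay protection is limited to older packets.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not from the presentation: a model of OSPFv2 cryptographic
# (MD5) authentication per RFC 2328 Appendix D. Values are constructed.
AU_TYPE_CRYPTO = 2   # AuType 2 = cryptographic authentication
KEY_ID = 1           # matches "ip ospf message-digest-key 1 md5 ..."
AUTH_LEN = 16        # MD5 digest length
HELLO = 1            # OSPF packet type 1
HEADER_LEN = 24


def _pad_key(key: bytes) -> bytes:
    # IOS accepts up to 16 bytes of key and zero-pads shorter keys
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\0")


def build_hello(router_id: str, area_id: str, seq: int, key: bytes) -> bytes:
    """Build an authenticated Hello: header + body, followed by the 16-byte digest."""
    # Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x02, 1, 40,
                       b"\0" * 4, b"\0" * 4)
    length = HEADER_LEN + len(body)            # the trailing digest is NOT counted in Length
    # The 64-bit Authentication field carries: 0 (16 bits), Key ID, Auth Data Len, sequence number
    auth = struct.pack("!HBBI", 0, KEY_ID, AUTH_LEN, seq)
    header = struct.pack("!BBH4s4sHH", 2, HELLO, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0,                    # checksum is zero with cryptographic auth
                         AU_TYPE_CRYPTO) + auth
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_hello(wire: bytes, key: bytes, last_seq: int):
    """Receiver side: returns (accepted, reason) or (accepted, new_sequence_number)."""
    if len(wire) < HEADER_LEN + AUTH_LEN:
        return False, "short"
    packet, digest = wire[:-AUTH_LEN], wire[-AUTH_LEN:]
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    if length != len(packet) or autype != AU_TYPE_CRYPTO:
        return False, "header"
    key_id, auth_len, seq = struct.unpack("!BBI", packet[18:24])
    if key_id != KEY_ID or auth_len != AUTH_LEN:
        return False, "key-id"
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest"                 # wrong key, or the packet was modified
    if seq < last_seq:
        return False, "replay"                 # RFC 2328 drops only *older* sequence numbers
    return True, seq


if __name__ == "__main__":
    key = b"OSPF_PASSWORD"
    hello = build_hello("10.0.0.1", "0.0.0.0", 100, key)
    print(verify_hello(hello, key, 0))         # accepted
    print(verify_hello(hello, b"WRONG", 0))    # rogue neighbor: digest failure
```

The same shape applies to EIGRP and to the BGP TCP MD5 option: the secret never crosses the wire, only a keyed digest does, so an attacker on the segment can see the packets but cannot forge or alter them without the key.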
Hop count, TTL checks and LSA database size
• EIGRP discards routes whose hop count exceeds the configured maximum
• BGP TTL security (GTSM) accepts packets from the peer only if the TTL shows they travelled at most the configured number of hops
• OSPF limits the number of non-self-generated LSAs installed in the database
Router(config)# router eigrp EIGRP
Router(config-router)# address-family ipv4 unicast autonomous-system 100
Router(config-router-af)# topology base
Router(config-router-af-topology)# metric maximum-hops 100
Router(config)# router bgp 100
Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2
Router(config)# router ospf 100
Router(config-router)# max-lsa 100
ICMP and the Control Plane
• ICMP Redirects tell a host that a better gateway to the destination exists on the same subnet
• ICMP Unreachables are sent when an interface ACL drops traffic
• The router can suffer CPU impact if too many unreachables are generated
Router(config)# interface Ethernet0/0
Router(config-if)# no ip redirects
Router(config-if)# no ip unreachables
Control Plane Diagram
• All traffic that requires special handling goes through the router's control plane
• This traffic is processed by the Route Processor, which leaves the router vulnerable to resource exhaustion
(Figure: the input forwarding path feeds the aggregate control plane, which is split into the Host, Transit and CEF Exception subinterfaces; each subinterface can carry its own policing, and the Host subinterface additionally supports a port filter and queue thresholds)
Control Plane Policing (CPP)
• Rate limit traffic to the CPU using a quality of service (QoS) policy
• Protect against control plane oversubscription
(Figure: the actions available for a class of traffic are Permit, Rate Limit and Drop)
Control Plane Protection (CoPPr)
See Appendix for additional information
The aggregate control plane is split into three subinterfaces:
• Host
• Traffic destined to the router
• Management
• Routing Protocols
• Tunnel Traffic
• Transit
• Traffic traversing the router (software-switched)
• CEF Exception
• Traffic redirected to the RP
• Features that require additional processing
• Packets with special attributes
Control Plane Protection Example
• Problem
• The router receives too much traffic to process on non-listening ports
• Solution
• Pre-emptively drop all traffic destined to closed ports
• The router should only process traffic to open ports:
• Services for management
• Services for monitoring
• Ephemeral ports opened by applications
(Figure: Internet map of closed ports)
Control Plane Protection – Port Filtering
! Match all closed ports
class-map type port-filter match-all PORTFILTER_CMAP
 match closed-ports
!
! Drop any traffic to a closed port
policy-map type port-filter PORTFILTER_PMAP
 class PORTFILTER_CMAP
  drop
!
! Apply to the host subinterface
control-plane host
 service-policy type port-filter input PORTFILTER_PMAP
Control Plane Protection – Viewing Open Ports
• Only telnet is enabled on this router (telnet is used here for illustration; the management slides recommend SSH)
• Traffic destined to any other port on the router is dropped early, before CPU processing
Router#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
See Appendix for complete configuration example
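Because `show control-plane host open-ports` is the ground truth for what the port filter leaves reachable, here is an added Python audit (not part of the presentation) that parses that output and reports listeners missing from an allow-list or using a cleartext protocol. The sample output is constructed in the format of the slide, extended with the extra service lines a typical router shows; the allow-list is an assumption for the example.

```python
from typing import Dict, List, Set, Tuple

# Added example, not from the presentation: audit the listeners reported by
# 'show control-plane host open-ports'. Sample output below is constructed.
SAMPLE = """\
Router#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                     *:22                        *:0               SSH-Server   LISTEN
 tcp                     *:23                        *:0                   Telnet   LISTEN
 tcp                     *:80                        *:0                HTTP CORE   LISTEN
 tcp             10.1.1.1:22             10.1.1.100:51234               SSH-Server   ESTABLIS
 udp                    *:161                        *:0                  IP SNMP   LISTEN
 udp                    *:123                        *:0                      NTP   LISTEN
"""

# Assumed management allow-list for this router: SSH, SNMP, NTP
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("udp", 161), ("udp", 123)}

# Services that carry credentials or configuration in the clear
CLEARTEXT = {("tcp", 23): "Telnet", ("tcp", 80): "HTTP", ("tcp", 21): "FTP", ("udp", 69): "TFTP"}

Row = Tuple[str, int, str, str]   # proto, local port, service, state


def parse_open_ports(output: str) -> List[Row]:
    """Return (proto, local port, service, state) for every tcp/udp line."""
    rows: List[Row] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue                           # prompt, banner and column-header lines
        proto, local, state = parts[0], parts[1], parts[-1]
        service = " ".join(parts[3:-1])        # service names may contain spaces ("HTTP CORE")
        port = int(local.rsplit(":", 1)[1])    # local address is "*:port" or "ip:port"
        rows.append((proto, port, service, state))
    return rows


def audit_open_ports(output: str, allowed: Set[Tuple[str, int]]) -> Dict[Tuple[str, int], List[str]]:
    """Map each offending listener to the reasons it was flagged."""
    findings: Dict[Tuple[str, int], List[str]] = {}
    for proto, port, service, state in parse_open_ports(output):
        if state != "LISTEN":
            continue                           # established sessions are not listeners
        reasons = []
        if (proto, port) not in allowed:
            reasons.append(f"{service}: not in allow-list")
        if (proto, port) in CLEARTEXT:
            reasons.append(f"{service}: cleartext protocol")
        if reasons:
            findings[(proto, port)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in sorted(audit_open_ports(SAMPLE, ALLOWED).items()):
        print(f"{key[0]}/{key[1]}: {'; '.join(reasons)}")
```

Every port the audit flags is one the port filter is not protecting, because `match closed-ports` only covers ports with no listener; the fix is to disable the service (for example `no ip http server`, `transport input ssh`), not to rely on the filter.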
Summary
• Protect the data plane using ZBFW configuration
• Application aware features allow deep packet inspection
• Logging of traffic
• Track users using identity features
• Authentication proxy with the consent option provides legal enforcement
• User groups and SGTs allow stateful user tracking
• High availability of firewall features
• LAN and WAN interface designs provide a solution for each routing environment
• Asymmetrically routed traffic is supported through traffic redirection
• Protect router services from resource exhaustion using Control Plane Protection
Recommended Readings
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
Security Joins the Customer Connection Program (Customer User Group Program)
19,000+ members strong
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers & Cisco's Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet ups starting Fall 2016
• New member thank you gift* & badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration & Enterprise Networks
Join in World of Solutions: Security zone, Customer Connection stand. Learn about CCP and join; new members receive a thank-you gift* and a Customer Connection Member badge ribbon.
Join online: www.cisco.com/go/ccp
Come to the Security zone to get your new member gift* and ribbon
* While supplies last
Please join us for the Service Provider Innovation Talk featuring:
Yvette Kanouff | Senior Vice President and General Manager, SP Business
Joe Cozzolino | Senior Vice President, Cisco Services
Thursday, July 14th, 2016
11:30 am - 12:30pm, In the Oceanside A room
What to expect from this innovation talk
• Insights on market trends and forecasts
• Preview of key technologies and capabilities
• Innovative demonstrations of the latest and greatest products
• Better understanding of how Cisco can help you succeed
Register to attend the session live now or
watch the broadcast on cisco.com
Thank you
Appendix
Fundamental Security Review
Fundamental Security
• Infrastructure security is the core of network security
• Protecting devices which pass traffic
• Securing network infrastructure
• Management security
• Login security
• Insurance: What to do in case something happens?
• Accounting and monitoring
• IOS Resiliency
Management Security
• Controlling method of access for management
Login Methods
• Why SSH over Telnet?
• SSH encrypts data
• Telnet is clear text
• Requirements for SSH
• RSA keypair must be created on router
• IOS image must support encryption
• Management application must support SSH access
line vty 0 4
transport input ssh
Restricting Management Access
• Only allow trusted IP addresses for management connections
• Configure access-list (ACL) to restrict login access
• Management plane security
ip access-list extended LOGIN_ACL
permit tcp host 10.1.1.100 any eq 22
!
line vty 0 4
access-class LOGIN_ACL in
transport input ssh
Router(config)# control-plane host
Router(config-cp-host)# management-interface Fastethernet0/0 allow ssh
Management Security Tiers
• Transport method
• VTY access control
• Management plane security
Login Security
• Banner on login prompts
• Password Security
• Restrict connection attempts
Login Banner
Welcome to Cisco's Router! Unauthorized access is not allowed.
(A weak example: a "Welcome" greeting undercuts the unauthorized-access warning; compare the banner on the next slide)
Login Banner in Use
[User]$ telnet 10.1.1.1
**Unauthorized access to this network device is prohibited.**
You must have explicit permission to access or configure this
device. All activities performed on this device are logged and
violations of this policy may result in disciplinary action.
Username: cisco
Password: cisco
***By successfully logging in, you acknowledge that you have
explicit permission to access and configure this device. You
accept that all activities performed on this device are logged
and violations of this policy may result in disciplinary action.
Router#
Login banner: warns users that they should back out now if they are not authorized to access the system.
EXEC banner: acknowledges that the user has successfully logged in and is responsible for their actions.
Configuring a Banner
• Language matters
• Requirements from the legal department
• Laws differ by country and state
• The example below uses the '%' symbol as the message delimiter
Router(config)# banner login %
Enter TEXT message. End with the character '%'.
This is a LOGIN banner %
Router(config)# banner exec %
Enter TEXT message. End with the character '%'.
This is an EXEC banner %
Enhanced Password Security
• An estimated 500,000 devices on the internet have the default password "root"
• Password restriction
• Password encryption methods
1. Password encryption service (type 7, reversible)
2. SHA256/MD5 hash (enable secret, types 4 and 5)
Password Restriction
• Cisco IOS routers do not restrict passwords by default
• Password restriction ensures local passwords adhere to the following rules:
• Must contain characters from at least three of the following classes:
1. lowercase letters
2. uppercase letters
3. digits
4. special characters
• Cannot have a character repeated more than three times consecutively
• Cannot be the same as the associated username
• Cannot be a variant of the word "cisco"
Router(config)# aaa new-model
Router(config)# aaa password restriction
Password Encryption
• service password-encryption uses a Cisco proprietary, reversible encoding (type 7)
• Each byte of the password is XORed with a byte of a fixed, publicly known key string, a Vigenère-style polyalphabetic substitution
• This provides weak protection: anyone holding the configuration can recover the password instantly
Router(config)# enable password cisco
Router# show run | include enable
enable password cisco
Router(config)# service password-encryption
Router# show run | include enable
enable password 7 02050D480809
Service Password-Encryption
• Below is a tool from the first hit on Google
• Search term: cisco service password-encryption cracker
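Rather than a web tool, a practitioner can reverse type 7 locally. The following Python is an added example, not part of the presentation: it implements the type 7 XOR against the fixed key string, round-trips the two values that appear in this deck (02050D480809 is `cisco`; 02250D4808095E731F1A5C, from the AutoSecure output in the appendix, is `Cisco12345`) and scans a constructed configuration fragment for every type 7 value.

```python
import re
from typing import List, Tuple

# Added example, not from the presentation: encode/decode Cisco IOS "type 7"
# (service password-encryption) values. Each byte is XORed with a byte of this
# fixed, publicly known key string; the first two characters of the stored
# value are a decimal offset (0-15) into it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed configuration fragment; the two type 7 values are the ones on the slides
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 02050D480809
username cisco password 7 02250D4808095E731F1A5C
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
"""

TYPE7_RE = re.compile(r"\b(?:password|key-string|key)\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 value such as 02050D480809."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value is a 2-digit seed plus an even number of hex digits")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 2) -> str:
    """Produce the value IOS would store for 'plain' with the given seed."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    data = plain.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def find_type7(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type 7 value in a config."""
    found: List[Tuple[str, str]] = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if not m:
            continue
        try:
            found.append((line.strip(), type7_decode(m.group(1))))
        except ValueError:
            continue                           # malformed value: skip rather than abort the scan
    return found


if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

The scan deliberately ignores `enable secret 4`/`5` lines: those are hashes and need a cracker, whereas type 7 needs only the table above, which is why the page recommends `enable secret` over `enable password`.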
SHA/MD5 Password Prot​ection
• One-way hash algorithm that is not reversible
• SHA256 (type 4) is the default enable secret format starting in IOS 15.0(1)S
• Type 4 was later deprecated in favour of type 8 (PBKDF2-SHA256) and type 9 (scrypt), introduced in 15.3(3)M; use those where available
Router(config)# enable secret ?
0 Specifies an UNENCRYPTED password will follow
4 Specifies an SHA256 ENCRYPTED secret will follow
5 Specifies an MD5 ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
Router(config)# enable secret cisco
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
enable password cisco
See Appendix for functionality
Type 4 versus Type 5 vulnerability
• Type 4 was designed to use Password-Based Key Derivation Function version 2 (PBKDF2):
• Hash algorithm = SHA-256
• Password = the user-provided plaintext password
• Salt = 80 bits (generated by calling a cryptographically secure random number generator)
• Iteration count = 1,000 (one thousand)
• Due to an implementation issue, the Type 4 algorithm as shipped does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password. This makes a Type 4 password less resilient to brute-force attacks than a Type 5 password of equivalent complexity.
Password Cracking
• An Ars Technica case study cracked 45% of a 17,000-entry hashed password list in 90 seconds using the technique above
• Type 5 (MD5) secrets are salted; the flawed Type 4 is not
• A salt is a random sequence of characters combined with the password before hashing, so two users with the same password get different hashes and a precomputed table cannot be reused
(Figure: hashcat takes a hashed password, a word list and the algorithm and recovers the unencrypted password)
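The two previous slides (the Type 4 implementation flaw and the effect of salting on cracking) are illustrated by the following added Python example, which is not part of the presentation. It models the unsalted single SHA-256 that shipped as Type 4 alongside the PBKDF2-HMAC-SHA256 design (80-bit salt, 1000 iterations), and shows why the first is crackable with a precomputed table while the second forces the attacker to redo every guess per hash. Digests are shown as hex; the router's own Type 4 text encoding is not reproduced. The word list is constructed.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Added example, not from the presentation. Models the two Type 4 designs
# described on the slides; output is hex, not the router's encoding.
ITERATIONS = 1000          # iteration count from the slide
SALT_BYTES = 80 // 8       # 80-bit salt from the slide

# Constructed word list for the example
WORDLIST = ["password", "admin", "cisco", "Cisco12345"]


def type4_as_shipped(password: str) -> str:
    """One SHA-256 over the password, no salt: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def type4_as_designed(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """PBKDF2-HMAC-SHA256 with a random 80-bit salt and 1000 iterations."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk.hex()


def precompute(wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker's table for the unsalted scheme: built once, reused against every hash."""
    return {type4_as_shipped(w): w for w in wordlist}


def crack_unsalted(target: str, table: Dict[str, str]) -> Optional[str]:
    """A single dictionary lookup per stolen hash."""
    return table.get(target)


def crack_salted(target: str, salt: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Every guess must be re-derived with this hash's salt; returns (match, PBKDF2 runs)."""
    runs = 0
    for w in wordlist:
        runs += 1
        if type4_as_designed(w, salt)[1] == target:
            return w, runs
    return None, runs


if __name__ == "__main__":
    table = precompute(WORDLIST)
    print("unsalted:", crack_unsalted(type4_as_shipped("cisco"), table))
    salt, h = type4_as_designed("cisco")
    print("salted:", crack_salted(h, salt, WORDLIST))
```

With N stolen hashes and a word list of W entries, the unsalted scheme costs the attacker W hashes in total; the salted, iterated scheme costs N × W × 1000 HMAC computations, which is the whole point of the design the slide describes.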
Access Control Server (ACS) Integration
• Passwords are only as safe as their storage medium
• ACS integration provides a centralized service to store passwords
• A compromised configuration then reveals no user passwords (the shared TACACS+ key and any local fallback account remain the secrets to protect)
• Configuring the ACS server
See Appendix for configuration examples and best practices
ACS Integration
• Configure the ACS server information on the IOS router
• Create an authentication list that uses the ACS server
• Apply the authentication list to management sessions
• Configuration Example
Router(config)# tacacs server MYTACACS
Router(config-server-tacacs)# address ipv4 10.1.1.100
Router(config-server-tacacs)# key Cisco12345
! "group tacacs+" is the built-in group containing all configured TACACS+ servers
Router(config)# aaa authentication login MANAGEMENT group tacacs+ local
Router(config)# line vty 0 4
Router(config-line)# login authentication MANAGEMENT
ACS Integration – Best Practices
• Local fallback ensures the router is still accessible when ACS is unavailable
• Test the ACS configuration before applying it, to avoid being locked out of the router
• Using a reliable source interface ensures consistent access to the ACS server
Router# test aaa group tacacs+ username password new-code
User Rejected
Router(config)# ip tacacs source-interface Loopback0
Router(config)# aaa authentication login MANAGEMENT group tacacs+ local
One Time Passwords (OTP)
• One-time passwords restrict access for temporary users
• Introduced in 12.4
• ACS OTP provides two-factor authentication
• A secure token generates the password
• A new password is required for each login session
Router(config)# username TAC one-time secret cisco
(Figure: an RSA token generator produces a fresh token; the user supplies the password, e.g. Cisco12345, plus the token value, e.g. 457AE59H)
Password Security Tiers
• Simple unencrypted password
• Hashed password (MD5/SHA256)
• Password restrictions
• Centralized storage of passwords (ACS)
• One time use passwords
Session Limits
• Configuring restrictions on brute-force attacks mitigates them by delaying success
• Login block for failed login attempts
Password Length                          Time to Crack
12 digit password                        6 months
12 digit password + login restriction    758 billion years
See Appendix for configuration examples
login block-for 30 attempts 3 within 10
Example on login blocking and timeouts
• Login block configuration
line vty 0 4
 login authentication MANAGEMENT
 transport input telnet
!
login block-for 30 attempts 3 within 10
• Session timeouts
line vty 0 4
 exec-timeout 5
Login Security Tiers
• Management Access Restriction
• Login Banner
• Password Security
• Session Limits
Functionality Based User Security
(Figure: the roles NOC, Admin, Contractor and TAC are each mapped onto the functions they need: view configuration, edit configuration and troubleshooting commands)
Command Based User Security
(Figure: the roles Admin, Security and Routing Protocols are each mapped onto a subset of the commands: configure interface, configure access control and configure routing protocols)
Privilege Levels
User EXEC Mode (Router>)
• Privilege level 1
• View the status of the router
• Level 0 is lower still and allows only disable, enable, exit, help and logout
Privileged EXEC Mode (Router#)
• Privilege level 15
• Full access, including entering configuration mode
Global Configuration Mode (Router(config)#)
• Entered from privileged EXEC with configure terminal
• Configuration commands
See Appendix for complete configuration example
Changing Privilege Levels of Commands
• Commands can be moved down to lower privilege levels
• Provides restricted configuration access
• User NOC can shut and no shut interfaces
• NOC cannot configure any other interface features
username NOC privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!
privilege interface all level 7 shutdown
privilege interface all level 7 no shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal
Changing Privilege Levels of Commands
(Figure: with the configuration above, "interface ethernet0/0" and "shutdown" drop from level 15 to level 7, where username NOC sits; level 1 users still cannot issue them)
See Appendix for complete configuration example
Role Based Access Control
• Creates views so users only see a subset of the commands in the parser
• Provides more detailed control over CLI access
• Views are assigned to each user and restrict both:
• Commands seen in the parser
• Commands allowed to be issued
• Superviews can be used to aggregate views
• Introduced in 12.3(7)T
parser view INTERN
 secret <view-password>
 commands exec include show version
 commands exec include show
See Appendix for complete configuration example
Role Based Access Control – Configuration Example
parser view INTERN
 secret <view-password>
 commands exec include show version
 commands exec include show
!
parser view NOC
 secret <view-password>
 commands interface include shutdown
 commands configure include interface
 commands configure include interface FastEthernet0/1
 commands exec include configure terminal
 commands exec include configure
!
parser view ADMIN superview
 secret <view-password>
 view INTERN
 view NOC
Remote Command Authorization
• A centralized server verifies commands before execution
• The user gets a command authorization set based on the device
• Scalable solution for large network environments
• The router asks ACS to verify each command before execution
Two questions are answered in turn:
Will IOS allow the user to issue the command?
• Privilege level of the user and of the command
• Local command authorization
Is the user authorized to run the command?
• ACS server command list
• Remote command authorization
See Appendix for complete configuration example
ACS Command Authorization
• ACS authentication must be enabled so users are correctly mapped
• The router asks ACS to verify each command before execution
• This provides scalability: the same users can be allowed the same commands on all devices
aaa new-model
!
aaa authentication login default group tacacs+ local
!
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
User Security Tiers
• Privilege Levels
• Role Based Access Control
• ACS Command Authorization
Assigning Privilege Levels
aaa new-model
!
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username NOC privilege 1 secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
aaa authentication login AUTHENTICATION_MANAGEMENT local
aaa authorization exec AUTHORIZATION_MANAGEMENT local
!
line vty 0 4
 login authentication AUTHENTICATION_MANAGEMENT
 authorization exec AUTHORIZATION_MANAGEMENT
Privilege Levels in Use
Session as user NOC (privilege 1, user EXEC mode):
[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1
Escape character is '^]'.
This is the LOGIN banner
Username: NOC
Password:
This is the EXEC banner
Router> show privilege
Current privilege level is 1
Session as user admin (privilege 15, privileged EXEC mode):
[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1
Escape character is '^]'.
This is the LOGIN banner
Username: admin
Password:
This is the EXEC banner
Router# show privilege
Current privilege level is 15
Role Based Access Control
• Apply the view setting to the username to force that user into the view
• Exec authorization must be enabled and applied to the line
• User Setup
username DAFFY privilege 15 view NOC secret DUCK
!
aaa new-model
!
aaa authorization exec EXEC_AUTHORIZATION_LIST local
!
line vty 0 4
 authorization exec EXEC_AUTHORIZATION_LIST
Network Accounting
• Configure router to send command accounting history to ACS
• Configuration Example
aaa new-model
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Fundamental Security – AutoSecure
• Cisco IOS can automate security implementation
• AutoSecure secures a router using a single CLI command
• Disables common IP services that can be exploited
• Enables IP services and features that defend the network
• AutoSecure can be enabled per feature or for all features
AutoSecure – Feature Options
Router#auto secure ?
firewall AutoSecure Firewall
forwarding Secure Forwarding Plane
full Interactive full session of AutoSecure
login AutoSecure Login
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
ntp AutoSecure NTP
ssh AutoSecure SSH
tcp-intercept AutoSecure TCP Intercept
<cr>
AutoSecure – Securing Login
Router#auto secure login
Gathering information about the router for AutoSecure
Enter the new enable password:
Confirm the enable password:
Configuration of local user database
Enter the username: cisco
Enter the password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 30
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 10
AutoSecure – Login configuration
enable password 7 02250D4808095E731F1A5C
username cisco password 7 02250D4808095E731F1A5C
aaa new-model
aaa authentication login local_auth local
!
line vty 0 4
 login authentication local_auth
 transport input telnet
!
login block-for 30 attempts 3 within 10
!
end
• Note that the resulting enable and username passwords are only type 7 (reversible); replace them with enable secret and username ... secret, and prefer transport input ssh
Firewall – Basic Functionality
(Figure: a client on the TRUSTED side sends an HTTP request to a webserver on the UNTRUSTED Internet side and receives the HTTP response; an attacker's unsolicited malicious SMTP traffic toward the SMTP server matches no tracked connection and is blocked)
Firewall prevents malicious traffic from entering the network by tracking connections
Zone Policy Assignment and Scalability
(Figure: three user subinterfaces all belong to zone USERS; one interface faces the Internet in zone INTERNET; a single zone pair, source USERS destination INTERNET, covers all of them)
zone security USERS
zone security INTERNET
!
interface Ethernet0/0.100
 zone-member security USERS
interface Ethernet0/0.200
 zone-member security USERS
interface Ethernet0/0.300
 zone-member security USERS
!
interface Ethernet0/1
 zone-member security INTERNET
!
zone-pair security USERS->INTERNET source USERS destination INTERNET
 service-policy type inspect USER->INTERNET_PM
See Appendix for complete configuration example
Zone Based Firewall (ZBFW) – Zone Members
(Figure: Ethernet0/0 sits in the Trusted zone INSIDE, Ethernet0/1 in the Untrusted zone OUTSIDE)
zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
!
interface Ethernet0/1
 zone-member security OUTSIDE
!
zone-pair security INSIDE->OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE_PMAP
• ZBFW uses zones as the foundation for all policies
• The same zone can be applied to multiple interfaces
• Each interface can only be part of one zone
Building Zone-pairs
(Figure: zones Users, Internet, Application and Database; zone pairs are built between them as needed)
Zone Member Scalability
• Zone policies are directional
• Initiated traffic matches from SOURCE to DESTINATION
• Return traffic matches the existing connection
• ZBFW scales as zones are added: policy is written once per zone pair, not per interface
(Figure: zones Users, Internet and Application; example zone pairs are source USERS destination USERS (intrazone) and source USERS destination APPLICATION)
See Appendix for complete configuration example
Intrazone policies
• On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection
• On IOS 12.X releases it was not possible to define intrazone ZFW policies
• Starting with IOS 15.0(1)M, intrazone traffic is blocked by default
• IOS 15.X allows the creation of intrazone policies (source and destination of traffic in the same zone)
zone-pair security APPLICATION->APPLICATION_ZP source APPLICATION destination APPLICATION
Private VLANs vs. Intrazone Communication
• Isolated cannot speak with anyone but Promiscuous
• Community can speak with other ports in same community and Promiscuous
• Promiscuous can speak with everything
vlan 11
private-vlan isolated
!
vlan 12
private-vlan community
!
vlan 20
private-vlan primary
private-vlan association 11-12
!
interface FastEthernet 1/1
description *** Port in Isolated VLAN ***
switchport mode private-vlan host
switchport private-vlan host-association 20 11
!
interface FastEthernet 1/2
description *** Port in Community VLAN ***
switchport mode private-vlan host
switchport private-vlan host-association 20 12
!
interface FastEthernet 1/12
description *** Promiscuous Port ***
switchport mode private-vlan promiscuous
switchport private-vlan mapping 20 add 11-12
Advanced Topology
(Figure: zones Clients, Internet, Application and Database)
zone-pair security USERS->APPLICATION_ZP source USERS destination APPLICATION
zone-pair security USERS->DATABASE_ZP source USERS destination DATABASE
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
Identifying Traffic – Class-Map Theory
Class-map using an access-list:
• ip access-list extended USER_ACL
• permit tcp any any eq 80
Class-map using a protocol:
• protocol HTTP
Class-map using nesting:
• class-map USER_PROTOCOLS
Identifying Traffic using Class-Map
• Example 1: ACL matching
• Example 2: Protocol matching
• Example 3: Nested class-map matching
Examples
! IOS ACLs take a wildcard mask, not a subnet mask
ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-2
 match protocol http
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-3
 match class-map USER_PROTOCOLS_CMAP
149BRKSEC-3007
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
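The three matching styles above (access-group, protocol, nested class-map) combined with match-all / match-any semantics are easy to get wrong when policies grow. The following is an added example, not code from the slides or from Cisco: a small Python model of the three class-maps on this slide, evaluated against constructed flows so that the difference between them can be checked. The Flow and AclEntry types, and the assumption that "match protocol" compares against the application identified by inspection, are this example's own.

```python
"""Model of how a Cisco IOS ZBFW inspect class-map classifies a flow.

Added example (not from the BRKSEC-3007 slides, not Cisco code). It
reproduces the three matching styles shown above (access-group, protocol,
nested class-map) with match-all / match-any semantics over constructed
flows, so the behaviour of the three class-maps can be compared.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # transport protocol, "tcp" or "udp"
    dport: int
    app: Optional[str] = None  # application seen by inspection (e.g. "http"), None if unknown


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src_net: str               # CIDR; "0.0.0.0/0" stands for "any"
    dst_net: str
    dport: Optional[int] = None


def acl_permits(entries: List[AclEntry], flow: Flow) -> bool:
    """First-match ACL evaluation with the implicit deny at the end."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if src not in ipaddress.ip_network(e.src_net):
            continue
        if dst not in ipaddress.ip_network(e.dst_net):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action == "permit"
    return False


@dataclass
class ClassMap:
    name: str
    mode: str                  # "match-all" or "match-any"
    # ("access-group", [AclEntry]) | ("protocol", "http") | ("class-map", ClassMap)
    criteria: List[Tuple[str, object]]


def class_map_matches(cm: ClassMap, flow: Flow) -> bool:
    """Evaluate every match line: match-all needs all of them, match-any needs one."""
    results = []
    for kind, value in cm.criteria:
        if kind == "access-group":          # match access-group name <ACL>
            results.append(acl_permits(value, flow))
        elif kind == "protocol":            # match protocol <application>
            results.append(flow.app == value)
        elif kind == "class-map":           # match class-map <nested class-map>
            results.append(class_map_matches(value, flow))
        else:
            raise ValueError("unknown match type: %s" % kind)
    if not results:
        return False
    return all(results) if cm.mode == "match-all" else any(results)


# The slide's class-maps transcribed into this model.
USER_ACL = [AclEntry("permit", "ip", "192.168.1.0/24", "0.0.0.0/0")]
CMAP_1 = ClassMap("INSIDE->OUTSIDE_CMAP-1", "match-all", [("access-group", USER_ACL)])
CMAP_2 = ClassMap("INSIDE->OUTSIDE_CMAP-2", "match-all", [("protocol", "http")])
USER_PROTOCOLS_CMAP = ClassMap("USER_PROTOCOLS_CMAP", "match-any",
                               [("protocol", "http"), ("protocol", "ftp")])
CMAP_3 = ClassMap("INSIDE->OUTSIDE_CMAP-3", "match-all", [("class-map", USER_PROTOCOLS_CMAP)])


def classify(flow: Flow) -> Dict[str, bool]:
    """Report which of the three slide class-maps the flow satisfies."""
    return {cm.name: class_map_matches(cm, flow) for cm in (CMAP_1, CMAP_2, CMAP_3)}


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for f in (Flow("192.168.1.100", "4.2.2.2", "tcp", 80, "http"),
              Flow("10.0.0.5", "4.2.2.2", "tcp", 21, "ftp"),
              Flow("192.168.1.5", "4.2.2.2", "tcp", 22, "ssh")):
        print(f.src, f.app, classify(f))
```

The second sample flow is the one to look at: it comes from outside USER_ACL, so CMAP-1 fails, and it is FTP rather than HTTP, so CMAP-2 fails, yet CMAP-3 matches because the nested match-any class-map accepts either protocol.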
Applying Policy-map
[Diagram: Clients reach the Internet, Application and Database zones through the router]
zone-pair security USERS->APPLICATION_ZP source USERS destination APPLICATION
service-policy type inspect USERS->APPLICATION_PMAP
zone-pair security USERS->DATABASE_ZP source USERS destination DATABASE
service-policy type inspect USERS->DATABASE_PMAP
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
service-policy type inspect USERS->INTERNET_PMAP
Inspect Traffic – Protocol vs Application
ip access-list extended USER_ACL
permit ip 192.168.1.0 255.255.255.0 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
match access-group name USER_ACL
!
class-map type inspect match-any USER_PROTOCOLS_CMAP
match protocol http
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-3
match class-map USER_PROTOCOLS_CMAP
Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
A session matched on Layer 3/4 information alone (the ACL class-map) is tracked as plain tcp, whereas a session matched with match protocol http is tracked as http:tcp, i.e. with application-layer inspection applied.
Allowing Inbound Traffic
• Zone-pairs are unidirectional
• Any traffic must be explicitly allowed in the opposite direction
class-map type inspect match-all SMTP_SERVER_CMAP
match access-group name SMTP_SERVER_ACL
match protocol smtp
!
policy-map type inspect INTERNET->APPLICATION_PMAP
class type inspect SMTP_SERVER_CMAP
inspect
class class-default
drop
!
zone-pair security INTERNET->APPLICATION_ZP source INTERNET destination APPLICATION
service-policy type inspect INTERNET->APPLICATION_PMAP
Parameter-Map Overview
Router(config)# parameter-map type ?
consent Parameter type consent
content-scan Content-scan parameter-map
inspect inspect parameter-map
ooo TCP out-of-order parameter-map for FW and IPS
protocol-info protocol-info parameter-map
regex regex parameter-map
urlf-glob URLF glob parameter-map
urlfpolicy Parameter maps for urlfilter policy
waas WAAS Parameter Map
Application Layer Inspection – HTTP Example
type inspect
• General ZBFW configuration
• Match on ports and protocols
type inspect http
• Application specific ZBFW configuration
• Match on application specific header information
parameter-map type regex BLACK_LIST_PARAM
pattern .*cisco.*
!
class-map type inspect http match-all BLACK_LIST_CMAP
match request header host regex BLACK_LIST_PARAM
!
policy-map type inspect http BLACK_LIST_PMAP
class type inspect http BLACK_LIST_CMAP
reset
!
policy-map type inspect USERS->INTERNET_PMAP
class type inspect USERS->INTERNET_HTTP_CMAP
inspect
service-policy http BLACK_LIST_PMAP
Content Filtering
• Current technologies
• WCCP
• Scansafe
• Old technologies
• Websense
• Trend Micro Content Scanning
Scansafe Content Scanning – Request
[Diagram: the client sends the Client Packet (Client -> Webserver www.cisco.com); the router redirects it as the CWS Redirect Packet (Router -> CWS Server, the Scansafe proxy server); the CWS Server forwards the CWS Packet (CWS Server -> Webserver)]
Scansafe Content Scanning – Response
[Diagram: the webserver www.cisco.com returns the Server Packet (Webserver -> Scansafe proxy server); Scansafe returns the Scansafe Redirect Packet (Scansafe -> Router); the router delivers the Client Packet (Webserver -> Client)]
Content Scanning Configuration
parameter-map type content-scan global
server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
license 0 ABCDEF1234567890ABCDEFABCDEFFFFF
source interface Ethernet0/0
timeout server 30
user-group CISCOGROUP username CISCOUSER
server scansafe on-failure block-all
!
interface Ethernet0/0
ip nat outside
zone-member security OUTSIDE
content-scan out
…
!
interface Ethernet0/1
ip nat inside
zone-member security INSIDE
…
Content Scanning Outputs
Router# show content-scan statistics
Current HTTP sessions: 0
Current HTTPS sessions: 0
Total HTTP sessions: 83
Total HTTPS sessions: 8
White-listed sessions: 0
Time of last reset: never
Router# show content-scan summary
Primary: 201.94.155.42 (Up)*
Secondary: 70.39.231.99 (Up)
Interfaces: Ethernet0/0
IOS# show content-scan session active
Protocol Source Destination Bytes Time
HTTP 10.1.1.100:57152 209.222.159.185:80 (1635:331595) 00:00:12
URI: www.cisco.com
Username/usergroup(s): ciscouser10/ ciscogroup10
Integrating User Identity with Scansafe
aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
!
ip admission name AUTHPROXY ntlm
!
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
ip admission AUTHPROXY
!
aaa group server ldap LDAP_GROUP
server DC01
!
ldap attribute-map ldap-username-map
map type sAMAccountName username
!
ldap server DC01
ipv4 192.168.1.100
attribute map ldap-username-map
bind authenticate root-dn CN=Users,DC=cisco,DC=com password cisco
base-dn dc=cisco,dc=com
search-filter user-object-type top
authentication bind-first
Masking SMTP Messages
[Diagram: Ethernet header (source MAC, destination MAC), IP header (source IP, destination IP), TCP header (source port, destination port), SMTP DATA: EHLO response advertising PIPELINING and STARTTLS]
• Mask specific SMTP messages so that they are not presented to clients
• Filtering PIPELINING prevents the client from sending batches of commands without waiting for a response from the server
Application Layer Inspection – SMTP Example
class-map type inspect smtp match-all SMTP_CMAP
match reply ehlo PIPELINING
!
policy-map type inspect smtp SMTP_PMAP
class type inspect smtp SMTP_CMAP
mask
!
policy-map type inspect INTERNET->APPLICATIONS_PMAP
class type inspect INTERNET->APPLICATIONS_SMTP_CMAP
inspect
service-policy smtp SMTP_PMAP
• Select the message to be masked
• Apply the mask action to the messages selected above
Application Layer Inspection – SIP Example
class-map type inspect sip match-all SIP_CMAP
match protocol-violation
policy-map type inspect sip SIP_PMAP
class type inspect sip SIP_CMAP
reset
policy-map type inspect INTERNET->APPLICATIONS_PMAP
class type inspect INTERNET->APPLICATIONS_SIP_CMAP
inspect
service-policy sip SIP_PMAP
• Identify traffic that violates the SIP RFC
• Drop any packets that violate RFC
• TCP SIP results in RESET packet
• UDP SIP results in dropped packets
Application Based Inspections
IOS-FW(config)# class-map type inspect ?
h323
http
imap
pop3
sip
smtp
sunrpc
Voice inspections
• Controls how calls can be placed
• Controls how phones can register
eMail inspections
• Controls how email can be sent
inspections
• Controls how email can be sent
Enabling Connection Limits for Resource Protection
Resource Limits on IOS
• Router has a fixed amount of memory for connections
• Connection limitations will prevent DoS attacks from exhausting resources
• Protects the device
• Protects endpoint services
• Connection limits can protect against:
• Memory exhaustion
• Limit total number of connections
• Idle timer of established and half-open connections
• Processor/CPU exhaustion
• Limit rate of connection builds
Applying Connection Limits to Traffic
policy-map type inspect CLIENT->INTERNET_PMAP
class type inspect CLIENT->INTERNET_CMAP
inspect CONN_LIMIT_PARAM
parameter-map type inspect CONN_LIMIT_PARAM
sessions maximum 100
max-incomplete high 1000 low 500
one-minute high 50
one-minute low 25
Attack Security
Denial of Service Attack
TCP SYN Flood
IP Fragmentation Attack
Tiny Fragment
Overlapping Fragment
Buffer Overflow
Spoofing Attack
Reflection Flood
TCP Intercept
access-list 101 permit ip any any
!
ip tcp intercept list 101
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept max-incomplete low 2000 high 3000
ip tcp intercept one-minute low 1000 high 1500
Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100
Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900
• TCP intercept was enabled because the one-minute rate exceeded 1500 embryonic connection attempts
• TCP intercept was disabled because the one-minute rate fell below 900 embryonic connection attempts
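Both the ZBFW parameter-map on the "Applying Connection Limits to Traffic" slide (max-incomplete high/low, one-minute high/low) and ip tcp intercept above use pairs of watermarks, and the hysteresis between "high" and "low" is what keeps the device from flapping in and out of aggressive mode. The following is an added example, not code from the slides or from Cisco, that models this behaviour with the TCP intercept thresholds from the slide. The combination rule it implements (enter aggressive mode when either quantity crosses its high watermark, leave it only when both are below their low watermarks) is this example's own assumption about the feature, and the sample series is constructed.

```python
"""Two-watermark hysteresis as used by IOS connection limits and TCP intercept.

Added example (not from the BRKSEC-3007 slides, not Cisco code). Assumption
modelled here: aggressive mode is entered when either the half-open count or
the one-minute rate exceeds its high watermark and left when both are below
their low watermarks. Thresholds are those of the TCP intercept slide.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Watermarks:
    low: int
    high: int

    def __post_init__(self):
        if self.low >= self.high:
            raise ValueError("low watermark must be below the high watermark")


@dataclass(frozen=True)
class Sample:
    half_open: int          # current number of half-open (embryonic) connections
    one_minute_rate: int    # connection attempts seen in the last minute


class AggressiveModeTracker:
    """Enter on either 'high' being exceeded, leave when both are below 'low'."""

    def __init__(self, max_incomplete: Watermarks, one_minute: Watermarks):
        self.max_incomplete = max_incomplete
        self.one_minute = one_minute
        self.aggressive = False

    def update(self, s: Sample) -> str:
        """Feed one sample; returns 'aggressive', 'calm', or '' when the mode is unchanged."""
        if not self.aggressive:
            if s.half_open > self.max_incomplete.high or s.one_minute_rate > self.one_minute.high:
                self.aggressive = True
                return "aggressive"
        elif s.half_open < self.max_incomplete.low and s.one_minute_rate < self.one_minute.low:
            self.aggressive = False
            return "calm"
        return ""


def run(samples: List[Sample], max_incomplete: Watermarks,
        one_minute: Watermarks) -> List[Tuple[int, str, str]]:
    """Return (sample index, transition, syslog-style message) for each mode change."""
    tracker = AggressiveModeTracker(max_incomplete, one_minute)
    events = []
    for i, s in enumerate(samples):
        change = tracker.update(s)
        if change == "aggressive":
            msg = "%%TCP-6-INTERCEPT: getting aggressive, count (%d/%d) 1 min %d" % (
                s.half_open, max_incomplete.high, s.one_minute_rate)
        elif change == "calm":
            msg = "%%TCP-6-INTERCEPT: calming down, count (%d/%d) 1 min %d" % (
                s.half_open, max_incomplete.low, s.one_minute_rate)
        else:
            continue
        events.append((i, change, msg))
    return events


# Thresholds from the TCP intercept slide.
MAX_INCOMPLETE = Watermarks(low=2000, high=3000)
ONE_MINUTE = Watermarks(low=1000, high=1500)

# Constructed series of one-minute samples (not real measurements).
SAMPLES = [Sample(500, 100), Sample(900, 1600), Sample(2500, 1200),
           Sample(2700, 100), Sample(1800, 900), Sample(100, 50)]

if __name__ == "__main__":
    for idx, change, msg in run(SAMPLES, MAX_INCOMPLETE, ONE_MINUTE):
        print(idx, change, msg)
```

Sample 2 (2500 half-open, rate 1200) is the point of the exercise: neither value exceeds its high watermark, yet the tracker stays aggressive because neither has dropped below its low watermark. Only sample 4 (1800, 900) satisfies both exit conditions, producing the "calming down, count (1800/2000) 1 min 900" message seen on the slide.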
IP Fragmentation Attack Mitigation – Fragments keyword in ACL
ip access-list extended FRAGMENTS_ACL
deny ip any host 192.168.1.100 fragments
permit tcp any host 192.168.1.100 eq 80
deny ip any any
See Appendix for complete configuration example
[Diagram: a datagram arriving on Ethernet0/1 and leaving on Ethernet0/0 split into Fragment 1 (IP header, TCP header, data) and Fragment 2 (IP header, data only)]
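The reason the deny ... fragments line sits first in FRAGMENTS_ACL is that a non-initial fragment (fragment offset greater than zero) carries no TCP header, so an entry that matches on a port cannot be checked against it. The following is an added example, not code from the slides or from Cisco, that models the documented IOS rules for extended ACLs and runs the slide's ACL, with and without its first line, over constructed packets. The Packet and Ace types are this example's own.

```python
"""How the ACL 'fragments' keyword treats initial and non-initial fragments.

Added example (not from the BRKSEC-3007 slides, not Cisco code). It models
the Cisco IOS rules for extended ACL entries:
  - an entry with only Layer 3 information applies to every packet;
  - an entry with Layer 4 information (a port) is checked normally for
    unfragmented packets and initial fragments; a non-initial fragment
    (offset > 0) has no Layer 4 header, so a permit entry whose Layer 3 part
    matches permits it, while a deny entry is skipped;
  - an entry with the 'fragments' keyword applies only to non-initial fragments.
The ACL is the one on the slide; the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp" (from the IP header, present in every fragment)
    frag_offset: int = 0         # 0 for unfragmented packets and initial fragments
    dport: Optional[int] = None  # only meaningful when frag_offset == 0

    @property
    def non_initial(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or a transport protocol
    src_net: str                 # CIDR; "0.0.0.0/0" is "any"
    dst_net: str
    dport: Optional[int] = None  # Layer 4 information
    fragments: bool = False      # the 'fragments' keyword

    def l3_matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Return 'permit' or 'deny' (implicit deny at the end of every ACL)."""
    for ace in acl:
        if not ace.l3_matches(p):
            continue
        if ace.fragments:
            if p.non_initial:
                return ace.action
            continue                       # keyword never applies to initial fragments
        if ace.dport is None:              # Layer 3 only: applies to every packet
            return ace.action
        if p.non_initial:                  # Layer 4 entry, but no Layer 4 header to check
            if ace.action == "permit":
                return "permit"
            continue                       # deny entries with L4 info are skipped
        if ace.dport == p.dport:
            return ace.action
    return "deny"


# The slide's FRAGMENTS_ACL ...
FRAGMENTS_ACL = [
    Ace("deny", "ip", "0.0.0.0/0", "192.168.1.100/32", fragments=True),
    Ace("permit", "tcp", "0.0.0.0/0", "192.168.1.100/32", dport=80),
    Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# ... and the same ACL without its first line, to show why that line is there.
WITHOUT_FRAGMENTS_LINE = FRAGMENTS_ACL[1:]


def demo() -> Dict[str, Tuple[str, str]]:
    """(result with the 'fragments' line, result without it) for constructed packets."""
    packets = {
        "initial tcp/80 to server": Packet("203.0.113.10", "192.168.1.100", "tcp", 0, 80),
        "non-initial fragment to server": Packet("203.0.113.10", "192.168.1.100", "tcp", 185),
        "non-initial fragment to other host": Packet("203.0.113.10", "192.168.1.50", "tcp", 185),
    }
    return {k: (evaluate(FRAGMENTS_ACL, p), evaluate(WITHOUT_FRAGMENTS_LINE, p))
            for k, p in packets.items()}


if __name__ == "__main__":
    for name, (with_line, without_line) in demo().items():
        print("%-36s with: %-6s without: %s" % (name, with_line, without_line))
```

Without the first line, a non-initial fragment addressed to the web server is permitted by the port-80 entry even though its port can never be verified; with the line in place, such fragments are dropped before they reach the server, which is what the slide's configuration relies on.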
IP Fragmentation Attack Mitigation
• Basic features of enabling VFR
• Max-reassemblies
• Maximum number of concurrent IP datagrams that can be reassembled
• Max-fragments
• Maximum number of fragments for the same IP datagram
• Drop-fragments
• Drops all fragments
IP Virtual Fragment Reassembly (VFR) Logs
VFR-4-FRAG_TABLE_OVERFLOW
VFR-4-TOO_MANY_FRAGMENTS
VFR-3-OVERLAP_FRAGMENT
VFR-3-TINY_FRAGMENTS
uRPF Advanced Features
• Old configuration (DO NOT USE):
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast reverse-path
• The command above was replaced by the command below in 12.0(15)S:
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any]
• Cisco Express Forwarding (CEF) must be enabled (on by default)
• Allow a default route to satisfy uRPF verification:
Router(config)# ip cef
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any] allow-default
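The difference between reachable-via rx (strict), reachable-via any (loose) and the allow-default option is easiest to see by running the check against a small routing table. The following is an added example, not code from the slides or from Cisco: a Python model of the source-address check against a constructed FIB. The FIB, interface names and addresses are this example's own, and equal-cost multipath is not modelled.

```python
"""Unicast RPF source check: strict (rx), loose (any) and allow-default.

Added example (not from the BRKSEC-3007 slides, not Cisco code). The FIB is
a list of (prefix, egress interface). The check looks up the packet's
*source* address by longest-prefix match, then:
  strict (reachable-via rx):  the route back to the source must leave via
                              the interface the packet arrived on;
  loose  (reachable-via any): any route to the source is enough;
  allow-default:              lets a default route satisfy the check
                              (without it a default route never does).
Equal-cost multipath is not modelled; the FIB and packets are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Fib = List[Tuple[str, str]]   # (prefix in CIDR notation, egress interface)


def lookup(fib: Fib, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(fib: Fib, src: str, ingress: str, mode: str = "rx",
                allow_default: bool = False) -> bool:
    """True if `src`, arriving on `ingress`, passes uRPF in the given mode."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    route = lookup(fib, src)
    if route is None:
        return False                      # no route at all: fails in every mode
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "any":
        return True                       # loose mode: existence of a route is enough
    return iface == ingress               # strict mode: must point back out the ingress


# Constructed FIB of an edge router: LAN on Ethernet0/1, a second site on
# Ethernet0/2, default route towards the ISP on Ethernet0/0.
FIB: Fib = [
    ("0.0.0.0/0", "Ethernet0/0"),
    ("10.1.1.0/24", "Ethernet0/1"),
    ("10.2.0.0/16", "Ethernet0/2"),
]


def demo() -> Dict[str, bool]:
    """Constructed packets: an internal source seen from the LAN and from the ISP side."""
    return {
        "10.1.1.5 on LAN, strict": urpf_passes(FIB, "10.1.1.5", "Ethernet0/1", "rx"),
        "10.1.1.5 from ISP, strict": urpf_passes(FIB, "10.1.1.5", "Ethernet0/0", "rx"),
        "10.1.1.5 from ISP, loose": urpf_passes(FIB, "10.1.1.5", "Ethernet0/0", "any"),
        "203.0.113.7 from ISP, strict": urpf_passes(FIB, "203.0.113.7", "Ethernet0/0", "rx"),
        "203.0.113.7 from ISP, strict+allow-default":
            urpf_passes(FIB, "203.0.113.7", "Ethernet0/0", "rx", allow_default=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-46s %s" % (case, "pass" if ok else "drop"))
```

Two results are worth noting. A packet claiming an internal source address but arriving from the ISP fails strict mode yet passes loose mode, which is why loose mode is only an anti-bogon filter. And on the ISP-facing interface strict mode without allow-default drops every Internet source, because only the default route covers them; allow-default is what makes strict mode usable there.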
Logging dropped packets and summarization
Action | Log drop-pkt disable, Log summary disable | Log drop-pkt disable, Log summary enable | Log drop-pkt enable, Log summary disable | Log drop-pkt enable, Log summary enable
Drop | Drop and summary logs not printed | Drop and summary logs not printed | Drop and summary logs not printed | Drop and summary logs not printed
Drop log | Only drop logs printed and no summary logs | Since the log option is configured with the drop action, both the drop and summary logs for the traffic that matches the 'drop log' action under the class are printed | Only drop logs printed and summary logs not printed | Since the log option is configured with the drop action, both the drop and summary logs for the traffic that matches the 'drop log' action under the class are printed
Inspect / zone to non-zone | Drop and summary logs not printed | Drop and summary logs not printed | Only drop logs printed and summary logs are not printed | Drops due to the inspect action and summary logs are printed
Logging New Connections
• Cannot be applied globally
• Enable on a per class-map basis
policy-map type inspect USERS->INTERNET_PMAP
class type inspect USER->INTERNET_CMAP
inspect LOG_CONNECTION_PARAM
parameter-map type inspect LOG_CONNECTION_PARAM
audit-trail on
Monitoring ZBFW Statistics
Router# show policy-firewall stats drop-counters
DROP action found in policy-map 4
Router# show policy-firewall stats all
Global Stats:
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
ZBFW and VPN
[Diagram: hosts A and B behind VPN endpoints X and Y. The client packet (IP header SRC A DST B, IP protocol 1) is carried inside the VPN packet (IP header SRC X DST Y) behind an ESP header, IP protocol 50]
VPN using Crypto-Map
[Diagram: A – X – Y – B; the client packet (SRC A DST B) is encapsulated into the VPN packet (SRC X DST Y) on the OUTSIDE interface]
interface Ethernet0/0
zone-member security OUTSIDE
crypto map IPSEC_TUNNEL
!
zone-pair security LOCAL->OUTSIDE_ZP source LOCAL destination OUTSIDE
service-policy type inspect LOCAL->REMOTE_PMAP
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
service-policy type inspect SELF->OUTSIDE_PMAP
• Crypto maps are bound to the tunnel terminating interface
• Original and VPN traffic have the same destination zone
See Appendix for complete configuration example
VPN using Virtual Tunnel Interface (VTI)
[Diagram: A – X – Y – B; the client packet (SRC A DST B) enters Tunnel0 in zone REMOTE and leaves as the VPN packet (SRC X DST Y) on the OUTSIDE interface]
interface Ethernet0/0
zone-member security OUTSIDE
!
interface Tunnel0
zone-member security REMOTE
tunnel mode ipsec ipv4
!
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
service-policy type inspect SELF->OUTSIDE_PMAP
zone-pair security LOCAL->REMOTE_ZP source LOCAL destination REMOTE
service-policy type inspect LOCAL->REMOTE_PMAP
• VTIs are independent interfaces with their own zone membership
• Original and VPN traffic have different destination zones
See Appendix for complete configuration example
IPv6 Tunneling Design Considerations
[Diagram: IPv6 host A – IPv4 tunnel endpoints X and Y – IPv6 host B; the client packet (SRC A(IPv6) DST B(IPv6)) is carried in the IPv6-in-IPv4 tunnel packet (SRC X(IPv4) DST Y(IPv4)) across the 6-in-4 tunnel]
interface Ethernet0/0
zone-member security OUTSIDE
!
interface Tunnel0
zone-member security REMOTE
tunnel mode ipv6ip
!
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
service-policy type inspect SELF->OUTSIDE_PMAP
zone-pair security LOCAL->REMOTE_ZP source LOCAL destination REMOTE
service-policy type inspect LOCAL->REMOTE_PMAP
• IPv6 networks can be connected by using a 6in4 tunnel
• ZBFW should be configured on the IPv6/IPv4 edge
• IPv6 tunneling protocols could bypass security policies
ZBFW and VPN configuration
class-map type inspect match-any VPN_CMAP
match access-group name VPN_ACL
policy-map type inspect SELF->OUTSIDE_PMAP
class type inspect VPN_CMAP
pass
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
service-policy type inspect SELF->OUTSIDE_PMAP
ip access-list extended VPN_ACL
permit esp any any
permit udp any any eq 500
permit udp any any eq 4500
Migrating from an Existing Policy
Existing interface ACL:
ip access-list extended OUTSIDE-IN
permit tcp any any eq 25
!
interface Ethernet0/0
ip access-group OUTSIDE-IN in
Equivalent ZBFW policy reusing the same ACL:
ip access-list extended OUTSIDE-IN
permit tcp any any eq 25
!
class-map type inspect match-any OUTSIDE-IN_CMAP
match access-group name OUTSIDE-IN
!
policy-map type inspect OUTSIDE-IN_PMAP
class type inspect OUTSIDE-IN_CMAP
inspect
ZBFW configuration example
zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
zone-member security INSIDE
interface Ethernet0/1
zone-member security OUTSIDE
!
class-map type inspect INSIDE_OUTBOUND_CMAP
match protocol http
!
policy-map type inspect INSIDE_OUTBOUND_PMAP
class type inspect INSIDE_OUTBOUND_CMAP
inspect
!
zone-pair security IN2OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_OUTBOUND_PMAP
IOS Resiliency
• From console session
Router(config)#secure boot-config
*Feb 25 18:56:18.458: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [disk0:.runcfg-20130225-185618.ar]
Router(config)#no secure boot-config
*Feb 25 18:56:24.745: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed disk0:.runcfg-20130225-185618.ar]
• From telnet session
Router(config)#no secure boot-config
%You must be logged on the console to apply this command
Stateful Address Assignment
• Centralized server performs all addressing tasks
• Assigns IP addresses
• Keeps track of client-to-address mapping
• Provides additional network information
• DNS server
• Default gateway
• Examples of stateful address protocols
• DHCP
Stateless Address Assignment
• Client dynamically takes on addressing tasks
• Chooses own IP address
• EUI-64
• DAD used to avoid address duplication
• Additional network information not provided by default
• Provided by supporting server
• Examples of stateless address protocols
• SLAAC (StateLess Address AutoConfiguration)
Authentication Proxy - Configuration
aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
radius-server vsa send authentication
!
radius server ISE
address ipv4 192.168.1.100 auth-port 1645 acct-port 1646
key cisco
!
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
ip admission AUTHPROXY
!
ip admission name AUTHPROXY proxy http
ip http server
Authentication Proxy Traffic Flow – Apply Action
1. Interface ACL
2. Consent ACL
3. AuthProxy ACL
Authentication Proxy - Debugs
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015):Orig. component type = Auth Proxy
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IPv6: ::
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015): acct_session_id: 11
Mar 23 14:27:54.571: RADIUS(00000015): sending
Mar 23 14:27:54.575: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.575: RADIUS(00000015): Send Access-Request to 14.36.112.250:1645 id 1645/11, len 110
Mar 23 14:27:54.575: RADIUS: authenticator 54 01 93 F4 17 F1 93 7D - EB 44 A3 05 FA 49 79 24
Mar 23 14:27:54.575: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.575: RADIUS: User-Password [2] 18 *
Mar 23 14:27:54.575: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 23 14:27:54.575: RADIUS: Vendor, Cisco [26] 29
Mar 23 14:27:54.575: RADIUS: Cisco AVpair [1] 23 "service-type=Outbound"
Mar 23 14:27:54.575: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.575: RADIUS: 53 E1 38 E5 A2 93 DD 40 61 88 99 60 A6 70 2D 2E [ S8@a`p-.]
Mar 23 14:27:54.575: RADIUS: NAS-Port-Type [61] 6 Async [0]
Mar 23 14:27:54.575: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.575: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 23 14:27:54.575: RADIUS(00000015): Started 5 sec timeout
Mar 23 14:27:54.591: RADIUS: Received from id 1645/11 14.36.112.250:1645, Access-Accept, len 287
Mar 23 14:27:54.591: RADIUS: authenticator C0 07 BB 4F 81 FC B8 33 - CB 2A 22 98 23 C0 6E 58
Mar 23 14:27:54.591: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.591: RADIUS: State [24] 40
Mar 23 14:27:54.591: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.591: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 35 35 33 [2470fa0000003553]
Mar 23 14:27:54.591: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.591: RADIUS: Class [25] 54
Mar 23 14:27:54.591: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.591: RADIUS: 30 30 30 33 35 35 33 32 45 45 44 36 44 3A 72 61 [00035532EED6D:ra]
Mar 23 14:27:54.591: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.591: RADIUS: 36 2F 35 34 [ 6/54]
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: 3E F1 DA B1 22 AB 23 26 12 0E 54 83 2C 96 C1 AF [ >"#&T,]
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 25
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 61
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS(00000015): Received from id 1645/11
Authentication Proxy - Debugs
Mar 23 14:27:54.591: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 23 14:27:54.591: RADIUS(00000000): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.591: RADIUS(00000000): sending
Mar 23 14:27:54.591: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.591: RADIUS(00000000): Send Access-Request to 14.36.112.250:1645 id 1645/12, len 133
Mar 23 14:27:54.591: RADIUS: authenticator 86 69 58 02 68 24 B8 7D - 52 A6 74 12 C6 34 5E 85
Mar 23 14:27:54.591: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.591: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: FA 55 AC 1F E1 57 22 F9 0F 77 4B A6 F4 19 42 5E [ UW"wKB^]
Mar 23 14:27:54.591: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 23 14:27:54.591: RADIUS(00000000): Started 5 sec timeout
Mar 23 14:27:54.595: RADIUS: Received from id 1645/12 14.36.112.250:1645, Access-Accept, len 327
Mar 23 14:27:54.595: RADIUS: authenticator CD CB 43 D2 51 C4 A2 46 - 80 0C E3 03 10 57 52 4C
Mar 23 14:27:54.595: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.595: RADIUS: State [24] 40
Mar 23 14:27:54.595: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.595: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 36 35 33 [2470fa0000003653]
Mar 23 14:27:54.595: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.595: RADIUS: Class [25] 54
Mar 23 14:27:54.595: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.595: RADIUS: 30 30 30 33 36 35 33 32 45 45 44 36 44 3A 72 61 [00036532EED6D:ra]
Mar 23 14:27:54.595: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.595: RADIUS: 36 2F 35 35 [ 6/55]
Mar 23 14:27:54.595: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.595: RADIUS: C4 80 ED 58 1A 8C 7E 7A 60 C2 BC 2E 5C CF 66 5B [ X~z`.\f[]
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 44
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 38 "ip:inacl#2=permit tcp any any eq 443"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#3=permit udp any any eq 53"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 38
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 32 "ip:inacl#4=permit icmp any any"
Mar 23 14:27:54.595: RADIUS(00000000): Received from id 1645/12
Authentication Proxy - Outputs
radar-CLUS#show ip admission cache
Authentication Proxy Cache
Client Name cisco, Client IP 14.38.112.250, Port 41699, timeout 60, Time Remaining 60,
state ESTAB
radar-CLUS#show epm session summary
EPM Session Information
-----------------------
Total sessions seen so far : 5
Total active sessions : 1
Session IP Address :
-------------------
14.38.112.250
radar-CLUS#show epm session ip 14.38.112.250
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-dACL-532eed4c
Supplicant-Group : ENG
Authentication Proxy with Consent – Configuration
copy tftp://14.36.112.254/banner.html flash:banner.html
!
ip admission name AUTHPROXY proxy http
ip admission auth-proxy-banner file flash:banner.html
ip admission auth-proxy-banner http ^C You have logged in^C
ip admission name AUTHPROXY consent list 100 param-map CONSENT_PMAP
!
parameter-map type consent CONSENT_PMAP
logging enabled
authorize accept identity IDENTITY_POLICY
timeout file download 3600
file flash:html.html
!
identity policy consent_identity_policy
access-group consent_access_group
User Group – Tag and Template
• User credentials are stored on a central ACS
• Each user is bound to a different group
• MKT, ENG, FIN, HRC, etc
• This is the “tag”
• Routers will ask the ACS for group information of the user
• Routers will apply specific action based on the tags
• Template is the configuration on each router
Security Group Tagging – Active Authentication
[Diagram: the router asks the ACS "What should I do with UserA?"; the ACS answers "Permit UserA, BUT mark them with this Security Group Tag" and returns Cisco Avpair: SGT = 3]
• Security Group Tagging functionality is similar to the Tag/Template configuration
• Policies are created using the SGT number instead of the tag name
• This specific implementation of SGT is local to the router
• SGT information is not exchanged with other devices
User Group Tagging – Active Authentication
[Diagram: the ACS returns UserA = 3 and UserB = 4]
class-map type inspect INSIDE->OUTSIDE_CMAP
match security-group source tag 4
class-map type inspect INSIDE->OUTSIDE_CMAP
match security-group source tag 3
High Availability
parameter-map type inspect global
redundancy
!
redundancy
application redundancy
group 1
name ZBFW_HA
preempt
priority 200
control Ethernet0/2 protocol 1
data Ethernet0/2
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
redundancy rii 100
redundancy group 1 ip 10.1.1.3 exclusive
Verifying High Availability
Router# show redundancy application group 1
Group ID:1
Group Name:ZBFW_HA
Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY-HOT
Asymmetric Routing
[Diagram: the redundant router pair is connected to ISP1 and ISP2]
redundancy
application redundancy
group 1
asymmetric-routing interface Ethernet0/3
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
redundancy rii 100
redundancy group 1 ip 10.1.1.3 exclusive
redundancy asymmetric-routing enable
Control Plane Protection (CoPPr)
Benefits
• Extends protection against DoS attacks on infrastructure routers by providing a mechanism for finer policing of control plane traffic that allows you to rate-limit each type individually
• Provides a mechanism for early dropping of packets that are directed to closed or nonlistened Cisco IOS TCP/UDP ports
• Provides the ability to limit protocol queue usage so that no single protocol flood can overwhelm the input interface
• Provides QoS control for packets that are destined to the control plane of Cisco routers
• Provides better platform reliability, security, and availability
• Provides CPU protection so it can be used for important jobs, such as routing
Control Plane Protection – Monitoring Drops
Router#show control-plane counters
Feature Path Packets processed/dropped/errors
Aggregate 3/0/0
Host 3/3/0
Transit 0/0/0
Cef-exception 0/0/0
Router#show control-plane host counters
Control plane host path counters :
Feature Packets Processed/Dropped/Errors
--------------------------------------------------------
TCP/UDP Portfilter 3/3/0
--------------------------------------------------------
Control Plane Protection – Monitoring Drops
Router#show policy-map type port-filter control-plane all
Control Plane Host
Service-policy port-filter input: PORTFILTER_PMAP
Class-map: PORTFILTER_CMAP (match-all)
3 packets, 180 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: closed-ports
drop
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
Control Plane Protection Example 2
• Problem
• SNMP is exhausting control plane resources, preventing the router from executing certain core functions such as routing and management
• Solution
• Limit the number of packets allowed on the input queue
• Solution is to use queue-limits
• Prevent a single function from overwhelming all resources
• Create a tiered policy to ensure functionality
Control Plane Protection – Queue Threshold
class-map type queue-threshold match-all SNMP_QUEUE
match protocol snmp
class-map type queue-threshold match-all OTHER_QUEUE
match protocol host-protocols
!
policy-map type queue-threshold QUEUELIMIT_PMAP
class SNMP_QUEUE
queue-limit 50
class OTHER_QUEUE
queue-limit 150
!
control-plane host
service-policy type queue-threshold input QUEUELIMIT_PMAP
• Match SNMP
• Match all other protocols
• Limit packets to prevent oversubscription
• Apply to the host subinterface
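The value of a per-class queue-limit is that it isolates protocols from each other: an SNMP flood can only fill the SNMP queue. The following is an added example, not code from the slides or from Cisco, that models the queue-threshold policy above (limit 50 for SNMP, 150 for everything else) as bounded per-class input queues and contrasts it with a single shared queue under the same constructed load. The traffic mix, CPU budget and the round-robin service order are this example's own assumptions.

```python
"""Per-protocol queue limits on the control-plane host path.

Added example (not from the BRKSEC-3007 slides, not Cisco code). Each
class gets its own bounded input queue: a packet is accepted while its
class's queue is below the limit and counted as dropped otherwise; the CPU
then drains up to a fixed number of packets per tick. The same load is also
run through one shared queue to show why the per-class limit matters.
Load, limits and CPU budget are constructed (queue-limit 50 / 150 as above).
"""
from collections import deque
from typing import Deque, Dict, List, Tuple


class QueueThresholdPolicy:
    """One bounded input queue per class, like the per-class queue-limit above."""

    def __init__(self, limits: Dict[str, int], default_class: str):
        if default_class not in limits:
            raise ValueError("the default class needs a limit too")
        self.limits = limits
        self.default_class = default_class
        self.queues: Dict[str, Deque[str]] = {c: deque() for c in limits}
        self.accepted = {c: 0 for c in limits}
        self.dropped = {c: 0 for c in limits}

    def classify(self, proto: str) -> str:
        # 'match protocol snmp' vs 'match protocol host-protocols' (everything else)
        return proto if proto in self.limits else self.default_class

    def enqueue(self, proto: str) -> bool:
        cls = self.classify(proto)
        if len(self.queues[cls]) >= self.limits[cls]:
            self.dropped[cls] += 1        # shows up as Dropped in 'show control-plane host counters'
            return False
        self.queues[cls].append(proto)
        self.accepted[cls] += 1
        return True

    def drain(self, budget: int) -> int:
        """The CPU services up to `budget` packets per tick, round-robin over the classes."""
        served = 0
        while served < budget and any(self.queues.values()):
            for q in self.queues.values():
                if q and served < budget:
                    q.popleft()
                    served += 1
        return served


def simulate_per_class(arrivals: List[List[str]], limits: Dict[str, int],
                       default_class: str, cpu_per_tick: int) -> Dict[str, Tuple[int, int]]:
    """arrivals[t] lists the protocols arriving in tick t; returns {class: (accepted, dropped)}."""
    policy = QueueThresholdPolicy(limits, default_class)
    for tick in arrivals:
        for proto in tick:
            policy.enqueue(proto)
        policy.drain(cpu_per_tick)
    return {c: (policy.accepted[c], policy.dropped[c]) for c in limits}


def simulate_shared(arrivals: List[List[str]], limit: int,
                    cpu_per_tick: int) -> Dict[str, Tuple[int, int]]:
    """Same traffic through a single shared queue (no per-protocol limit), for comparison."""
    queue: Deque[str] = deque()
    accepted: Dict[str, int] = {}
    dropped: Dict[str, int] = {}
    for tick in arrivals:
        for proto in tick:
            accepted.setdefault(proto, 0)
            dropped.setdefault(proto, 0)
            if len(queue) >= limit:
                dropped[proto] += 1
            else:
                queue.append(proto)
                accepted[proto] += 1
        for _ in range(min(cpu_per_tick, len(queue))):
            queue.popleft()
    return {p: (accepted[p], dropped[p]) for p in accepted}


# Constructed load: an SNMP flood of 200 packets per tick next to 20 telnet packets per tick.
ARRIVALS = [["snmp"] * 200 + ["telnet"] * 20 for _ in range(5)]
LIMITS = {"snmp": 50, "other": 150}      # queue-limit 50 / 150 from the policy above

if __name__ == "__main__":
    print("per-class:", simulate_per_class(ARRIVALS, LIMITS, "other", 100))
    print("shared:   ", simulate_shared(ARRIVALS, 200, 100))
```

With per-class limits the SNMP flood loses 750 of its 1000 packets while every telnet packet is accepted; with one shared queue of the same total size the flood fills it first and telnet is starved completely, which is the failure mode described on the previous slide.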
Control Plane Protection – Viewing Current Queue
• Only telnet is enabled on the router
• The queue threshold processes packets until the limit is exceeded
• Excess packets beyond the limit are dropped to protect control-plane resources
• See Appendix for complete configuration example
Router#show control-plane host counters
Control plane host path counters :

Feature                 Packets Processed/Dropped/Errors
--------------------------------------------------------
Port Queue Threshold    150/30/0
--------------------------------------------------------
• The counters read processed/dropped/errors: 150 packets were accepted within the limit, 30 were dropped because the queue was already full, and none errored
• A dropped count that rises under normal load means the queue-limit is too low for legitimate traffic; a sudden jump in drops while the processed count stays flat points at a flood
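As an added example (not from the slides and not Cisco code), the following Python monitor parses the output of the two show commands above and raises alerts on closed-port drops and on a high queue-threshold drop ratio, which is the check an operator would want to run periodically rather than eyeball. The sample outputs are constructed from the text on the slides; the 10% drop-ratio threshold, the alert wording and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the two show commands on the
# slides above (assumption: not captured from a real router).
PORT_FILTER_OUTPUT = """\
Control Plane Host

  Service-policy port-filter input: PORTFILTER_PMAP

    Class-map: PORTFILTER_CMAP (match-all)
      3 packets, 180 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: closed-ports
      drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
"""

HOST_COUNTERS_OUTPUT = """\
Control plane host path counters :

Feature                 Packets Processed/Dropped/Errors
--------------------------------------------------------
Port Queue Threshold    150/30/0
--------------------------------------------------------
"""


@dataclass
class ClassStats:
    name: str
    packets: int = 0
    bytes: int = 0
    match: str = ""
    action: str = ""   # "drop" when the class carries a drop action


def parse_port_filter(text):
    """Parse 'show policy-map type port-filter control-plane' into {class: ClassStats}."""
    stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Class-map:\s+(\S+)", line)
        if m:
            current = ClassStats(m.group(1))
            stats[current.name] = current
            continue
        if current is None:
            continue
        m = re.match(r"(\d+) packets, (\d+) bytes", line)
        if m:
            current.packets, current.bytes = int(m.group(1)), int(m.group(2))
        elif line.startswith("Match:"):
            current.match = line.split(":", 1)[1].strip()
        elif line == "drop":
            current.action = "drop"
    return stats


def parse_host_counters(text):
    """Parse 'show control-plane host counters' into {feature: (processed, dropped, errors)}."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S.*?)\s+(\d+)/(\d+)/(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = tuple(int(m.group(i)) for i in (2, 3, 4))
    return counters


def closed_port_hits(stats):
    """Packets dropped by a closed-ports class: traffic aimed at services the router does not run."""
    return sum(c.packets for c in stats.values()
               if c.action == "drop" and c.match == "closed-ports")


def queue_drop_ratio(counters, feature="Port Queue Threshold"):
    """Fraction of host-path packets the queue threshold dropped (0.0 if the feature is absent)."""
    processed, dropped, _errors = counters.get(feature, (0, 0, 0))
    total = processed + dropped
    return dropped / total if total else 0.0


def check(port_filter_text, host_counters_text, drop_ratio_threshold=0.10):
    """Return a list of alert strings; an empty list means nothing to report."""
    alerts = []
    hits = closed_port_hits(parse_port_filter(port_filter_text))
    if hits:
        alerts.append(f"port-filter: {hits} packets to closed ports dropped (possible probe or scan)")
    ratio = queue_drop_ratio(parse_host_counters(host_counters_text))
    if ratio >= drop_ratio_threshold:
        alerts.append(f"queue-threshold: {ratio:.0%} of host-path packets dropped (queue-limit reached)")
    return alerts


if __name__ == "__main__":
    for alert in check(PORT_FILTER_OUTPUT, HOST_COUNTERS_OUTPUT):
        print(alert)
```

Both counters are cumulative since the last clear, so in practice the script should be run on a schedule and alert on the delta between runs; the ratio check above is what you would compute on that delta.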
Internet of Things (IoT) Cisco Education Offerings
Course | Description | Cisco Certification
NEW! IMINS2 | An associate level instructor-led training course designed to prepare you for the CCNA Industrial certification | CCNA® Industrial
Managing Industrial Networks with Cisco Networking Technologies (IMINS) | This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises | Cisco Industrial Networking Specialist
Control Systems Fundamentals for Industrial Networking (ICINS) | For IT and Network Engineers, covers basic concepts in Industrial Control systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks |
Networking Fundamentals for Industrial Control Systems (INICS) | For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and an introductory overview of Automation industry Protocols. |
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Business Transformation Cisco Education Offerings
Course | Description | Cisco Certification
For IT and Network Professionals: Building Business Specialist Skills | Builds non-technical skills key to ensure business impact and influence. Topics include: business analysis, finance, technology adoption and effective communications. Bridges IT and business impacts of mature and emerging solutions including cloud plus Internet of Everything | Cisco Enterprise IT Business Specialist
For Technology Sellers: Applying Cisco Specialized Business Value Analysis Skills | Builds skills to discover and address technology needs using a business-focused, consultative sales approach | Cisco Business Value Specialist
Executing Advanced Cisco Business Value Analysis and Design Techniques | Enables customer transformation through business architecture and solution selling expertise | Cisco Certified Business Value Practitioner
Performing Cisco Business-Focused Transformative Architecture Engagements | Provides skills and an approach to build a strategic roadmap of IT initiatives, aligned to business priorities | Cisco Transformative Architecture Specialist
Security Cisco Education Offerings
Course | Description | Cisco Certification
CCIE Security | Expert Level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks. | CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security | CCNP® Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access | CCNP® Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response | Cisco Cybersecurity Specialist
Network Security Product Training | Official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances. |
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
R&S Related Cisco Education Offerings
Course | Description | Cisco Certification
CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs | Expert level trainings including: instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam. | CCIE® Routing & Switching
Implementing Cisco IP Routing v2.0; Implementing Cisco IP Switched Networks v2.0; Troubleshooting and Maintaining Cisco IP Networks v2.0 | Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs. | CCNP® Routing & Switching
Interconnecting Cisco Networking Devices: Part 2 (or combined) | Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab. | CCNA® Routing & Switching
Interconnecting Cisco Networking Devices: Part 1 | Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab. | CCENT® Routing & Switching
Wireless Cisco Education Offerings
Course | Description | Cisco Certification
Designing Cisco Wireless Enterprise Networks; Deploying Cisco Wireless Enterprise Networks; Troubleshooting Cisco Wireless Enterprise Networks; Securing Cisco Wireless Enterprise Networks | Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot as well as secure Wireless infrastructure. Courses also provide details around Cisco Mobility Services Engine, Prime Infrastructure and wireless security. | CCNP® Wireless Version 3.0 (Available March 22nd, 2016)
Implementing Cisco Unified Wireless Network Essential | Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations. | CCNA® Wireless (Available Now)
Deploying Basic Cisco Wireless LANs (WDBWL) v1.2 | Understanding of Cisco Unified Wireless Networking for enterprise deployment scenarios. In this course, you will learn the basics of how to install, configure, operate, and maintain a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution. |
Deploying Advanced Cisco Wireless LANs (WDAWL) v1.2 | The WDAWL advanced course is designed with the goal of providing learners with the knowledge and skills to successfully plan, install, configure, troubleshoot, monitor, and maintain advanced Cisco wireless LAN solutions such as QoS, "salt and pepper" mobility, high density deployments, and outdoor mesh deployments in an enterprise customer environment. |
Deploying Cisco Connected Mobile Experiences (WCMX) v2.0 | WCMX will prepare professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot, and optimize utilization of mobile content while gaining meaningful client analytics. |
Design Cisco Education Offerings
Course | Description | Cisco Certification
Designing Cisco Network Service Architectures (ARCH) Version 3.0 | Provides learners with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports the desired capacity, performance, and availability required for converged Enterprise network services and applications. | CCDP® (Design Professional) (Available Now)
Designing for Cisco Internetwork Solutions (DESGN) Version 3.0 | Instructor led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam. | CCDA® (Design Associate) (Available Now)
Service Provider Cisco Education Offerings
Course | Description | Cisco Certification
Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE); Edge Network Services (SPEDGE) | SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments. | CCNP® Service Provider
Building Cisco Service Provider Next-Generation Networks, Part 1 & 2 (SPNGN1), (SPNGN2) | The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR). | CCNA® Service Provider
Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE) | The three courses (SPUMTS, SPCDMA, SPLTE) cover the knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs). | Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist
Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR) | Prepares Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment. | Cisco IOS XR Specialist
Collaboration Cisco Education Offerings
Course | Description | Cisco Certification
CCIE Collaboration Advanced Workshop (CIEC) | Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks | CCIE® Collaboration
Implementing Cisco Collaboration Applications (CAPPS) | Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection. | CCNP® Collaboration
Implementing Cisco IP Telephony and Video Part 1 (CIPTV1); Implementing Cisco IP Telephony and Video Part 2 (CIPTV2); Troubleshooting Cisco IP Telephony and Video (CTCOLLAB) | Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network. Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment. Troubleshoot complex integrated voice and video infrastructures. | CCNP® Collaboration
Implementing Cisco Collaboration Devices (CICD); Implementing Cisco Video Network Devices (CIVND) | Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager. Learn how to evaluate requirements for video deployments, and implement Cisco Collaboration endpoints in converged Cisco infrastructures. | CCNA® Collaboration
Cloud Cisco Education Offerings
Course | Description | Cisco Certification
Understanding Cloud Fundamentals (CLDFND) | Learn how to perform foundational tasks related to Cloud computing, and the essentials of Cloud infrastructure | CCNA Cloud
Introducing Cloud Administration (CLDADM) | Learn the essentials of Cloud administration and operations, including how to provision, manage, monitor, report and remediate. | CCNA Cloud
Implementing and Troubleshooting the Cisco Cloud Infrastructure (CLDINF) | Learn how to implement and troubleshoot Cisco Cloud infrastructure: compute, network, storage. | CCNP Cloud
Designing the Cisco Cloud (CLDDES)* | Learn how to design private and hybrid Clouds including infrastructure, automation, security and virtual network services | CCNP Cloud
Automating the Cisco Enterprise Cloud (CLDAUT)* | Learn how to automate Cloud deployments: provisioning IaaS (private, private with network automation and hybrid) and applications, life cycle management | CCNP Cloud
Building the Cisco Cloud with Application Centric Infrastructure (CLDACI)* | Learn how to build Cloud infrastructures based on Cisco Application Centric Infrastructure, including design, implementation and automation | CCNP Cloud
UCS Director Foundation (UCSDF) | Learn how to manage physical and virtual infrastructure using orchestration and automation functions of UCS Director. |
* Available Q2CY2016
Data Center / Virtualization Cisco Education Offerings
Course | Description | Cisco Certification
Introducing Cisco Data Center Networking (DCICN); Introducing Cisco Data Center Technologies (DCICT) | Learn basic data center technologies and skills to build a data center infrastructure. | CCNA® Data Center
Implementing Cisco Data Center Unified Fabric (DCUFI); Implementing Cisco Data Center Unified Computing (DCUCI); Designing Cisco Data Center Unified Computing (DCUDC); Designing Cisco Data Center Unified Fabric (DCUFD); Troubleshooting Cisco Data Center Unified Computing (DCUCT); Troubleshooting Cisco Data Center Unified Fabric (DCUFT) | Obtain professional level skills to design, configure, implement and troubleshoot data center network infrastructure. | CCNP® Data Center
Product Training Portfolio: DCNMM, DCAC9K, DCINX9K, DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K | Gain hands-on skills using Cisco solutions to configure, deploy, manage and troubleshoot unified computing, policy-driven and virtualized data center network infrastructure. |
Designing the FlexPod® Solution (FPDESIGN); Implementing and Administering the FlexPod® Solution (FPIMPADM) | Learn how to design, implement and administer FlexPod solutions | Cisco and NetApp Certified FlexPod® Specialist
Network Programmability Cisco Education Offerings
Course | Description | Cisco Certification
Integrating Business Applications with Network Programmability (NIPBA); Integrating Business Applications with Network Programmability for Cisco ACI (NPIBAACI) | Learn networking concepts, and how to deploy and troubleshoot programmable network architectures with these self-paced courses. | Cisco Business Application Engineer Specialist Certification
Developing with Cisco Network Programmability (NPDEV); Developing with Cisco Network Programmability for Cisco ACI (NPDEVACI) | Learn how to build applications for network environments and effectively bridge the gap between IT professionals and software developers. | Cisco Network Programmability Developer Specialist Certification
Designing with Cisco Network Programmability (NPDES); Designing with Cisco Network Programmability for Cisco ACI (NPDESACI) | Learn how to expand your skill set from traditional IT infrastructure to application integration through programmability. | Cisco Network Programmability Design Specialist Certification
Implementing Cisco Network Programmability (NPENG); Implementing Cisco Network Programmability for Cisco ACI (NPENGACI) | Learn how to implement and troubleshoot open IT infrastructure technologies. | Cisco Network Programmability Engineer Specialist Certification