Advanced IOS Security - Typepad · 2016. 8. 12. · Zone Based Firewall • Recommended IOS...


Advanced IOS Security

Jason Scobbie, Technical Leader, CISSP

BRKSEC-3007


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

About the Presentation

• What is not covered?
  • ISE configuration
  • Content filtering in the enterprise: BRKSEC-2042 Content Filtering in the Enterprise
  • Advanced IPv6 security: BRKSEC-2003 Introduction to IPv6 Security Threats and Mitigations
  • Intrusion Prevention Systems: BRKSEC-2030 Deploying Intrusion Prevention Systems
  • VPN solutions: BRKSEC-2881 Designing Remote-Access and Site-to-Site IPSec networks with FlexVPN; BRKSEC-1050 An Overview of Site-to-Site Cisco VPN Technologies
  • Fundamental IOS Security (Security Overview/IOS Hardening, User Services): BRKSEC-2007 Fundamental IOS Security


Agenda

• Data Plane Security
  • Zone Based Firewall
• User Based Features
  • Authentication Proxy
  • User/Security Group Tagging
• High Availability
• Control Plane Protection


Advanced IOS Security – Overview

• Data Plane Security
  • Traffic that passes through the router ("through the box")
  • User and services traffic: HTTP traffic to web servers, SIP traffic for voice phones, RDP sessions
• Control Plane Security
  • Infrastructure traffic that maintains the network ("to the box")
  • Routing protocols (BGP, EIGRP, OSPF)
  • Management (SSH, HTTP)
  • Monitoring (SNMP, Syslog, NTP)


Data Plane Security


Data Plane Security using Zone Based Firewall

Roadmap for this section:
• Permit trusted traffic
• Create application-aware policy
• Apply QoS and rate limiting
• Protect data plane services
• Log firewall traffic
• Allow tunneled/VPN traffic

• Build a comprehensive security solution to protect user services
• Using ZBFW provides a standardized framework for all security-based features
• This session covers design considerations; the Appendix has the configuration examples


Data Plane Security – Identifying Traffic

[Diagram: a client on Ethernet0/1 sends HTTP, SMTP and FTP flows through the router's Ethernet0/0 towards the Internet, where an HTTP server and an SMTP server answer]


Access-lists (ACLs) as a Security Solution

IOS-FW(config)# ip access-list extended 100
IOS-FW(config-ext-nacl)# permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  fin          Match on the FIN bit
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  rst          Match on the RST bit
  syn          Match on the SYN bit
  established  Match established connections
  fragments    Check non-initial fragments
  ttl          Match packets with given TTL value

IOS-FW(config)# ipv6 access-list IN->OUT_IPv6
IOS-FW(config-ipv6-acl)# permit any any ?
  routing      Routing header (all types)

See Appendix for complete configuration example

• ttl: restrict how far into the network traffic can pass; prevents control traffic from leaving the network
• established: only matches on the ACK and RST flags; not truly stateful
• syn, fin, rst, ack: only match a TCP flag; not truly stateful
• fragments: prevent fragments from entering the network; a heavy-handed prevention of fragmentation attacks
• routing: restrict loose source routing; prevents clients from choosing their routing path


Access-group and Access-list Limitations

[Diagram: Client on Ethernet0/1, Webserver and Attacker on Ethernet0/0; both the web server's response and the attacker's packets arrive inbound towards the Client]

ip access-list extended OUT->IN
 permit tcp any eq 80 host Client
ip access-list extended IN->OUT
 permit tcp host Client any eq 80

How do we differentiate between the Webserver response and Attacker traffic?


Firewall – Basic Functionality

[Diagram: TRUSTED side with the Client; UNTRUSTED side (Internet) with the Webserver, an SMTP Server and an Attacker. The Client's HTTP request goes out and the HTTP response is allowed back in; the Attacker's malicious traffic is blocked]

The firewall prevents malicious traffic from entering the network by tracking connections.
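The two slides above, as an added example that is not part of the original deck: a stateless `established` ACL rule compared with a minimal model of stateful connection tracking (session created by the SYN of a permitted inside-to-outside flow, return packets must match it). Hosts, ports and packets are constructed.

```python
"""Why an ACL 'established' rule cannot tell a web server's reply from
attacker traffic, while connection tracking can.

Added example, not from the slides. Hosts, ports and packets are constructed;
the firewall class is a simplification of the ZBFW inspect action."""
from dataclasses import dataclass

CLIENT = "192.168.1.100"      # constructed: inside client
WEBSERVER = "4.2.2.2"         # constructed: outside web server
ATTACKER = "203.0.113.50"     # constructed: outside host sending unsolicited packets


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}


def acl_out_to_in(p: Packet) -> bool:
    """'permit tcp any eq 80 host Client established': stateless. It only
    checks that the packet comes from TCP/80, goes to the client and carries
    ACK or RST. It keeps no memory of who opened the connection."""
    return p.sport == 80 and p.dst == CLIENT and bool(p.flags & {"ACK", "RST"})


class StatefulFirewall:
    """Inspect action: the SYN from the trusted side creates a session; only
    packets that belong to an existing session are allowed back in."""

    def __init__(self) -> None:
        self.sessions = set()   # (src, sport, dst, dport) of flows opened from inside

    def inside_to_outside(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == frozenset({"SYN"}) and p.dport == 80:
            self.sessions.add(key)          # initial packet of the flow
            return True
        return key in self.sessions         # later packets of a known flow

    def outside_to_inside(self, p: Packet) -> bool:
        # Reverse the tuple: a reply is valid only if the client opened the flow.
        return (p.dst, p.dport, p.src, p.sport) in self.sessions


def run_scenario() -> dict:
    """Return, per packet, whether the ACL and the stateful firewall allow it."""
    fw = StatefulFirewall()
    syn = Packet(CLIENT, 59651, WEBSERVER, 80, frozenset({"SYN"}))
    reply = Packet(WEBSERVER, 80, CLIENT, 59651, frozenset({"SYN", "ACK"}))
    # Unsolicited packet from source port 80 with ACK set: 'established' to the ACL.
    unsolicited = Packet(ATTACKER, 80, CLIENT, 44444, frozenset({"ACK"}))
    fw.inside_to_outside(syn)
    return {
        "webserver_reply": {"acl": acl_out_to_in(reply),
                            "stateful": fw.outside_to_inside(reply)},
        "attacker_packet": {"acl": acl_out_to_in(unsolicited),
                            "stateful": fw.outside_to_inside(unsolicited)},
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: ACL={'permit' if verdict['acl'] else 'deny'}, "
              f"stateful={'permit' if verdict['stateful'] else 'deny'}")
```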


Zone Based Firewall

Overview

• Recommended IOS data plane security solution
• Policies are applied to zones
• Zones are applied to interfaces
• Allows for scalable security policy
• Zone policies are directional
• Matches the initial packet of the flow
  • TCP: matches the SYN
  • Non-TCP: matches any packet
• Default drop policy
  • Tight security for unreferenced traffic


Zone Policy Assignment and Scalability

• Same zone can be assigned to multiple interfaces

• Zone-pair policy can be reused

• Interface can only be part of one zone

• Zone-pairs permit traffic between two zones

• Traffic between same zones requires policy as well

• Traffic is specific to a zone-pair which allows for directed control

[Diagram: three user subinterfaces in zone USERS and the Internet in zone INTERNET; zone-pairs "source USERS destination INTERNET" and "source USERS destination USERS" carry the policy]

See Appendix for complete configuration example

interface Ethernet0/0.100
 zone-member security USERS
interface Ethernet0/0.200
 zone-member security USERS
interface Ethernet0/0.300
 zone-member security USERS


Zone Policy Assignment

Self Zone

• Pre-defined zone member
• Protects traffic to and from the router
  • Traffic sourced from or destined to the router
  • Excludes NAT traffic
• Two differences from other zones:
  1. The self zone cannot be configured; it is pre-defined and available for use
  2. Reverse functionality of zones: explicit allow compared to explicit deny (traffic to and from the self zone is allowed unless a policy denies it)
• Use it to protect management and control plane traffic

[Diagram: traffic to and from the self zone]
Management traffic: SSH, Telnet, HTTP
Monitoring traffic: SNMP, Syslog, NetFlow
Routing protocols: EIGRP, OSPF, BGP
VPN: ESP, GRE, NAT-T, ISAKMP


Zone Based Firewall – Configuration Theory

1. Identify traffic using a class-map
   • Access-list
   • Protocols
2. Take action using a policy-map
   • Inspect
   • Drop
   • Pass
3. Apply the action using a zone-pair
   • The policy-map is applied as a service-policy to the zone-pair's traffic
   • Applies the action to the traffic


Identifying Traffic using Class-maps

• Class-maps identify traffic

• Access-lists for IP addresses and ports

• Protocols for Layer 7 matching

• Class-maps can be nested

• Scalability through reuse

• Directed match criteria

[Diagram: a class-map combines an access-list, a protocol match and a nested class-map]

class-map type inspect match-all USERS_PROTOCOLS
 match access-group name USER_ACL
 match protocol http

See Appendix for complete configuration example


Identifying Traffic using Class-maps – Match-Any vs Match-All

• Match-All: Access-list USER_ACL + HTTP (traffic must match the access-list AND the HTTP protocol)
• Match-Any: Access-list USER_ACL || HTTP (traffic matches the access-list OR the HTTP protocol)

See Appendix for complete configuration example


Identifying Traffic – Mixing and Matching

ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp
!
class-map type inspect match-all USERS->INTERNET_CMAP
 match access-group name USER_ACL
 match class-map USER_PROTOCOLS_CMAP


Take Action using Policy-Map

Inspect
• Builds connections for traffic
• Statefully examines the flow
• Allows return packets that match the connection
• Preferred action for traffic

Pass
• Bypasses firewall checks
• Return traffic must be explicitly allowed
• Only for customized traffic

Drop
• Drops packets silently


Take Action using Policy-Map

Class-maps Order of Operation

• Class-maps are processed in order
• Always put more specific match conditions first
• Order matters when applying action/application inspection

Correct order: the specific SMTP class is evaluated before the generic TCP class
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
 class type inspect TCP_TRAFFIC_CMAP
  drop

Wrong order: the generic TCP class matches first, so SMTP traffic is dropped before it ever reaches the inspect class
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect TCP_TRAFFIC_CMAP
  drop
 class type inspect SMTP_TRAFFIC_CMAP
  inspect


Apply Action using Zone-Pair – Apply Policy-map as Service-policy in Zone-pair

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect DEVELOPMENT_TRAFFIC_CMAP
  pass
 class type inspect BLOCK_TRAFFIC_CMAP
  drop
 class type inspect ALLOWED_TRAFFIC_CMAP
  inspect
 class class-default
  drop

zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
 service-policy type inspect USERS->INTERNET_PMAP

• pass (DEVELOPMENT_TRAFFIC_CMAP): customized traffic
• drop (BLOCK_TRAFFIC_CMAP): drop unwanted traffic
• inspect (ALLOWED_TRAFFIC_CMAP): enforce stateful security checks
• drop (class-default): catch-all action

See Appendix for complete configuration example
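The class-map and policy-map semantics from the preceding slides (match-all vs match-any, a nested class-map, and first-match ordering in a policy-map), as an added evaluator that is not part of the original deck. The flows and the ACL network are constructed; `TCP_TRAFFIC_CMAP` is modelled as matching any TCP flow.

```python
"""Evaluator for the class-map / policy-map logic shown on these slides:
match-all vs match-any, nested class-maps, and first-match ordering in a
policy-map. Added example, not from the slides; flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Union


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    protocol: str          # application as the inspection engine would name it


class ClassMap:
    """A 'class-map type inspect' with match-all (AND) or match-any (OR)."""

    def __init__(self, name: str, mode: str, *criteria: "Criterion") -> None:
        assert mode in ("match-all", "match-any")
        self.name, self.mode, self.criteria = name, mode, criteria

    def matches(self, flow: Flow) -> bool:
        results = (c(flow) if callable(c) else c.matches(flow) for c in self.criteria)
        return all(results) if self.mode == "match-all" else any(results)


Criterion = Union[Callable[[Flow], bool], ClassMap]


def match_access_group(network: str) -> Callable[[Flow], bool]:
    """'match access-group name X' for an ACL 'permit ip <network> any'."""
    net = ipaddress.ip_network(network)
    return lambda f: ipaddress.ip_address(f.src) in net


def match_protocol(name: str) -> Callable[[Flow], bool]:
    """'match protocol <name>'."""
    return lambda f: f.protocol == name


class PolicyMap:
    """Ordered list of (class-map, action); class-default applies otherwise."""

    def __init__(self, name: str, entries: list, default_action: str = "drop") -> None:
        self.name, self.entries, self.default_action = name, entries, default_action

    def lookup(self, flow: Flow) -> tuple:
        for cmap, action in self.entries:          # first match wins
            if cmap.matches(flow):
                return cmap.name, action
        return "class-default", self.default_action


# Slide 18: USER_ACL AND (http OR ftp)
USER_PROTOCOLS_CMAP = ClassMap("USER_PROTOCOLS_CMAP", "match-any",
                               match_protocol("http"), match_protocol("ftp"))
USERS_TO_INTERNET_CMAP = ClassMap("USERS->INTERNET_CMAP", "match-all",
                                  match_access_group("192.168.1.0/24"),
                                  USER_PROTOCOLS_CMAP)

# Slide 20: the same two classes in the right and in the wrong order.
# TCP_TRAFFIC_CMAP is modelled as "any TCP flow" (assumption of this example).
SMTP_TRAFFIC_CMAP = ClassMap("SMTP_TRAFFIC_CMAP", "match-all", match_protocol("smtp"))
TCP_TRAFFIC_CMAP = ClassMap("TCP_TRAFFIC_CMAP", "match-all", lambda f: f.dport > 0)
SPECIFIC_FIRST = PolicyMap("INTERNET->APPLICATION_PMAP",
                           [(SMTP_TRAFFIC_CMAP, "inspect"), (TCP_TRAFFIC_CMAP, "drop")])
GENERIC_FIRST = PolicyMap("INTERNET->APPLICATION_PMAP (misordered)",
                          [(TCP_TRAFFIC_CMAP, "drop"), (SMTP_TRAFFIC_CMAP, "inspect")])


def classify_examples() -> dict:
    """Run constructed flows through the class-maps and both policy-maps."""
    user_http = Flow("192.168.1.10", "4.2.2.2", 80, "http")
    user_ssh = Flow("192.168.1.10", "4.2.2.2", 22, "ssh")
    guest_http = Flow("10.9.9.9", "4.2.2.2", 80, "http")
    smtp_in = Flow("198.51.100.7", "192.168.1.25", 25, "smtp")
    return {
        "user_http": USERS_TO_INTERNET_CMAP.matches(user_http),     # ACL ok, http ok
        "user_ssh": USERS_TO_INTERNET_CMAP.matches(user_ssh),       # ACL ok, protocol not
        "guest_http": USERS_TO_INTERNET_CMAP.matches(guest_http),   # protocol ok, ACL not
        "smtp_specific_first": SPECIFIC_FIRST.lookup(smtp_in),
        "smtp_generic_first": GENERIC_FIRST.lookup(smtp_in),
    }


if __name__ == "__main__":
    for key, value in classify_examples().items():
        print(f"{key}: {value}")
```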


Apply Action using Zone-Pair

Verifying Traffic on Zone Based Firewall

• ZBFW builds a connection for inspected traffic
• Uptime and Bytes can be used to verify functionality
  • Bytes sent increasing = traffic is flowing successfully
  • Last heard at 00:00:00 = traffic is flowing successfully
• The output shows the zone-pair, service-policy, policy-map and class-map (ZP, SP, PM, CM), the total sessions for the zone-pair, the uptime of each connection and the bytes transferred

IOS-FW# show policy-firewall session zone-pair USERS->INTERNET_ZP
Zone-pair: USERS->INTERNET_ZP
Service-policy inspect : USERS->INTERNET_PMAP
  Class-map : USERS->INTERNET_CMAP(match-all)
    Established Sessions = 1
    Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
      Created 00:00:08, Last heard 00:00:08
      Bytes sent (initiator:responder) [164:5980]
  Class-map : class-default(match-any)

See Appendix for complete configuration example


Apply Action using Zone-Pair

Advanced Inspection – Protocol vs Application

• Basic TCP inspection
  • Layer 4 security checks
  • Stateful tracking of the connection
• Advanced Layer 7 inspection
  • Permit or drop traffic based on Layer 7 information
  • Layer 7 protocol compliance (e.g. SIP)
  • Dynamic opening of child connections (e.g. SIP, H.323, FTP)

Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB

What's the difference? The first session was matched as plain tcp (basic Layer 4 inspection); the second shows http:tcp, meaning the HTTP application inspection is applied on top of the TCP session.


Out of Order Packet Handling

• Application inspection requires packets to arrive in order
• Out of Order (OoO) processing queues packets so they can be ordered
• Increasing the OoO queue size reduces inspection-based packet loss

parameter-map type ooo global
 tcp reassembly memory limit 1024
 tcp reassembly queue length 16
 tcp reassembly timeout 30

• queue length: increase to allow more OoO packets
• timeout: increase to compensate for latency in retransmission

Apr 3 10:40:30.662: %FW-6-DROP_PKT: Dropping tcp session 4.2.2.2:80 10.1.1.1:58899 on zone-pair INSIDE->OUTSIDE_ZP class USERS_CMAP due to Out-Of-Order Segment with ip ident 0


Port Application Mapping (PAM)

• Application inspection ports can be changed or modified
• Access-lists can be used to limit inspection ports to specific hosts (port 8888 is treated as HTTP only for hosts in list 99)
• Used for overlapping inspection ports
• View existing ports for application inspection:

Router# show ip port-map | i http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8080 user defined
Default mapping: http tcp port 8888 in list 99 user defined

Router(config)# ip port-map http port 8080
Router(config)# ip port-map http port 8888 list 99


Application Aware

• What is an application?
• Are these applications or just ports?
• What about these?

HTTP   80
FTP    21
SMTP   25
IMAP   143


Blocking Websites using Zone Based Firewall

• Block websites using local URL filtering
• Match URLs using a regex parameter-map
• The URL is in the Host field (and URI) of the HTTP GET packet
• Sending a reset is the only action supported when a URL is matched

[Diagram: Ethernet header (source MAC, destination MAC) | IP header (source IP, destination IP) | TCP header (source port, destination port) | HTTP data (request method, Host, URI)]

parameter-map type regex BLACKLIST_URLS
 pattern .*cisco.*
 pattern .*facebook.*

See Appendix for complete configuration example


Blocking Websites – Results

• The number of regex patterns is limited by the device
  • e.g. a 3925 with 250 URLs
• The user gets no feedback
  • The connection is reset
  • May generate support calls from end clients
• Will not match HTTPS traffic

See BRKSEC-2042 Content Filtering in the Enterprise


Application Visibility and Control (AVC)

• AVC leverages NBAR2 protocol packs to identify complex traffic flows
• Application monitoring in addition to port monitoring
• Applied using MQC
• The feature operates independently of ZBFW
• Integrates with Flexible NetFlow to monitor traffic

[Diagram: IP / TCP / HTTP headers, with the application (YouTube? Facebook?) identified above the HTTP layer]

See BRKSEC-2042 Content Filtering in the Enterprise


NBAR2 and Application Visibility Control

• NBAR2 can be leveraged to match traffic using MQC

class-map match-any P2P_APPLICATIONS
 match protocol bittorrent
 match protocol bittorrent-networking
 match protocol dht
 match protocol attribute sub-category p2p-file-transfer
!
policy-map RATE_LIMIT_P2P
 class P2P_APPLICATIONS
  police 8000 conform-action transmit exceed-action drop
!
interface Ethernet0/0
 service-policy input RATE_LIMIT_P2P


Content Scanning Configuration

Cloud Web Security (CWS)

• CWS integration provides
  • User identification
  • URL tracking
  • Stateful TCP/HTTP enforcement
• Preferred solution for content scanning
  • Scalability through offloaded URL filtering
  • Monitoring through user identification integration
• IPv4-only feature

interface Ethernet0/0
 ip nat outside
 zone-member security OUTSIDE
 content-scan out

IOS# show content-scan session active
Protocol  Source             Destination          Bytes          Time
HTTP      10.1.1.100:57152   209.222.159.185:80   (1635:331595)  00:00:12
  URI: www.cisco.com
  Username/usergroup(s): ciscouser10/ ciscogroup10

The output shows the total data transferred (Bytes), the website visited (URI) and the user identity integration (Username/usergroup).

See Appendix for complete configuration example


QoS Policy using Zone Based Firewall

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect HTTP_CMAP
  police rate 10000000 burst 250000
 class type inspect BITTORRENT_CMAP
  police rate 5000000 burst 500000

[Diagram: on a 20 Mbps link, HTTP is policed to 10 Mbps and BitTorrent to 5 Mbps, leaving 5 Mbps or more for voice]

• Simple traffic policer: matched traffic is rate limited to the specified value
• 5 Mbps is reserved for voice traffic


Features to Protect Data Plane Services

• Connection limits within ZBFW
  • Protect the device and endpoints from resource exhaustion
• TCP Intercept to protect against SYN flood attacks
• uRPF to defend against spoofing attacks
• VFR to defend against fragmentation attacks


Advanced ZBFW Connection Limits

Timeouts

• ZBFW will send resets to both endpoints once the timer expires

parameter-map type inspect CONN_TIMEOUT_PARAM
 tcp idle-time 3600
 tcp synwait-time 30

• tcp idle-time: connection timeout
• tcp synwait-time: half-open session timeout (30 seconds)

[Diagram: a TCP SYN opens a half-open session; after 30 seconds without the handshake completing, the ZBFW sends a TCP RST to each endpoint]

See Appendix for complete configuration example


Advanced ZBFW Connection Limits – Maximums and Rates

parameter-map type inspect CONN_LIMIT_PARAM
 sessions maximum 1000
 max-incomplete high 100 low 75
 one-minute high 50
 one-minute low 25

• sessions maximum: total sessions allowed (1000 connections are accepted; the 1001st connection is not)
• max-incomplete high/low: total half-open sessions, with clamping (clamping starts at the high mark and stops once the count is below the low mark)
• one-minute high/low: rate of new connections on the device

See Appendix for complete configuration example


SYN Flood Attack Mitigation using TCP Intercept

[Diagram: the two TCP Intercept modes. Intercept mode: the router answers the client's SYN with a SYN+ACK itself and, only after the client's ACK completes the handshake, opens the connection to the server (SYN, SYN+ACK, ACK). Watch mode: the handshake (SYN, SYN+ACK, ACK) passes through while the router watches it; if it does not complete in time, the router sends a RST to both sides]

See Appendix for complete configuration example


Spoofing Attacks – Unicast Reverse Path Forwarding

Router# show ip route
C 10.1.1.0/24 directly connected, Ethernet0/0
C 192.168.1.0/24 directly connected, Ethernet0/1
S 20.1.1.0/24 via Ethernet0/0

[Diagram: a packet with source 20.1.1.100 and destination 10.1.1.200 arrives on Ethernet0/1, but the route to 20.1.1.0/24 points out Ethernet0/0, so the source address fails the reverse path check]

See Appendix for complete configuration example


Spoofing Attack Mitigation

• Strict mode
  • The source address is in the Forwarding Information Base (FIB) and reachable only through the interface on which the packet was received
• Loose mode
  • The source address is in the FIB and reachable through any interface on the router
  • Used for asymmetric routing or multi-homed ISP connections
• uRPF configuration example

Strict mode:
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via rx

Loose mode:
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via any
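The strict and loose checks above, run against the routing table from the previous slide, as an added example that is not part of the original deck. The FIB entries are the ones in the `show ip route` output; the packets are constructed, and skipping a default route unless `allow_default` is set mirrors the IOS behaviour of ignoring the default route without the `allow-default` keyword.

```python
"""Unicast RPF check against the routing table from the slide, in strict
and loose mode. Added example, not from the slides; the FIB entries are
the ones shown in 'show ip route', the packets are constructed."""
import ipaddress
from typing import Optional

# FIB from the slide: (prefix, egress interface)
FIB = [
    ("10.1.1.0/24", "Ethernet0/0"),
    ("192.168.1.0/24", "Ethernet0/1"),
    ("20.1.1.0/24", "Ethernet0/0"),
]


def fib_lookup(address: str, fib=FIB, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None.
    A 0.0.0.0/0 entry is ignored unless allow_default is set, mirroring the
    IOS behaviour where uRPF skips the default route without 'allow-default'."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src: str, ingress: str, mode: str, fib=FIB) -> bool:
    """'ip verify unicast source reachable-via rx' (strict) requires the
    source to be routed back out the ingress interface; 'reachable-via any'
    (loose) only requires some route to the source to exist."""
    reverse = fib_lookup(src, fib)
    if reverse is None:
        return False                     # no route to the source: fails in both modes
    if mode == "strict":
        return reverse == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


def slide_packet() -> dict:
    """The packet drawn on the slide: source 20.1.1.100 arriving on Ethernet0/1."""
    return {
        "strict": urpf_check("20.1.1.100", "Ethernet0/1", "strict"),
        "loose": urpf_check("20.1.1.100", "Ethernet0/1", "loose"),
    }


if __name__ == "__main__":
    print("20.1.1.100 in on Ethernet0/1:", slide_packet())
    print("192.168.1.5 in on Ethernet0/1 (strict):",
          urpf_check("192.168.1.5", "Ethernet0/1", "strict"))
```

Loose mode lets the spoofed packet through because a route to 20.1.1.0/24 exists somewhere; only strict mode ties the source to the ingress interface.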


IP Fragmentation Attacks

[Diagram: an original packet (IP header, TCP header, data) split into fragments, illustrating three attacks: a tiny fragment, where the first fragment is too small to hold the whole TCP header; overlapping fragments, where fragment 2 overwrites part of fragment 1 on reassembly; and a buffer overflow of the reassembly buffer]


IP Fragmentation Attack Mitigation

IP Virtual Fragment Reassembly (VFR) Configuration

• Enabling VFR
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in

• Restricting the number of concurrent IP datagrams
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-reassemblies 64

• Limiting the number of fragments per IP datagram
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-fragments 16

• Drop all IP fragments
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in drop-fragments

See Appendix for log information
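A model of the checks the VFR options above correspond to (concurrent-datagram cap, fragments-per-datagram cap, overlapping fragments, tiny first fragment), as an added example that is not part of the original deck. The fragments and thresholds are constructed; the "tiny fragment" rule used here (first fragment must carry at least 20 bytes, a full TCP header) is an assumption of this model, not the exact VFR rule.

```python
"""Model of the checks IP Virtual Fragment Reassembly (VFR) performs: a cap
on concurrent datagrams (max-reassemblies), a cap on fragments per datagram
(max-fragments), detection of overlapping fragments and of a tiny first
fragment that cannot hold the transport header.

Added example, not from the slides; thresholds and fragments are constructed,
and the 'tiny' rule (first fragment must carry 20 bytes) is an assumption."""
from dataclasses import dataclass

MIN_FIRST_FRAGMENT = 20   # assumption: first fragment must hold a full TCP header


@dataclass(frozen=True)
class Fragment:
    src: str
    ident: int        # IP identification field
    offset: int       # byte offset of this fragment's payload
    length: int       # payload bytes carried
    more: bool        # More Fragments flag


class VirtualReassembler:
    def __init__(self, max_reassemblies: int = 64, max_fragments: int = 16) -> None:
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.table = {}   # (src, ident) -> list of fragments seen so far

    def _complete(self, frags: list) -> bool:
        """All bytes from 0 to the end of the last fragment are present."""
        ordered = sorted(frags, key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset != expected:
                return False
            expected += f.length
        return not ordered[-1].more

    def receive(self, frag: Fragment) -> str:
        """Return 'accept', 'complete' or 'drop:<reason>' for this fragment."""
        key = (frag.src, frag.ident)
        if frag.offset == 0 and frag.more and frag.length < MIN_FIRST_FRAGMENT:
            return "drop:tiny-fragment"
        if key not in self.table:
            if len(self.table) >= self.max_reassemblies:
                return "drop:max-reassemblies"
            self.table[key] = []
        frags = self.table[key]
        if len(frags) + 1 > self.max_fragments:
            del self.table[key]                     # give up on this datagram
            return "drop:max-fragments"
        end = frag.offset + frag.length
        for f in frags:
            if frag.offset < f.offset + f.length and f.offset < end:
                del self.table[key]
                return "drop:overlapping-fragment"
        frags.append(frag)
        if self._complete(frags):
            del self.table[key]
            return "complete"
        return "accept"


def demo() -> dict:
    """Constructed datagrams exercising each VFR check."""
    vfr = VirtualReassembler(max_reassemblies=64, max_fragments=16)
    results = {}
    # 1. a normal two-fragment datagram is accepted and reassembled
    results["normal"] = [vfr.receive(Fragment("10.1.1.5", 1, 0, 1480, True)),
                         vfr.receive(Fragment("10.1.1.5", 1, 1480, 200, False))]
    # 2. second fragment overlaps bytes 1000-1479 of the first
    vfr.receive(Fragment("10.1.1.6", 2, 0, 1480, True))
    results["overlap"] = vfr.receive(Fragment("10.1.1.6", 2, 1000, 600, False))
    # 3. a first fragment of 8 bytes cannot hold the TCP header
    results["tiny"] = vfr.receive(Fragment("10.1.1.7", 3, 0, 8, True))
    # 4. the 17th fragment of one datagram exceeds max-fragments 16
    verdicts = [vfr.receive(Fragment("10.1.1.8", 4, i * 64, 64, True)) for i in range(17)]
    results["too_many"] = verdicts[-1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```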


Logging Dropped Packets

• Dropped-packet logging is enabled in two ways:
  1. Globally in the parameter-map (does not affect drop actions)
  2. With the drop action (logs only traffic in that class-map)
• Dropped-packet logging is rate limited after the first hit
  • Logs are summarized and rate limited to 256 flows every 30 seconds
• Used for troubleshooting; unreliable for global monitoring

policy-map type inspect USERS->INTERNET_PMAP
 class class-default
  drop log

parameter-map type inspect global
 log dropped-packets enable
 log summary rate 30 flows 256

%FW-6-DROP_PKT: Dropping tcp session 192.168.1.100:29201 4.2.2.2:81 on zone-pair INSIDE->OUTSIDE_ZP class class-default due to DROP action found in policy-map with ip ident 0

See Appendix for complete functionality example


Logging New Connections

• Logging new connections is not on by default
  • Processor intensive: interrupt-driven messages can cause high CPU
  • Similar to the log keyword on ACLs
• Used for troubleshooting
  • Not recommended for monitoring

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Stop tcp session: initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes

See Appendix for complete configuration example
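A parser for the two syslog formats shown on the logging slides (%FW-6-DROP_PKT and the %FW-6-SESS_AUDIT_TRAIL start/stop pair), as an added example that is not part of the original deck. The regexes are written against the messages printed on the slides; the sample log contains those messages plus one constructed unrelated line.

```python
"""Parser for the ZBFW syslog formats shown on these slides (%FW-6-DROP_PKT
and the %FW-6-SESS_AUDIT_TRAIL start/stop pair), producing a drop summary
per zone-pair/class/reason and a per-session byte count.

Added example, not from the slides. The sample lines are the messages printed
on the slides plus one constructed unrelated message."""
import re
from collections import Counter

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<a>[\d.]+):(?P<ap>\d+) (?P<b>[\d.]+):(?P<bp>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cm>\S+) due to (?P<reason>.+?) "
    r"with ip ident (?P<ident>\d+)"
)
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL(?:_START)?: \(target:class\)-\((?P<zp>[^:]+):(?P<cm>[^)]+)\):"
    r"(?P<event>Start|Stop) (?P<proto>\w+) session: "
    r"initiator \((?P<i>[\d.]+):(?P<iport>\d+)\)(?: sent (?P<ib>\d+) bytes)? -- "
    r"responder \((?P<r>[\d.]+):(?P<rport>\d+)\)(?: sent (?P<rb>\d+) bytes)?"
)


def parse_line(line: str):
    """Return a dict describing the firewall event, or None for other lines."""
    m = DROP_RE.search(line)
    if m:
        d = m.groupdict()
        return {"type": "drop", "zone_pair": d["zp"], "class": d["cm"],
                "reason": d["reason"],
                "flow": f"{d['a']}:{d['ap']}->{d['b']}:{d['bp']}"}
    m = AUDIT_RE.search(line)
    if m:
        d = m.groupdict()
        event = {"type": d["event"].lower(), "zone_pair": d["zp"], "class": d["cm"],
                 "session": f"{d['i']}:{d['iport']}->{d['r']}:{d['rport']}"}
        if d["event"] == "Stop":
            event["bytes"] = (int(d["ib"]), int(d["rb"]))   # (initiator, responder)
        return event
    return None


def summarize(lines) -> dict:
    """Count drops by (zone-pair, class, reason); map sessions to byte counts."""
    drops = Counter()
    sessions = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["type"] == "drop":
            drops[(ev["zone_pair"], ev["class"], ev["reason"])] += 1
        elif ev["type"] == "start":
            sessions.setdefault(ev["session"], None)     # open, no bytes yet
        elif ev["type"] == "stop":
            sessions[ev["session"]] = ev["bytes"]
    return {"drops": dict(drops), "sessions": sessions}


SAMPLE_LOG = [
    # messages as printed on the slides
    "%FW-6-DROP_PKT: Dropping tcp session 192.168.1.100:29201 4.2.2.2:81 on zone-pair "
    "INSIDE->OUTSIDE_ZP class class-default due to DROP action found in policy-map with ip ident 0",
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp "
    "session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)",
    "%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Stop tcp session: "
    "initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes",
    "Apr 3 10:40:30.662: %FW-6-DROP_PKT: Dropping tcp session 4.2.2.2:80 10.1.1.1:58899 on zone-pair "
    "INSIDE->OUTSIDE_ZP class USERS_CMAP due to Out-Of-Order Segment with ip ident 0",
    # constructed: an unrelated message the parser must ignore
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, count in report["drops"].items():
        print("drop", key, count)
    for session, nbytes in report["sessions"].items():
        print("session", session, nbytes)
```

Because IOS summarizes and rate limits drop messages (256 flows per 30 seconds by default here), the drop counts this produces are a troubleshooting aid, not a complete count of dropped packets.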


Monitoring Traffic

Router# show access-list 100
Extended IP access list 100
 permit icmp any any echo (2 matches)
 permit icmp any any echo-reply (2 matches)
 permit tcp any any eq www (21374 matches)
 permit udp any any (15 matches)
 permit ip any any (45 matches)

[Diagram: access-list 100 and NetFlow applied inbound on Ethernet0/1; traffic leaves via Ethernet0/0]

Router(config)# interface Ethernet0/1
Router(config-if)# ip access-group 100 in
Router(config-if)# ip flow ingress


Tracking Source of DoS attacks

Router# show ip cache flow

...

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-WWW 255 0.0 1 64 255.0 4.0 15.5

...

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Et0/1 203.0.113.102 Et0/0 10.1.1.10 06 CDF7 0050 1

Et0/1 203.0.113.103 Et0/0 10.1.1.10 06 CDF7 0050 1

Et0/1 203.0.113.104 Et0/0 10.1.1.10 06 CDF7 0050 1

Et0/1 203.0.113.105 Et0/0 10.1.1.10 06 CDF7 0050 1

...

Callouts on the flow records: incrementing attacker IP (SrcIPaddress), same victim IP (DstIPaddress), same TCP ports (SrcP/DstP), and a single packet per attack (Pkts = 1).
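The pattern called out above (many source addresses, one victim, constant ports, one packet per flow) can be picked out of a flow export automatically. The script below is an added example, not from the deck or from Cisco: it parses rows in the layout of show ip cache flow and groups single-packet flows by victim, protocol and destination port. The flow rows are constructed; the threshold values are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed flow records in the layout of "show ip cache flow": the five 203.0.113.x
# flows reproduce the pattern called out above, the last two are ordinary traffic.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/1         203.0.113.102   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.103   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.104   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.105   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.106   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         198.51.100.7    Et0/0         10.1.1.20       06 E21A 0050   412
Et0/1         198.51.100.9    Et0/0         10.1.1.20       11 A1B2 0035     3
"""


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int      # IP protocol number (the Pr column is hex)
    sport: int      # SrcP column is hex
    dport: int      # DstP column is hex
    pkts: int


def parse_flow_table(text: str) -> List[Flow]:
    """Parse the per-flow rows; header and '...' lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[7].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], parts[2], parts[3],
                          int(parts[4], 16), int(parts[5], 16), int(parts[6], 16),
                          int(parts[7])))
    return flows


def find_spoofed_floods(flows: List[Flow], min_sources: int = 4,
                        max_pkts_per_flow: int = 1
                        ) -> List[Tuple[str, int, int, List[str], List[int]]]:
    """Group single-packet flows by (victim, protocol, destination port) and report the
    groups fed by at least min_sources distinct source addresses.  Many sources that each
    send exactly one packet to one service is the signature on the slide: a flood with
    spoofed or incrementing source addresses.  The set of source ports is returned too,
    because one constant source port across 'different' hosts is a further sign that the
    packets come from a single generator."""
    sources: Dict[Tuple[str, int, int], Set[str]] = defaultdict(set)
    sports: Dict[Tuple[str, int, int], Set[int]] = defaultdict(set)
    for f in flows:
        if f.pkts <= max_pkts_per_flow:
            sources[(f.dst, f.proto, f.dport)].add(f.src)
            sports[(f.dst, f.proto, f.dport)].add(f.sport)
    return [(dst, proto, dport, sorted(srcs), sorted(sports[(dst, proto, dport)]))
            for (dst, proto, dport), srcs in sorted(sources.items())
            if len(srcs) >= min_sources]


if __name__ == "__main__":
    for dst, proto, dport, srcs, sp in find_spoofed_floods(parse_flow_table(SAMPLE_FLOWS)):
        print(f"{dst} proto {proto} port {dport}: {len(srcs)} sources, source ports {sp}")
```

On a real export the thresholds need tuning per site: a busy web server legitimately sees many one-packet flows (SYN-only scans, retransmitted resets), so the source-port constancy and the rate of new sources per second are better discriminators than the source count alone.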


Data Plane Security using Zone Based Firewall

Permit trusted traffic

Create application aware policy

Apply QoS and rate limit

Establish connections limits

Log firewall traffic

Allow tunneled/VPN traffic


Data Plane Security of Tunneled Traffic using ZBFW

• Tunneled traffic can be encrypted

• Tunnel traffic is control plane, whereas transit traffic is data plane

• Tunnels are used to connect remote locations

• Connect to all remote locations using a VPN to allow secure connectivity

• Traffic should still be subjected to ZBFW because it may not be trusted

Tunneled traffic:

• Self-to-Out zone-pair will identify Tunnel (ESP/GRE/6in4) traffic

• Pass as an action

Unencapsulated traffic:

• Inside-to-Tunnel zone-pair will identify the data plane traffic

• Inspect as an action to allow return traffic through


ZBFW and Tunneling

• Remote zone depends on Tunnel configuration

• Crypto map on interface

• VTI

• VPN packet is always sourced from self zone since it is generated by the router

(Diagram: the client packet SRC A DST B travels from the Local Zone into the Remote Zone through the tunnel; the VPN packet SRC X DST Y that carries it is sourced from the Self Zone toward the Internet Zone.)


ZBFW and Tunneling Design Considerations

• Firewall policies should be applied on device before encapsulation or encryption occurs

• 6in4 tunneling is becoming more common and is an easy way to circumvent established security policies

• ZBFW can be used to protect both IPv6 and IPv4 stacks if positioned and deployed correctly

(Diagram: IPv6 hosts A and B exchange traffic over an IPv4 tunnel between X and Y; the zones are LOCAL, OUTSIDE and REMOTE. The inner traffic is matched by the zone-pair source LOCAL destination REMOTE, the encapsulated traffic by the zone-pair source SELF destination OUTSIDE.)

interface Tunnel0

zone-member security REMOTE

tunnel mode [ipsec|gre|ipv6ip]

interface WAN

zone-member security OUTSIDE
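The two zone-pairs on this slide are easiest to see as two lookups on the same packet: once as the inner packet routed into Tunnel0 (LOCAL to REMOTE, inspected) and once as the encapsulated packet the router itself sends out the WAN (self to OUTSIDE, passed). The model below is an added illustration, not IOS code and not from the deck. It assumes a simple destination-to-interface routing table, the interface names Ethernet0/1, Tunnel0 and Ethernet0/0, and the ZBFW defaults that intra-zone traffic is not policed, traffic to or from the self zone is allowed when no zone-pair covers it, and other inter-zone traffic without a zone-pair is dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SELF = "self"   # ZBFW's implicit zone for traffic the router itself sends or receives


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str]   # interface the packet arrived on; None = generated by the router


class ZbfwTunnelModel:
    """Minimal model of zone-pair lookup for traffic that is routed into a tunnel.

    Constructed as an illustration, not IOS code.  Routing is a plain
    destination -> egress-interface table.  Defaults modelled: intra-zone traffic
    is not policed, traffic to or from the self zone is allowed when no zone-pair
    covers it, and any other inter-zone traffic without a zone-pair is dropped."""

    def __init__(self) -> None:
        self.zone_of_if: Dict[str, str] = {}                 # interface -> zone
        self.routes: Dict[str, str] = {}                     # destination -> egress interface
        self.zone_pairs: Dict[Tuple[str, str], str] = {}     # (src zone, dst zone) -> action
        self.tunnels: Dict[str, Tuple[str, str]] = {}        # tunnel if -> (tunnel src, tunnel dst)

    def zone_of(self, intf: Optional[str]) -> str:
        return SELF if intf is None else self.zone_of_if[intf]

    def action(self, src_zone: str, dst_zone: str) -> str:
        if src_zone == dst_zone:
            return "pass"
        if (src_zone, dst_zone) in self.zone_pairs:
            return self.zone_pairs[(src_zone, dst_zone)]
        return "pass" if SELF in (src_zone, dst_zone) else "drop"

    def evaluate(self, pkt: Packet) -> List[Tuple[str, str]]:
        """Return the (zone-pair, action) decisions a packet passes through."""
        src_zone = self.zone_of(pkt.in_if)
        egress = self.routes[pkt.dst]
        dst_zone = self.zone_of(egress)
        steps = [(f"{src_zone}->{dst_zone}", self.action(src_zone, dst_zone))]
        if steps[-1][1] != "drop" and egress in self.tunnels:
            # The encapsulated packet is a new packet sourced by the router, so it is
            # evaluated again, now from the self zone toward the tunnel destination.
            tsrc, tdst = self.tunnels[egress]
            steps.extend(self.evaluate(Packet(tsrc, tdst, None)))
        return steps


def build_example() -> ZbfwTunnelModel:
    """Topology of the slide: LOCAL host A, REMOTE host B behind Tunnel0, WAN in OUTSIDE.
    Interface names, routes and zone-pair actions are assumptions of this example."""
    m = ZbfwTunnelModel()
    m.zone_of_if = {"Ethernet0/1": "LOCAL", "Tunnel0": "REMOTE", "Ethernet0/0": "OUTSIDE"}
    m.routes = {"A": "Ethernet0/1", "B": "Tunnel0", "Y": "Ethernet0/0"}
    m.tunnels = {"Tunnel0": ("X", "Y")}              # Tunnel0 encapsulates X -> Y
    m.zone_pairs = {("LOCAL", "REMOTE"): "inspect",  # source LOCAL destination REMOTE
                    (SELF, "OUTSIDE"): "pass"}       # source SELF destination OUTSIDE
    return m


if __name__ == "__main__":
    model = build_example()
    print(model.evaluate(Packet("A", "B", "Ethernet0/1")))   # inner packet, then outer packet
    print(model.evaluate(Packet("Z", "B", "Ethernet0/0")))   # unencapsulated packet from the WAN
```

The second evaluation shows why the tunnel interface must be a zone member: a packet for B that arrives unencapsulated on the WAN is OUTSIDE to REMOTE, a zone-pair that does not exist, so it is dropped instead of riding the inspected LOCAL to REMOTE policy.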


ZBFW Interaction with Other Features

(Diagram: features that coexist on the same interface: Interface ACL, ZBFW, NAT, QoS, VPN)

interface Ethernet0/1

ip access-group name IN_ACL in

zone-member security INSIDE

ip nat inside

service-policy input QoS

crypto map CRYPTO_MAP

See Appendix for complete configuration example


Summary of ZBFW features

Columns: Feature, ZBFW, IOS

Access Control

ZBFW: Zone members/Zone Pairs

• Stateful

• Scalable

IOS: Interface access-lists

• Not stateful

• Cannot integrate with VPN

Application Aware Policies

ZBFW: Layer 7 inspection policy

• Integrated into inspection

• Utilizes NBAR for matching

IOS: NBAR/AVC using MQC

• Independent configuration

• Not stateful

Quality of Service (QoS)

ZBFW: Policing integrated with ZBFW policy-map

• Simple policing

IOS: Traffic shaping with interface QoS policy

• Optimizes traffic flow

Monitoring

ZBFW: Audit-trail in global parameter-map

• Interrupt driven connection information

IOS: ACL log hits

• Simplified packet counting

IOS: Netflow

• Connection oriented packet counting


Insurance

• If router is compromised

• How to mitigate the impact?

• Restore device back to last known working condition?

• Mitigating the impact of configuration changes

• Configuration Archive

• IOS Resiliency

• Tracking down the source of the change

• Command Accounting


Configuration Backup and Rollback

• Stores configuration periodically to destination location

• Force a configuration archive

• Rollback configuration

• Introduced 12.3(7)T

archive

path disk0:myconfig_backup

maximum 5

time-period 1440

Router# configure replace disk0:myconfig_backup-<date>

Router# archive configuration


IOS Resiliency

• Saves a copy of the running-config and system image onto local storage

• This is called the primary bootset

• Primary bootset can be used to restore a previous image and config

• Feature can only be disabled by a console session

• Can be initially enabled via any CLI session

• Introduced in 12.3(8)T

(Diagram: Running Config + System Image -> Primary Bootset)

See Appendix for complete configuration example


Network Accounting

• Log command history to location

• Local archive

• ACS

• Tracks configuration changes

• Per-session

• Per-user

• Introduced 12.4(11)T

See Appendix for complete configuration example

archive

log config

logging enable

logging size 200

hidekeys

notify syslog

Router#show archive log config all

idx sess user@line Logged command

1 8 NOC@vty0 |interface Ethernet0/2

2 8 NOC@vty0 | shutdown
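The configuration log answers "who changed what, in which session", but the flat list loses the sub-mode context unless the indentation after the "|" is taken into account. The script below is an added example, not from the deck or from Cisco: it parses output in the layout of show archive log config all, re-attaches each indented command to the mode-entering command of the same session, and flags a small constructed watch-list of changes worth a follow-up with the user@line that made them. The log rows and the watch-list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed output in the layout of "show archive log config all".  Commands logged with
# a leading space after the "|" were entered inside the sub-mode of the preceding command.
SAMPLE_CONFIG_LOG = """\
idx   sess           user@line      Logged command
    1     8           NOC@vty0      |interface Ethernet0/2
    2     8           NOC@vty0      | shutdown
    3     9      admin@console      |no logging host 10.1.1.50
    4     9      admin@console      |interface Ethernet0/1
    5     9      admin@console      | description WAN uplink
"""

ROW_RE = re.compile(r"^\s*(?P<idx>\d+)\s+(?P<sess>\d+)\s+(?P<who>\S+)\s+\|(?P<cmd>.*)$")


@dataclass(frozen=True)
class ConfigChange:
    idx: int
    session: int
    user_line: str          # user@line, e.g. NOC@vty0
    context: Optional[str]  # enclosing mode command (e.g. "interface Ethernet0/2") or None
    command: str


def parse_config_log(text: str) -> List[ConfigChange]:
    """Turn the flat log into records that keep the sub-mode each command was issued in."""
    changes: List[ConfigChange] = []
    context: dict = {}   # per session: the most recent top-level (mode-entering) command
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        sess = int(m["sess"])
        raw = m["cmd"]
        if raw.startswith(" "):          # indented: issued inside the current sub-mode
            ctx = context.get(sess)
        else:                             # top level: starts a new context for this session
            ctx = None
            context[sess] = raw.strip()
        changes.append(ConfigChange(int(m["idx"]), sess, m["who"], ctx, raw.strip()))
    return changes


# Constructed watch-list: (predicate on context, predicate on command, reason)
RISKY = [
    (lambda ctx: ctx is not None and ctx.startswith("interface"),
     lambda cmd: cmd == "shutdown", "interface shut down"),
    (lambda ctx: ctx is None, lambda cmd: cmd.startswith("no logging"), "logging removed"),
    (lambda ctx: ctx is None, lambda cmd: cmd.startswith("no aaa"), "AAA removed"),
    (lambda ctx: ctx is None, lambda cmd: cmd.startswith("no archive"), "config archive removed"),
]


def risky_changes(changes: List[ConfigChange]) -> List[Tuple[ConfigChange, str]]:
    """Changes that match the watch-list, with the reason, for follow-up with the user@line."""
    hits = []
    for c in changes:
        for ctx_ok, cmd_ok, reason in RISKY:
            if ctx_ok(c.context) and cmd_ok(c.command):
                hits.append((c, reason))
                break
    return hits


if __name__ == "__main__":
    for change, reason in risky_changes(parse_config_log(SAMPLE_CONFIG_LOG)):
        print(f"idx {change.idx} session {change.session} {change.user_line}: "
              f"{change.context or '(global)'} / {change.command} -> {reason}")
```

With notify syslog enabled as on the slide, the same rows arrive at the collector one at a time; the per-session context dictionary is what lets the parser work on a stream rather than on a complete dump.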


User Identity


User Identity Concepts

• What happens when a user moves within a network?

• Effective security policies track users throughout the network

• Tracking can be done using:

• IP address

• Username

• OS/Application/etc


See Appendix for address assignment information


Types of Authentication (columns: Active, Passive, Transparent)

Active

Definition:

• Router learns user credentials directly from Client

• Username and password are verified against ACS/ISE/AD

Example:

• Authentication Proxy using ACS

• Browser based NTLM

Passive

Definition:

• User provides credentials to a third-party device

• Router learns user information from third-party device

Example:

• Security Group Tagging using Dot1x

Transparent

Definition:

• Router learns user credentials directly from Client

• Not checked against external server

• Router just trusts user information

Example:

• Do Not Use!


Authentication Proxy Overview

• Client prompted for credentials by login prompt

• Username and password are checked

• Local

• Radius

• Radius can pass down attributes

• Downloadable ACL

• User Groups

• Security Group Tagging

IPv4 only feature


Authentication Proxy Traffic Flow – User Challenge

(Diagram: the client opens an HTTP connection; the router challenges "Who are you?" and the client answers "I am UserA"; ACS/ISE is the authentication server consulted next.)


Authentication Proxy Traffic Flow – Consult ACS

ip access-list extended DACL

permit tcp any any eq 80

permit tcp any any eq 443

permit icmp any any

(Diagram: the router asks ACS/ISE "What should I do with UserA?"; ACS/ISE answers "Permit UserA, BUT restrict their access using this ACL.")


Authentication Proxy Traffic Flow – Apply Action

(Diagram: ACS/ISE returns a different downloadable ACL for UserA and for UserB; the router applies each one to that user's traffic.)

ip access-list extended UserA_DACL

permit tcp any any eq 80

permit tcp any any eq 443

permit tcp any any eq 21

ip access-list extended UserB_DACL

permit tcp any any eq 80

permit tcp any any eq 443

permit icmp any any

See Appendix for complete configuration example


Consent Parameter-map

• User is forced to accept terms of use before logging in

• Login success only if terms are accepted

• Terms of use can be regularly updated through an on-device HTML file

• Legal requirements for certain environments

See Appendix for complete configuration example


User Group Tagging – Consult ACS/ISE

• Routers will ask the ACS/ISE for group information of the user

• Group information is known as tags/SGT

• Router will apply specific configuration based on these tags

• Configuration on each router is known as template

(Diagram: the router asks ACS/ISE "What should I do with UserA?"; ACS/ISE answers "Permit UserA, BUT mark them with this special Cisco user tag." and returns the Cisco AVPair: Supplicant Group = ENG, SGT = 3.)


User Group Tagging – Traffic Processing

(Diagram: two users, UserA and UserB, one in User Group MKT with SGT 3 and the other in User Group ENG with SGT 4, as returned by ACS/ISE; the router matches each user's traffic against the class-map for that group/tag.)

class-map type inspect INSIDE->OUTSIDE_CMAP

match user-group ENG

match security-group source tag 4

class-map type inspect INSIDE->OUTSIDE_CMAP

match user-group MKT

match security-group source tag 3

User Groups/SGT render identity features stateful


Security Group Tagging – Traffic Path (Passive Authentication)

(Diagram: the client authenticates with Dot1x against ACS/ISE and is assigned SGT 3; its HTTP connection reaches the router carrying SGT 3.)

class-map type inspect INSIDE->OUTSIDE_CMAP

match security-group source tag 3

• All devices need to be supported platforms on supported versions

• Comprehensive SGT requires a full end-to-end integration


High Availability


High Availability (HA)

• Device and interface level redundancy ensure no connectivity loss

• Traffic must always pass through the Active Device

• Configurations are not replicated between units

• Example of independent features

• Routing tables

• Interface configurations

• Firewall features

• Traffic is mapped using Redundant Interface Identifier (rii)

• Interfaces on units do not have to be the same

(Diagram: the two units are connected by the HA control interface.)

See Appendix for complete configuration example


Connection Replication

• Connection state information is replicated across HA control interface

• Interfaces are mapped between units using rii number

ZBFW2#show policy-firewall session

Session B2601288 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB

Created 00:00:51, Last heard never

Bytes sent (initiator:responder) [0:0]

HA State: STANDBY, RG ID: 1

Established Sessions = 1

ZBFW1#show policy-firewall session

Session B2704178 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB

Created 00:00:31, Last heard 00:00:30

Bytes sent (initiator:responder) [37:79]

HA State: ACTIVE, RG ID: 1

Established Sessions = 1
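The two outputs above are the check an operator runs to confirm replication: the same flow must appear on both units, ACTIVE on one and STANDBY on the other, in the same redundancy group. The script below is an added example, not from the deck or from Cisco; it parses output in the layout of show policy-firewall session from both units and lists flows the active unit owns that the standby does not hold. The session ids differ per unit (as they do on the slide), so flows are keyed by their endpoints and protocol. The outputs are constructed: the active unit has a second session that has not yet been replicated.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed outputs in the layout of "show policy-firewall session": the active unit
# holds two sessions, but only the first has been replicated to the standby so far.
ACTIVE_OUTPUT = """\
Session B2704178 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:31, Last heard 00:00:30
  Bytes sent (initiator:responder) [37:79]
  HA State: ACTIVE, RG ID: 1
Session B2704190 (10.1.1.100:52981)=>(203.0.113.100:22) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:02, Last heard 00:00:01
  Bytes sent (initiator:responder) [0:0]
  HA State: ACTIVE, RG ID: 1
Established Sessions = 2
"""
STANDBY_OUTPUT = """\
Session B2601288 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:51, Last heard never
  Bytes sent (initiator:responder) [0:0]
  HA State: STANDBY, RG ID: 1
Established Sessions = 1
"""

SESSION_RE = re.compile(r"^Session [0-9A-Fa-f]+ (?P<flow>\S+=>\S+ \w+) (?P<state>\S+)")
HA_RE = re.compile(r"HA State: (?P<ha>\w+), RG ID: (?P<rg>\d+)")


@dataclass
class FwSession:
    flow: str       # "(initiator)=>(responder) proto": the key that must match on both units
    state: str
    ha_state: str = ""
    rg: int = 0


def parse_sessions(text: str) -> Dict[str, FwSession]:
    """Key sessions by flow, not by the per-unit session id, which differs between units."""
    sessions: Dict[str, FwSession] = {}
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = FwSession(m["flow"], m["state"])
            sessions[current.flow] = current
            continue
        m = HA_RE.search(line)
        if m and current is not None:
            current.ha_state, current.rg = m["ha"], int(m["rg"])
    return sessions


def replication_gaps(active: Dict[str, FwSession],
                     standby: Dict[str, FwSession]) -> List[str]:
    """Flows the active unit owns that the standby does not hold in STANDBY state in the same RG."""
    gaps = []
    for flow, s in sorted(active.items()):
        if s.ha_state != "ACTIVE":
            continue
        peer = standby.get(flow)
        if peer is None or peer.ha_state != "STANDBY" or peer.rg != s.rg:
            gaps.append(flow)
    return gaps


if __name__ == "__main__":
    print(replication_gaps(parse_sessions(ACTIVE_OUTPUT), parse_sessions(STANDBY_OUTPUT)))
```

A short-lived gap right after a session is created is normal (replication lags the creation by a moment, as the Created timestamps on the slide show); a gap that persists, or a standby copy in the wrong redundancy group, points at a problem on the HA control interface or in the rii mapping.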


LAN interfaces

• Traffic is routed to a VIP address

• Active unit always processes traffic

interface Ethernet0/0

ip address 10.1.1.1 255.255.255.0

redundancy rii 100

redundancy group 1 ip 10.1.1.3 exclusive

interface Ethernet0/0

ip address 10.1.1.2 255.255.255.0

redundancy rii 100

redundancy group 1 ip 10.1.1.3 exclusive

(Diagram: both units share the VIP 10.1.1.3 on Ethernet0/0.)


WAN interfaces

• Traffic is routed independently to each unit

• Active unit always processes traffic

• SLA route tracking ensures traffic is sent to Active unit

Internet-Router# show ip route

S* 10.1.1.0/24 [1/0] via 172.16.1.1

via 192.168.1.1

(Diagram: the Active and Standby units reach the Internet router through separate WAN addresses, 192.168.1.1 and 172.16.1.1, and both offer a path to 10.1.1.0/24; route tracking keeps the path that points at the Active unit.)


Asymmetric Routing

• Standby forwards traffic to Active across dedicated Asymmetric interface

• Source rii is provided so Active knows what zone-pair to process against

• Do not route traffic on Asymmetric interface

• Potential for routing loops

(Diagram: the Active unit connects to ISP1 and the Standby unit to ISP2; the units are joined by the dedicated asymmetric-routing interface.)

See Appendix for complete configuration example


Control Plane Security


Routing Protocol Security

• Restrict neighbor relationships

• Neighbor authentication

• Neighbor definition

• Hop count and TTL Checks

• Establish network scope for routes and neighbors

• Routing process consumption

• Restrict LSA memory consumption



Restrict Neighbor Relationships

• EIGRP uses md5 authentication

• OSPF uses md5 authentication

• BGP uses md5 authentication

Router(config)# key chain EIGRP_AUTH

Router(config-keychain)# key 1

Router(config-keychain-key)# key-string EIGRP_PASSWORD

Router(config)# interface Ethernet0/0

Router(config-if)# ip authentication mode eigrp 100 md5

Router(config-if)# ip authentication key-chain eigrp 100 EIGRP_AUTH

Router(config)# router ospf 100

Router(config-router)# area 0 authentication message-digest

Router(config)# interface Ethernet0/0

Router(config-if)# ip ospf message-digest-key 1 md5 OSPF_PASSWORD

Router(config)# router bgp 100

Router(config-router)# neighbor 10.1.1.1 password BGP_PASSWORD


Hop count, TTL checks and LSA database size

• EIGRP installs routes less than the maximum hops

• BGP sets TTL maximum for peer

• OSPF limits number of total LSA installed in database

Router(config)# router eigrp EIGRP

Router(config-router)# address-family ipv4 unicast autonomous-system 100

Router(config-router-af)# topology base

Router(config-router-af-topology)# metric maximum-hops 100

Router(config)# router bgp 100

Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2

Router(config)# router ospf 100

Router(config-router)# max-lsa 100
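Two of the checks on the last two slides are simple enough to show end to end. The block below is an added example, not from the deck or from Cisco. The first part models keyed-MD5 neighbor authentication in the style of OSPF cryptographic authentication (RFC 2328, Appendix D: the shared key, padded to 16 bytes, is appended to the packet and the MD5 of the whole is the digest); EIGRP and BGP (TCP MD5, RFC 2385) use the same keyed-hash idea with different framing, and the packet framing is omitted here. The second part is the test behind neighbor ... ttl-security hops N: a peer at most N hops away sends with TTL 255, so anything arriving with TTL below 255 - N is rejected before the routing process sees it. The key-string and the packet contents are sample inputs.

```python
import hashlib
import hmac

DIGEST_LEN = 16


def keyed_md5_digest(packet: bytes, key: bytes) -> bytes:
    """Keyed-MD5 in the style of OSPF cryptographic authentication (RFC 2328, Appendix D):
    the shared key, padded to 16 bytes, is appended to the packet and the MD5 of the
    whole is the digest.  Simplified model: the key id, sequence number and
    authentication length fields of the real packet framing are omitted."""
    if len(key) > DIGEST_LEN:
        raise ValueError("key longer than 16 bytes")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """What the sender transmits: the packet followed by its digest.
    The key itself never goes on the wire, unlike clear-text authentication."""
    return packet + keyed_md5_digest(packet, key)


def verify(message: bytes, key: bytes) -> bool:
    """The receiver recomputes the digest with its own copy of the key; any change to
    the packet, or a key-string mismatch between the two routers, fails the comparison."""
    if len(message) < DIGEST_LEN:
        return False
    body, digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    return hmac.compare_digest(digest, keyed_md5_digest(body, key))


def gtsm_accept(received_ttl: int, hops: int) -> bool:
    """The check behind 'neighbor ... ttl-security hops N': a directly connected peer
    sends with TTL 255, so a packet that has crossed more than N routers cannot carry a
    TTL of 255 - N or higher and is discarded before BGP processes it."""
    return received_ttl >= 255 - hops


if __name__ == "__main__":
    key = b"OSPF_PASSWORD"          # key-string from the slide, used here as sample input
    msg = sign(b"sample-hello-packet", key)
    print(verify(msg, key), verify(msg, b"wrong"))     # True False
    print(gtsm_accept(254, 2), gtsm_accept(200, 2))    # True False
```

The digest protects integrity and peer authenticity, not confidentiality: the routing update itself is still readable on the wire, and MD5 only keeps out peers that do not hold the key-string. The TTL check is independent of any key and costs nothing per packet, which is why it is worth enabling even where MD5 is already configured.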


ICMP and the Control Plane

• ICMP Redirects tell a client that a better gateway to the destination network is on the same subnet

• ICMP Unreachables are sent when an interface ACL drops traffic

• The router can experience CPU impact if too many unreachables are generated

Router(config)# interface Ethernet0/0

Router(config-if)# no ip redirects

Router(config-if)# no ip unreachables


Control Plane Diagram

• All traffic that requires special handling will go through the router's control plane

• This traffic will be processed by the Route Processor, leaving the router vulnerable to resource exhaustion

(Diagram: packets punted from the input forwarding path reach the aggregate control plane, which is divided into the Host, Transit and CEF Exception subinterfaces; policing can be applied to each of them, and the Host subinterface additionally supports queue-threshold and port-filter policies.)


Control Plane Policing (CPP)

• Rate limit traffic to CPU using quality of service (QoS) policy

• Protect against control plane oversubscription

Actions for traffic: Permit, Rate Limit, Drop


Control Plane Protection (CoPPr)

See Appendix for additional information

Aggregate Control Plane is divided into:

Host

• Traffic destined to the router

• Management

• Routing Protocols

• Tunnel Traffic

Transit

• Traffic traversing router

CEF Exception

• Traffic redirected to RP

• Features that require additional processing

• Packets with special attributes


Control Plane Protection Example

• Problem

• Router receiving too much traffic to process on non-listening ports

• Solution

• Preemptively drop all traffic destined to closed ports

• Router should only process traffic to open ports

• Services for management

• Services for monitoring

• Ephemeral ports opened for applications

(Diagram: Internet map of closed ports)


Control Plane Protection – Port Filtering

! Match all closed ports

class-map type port-filter match-all PORTFILTER_CMAP

match closed-ports

!

! Drop any traffic to a closed port

policy-map type port-filter PORTFILTER_PMAP

class PORTFILTER_CMAP

drop

!

! Apply to host subinterface

control-plane host

service-policy type port-filter input PORTFILTER_PMAP


Control Plane Protection

• Only telnet is enabled on the router

• Traffic destined to any other port on the router will be dropped early

• Before CPU processing

Viewing Open Ports

Router#show control-plane host open-ports

Active internet connections (servers and established)

Prot Local Address Foreign Address Service State

tcp *:23 *:0 Telnet LISTEN

See Appendix for complete configuration example
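The port-filter policy on the previous slide is defined by what show control-plane host open-ports reports: a packet addressed to the router is processed only if its protocol and port are in LISTEN state. The script below is an added example, not from the deck or from Cisco. It parses output in that layout into the set of open ports and applies the drop-closed-ports decision to a batch of constructed inbound packets, so the effect of the policy on a port sweep can be counted before it is deployed. The sample output is constructed and adds SSH and SNMP listeners and one established session to the Telnet listener shown above.

```python
from typing import Dict, List, Set, Tuple

# Constructed output in the layout of "show control-plane host open-ports"; besides the
# Telnet listener from the slide it has an SSH listener, an SNMP listener and one
# established Telnet session (the Service column may contain spaces).
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:22                *:0               SSH-Server   LISTEN
 tcp                 *:23                *:0                   Telnet   LISTEN
 tcp                 *:23     10.1.1.100:51022                   Telnet   ESTABLIS
 udp                *:161                *:0                  IP SNMP   LISTEN
"""

PortKey = Tuple[str, int]


def listening_ports(text: str) -> Set[PortKey]:
    """(protocol, port) pairs in LISTEN state, i.e. the router's open ports."""
    ports: Set[PortKey] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        proto, local, state = parts[0], parts[1], parts[-1]
        if state == "LISTEN":
            ports.add((proto, int(local.rsplit(":", 1)[1])))
    return ports


def port_filter(proto: str, dport: int, open_ports: Set[PortKey]) -> str:
    """Decision of the 'match closed-ports' class with the drop action: anything addressed
    to a port the router is not listening on is dropped before it reaches the CPU."""
    return "process" if (proto, dport) in open_ports else "drop"


def summarize(packets: List[PortKey], open_ports: Set[PortKey]) -> Dict[str, int]:
    """Count how many packets destined to the router would be processed versus dropped."""
    counts = {"process": 0, "drop": 0}
    for proto, dport in packets:
        counts[port_filter(proto, dport, open_ports)] += 1
    return counts


if __name__ == "__main__":
    open_ports = listening_ports(SAMPLE_OPEN_PORTS)
    # Constructed inbound packets to the router: a Telnet login, an SSH login, a sweep
    # of tcp/79-89, an SNMP poll and a DNS query the router does not serve.
    inbound = ([("tcp", 23), ("tcp", 22)]
               + [("tcp", p) for p in range(79, 90)]
               + [("udp", 161), ("udp", 53)])
    print(sorted(open_ports), summarize(inbound, open_ports))
```

The established Telnet session is deliberately ignored by listening_ports: the port filter is about which services exist, and the listener on tcp/23 already covers the session's packets. Re-running the check after a service is enabled or disabled shows exactly which new ports the filter will start or stop passing.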


Summary

• Protect data plane using ZBFW configuration

• Application aware features allow deep packet inspection

• Logging traffic successfully

• Track users using identity features

• Authentication proxy with consent option provides legal enforcement

• User groups and SGT allow for stateful user tracking

• High Availability of firewall features

• LAN and WAN interfaces provide solutions for each routing environment

• Asymmetrically routed traffic is supported through traffic redirection

• Protect router services from resource exhaustion using Control Plane Protection


Recommended Readings


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings


Security Joins the Customer Connection Program (Customer User Group Program)

19,000+ Members Strong

• Who can join: Cisco customers, service providers, solution partners and training partners

• Private online community to connect with peers & Cisco’s Security product teams

• Monthly technical & roadmap briefings via WebEx

• Opportunities to influence product direction

• Local in-person meet ups starting Fall 2016

• New member thank you gift* & badge ribbon when you join in the Cisco Security booth

• Other CCP tracks: Collaboration & Enterprise Networks

Join in World of Solutions

Security zone Customer Connection stand

Learn about CCP and Join

New member thank-you gift*

Customer Connection Member badge ribbon

Join Online

www.cisco.com/go/ccp

Come to Security zone to get your new member gift*

and ribbon

* While supplies last


Please join us for the Service Provider Innovation Talk featuring:

Yvette Kanouff | Senior Vice President and General Manager, SP Business

Joe Cozzolino | Senior Vice President, Cisco Services

Thursday, July 14th, 2016

11:30 am - 12:30pm, In the Oceanside A room

What to expect from this innovation talk

• Insights on market trends and forecasts

• Preview of key technologies and capabilities

• Innovative demonstrations of the latest and greatest products

• Better understanding of how Cisco can help you succeed

Register to attend the session live now or

watch the broadcast on cisco.com


Thank you


Appendix


Fundamental Security Review


Fundamental Security

• Infrastructure security is the core of network security

• Protecting devices which pass traffic

• Securing network infrastructure

• Management security

• Login security

• Insurance: What to do in case something happens?

• Accounting and monitoring

• IOS Resiliency


Management Security

• Controlling method of access for management


Login Methods

• Why SSH over Telnet?

• SSH encrypts data

• Telnet is clear text

• Requirements for SSH

• RSA keypair must be created on router

• IOS image must support encryption

• Management application must support SSH access

line vty 0 4

transport input ssh


Restricting Management Access

• Only allow trusted IP addresses for management connections

• Configure access-list (ACL) to restrict login access

• Management plane security

ip access-list extended LOGIN_ACL

permit tcp host 10.1.1.100 any eq 22

!

line vty 0 4

access-class LOGIN_ACL in

transport input ssh

Router(config)# control-plane host

Router(config-cp-host)# management-interface Fastethernet0/0 allow ssh


Management Security Tiers

• Transport method

• VTY access control

• Management plane security


Login Security

• Banner on login prompts

• Password Security

• Restrict connection attempts


Login Banner

Welcome to Cisco’s Router! Unauthorized access is not allowed.

Page 105

Login Banner in Use

[User]$ telnet 10.1.1.1

**Unauthorized access to this network device is prohibited.**
You must have explicit permission to access or configure this
device. All activities performed on this device are logged and
violations of this policy may result in disciplinary action.

Username: cisco
Password: cisco

***By successfully logging in, you acknowledge that you have
explicit permission to access and configure this device. You
accept that all activities performed on this device are logged
and violations of this policy may result in disciplinary action.

Router#

Warns user that they should back out now if they are not authorized to access the system.

Acknowledges that user has successfully logged in and is responsible for actions.

Page 106

Configuring a Banner

• Language matters

• Requirements from legal department

• Laws based on country and state

• The example below uses the ‘%’ symbol as the message delimiter

Router(config)# banner login %
Enter TEXT message. End with the character ‘%’.
This is a LOGIN banner %
Router(config)# banner exec %
Enter TEXT message. End with the character ‘%’.
This is a EXEC banner %

Page 107

Enhanced Password Security

• 500,000 devices on the internet have the default password of root

• Password Restriction

• Password Encryption methods

1. Password Encryption service

2. SHA256/MD5 hash

Page 108

Password Restriction

• Cisco IOS routers do not restrict passwords by default

• Password restriction ensures local passwords adhere to the following rules

• Must contain characters from at least three of the following classes:

1. lowercase letters

2. uppercase letters

3. digits

4. special characters

• Cannot have a character repeated more than three times consecutively.

• Cannot be the same as the associated username.

• Cannot be a variant of the word “cisco”.

Router(config)# aaa new-model
Router(config)# aaa password restriction

Page 109

Password Encryption

• Service encryption uses a Cisco proprietary encryption algorithm

• Encryption is based on a Vigenere cipher

• Weak security because it is a polyalphabetic substitution

Router(config)# enable password cisco
Router# show run | include enable
enable password cisco
Router(config)# service password-encryption
Router# show run | include enable
enable password 7 02050D480809

Page 110

Service Password-Encryption

• Below is a tool from the first hit on Google

• Search term: cisco service password-encryption cracker

Page 111

SHA/MD5 Password Protection

• One way hash algorithm that is not reversible

• SHA256 is the default hash for the enable secret on IOS routers (starting in 15.0.1S)

Router(config)# enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  4      Specifies an SHA256 ENCRYPTED secret will follow
  5      Specifies an MD5 ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password

Router(config)# enable secret cisco
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
enable password cisco

See Appendix for functionality

Page 112

Type 4 versus Type 5 vulnerability

• Intended Type 4 design: Password-Based Key Derivation Function version 2 (PBKDF2)

• Hash algorithm = SHA-256

• Password = the user-provided plaintext password

• Salt = 80 bits (generated by calling a cryptographically secure random number generator)

• Iteration count = 1,000 (one thousand)

• Due to an implementation issue, the Type 4 password algorithm does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password. This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.

Page 113

Password Cracking

• An Ars Technica case study cracked 45% of a 17,000-entry hashed password list in 90 seconds using the above technique

• SHA256/MD5 hashes are protected using a salt

• Salt is a random sequence of characters added to end of password before hash

[Figure: hashed password and word list fed to the cracking algorithm (HashCat), producing the unencrypted password]

Page 114

Access Control Server (ACS) Integration

• Passwords are only as safe as their storage medium

• ACS integration provides a centralized service to store passwords

• Compromised configurations provide no insight into passwords

• Configuring ACS server

See Appendix for configuration examples and best practices

Page 115

ACS Integration

• Configure ACS server information on IOS router

• Create authentication list to use ACS server

• Apply authentication list to management sessions

• Configuration Example

Router(config)# tacacs server MYTACACS
Router(config-server-tacacs)# address ipv4 10.1.1.100
Router(config-server-tacacs)# key Cisco12345
Router(config)# aaa authentication login MANAGEMENT group TACACS local
Router(config)# line vty 0 4
Router(config-line)# login authentication MANAGEMENT

Page 116

ACS Integration

• Local fallback ensures that the router is still accessible when ACS is unavailable

• Test ACS configuration before applying to avoid being locked out of the router

• Using a reliable source interface ensures consistent access to the ACS server

• Best Practices

Router# test aaa group MYTACACS username password new-code
User Rejected
Router(config)# ip tacacs source-interface Loopback0
Router(config)# aaa authentication login MANAGEMENT group TACACS local

Page 117

One Time Passwords (OTP)

• One time passwords are used to restrict access for temporary users

• Introduced in 12.4

• ACS OTP provides two tier authentication

• Use secure token to generate password

• New password for login each session

Router(config)#username TAC one-time secret cisco

[Figure: RSA token generator; the login combines the password Cisco12345 with the RSA token code 457AE59H]

Page 118

Password Security Tiers

• Simple unencrypted password

• Hashed password (MD5/SHA256)

• Password restrictions

• Centralized storage of passwords (ACS)

• One time use passwords

Page 119

Session Limits

• Configuring login restrictions blunts brute-force attacks by delaying their success

• Login block for failed login attempts

Password length                          Time to crack
12 digit password                        6 months
12 digit password + login restriction    758 billion years

See Appendix for configuration examples

login block-for 30 attempts 3 within 10

Page 120

Example on login blocking and timeouts

• Login block configuration

• Session timeouts

line vty 0 4
 login authentication MANAGEMENT
 transport input telnet
!
login block-for 30 attempts 3 within 10

line vty 0 4
 exec-timeout 5
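A small audit script, added here as an example (it is not part of the deck and not Cisco tooling), that scans a running-config for the management-plane weaknesses these slides walk through: clear-text and type 7 passwords, type 4 secrets, Telnet on the VTY lines, a missing access-class, a missing login block-for, and idle sessions that never time out. The sample config is constructed from the deck's own snippets.

```python
import re

# Constructed sample running-config, stitched together from the deck's snippets.
SAMPLE_CONFIG = """\
aaa new-model
enable password cisco
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username cisco password 7 02250D4808095E731F1A5C
username NOC privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!
line vty 0 4
 login authentication MANAGEMENT
 transport input telnet
 exec-timeout 5
!
end
"""

# Matches 'enable password ...', 'enable secret 4 ...',
# 'username X [privilege N] password|secret [type] value'.
CRED_RE = re.compile(
    r"^(?P<who>enable|username\s+\S+)(?:\s+privilege\s+\d+)?\s+"
    r"(?P<kind>password|secret)(?:\s+(?P<type>\d))?\s+\S+$"
)

# Storage types the deck rates as weak; a type 5 (salted MD5) secret is not flagged.
WEAK_TYPES = {
    "0": "stored in clear text",
    "7": "type 7 (service password-encryption): Vigenere-style, trivially reversible",
    "4": "type 4: single unsalted SHA-256, weaker than a type 5 secret",
}


def vty_blocks(config):
    """Map each 'line vty ...' stanza to the indented commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the stanza
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    for line in lines:
        m = CRED_RE.match(line)
        if not m:
            continue
        # 'password' with no type number is type 0; 'secret' with no number is
        # hashed by the router on entry, so only explicit types are judged.
        ptype = m.group("type") or ("0" if m.group("kind") == "password" else None)
        if ptype in WEAK_TYPES:
            findings.append(f"{m.group('who')}: {WEAK_TYPES[ptype]}")
    if not any(line.startswith("login block-for") for line in lines):
        findings.append("no 'login block-for': failed logins are not rate limited")
    for name, cmds in vty_blocks(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or any(set(t.split()[2:]) - {"ssh", "none"} for t in transport):
            findings.append(f"{name}: transport input not restricted to ssh, clear-text telnet possible")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class, any source address may attempt a login")
        timeout = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeout or timeout[-1].split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"{name}: idle management sessions never time out")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```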

Page 121

Login Security Tiers

• Management Access Restriction

• Login Banner

• Password Security

• Session Limits

Page 122

Functionality Based User Security

[Figure: matrix of roles (NOC, Admin, Contractor, TAC) against functions (view configuration, edit configuration, troubleshooting commands)]

Page 123

Command Based User Security

[Figure: matrix of roles (Admin, Security, Routing Protocols) against commands (configure interface, configure access control, configure routing protocols)]

Page 124

Privilege Levels

User EXEC Mode (Router>)

• Privilege Level 0

• Can only enable

Privileged EXEC Mode (Router#)

• Privilege Level 1

• View status of router

Global Configuration Mode (Router(config)#)

• Privilege Level 15

• Configuration commands

See Appendix for complete configuration example

Page 125

Changing Privilege Levels of Commands

• Commands can be moved down to different privilege levels

• Provide restricted configuration access

• User NOC can shut and no shut interfaces

• Cannot configure any interface features

username NOC privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!
privilege interface all level 7 shutdown
privilege interface all level 7 no shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal

Page 126

Changing Privilege Levels of Commands

[Figure: privilege levels 15, 7 and 1; 'interface ethernet0/0' and 'shutdown' moved down to level 7 for username NOC]

See Appendix for complete configuration example

Page 127

Role Based Access Control

• Creates views so users can only view a subset of commands in the parser

• Provides more detailed control over CLI access

• Views assigned to each user restrict:

• Commands seen in parser

• Commands allowed to be issued

• Superviews can be used to aggregate functionality

• Introduced in 12.3(7)

parser view INTERN
 secret
 commands exec include show version
 commands exec include show

See Appendix for complete configuration example

Page 128

Role Based Access Control

• Configuration Example

parser view INTERN
 secret
 commands exec include show version
 commands exec include show
!
parser view NOC
 secret
 commands interface include shutdown
 commands configure include interface
 commands configure include interface FastEthernet0/1
 commands exec include configure terminal
 commands exec include configure
!
parser view ADMIN superview
 secret
 view INTERN
 view NOC

Page 129

Remote Command Authorization

• Centralized server to verify commands before execution

• User gets command authorization set based on device

• Scalable solution for large network environments

• Router will communicate with ACS to verify command before execution

Will IOS allow the user to issue the command?

• Privilege level of user and command

• Local command authorization

Is the user authorized to run the command?

• ACS server command list

• Remote command authorization

See Appendix for complete configuration example

Page 130

ACS Command Authorization

• ACS authentication must be enabled so users are correctly mapped

• Router will communicate with ACS to verify command before execution

• This provides scalability

• Same users can be allowed the same commands on all devices

aaa new-model
!
aaa authentication login default group tacacs+ local
!
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands

Page 131

User Security Tiers

• Privilege Levels

• Role Based Access Control

• ACS Command Authorization

Page 132

Assigning Privilege Levels

aaa new-model
!
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
username NOC privilege 1 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
!
aaa authentication login AUTHENTICATION_MANAGEMENT local
aaa authorization exec AUTHORIZATION_MANAGEMENT local
!
line vty 0 4
 login authentication AUTHENTICATION_MANAGEMENT
 authorization exec AUTHORIZATION_MANAGEMENT

Page 133

Privilege Levels in Use

[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1
Escape character is '^]'.

This is the LOGIN banner

Username: NOC
Password:

This is the EXEC banner

Router> show privilege
Current privilege level is 1

[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1
Escape character is '^]'.

This is the LOGIN banner

Username: admin
Password:

This is the EXEC banner

Router# show privilege
Current privilege level is 15

Page 134

Role Based Access Control

• Apply the view setting to the username to force that user into that view

• User authorization must be enabled

• User Setup

username DAFFY privilege 15 view NOC secret DUCK
aaa new-model
!
aaa authorization exec EXEC_AUTHORIZATION_LIST local

Page 135

Network Accounting

• Configure router to send command accounting history to ACS

• Configuration Example

aaa new-model
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Page 136

Fundamental Security

• Cisco IOS can automate security implementation

• AutoSecure

• Secures a router by using a single CLI command

• Disables common IP services that can be exploited

• Enables IP services and features to defend the network

• AutoSecure can be enabled per feature or all features

Page 137

AutoSecure

• Feature Options

Router# auto secure ?
  firewall       AutoSecure Firewall
  forwarding     Secure Forwarding Plane
  full           Interactive full session of AutoSecure
  login          AutoSecure Login
  management     Secure Management Plane
  no-interact    Non-interactive session of AutoSecure
  ntp            AutoSecure NTP
  ssh            AutoSecure SSH
  tcp-intercept  AutoSecure TCP Intercept
  <cr>

Page 138

AutoSecure

• Securing Login

Router# auto secure login
Gathering information about the router for AutoSecure

Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: cisco
Enter the password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport

Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 30
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 10

Page 139

AutoSecure

• Login configuration

enable password 7 02250D4808095E731F1A5C
username cisco password 7 02250D4808095E731F1A5C
aaa new-model
aaa authentication login local_auth local
!
line vty 0 4
 login authentication local_auth
 transport input telnet
!
login block-for 30 attempts 3 within 10
!
end

Page 140

Firewall – Basic Functionality

[Figure: trusted side (client) and untrusted side (Internet with webserver, SMTP server and attacker); the client's HTTP request and the matching HTTP response pass, unsolicited SMTP and malicious traffic are blocked]

Firewall prevents malicious traffic from entering the network by tracking connections

Page 141

Zone Policy Assignment and Scalability

[Figure: Users zone (three subinterfaces, zone-member USERS) and Internet zone (zone-member INTERNET), joined by the zone-pair source USERS destination INTERNET]

See Appendix for complete configuration example

interface Ethernet0/0.100
 zone-member security USERS
interface Ethernet0/0.200
 zone-member security USERS
interface Ethernet0/0.300
 zone-member security USERS
!
interface Ethernet0/1
 zone-member security INTERNET
!
zone-pair security USERS->INTERNET source USERS destination INTERNET
 service-policy type inspect USER->INTERNET_PM

Page 142

Zone Based Firewall (ZBFW) – Zone Members

[Figure: Trusted zone (zone-member INSIDE) and Untrusted zone (zone-member OUTSIDE)]

zone-pair security INSIDE->OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE_PMAP
!
interface Ethernet0/0
 zone-member security INSIDE
!
interface Ethernet0/1
 zone-member security OUTSIDE

• ZBFW uses zones as the foundation for all policies

• The same zone can be applied to multiple interfaces

• Each interface can only be part of one zone

Page 143

Building Zone-pairs

[Figure: Users, Internet, Application and Database zones]

Page 144

Zone Member Scalability

[Figure: Users, Internet and Application zones, with the zone-pairs source USERS destination USERS and source USERS destination APPLICATION]

• Zone policies are directional

• Initiated traffic matches from SOURCE to DESTINATION

• Return traffic matches the existing connection

• ZBFW scales when there are multiple zones

See Appendix for complete configuration example

Page 145

Intrazone policies

• On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection.

• On IOS 12.X releases it was not possible to define intrazone ZFW policies.

• Starting with IOS 15.0(1)M, intrazone traffic is blocked by default.

• IOS 15.X allows the creation of intrazone policies (source and destination of traffic in the same zone):

zone-pair security APPLICATION->APPLICATION_ZP source APPLICATION destination APPLICATION

Page 146

Private VLANs vs. Intrazone Communication

• Isolated ports cannot speak with anyone but Promiscuous ports

• Community ports can speak with other ports in the same community and with Promiscuous ports

• Promiscuous ports can speak with everything

vlan 11
 private-vlan isolated
!
vlan 12
 private-vlan community
!
vlan 20
 private-vlan primary
 private-vlan association 11-12
!
interface FastEthernet 1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11
!
interface FastEthernet 1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12
!
interface FastEthernet 1/12
 description *** Promiscuous Port ***
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 add 11-12

Page 147

Advanced Topology

[Figure: Clients, Internet, Application and Database zones]

zone-pair security USERS->APPLICATION_ZP source USERS destination APPLICATION
zone-pair security USERS->DATABASE_ZP source USERS destination DATABASE
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET

Page 148

Identifying Traffic – Class-Map Theory

• Class-map using Access-list:

ip access-list extended USER_ACL
 permit tcp any any eq 80

• Class-map using Protocol:

protocol HTTP

• Class-map using Nested class-map:

class-map USER_PROTOCOLS

Page 149

Identifying Traffic using Class-Map

• Example 1: ACL matching

• Example 2: Protocol matching

• Example 3: Nested class-map matching

Examples

ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-2
 match protocol http
!
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-3
 match class-map USER_PROTOCOLS_CMAP

Page 150

Applying Policy-map

[Figure: Clients, Internet, Application and Database zones]

zone-pair security USERS->APPLICATION_ZP source USERS destination APPLICATION
 service-policy type inspect USERS->APPLICATION_PMAP
!
zone-pair security USERS->DATABASE_ZP source USERS destination DATABASE
 service-policy type inspect USERS->DATABASE_PMAP
!
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
 service-policy type inspect USERS->INTERNET_PMAP

Page 151

Inspect Traffic – Protocol vs Application

ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL
!
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-3
 match class-map USER_PROTOCOLS_CMAP

Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB

The session matched by the ACL class is tracked as plain tcp; the session matched by the protocol class is tracked as http:tcp, so application-layer inspection applies to it.

Page 152

Allowing Inbound Traffic

• Zone-pairs are unidirectional

• Any traffic must be explicitly allowed in the opposite direction

class-map type inspect match-all SMTP_SERVER_CMAP
 match access-group name SMTP_SERVER_ACL
 match protocol smtp
!
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_SERVER_CMAP
  inspect
 class class-default
  drop
!
zone-pair security INTERNET->APPLICATION_ZP source INTERNET destination APPLICATION
 service-policy type inspect INTERNET->APPLICATION_PMAP
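A small Python model of the zone-pair lookup these slides describe, added here as an illustration (it is not Cisco code and does not parse IOS configuration): each interface belongs to one zone, zone-pairs are directional with an inspect class and a dropping class-default, intrazone traffic depends on the 12.x versus 15.0(1)M default, and reply packets ride on the session the initiating direction opened. The Ethernet0/2 and Ethernet0/3 interfaces for the APPLICATION zone and all flows are constructed assumptions; the two non-member rules follow Cisco's documented ZBFW behaviour rather than these slides.

```python
from dataclasses import dataclass, field


@dataclass
class Zbfw:
    """Toy model of ZBFW policy lookup (added example, not Cisco's implementation)."""
    # False models 15.0(1)M and later, where intrazone traffic is dropped unless an
    # intrazone zone-pair exists; True models the 12.x behaviour of passing it uninspected.
    intrazone_default_pass: bool = False
    zone_of: dict = field(default_factory=dict)  # interface -> zone name
    pairs: dict = field(default_factory=dict)    # (source zone, destination zone) -> protocols
    sessions: set = field(default_factory=set)   # flows admitted by 'inspect'

    def zone_member(self, interface, zone):
        """'zone-member security <zone>': an interface belongs to at most one zone."""
        if self.zone_of.get(interface, zone) != zone:
            raise ValueError(f"{interface} is already a member of zone {self.zone_of[interface]}")
        self.zone_of[interface] = zone

    def zone_pair(self, source, destination, protocols):
        """'zone-pair security ... source S destination D' with an inspect policy whose
        class matches 'protocols'; everything else falls into class-default and is dropped."""
        self.pairs[(source, destination)] = frozenset(protocols)

    def decide(self, ingress, egress, flow):
        """Decide one flow (src_ip, sport, dst_ip, dport, protocol) arriving on 'ingress'
        and leaving via 'egress'. Returns the action and the rule that produced it."""
        src_ip, sport, dst_ip, dport, proto = flow
        # Return traffic matches the session opened by the initiating direction,
        # so it needs no zone-pair of its own (a simplified 5-tuple session table).
        if (dst_ip, dport, src_ip, sport, proto) in self.sessions:
            return "pass (existing session)"
        src_zone, dst_zone = self.zone_of.get(ingress), self.zone_of.get(egress)
        # Documented ZBFW behaviour, not on the slides: two non-members talk freely,
        # a member and a non-member never do.
        if src_zone is None and dst_zone is None:
            return "pass (neither interface is a zone member)"
        if src_zone is None or dst_zone is None:
            return "drop (zone member to non-member)"
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            if src_zone == dst_zone and self.intrazone_default_pass:
                return "pass (intrazone default, 12.x)"
            # Covers the opposite direction of an existing pair and intrazone on 15.x.
            return "drop (no zone-pair)"
        if proto in policy:
            self.sessions.add(flow)
            return "inspect"
        return "drop (class-default)"


def build_topology(intrazone_default_pass=False):
    """Zones and zone-pairs modelled on the slides' USERS / INTERNET / APPLICATION design.
    Ethernet0/2 and Ethernet0/3 are assumed interfaces for the APPLICATION zone."""
    fw = Zbfw(intrazone_default_pass)
    for sub in ("Ethernet0/0.100", "Ethernet0/0.200", "Ethernet0/0.300"):
        fw.zone_member(sub, "USERS")
    fw.zone_member("Ethernet0/1", "INTERNET")
    fw.zone_member("Ethernet0/2", "APPLICATION")
    fw.zone_member("Ethernet0/3", "APPLICATION")
    fw.zone_pair("USERS", "INTERNET", {"http", "ftp"})
    fw.zone_pair("INTERNET", "APPLICATION", {"smtp"})  # the inbound SMTP server policy
    return fw


if __name__ == "__main__":
    fw = build_topology()
    web = ("192.168.1.100", 14128, "4.2.2.2", 80, "http")
    print("user -> internet http:", fw.decide("Ethernet0/0.100", "Ethernet0/1", web))
    reply = ("4.2.2.2", 80, "192.168.1.100", 14128, "http")
    print("reply:", fw.decide("Ethernet0/1", "Ethernet0/0.100", reply))
    new_in = ("4.2.2.2", 4000, "192.168.1.100", 80, "http")
    print("internet -> user, new:", fw.decide("Ethernet0/1", "Ethernet0/0.100", new_in))
    intra = ("192.168.1.100", 4001, "192.168.2.1", 80, "http")
    print("user -> user:", fw.decide("Ethernet0/0.100", "Ethernet0/0.200", intra))
```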

Page 153

Parameter-Map Overview

Router(config)# parameter-map type ?
  consent        Parameter type consent
  content-scan   Content-scan parameter-map
  inspect        inspect parameter-map
  ooo            TCP out-of-order parameter-map for FW and IPS
  protocol-info  protocol-info parameter-map
  regex          regex parameter-map
  urlf-glob      URLF glob parameter-map
  urlfpolicy     Parameter maps for urlfilter policy
  waas           WAAS Parameter Map

Page 154

Application Layer Inspection – HTTP Example

parameter-map type regex BLACK_LIST_PARAM
 pattern .*cisco.*
class-map type inspect http match-all BLACK_LIST_CMAP
 match request header host regex BLACK_LIST_PARAM
policy-map type inspect http BLACK_LIST_PMAP
 class type inspect http BLACK_LIST_CMAP
  reset
policy-map type inspect USERS->INTERNET_PMAP
 class type inspect USERS->INTERNET_HTTP_CMAP
  inspect
  service-policy http BLACK_LIST_PMAP

type inspect
• General ZBFW configuration
• Match on ports and protocols

type inspect http
• Application specific ZBFW configuration
• Match on application specific header information

Page 155

Content Filtering

• Current technologies

• WCCP

• Scansafe

• Old technologies

• Websense

• Trend Micro Content Scanning

Page 156

Scansafe Content Scanning – Request

[Diagram: a client behind the router requests www.cisco.com; the router redirects the request to the Scansafe proxy server. Client Packet: Client -> Webserver. CWS Redirect Packet: Router -> CWS Server. CWS Packet: CWS Server -> Webserver]

Page 157

Scansafe Content Scanning – Response

[Diagram: the response from www.cisco.com returns through the Scansafe proxy server. Server Packet: Webserver -> Scansafe. Scansafe Redirect Packet: Scansafe -> Router. Client Packet: Webserver -> Client]

Page 158

Content Scanning Configuration

parameter-map type content-scan global
 server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
 license 0 ABCDEF1234567890ABCDEFABCDEFFFFF
 source interface Ethernet0/0
 timeout server 30
 user-group CISCOGROUP username CISCOUSER
 server scansafe on-failure block-all
interface Ethernet0/0
 ip nat outside
 zone-member security OUTSIDE
 content-scan out
interface Ethernet0/1
 ip nat inside
 zone-member security INSIDE

Page 159

Content Scanning Outputs

Router# show content-scan statistics
 Current HTTP sessions: 0
 Current HTTPS sessions: 0
 Total HTTP sessions: 83
 Total HTTPS sessions: 8
 White-listed sessions: 0
 Time of last reset: never

Router# show content-scan summary
 Primary: 201.94.155.42 (Up)*
 Secondary: 70.39.231.99 (Up)
 Interfaces: Ethernet0/0

IOS# show content-scan session active
 Protocol  Source            Destination          Bytes          Time
 HTTP      10.1.1.100:57152  209.222.159.185:80   (1635:331595)  00:00:12
 URI: www.cisco.com
 Username/usergroup(s): ciscouser10/ciscogroup10

Page 160

Integrating User Identity with Scansafe

aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip admission AUTHPROXY
ip admission name AUTHPROXY ntlm
aaa group server ldap LDAP_GROUP
 server DC01
ldap attribute-map ldap-username-map
 map type sAMAccountName username
ldap server DC01
 ipv4 192.168.1.100
 attribute map ldap-username-map
 bind authenticate root-dn CN=Users,DC=cisco,DC=com password cisco
 base-dn dc=cisco,dc=com
 search-filter user-object-type top
 authentication bind-first

Page 161

Masking SMTP Messages

[Diagram: packet layout. Ethernet Header (Source MAC, Destination MAC) | IP Header (Source IP, Destination IP) | TCP Header (Source Port, Destination Port) | SMTP DATA: EHLO reply advertising PIPELINING and STARTTLS]

Mask specific SMTP messages so that they are not presented to clients

Filtering PIPELINING prevents the client from sending batches of commands without waiting for a response from the server

Page 162

Application Layer Inspection – SMTP Example

class-map type inspect smtp match-all SMTP_CMAP
 match reply ehlo PIPELINING
policy-map type inspect smtp SMTP_PMAP
 class type inspect smtp SMTP_CMAP
  mask
policy-map type inspect INTERNET->APPLICATIONS_PMAP
 class type inspect INTERNET->APPLICATIONS_SMTP_CMAP
  inspect
  service-policy smtp SMTP_PMAP

• Select the message to be masked
• Apply the mask action for the messages selected above

Page 163

Application Layer Inspection – SIP Example

class-map type inspect sip match-all SIP_CMAP
 match protocol-violation
policy-map type inspect sip SIP_PMAP
 class type inspect sip SIP_CMAP
  reset
policy-map type inspect INTERNET->APPLICATIONS_PMAP
 class type inspect INTERNET->APPLICATIONS_SIP_CMAP
  inspect
  service-policy sip SIP_PMAP

• Identify traffic that violates the SIP RFC
• Drop any packets that violate the RFC
• TCP SIP results in a RESET packet
• UDP SIP results in dropped packets

Page 164

Application Based Inspections

IOS-FW(config)# class-map type inspect ?
  h323
  http
  imap
  pop3
  sip
  smtp
  sunrpc

Voice inspections
• Controls how calls can be placed
• Controls how phones can register

eMail inspections
• Controls how email can be sent

Page 165

Enabling Connection Limits for Resource Protection

• Router has a fixed amount of memory for connections
• Connection limitations will prevent DoS attacks from exhausting resources
  • Protects device
  • Protects endpoint services
• Connection limits can protect:
  • Memory exhaustion
    • Limit total number of connections
    • Idle timer of established and half-open connections
  • Processor/CPU exhaustion
    • Limit rate of connection builds

Resource Limits on IOS

Page 166

Applying Connection Limits to Traffic

parameter-map type inspect CONN_LIMIT_PARAM
 sessions maximum 100
 max-incomplete high 1000 low 500
 one-minute high 50
 one-minute low 25
policy-map type inspect CLIENT->INTERNET_PMAP
 class type inspect CLIENT->INTERNET_CMAP
  inspect CONN_LIMIT_PARAM

Page 167

Attack Security

Denial of Service Attack

TCP SYN Flood

IP Fragmentation Attack

Tiny Fragment

Overlapping Fragment

Buffer Overflow

Spoofing Attack

Reflection Flood

Page 168

TCP Intercept

• TCP Intercept goes aggressive because the one-minute rate exceeded 1500 embryonic connection attempts
• TCP Intercept calms down because the one-minute rate fell below 900 embryonic connection attempts

access-list 101 permit tcp any any
!
ip tcp intercept list 101
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept max-incomplete low 2000 high 3000
ip tcp intercept one-minute low 1000 high 1500

Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100
Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900
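The two-watermark behaviour behind the connection-limit parameter-map on the previous slide and the TCP Intercept thresholds above, as an added Python model that is not part of the presentation: aggressive mode starts when either the half-open count or the one-minute attempt rate crosses its high watermark and ends only when both are below their low watermarks. The thresholds and log wording are taken from the slide; the SYN event streams are constructed, and treating "exceeds" as strictly greater and "fell below" as strictly less is an assumption.

```python
"""Model of TCP Intercept / inspect parameter-map watermarks (added example, not IOS code).

Documented behaviour modelled: aggressive mode starts when EITHER the number of
half-open (embryonic) connections exceeds max-incomplete high OR the one-minute rate
of connection attempts exceeds one-minute high; it ends only when BOTH have fallen
below their low watermarks.  Strict '>' for high and '<' for low is an assumption.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List


@dataclass(frozen=True)
class Thresholds:
    max_incomplete_low: int
    max_incomplete_high: int
    one_minute_low: int
    one_minute_high: int


# Values from the 'ip tcp intercept' configuration on the slide.
SLIDE_THRESHOLDS = Thresholds(max_incomplete_low=2000, max_incomplete_high=3000,
                              one_minute_low=1000, one_minute_high=1500)


@dataclass
class InterceptMonitor:
    th: Thresholds
    aggressive: bool = False
    half_open: int = 0
    # Timestamps (seconds) of the connection attempts seen in the last 60 s.
    attempts: Deque[float] = field(default_factory=deque)
    log: List[str] = field(default_factory=list)

    def _one_minute_rate(self, now: float) -> int:
        while self.attempts and now - self.attempts[0] >= 60.0:
            self.attempts.popleft()
        return len(self.attempts)

    def syn(self, now: float) -> None:
        """A new embryonic connection attempt (SYN) is intercepted."""
        self.attempts.append(now)
        self.half_open += 1
        self._evaluate(now)

    def complete(self, now: float, count: int = 1) -> None:
        """count half-open connections finished: handshake completed, reset or timed out."""
        self.half_open = max(0, self.half_open - count)
        self._evaluate(now)

    def _evaluate(self, now: float) -> None:
        rate = self._one_minute_rate(now)
        if not self.aggressive:
            if self.half_open > self.th.max_incomplete_high or rate > self.th.one_minute_high:
                self.aggressive = True
                self.log.append("%TCP-6-INTERCEPT: getting aggressive, "
                                f"count ({self.half_open}/{self.th.max_incomplete_high}) 1 min {rate}")
        elif self.half_open < self.th.max_incomplete_low and rate < self.th.one_minute_low:
            self.aggressive = False
            self.log.append("%TCP-6-INTERCEPT: calming down, "
                            f"count ({self.half_open}/{self.th.max_incomplete_low}) 1 min {rate}")


def burst_scenario(th: Thresholds = SLIDE_THRESHOLDS) -> List[str]:
    """Constructed SYN burst: 1600 attempts in 8 s trip the one-minute rate, not the count."""
    m = InterceptMonitor(th)
    for i in range(1600):
        m.syn(i * 0.005)          # none of them ever complete
    m.complete(130.0, 100)        # two minutes later: rate window empty, count below low
    return m.log


def slow_scenario(th: Thresholds = SLIDE_THRESHOLDS) -> List[str]:
    """Constructed slow flood: one never-completing SYN per second trips the count, not the rate."""
    m = InterceptMonitor(th)
    for i in range(3001):
        m.syn(float(i))
    return m.log


if __name__ == "__main__":
    for line in burst_scenario() + slow_scenario():
        print(line)
```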

Page 169

IP Fragmentation Attack Mitigation

Fragments keyword in ACL

ip access-list extended FRAGMENTS_ACL
 deny ip any host 192.168.1.100 fragments
 permit tcp any host 192.168.1.100 eq 80
 deny ip any any

See Appendix for complete configuration example

[Diagram: a datagram entering on Ethernet0/1 and leaving on Ethernet0/0 is split into Fragment 1 (IP Header + TCP Header + Data) and Fragment 2 (IP Header + Data); only the first fragment carries the TCP header]
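Why the fragments entry has to come first, as an added Python model that is not part of the presentation: it evaluates FRAGMENTS_ACL with and without the deny ... fragments line against constructed packets, using the documented IOS rules for how Layer 3-only, Layer 4 and fragments ACEs treat non-initial fragments (so it covers the general case, not only the slide's ACL). Packet fields, addresses and the evaluate_acl helper are assumptions of this example.

```python
"""Model of how an IOS extended ACL treats IP fragments (added example, not IOS code).

Rules modelled:
  * an ACE with only Layer 3 fields applies to whole packets, initial fragments and
    non-initial fragments;
  * an ACE with Layer 4 fields (ports) applies to whole packets and initial fragments;
    a non-initial fragment whose Layer 3 fields match is PERMITTED by a permit ACE
    but is skipped (not denied) by a deny ACE, because its ports cannot be checked;
  * an ACE carrying the 'fragments' keyword applies to non-initial fragments only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "ip", "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for a non-initial fragment: no L4 header present
    frag_offset: int = 0          # > 0 marks a non-initial fragment

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str
    src: str                      # "any" or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # Layer 4 information, e.g. 'eq 80'
    fragments: bool = False       # the 'fragments' keyword


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _l3_match(ace: Ace, p: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == p.proto
    return proto_ok and _addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)


def evaluate_acl(acl: List[Ace], p: Packet) -> str:
    """Return 'permit' or 'deny' for packet p, ending with the implicit deny."""
    for ace in acl:
        if not _l3_match(ace, p):
            continue
        if ace.fragments:
            if p.non_initial_fragment:
                return ace.action
            continue
        if ace.dport is None:                 # Layer 3 only: matches every fragment type
            return ace.action
        if p.non_initial_fragment:            # Layer 4 ACE but no ports to compare
            if ace.action == "permit":
                return "permit"
            continue                          # a deny with L4 info does not match fragments
        if ace.dport == p.dport:
            return ace.action
    return "deny"


SERVER = "192.168.1.100/32"

# The FRAGMENTS_ACL from the slide.
FRAGMENTS_ACL = [
    Ace("deny", "ip", "any", SERVER, fragments=True),
    Ace("permit", "tcp", "any", SERVER, dport=80),
    Ace("deny", "ip", "any", "any"),
]

# The same policy without the 'fragments' entry, for comparison.
NO_FRAGMENTS_ACL = FRAGMENTS_ACL[1:]

# Constructed packets: a whole packet or initial fragment to port 80 (carries the TCP
# header), a non-initial fragment (no TCP header) and a whole packet to port 22.
WEB_PACKET = Packet("tcp", "203.0.113.5", "192.168.1.100", dport=80)
NONINITIAL_FRAG = Packet("tcp", "203.0.113.5", "192.168.1.100", frag_offset=185)
SSH_PACKET = Packet("tcp", "203.0.113.5", "192.168.1.100", dport=22)


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision for each constructed packet as (with fragments ACE, without it)."""
    out = {}
    for name, pkt in [("web", WEB_PACKET), ("noninitial", NONINITIAL_FRAG), ("ssh", SSH_PACKET)]:
        out[name] = (evaluate_acl(FRAGMENTS_ACL, pkt), evaluate_acl(NO_FRAGMENTS_ACL, pkt))
    return out


if __name__ == "__main__":
    for name, (with_frag, without) in compare().items():
        print(f"{name:10s} with fragments ACE: {with_frag:6s} without: {without}")
```

Without the fragments entry, the non-initial fragment is permitted to the server by the port-80 line because its ports cannot be compared; with it, the fragment is dropped before that line is reached.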

Page 170

IP Fragmentation Attack Mitigation

• Basic features of enabling VFR
  • Max-reassemblies
    • Maximum number of concurrent IP datagrams that can be reassembled
  • Max-fragments
    • Maximum number of fragments for the same IP datagram
  • Drop-fragments
    • Drops all fragments

IP Virtual Fragment Reassembly (VFR) Logs
• VFR-4-FRAG_TABLE_OVERFLOW
• VFR-4-TOO_MANY_FRAGMENTS
• VFR-3-OVERLAP_FRAGMENT
• VFR-3-TINY_FRAGMENTS

Page 171

uRPF Advanced Features

• Cisco Express Forwarding (CEF) must be enabled (on by default)

Router(config)# ip cef

• Old configuration (DO NOT USE); this command was replaced in 12.0(15)S by the command below

Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast reverse-path

• Current configuration

Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any]

• Allow default route for uRPF verification

Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any] allow-default

Page 172

Logging dropped packets and summarization

Whether a drop log or a summary log is produced depends on the class action and on the two logging settings log drop-pkt and log summary:

Action: drop
• log drop-pkt disable, log summary disable: drop and summary logs not printed
• log drop-pkt disable, log summary enable: drop and summary logs not printed
• log drop-pkt enable, log summary disable: drop and summary logs not printed
• log drop-pkt enable, log summary enable: drop and summary logs not printed

Action: drop log
• log drop-pkt disable, log summary disable: only drop logs printed and no summary logs
• log drop-pkt disable, log summary enable: since the log option is configured with the drop action, both the drop and summary logs for the traffic that matches the action ‘drop log’ under the class are printed
• log drop-pkt enable, log summary disable: only drop logs printed and summary logs not printed
• log drop-pkt enable, log summary enable: since the log option is configured with the drop action, both the drop and summary logs for the traffic that matches the action ‘drop log’ under the class are printed

Action: inspect / zone to non-zone
• log drop-pkt disable, log summary disable: drop and summary logs not printed
• log drop-pkt disable, log summary enable: drop and summary logs not printed
• log drop-pkt enable, log summary disable: only drop logs printed and summary logs are not printed
• log drop-pkt enable, log summary enable: drops due to the inspect action and summary logs are printed

Page 173

Logging New Connections

• Cannot be applied globally
• Enable on a per class-map basis

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
policy-map type inspect USERS->INTERNET_PMAP
 class type inspect USER->INTERNET_CMAP
  inspect LOG_CONNECTION_PARAM

Page 174

Monitoring ZBFW Statistics

Router# show policy-firewall stats drop-counters
DROP action found in policy-map 4

Router# show policy-firewall stats all
Global Stats:
 Session creations since subsystem startup or last reset 0
 Current session counts (estab/half-open/terminating) [0:0:0]
 Maxever session counts (estab/half-open/terminating) [0:0:0]
 Last session created never
 Last statistic reset never
 Last session creation rate 0
 Maxever session creation rate 0
 Last half-open session total 0

Page 175

ZBFW and VPN

[Diagram: topology A - X - Y - B with the VPN between X and Y. Client Packet: IP header SRC A DST B, IP protocol 1. VPN Packet: outer IP header SRC X DST Y, IP protocol 50, followed by the ESP header and then the original packet SRC A DST B]

Page 176

VPN using Crypto-Map

[Diagram: topology A - X - Y - B with the VPN between X and Y. Client Packet: SRC A DST B. VPN Packet: SRC X DST Y]

zone-pair security LOCAL->OUTSIDE_ZP source LOCAL destination OUTSIDE
 service-policy type inspect LOCAL->REMOTE_PMAP
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP
interface Ethernet0/0
 zone-member security OUTSIDE
 crypto map IPSEC_TUNNEL

See Appendix for complete configuration example

• Crypto maps are bound to the tunnel terminating interface
• Original and VPN traffic have the same destination zone

Page 177

VPN using Virtual Tunnel Interface (VTI)

[Diagram: topology A - X - Y - B with the VPN between X and Y. Client Packet: SRC A DST B. VPN Packet: SRC X DST Y]

zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP
zone-pair security LOCAL->REMOTE_ZP source LOCAL destination REMOTE
 service-policy type inspect LOCAL->REMOTE_PMAP
interface Ethernet0/0
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security REMOTE
 tunnel mode ipsec ipv4

See Appendix for complete configuration example

• VTIs are independent interfaces with their own zone membership
• Original and VPN traffic have different destination zones

Page 178

IPv6 Tunneling Design Considerations

[Diagram: IPv6 network A - X - IPv4 network - Y - IPv6 network B, with a 6-in-4 tunnel between X and Y. Client Packet: SRC A (IPv6) DST B (IPv6). IPv6-in-IPv4 Tunnel Packet: SRC X (IPv4) DST Y (IPv4)]

interface Ethernet0/0
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security REMOTE
 tunnel mode ipv6ip
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP
zone-pair security LOCAL->REMOTE_ZP source LOCAL destination REMOTE
 service-policy type inspect LOCAL->REMOTE_PMAP

• IPv6 networks can be connected by using a 6in4 tunnel
• ZBFW should be configured on the IPv6/IPv4 edge
• IPv6 tunneling protocols could bypass security policies
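The last bullet, as an added Python example that is not part of the presentation: a parser that unwraps a 6in4 packet (IP protocol 41, the encapsulation behind tunnel mode ipv6ip) down to the inner IPv6 flow, which is what a policy on the Tunnel0/REMOTE zone gets to evaluate and a policy that stops at the outer IPv4 header never sees. The tunnel endpoints, inner hosts and the sample packet are constructed; build_6in4 and inner_flow are this example's own helpers.

```python
"""Decode an IPv6-in-IPv4 (6in4, IP protocol 41) packet down to the inner IPv6 flow.

Added example, not IOS code.  Checksums in the constructed packets are left at zero
because nothing here validates them; the point is which addresses each policy sees.
"""
import struct
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, Optional

IPPROTO_IPV6 = 41      # IPv6 carried directly in IPv4 ('tunnel mode ipv6ip')
IPPROTO_ICMPV6 = 58


def parse_ipv4(buf: bytes) -> Dict:
    """Outer header: this is all an IPv4-only policy on the OUTSIDE zone can match on."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    vihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "payload": buf[ihl:total_len]}


def parse_ipv6(buf: bytes) -> Dict:
    """Inner header: the flow a policy on the tunnel interface (zone REMOTE) evaluates."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _vtcfl, plen, next_header, _hlim, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    return {"src": str(IPv6Address(src)), "dst": str(IPv6Address(dst)),
            "next_header": next_header, "payload": buf[40:40 + plen]}


def inner_flow(buf: bytes) -> Optional[Dict]:
    """Return the IPv6 flow carried inside a 6in4 packet, or None if buf is not 6in4."""
    outer = parse_ipv4(buf)
    if outer["proto"] != IPPROTO_IPV6:
        return None
    inner = parse_ipv6(outer["payload"])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "next_header": inner["next_header"]}


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
               next_header: int, payload: bytes) -> bytes:
    """Constructed test packet: IPv4 header (proto 41) + IPv6 header + payload."""
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       IPv6Address(inner_src).packed, IPv6Address(inner_dst).packed) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0x1234, 0, 64,
                       IPPROTO_IPV6, 0, IPv4Address(outer_src).packed,
                       IPv4Address(outer_dst).packed)
    return ipv4 + ipv6


# Constructed sample: tunnel endpoints X and Y (documentation addresses) carrying an
# ICMPv6 echo request between two IPv6 hosts A and B.
ICMPV6_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
SAMPLE_6IN4 = build_6in4("192.0.2.1", "198.51.100.1", "2001:db8::a", "2001:db8:1::b",
                         IPPROTO_ICMPV6, ICMPV6_ECHO)
# A plain IPv4 ICMP packet (proto 1) between the same endpoints, for comparison.
SAMPLE_PLAIN = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                           IPv4Address("192.0.2.1").packed,
                           IPv4Address("198.51.100.1").packed) + bytes(8)


if __name__ == "__main__":
    print("outer header only:", {k: v for k, v in parse_ipv4(SAMPLE_6IN4).items() if k != "payload"})
    print("inner flow:", inner_flow(SAMPLE_6IN4))
    print("plain IPv4:", inner_flow(SAMPLE_PLAIN))
```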

Page 179

ZBFW and VPN configuration

ip access-list extended VPN_ACL
 permit esp any any
 permit udp any any eq 500
 permit udp any any eq 4500
class-map type inspect match-any VPN_CMAP
 match access-group name VPN_ACL
policy-map type inspect SELF->OUTSIDE_PMAP
 class type inspect VPN_CMAP
  pass
zone-pair security SELF->OUTSIDE_ZP source SELF destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP

Page 180

Migrating from an Existing Policy

Existing interface ACL:

ip access-list extended OUTSIDE-IN
 permit tcp any any eq 25
!
interface Ethernet0/0
 ip access-group OUTSIDE-IN in

Equivalent ZBFW policy reusing the same ACL:

ip access-list extended OUTSIDE-IN
 permit tcp any any eq 25
!
class-map type inspect match-any OUTSIDE-IN_CMAP
 match access-group name OUTSIDE-IN
!
policy-map type inspect OUTSIDE-IN_PMAP
 class type inspect OUTSIDE-IN_CMAP
  inspect

Page 181

ZBFW configuration example

zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
interface Ethernet0/1
 zone-member security OUTSIDE
!
class-map type inspect INSIDE_OUTBOUND_CMAP
 match protocol http
!
policy-map type inspect INSIDE_OUTBOUND_PMAP
 class type inspect INSIDE_OUTBOUND_CMAP
  inspect
!
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTBOUND_PMAP

Page 182

IOS Resiliency

• From console session

Router(config)#secure boot-config
*Feb 25 18:56:18.458: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [disk0:.runcfg-20130225-185618.ar]
Router(config)#no secure boot-config
*Feb 25 18:56:24.745: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed disk0:.runcfg-20130225-185618.ar]

• From telnet session

Router(config)#no secure boot-config
%You must be logged on the console to apply this command

Page 183

Stateful Address Assignment

• Centralized server performs all addressing tasks
  • Assigns IP addresses
  • Keeps track of client to address mapping
• Provides additional network information
  • DNS server
  • Default gateway
• Examples of stateful address protocols
  • DHCP

Stateless Address Assignment

• Client dynamically takes on addressing tasks
  • Chooses own IP address
    • EUI-64
  • DAD used to avoid address duplication
• Additional network information not provided by default
  • Provided by supporting server
• Examples of stateless address protocols
  • SLAAC (StateLess Address AutoConfiguration)

Page 184

Authentication Proxy - Configuration

aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
radius-server vsa send authentication
radius server ISE
 address ipv4 192.168.1.100 auth-port 1645 acct-port 1646
 key cisco
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip admission AUTHPROXY
ip admission name AUTHPROXY proxy http
ip http server

Page 185

Authentication Proxy Traffic Flow – Apply Action

1. Interface ACL

2. Consent ACL

3. AuthProxy ACL

Page 186

Authentication Proxy - Debugs

Mar 23 14:27:54.571: RADIUS/ENCODE(00000015):Orig. component type = Auth Proxy
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IPv6: ::
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015): acct_session_id: 11
Mar 23 14:27:54.571: RADIUS(00000015): sending
Mar 23 14:27:54.575: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.575: RADIUS(00000015): Send Access-Request to 14.36.112.250:1645 id 1645/11, len 110
Mar 23 14:27:54.575: RADIUS: authenticator 54 01 93 F4 17 F1 93 7D - EB 44 A3 05 FA 49 79 24
Mar 23 14:27:54.575: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.575: RADIUS: User-Password [2] 18 *
Mar 23 14:27:54.575: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 23 14:27:54.575: RADIUS: Vendor, Cisco [26] 29
Mar 23 14:27:54.575: RADIUS: Cisco AVpair [1] 23 "service-type=Outbound"
Mar 23 14:27:54.575: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.575: RADIUS: 53 E1 38 E5 A2 93 DD 40 61 88 99 60 A6 70 2D 2E [ S8@a`p-.]
Mar 23 14:27:54.575: RADIUS: NAS-Port-Type [61] 6 Async [0]
Mar 23 14:27:54.575: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.575: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 23 14:27:54.575: RADIUS(00000015): Started 5 sec timeout
Mar 23 14:27:54.591: RADIUS: Received from id 1645/11 14.36.112.250:1645, Access-Accept, len 287
Mar 23 14:27:54.591: RADIUS: authenticator C0 07 BB 4F 81 FC B8 33 - CB 2A 22 98 23 C0 6E 58
Mar 23 14:27:54.591: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.591: RADIUS: State [24] 40
Mar 23 14:27:54.591: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.591: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 35 35 33 [2470fa0000003553]
Mar 23 14:27:54.591: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.591: RADIUS: Class [25] 54
Mar 23 14:27:54.591: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.591: RADIUS: 30 30 30 33 35 35 33 32 45 45 44 36 44 3A 72 61 [00035532EED6D:ra]
Mar 23 14:27:54.591: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.591: RADIUS: 36 2F 35 34 [ 6/54]
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: 3E F1 DA B1 22 AB 23 26 12 0E 54 83 2C 96 C1 AF [ >"#&T,]
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 25
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 61
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS(00000015): Received from id 1645/11

Page 187

Authentication Proxy - Debugs

Mar 23 14:27:54.591: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 23 14:27:54.591: RADIUS(00000000): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.591: RADIUS(00000000): sending
Mar 23 14:27:54.591: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.591: RADIUS(00000000): Send Access-Request to 14.36.112.250:1645 id 1645/12, len 133
Mar 23 14:27:54.591: RADIUS: authenticator 86 69 58 02 68 24 B8 7D - 52 A6 74 12 C6 34 5E 85
Mar 23 14:27:54.591: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.591: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: FA 55 AC 1F E1 57 22 F9 0F 77 4B A6 F4 19 42 5E [ UW"wKB^]
Mar 23 14:27:54.591: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 23 14:27:54.591: RADIUS(00000000): Started 5 sec timeout
Mar 23 14:27:54.595: RADIUS: Received from id 1645/12 14.36.112.250:1645, Access-Accept, len 327
Mar 23 14:27:54.595: RADIUS: authenticator CD CB 43 D2 51 C4 A2 46 - 80 0C E3 03 10 57 52 4C
Mar 23 14:27:54.595: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.595: RADIUS: State [24] 40
Mar 23 14:27:54.595: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.595: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 36 35 33 [2470fa0000003653]
Mar 23 14:27:54.595: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.595: RADIUS: Class [25] 54
Mar 23 14:27:54.595: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.595: RADIUS: 30 30 30 33 36 35 33 32 45 45 44 36 44 3A 72 61 [00036532EED6D:ra]
Mar 23 14:27:54.595: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.595: RADIUS: 36 2F 35 35 [ 6/55]
Mar 23 14:27:54.595: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.595: RADIUS: C4 80 ED 58 1A 8C 7E 7A 60 C2 BC 2E 5C CF 66 5B [ X~z`.\f[]
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 44
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 38 "ip:inacl#2=permit tcp any any eq 443"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#3=permit udp any any eq 53"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 38
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 32 "ip:inacl#4=permit icmp any any"
Mar 23 14:27:54.595: RADIUS(00000000): Received from id 1645/12

Page 188

Authentication Proxy - Outputs

radar-CLUS#show ip admission cache
Authentication Proxy Cache
 Client Name cisco, Client IP 14.38.112.250, Port 41699, timeout 60, Time Remaining 60, state ESTAB

radar-CLUS#show epm session summary
EPM Session Information
-----------------------
Total sessions seen so far : 5
Total active sessions : 1
Session IP Address :
-------------------
14.38.112.250

radar-CLUS#show epm session ip 14.38.112.250
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-dACL-532eed4c
Supplicant-Group : ENG

Page 189

Authentication Proxy with Consent – Configuration

copy tftp://14.36.112.254/banner.html flash:banner.html

ip admission name AUTHPROXY proxy http
ip admission auth-proxy-banner file flash:banner.html
ip admission auth-proxy-banner http ^C You have logged in^C
ip admission name AUTHPROXY consent list 100 param-map CONSENT_PMAP
parameter-map type consent CONSENT_PMAP
 logging enabled
 authorize accept identity IDENTITY_POLICY
 timeout file download 3600
 file flash:html.html
identity policy consent_identity_policy
 access-group consent_access_group

Page 190

User Group – Tag and Template

• User credentials are stored on a central ACS
• Each user is bound to a different group
  • MKT, ENG, FIN, HRC, etc.
  • This is the “tag”
• Routers will ask the ACS for the group information of the user
• Routers will apply specific actions based on the tags
• The template is the configuration on each router

Page 191

Security Group Tagging – Active Authentication

[Diagram: the router asks the ACS "What should I do with UserA?"; the ACS answers "Permit UserA, BUT mark them with this Security Group Tag" and returns Cisco AVpair: SGT = 3]

• Security Group Tagging functionality is similar to Tag/Template configuration
• Policies are created using the SGT number instead of the tag name
• This specific implementation of SGT is local to the router
• SGT information is not exchanged with other devices

Page 192

User Group Tagging – Active Authentication

[Diagram: the ACS returns SGT 3 for UserA and SGT 4 for UserB; the returned tags are matched in the inspect class-maps below]

class-map type inspect INSIDE->OUTSIDE_CMAP
 match security-group source tag 4

class-map type inspect INSIDE->OUTSIDE_CMAP
 match security-group source tag 3

Page 193

High Availability

parameter-map type inspect global
 redundancy
!
redundancy
 application redundancy
  group 1
   name ZBFW_HA
   preempt
   priority 200
   control Ethernet0/2 protocol 1
   data Ethernet0/2
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive

Page 194

Verifying High Availability

Router# show redundancy application group 1
Group ID:1
Group Name:ZBFW_HA
Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY-HOT
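As an added illustration (not code from the presentation or a Cisco tool), the Python below parses the output above and reports the conditions a stateful failover depends on: admin and operational state, peer presence and communication, one ACTIVE and one STANDBY role, and the peer in STANDBY-HOT. The healthy sample is the slide's output reproduced as text; the degraded sample and the function names are my own constructions.

```python
"""Added example: check a ZBFW application-redundancy group from show output.

Illustrative code written for this transcript, not a Cisco utility. It parses
the 'show redundancy application group 1' output and reports the conditions a
clean, stateful failover depends on.
"""

# Constructed sample: the slide's output reproduced as text (not a live capture).
HEALTHY_OUTPUT = """\
Router# show redundancy application group 1
Group ID:1
Group Name:ZBFW_HA
Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY-HOT
"""

# Constructed degraded sample (invented for contrast): the peer is present but
# control-link communication is down and it has not reached STANDBY-HOT.
DEGRADED_OUTPUT = (HEALTHY_OUTPUT
                   .replace("Peer Comm: Yes", "Peer Comm: No")
                   .replace("Peer RF state: STANDBY-HOT", "Peer RF state: STANDBY-COLD"))


def parse_redundancy_group(text):
    """Return {field: value} from the 'key: value' lines; spacing around ':' varies."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:          # prompt line and blank lines carry no field
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def assess_ha(fields):
    """Return (healthy, problems) for one redundancy group.

    Healthy means: not administratively shut, operationally up, the peer seen
    and talking, one ACTIVE and one STANDBY role, and an ACTIVE router seeing
    its peer in STANDBY-HOT. A peer that is not yet HOT has not finished
    synchronising, so a failover to it would not be stateful.
    """
    problems = []
    if fields.get("Administrative State") != "No Shutdown":
        problems.append("group is administratively shut down")
    if fields.get("Aggregate operational state") != "Up":
        problems.append("aggregate operational state is not Up")
    for key in ("Peer Presence", "Peer Comm", "Peer Progression Started"):
        if fields.get(key) != "Yes":
            problems.append(f"{key} is {fields.get(key, 'missing')}")
    roles = {fields.get("My Role"), fields.get("Peer Role")}
    if roles != {"ACTIVE", "STANDBY"}:
        problems.append(f"roles are not one ACTIVE and one STANDBY: "
                        f"{fields.get('My Role')}/{fields.get('Peer Role')}")
    local_rf, peer_rf = fields.get("RF state"), fields.get("Peer RF state")
    if local_rf == "ACTIVE" and peer_rf != "STANDBY-HOT":
        problems.append(f"peer RF state is {peer_rf}, expected STANDBY-HOT")
    elif local_rf != "ACTIVE" and peer_rf != "ACTIVE":
        problems.append("neither router reports RF state ACTIVE")
    return (not problems, problems)


def check_output(text):
    """Parse and assess one command's output in a single call."""
    return assess_ha(parse_redundancy_group(text))


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        ok, problems = check_output(text)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} {problems}")
```

The check is deliberately run on the ACTIVE side's view: the state that matters for a failover is what the active router believes about its peer, and a STANDBY role with a cold RF state is the case that silently loses the session table.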

Page 195

Asymmetric Routing

[Diagram: the HA pair is connected to ISP1 and ISP2, so return traffic for a flow may arrive on the other router]

redundancy
 application redundancy
  group 1
   asymmetric-routing interface Ethernet0/3
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
 redundancy asymmetric-routing enable

Page 196

Control Plane Protection (CoPPr)

Benefits

• Extends protection against DoS attacks on infrastructure routers by providing a mechanism for finer policing of control plane traffic that allows you to rate-limit each type individually
• Provides a mechanism for early dropping of packets that are directed to closed or nonlistened Cisco IOS TCP/UDP ports
• Provides the ability to limit protocol queue usage such that no single protocol flood can overwhelm the input interface
• Provides QoS control for packets that are destined to the control plane of Cisco routers
• Provides better platform reliability, security, and availability
• Provides CPU protection so it can be used for important jobs, such as routing

Page 197

Control Plane Protection – Monitoring Drops

Router#show control-plane counters
Feature Path         Packets processed/dropped/errors
Aggregate            3/0/0
Host                 3/3/0
Transit              0/0/0
Cef-exception        0/0/0

Router#show control-plane host counters
Control plane host path counters :
Feature                      Packets Processed/Dropped/Errors
--------------------------------------------------------
TCP/UDP Portfilter           3/3/0
--------------------------------------------------------
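The counters on this slide are cumulative, so a monitor should alert on growth between polls rather than on any non-zero value. The Python below is an added example (not a Cisco utility and not from the presentation): it parses both outputs above into processed/dropped/errors triples and diffs two polls. The second poll, with the port-filter row at 8/8/0, is a constructed value, as are the function names.

```python
"""Added example: turn 'show control-plane ... counters' output into drop alerts.

Illustrative code written for this transcript, not a Cisco utility. It parses
the Processed/Dropped/Errors triples and compares two polls, so that alerts
fire on drops that are new since the last poll rather than on a cumulative
counter that may have been non-zero for months.
"""
import re

# Constructed samples reproducing the slide's output (not live captures).
SHOW_COUNTERS = """\
Router#show control-plane counters
Feature Path         Packets processed/dropped/errors
Aggregate            3/0/0
Host                 3/3/0
Transit              0/0/0
Cef-exception        0/0/0
"""

HOST_POLL_1 = """\
Router#show control-plane host counters
Control plane host path counters :
Feature                      Packets Processed/Dropped/Errors
--------------------------------------------------------
TCP/UDP Portfilter           3/3/0
--------------------------------------------------------
"""

# A later poll of the same router (constructed): five more packets hit closed ports.
HOST_POLL_2 = HOST_POLL_1.replace("3/3/0", "8/8/0")

# One counter row: a feature name, then processed/dropped/errors.
ROW_RE = re.compile(r"^\s*(?P<feature>\S.*?)\s+(?P<p>\d+)/(?P<d>\d+)/(?P<e>\d+)\s*$")


def parse_counters(text):
    """Return {feature: (processed, dropped, errors)}; headers and rules are ignored."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counters[m["feature"]] = (int(m["p"]), int(m["d"]), int(m["e"]))
    return counters


def new_drops(previous, current):
    """Return {feature: drops_since_previous} for counters that advanced between polls."""
    delta = {}
    for feature, (_, dropped, _) in current.items():
        before = previous.get(feature, (0, 0, 0))[1]
        if dropped > before:
            delta[feature] = dropped - before
    return delta


def drop_fraction(counters, feature):
    """Dropped packets as a fraction of those processed for one feature (0.0 if idle)."""
    processed, dropped, _ = counters[feature]
    return dropped / processed if processed else 0.0


def alerts(previous_text, current_text, min_new_drops=1):
    """Build human-readable alert lines for features whose drop counter moved."""
    prev, cur = parse_counters(previous_text), parse_counters(current_text)
    return [f"{feature}: {n} new control-plane drops since last poll"
            for feature, n in new_drops(prev, cur).items() if n >= min_new_drops]


if __name__ == "__main__":
    print(parse_counters(SHOW_COUNTERS))
    print(alerts(HOST_POLL_1, HOST_POLL_2))
```

A drop in the Host path that is expected (port-filter dropping probes to closed ports) and a drop that is not (a queue threshold starving a routing protocol) look identical in the aggregate counters; the per-feature rows from the host path are what tell them apart, which is why the parser keys on the feature name.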

Page 198

Control Plane Protection – Monitoring Drops

Router#show policy-map type port-filter control-plane all
Control Plane Host

Service-policy port-filter input: PORTFILTER_PMAP

  Class-map: PORTFILTER_CMAP (match-all)
    3 packets, 180 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: closed-ports
    drop

  Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: any

Page 199

Control Plane Protection Example 2

• Problem
  • SNMP is exhausting control plane resources, preventing the router from executing certain core functions such as routing and management
• Solution
  • Limit the number of packets allowed on the input queue
  • The solution is to use queue-limits
  • Prevent a single function from overwhelming all resources
  • Create a tiered policy to ensure functionality

Page 200

Control Plane Protection – Queue Threshold

! Match SNMP
class-map type queue-threshold match-all SNMP_QUEUE
 match protocol snmp
! Match all other protocols
class-map type queue-threshold match-all OTHER_QUEUE
 match protocol host-protocols
!
! Limit packets to prevent oversubscription
policy-map type queue-threshold QUEUELIMIT_PMAP
 class SNMP_QUEUE
  queue-limit 50
 class OTHER_QUEUE
  queue-limit 150
!
! Apply to the host subinterface
control-plane host
 service-policy type queue-threshold input QUEUELIMIT_PMAP

Page 201

Control Plane Protection – Viewing Current Queue

• Only telnet is enabled on the router
• The queue threshold processes packets until the limit is exceeded
• Excess unprocessed packets beyond the limit are dropped to protect control-plane resources

See Appendix for complete configuration example

Router#show control-plane host counters
Control plane host path counters :
Feature                      Packets Processed/Dropped/Errors
--------------------------------------------------------
Port Queue Threshold         150/30/0
--------------------------------------------------------
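To make the queue-threshold behaviour on the previous two slides concrete, here is an added Python simulation (my own model, not Cisco's implementation and not from the presentation) of the two bounded queues in QUEUELIMIT_PMAP: an SNMP flood of 200 packets and 10 telnet packets arrive at once, the CPU drains 20 packets per tick, and the result is compared with a single unbounded queue. The packet mix, drain rate and function names are constructed; the 50/150 limits are the slide's.

```python
"""Added example: simulate per-protocol control-plane queue thresholds.

Illustrative model written for this transcript, not Cisco's implementation.
It reproduces the effect of QUEUELIMIT_PMAP: an SNMP flood can fill only its
own queue (limit 50) and is dropped beyond that, so a small amount of telnet
(matched by host-protocols, limit 150) is still processed promptly.
"""
from collections import deque

# Limits from the slide's policy-map: class SNMP_QUEUE 50, class OTHER_QUEUE 150.
SLIDE_LIMITS = {"SNMP_QUEUE": 50, "OTHER_QUEUE": 150}

# Constructed traffic: 200 SNMP packets and 10 telnet packets arrive in tick 0.
FLOOD = {0: ["snmp"] * 200 + ["telnet"] * 10}


def slide_classifier(proto):
    """Mirror the two class-maps: 'match protocol snmp' vs 'match protocol host-protocols'."""
    return "SNMP_QUEUE" if proto == "snmp" else "OTHER_QUEUE"


def simulate(arrivals, limits, classify, drain_per_tick, ticks):
    """Return (counters, finished).

    counters[class] = [processed, dropped], the same pair the 'Port Queue
    Threshold' row of 'show control-plane host counters' reports.
    finished[proto] = tick in which the last packet of that protocol was
    processed, a rough stand-in for how long a legitimate session waited.
    A limit of None means the queue is unbounded.
    """
    queues = {cls: deque() for cls in limits}
    counters = {cls: [0, 0] for cls in limits}
    finished = {}
    for tick in range(ticks):
        for proto in arrivals.get(tick, []):
            cls = classify(proto)
            limit = limits[cls]
            if limit is not None and len(queues[cls]) >= limit:
                counters[cls][1] += 1          # threshold exceeded: dropped at enqueue
            else:
                queues[cls].append(proto)
        # The CPU services a fixed number of packets per tick, one per class in
        # turn, so no class can monopolise it while its queue is bounded.
        budget = drain_per_tick
        while budget > 0 and any(queues.values()):
            for cls, queue in queues.items():
                if budget == 0:
                    break
                if queue:
                    finished[queue.popleft()] = tick
                    counters[cls][0] += 1
                    budget -= 1
    return counters, finished


def run_with_limits():
    """Policy from the slide applied: SNMP capped at 50, telnet finishes in tick 0."""
    return simulate(FLOOD, SLIDE_LIMITS, slide_classifier, drain_per_tick=20, ticks=12)


def run_without_limits():
    """Same flood into one unbounded FIFO: nothing dropped, telnet waits behind 200 SNMP packets."""
    return simulate(FLOOD, {"class-default": None}, lambda proto: "class-default",
                    drain_per_tick=20, ticks=12)


if __name__ == "__main__":
    for label, (counters, finished) in (("with limits", run_with_limits()),
                                         ("without limits", run_without_limits())):
        print(label, counters, "telnet finished in tick", finished["telnet"])
```

The interesting number is not the SNMP drop count but when the last telnet packet is serviced: with the slide's limits it completes in the first tick, without them it waits until every queued SNMP packet has been processed, which is exactly the "management is unreachable during an SNMP flood" symptom from Example 2.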

Page 203

Internet of Things (IoT) Cisco Education Offerings

Course: NEW! IMINS2
Description: An associate level instructor led training course designed to prepare you for the CCNA Industrial certification
Cisco Certification: CCNA® Industrial

Course: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
Description: This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises
Cisco Certification: Cisco Industrial Networking Specialist

Course: Control Systems Fundamentals for Industrial Networking (ICINS)
Description: For IT and Network Engineers, covers basic concepts in Industrial Control systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks

Course: Networking Fundamentals for Industrial Control Systems (INICS)
Description: For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and introductory overview of Automation industry Protocols.

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]

Page 204

Business Transformation Cisco Education Offerings

For IT and Network Professionals:
Course: Building Business Specialist Skills
Description:
• Builds non-technical skills key to ensure business impact and influence. Topics include: business analysis, finance, technology adoption and effective communications.
• Bridges IT and business impacts of mature and emerging solutions including cloud plus Internet of Everything
Cisco Certification: Cisco Enterprise IT Business Specialist

For Technology Sellers:
Course: Applying Cisco Specialized Business Value Analysis Skills
Description: Builds skills to discover and address technology needs using a business-focused, consultative sales approach
Cisco Certification: Cisco Business Value Specialist

Course: Executing Advanced Cisco Business Value Analysis and Design Techniques
Description: Enables customer transformation through business architecture and solution selling expertise
Cisco Certification: Cisco Certified Business Value Practitioner

Course: Performing Cisco Business-Focused Transformative Architecture Engagements
Description: Provides skills and an approach to build a strategic roadmap of IT initiatives, aligned to business priorities
Cisco Certification: Cisco Transformative Architecture Specialist

Page 205

Security Cisco Education Offerings

Course: CCIE Security
Description: Expert Level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks.
Cisco Certification: CCIE® Security

Courses: Implementing Cisco Edge Network Security Solutions (SENSS); Implementing Cisco Threat Control Solutions (SITCS); Implementing Cisco Secure Access Solutions (SISAS); Implementing Cisco Secure Mobility Solutions (SIMOS)
Description:
• SENSS: Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
• SITCS: Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security
• SISAS: Deploy Cisco’s Identity Services Engine and 802.1X secure network access
• SIMOS: Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
Cisco Certification: CCNP® Security

Course: Implementing Cisco Network Security (IINS 3.0)
Description: Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
Cisco Certification: CCNA® Security

Course: Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
Description: Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response
Cisco Certification: Cisco Cybersecurity Specialist

Course: Network Security Product Training
Description: For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances.

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Page 206

R&S Related Cisco Education Offerings

Course: CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs
Description: Expert level trainings including: instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam.
Cisco Certification: CCIE® Routing & Switching

Courses:
• Implementing Cisco IP Routing v2.0
• Implementing Cisco IP Switched Networks v2.0
• Troubleshooting and Maintaining Cisco IP Networks v2.0
Description: Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs.
Cisco Certification: CCNP® Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 2 (or combined)
Description: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCNA® Routing & Switching

Course: Interconnecting Cisco Networking Devices: Part 1
Description: Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab.
Cisco Certification: CCENT® Routing & Switching

Page 207

Wireless Cisco Education Offerings

Courses:
• Designing Cisco Wireless Enterprise Networks
• Deploying Cisco Wireless Enterprise Networks
• Troubleshooting Cisco Wireless Enterprise Networks
• Securing Cisco Wireless Enterprise Networks
Description: Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot as well as secure Wireless infrastructure. The courses also provide details around Cisco Mobility Services Engine, Prime Infrastructure and wireless security.
Cisco Certification: CCNP® Wireless Version 3.0 (Available March 22nd, 2016)

Course: Implementing Cisco Unified Wireless Network Essential
Description: Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.
Cisco Certification: CCNA® Wireless (Available Now)

Course: Deploying Basic Cisco Wireless LANs (WDBWL) 1.2
Description: Understanding of the Cisco Unified Wireless Networking for enterprise deployment scenarios. In this course, you will learn the basics of how to install, configure, operate, and maintain a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution.

Course: Deploying Advanced Cisco Wireless LANs (WDAWL) 1.2
Description: The WDAWL advanced course is designed with the goal of providing learners with the knowledge and skills to successfully plan, install, configure, troubleshoot, monitor, and maintain advanced Cisco wireless LAN solutions such as QoS, “salt and pepper” mobility, high density deployments, and outdoor mesh deployments in an enterprise customer environment.

Course: Deploying Cisco Connected Mobile Experiences (WCMX) 2.0
Description: WCMX will prepare professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot, and optimize utilization of mobile content while gaining meaningful client analytics.

Page 208

Design Cisco Education Offerings

Course: Designing Cisco Network Service Architectures (ARCH) Version 3.0
Description: Provides the learner with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports the desired capacity, performance and availability required for converged Enterprise network services and applications.
Cisco Certification: CCDP® (Design Professional) (Available Now)

Course: Designing for Cisco Internetwork Solutions (DESGN) Version 3.0
Description: Instructor led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam.
Cisco Certification: CCDA® (Design Associate) (Available Now)

Page 209

Service Provider Cisco Education Offerings

Courses: Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE); Edge Network Services (SPEDGE)
Description: SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments.
Cisco Certification: CCNP Service Provider®

Courses: Building Cisco Service Provider Next-Generation Networks, Part 1&2 (SPNGN1), (SPNGN2)
Description: The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR).
Cisco Certification: CCNA Service Provider®

Courses: Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE)
Description: The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs).
Cisco Certification: Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist

Course: Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR)
Description: Prepares Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment.
Cisco Certification: Cisco IOS XR Specialist

Page 210

Collaboration Cisco Education Offerings

Course: CCIE Collaboration Advanced Workshop (CIEC)
Description: Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks
Cisco Certification: CCIE® Collaboration

Course: Implementing Cisco Collaboration Applications (CAPPS)
Description: Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection.
Cisco Certification: CCNP® Collaboration

Courses: Implementing Cisco IP Telephony and Video Part 1 (CIPTV1); Implementing Cisco IP Telephony and Video Part 2 (CIPTV2); Troubleshooting Cisco IP Telephony and Video (CTCOLLAB)
Description:
• CIPTV1: Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network.
• CIPTV2: Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment.
• CTCOLLAB: Troubleshoot complex integrated voice and video infrastructures
Cisco Certification: CCNP® Collaboration

Courses: Implementing Cisco Collaboration Devices (CICD); Implementing Cisco Video Network Devices (CIVND)
Description:
• CICD: Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager.
• CIVND: Learn how to evaluate requirements for video deployments, and implement Cisco Collaboration endpoints in converged Cisco infrastructures.
Cisco Certification: CCNA® Collaboration

Page 211

Cloud Cisco Education Offerings

Course: Understanding Cloud Fundamentals (CLDFND)
Description: Learn how to perform foundational tasks related to Cloud computing, and the essentials of Cloud infrastructure
Cisco Certification: CCNA Cloud

Course: Introducing Cloud Administration (CLDADM)
Description: Learn the essentials of Cloud administration and operations, including how to provision, manage, monitor, report and remediate.
Cisco Certification: CCNA Cloud

Course: Implementing and Troubleshooting the Cisco Cloud Infrastructure (CLDINF)
Description: Learn how to implement and troubleshoot Cisco Cloud infrastructure: compute, network, storage.
Cisco Certification: CCNP Cloud

Course: Designing the Cisco Cloud (CLDDES)*
Description: Learn how to design private and hybrid Clouds including infrastructure, automation, security and virtual network services
Cisco Certification: CCNP Cloud

Course: Automating the Cisco Enterprise Cloud (CLDAUT)*
Description: Learn how to automate Cloud deployments – provisioning IaaS (private, private with network automation and hybrid) and applications, life cycle management
Cisco Certification: CCNP Cloud

Course: Building the Cisco Cloud with Application Centric Infrastructure (CLDACI)*
Description: Learn how to build Cloud infrastructures based on Cisco Application Centric Infrastructure, including design, implementation and automation
Cisco Certification: CCNP Cloud

Course: UCS Director Foundation (UCSDF)
Description: Learn how to manage physical and virtual infrastructure using orchestration and automation functions of UCS Director.


* Available Q2CY2016

Page 212

Data Center / Virtualization Cisco Education Offerings

Courses: Introducing Cisco Data Center Networking (DCICN); Introducing Cisco Data Center Technologies (DCICT)
Description: Learn basic data center technologies and skills to build a data center infrastructure.
Cisco Certification: CCNA® Data Center

Courses: Implementing Cisco Data Center Unified Fabric (DCUFI); Implementing Cisco Data Center Unified Computing (DCUCI); Designing Cisco Data Center Unified Computing (DCUDC); Designing Cisco Data Center Unified Fabric (DCUFD); Troubleshooting Cisco Data Center Unified Computing (DCUCT); Troubleshooting Cisco Data Center Unified Fabric (DCUFT)
Description: Obtain professional level skills to design, configure, implement, troubleshoot data center network infrastructure.
Cisco Certification: CCNP® Data Center

Courses: Product Training Portfolio: DCNMM, DCAC9K, DCINX9K, DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K
Description: Gain hands-on skills using Cisco solutions to configure, deploy, manage and troubleshoot unified computing, policy-driven and virtualized data center network infrastructure.

Courses: Designing the FlexPod® Solution (FPDESIGN); Implementing and Administering the FlexPod® Solution (FPIMPADM)
Description: Learn how to design, implement and administer FlexPod solutions
Cisco Certification: Cisco and NetApp Certified FlexPod® Specialist

Page 213

Network Programmability Cisco Education Offerings

Courses: Integrating Business Applications with Network Programmability (NIPBA); Integrating Business Applications with Network Programmability for Cisco ACI (NPIBAACI)
Description: Learn networking concepts, and how to deploy and troubleshoot programmable network architectures with these self-paced courses.
Cisco Certification: Cisco Business Application Engineer Specialist Certification

Courses: Developing with Cisco Network Programmability (NPDEV); Developing with Cisco Network Programmability for Cisco ACI (NPDEVACI)
Description: Learn how to build applications for network environments and effectively bridge the gap between IT professionals and software developers.
Cisco Certification: Cisco Network Programmability Developer Specialist Certification

Courses: Designing with Cisco Network Programmability (NPDES); Designing with Cisco Network Programmability for Cisco ACI (NPDESACI)
Description: Learn how to expand your skill set from traditional IT infrastructure to application integration through programmability.
Cisco Certification: Cisco Network Programmability Design Specialist Certification

Courses: Implementing Cisco Network Programmability (NPENG); Implementing Cisco Network Programmability for Cisco ACI (NPENGACI)
Description: Learn how to implement and troubleshoot open IT infrastructure technologies.
Cisco Certification: Cisco Network Programmability Engineer Specialist Certification
