Você está na página 1de 94

Reference Manual ver. 1.

0 (2012-14)

Created by Paul Nadstoga (pnadstoga@gmali.com)

Contents
SECURING THE EDGE ROUTER
AAA
ACLs
CLI BASED FIREWALLS
IPS & IDS
LAYER 2 SECURITY
IPSec
APPENDIXES

1
22
28
39
50
60
67
81

SECURITY THE
EDGE ROUTER
Administrative Access Security

Banners
Login Security
SSH
Securing the System Files
Clock Configuration

System Logging
Role-Based CLI
Privilege Levels
Enabling SDM Support
Routers Passwords Recovery Procedure
Security Audits
Sample Routing Hardening Configuration

ADMINISTRATIVE ACCESS SECURITY


STEP #

COMMANDS

COMMENTS

GLOBAL SETTINGS

CONFIGURE ENABLE PASSWORD

<Router(config)#enable secret (password)>

MIN. PASSWORD LENGTH

<Router(config)#security password min-length (0-16)>

The recommended min. password length is 10 characters.

<Router(config)#service password-encryption>

enable secret - password restricts access to privilege


level 15 and it is always hashed in the config. using MD5
algorithm

The password encryption affects all the passwords created


after the command was issued passwords created prior to
activation are not affected.

ENCRYPT PASSWORDS STORED


IN CONFIG FILE

Type 7 encryption is used (very weak algorithm).


Removing the command will keep already existing passwords
encrypted.

CREATE LOCAL USER DATABASE

<Router(config)#username (username) secret (0 | 5) (password)>

0 indicates that plain text password will follow


5 indicates that MD5 hashed password will follow

ADMINISTRATIVE PORTS
<Router(config)#line con 0>

ACCESS LINES CONFIG MODE

<Router(config)#line vty 0 4>


<Router(config)#line aux 0>

CONFIGURE PASSWORDS

<Router(config-line)#password (password)>

The password has to be configured before trying to issue the


login | login local commands.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

<Router(config-line)#login | login local>

ENABLE PASSWORD PROMPT

login enables the password prompt when trying to


access a given line; checks the password against
configured value
login local enables the username | password prompt
when trying to access a given line; checks the username
and password against entries in the local user database

<Router(config-line)#exec-timeout (0-35791min.) (0-2147483 sec.)


To disable idle timeout:

CONFIGURE IDLE TIMEOUT

<Router(config-line)#no exec-timeout>
OR
<Router(config-line)#exec-timeout 0 0>

*DISABLE INCOMING
CONNECTIONS

<Router(config-line)#no exec>

Allows only outgoing connections on the line.


Issuing the command will not terminate the ongoing
connection but wont allow establishing new ones.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

BANNERS
STEP #

COMMANDS
<Router(config)#banner (type) & MESSAGE+TOKENS &>

COMMENTS
Banner types:

CONFIGURE BANNERS

EXEC displayed when an EXEC process is created


INCOMING displayed when theres an incoming connection on a
terminal line
LOGIN displayed before username and password login prompts
MOTD displayed upon successful login
SLIP-PPP displayed when SLIP/PPP connection is made

Tokens:

$(hostname)
$(domain)
$(line)
$(line-desc)

& - delimiting character, indicates the beginning and end of the message
(cannot be part of the message itself)

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

LOGIN SECURITY
STEP #

COMMANDS

COMMENTS

<Router(config)#login block-for (1-65535) attempts (1-65535) within (1-65535)>

Activates other login enhancements.

<Router(config)#login quiet-mode access-class (ACL name | #)>

Starts in NORMAL (WATCH) mode during which the router


keeps track of number of failed logins.
The QUIET mode is initialized when number of failed login
attempts exceeds the defined limit. Blocks all login attempts
for a defined number of seconds.

ENABLE LOGIN ENHANCEMENTS

An ACL can be applied to allow login attempts, while in the


QUIET mode, coming from permitted destinations.
Introduces a 1 sec. delay between login attempts.
The feature is helpful in mitigating DoS attacks.
<Router(config)#login delay (1-10)>

Delay in sec. between successive login attempts (both failed


and successful).

CONFIGURE LOGIN DELAY

Helps mitigate dictionary attacks.


<Router(config)#login on-success (*log | trap) (*every (1-65535))>

RECORD SUCCESSFUL LOGINS

To verify:

Logs every successful login attempt.

log - generates a syslog message


trap - generates a SNMP trap

log - logs every failed login attempt


security authentication failure - generates a syslog
entry (TOOMANY-AUTHFAILS)

<Router#show login>
<Router(config)#login-on failure (*log | trap) (*every (1-65535))>
Alternatively:

RECORD FAILED LOGINS

<Router(config)#security authentication failure rate (2-1024) log


To verify:
<Router#show login (failures)>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

SSH (SECURE SHELL)


STEP #

COMMANDS

COMMENTS

CONFIGURE HOSTNAME

<Router(config)#hostname (hostname)>

CONFIGURE DOMAIN NAME

<Router(config)#ip domain-name (domain name)>

GENERATE 1-WAY SECRET KEY

<Router(config)#crypto key generate rsa general-keys modulus (360-2028)>

A minimum recommended value is 1024 bits.

To verify:

SSH ver. 1 is automatically enabled once keys are


generated.

<Router#show crypto key mypublic rsa>


To erase:
<Router(config)#crypto key zeroize rsa>
<Router(config)#username (username) secret (password)>

CREATE LOCAL USER DATABASE ENTRY

ENABLE VTY INBOUND SSH SESSIONS

*SET SSH VERSION

*TUNE EXEC-TIMEOUT

<Router(config)#ip ssh time-out (1-120)>

*TUNE LOGIN ATTEMPTS LIMIT

<Router(config)#ip ssh authentication-retries (3, 0-5)>

TSHOOT

<Router(config-line)#login local>
<Router(config-line)#transport input ssh>
<Router(config)#ip ssh version (1-2)>

Version 2 provides better encryption and integrity


check than ver. 1.

show ip ssh
show ssh

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

SECURING THE SYSTEM FILES


STEP #

COMMANDS

COMMENTS

TO SECURE THE IOS IMAGE + CONFIGURATION

SECURE THE IOS IMAGE

<Router(config)#secure boot-image>
<Router(config)#secure boot-config>

Secure IOS Resiliency feature securely archives files in


persistent storage - the secured files dont appear in the
output of the dir or show flash commands.
The feature will not prevent someone from viewing the files
or accessing files from ROMMON mode.

SECURE THE CONFIGURATION FILE

Denies all requests to copy, modify, or erase the files


secured.
Only files run locally can be secured.

TSHOOT

show secure bootset

TO RESTORE SYSTEM USING SECURED FILES:

RELOAD THE ROUTER

<Router#reload>

ENTER ROMMON MODE

Hold the BREAK key

VIEW FILES

<rommon #1>dir

BOOT WITH SECURED IOS

<rommon #2>boot (image name)

RESTORE CONFIGURATION

<Router(config)#secure boot-config restore>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

CLOCK CONFIGURATION
STEP #

COMMANDS

COMMENTS

MANUAL

ISSUE CLOCK COMMAND

<Router#clock set HH:MM:SS MONTH DAY YEAR>

Even when NTP is used, the clock still needs to be configured


manually on the NTP server.

<Router#ntp master (stratum 1-15)>

Sets the router as a NTP master with the number of hops


away from the authorative server.

<Router(config)#ntp server (A.A.A.A)>

Sets the router as a NTP slave with the IP address of the NTP
master.

NTP

CONFIGURE NTP MASTER

CONFIGURE NTP SLAVE

<Router(config)#ntp authenticate>

<Router(config)#ntp authentication-key (1-4294967295) md5 (key name)>

ENABLE NTP AUTHENTICATION

<Router(config)#ntp trusted-key (1-4294967295)>

ntp authenticate - turns NTP authentication on.

The authentication is for the benefit of a client to ensure that


it is getting the time from an authenticated server.
Clients configured without authentication still get the time
from the server.
The difference is that these clients do not authenticate the
server as a secure source.

TSHOOT

show ntp status


show ntp associations details

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

SYSTEM LOGGING
STEP #

COMMANDS
<Router(config)#logging host (hostname | A.A.A.A)>

LOCATE LOGGING SERVER

*<Router(config)#logging source-interface (interface)>

source-interface is optional and can be useful in


situations where more than one link to the server exists
(normally, the router will use information in the routing
table to select the best path)

SET LOGGING SEVERITY FOR THE MESSAGES SENT TO THE :


LVL

KEYWORD

SERVER

<Router(config)#logging trap (lvl | keyword)>

CONSOLE

<Router(config)#logging console (lvl | keyword)>

EMERGENCIES

BUFFER

<Router(config)#logging buffered (lvl | keyword)>

ALERTS

<Router(config)#logging monitor (lvl | keyword)>

CRITICAL

ERRORS

WARNINGS

NOTIFICATIONS

INFORMATIONAL

DEBUGGING

LINES

<Router(config)#logging on>

COMMENTS

logging on - enables logging on all outputs

Only the console logging is enabled by default.

ENABLE LOGGING

Logging to specific destinations can be controlled individually.

TSHOOT

show logging

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

ROLE-BASED CLI
STEP #

ENABLE AAA

COMMANDS

COMMENTS

<Router(config)#aaa new-model>

Using CLI roles requires enabling AAA first.

<Router#enable view (enable password)>

Equivalent to a level 15 privilege user.


Only Root can add / delete / modify views

ACCESS ROOT VIEW

The enable password is only required if it has been already


configured.
<Router(config)#parser view (view name)>

The password has to be configured before trying issuing any


other commands in the view sub-configuration mode.

<Router(config-view)#secret (password)>

CREATE VIEWS

To switch between views:


<Router#enable view (view name)>
To verify:
<Router#show parser view (all)>
<Router(config-view)#commands (mode) (include | exclude | include-exclusive)
(all | command)>

ADD COMMANDS TO A VIEW

Examples:
<Router(config-view)#commands exec include configure>
<Router(config-view)#commands configure include interface>

include adds a command to the view


exclude remove a command from the view
include-exclusive adds a command to the view and
prohibits it from being added to other views
all include all commands in a given mode that start
with the same keyword

<Router(config-view)#commands interface include shutdown>

SUPERVIEW

<Router(config)#parser view (name) superview>

Superview is a collection of individual views.

<Router(config-view)#secret (0 | 5) (password)>

Commands cannot be added to a superview - they need to be


added to one of subordinate views.

<Router(config-view)#view (view name)>

Deleting a superview does not delete subordinate views.

<Router(config-view)#view (view name)>

ASSIGN A VIEW TO A USER

<Router(config)#username (username) view (view name) secret (password)>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

10

PRIVILEGE LEVELS
STEP #

COMMANDS

COMMENTS

Privilege level assigned to enable command:

LEVEL 0 (predefined for a user-level access)

<Router(config)#enable secret level (1-15) (0 | 5) (password)>


Privilege level assigned to a specific user from the local user database:
<Router(config)#username (username) privilege (0-15) secret (password)>
To check what privilege level is assigned to the current user:
<Router#show privilege>

LEVEL 1

DEFINE METHODS TO ACCESS A


SPECIFIC PRIVILEGE LEVEL

DISABLE
ENABLE
EXIT
HELP
LOGOUT

user cant introduce any changes


user cant view the running-config.

LEVEL 2-14

customizable
commands available at lower levels are available at
higher levels

LEVEL 15

all IOS commands are available

Assuming that a user has access to show running command,


the information displayed will be only on resources the user
has access to.
<Router(config)#privilege (mode) level (level #) (command)>
Examples:

ASSIGN A PRIVILEGE LEVEL TO


AN IOS COMMAND

configure

<Router(config)#username Admin privilege 7 secret cisco123>

exec

global config.
EXEC mode

<Router(config)#privilege exec level 7 show>


<Router(config)#privilege configure level 7 interface>

interface

<Router(config)#privilege interface level 7 shutdown>

line

interface subconfig.
line subconfig.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

11

ENABLING SDM SUPPORT


STEP #

COMMANDS

COMMENTS

CONFIGURE HOSTNAME

<Router(config)#hostname (hostname)>

CONFIGURE DOMAIN NAME

<Router(config)#ip domain-name (domain name)>

ENABLE HTTP SERVICES

<Router(config)#ip http server>

ip http server - enables HTTP services

ENABLE HTTPS SERVICES

<Router(config)#ip http secure-server>

ip http secure-server - enables SSL services

ENABLE AUTHENTICATION

CREATE A PRIVILEGE LVL 15 USER

<Router(config)#ip http authentication (local | aaa)>

Enables user authentication either via an AAA server


or local user database.

<Router(config)#username (username) privilege 15 secret (password)>

The user running SDM has to have unrestricted access


to the routers resources.

<Router(config)#ip http timeout-policy idle (1-600) life (1-86400) requests (1-86400)>

TUNE HTTP CONNECTIONS

idle defines how long the connection will


remain open if no data is sent / received (default
= 180 sec.)
life defines how long the connection will be
kept open to the server from the time it has
been established (default = 180 sec.)
requests the number of concurrent requests
processed on an existing connection

CONFIGURE VIRTUAL LINES:


o

GRANT LVL 15 PRIVILEGES TO


ANY USER THAT LOGS IN ON
THE LINE

<Router(config-line)# privilege 15>

ENABLE AUTHENTICATION
VIA THE LOCAL USER
DATABASE

<Router(config-line)#login local>

ENABLE SSH

<Router(config-line)#transport input ssh>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

12

ROUTERS PASSWORDS RECOVERY PROCEDURE


STEP #

COMMANDS

COMMENTS
The procedure requires physical access to the device
and cannot be performed over a virtual connection.

CONNECT TO THE ROUTER VIA CONSOLE PORT


<Router#show version>

The register value dictates how the router acts during


the bootup process e.g. how the router boots and
what options its using.

() Configuration register is 0x2102

Relevant values:

RECORD CURRENT REGISTER VALUE

POWER ROUTER OFF / ON

ENTER THE ROMMON MODE

Issue the break sequence within 60 seconds of power up.

MODIFY THE REGISTER TO IGNORE THE STARTUP


CONFIGURATION DURING BOOTUP

rommon #1>confreg 0x2142

REBOOT THE ROUTER

rommon #2>reset

COPY STARTUP CONFIGURATION TO NVRAM

VIEW THE STARTUP CONFIG

RESTORE THE REGISTER VALUE

0x2102

default setting
enters ROM if booting fails

0x2142

ignores content of NVRAM

<Router#copy startup-config running-config>

The command will override the default configuration


the router booted up with.

<Router#show startup-config>

The purpose here is to view the startup configuration


and try to recover the passwords
If the passwords are stored in an encrypted form and
cannot be recovered, new ones should be configured.

<Router(config)#config-register 0x2102>

Register is changed again to load the NVRAM content


during boot up.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

13

<Router(config)#no service password-recovery>

To recover after the command was issued:

* DISABLE PASSWORD RECOVERY

issue break within 5 sec. of image being


decompressed
confirm to delete the startup config
the router will boot with default settings

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

14

SECURITY AUDITS
DISABLES

ENABLES

SETS

SDM SECURITY AUDIT WIZARD / CLI AUTO SECURE

SNMP
Finger
PAD
TCP Small Servers
UDP Small Servers
IP BootP
IDENT
CDP
IP Source Route
IP Redirects
IP Proxy ARP
IP Directed Broadcast
MOP
IP Unreachables
IP Mask Reply

password encryption
IP CEF
firewall rules on all outbound interfaces
unicast RPF on all outbound interfaces
logging

minimum password length to 6 characters


local user database entries

password encryption
IP CEF
firewall rules on all outbound interfaces
unicast RPF on all outbound interfaces
SSH
AAA
TCP Keepalives Inbound / Outbound
seq. # and timestamps on debugs

minimum password length to 6 characters


authentication failure rate <3 retries
TCP synwait time
notification banner
logging parameters
enable secret password
scheduler interval
scheduler allocate
users
Telnet settings
ACLs on HTTP server service
ACLs on VTY lines

ONE STEP LOCKDOWN

SNMP
Finger
PAD
TCP Small Servers
UDP Small Servers
IP BootP
IDENT
CDP
IP Source Route
IP Redirects
IP Proxy ARP
IP Directed Broadcast
MOP
IP Unreachables
IP Mask Reply

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

15

SAMPLE ROUTING HARDENING CONFIGURATION


GLOBAL

set hostname

<RTR1(config)#hostname RTR1>

set domain name

<RTR1(config)#ip domain-name archimetric.com>

enable password encryption

<RTR1(config)#service password-encryption>

set minimum password length = 7

<RTR1(config)#security passwords min-length 7>

set privilege EXEC password

<RTR1(config)#enable secret cisco123>

generate a 1024 bit RSA key

<RTR1(config)#crypto key generate rsa encryption modulus 1024>

enable SSH ver.2

<RTR1(config)#ip ssh version 2>

set SSH timeout to 60

<RTR1(config)#ip ssh time-out 60>

set SSH authentication retires limit to 2

<RTR1(config)#ip ssh authentication-retries 2>

create a user Admin with lvl. 15 privileges and encrypted password

<RTR1(config)#username Admin privilege 15 secret cisco123>

SSH

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

16

LOGIN

disable login for 60 sec. if there are 3 failed login attempts within 20 sec.

<RTR1(config)#login block-for 60 attempts 3 within 20>

set login delay of 5 sec.

<RTR1(config)#login delay 5>

BANNERS

MOTD

<RTR1(config)# banner motd WARNING!!! RESTRICTED ACCESS!!!>

LOGIN

<RTR1(config)#banner login ENTER YOUR USERNAME AND PASSWORD:

EXEC

<RTR1(config)#banner enable LOGIN SUCCESSFUL! HAPPY ROUTING!

<RTR1(config)#line con 0>

MANAGEMENT LINES

CONSOLE
o

configure password cisco123

<RTR1(config-line)#password cisco123>

enable synchronous logging

<RTR1(config-line)#logging synchronous>

set idle timeout to 10 min.

<RTR1(config-line)#exec-timeout 10 0>

AUX LINE

<RTR1(config)#line aux 0>

configure password cisco123

<RTR1(config-line)#password cisco123>

enable synchronous logging

<RTR1(config-line)#logging synchronous>

set idle timeout to 10 min.

<RTR1(config-line)#exec-timeout 10 0>

allow only outbound connections

<RTR1(config-line)#no exec>

VTY LINES

<RTR1(config)#line vty 0 4>

configure password cisco123

<RTR1(config-line)#password cisco123>

enable synchronous logging

<RTR1(config-line)#logging synchronous>

set idle timeout to 10 min.

<RTR1(config-line)#exec-timeout 10 0>
BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

17

allow only SSH connections

<RTR1(config-line)#transport input ssh>

grant level 15 privileges to users logging in on VTY lines

<RTR1(config-line)#privilege 15>

set idle timeout to 5 min.

<RTR1(config-line)#exec-timeout 5 0>

LOGGING

enable logging to buffer of lvl. 7 messages (buffer size = 8192 bits)

<RTR1(config)#logging buffered 8192 debugging>

enable logging to console of lvl. 7 messages

<RTR1(config)#logging console informational>

enable logging to routers lines other than console of lvl. 7 messages

<RTR1(config)#logging monitor debugging>

enable logging to a syslog server (10.1.60.12) of lvl. 5 messages

<RTR1(config)#logging trap notifications>

<RTR1(config)#logging host 10.1.60.12>

generate log on every successful login attempt

<RTR1(config)#login on-success log>

generate log on every unsuccessful login attempt

<RTR1(config)#login on-failure log>

SDM SUPPORT

enable HTTP services

<RTR1(config)#ip http server>

enable HTTPS services

<RTR1(config)#ip http secure-server>

use local user database to authentication incoming HTTP connections

<RTR1(config)#ip http authentication local>

terminate the connection after 360 sec. of inactivity


leave the connection open for 360 sec. from the time its established
allow only 1 request at a time

<RTR1(config)#ip http timeout-policy idle 360 life 360 requests 1>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

18

DISABLE FEATURES AND SERVICES

GLOBALLY
o

IP Source Routing

<RTR1(config)#no ip source-route>

Finger

<RTR1(config)#no service finger>

TCP Small Servers

<RTR1(config)#no service tcp-small-servers>

UDP Small Servers

<RTR1(config)#no service udp-small-servers>

Cisco Discovery Protocol

<RTR1(config)#no cdp run>

BootP

<RTR1(config)#no ip bootp server>

TFTP Broadcast IOS

<RTR1(config)#no boot network>

TFTP Broadcast Config.

<RTR1(config)#no service config>

DNS Lookup

<RTR1(config)#no ip domain-lookup>

IDENTD Services

<RTR1(config)#no ip identd>

X.25 PAD

<RTR1(config)#no service pad>

Gratuitous ARPs

<RTR1(config)#no ip gratuitous-arps>

SNMP

<RTR1(config)#no snmp-server>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

19

ON INTERFACES
o

Proxy ARP

<RTR1(config-if)#no ip proxy-arp>

ICMP Redirects

<RTR1(config-if)#no ip redirects>

ICMP Unreachables

<RTR1(config-if)#no ip unreachables>

ICMP Mask Reply

<RTR1(config-if)#no ip mask-reply>

Maintenance Operation Protocol

<RTR1(config-if)#no mop enable>

Cisco Discovery Protocol

<RTR1(config-if)#no cdp enable>

IP Directed Broadcast

<RTR1(config-if)#no ip directed-broadcast>

ENABLE FEATURES AND SERVICES

GLOBALLY
o

TCP Keepalives IN

<RTR1(config)#service tcp-keepalives-in>

TCP Keepalives OUT

<RTR1(config)#service tcp-keepalives out>

Sequence Numbers And Timestamps On Debugs

<RTR1(config)#service timestamps debug datatime show-timezone msec>

Sequence Numbers And Timestamps On Logs

<RTR1(config)#service timestamps log datatime show-timezone msec>

TCP Synwait Time

<RTR1(config)#ip tcp synwait-time 10>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

20

AAA
AAA Local Authentication

AAA Server Authentication (TACACS+)


AAA Server Authorization (TACACS+)
AAA Server Accounting (TACACS+)

AAA LOCAL AUTHENTICATION


STEP #

ADD USERS TO THE LOCAL USER


DATABASE

COMMANDS

COMMENTS

<Router(config)#username (username) secret (password)>

<Router(config)#aaa new-model>

Disables all other forms for authentication on the router

ENABLE AAA

Local AAA Authentication is similar to login local command


with the addition of fallback mechanisms.
<Router(config)#aaa authentication login (default | name) (method1) (method2)
(method3) (method4)>

The list is sequential.

EXAMPLE:

Next method is used only when theres no response or error


from the previous method

<Router(config)#aaa authentication login default local-case enable>


<Router(config)#aaa authentication login CONSOLE line enable>

1-4 methods can be specified.

The default list is used for all authentication if no other lists


were specifically assigned.
The default list contains only one method: local
On the console line, login succeeds without any
authentication checks if default is not set.

DEFINE A LIST OF
AUTHENTICATION METHODS

METHOD
enable

line password

local

local user database

none

ASSIGN A LIST TO LINES /


INTERFACES

<Router(config-line)#login authentication (default | name)>

enable password

line

local-case

USES

local user database (case sensitive)


no password required

Different lists can be assigned to different lines / interfaces.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

21

<Router(config)#aaa local authentication attempts max-fail (1-65535)>


To view locked accounts:

* DEFINE A LIMIT FOR FAILED


AUTHENTICATION ATTEMPTS

If the threshold is exceeded the user is locked out and further


attempts are only possible if the administrator unlocks the
account first.

<Router#show aaa local user lockout>


To unlock an account:
<Router#clear aaa local user lockout (all) | username (username)>
<Router(config)#aaa authentication banner & BANNER &>

* CONFIGURE BANNERS AND


PROMPTS

<Router(config)#aaa authentication username-prompt (prompt)>

aaa authentication banner - overrides LOGIN banner


aaa authentication fail-message - text displayed upon
failed authentication

<Router(config)#aaa authentication password-prompt (prompt)>


<Router(config)#aaa authentication fail-message & MESSAGE &>

TSHOOT

show aaa user (all | username)


show aaa sessions
debug aaa authentication

EXAMPLE:
<Router(config)#username Admin secret cisco123>
<Router(config)#aaa new-model>
<Router(config)#aaa authentication login default local-case enable>
<Router(config)#line con 0>
<Router(config-line)#login authentication default> (* hardcoding a default method is not necessary)
<Router(config)#aaa local authentication attempts max-fail 2>
<Router(config)#aaa authentication banner & Authentication commences: &>
<Router(config)#aaa authentication username-prompt Username:>
<Router(config)#aaa authentication password-prompt Password:>
<Router(config)#aaa authentication fail-message & Wrong password &>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

22

AAA SERVER AUTHENTICATION (TACACS+)


STEP #

ENABLE AAA

DEFINE TACACS+ SERVER

COMMANDS

COMMENTS

<Router(config)#aaa new-model>
<Router(config)#tacacs-server host (A.A.A.A) (*single-connection) key (key)>

To assign the same key for all TACACS+ server used:

<Router(config)#tacacs-server key (key)>

DEFINE A LIST OF
AUTHENTICATION METHODS

<Router(config)#aaa authentication login ((default) | (name)) group tacacs+


(method 1) (method2) (method3) (method4)>

ASSIGN THE LIST TO LINES

<Router(config-line)#login authentication (default) | (list name)>

TSHOOT

EXAMPLE

single-connection sends all AAA traffic using a single


TCP connection
key - has to be identical to the one defined on the
TACACS+ server

debug tacacs authentication

<Router(config)#aaa new-model>
<Router(config)#tacacs-server host 10.0.0.3 single connection key cisco123>
<Router(config)#aaa authentication login default group tacacs+ local-case enable>
<Router(config)#line con 0>
<Router(config)#login authentication default>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

23

AAA SERVER AUTHORIZATION (TACACS+)


STEP #

COMMANDS

COMMENTS

<Router(config)#username (username) privilege 15 secret (password)>

When AAA authorization is not enabled, all users are allowed


full access.
After authentication is started, the default changes to allow no
access.

This means that the administrator must create a user with full
access rights before authorization is enabled.

CREATE A LEVEL 15 PRIVILEGE USER

Failure to do so immediately locks the administrator out of the


system the moment the aaa authorization command is
entered.
To recover reboot the router.

ENABLE AAA

<Router(config)#aaa new-model>

DEFINE TACACS+ SERVER

<Router(config)#tacac-server host (A.A.A.A) (*single-connection) key (key)>


<Router(config)#aaa authorization (resource type) (default | name) (method1)
(method2) (method3) (method4)>

RESOURCE TYPE
network

DEFINE A LIST OF AUTHORIZATION


METHODS

TSHOOT

DESCRIPTION
authorization for starting L2
connections

exec

verifies if a user has access to an


EXEC shell

commands level_#

verifies if a user has access to a


command at a specific privilege
level

debug aaa authorization


debug tacacs authorization

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

24

EXAMPLE

<Router(config)#username Admin privilege 15 secret cisco123>


<Router(config)#aaa new-model>
<Router(config)#tacacs-server host 10.0.0.3 single-connection key cisco123>
<Router(config)#aaa authorization exec default group tacacs+ local>
<Router(config)#aaa authorization commands 15 default group tacacs+ local>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

25

AAA SERVER ACCOUNTING (TACACS+)


STEP #

COMMAND

COMMENTS

ENABLE AAA

<Router(config)#aaa new-model>

DEFINE TACACS+ SERVER

<Router(config)#tacac-server host (A.A.A.A) (*single-connection) key (key)>


<Router(config)#aaa accounting (usage type) (default | name) (trigger)
(*broadcast) group tacacs+)>
Example:

DEFINE A LIST OF ACCOUNTING


METHODS

broadcast sends record to multiple server; by default it


is sent only to the first available server

USAGE TYPES:

<Router(config)#aaa accounting exec default start-stop group tacacs+>


<Router(config)#aaa accounting system default start-stop group tacacs+>

TYPE

DESCRIPTION

network

records requests for L2 DDL connections

exec

records any requests for access to an


EXEC shell

command lvl

records all commands executed at the


specific EXEC level

system

records system events not associated


with the user e.g. interface status
change

TRIGGERS:
TYPE

DESCRIPTION

start-stop

accounting recording starts at the


beginning of the users action and
stops at the end of users action

stop-only

accounting is generated only at the end


of users action

none

disable accounting for a line

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

26

TSHOOT

debug aaa accounting


debug tacacs accounting

EXAMPLE
<Router(config)#aaa new-model>
<Router(config)#tacacs-server host 10.0.0.3 single-connection key cisco123>
<Router(config)#aaa accounting exec default start-stop group tacacs+>
<Router(config)#aaa accouting command 15 default stop-only group tacacs+>
<Router(config)#aaa accouting system default stop-only group tacacs+>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

27

ACLs
Standard ACLs

Extended ACLs
Misc ACL Features
o
o
o
o
o
o
o
o

Sequencing
Wildcards
Port Operators
TCP Established
Reflexive ACLs
Dynamic ACLs
Time Based ACLs
Turbo ACLsMisc ACL Features

ACLs Verification and Tshooting

STANDARD ACLs

RANGE

1 - 99
1300 - 1999

FILTER BASED ON

SOURCE ADDRESS

POSITION

AS CLOSE TO DESTINATION AS POSSIBLE

WORK AT

L3 NETWORK LAYER

CONFIGRAUTION: STANDARD MODE


ELEMENT

REMARK

SYNTAX

COMMENTS

<R1(config)#access-list (1-99 | 1300-1999) remark (remark up to 100 characters)>

Remarks are saved in routers NVRAM.

<R1(config)#access-list (1-99 | 1300-1999) (permit | deny) (source A.A.A.A W.W.W.W) (*log)>

log generates a log entry every time a packet


matches the ACLs statement

Log messages are generated on the first match and


then at 5 min. intervals

RULES

Should only be used when the network is under attack


(very resources consuming)

ACTIVATION

<R1(config-if)#ip access-group (1-99 | 1300-1999) (in | out)>


<R1(config-line)#access-class (1-99 | 1300-1999) (in | out)>

EXAMPLE

deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)


allow all other traffic

<Perth(config)#access-list 10 remark Deny traffic from Sydney (192.168.0.1)>


<Perth(config)#access-list 10 deny 192.168.0.1 0.0.0.0>
<Perth(config)#access-list 10 permit 0.0.0.0 255.255.255.255>
<Perth(config-if)#ip access-group 10 in>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

28

CONFIGURATION: SUB-CONFIGURATION MODE


ELEMENT

SYNTAX

COMMENTS

CREATE ACL

<R1(config)#ip access-list standard (1-99 | 1300-1999 | name)>

REMARK

<R1(config-std-acl)#(*sequence number 1-2147483647) (remark up to 100 characters)>

RULES

<R1(config-std-acl)#(*sequence number 1-2147483647) (permit | deny) (source A.A.A.A W.W.W.W


(*log)>
<R1(config-if)#ip access-group (1-99 | 1300-1999 | name) (in | out)>

ACTIVATION

<R1(config-line)#access-class (1-99 | 1300-1999 | name) (in | out)>

The router doesnt evaluate traffic against outbound


set ACL if the traffic is originated by the router itself
e.g. routing protocol updates

EXAMPLE

deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)


allow all other traffic

<Perth(config)#ip access-list standard DENY_SYD>


<Perth(config-std-acl)#remark Denies Sydney (192.168.0.1) from reaching Perth (192.168.0.2)
<Perth(config-std-acl)#10 deny 192.168.0.1 0.0.0.0>
<Perth(config-std-acl)#20 permit 0.0.0.0 255.255.255.255>
<Perth(config)#interface fa0/0>
<Perth(config-if)#ip access-group DENY_SYD in>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

29

EXTENDED ACLs

RANGE

100 - 199
2000 - 2699
DESTINATION ADDRESS
SOURCE ADDRESS
IP PROTOCOL (NAME / NUMBER)
PROTOCOL INFORMATION
o ICMP: message type
o TCP /UDP: source and/or destination port names and numbers
o TCP: flags

FILTER BASED ON

POSITION

AS CLOSE TO SOURCE AS POSSIBLE

WORK AT

L3 NETWORK LAYER
L4 TRANSPORT LAYER

CONFIGRAUTION: STANDARD MODE


ELEMENT

SYNTAX

COMMENTS

REMARK

<R1(config)#access-list (100-199 | 2000-2999) remark (remark up to 100 characters)>

RULES

<R1(config)#access-list (100-199 | 2000-2699) (permit | deny) (protocol name | 0-255)


(source A.A.A.A W.W.W.W) (destination A.A.A.A W.W.W.W) (*log)>

ACTIVATION

<R1(config-if)#ip access-group (100-199 | 2000-2699) (in | out)>


<R1(config-line)#access-class (100-199 | 2000-2699) (in | out)>

EXAMPLE

allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)

<Perth(config)#access-list 100 remark Allows IPSec traffic originated by Sydney>


<Perth(config)#access-list 100 permit ahp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config)#access-list 100 permit esp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config)#access-list 100 permit udp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config-if)#ip access-group 100 in>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

30

CONFIGURATION: SUB-CONFIGURATION MODE


ELEMENT

SYNTAX

COMMENTS

CREATE ACL

<R1(config)# ip access-list extended (100-199 | 2000-2999 | name)>

REMARK

<R1(config-ext-nacl)#(*sequence number 1-2147483647) remark (remark up to 100 characters)>

RULES

<R1(config-ext-nacl)#(*sequence number 1-2147483647) (permit | deny) (protocol name | 0-255) (source


A.A.A.A W.W.W.W) (destination A.A.A.A W.W.W.W) (*log)>

ACTIVATION

<R1(config-if)#ip access-group (100-199 | 2000-2699) (in | out)>


<R1(config-line)#access-class (100-199 | 2000-2699) (in | out)>

EXAMPLE

allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)

<Perth(config)#ip access-list extended IPSEC_TRAFFIC>


<Perth(config-ext-nacl)#remark Allow IPSec traffic originated by Sydney>
<Perth(config-ext-nacl)#10 permit ahp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config-ext-nacl)#20 permit esp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config-ext-nacl)#30 permit udp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config)#interface fa0/0>
<Perth(config-if)#ip access-group 100 in>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

31

MISC ACL FEATURES

ACLs are processed:


o top-down, from the first to the last statement
o until a packet matches a statement or the packet matches none of the statements
o once a match is found, no more statements are processed

the more restrictive statements should be at the top of the list and the less restrictive ones at the bottom
by default, statements are added to the end of the list (can be overridden by using the sequence numbers)
there is an invisible deny 0.0.0.0 255.255.255.255 statement at the end of the list that drops all traffic not explicitly permitted
one ACL per protocol, per interface and per direction is allowed
an empty ACL permits all traffic
an ACL needs to have at least one statement permitting traffic for the invisible deny any to take effect
explicit deny ip any any statement should be put at the end of the ACL to be able to view hit counts for denied traffic

SEQUENCING
SYNTAX

COMMENTS

<R1(config-std/ext-nacl)#(sequence number 1-2147483647) (ACL rules)>

Sequencing works only in sub-configuration mode (for


both standard and extended ACLs).

To resequence:

Each entry is given a unique sequence number.

<R1(config)#ip access-list resequence (name | #) (starting number 1-2147483647) (increment 1-2147483647)>

By default starts at 10 and increments by 10.


Not stored in NVRAM; the IOS adds them when router
loads the startup config. into RAM.
If no sequence number is specified the number will be
the next increment (starting with 10).

WILDCARDS
SYNTAX

host A.A.A.A = A.A.A.A 0.0.0.0

access-list 100 permit ip 192.168.0.1 0.0.0.0 192.168.0.11 0.0.0.0

COMMENTS

access-list 100 permit ip host 192.168.0.1 host 192.168.0.11

any = 0.0.0.0 255.255.255.255

0 = match exactly
1 = ignore

If wildcard is omitted it defaults to 0.0.0.0 (only true


for standard ACLs)

access-list 10 permit 0.0.0.0 255.255.255.255 access-list 10 permit any


ip access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ip access-list 100 permit ip any any
BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

32

PORT OPERATORS
SYNTAX

COMMENTS

<Router(config)#access-list (name | #) (permit | deny) (tcp | udp) (source) (*operator) (protocol name | 0-255)
(destination) (*operator) (protocol name | 0-255)>
Example:

eq

allow only HTTP traffic from R1 (10.0.0.1) to the R2 server (10.0.0.2)

<R2(config)#access-list 100 permit tcp host 10.0.0.1 host 10.0.0.2 eq 80>

OPERATOR

deny all incoming traffic on ports 10-25

<R2(config)#access-list 144 deny any range 10-25 any>

range

MATCHES
match only packets on a given port
match only packets in the range of ports

gt

match only packets with a greater port number

lt

match only packets with a lower port number

neq

match only packets not on a given port number

TCP ESTABLISHED PARAMETER


SYNTAX

COMMENTS

<Router(config)#access-list (100-199 | 2000-2699 | name) tcp (source) (destination) established>

Works only with extended ACLs.

Example:

Allows / denies traffic coming from the outside that was initiated
from the inside.

allow any HTTPS traffic to host SYDNEY (10.0.0.3) as long as it was originated by SYDNEY.

<Sydney(config)#access-list 100 permit tcp any host 10.0.0.3 eq 443 established>


<Sydney(config)#interface s1/0>
<Sydney(config)#ip access-group 100 in>

Does not maintain stateful information.


Checks TCP segments for the following flags (ACK or RST) and
permits the packets if these bits are have the flags set on.
Available only for TCP; UDP and ICMP can only be permitted or
denied.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

33

REFLEXIVE ACLs

allow to perform session filtering for any type of IP traffic


remembers outgoing traffic by dynamically building ACL entries and permits returning traffic
allow the local device to initiate traffic to the remote devices and get response (but denies traffic initiated by remote devices)
SYNTAX

COMMENTS

CREATE AN OUTBOUND ACL

<R1(config)#ip access-list extended (name)>


<R1(config-ext-nacl)#permit (protocol name | 0-255) (source) (destination) reflect (reflexive ACL name) (*timeout (1-2147483))>

reflect creates reflexive access list entry in the


reflexive ACL (name) with the source and
destination addresses swapped
timeout maximum time for the ACL to live
(default = 300 sec.)
reflexive ACLs are allowed on named ACLs only

evaluate nests ACL within ACL

CREATE AN INBOUND ACL

<R1(config)#ip access-list extended (name)>


<R1(config-ext-nacl)#evaluate (reflexive ACL name)>

ASSIGN THE ACL TO AN INTERFACE

<R1(config)#interface (interface)>
<R1(config-if)#ip access-group (outbound ACL name) out>
<R1(config-if)#ip access-group (inbound ACL name) in>
EXAMPLE

allow only TELNET and ICMP traffic into the local network as long as it was originated by HOME (98.174.249.99)
deny all traffic originated from the remote network
the ACLs need to be configured on the border router CLOUD on the outside interface s1/1

<Cloud(config)#ip access-list extended OUTBOUND>


<Cloud(config)#permit tcp host 98.174.249.99 host 67.40.69.33 eq telnet reflect REFLEXIVE_ACL>
<Cloud(config)#permit icmp host 98.174.249.99 host 67.40.69.33 reflect REFLEXIVE_ACL>
<Cloud(config-ext-nacl)#exit>
<Cloud(config)#ip access-list extended INBOUND>
<Cloud(config-ext-nacl)#evaluate REFLEXIVE_ACL>
<Cloud(config-ext-nacl)#exit>
<Cloud(config)#interface s1/1>
<Cloud(config-if)#ip access-group OUTBOUND out>
<Cloud(config-if)#ip access-group INBOUND in>
BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

34

DYNAMIC ACLs (LOCK AND KEY)

opens a temporary door in the firewall and grants access to specified resources provided the user is authenticated using Telnet / SSH
the access request is put on hold until the user is authenticated using a Telnet / SSH connection
once authentication is complete the remote connection is dropped and a single-entry dynamic ACL is added to the existing extended ACL
the traffic is permitted for specified period (idle and absolute timeouts)
only one policy can be configured for all dynamic ACL users and this single policy is applied to all the authenticated users
SYNTAX

COMMENTS
Supported methods of authentication:

CREATE LOCAL USER DATABASE ENTRY

<R1(config)#username (name) secret (password)>

The first statement has to allow remote access


connections (Telnet or SSH)

CREATE A DYNAMIC ACCESS LIST

<R1(config)#access-list (100-199 | 2000-2699) permit tcp (source) (destination) eq telnet>


<R1(config)#access-list (100-199 | 2000-2699) dynamic (name) (*timeout (1 9999)) (permit | deny) (port 0-255 | name)
(source) (destination)>

local user database


AAA server
line password

dynamic - defines what resources are available /


prohibited once the authentication is successful
only one dynamic statement per an ACL is allowed
timeout (absolute timer) specifies the time
window during which the DYNAMIC ACL rules are in
effect (in minutes)

ASSIGN THE ACL TO AN INTERFACE

<R1(config-if)#ip access-group 101 in>

CONFIGURE THE VTY LINES

<R1(config-line)#login local>
<R1(config-line)#autocommand access-enable (*host) (*idle (1-9999))>

autocommand - executes the command that follows


after successful authentication
access-enable creates a temporary ACL entry
host replaces the ACL entry any with the users IP
address (dependent on ACL direction)
idle idle timeout (overridden by the absolute
timer configured in the DYNAMIC ACL)

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

35

EXAMPLE

allow remote host JEREMY (172.30.2.11/24) to access 192.168.1.0/24 network upon successful authentication with REMOTE router (67.40.69.33/24)

<REMOTE(config)#access-list 101 permit tcp host 172.30.2.11 host 67.40.69.33 eq telnet>


<REMOTE(config)#access-list 101 dynamic DYN_ACL timeout 10 permit ip host 172.30.2.11 192.168.1.0 0.0.0.255>
<REMOTE(config)#interface s1/1>
<REMOTE(config-if)#ip access-group DYN_ACL in>
<REMOTE(config-if)#exit>
<REMOTE(config)#line vty 0 4>
<REMOTE(config)#autocommand access-enable>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

36

TIME BASED ACLs

CREATE TIME RANGE

<R1(config)#time-range (range name)>


<R1(config-time-range)#absolute start (hh:mm) (1-31) (month) (1993-2030) end (hh:mm) (1-31) (month) (1993-2030)>
<R1(config-time-range)#periodic (Monday Sunday | weekend | weekdays | daily) (hh:mm) to (hh:mm)>

absolute single time period for which the time


range is valid; if start time is omitted it defaults to
current time on the router; if end time is omitted it
defaults to 23:59 31 December 2035
periodic recurring time period for which the time
range is valid; if the day of week parameter is
omitted, it defaults to the day of week configured
for the beginning time

APPLY TIME RANGE TO AN ACL

<R1(config)#access-list 101 (permit | deny) (0-255 | name) (source) (destination) time-range (range name)>

APPLY ACL TO AN INTERFACE

<R1(config-if)#ip access-group 101 in>


EXAMPLE

allow web surfing only on the weekdays between 17:00 6:00

<R1(config)#time-range WWW_ACCESS>
<R1(config-time-range)#periodic weekdays 05:59 to 16:59>
<R1(config)#access-list 101 deny tcp any any eq 80>
<R1(config)#interface s1/0>
<R1(config-if)#ip access-list 101 out>
TURBO ACLs
SYNTAX
<Router(config)#access-list compiled>
To verify:
<Router#show access-list compiled>

COMMENTS
Reduces the ACL lookup time by compiling ACLs into a hash
table.
The lookup time is the same no matter which ACL command is
being looked up
Can only be used on an ACL that has more than three entries!

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

37

ACL VERIFICATION AND TSHOOTING

show access-list
show ip access-list (1-1999 | 1300-2799 | name | dynamic | (interface (interface))
show running-config
show ip interface (interface)
debug ip packet (1-99 | 1300-2699) (*detail)
COMMAND

VERIFIES
ACL type
ACL number / name
ACL sequence number
ACL rules
ACL matches
does not display remarks

show access-list (1-2799 | name | compiled)

show ip access-list (1-1999 | 1300-2799 | name | dynamic | (interface (interface))

same as above but only for ACLs created for IP protocol

show running-config

ACL remarks
ACL rules
ACL and direction bound to an interface

*the order of rules for a given ACL matches the order the rules where entered (even if ACLs
were re-sequenced)

show ip interfaces (*interface)

ACL and direction bound to the interface

debug ip packet (1-99 | 1300-2699) (*detail)

captures the packets that are process-switched


received, generated and forwarded
detail packet types and codes, source and destination port numbers

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

38

CLI BASED
FIREWALLS
CBAC

Zone Based Firewall

CBAC (Context Based Access Control)

Cisco IOS based firewall that filters TCP and UDP packets based on their L7 Application Layer information
generates real time audits and trails
creates and maintains session table to build dynamic ACL entries

CBAC CONFIGURATIONS
STEP #

COMMANDS

COMMENTS

On what interfaces does the external traffic arrive?

What outbound interfaces are used to reach external networks?

IDENTIFY INTERFACE ROLES

Example:

FILTER INGRESS TRAFFIC


USING ACLs

DEFINE INSPECTION RULES

INTERNAL interface on which sessions can be


initiated
EXTERNAL sessions initiated from external
interfaces will be blocked
the ACL for the return traffic must be an
extended ACL

Allow protocols that are necessary for the network to


be operational e.g. routing protocols.

<Router(config)#ip access-list 101 permit udp any any eq rip>


<Router(config)#ip access-lsit 101 deny ip any any>
<Router(config)#interface s1/1>
<Router(config)#ip access-group 101 in>

Deny all external traffic that tries to access internal


network.

<Router(config)#ip inspect name (rule name) (protocol name) (*alert (on | off)) (*routertraffic) (*audit-trail (on | off)) (*timeout 5-43200)>

Example:

<Router(config)#ip inspect name CBAC_RULES tcp router-traffic audit-trail on>


<Router(config)#ip inspect name CBAC_RULES udp>
<Router(config)#ip inspect name CBAC_RULES icmp>

alert on | off displays messages on the console


line concerning CBAC operation e.g. DoS attacks
(to globally disable alerts: no ip inspect alert-off)
audit-trail on | off keeps track of the
connection inspected by CBAC (including valid
and invalid access attempts) e.g. displays
messages when CBAC adds / removes an entry
from the state table. By default outputs to the
console line but logging to a syslog server is
possible if enabled.
router-traffic inspects traffic generated by the
router itself
timeout - overrides the global TCP and UDP
timeouts but does not override the global
Domain Name Service (DNS) timeout

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

39

<Router(config)#interface s1/1>

<Router(config-if)#ip inspect (rule name) in | out>

ASSIGN INSPECTION RULES


TO AN INTERFACE

It also resets all timeout and threshold values to their


factory defaults. After CBAC is removed, all inspection
processes are no longer available, and the router uses
only the current ACL implementations for filtering.
<Router(config)#ip inspect tcp synwait-time (1-2147483)>
<Router(config)#ip inspect tcp finwait-time (1-2147483)>
<Router(config)#ip inspect tcp idle-time (1-2147483)>
<Router(config)#ip inspect udp idle-time (1-2147483)>

<Router(config)#ip inspect max-incomplete high (1-2147483647)>


<Router(config)#ip inspect max-incomplete low (1-214748364)7>

<Router(config)#ip inspect one-minute high (1-2147483647)>


<Router(config)#ip inspect one-minute low (1-2147483647)>

<Router(config)#ip inspect tcp max-incomplete host (1-4294967295) block-time (0-35791)>

in - on an INTERNAL interface
out - on an EXTERNAL interface
no ip inspect - removes all CBAC commands, the
state table, and all temporary ACL entries
created by CBAC.

*TIMERS + THRESHOLDS

tcp synwait-time length of time CBAC waits for


a new TCP session to reach established state
(default = 30 sec.)
tcp finwait-time length of time CBAC continues
to manage a TCP session after receiving a FIN
flag (default = 5 sec.)
tcp idle-time length of time CBAC continues to
manage a TCP session with no activity
(default = 3600 sec.)
udp idle-time length of time CBAC continues to
manage an UDP session with no activity
(default = 30 sec.)
max-incomplete high once the threshold for
incomplete connections has been reached, CBAC
will actively begin to delete them (default = 500
sessions)
max-incomplete low if the threshold for
incomplete session have been breached, they
will be deleted until this value is reached
(default = 400 sessions)
one-minute high / low as above but over the
course of one minute
max-incomplete host threshold for incomplete
TCP connections from a single host (default = 50
connections), and how long should connection
attempts be rejected if the threshold is reached
(default = 0)

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

40

EXAMPLE

the border Router, Cloud, has two active interfaces: s1/0 (INSIDE) and s1/1 (OUTSIDE)
the OUTSIDE traffic cannot initiate connection to the devices on the INSIDE and is dropped at the border router
RIP updates are excepted; their exchange is crucial for the network operation
device on the INSIDE can initiate connection to the OUTSIDE devices and the return traffic is permitted through the border router
allowed protocols: HTTP, ICMP, TELNET

<Router(conf)#ip access-list extended 100>


<Router(conf-ext-nacl)#permit udp any any eq rip>
<Router(conf-ext-nacl)#deny ip any any>
<Router(conf-ext-nacl)#exit>
<Router(conf)#interface s1/1>
<Router(config-if)#ip access-group 100 in>
<Router(config-if)#exit>
<Router(config)#ip inspect name IN-OUT-IN http>
<Router(config)#ip inspect name IN-OUT-IN icmp>
<Router(config)#ip inspect name IN-OUT-IN telnet>
<Router(config)#interface s1/1>
<Router(config)#ip inspect IN-OUT-IN out>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

41

CBAC VERIFICATION AND TSHOOTING

show ip inspect (parameter)


debug ip inspect detailed
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect function-trace
debug ip inspect events
debug ip inspect protocol (protocol)
COMMAND

VERIFIES

PAREMTER
all
config

show ip inspect (parameter)

interfaces
name
sessions
session details

DESCRIPTION
all available information
CBAC configuration
rules activated on interfaces
rules details
summary of inspections in the CBAC table
detailed information on inspection in the CBAC table

debug ip inspect detailed

debugs information about all CBAC processes on the router

debug ip inspect timers

debugs information related to CBAC timers e.g. idle timers expiration

debug ip inspect object-creation

debugs information about added entry to the CBAC table

debug ip inspect object-deletion

debugs information about removed entry from the CBAC table

debug ip inspect function-trace

debugs information about the software function that CBAC calls

debug ip inspect events

debugs CBAC events, including processing of packets

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

42

debug ip inspect protocol (protocol)

debugs protocol related events

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

43

ZONE BASED FIREWALL


ZBF CONFIGURATION
STEP #

COMMANDS

COMMENTS

<Router(config)#zone security (zone name up to 256 characters)>

The zone cannot be named self or null.

<Router(config-sec-zone)#description (description)>

Traffic flowing to and from the routers interfaces is excluded


from zone policies.
Traffic between a zone and self zone is permitted by default (the
self zone is the only exception to the default deny all policy).

CREATE ZONES

A policy can be defined using the self zone either as the source or
destination.
The self zone does not require any interfaces to be configured as
members all the IP interfaces on the router are automatically
assigned to the self zone.
<Router(config)#interface (interface)>
<Router(config-if)#zone-member security (zone name)>

Once an interface is a member of a zone all traffic to and from


that interface (except traffic going to the router or initiated by
the router) is dropped by default.
An interface can only belong to a single zone.
Traffic cannot flow between an interface with an zone
assignment and an interface without a zone assignment.

ASSIGN INTERFACES
TO THE ZONES

Traffic between interfaces in the same zone is never filtered.


Interfaces should be grouped together based on their security
requirements.
A zone must be created before interfaces can be assigned to it.
If there is no need for the interface to be a member of a zone it
may be necessary to put that interface into a zone and configure
a pass-all policy (dummy policy) between that zone and any
other zone to which traffic flow is desired.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

44

L3/4 TYPE

<Router(config)#class-map type inspect (match-any | match-all) (class map name)>

The order is significant since the statements are processed topdown for a match.

<Router(config-cmap)#match protocol (protocol name)>


<Router(config-cmap)#match access-group (ACL_# | name (ACL name))>
<Router(config-cmap)#match class-map (class map name)>

CREATE CLASS MAPS

Only stateful protocols supported by the router can be


inspected.

Example:

L3/4 maps classify traffic based on information in the L3/4


headers.

<Router(config)#class-map type inspect match-any MYMAP>


<Router(config-cmap)#match protocol http>
<Router(config-cmap)#match protocol tcp>

L3/4 TYPE

<Router(config)#policy-map type inspect (policy map name)>

*<Router(config-pmap)#description (description of the policy map; up to 200 characters)

CREATE POLICY MAPS

*<Router(config-pmap)#rename (new policy map name)>

*<Router(config-pmap)#class class-default>

<Router(config-pmap)#class type inspect (class map name)>


<Router(config-pmap-c)#((pass | drop) (*log)) (inspect (*parameter map name)>
*<Router(config-pmap-c)#police rate (8000-2000000000) burst (1000-512000000)>

type inspect only maps defined with this parameter can


be used with ZBF
match-any a match on any of the conditions in the class
map satisfies the requirements
match all specifies that traffic needs to match all entries
in the class map to be considered a match.
match protocol specifies a particular protocol (only
stateful are allowed)
match access-group traffic matching permit statements
in a given ACL will be included in the class map (statements
matching an ACL deny rule are excluded).
match class-map includes (embeds) another class map
which allows for nesting.
type inspect only maps defined with this parameter can
be used with ZBF
inspect enables stateful packet inspection of the traffic in
the class map (parameter map optional)
pass packets are allowed to through but no stateful
inspection is applied
drop packets are dropped
police rate specifies an average traffic rate in bits /
seconds and an allowed burst size in number of bytes
log creates a log msg. for matching traffic
class class-default class map that covers all packets that
do not match any of the other class maps in the configured
policy map

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

45

<Router(config)#zone-pair security (zone pair name) source (zone name | self)


destination (zone name | self)>

PAIR ZONES

APPLY POLICY MAP


TO ZONE PAIRS

<*Router(config-sec-zone-pair)#description (zone pair description)>

Interfaces that belong to the same zone cannot be paired!

zone-pair security pairs together two zones in a specify


direction; if a policy needs to be applied in the reverse
direction a new pair has to be created with reversed source
/ destination values
interfaces belonging to the same zone cannot be paired

service-policy associates a policy to a zone pair

<Router(config-sec-zone-pair)#service-policy type inspect (policy map name)>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

46

ZBF VERIFICAITON AND TSHOOTING

show zone security (*zone_name)


show zone-pair security (*source (source zone)) destination (destination zone))
show class-map type inspect (*class-map_name)
show policy-map type inspect (*policy-map_name)
show policy-map type inspect zone-pair sessions
(config)#ip inspect log drop-pkt
debug zone security events
COMMAND

VERIFIES

show zone security (*zone_name)

zones configured
interfaces associated with zones

show zone-pair security (*source (source zone)) destination (destination zone))

source and destination zones


policy associated with zone pairs

show class-map type inspect (*class-map_name)

class maps configured on the router

show policy-map type inspect (*policy-map_name)

policy maps configured on the router

show policy-map type inspect zone-pair sessions

ZBF state table (number of established sessions)


zone-pair and associated policy-map
policy-map and associated class-map
class-map and hits statistics
action to be taken with regards to packets that fall under class-map
default class-map characteristics

(config)#ip inspect log drop-pkt

packets dropped by the firewall

debug zone security events

debugs events associated with ZBF

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

47

ZBF LOGIC

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

48

YES

DOES THE POLICY INCLUDE


A CLASS MAP?

NO

DROP

YES

DOES THE TRAFFIC


MATCHES THE CLASS-MAP
ASSOCIATED WITH POLICYMAP?

NO

HAS THE DEFAULT POLICY


BEEN MODIFIED?

YES

YES

APPLY POLICY-MAP:

APPLY DEFAULT POLICY

NO

DROP

POLICY STATEMENTS:
DROP
PASS
INSPECT

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

49

IDS & IPS


IDS vs IPS

IPS Implementations
IPS Signatures
IPS Management and Monitoring
ISP Configurations
IPS Verification and Tshooting

IDS vs IPS
IDS (Intrusion Detection System)

implemented to passively monitor network traffic


an IDS-enabled device (e.g. Switch) copies all traffic passing through on the port to which IDS is connected
the IDS appliance analyses traffic in an off-line manner by comparing it to a known malicious signatures
if a match is found the IDS sends a command to a device to deny access / block traffic

PROS

off-line implementation (promiscuous mode) ensures no impact on network performance


does not introduce latency, jitter or other traffic flow issues

CONS

IDS cannot stop malicious traffic from single-packet attacks from reaching the target system
IDS requires assistance from other networking devices (e.g. routers, firewalls) to respond to attack
less helpful in stopping email viruses and automated attacks e.g. worms
more vulnerable to network evasion techniques
a well thought-out security policy is essential to successfully deploy an IDS

IPS (Intrusion Prevention System)

implemented in inline mode all ingress and egress traffic must flow through it for processing
no traffic is allowed into the trusted network without first being analyzed
IPS can drop the trigger packet, the packets in connection or packets from a source IP address
PROS

CONS

if the traffic matches a signature the IDS can stop the attack immediately
IDS can use traffic normalization techniques to reduce or eliminate many of the network evasion capabilities

can negatively affect the packet flow of the forwarded traffic


must be appropriately sized and implemented so that time-sensitive applications e.g. VoIP are not negatively
affected
errors, failures and overrunning the IPS sensor with too much traffic
can introduce jitter and latency

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

50

IPS IMPLEMENTATIONS
HOST BASED IPS IMPLEMENTATION

COMMENTS

installed on individual computers using HIPS (Host Intrusion Prevention System) e.g. CSA
HIPS audits host log files, file systems and resources
protect systems using policies that network administrators configure and deploy on agents
the agents check whether an action is allowed or denied before any system resources are accessed and acted upon
can stop attacks by reacting in real time without any updates

PROS

can monitor OS processes and protect critical system resources including files that may exist only on that specific host
has access to traffic in unencrypted form
with HIPS the success or failure of an attack can be readily determined

does not provide a complete network pictures and has difficulty coordinating the events happening across the entire
network
has to support multiple OS

CONS

CSA contains two components:

NETWORK BASED IPS IMPLEMENTATION

COMMENTS

analyze network-wide activity looking for malicious activity


sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring
(regardless of the location)

PROS

CONS

additional hosts can be deployed without requiring more sensors


can easily see attacks that are occurring across the entire network
does not need to support every type of OS

does not know whether an attack was successful


cannot examine encrypted traffic

Management Center (installed on a


central server)
Security Agents (installed on hosts)

Sensors can be deployed as:

a module on a device
a dedicated appliance
a networking device with IPS
capabilities (e.g. router)

Additional sensors are only required when


their rated traffic capacities are exceeded
or their performance does not meet
current needs.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

51

IPS SIGNATURES

malicious traffic displays distinct characteristics (signatures)


a set of rules that and IDS and IPS use to detect typical intrusive activity

ATOMIC SIGNATURES

COMMENTS

consists of a single packet, activity or event that is examined to determine if it matches a configured signature
because they can be matched on a single event there is no need to maintain state information by the IPS
the entire inspection can be accomplished in an atomic operation that does not require knowledge of past / future activities
detecting atomic signatures require minimal resources (e.g. RAM) on the IPS /IDS device
easy to identify and understand because they are compared against a specific event or packet
an IDS is vulnerable to an atomic packet attacks because until it finds the attack malicious single packets are allowed into the network
an IPS prevents atomic packet attacks from entering the network

COMPOSITE (STATEFUL) SIGNATURES

COMMENTS

the signature identifies a sequence of operations distributed across multiple hosts over a period of time
stateful properties of a composite signature usually require several pieces of data to match an attack signature

IPS SIGNATURE CHARACTERISTICS

ATOMIC

SERVICE

event horizon - the length of time


that the signature must maintain
state (can be adjusted)
EXAMPLE

signatures that examine simple packets

ATOMIC.IP
ATOMIC.ICMP
ATOMIC.IPOPTIONS
ATOMIC.UDP
ATOMIC.TCP

signatures that examine service that are attacked

SERVICE.DNS
SERVICE.HTTP
SERVICE.FTP

signatures that use regular expression-based patterns to detect intrusions

STRING.TCP
STRING.UDP
STRING.ICMP

STRING

MULTI-STRING

supports flexible pattern matching and Trend Labs signatures

MULTI-STRING

OTHER

internal engine that handles misc. signatures

NORMALIZER

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

52

IPS SIGNATURES ALARMS

PATTERN BASED

COMMENTS

simplest triggering mechanism


searches for a specific, pre-defined pattern
network traffic is compared to a database of known attacks and triggers alarm if a match is found
can be detected in a single packet (atomic) or in a sequence of packets (composite)
this technique helps to lessen the amount of inspection done on every packet
makes it more difficult for systems to deal with protocols and attacks that do not utilize well-defined ports

also known as profile-based detection


triggers alarms upon detecting traffic that deviates from normal profile (requires base-lining first)
can detect new and unpublished attacks
alarms can be misleading because not every traffic deviating from normal means a malicious activity
the administrator must guarantee that network is free of attack during base-lining
might be difficult to correlate an alert back to a specific attack (because it only indicates that non-normal traffic
was detected)

ANOMALY

POLICY

the administrator defines behaviors that are suspicious based on historical analysis
enables a single signature to cover an entire class of activities without having to specify each individual situation

HONEYPOT

uses a dummy server to attract attacks

IPS SIGNATURES ALARM TYPES

COMMENTS

FALSE POSITIVE

alarm generated in response to normal traffic

FALSE NEGATIVE

alarm not generated in response to malicious traffic

TRUE POSITIVE

alarm generated in response to malicious traffic

TRUE NEGATIVE

alarm generated in response to normal traffic

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

53

IPS SIGNATURE ACTIONS

COMMENTS

ATOMIC ALERTS

- generated every time a signature is detected


- can be exploited by sending numerous bogus alerts against an IPS or applications

GENERATE AN ALERT

SUMMARY ALERTS

- a single alert that indicates multiple occurrences of the same signature from the same source
- limit the number of alerts generated and make it difficult for an attacker to consume resources on the sensor
- can be configured to summarize atomic alerts as well

LOG THE ACTIVITY

DROP / PREVENT THE


ACTIVITY

RESET TCP
CONNECTION

by logging the alerts the administrator can perform analysis later and identify exactly what is taking place
and make a decision as to whether it should be allowed or denied in the future

enables the device to stop an attack before it has the chance to perform malicious activity
the analysis engine determines which packets should be forwarded and which should be dropped
the drop action can be expanded to drop all packets for a specific session or all packets from a specific host
for a specific amount of time

used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set
an IPS can use the TCP reset action to abruptly end a TCP connection that is performing unwanted
operation
can be used with conjunction with deny packet / connection actions
future traffic can be blocked by the IPS device update the ACL on one of the infrastructure devices
the ACL expires after defined amount of time
can be used with conjunction with other actions such as dropping unwanted traffic
the IPS can block traffic at multiple locations throughout the network
allows to configure exceptions

BLOCK FUTURE
ACTIVITY

ALLOW THE ACTIVITY

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

54

IPS MANAGEMENT AND MONITORING

MANAGEMENT
METHOD

LOCAL

sensors can be managed individually or centrally


in larger networks a centralized management system that allows to configure and manage all IPS devices
from a single device

correlating attacks and other events that are happening simultaneously at different points across the
network
NTP should be used to ensure that all alerts are accurately time-stamped
a correlation tool can correlate the alerts based on the timestamps
a centralized monitoring facility allows for accurate even correlation

SECURITY STAFF

INCIDENT RESPONSE
PLAN

MANAGING
SIGNATURES

large enterprises require the appropriate security staff to analyze numerous alerts and to tune and
optimize IPS sensors

a response plan needs to be designed to restore the state of the system to the state before the attack

upgrading sensors will mean network downtime


automatic update rather than manual if the number of sensors is high
signature packs should be placed on a dedicated FTP server within the management network
the FTP server should be allowed only read-only access
a custom signature can be created if an update is not available
the FTP server should be queried periodically and an update time windows should be set

IEV
CSM
MARS

SDEE (Secure Device Event Exchange):

EVEN CORRELATION

CISCO MARS allows for correlate not only


IPS events but other events on the
network e.g. syslog messages and
NetFlow input.

SDM
IDM

CENTRAL

an alternative to syslog
format was developed to improve
communication of events generated
by security devices
primarily communicates IDS events
but the protocols is intended to be
extensible and allows additional
event types to be included as they
are defined
Cisco SDM can monitor syslog and
SDEE-generated events

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

55

IPS CONFIGURATIONS
CONFIGURATION VIA CISCO CLI
STEP #

COMMANDS

COMMENTS

Required files:

In Cisco IOS software T-Train releases prior to


12.4(11)T, and in all Cisco IOS Software 12.4
Mainline releases, IPS signature selection involves
loading an XML file onto the router.

IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt

XML - called the signature definition file (SDF),


contains a detailed description of each selected
signature in Cisco IPS Sensor software 4.x signature
format.

DOWNLOAD IOS IPS FILES

Starting with Cisco IOS release 12.4(11)T, there are


no built-in (hard-coded) signatures within the Cisco
IOS software. Instead all signatures are stored in a
separate signature file and must be imported. IOS
releases 12.4(11)T and later use the newer 5.x
format signature files, which can be can be
downloaded from Cisco.com

CREATE AN IPS CONFIGURATION


DIRECTORY IN FLASH

CONFIGURE AN IOS IPS CRYPTO KEY

<R1#mkdir (directory_name)>

Any system location will be accepted as long there


is write access.

<R1#dir flash:>
<R1(config)#crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
exit

The crypto key verifies the digital signature for the


master signature file (sigdef-default.xml). The
content of the file is signed by a Cisco private key
to guarantee its authenticity and integrity.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

56

exit>
To remove:
<R1(config)#no crypto key pubkey-chain rsa)
<R1(config)#no named-key realm-cisco.pub>

Identify the IPS rule name and specify the location

<R1(config)#ip ips name (rule name) list (ACL name | #)>

ENABLE IOS IPS

If an ACL is used all traffic matching the permit


statement is subject to inspection by the IPS; traffic
that is denied is not inspected.

Configure the IPS signature storage location

<R1(config)#ip ips config location (location)>


<R1(config)#ip http server>

<R1(config)#ip ips notify sdee>

ENABLE SDEE AND LOGGING

<R1(config)#ip ips notify log>

<R1(config)#ip ips signature-category>

<R1(config-ips-category)#category (all | attack | ddos | dos | email)>


<R1(config-ips-category-action)# retired (true | false)>

<R1(config-ips-category-action)#exit>
<R1(config-ips-category)#exit>

CONFIGURE THE SIGNATURE


CATEGORY

Do you want to accept these changes? [confirm] (Y | N)

ip http server if not enable the router wont


be able to respond to SDEE clients
ip ips notify sdee (disabled by default)
enables SDEE notifications
ip ips notify log generates syslog messages
(if logging console is enabled messages are
displayed on the console)
ip ips signature-category - all signatures are
grouped into categories and the categories
are hierarchical
retired (true | false) retiring a signature
means that IPS does not compile that
signature into memory for scanning and
ultimately the traffic is not scanned against it.
Initially the all category should be retired and
then selected signature unretired.

IOS IPS processes the category commands in the


order listed in the configuration
If multiple categories are configured and a
signature belongs to more than one of them, IOS
IPS uses the signatures properties in the last
configured category e.g. retired, unretired

APPLY THE IPS RULE TO AN


INTERFACE

<R1(config)#interface (interface)>

A rule can be applied in both directions

<R1(config-if)#ip ips (rule name) (in | out)>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

57

<R1#copy (source) idconf>

LOAD SIGNATURE PACKAGE TO THE


ROUTER

Commonly a FTP or TFTP server is used.

To verify:
<R1#show ip ips signature>

MODIFYING IPS SIGNATURES


<R1(config)#ip ips signature-category>

event-action modify the action associated


with a signature

signature (ID) (SUBID)


status sub-configuration for retiring or unretiring a signature
engine sub-configuration for modifying a
signature action

<R1(config-)#category>
<R1(config-ips-category)#(all | ios_ips (basic | advanced))>

MODYFING A GROUP OF
SIGNATURES

<R1(config-ips-category-action)#event-action (action)>
<R1(config-ips-category-action)#exit
<R1(config-ips-category)#exit>
Do you want to accept these changes? [confirm] (Y | N)
<R1(config)#ip ips signature-definition>
<R1(config-sigdef)#signature (1-65535) (0-65535)>
<R1(config-sigdef-sig)#status>

<R1(config-sigdef-sig-status)#retired (true | false)>


<R1(config-sigdef-sig-status)#enabled (true | false)>

MODYFING AN INDIVIDUAL
SIGNATURE

<R1(config-sigdef-sig-status)#exit
<R1(config-sigdef-sig)#engine>
<R1(config-sigdef-sig-engine)#event-action (action)>
<R1(config-sigdef-sig)#exit>
<R1(config-sigdef)#exit>
Do you want to accept these changes? [confirm] (Y | N)

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

58

IPS VERIFICATION AND TSHOOTING

show ip ips all


show ip ips configuration
show ip ips interfces
show ip ips signatures (detail)
show ip ips statistics
clear ip ips statistics
clear ip ips configuration
COMMAND

VERIFIES

show ip ips all

Displays all IPS configuration data

show ip ips configuration

Displays additional configuration data that is not displayed with the show running-config

show ip ips interfaces

show ip ips signatures (detail)

Vverifies the signatures configuration

show ip ips statistics

Displays number of packets audited and the number of alarms set

clear ip ips statistics

Resets statistics on packets analyzed and alarms set

clear ip ips configuration

Removes all IPS configuration entries and releases dynamic resources

interface configuration data


inbound / outbound rules

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

59

LAYER 2
SECURITY
Layer 2 Attacks

Securing Layer 2
o
o
o
o

DTP Modes
Switchport Security
STP Security
Misc

LAYER 2 ATTACKS
ATTACK

HOW IT WORKS

MAC ADDRESSING SPOOFING

MAC ADDRESS TABLE


OVERFLOW

COMMENTS

a rouge host masquerades or poses as another to receive otherwise inaccessible data or to


circumnavigate security appliances
performed by changing the MAC address of the rouge device to match another known MAC
address of a known device
the attacking hosts then sends a frame throughout the network with the newly configured MAC
address
when the switch receives the frame with new MAC address it removes the original entry and
assigns the new MAC address to the new port
when the target host sends traffic the switch receives and examines the frame, which results in the
MAC address table being rewritten
takes advantage of the MAC table limited size and bombards the switch with fake source MAC
addresses until the switch MAC table is full if enough entries are entered into MAC addresses
table before older entries expire, the table fills up to the point that no new entries are can be
accepted
when this happens the switch begins to flood all incoming traffic to all ports (effectively turning into
hub)
the attacker can see all of the frames sent from one host to another (but only within the local
VLAN)

If the intruder does not maintain the


flood of invalid source MAC addresses
the switch eventually ages out the older
MAC addresses from the table.
Most common protection would be set a
limit to dynamically learnt MAC
addresses.
macof this tool floods a switch with
frames containing randomly generated
source MAC and IP addresses; as long as
it is running the switch acts as a hub.

STP MANIPULATION ATTACKS

LAN STORM ATTACKS

the attacker broadcasts BPDUs that contain false STP configuration and topology changes
aim to promote the rouge device to the rank of ROOT BRIDGE, which will result in the attacker
having access to otherwise inaccessible traffic

LAN Storm packets flood the LAN creating excessive traffic and hurting network performance
broadcasts and multicasts are flooded on all ports within the same VLAN
storms can increase the CPU utilization on a switch to 100%

PortFast
ROOT guard
BPDU guard

May be caused by errors in stack


implementation, configuration or user
initiated DoS attacks.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

60

VLAN ATTACKS

exploiting DTP (Dynamic Trunking Protocol)


double-tagging

Can be done by spoofing DTP messages


or using a rouge switch.
Works only if the rouge and trunk port
have the same native vlan configured.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

61

SECURING LAYER 2
DTP MODES
MODE

OVERVIEW

COMMENTS

starts as a TRUNK port


periodically sends DTP frames (advertisements) to the remote host
unconditional trunking state

TRUNK
To hardcode mode on an interface:

DYNAMIC AUTO

<S1(config-if)#switchport mode trunk>

starts as an ACCESS port


periodically sends DTP frames to the remote host
advertises that it is able to trunk
does not request remote host to go into trunking mode

To hardcode mode on an interface:

DYNAMIC DESIRABLE (default)

< S1(config-if)#switchport mode dynamic auto>

starts as an ACCESS port


periodically sends DTP frames to the remote host
advertises that is able to trunk
requests remote host to go into trunking mode

To hardcode mode on an interface:

NON-NEGOTIATE

<S1(config-if)#switchport mode dynamic desirable>

disables DTP protocol


use when connecting switch from different vendors

To hardcode mode on an interface:

<S1(config-if)#switchport nonegotiate>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

62

ACCESS

TRUNK

DYNAMIC AUTO

DYNAMIC DESIRABLE

NON-NEGOTIATE

ACCESS

ACCESS

MISMATCH

ACCESS

ACCESS

MISMATCH

TRUNK

MISMATCH

TRUNK

TRUNK

TRUNK

TRUNK

DYNAMIC AUTO

ACCESS

TRUNK

ACCESS

TRUNK

MISMATCH

DYNAMIC DESIRABLE

ACCESS

TRUNK

TRUNK

TRUNK

MISMATCH

NON-NEGOTIATE

MISMATCH

TRUNK

MISMATCH

MISMATCH

TRUNK

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

63

SWITCHPORT SECURITY
STEP #

SET PORT TO ACCESS MODE

ENABLE SWITCHPORT SECURITY

MAXMIUM MAC ADDRESSESES

SECURITY VIOLATION MODE

COMMANDS

COMMENTS

<S1(config-if)#switchport mode access>

A port can only be secured if it is in explicit ACCESS


mode.

<S1(config-if)#switchport port-security>

None of the port security settings will take effect


until this command is issued.

<S1(config-if)#switchport port-security maximum (1-132)>

Number of MAC addresses allowed on the port.

<S1(config-if)#switchport port-security violation (protect | restrict | shutdown)>

To recover a port from err-disabled state:

<S1(config-if)#shutdown>
<S1(config-fi)#no shutdown>

protect blocks all MAC addresses above the


limit
restrict as above + sends a syslog msg. +
sends a SNMP trap + increments violation
counter
shutdown puts port into err-disabled state

OR
<S1(config)#errdisable recovery cause psecure-violation>

<S1(config-if)#switchport port-security mac-address (H.H.H | sticky)>

H.H.H.H enter MAC address manually


sticky learns the incoming MAC addresses
and adds them to the running configuration; if
the command is later removed all sticky MACs
remain a part of the running conf. but are
removed from the MAC table

<S1(config-if)#switchport port-security aging static time (0-1440) type (absolute |


inactivity)>

absolute - all secure addresses on this port are


age out exactly after specified time and
removed from the secure address list
inactivity secure address on this port are
aged out only if there is no data traffic from
the secure source for the specified time period

MAC ADDRESS ENTRY

AGING

TSHOOT

show port-security (interface)


show port-security address

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

64

STP SECURITY
STEP #

COMMANDS
<S1(config)#spanning-tree portfast default>

PortFast

<S1(config-if)#spanning-tree portfast>

<S1(config)#spanning-tree portfast bpduguard default>

COMMENTS

<S1(config-if)#spanning-tree bpduguard enable>

spanning-tree portfast default sets all nontrunking ports to PortFast


spanning-tree portfast sets given port to
PortFast (instant transition to ACCESS mode)
spanning-tree portfast bpduguard default
enable BPDU Guard on all PortFast ports

If a port with BPDU Guard enabled receives a BPDU


it will be blocked.

BPDU Guard

Should be enabled on all non-trunking ports.

BPDU Filter

Root Guard

<S1(conif-if)#spanning-tree bpdufilter>

spanning-tree bpdufilter disable sending and


receving of BPDUs

<S1(config-if)#spanning-tree guard root>

spanning-tree guard root enables root guard


on a per-interface basis

If a port with Root Guard enabled receives a BPDU


with a lower priority than those issued by the
current root bridge, that port is moved into rootinconsistent state (STP listening state) - the port
recovers as soon as the offending BPDUs stop being
received.
Best deployed toward ports that connect to switches
that should never become the root bridge.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

65

MISC
<S1(config-if)#storm-control (broadcast | multicast | unicast) level ()>

level (level-low)
bps (bps-low)
pps (pps-low)

Allows to shutdown interfaces sending excessive


traffic.
The blocked port remains shut until the traffic drops
below the falling threshold.

<S1(config-if)#storm-control action (shutdown | trap)>


To verify:
<S1#show storm-control (broadcast | multicast | unicast)>

Storm Control

<S1(config)#monitor session 1 source(interface | vlan) (i-face | vlan) (both | rx | tx)>


<S1(config)#monitor session 1 destination interface (interface)>

SPAN Ports
To verify:
<S1#show monitor>

level (level-low) specifies the rising and


falling suppression levels as a % of total
bandwidth of the port:
level rising suppression (0.00 100.00);
flooding of storm packets is blocked when the
value specified is reached
level-low falling suppression level (0.00
100.00); by default equals to the value of rising
suppression
bps (bps-low) specifies the rising and falling
suppression levels as a rate in bits per seconds
at which traffic is received on the port.
pps (pps-low) specifies the rising and falling
suppression levels as a rate in packets per
seconds at which traffic is received
action shutdown err-disabled status
action trap the switch sends a SNMP trap
when a storm occurs

Forwards all the traffic received on port specified to


a specified destination port (mirrors the traffic) for
further analysis (to an IPS / IDS).
RSPAN allows for mirroring traffic to a port on a
remote device.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

66

IPSec
IPSec Configuration
IKE Phase 1
IKE Phase 2

IPSec Verification and Tshooting


IPSec Configuration Example
IPSec Planning Template

IPSec CONFIGURATION
IKE PHASE 1

IKE - Internet Key Exchange


PHASE 1 is used:
o to exchange and agree on policy sets to be used
o to exchange DH keys
o to authenticate the peer
can run in MAIN or AGGRESSIVE mode
STEP #

COMMANDS

COMMENTS

<Router(config)#access-list 102 permit ahp host A.A.A.A host A.A.A.A>


<Router(config)#access-list 102 permit esp host A.A.A.A host A.A.A.A>

*ENSURE IPsec TRAFFIC IS


ALLOWED

<Router(config)#access-list 102 permit udp host A.A.A.A host A.A.A.A eq isakmp>


<Router(config)#interface (interface)>
<Router(config-if)#ip access-group 102 in>

ENABLE ISAKMP

<Router(config)#crypto isakmp enable>

IPSec uses the following protocols:

ESP (IP 50)


AH (IP 51)
ISAKMP (UDP 500)

They have to be permitted i.e. not blocked on the interfaces


using IPSec (restrictive traffic policies are most likely to be
present on perimeter routers).
The default state of isakmp will differ depending on the IOS
version.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

67

<Router(config)#crypto isakmp policy (1-10000)>


<Router(config-isakmp)#authentication (pre-share | rsa-encr | rsa-sig)>
<Router(config-isakmp)#encryption (3des | aes | des)>
<Router(config-isakmp)#hash (md5 | sha)>
<Router(config-isakmp)#group (1 | 2 | 5 | 14 | 15 | 16)>
<Router(config-isakmp)#lifetime (60 - 86400)>
To verify:

Each policy configured on a router is assigned a priority


number, which is only locally significant (the lower the number
the higher the priority).
The peer initiating the negotiation sends all of its policies to the
remote peer, who compares them with the locally configured
until a match is found - the policies with higher priorities are
compared first (thats why the most secure policies should
have lower priorities).
For a match to be found, two policies have to use identical
following protocols:

<Router#show crypto isakmp policy>

CREATE ISAKMP POLICY

AUTHENTICATION
ENCRYPTION
HASH
DH LEVEL

If a match is found ISAKMP will use DH algorithm to exchange


keys and authenticate the peers
If a match is not found ISAKMP refuses negotiation.

<Router(config)#crypto isakmp identity (address | hostname)>

CREATE ISKAMP LOCAL ID

lifetime - specifies after what time the IKE Phase 1 tunnel


is torn down and re-established (the value does not have
to be identical on both ends and if a non-default value is
used the lower the value on either sides is used).

The router can ID itself when communicating with the remote


end using either its IP address or hostname (both ends need to
use the same form of authentication).
Hostname should only be used when the routers IP address is
a subject to frequent changes e.g. by the ISP.
If hostname is used a DNS server must be present to resolve
the hostname to its IP address.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

68

IF LOCAL ID = HOSTNAME

The PKS has to be identical on both ends.

<Router(config)#crypto isakmp key (key up to 128 char) hostname (remote devices


hostname)>
IF LOCAL ID = IP ADDRESS

CREATE PSKs

<Router(config)#crypto isakmp key (key up to 128 char) address (remote devices IP


address)>
To verify:
<Router#show crypto isakmp key>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

69

IKE PHASE 2

PHASE 2 is used to:


o negotiates and establishes IPSec SA (Security Associations) parameters protected by the existing IKE SA
o periodically renegotiates IPSec SA to ensure security
o optionally performs an additional DH exchange (with PFS)
STEP #

COMMANDS

COMMENTS

<Router(config)#crypto ipsec transform set (name) (AH authentication) (ESP


authentication) (ESP encryption) (compression)>

*<Router(cfg-crypto-trans)#mode (transport | tunnel)>

Multiple sets can be configured and multiple sets can be


specified in a crypto map

To verify:
<Router#show crypto ipsec transform-set (sets name)>

transform set - groups together security protocols and


their protection methods and create security parameters
that protect traffic traveling through the IPSec tunnel

Each set is compared against each of the sets configured on the


peer - at least one needs to match
There are four groups of transforms (only one transform from
each category can be used):

CREATE TRANSFORM SET

o
o
o
o

<Router(config)#crypto ipsec security-association lifetime kilobytes (2560 - 4294967295)

mode transport - protection of L2 and below


mode tunnel - protection of L3 and below

lifetime kilobytes - sets the amount of data limit after


reaching which will cause the tunnel to be torn down and
renegotiated (default = 460800 kb)
lifetime seconds - sets the time period after which the
tunnel will be torn down and renegotiated (default =
3600 sec.)
idle-timer - disabled by default

<Router(config)#crypto ipsec security-association lifetime seconds (120 - 86400)>

*TUNE IPSec SA
PARAMETERS

<Router(config)#crypto ipsec security-association idle-time (60 - 86400)>

AU AUTHENTICATION (hashing)
ESP AUTHENTICATION (hashing)
ESP ENCRYPTION
COMPRESSION

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

70

<Router(config)#ip access-list extended (ACL name | #)>


<Router(config-ext-nacl)#(permit | deny) ip (source) (destination)>

<Router(config)#crypto map (map name) (sequence number) ipsec-isakmp>

Crypto map binds all the IPSec information together.

<Router(config-crypto-map)#match address (crypto ACL)>

Only one crypto map can exist on an interface.

<Router(config-crypto-map)#set peer (remote peers IP address)>

If no PKS are configured, the SA keys Phase 1 connection.

CREATE CRYPTO MAP

*<Router(config-crypto-map)#set pfs (1 | 2 | 5 )>

ASSIGN CRYPTO MAP TO


AN INTERFACE

permit - encrypt data


deny - send in plain text

The ACL criteria are applied in the forward direction to traffic


exiting the router, and in the backward direction to the traffic
entering the router (the outbound ACL source becomes the
inbound ACL destination).

CREATE CRYPTO ACL

<Router(config-crypto-map)#set transform-set (transform sets name)>

sequence number - used to prioritize multiple maps that


may exist on a router (the lower the number the higher
the priority)
set pfs - (Perfect Forward Secrecy) performs a new DH
exchange with each quick mode and provides key
material that has greater life and thereby greater
resistance to cryptographic attacks (increases CPU usage)

<Router(config-if)#crypto map (crypto map name)>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

71

IPSec VERIFICATION AND TSHOOTING

show crypto isakmp policy


show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp (connection ID)
clear crypto sa
clear crypto sa peer
clear crypto sa map
clear crypto sa counters
COMMAND

VERIFIES

EXAMPLE

Displays all of the isakmp policies defined on the router:

show crypto isakmp policy

policy number
encryption algorithm
hashing algorithm
authentication method
DH group
lifetime

Displays all of the transform sets defined on the router:

show crypto ipsec transform-set

transform set name


encryption algorithm
hashing algorithm

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

72

Displays all of the crypto maps defined on the router:

show crypto map

maps name and sequence number


peer associated with the map
ACL defining interesting traffic associated
with the map
transform set associated with the map
interface associated with the map

IKE Phase 1 Tunnel information:

source and destination


tunnels state (QM_IDLE desired)
tunnels status (ACTIVE desired)
MM = Main Mode
QM = Quick Mode
PHASE / STATE

show crypto isakmp sa

DESCRIPTION
The tunnel has been initialized but nothing
has been negotiated yet.

MM_NO_STATE
AG_NO_STATE

MM_SA_SETUP

The peers have negotiated IKE Phase 1


policies.

MM_KEY_EXCH

DH has completed.

AG_INIT_EXCH

The peers have negotiated the Phase 1


policies and performed DH.

AG_AUTH

QM_IDLE

The Phase 1 authentication has completed.

The Phase 1 and/or Phase 2 sessions have


completed successfully.

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

73

IKE Phase 2 Tunnel information:

local and remote identity


packets encapsulated / encrypted / digested
packets decapsuated / decrypted / verified

show crypto ipsec sa

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

74

Displays tunnels information and statistics

show crypto session detail

debug crypto isakmp

Debugs the process of creating IKE Phase 1 tunnel

debug crypto ipsec

Debugs the process of creating IKE Phase 2 tunnel

clear crypto isakmp (connection ID)

Clears active ISAKMP connections

clear crypto sa

Clears all data SA

clear crypto sa peer (IP Address |


hostname)

Clears data SA associated with specific peer.

clear crypto sa map

Clears all data SA associated with specific crypto map.

clear crypto sa counters

Clears the counters in the output of the show crypto ipsec sa

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

75

IPSec CONFIGURATION EXAMPLE


Secure the traffic sent between 172.30.2.0 /24 and 192.168.1.0 /24

IKE PHASE 1: PLANNING


PEERS

PEER 1: HOME

LOCAL ID

IP ADDRESS

PEER 2: REMOTE
IP ADDRESS

98.174.249.99

67.40.69.33

#10

#60

POLICY

NUMBER

AUTHENTICATION

ENCRYPTION

HASHING

DH LVL

LIFETIME

PRE SHARED KEY


AES 128
SHA 1
2
86,400

PRE SHARED KEY

NAME

ACCEPTED FROM

cbtkey
67.40.69.33

98.174.249.99

IKE PHASE 2: PLANNING


TRANSFORM SET
CBTVPN

NAME

AH HASHING

N/A

ESP HASHING

ESP-AES 123

ESP ENCRYPTION

COMPRESION

ESP-SHA-1-HMAC
N/A

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

76

CRYPTO ACL
S2S-VPN-TRAFFIC

NAME

INTERESTING TRAFFIC

S2S-VPN-TRAFFIC

172.30.2.0 /24 192.168.1.0 /24

CRYPTO MAP
S2S-VPN

S2S-VPN

SEQUENCE #

100

200

INTERFACE

s1/0

s1/1

NAME

IKE PHASE 1: CONFIGURATION


STEP #
1. ENABLE ISAKMP

COMMANDS
<Router(config)#crypto isakmp enable>
<Rotuer(config)#crypto isakmp policy 10>
<Router(config-isakmp)#authentication pre-share>
<Router(config-isakmp)#encryption aes 128 >
<Router(config-isakmp)#group 2>

2. CREATE ISAKMP POLICY

<Router(config-isakmp)#hash sha>
<Router(config-isakmp)#lifetime 86400>
VERIFY:
<Router#show crypto isakmp policy>

3. CREATE ISAKMP LOCAL IDENTITY

<Router(config)#crypto isakmp identity address>


<HOME(config)#crypto isakmp key cbtkey address 67.40.69.33>
<REMOTE(config)#crypto isakmp key cbtkey address 98.174.249.99>

4. CONFIGURE PRE-SHARED KEYS


VERIFY:
<Router#show crypto isakmp key>

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

77

IKE PHASE 2: CONFIGURATION


STEP #

COMMANDS

5. CREATE TRANSFORM SET

<Router(config)#crypto ipsec transform-set CBTVPN esp-aes 128 esp-sha-hmac>


<Router(config)#ip access-list extended S2S-VPN-TRAFFIC

6. CREATE CRYPTO ACL

<HOME(config-ext-nacl)#permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255>


<REMOTE(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255>
<Router(config)#crypto map S2S-VPN 100 ipsec-isakmp>
<Router(config-crypto-map)#match address S2S-VPN-TRAFFIC>
<HOME(config-crypto-map)#set peer 67.40.69.33>
<REMOTE(config-crypto-map)#set peer 98.174.249.99>

7. SET UP IPSec CRYPTO-MAP

<Router(config-crypto-map)#set transform-set CBTVPN)>


VERIFY:
<Router#show crypto map>
<HOME(config)#interface s1/0>
8. ASSIGN CRYPTO MAP TO AN INTERFACE

<HOME(config-if)#crypto map S2S-VPN>


<REMOTE(config)#interface s1/1>
<REMOTE(config-if)#crypto map S2S-VPN>

VERIFICATION AND TSHOOTING

show crypto isakmp policy


show crypto isakmp key
show crypto ipsec transport-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

78

CONFIGURATION FILES
HOME
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 67.40.69.33
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
set peer 67.40.69.33
set transform-set CBTVPN
match address S2S-VPN-TRAFFIC
!
interface Serial1/0
ip address 98.174.249.99 255.255.255.0
serial restart-delay 0
crypto map S2S-VPN
!
!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

REMOTE
!
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 98.174.249.99
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
set peer 98.174.249.99
set transform-set CBTVPN
match address S2S-VPN-TRAFFIC
!
interface Serial1/1
ip address 67.40.69.33 255.255.255.0
serial restart-delay 0
crypto map S2S-VPN
!
!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255
!

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

79

IPSec PLANNING TEMPLATE


IKE PHASE 1
PEER

PEER 1

LOCAL ID

IP ADDRESS

PEER 2

POLICY

NUMBER

AUTHENTICATION

ENCRYPTION

HASHING

DH LVL

LIFETIME

PRE SHARED KEY

NAME

ACCEPTED FROM

IKE PHASE 2
TRANSFORM SET

NAME

AH HASHING

ESP HASHING

ESP ENCRYPTION

COMPRESION

CRYPTO ACL

NAME

INTERESTING TRAFFIC

CRYPTO MAP

NAME

SEQUENCE #

INTERFACE

BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14

80

APPENDIXES
IPv4 Subnetting

Common Ports
ACLs
Zone Based Firewall
IPSec

IOS IPV4 ACCESS LISTS

packetlife.net

Standard ACL Syntax

Actions

! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]

permit

Allow matched packets

deny

Deny matched packets

remark

Record a configuration comment

evaluate

Evaluate a reflexive ACL

Extended ACL Syntax


! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

ACL Numbers
1-99
IP standard
1300-1999

Source/Destination Definitions
any Any address
host <address> A single address

100-199
IP extended
2000-2699

<network> <mask> Any address matched by the wildcard mask

200-299 Protocol

IP Options

300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established

Match packets in an
established session

Logging Options
log Log ACL entry matches
Log matches including
log-input ingress interface and
source MAC address
by Jeremy Stretch

dscp <DSCP> Match the specified IP DSCP


fragments Check non-initial fragments
option <option> Match the specified IP option
precedence {0-7} Match the specified IP precedence
ttl <count> Match the specified IP time to live (TTL)
TCP/UDP Port Definitions
eq <port> Equal to

neq <port> Not equal to

lt <port> Less than

gt <port> Greater than

range <port> <port> Matches a range of port numbers


Miscellaneous Options
reflect <name> Create a reflexive ACL entry
time-range <name> Enable rule only during the given time range
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}

Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
v2.0

COMMON PORTS

packetlife.net
TCP/UDP Port Numbers

7 Echo

554 RTSP

19 Chargen

2745 Bagle.H

6891-6901 Windows Live

546-547 DHCPv6

2967 Symantec AV

6970 Quicktime

560 rmonitor

3050 Interbase DB

7212 GhostSurf

22 SSH/SCP

563 NNTP over SSL

3074 XBOX Live

23 Telnet

587 SMTP

3124 HTTP Proxy

8000 Internet Radio

25 SMTP

591 FileMaker

3127 MyDoom

8080 HTTP Proxy

42 WINS Replication

593 Microsoft DCOM

3128 HTTP Proxy

43 WHOIS

631 Internet Printing

3222 GLBP

8118 Privoxy

49 TACACS

636 LDAP over SSL

3260 iSCSI Target

8200 VMware Server

53 DNS

639 MSDP (PIM)

3306 MySQL

8500 Adobe ColdFusion

646 LDP (MPLS)

3389 Terminal Server

8767 TeamSpeak

69 TFTP

691 MS Exchange

3689 iTunes

8866 Bagle.B

70 Gopher

860 iSCSI

3690 Subversion

79 Finger

873 rsync

3724 World of Warcraft

80 HTTP

902 VMware Server

20-21 FTP

67-68 DHCP/BOOTP

88 Kerberos

989-990 FTP over SSL

102 MS Exchange
110 POP3
113 Ident

9800 WebDAV

4444 Blaster

9898 Dabber

995 POP3 over SSL

4664 Google Desktop

9988 Rbot/Spybot

4672 eMule

9999 Urchin

1026-1029 Windows Messenger

4899 Radmin

1080 SOCKS Proxy

5000 UPnP

1080 MyDoom

5001 Slingbox

1194 OpenVPN

5001 iperf

143 IMAP4

1214 Kazaa

5004-5005 RTP

1241 Nessus

5050 Yahoo! Messenger

177 XDMCP

1311 Dell OpenManage

5060 SIP

179 BGP

1337 WASTE

5190 AIM/ICQ

201 AppleTalk

9119 MXit

4333 mSQL

135 Microsoft RPC

161-162 SNMP

9100 HP JetDirect
9101-9103 Bacula

3784-3785 Ventrilo

123 NTP

137-139 NetBIOS

8086-8087 Kaspersky AV

993 IMAP4 over SSL

1025 Microsoft RPC

119 NNTP (Usenet)

7648-7649 CU-SeeMe

1433-1434 Microsoft SQL

5222-5223 XMPP/Jabber

10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob

264 BGMP

1512 WINS

5432 PostgreSQL

19226 AdminSecure

318 TSP

1589 Cisco VQP

5500 VNC Server

19638 Ensim

1701 L2TP

5554 Sasser

20000 Usermin

5631-5632 pcAnywhere

24800 Synergy

381-383 HP Openview
389 LDAP

1723 MS PPTP

411-412 Direct Connect

1725 Steam

443 HTTP over SSL

1741 CiscoWorks 2000

445 Microsoft DS

1755 MS Media Server

464 Kerberos

1812-1813 RADIUS

5800 VNC over HTTP


5900+ VNC Server
6000-6001 X11
6112 Battle.net

25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty

465 SMTP over SSL

1863 MSN

6129 DameWare

497 Retrospect

1985 Cisco HSRP

6257 WinMX

500 ISAKMP

2000 Cisco SCCP

512 rexec

2002 Cisco ACS

6500 GameSpy Arcade

Chat

513 rlogin

2049 NFS

6566 SANE

Encrypted

6588 AnalogX

Gaming

514 syslog

2082-2083 cPanel

6346-6347 Gnutella

515 LPD/LPR

2100 Oracle XDB

6665-6669 IRC

520 RIP

2222 DirectAdmin

6679/6697 IRC over SSL

521 RIPng (IPv6)

2302 Halo

540 UUCP

2483-2484 Oracle DB

31337 Back Orifice


33434+ traceroute

6699 Napster

Legend

Malicious
Peer to Peer
Streaming

6881-6999 BitTorrent

IANA port assignments published at http://www.iana.org/assignments/port-numbers

by Jeremy Stretch

v1.1

IOS IPV4 ACCESS LISTS

packetlife.net

Standard ACL Syntax

Actions

! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]

permit

Allow matched packets

deny

Deny matched packets

remark

Record a configuration comment

evaluate

Evaluate a reflexive ACL

Extended ACL Syntax


! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

ACL Numbers
1-99
IP standard
1300-1999

Source/Destination Definitions
any Any address
host <address> A single address

100-199
IP extended
2000-2699

<network> <mask> Any address matched by the wildcard mask

200-299 Protocol

IP Options

300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established

Match packets in an
established session

Logging Options
log Log ACL entry matches
Log matches including
log-input ingress interface and
source MAC address
by Jeremy Stretch

dscp <DSCP> Match the specified IP DSCP


fragments Check non-initial fragments
option <option> Match the specified IP option
precedence {0-7} Match the specified IP precedence
ttl <count> Match the specified IP time to live (TTL)
TCP/UDP Port Definitions
eq <port> Equal to

neq <port> Not equal to

lt <port> Less than

gt <port> Greater than

range <port> <port> Matches a range of port numbers


Miscellaneous Options
reflect <name> Create a reflexive ACL entry
time-range <name> Enable rule only during the given time range
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}

Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
v2.0

IOS ZONE-BASED FIREWALL


Terminology

Inspection Class Configuration

Security Zone
A group of interfaces which share a common level of security

Zone Pair
A unidirectional pairing of source and destination zones to which a
security policy is applied

Inspection Policy
An inspect-type policy map used to statefully filter traffic by
matching one or more inspect-type class maps

Parameter Map
An optional configuration of protocol-specific parameters referenced
by an inspection policy

MPLS WAN

Internet

G0/0

G0/1

! Match by protocol
class-map type inspect match-any ByProtocol
match protocol tcp
match protocol udp
match protocol icmp
! Match by access list
ip access-list extended MyACL
permit ip 10.0.0.0 255.255.0.0 any
!
class-map type inspect match-all ByAccessList
match access-group name MyACL

Parameter Map Configuration

Security Zones

Trusted

packetlife.net

Internet

parameter-map type inspect MyParameterMap


alert on
audit-trail off
dns-timeout 5
max-incomplete low 20000
max-incomplete high 25000
icmp idle-time 3
tcp synwait-time 3

Guest

Inspection Policy Actions


Drop Traffic is prevented from passing

Corporate
LAN

G0/2.10

G0/2.20

Guest
Wireless LAN

! Defining security zones


zone security Trusted
zone security Guest
zone security Internet
! Assigning interfaces to security zones
interface GigabitEthernet0/0
zone-member security Trusted
!
interface GigabitEthernet0/1
zone-member security Internet
!
interface GigabitEthernet0/2.10
zone-member security Trusted
!
interface GigabitEthernet0/2.20
zone-member security Guest

Zone Pair Configuration


! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
service-policy type inspect Trusted2Internet

Pass

Traffic is permitted to pass without


stateful inspection

Traffic is subjected to stateful


Inspect inspection; legitimate return traffic is
permitted in the opposite direction
Inspection Policy Configuration
policy-map type inspect MyInspectionPolicy
! Pass permitted stateless traffic
class VPN-Tunnel
pass
! Inspect permitted stateful traffic
class Allowed-Traffic1
inspect
! Stateful inspection with a parameter map
class Allowed-Traffic2
inspect MyParameterMap
! Drop and log unpermitted traffic
class class-default
drop log

Troubleshooting
show zone security
show zone-pair security
show policy-map type inspect

zone-pair security G2I source Guest destination Internet


service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
service-policy type inspect Internet2Trusted

by Jeremy Stretch

show class-map type inspect


show parameter-map type inspect
debug zone security events
v1.0

IPSEC

packetlife.net
Protocols

Encryption Algorithms

Internet Security Association and Key Management


Protocol (ISAKMP)
A framework for the negotiation and management of
security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric
cryptography
Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer
authentication; IP protocol 50
Authentication Header (AH)
Provides data integrity and peer authentication, but not data
encryption; IP protocol 51

L2

IP

TCP/UDP

Transport
Mode

L2

IP

ESP/AH

Tunnel
Mode

L2

New IP

ESP/AH

Strength

56

Weak

168

Medium

AES Symmetric

128/192/256

Strong

RSA Asymmetric

1024+

Strong

DES Symmetric
3DES Symmetric

Hashing Algorithms
Length (Bits)

MD5 128

Strength

Medium

SHA-1 160

Strong
IKE Phases

Phase 1.5 (optional)


Xauth can optionally be implemented to enforce
user authentication

TCP/UDP

IP

TCP/UDP

Transport Mode
The ESP or AH header is inserted behind the IP header; the
IP header can be authenticated but not encrypted
Tunnel Mode
A new IP header is created in place of the original; this
allows for encryption of the entire original packet
Configuration
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600

Key Length (Bits)

Phase 1
A bidirectional ISAKMP SA is established
between peers to provide a secure management
channel (IKE in main or aggressive mode)

IPsec Modes
Original
Packet

Type

ISAKMP Policy

Phase 2
Two unidirectional IPsec SAs are established for
data transfer using separate keys (IKE quick
mode)
Terminology
Data Integrity
Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Data Confidentiality
Encryption is used to ensure data cannot be
intercepted by a third party
Data Origin Authentication
Authentication of the SA peer

ISAKMP Pre-Shared Key

crypto isakmp key 1 MySecretKey address 10.0.0.2


IPsec Transform Set

crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac


mode tunnel
IPsec Profile

crypto ipsec profile MyProfile


set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile

Anti-replay
Sequence numbers are used to detect and
discard duplicate packets
Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
provide message authenticity
Diffie-Hellman Exchange
A shared secret key is established over an
insecure path using public and private keys
Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto {isakmp | ipsec}

by Jeremy Stretch

v2.0

Você também pode gostar