
CCIE Security Techtorial

TECCCIE-3001

TECCCIE-3001_c2

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Agenda
Section   Topic
1         CCIE Program Overview
2         CCIE Security Overview
3         Core Knowledge Section Overview
4         Implement secure networks using Cisco ASA Firewalls
5         Implement secure networks using Cisco IOS Firewalls
6         Implement secure networks using Cisco VPN solutions
7         Configure Cisco IPS to mitigate network threats
8         Implement Identity Management
9         Implement Control Plane & Management Plane Security
10        Configure Advanced Security
11        Identify and Mitigate Network Attacks
12        Preparation Resources and Test-Taking Tips

Disclaimer
Not all the topics discussed today appear on every exam
For time reasons, we're unable to discuss every feature and topic possible on the exam

Section 1
CCIE Program Overview

CCIEs Worldwide
Most highly respected IT certification for more than 15 years
Industry standard for validating expert skills and experience
More than 20,000 CCIEs worldwide; less than 3% of all professionals certified by Cisco
Demonstrate strong commitment and investment to networking career, life-long learning, and dedication to remaining an active CCIE

New Certification Logos
https://cisco.hosted.jivesoftware.com/docs/DOC-3813
The Learning@Cisco organization is pleased to introduce new logos for its Cisco Career Certification Program.
The logos were designed with input from the Cisco certified community, and represent the prestige and dedication defined by the program.
Effective January 12, 2009, all certificates and plaques include the new logos.
Certified individuals can access and download the logos by logging into the Certifications Tracking System at: www.cisco.com/go/certifications/login


Overview: CCIE Tracks
Available in Six Technical Specialties

Routing and Switching
Core networking cert
64% of all bookings
Labs in all regions, all worldwide locations

Security
Introduced 2002
13% of bookings
Labs in Beijing, Hong Kong, Brussels, RTP, San Jose, Sydney, Dubai, Bangalore and Tokyo

Voice
Introduced 2003
16% of bookings
Labs in Brussels, San Jose, RTP, Sydney and Tokyo

Storage Networking
Introduced 2004
1% of bookings
Labs in Brussels and RTP

Service Provider Networks
Introduced 2002
6% of bookings
Labs in Brussels, Beijing, Hong Kong, RTP, Sao Paulo, Sydney

Wireless
Introduced 2009
Labs in Brussels and San Jose

CCIE Information Worldwide
Total of Worldwide CCIEs: 19,134*
Total of Routing and Switching CCIEs: 16,727
Total of Security CCIEs: 2,147
Total of Service Provider CCIEs: 1,182
Total of Storage Networking CCIEs: 140
Total of Voice CCIEs: 901

Multiple Certifications
Many CCIEs Have Gone on to Pass the Certification Exams in Additional Tracks, Becoming a Multiple CCIE. Below Are Selected Statistics on CCIEs Who Are Certified in More Than One Track
Total with Multiple Certifications Worldwide: 1,974
Total of Routing and Switching and Security CCIEs: 739
Total of Routing and Switching and Service Provider CCIEs: 496
Total of Routing and Switching and Storage Networking CCIEs: 35
Total of Routing and Switching and Voice CCIEs: 258
Total with 3 or More Certifications: 316

*Updated 23-Feb-2009
http://www.cisco.com/web/learning/le3/ccie/certified_ccies/worldwide.html

CCIE Exam Development Process
Input Sought From:
Cisco Business Units/Technology Groups
Cisco Standard Architectures (AVVID, SAFE)
Advisory Subject Matter Experts
Technical Support TAC Cases
Technical Bulletins, Best Practices, Whitepapers
Feedback From:
Enterprise Technical Advisory Board
Focus Groups/Customer Sessions
CCIE Field Surveys
Diagram: Input and Feedback -> CCIE [Track] Program Manager -> Exam Objectives and CCIE Written and Lab Blueprints (with the Content Advisory Group and the CCIE Program Team)
Reaching out to Extended Team Ensures Exam Is Realistic and Relevant

Certification Process
CCIEs must pass two exams
The written qualification exam has
100 multiple-choice questions
The lab exam is what makes CCIE
different. The full-day, hands-on lab
exam tests the ability to configure
and troubleshoot equipment
Not all lab exams are offered at all
lab locations

Step 1: CCIE Written Exam: #350-018
Available worldwide at any Pearson VUE testing facility for ~$350 USD. Costs may vary due to exchange rates and local taxes (VAT, GST)
Two-hour exam with 100 multiple-choice questions
Closed book; no outside reference materials allowed
Pass/fail results are available immediately following the exam; the passing score is set by statistical analysis and is subject to periodic change
Waiting period of five calendar days to retake the exam
Candidates who pass a CCIE written exam must wait a minimum of six months before taking the same number exam
From passing written, candidate must take first lab exam attempt within 18 months
No skip-question functionality

Step 2: CCIE Lab Exam
Available in select Cisco locations for $1,400 USD, adjusted for exchange rates and local taxes where applicable, not including travel and lodging
Eight-hour exam requires working configurations and troubleshooting to demonstrate expertise
Cisco documentation available via Cisco Web; no personal materials of any kind allowed in lab
Minimum score of 80% to pass
Scores can normally be viewed online within 48 hours, and failing score reports indicate areas where additional study may be useful

Section 2
CCIE Security Overview

CCIE Security Overview
Security is one of the fastest-growing areas in the industry
Information security is at the top of the agenda for all organizations
There is an ever-growing demand for Security professionals in the industry
The CCIE Security certification was introduced in 2002 and has evolved into one of the industry's most respected high-level security certifications
Just around 2,200 CCIE Security worldwide

Market and Job Specialization
Advanced Technology Market Growth (2008 Worldwide Survey by Forrester Consulting on Behalf of Cisco)
Companies are dedicating job roles now and expecting to increase the trend within 5 years
Security: from 46% dedicated now to 80% in 5 years
Voice: from 40% now to 69% in 5 years
Wireless: from 39% now to 66% in 5 years

CCIE Security Written Exam

CCIE Security Written Exam (v2.0)
Covers networking theory related to:
General Networking
Security Protocols
Application Protocols
Security Technologies
Cisco Security Appliances and Apps
Cisco Security Management
Cisco Security General
Security Solutions
Security General
Lays foundation for Security lab exam

CCIE Security Written Exam (v2.0)
The CCIE Security v2.0 written exam strengthens coverage of technologies critical to highly secure enterprise networks
Topics such as ASA, IPS, NAC/ATD, CS-MARS, IPv6, security policies and standards are added to test candidates on the security technologies and best practices in use today
Note: Candidates who have passed the v2.0 written exam can schedule their Lab for v3.0. There is no additional requirement to schedule the v3.0 lab exam.

Security Written Exam: Sample Question 1
Which Is a Benefit of Implementing RFC-2827?
A. Prevents DoS attacks based on ARP spoofing
B. Prevents DoS attacks based on IP source spoofing
C. Prevents DoS attacks based on MAC spoofing
D. Prevents leaking of Private Internet address space
E. Prevents leaking of Special-Use IPv4 Addresses
Answer is B

Security Written Exam: Sample Question 2
Which One of the Secure Access Methods Below Can CS-MARS Use to Get Configuration Information from an Adaptive Security Appliance (ASA)?
A. SSH
B. SFTP
C. SCP
D. SSL
E. HTTPS
Answer is A

CCIE Security Lab Exam (New v3.0)

CCIE Security Lab Exam
Candidates build a secure network to a series of supplied specifications
The point values for each question are shown on the exam
Some questions depend upon completion of previous parts of the network
Report any suspected equipment issues to the proctor as soon as possible; adjustments cannot be made once the exam is over

Security Lab Exam: Locations
Nine Worldwide CCIE Lab Locations for Security: RTP, Beijing, Tokyo, Brussels, Hong Kong, San Jose, Sydney, Dubai, Bangalore

Security Lab Exam: Changes (New v3.0)
The CCIE Security Lab exam content was revised and implemented worldwide on 20th April 2009, to include some of the current trends and technologies in the security industry
New topics and hardware and software upgrades have been introduced
End-of-Life devices were also removed; PIX 500 and VPN 3000 were removed
Routers were replaced with ISR series models
Catalyst 3550 Switches were replaced with 3560

Security Lab Exam: Equipment and Software Versions (New v3.0)
Lab May Test Any Feature That Can Be Configured on the Equipment and Cisco IOS Versions Listed Below, or on the CCIE Website; More Recent Versions May Be Installed in the Lab, But You Won't Be Tested on Them
Cisco Integrated Services Routers (ISR) series running Cisco IOS version 12.4T
Cisco Catalyst 3560 series switches running 12.2SE
Cisco ASA 5500 series Firewalls running version 8.x
Cisco IPS 4240 Appliance Sensor running version 6.x
Cisco Secure ACS version 4.1
Test PC for Testing and Troubleshooting
Candidate PC for rack access

Security Lab Exam: Blueprint (New v3.0)
1. Implement secure networks using Cisco ASA Firewalls
2. Implement secure networks using Cisco IOS Firewalls
3. Implement secure networks using Cisco VPN solutions
4. Configure Cisco IPS to mitigate network threats
5. Implement Identity Management solutions
6. Implement Control Plane & Management Plane Security
7. Configure Advanced IOS Security
8. Identify and Mitigate Network Attacks

Security Lab Exam: Pre-Configuration
The Routers and Switches in Your Topology Are Preconfigured With:
Basic IP addressing, hostname, passwords
Switching: Trunking, VTP, VLANs
WAN: Frame Relay DLCI mappings, HDLC, PPP
Routing: OSPF, RIP, EIGRP, BGP
All pre-configured passwords are cisco
Occasionally, security devices may also have some pre-configuration. If not, the candidate is required to initialize all security devices
Do Not Change Any Pre-Configuration on Any Devices Unless Explicitly Stated in a Question

Security Lab Exam: Sample Topology
Diagram: ASA Multi-Context with Failover (Context 1, Context 2); backbone routers BB1, BB2 and BB3 (Frame Relay and PPP links); IPS virtual sensors vs0 and vs1; ACS; TEST PC

Security Lab Exam: Rack and PC Access
Diagram: the Candidate PC at the CCIE Lab Central Location reaches the Rack and CommSrv at the CCIE Lab Remote Location through the Central GW Router, the Cisco Intranet and the Remote GW Router; the rack holds the CCIE BB (BB1, BB2), ACS and the TEST PC (NIC1 and NIC2; Remote Desktop Enabled on NIC1)

Security Lab Exam: The Equipment in Rack
The equipment on the rack assigned to you is physically cabled and should not be tampered with.
Before starting the exam, confirm working order of all devices in your rack
During the exam, if any device is locked or inaccessible for any reason, you must recover it
When finishing the exam, ensure all devices are accessible for the grading proctor. Any devices that are not accessible for grading cannot be marked and may cause you to lose substantial points

Security Lab Exam: Grading
Proctors grade all lab exams
Automatic tools aid proctors with simple grading tasks
Automatic tools are never solely responsible for lab exam grading; proctors are
Proctors complete grading of the exam and submit the final score within 48 hours
No partial credit awarded on questions
Points are awarded for working solutions only
Some questions have multiple solutions

Summary
Topics Covered in the Exam:
1. Firewalls (ASA and IOSFW)
2. VPNs
3. Intrusion protection
4. Identity authentication
5. Router plane protection
6. Advanced IOS security technologies
7. Mitigation techniques to respond to network attacks

Section 3
Core Knowledge Section Overview

Core Knowledge Section: Overview
Cisco CCIE team has implemented a new type of question format to the CCIE Security Lab exam called Core Knowledge Section, a.k.a. Interview Section.
In addition to the live configuration scenarios, candidates will be asked a series of open-ended short-answer questions drawn from the lab exam blueprint.
No new topics are being added.
The new short-answer questions will be randomly selected for each candidate every day

Core Knowledge Section: Why
Why Are You Adding Short-Answer Questions to the CCIE Lab Exam?
One of the primary goals of introducing the new Core Knowledge Section is to maintain exam security and integrity and ensure only qualified candidates achieve certification.
The questions will be designed to validate concepts, theory, architecture and fundamental knowledge of products and protocols.

Core Knowledge Section: Format
Candidates will be asked four open-ended questions, computer-delivered, drawn from a pool of questions based on the material covered on the lab exam blueprint.
Core Knowledge section format will not be multiple-choice type questions.
Candidates will be required to type out their answers, which typically require five words or less.
Candidates cannot use Cisco Documentation.
No changes are being made to the lab exam blueprint or to the length of the lab exam.

Core Knowledge Section: Time
Candidates are allowed a maximum of 30 minutes to complete the questions. The 30 minutes is included in the total length of the lab exam.
The total length of the CCIE lab exam will remain eight hours.
Well-prepared candidates should be able to answer the questions in 15 minutes or less and move immediately to the configuration section.

Core Knowledge Section: Scoring
The Core Knowledge section is scored Pass/Fail and every candidate will be required to pass in order to achieve CCIE certification.
A candidate must answer at least three of the four short-answer questions correctly to Pass the Core Knowledge section, which will be indicated with a 100% mark on the score report.
If a candidate answers fewer than three correctly, the Core Knowledge section will be marked 0%, indicating a Fail. A 0% does not necessarily indicate the candidate answered all the questions incorrectly.

Core Knowledge Section: Sample Q1
Diagram: six-message exchange between Initiator and Responder; messages 1 and 2 carry Header and SA, messages 3 and 4 carry Header, Key and Nonce, messages 5 and 6 carry Header, ID, Sig and [Cert]
MSG 1: Initiator offers acceptable encryption and authentication algorithms (3DES, MD5, RSA), i.e. the transform-set
MSG 2: Responder presents acceptance of the proposal (or not)
MSG 3: Initiator Diffie-Hellman key and nonce (key value is usually a number of 1024 bit length)
MSG 4: Responder Diffie-Hellman key and nonce
MSG 5: Initiator signature, ID and keys (maybe cert), i.e. authentication data
MSG 6: Responder signature, ID and keys (maybe cert)
Which ISAKMP mode is shown above?
Answer = Main Mode

Core Knowledge Section: Sample Q2
Conditions for IPS signature to fire:
Version: IPv4
Protocol: TCP
Port Destination: 21
String: CWD~root
Fire alarm if packet is an IPv4 TCP packet destined for port 21 and contains the string CWD~root
Diagram: Hacker sends three TCP segments to the Target FTP server (@IP Dest. 10.0.0.1, Dest Port 21); the first segment carries xxxCWDyyy, the second Yyy~ryyy and the last yyyootzzz, so the string is split across segments
Which type of pattern matching must be used to mitigate this multi-vector attack?
Answer = Stateful Pattern Matching
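The split-string scenario above, as an added example that is not part of the Cisco deck: a per-packet matcher for the slide's signature conditions next to a per-flow TCP reassembler that catches the signature across segment boundaries and out-of-order segments. The target 10.0.0.1 and port 21 come from the slide; the attacker address 192.0.2.10, source port, sequence numbers and FTP payload bytes are constructed for the demo.

```python
"""Stateless vs. stateful pattern matching for the FTP "CWD~root" signature.

Added example; not from the Cisco deck and not Cisco IPS code. The signature
conditions come from the slide (IPv4, TCP, destination port 21, string
CWD~root). The TCP segments below are constructed for the demo: the string is
split across three segments, so a per-packet matcher never sees it whole.
"""
from dataclasses import dataclass, field

SIGNATURE = b"CWD~root"
FTP_PORT = 21

@dataclass(frozen=True)
class Segment:
    """Minimal view of an IPv4/TCP segment (only the fields the matcher needs)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes = b""
    syn: bool = False

def signature_applies(seg: Segment) -> bool:
    # IPv4 and TCP are implied by the Segment type; only the port is checked.
    return seg.dport == FTP_PORT

def stateless_match(segments):
    """Atomic (per-packet) matching: each payload is inspected on its own.
    Returns the indexes of the segments that contain the whole signature."""
    return [i for i, s in enumerate(segments)
            if signature_applies(s) and SIGNATURE in s.payload]

@dataclass
class FlowState:
    next_seq: int                                 # next in-order byte expected
    tail: bytes = b""                             # last len(SIGNATURE)-1 bytes seen
    pending: dict = field(default_factory=dict)   # seq -> payload, out of order

class StatefulMatcher:
    """Per-flow TCP reassembly feeding a sliding window to the matcher, so a
    signature that straddles segment boundaries (or arrives out of order) is
    still detected, once per occurrence, with bounded memory per flow."""

    def __init__(self, signature: bytes = SIGNATURE):
        self.signature = signature
        self.flows = {}
        self.alerts = []

    def feed(self, seg: Segment) -> None:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn:
            # Track the flow from its handshake; data starts at ISN + 1.
            self.flows[key] = FlowState(next_seq=seg.seq + 1)
            return
        flow = self.flows.get(key)
        if flow is None or not signature_applies(seg) or not seg.payload:
            return
        flow.pending[seg.seq] = seg.payload
        # Deliver contiguous data in sequence order; hold gaps until filled.
        while flow.next_seq in flow.pending:
            data = flow.pending.pop(flow.next_seq)
            flow.next_seq += len(data)
            self._scan(key, flow, data)

    def _scan(self, key, flow: FlowState, data: bytes) -> None:
        window = flow.tail + data
        if self.signature in window:
            self.alerts.append((key, flow.next_seq))
        # Keep only the bytes that could still be the start of a match.
        keep = len(self.signature) - 1
        flow.tail = window[-keep:] if keep else b""

# Constructed flow: attacker 192.0.2.10 -> FTP server 10.0.0.1 (from the slide).
ISN = 1000
SEGMENTS = [
    Segment("192.0.2.10", 40000, "10.0.0.1", 21, ISN, syn=True),
    Segment("192.0.2.10", 40000, "10.0.0.1", 21, ISN + 1, b"USER ftp\r\nCWD"),
    Segment("192.0.2.10", 40000, "10.0.0.1", 21, ISN + 14, b"~r"),
    Segment("192.0.2.10", 40000, "10.0.0.1", 21, ISN + 16, b"oot\r\n"),
]

def run_demo(order=(0, 1, 2, 3)):
    """Return (stateless hits, stateful alerts) for the segments fed in `order`."""
    ordered = [SEGMENTS[i] for i in order]
    matcher = StatefulMatcher()
    for seg in ordered:
        matcher.feed(seg)
    return len(stateless_match(ordered)), len(matcher.alerts)

if __name__ == "__main__":
    print("in order:     stateless=%d stateful=%d" % run_demo())
    print("out of order: stateless=%d stateful=%d" % run_demo((0, 1, 3, 2)))
```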

Section 4
Implement Secure Networks Using
Cisco ASA Firewalls

Exam Objectives
Perform basic firewall initialization
Configure device management
Configure address translation (nat, global, static)
Configure ACLs
Configure IP routing
Configure object groups
Configure VLANs
Configure filtering
Configure failover
Configure Layer 2 Transparent Firewall
Configure security contexts (virtual firewall)
Configure Modular Policy Framework
Configure Application-Aware Inspection
Configure high availability solutions
Configure QoS policies

Firewall: Defined
A firewall is a security device which is configured to permit, deny or proxy data connections set by the organization's security policy. Firewalls can be either hardware or software based
A firewall's basic task is to control traffic between computer networks with different zones of trust
Today's firewalls combine multilayer stateful packet inspection and multiprotocol application inspection
Virtual Private Network (VPN) services and Intrusion Prevention Services (IPS) have been combined with the firewall inspection engine(s)
Despite these enhancements, the primary role of the firewall is to enforce security policy
Source: Wikipedia (www.wikipedia.com)

Cisco ASA Firewall


Basic Overview

Firewall Design: Modes of Operation
There Are a Variety of Choices When Designing a Firewall Deployment
Routed Mode
Is the traditional mode of the firewall that acts as a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. Two or more interfaces that separate L3 domains.
Transparent Mode
Is where the firewall acts as a bridge functioning mostly at Layer 2, that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices
Single Mode
Is the regular basic firewall
Multi-context Mode
Involves the use of virtual firewalls (security contexts)

Interface and Security Levels
Inside Interface always has a security level of 100. Most Secure level
Outside Interface always has a security level of 0. Least Secure level
Multiple perimeter networks can exist. Use DMZ Interface. Security levels between 1 and 99

Initializing Cisco ASA
Firewall Mode (Router vs. Transparent)
Single vs. Multiple Context
Enable/Allocate interfaces
Assign IP address for each active Interface
Un-shut Interfaces
Configure Address Translation (optional)
Configure Static/Dynamic Routing

VLAN Interface
Virtual LANs (VLANs) are used to create separate
broadcast domains within a single switched network
You can configure multiple logical interfaces on a single
physical interface and assign each logical interface to a
specific VLAN
ASA supports 802.1q, allowing it to send and receive
traffic for multiple VLANs on a single interface

Routing Protocols
ASA supports RIP, OSPF and EIGRP routing protocols
Practice clear text and MD5 authentication
Practice route filtering and summarization for protocols
Running multiple routing protocols concurrently on the same Firewall is now supported
Routing protocol in multi-context mode is not supported; use static routes instead

Address Translation
Subject to NAT-Control
Dynamic translations are built using:
Network Address Translation (NAT) (one-to-one mapping)
or
Port Address Translation (PAT) (many-to-one mapping)
Static translations are built using:
Static command (create permanent mapping between a local IP address and a global IP address)

Policy NAT
Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses (or ports) in an access list
Regular NAT uses source addresses/ports only,
whereas policy NAT uses both source and destination
addresses/ports
With policy NAT, you can create multiple static
statements that identify the same local address as long
as the source/port and destination/port combination is
unique for each statement
Use an access list with the static command to enable
policy NAT

Object Grouping
Used for simplifying complex access control policies.
Object grouping provides a way to reduce the number of access rule entries required to describe complex security policies
Following types of objects:
Protocol: group of IP protocols. It can be one of the following keywords: icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
Service: group of TCP or UDP port numbers assigned to different services
icmp-type: group of ICMP message types to which you permit or deny access
Network: group of hosts or subnets

Basic Feature Summary: Practice Them All
Address Translation
AAA
Source/Destination NAT
Object Grouping
VLAN
DHCP
RIP
PPPoE
OSPF
URL Filtering
EIGRP
IDS
Syslog
SSH
Failover
SNMP
TCP Intercept
NTP
Java Filtering
Packet Capture
ActiveX Filtering
Packet Tracer

Cisco ASA Firewall


Advanced Features

Advanced Features: Important
1. Virtual Firewall (Security Contexts)
2. Transparent Firewall
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control


Virtual Firewall
Virtualization provides a way to create multiple firewalls in the same physical chassis
Virtual Firewall: when a single Firewall device can support multiple contexts
A context defines connected networks and the policies that the Firewall enforces
Virtual FW allows a device to enforce many (up to 100s) policies between different networks
Virtualization is a licensed feature

Virtual Firewall on ASA
Context = a virtual firewall
All virtualized firewalls must define a System context and an Admin context at a minimum
Admin context (mandatory): Remote root access and access to all contexts
System context: Physical ports assigned
Diagram: System context hosting the Virtual Firewall contexts Admin, A and C
There is no policy inheritance between contexts
The system space uses the admin context for network connectivity; system space creates other contexts

Virtual Firewall: Multiple Security Context Configuration
Changing single mode to Multiple Mode:
mode {single | multiple}
To show system or context information:
From the system execution space:
show context [[name] [detail] | count]
From a context execution space:
show context [detail]
To specify a context's configuration file:
config-url url
Where URL can be flash/Disk/ftp server/http server
To allocate physical/VLAN interfaces to the contexts:
context {context name}
allocate-interface Ethernet0
allocate-interface Ethernet1
Accessing the contexts:
changeto {system | context name}
context [name] - Changes to the context with the specified name.
system - Changes to the system execution space.

Virtual Firewall:
Multiple Security Context
Sample Configuration: System Context
hostname ASA
enable password cisco
no mac-address auto
!
interface Ethernet0/0
speed auto
duplex auto
!
interface Ethernet0/0.30
vlan 30
!
interface Ethernet0/0.40
vlan 40
!
interface Ethernet0/1
speed auto
duplex auto
!
interface Ethernet0/2
speed auto
duplex auto
!

admin-context admin
!
context admin
allocate-interface Ethernet0/0
config-url flash:/admin.cfg
!
context custA
allocate-interface Ethernet0/0.30
allocate-interface Ethernet0/1
config-url flash:custA.cfg
!
context custB
allocate-interface Ethernet0/0.40
allocate-interface Ethernet0/2
config-url flash:custB.cfg

System Context
The context is not operational until the
config-url command has been entered.

Virtual Firewall: Multiple Security Context
Inside a Context
Context CustA
ASA# changeto context custA
ASA/custA# show run
<..>
hostname custA
enable password cisco
!
interface Ethernet0/0.30
nameif outside
security-level 0
ip address 172.16.30.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ASA/custA# changeto system
ASA#

Context CustB
ASA/custA# changeto context custB
ASA/custB# show run
<..>
hostname custB
enable password cisco
!
interface Ethernet0/0.40
nameif outside
security-level 0
ip address 172.16.40.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ASA/custB# changeto system
ASA#


Transparent Firewall Mode (L2 Firewall)
Transparent Firewalls have the capability of operating at layer 2, the same level as a bridge
This Firewall is transparent to the data
IP addresses (the network) on either side of the Firewall are the same
Same subnet exists on inside and outside, different VLANs on inside and outside
NAT is now supported in Transparent Firewall (v8.0 on the ASA)
VPN traffic terminating on the firewall is not supported with the exception of management traffic ONLY

Transparent Firewall
Diagram: Backbone Router 10.1.1.2 on Vlan 20 and Router 10.1.1.3 on Vlan 30 share one subnet across the transparent firewall; traffic to 224.0.0.x is OK if the ACL permits
Passes through the transparent firewall:
HSRP, VRRP, GLBP
OSPF, EIGRP, RIP, etc.
PIM, multicast traffic
BPDUs, IPX, MPLS
Routers can establish routing protocol adjacencies through the firewall
Protocols such as HSRP, VRRP, GLBP can cross the firewall
Multicast streams can also traverse the firewall
Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

Transparent Firewall
Sample Configuration
ciscoasa# show firewall
Firewall mode: Router
ciscoasa(config)# firewall transparent
Switched to transparent mode
ciscoasa(config)# ip address 10.1.1.254 255.255.255.0
ciscoasa(config)# interface Ethernet0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shut
ciscoasa(config)# interface Ethernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# access-list 101 permit icmp any any
ciscoasa(config)# access-group 101 in interface outside


New HA Feature: Interface Redundancy
Compatible with all firewall modes (routed/transparent and single/multiple) and all HA deployments (A/A and A/S)
When the active physical interface fails, traffic fails to the standby physical interface and routing adjacencies, connection, and auth state won't need to be relearned.
Feature available on ASA5510 and above.
Sub-interfaces (dot1q) need to be built on top of the logical redundant interface, not physical member interfaces.

interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface Redundant1.4
vlan 4
nameif inside
security-level 100
ip address 172.16.10.1 255.255.255.0
!
interface Redundant1.10
vlan 10
nameif outside
security-level 0
ip address 172.16.50.10 255.255.255.0

New HA Feature: Route Tracking
Method for tracking the availability of static routes with the ability to install a backup route should the primary route fail
Commonly used for static default routes, often in a dual ISP environment
Uses ICMP echo replies to monitor the availability of a target host, usually the next hop gateway
Can only be used in single routed mode
asa(config)# sla monitor 1234
asa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
asa(config-sla-monitor-echo)# frequency 3
asa(config)# sla monitor 1234 life forever start-time now
asa(config)# track 1 rtr 1234 reachability
asa(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1

Firewall HA Failover: Basics
Active/standby vs. primary/secondary
Stateful failover (optional)
A failover only occurs when either FW determines the standby FW is healthier than the active FW
Both FWs swap MAC and IP addresses when a failover occurs
Level 1 syslogs will give reason of failover
Diagram: Active Unit and Standby Unit joined by LAN FO and Stateful links

Firewall HAActive/Standby FO
Supported on all ASA models
ASA only supports
LAN Based failover (no
serial cable).
Both platforms must be
identical in software,
licensing, memory and
interfaces
Not recommended to share
the state and failover link, use
a dedicated link for each
Preferably these cables will
be connected into the same
switch with no hosts
Not recommended to use a
direct connection between
firewalls (i.e. straight through
or X-over)

Firewall HA: Active/Active FO
Supported on all platforms except the ASA5505
Requires virtualization (multi-context) which requires additional licensing
Use FO Group command
Requires FO (AA) or UR license
No load-balancing or load-sharing support today

Firewall HA: A/A Failover with Asymmetric Routing Support
A/A ASR mode adds support for asymmetric traffic flows through an A/A system.
A/A ASR is enabled by adding multiple A/A units to the same ASR Group.
If traffic returns via ISP-B, which does not contain state info, packets are forwarded to the other member of the ASR group
Diagram: two units carrying contexts Logical1-A/Logical2-S and Logical1-S/Logical2-A, with uplinks to ISP-A and ISP-B (Internet) and downlinks to Inside Network B-1 and Inside Network B-2


Modular Policy Framework (MPF)
Diagram: without MPF, one set of Rules between Inside and Outside ("All of My Flows Were Treated Pretty Much the Same"); with MPF, Granular and Flexible Policies: Rules, Rules about HTTP, Rules about FTP

Modular Policy Framework (MPF)


There is a growing need to provide greater granularity
and flexibility in configuring network policies
For example, the ability to include destination IP
address as one of the criteria to identify traffic for
Network Address Translation, or the ability to create
a timeout configuration that is specific to a particular
TCP application, as opposed to the current timeout
scheme which applies a timeout value to all TCP
applications, etc.
MPF provides the tools to meet these specific needs

Modular Policy Framework (MPF)
MPF features are derived from QoS as implemented in Cisco IOS; not all features have been carried across though
MPF is built on three related CLI commands
class-map: This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map
policy-map: This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too which tie them into the service-policy
service-policy: This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, global-service-policy, is defined for traffic and general policy application. This policy applies to traffic on all interfaces

Modular Policy Framework (MPF)
Understand how the show service-policy command works
The example uses the flow keyword to show the policies that the ASA would apply to that flow. You can use this to check that your service policy configuration will provide the services you want for specific connections.
ASA1# show service-policy flow tcp host 0.0.0.0 host YY.YY.1.1 eq 80
Global policy:
  Service-policy: global_policy
    Class-map: WebServer
      Match: access-list WebServer
        Access rule: permit tcp any host YY.YY.1.1 eq www
      Action:
        Input flow: set connection embryonic-conn-max 100 per-client-max 5

Advanced Features: Important
1. Virtual Firewall (Security Contexts)
2. Transparent Firewall
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. Application Firewall
6. NAT-Control

NAT Control
The security appliance has always been a device supporting, even requiring, Network Address Translation (NAT) for maximum flexibility and security.
Introduced in v7.0 is NAT as an option. Specifying NAT-CONTROL specifies the requirement to use NAT for outside communications
To enable NAT control, use the nat-control command in global configuration mode
To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the command no nat-control in global configuration mode
By default, NAT control is disabled

NAT Control
Syntax
nat-control

Configuration
The nat-control statement is valid in routed firewall
mode and in single and multiple security context mode.
No new NAT functionality is provided with this feature.
All existing NAT functionality remains the same.

NAT Control
Consider NAT-CONTROL (v6.3 behavior)
All traffic leaving a firewall from a higher to lower security
interface requires a NAT/GLOBAL pair
All traffic entering a firewall from a lower to higher security
interface requires a STATIC/ACCESS-LIST pair
All other traffic is dropped

Consider NO NAT-CONTROL (v7.0 behavior)
All traffic leaving a firewall from a higher to lower security
interface moves freely
All traffic entering a firewall from a lower to higher security
interface only requires an ACCESS-LIST
NAT/GLOBAL pairs are needed only for traffic requiring
address translation
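The two behaviors side by side, as an added example (not from the original slides), in pre-8.3 NAT syntax: the same inside web server on a publicly routable inside segment is reached from the outside with nat-control enabled and then with it disabled. The addresses (198.51.100.0/24 for the routable segment, 10.1.1.0/24 for a private one) and the ACL name are assumptions.

```cisco
! Added example (not from the slides): inbound access to an untranslated
! inside server with and without nat-control. Addresses are assumptions;
! 198.51.100.0/24 is the routable inside segment.
!
! --- With nat-control (6.3 behavior) ---
nat-control
! Outbound: packets with no matching nat statement are dropped even though
! the addresses are routable; identity NAT (id 0) keeps them unchanged.
! Unlike "nat 0 access-list", this form only covers inside-initiated flows.
nat (inside) 0 198.51.100.0 255.255.255.0
! Inbound: an identity static is mandatory in addition to the ACL
static (inside,outside) 198.51.100.9 198.51.100.9 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.9 eq www
access-group OUTSIDE_IN in interface outside
!
! --- With no nat-control (7.0 default) ---
no nat-control
! Outbound: routable addresses need no nat/global pair at all
! Inbound: only the ACL is required, no static
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.9 eq www
access-group OUTSIDE_IN in interface outside
! A private segment that genuinely needs translation is configured as before
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Verification: the same test flow must reach phase NAT in both cases
packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.9 80
show xlate
```

With nat-control enabled, a missing static shows up in packet-tracer as a drop in the NAT phase rather than in the ACL phase, which is the quickest way to tell the two failure modes apart.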

Troubleshooting Firewall

Firewall Troubleshooting Tools
Understanding the packet flow
Syslog
Debug commands
Show commands
Packet capture

Understanding the Packet Flow

To effectively troubleshoot a problem, one must first
understand the packet path through the network
Attempt to isolate the problem down to a single device
Then perform a systematic walk of the packet path
through the device to determine where the problem
could be
For problems relating to the ASA, always:
Determine the flow: SRC IP, DST IP, SRC port, DST port,
and protocol
Determine the interfaces through which the flow passes
Note: All firewall issues can be simplified to two interfaces (ingress and egress)
and the rules tied to both

Packet Processing Flow Diagram

Once the device and flow have been identified, walk the path
of the packet through the device:
1. Receive packet
2. Ingress interface
3. Existing connection? Yes: skip the ACL and translation lookups (the
   connection already carries its xlate) and continue at step 6. No: step 4
4. Permitted by the inbound ACL on the interface? No: drop
5. Match a translation rule (NAT, static)? No match with nat-control enabled: drop
6. NAT embedded IP addresses and perform security checks /
   randomize the sequence number; a failed L7 NAT or security check: drop
7. NAT the IP header
8. Pass the packet to the outgoing (egress) interface
9. Layer 3 route lookup; no route out of the egress interface: drop
10. Layer 2 next hop address; not resolvable: drop
11. Transmit packet

Translation and NAT Order of Operations

First match:
1. nat 0 access-list (NAT exemption)
2. Match existing xlates
3. Match static commands (first match)
   a. Static NAT, with and without access-list
   b. Static PAT, with and without access-list
4. Match nat commands
   a. nat <id> access-list (first match)
   b. nat <id> <address> <mask> (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use the global pool for dynamic NAT
      iii. Use the global pool for dynamic PAT

Syslog
Three different syslog destinations:
Trap: syslog server
Console: serial console port
Monitor: Telnet/SSH sessions

Log host defines the ASA interface, IP address, protocol
and port for the syslog server
Syslog standard protocol is UDP, port 514
Note: the ASA also supports syslog over TCP (the ASA default TCP port
is 1470; any port can be configured)

Don't forget logging enable (logging on on PIX 6.x) to enable syslog
Most common pilot error

Logging Levels and Events

Level  Log Level      Event Messages
0      Emergencies    Not used, only for RFC compliance
1      Alerts         Mostly failover-related events
2      Critical       Denied packets/connections
3      Errors         AAA failures, CPU/memory issues, routing issues, some VPN issues
4      Warnings       Denied conns due to ACL, IDS events, fragmentation, OSPF errors
5      Notifications  User and session activity and firewall configuration changes
6      Informational  ACL logging, AAA events, DHCP activity, TCP/UDP connection build and teardown
7      Debugging      Debug events, TCP/UDP request handling, IPsec and SSL VPN connection information
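A logging configuration that exercises the destinations and levels described above, as an added example (not from the original slides): warnings and above go to a TCP syslog server, informational messages stay in the local buffer, and a single message ID is promoted so that it still reaches the server. The server address, interface name and buffer size are assumptions.

```cisco
! Added example (not from the slides): ASA syslog destinations and levels.
! Server address, interface name and buffer size are assumptions.
logging enable
logging timestamp
! Name the device in every message so a collector can tell firewalls apart
logging device-id hostname
!
! Trap destination: syslog server over TCP (1470 is the ASA default TCP port)
logging host inside 10.1.1.10 tcp/1470
logging trap warnings
! With TCP syslog the ASA blocks new connections when the server is down;
! permit traffic to continue unless a fail-closed firewall is really wanted
logging permit-hostdown
!
! Local buffer: informational and above, 64 KB
logging buffered informational
logging buffer-size 65536
!
! Console logging is expensive; keep it at errors (or disable it)
logging console errors
! Monitor: Telnet/SSH sessions (each session still needs "terminal monitor")
logging monitor notifications
!
! ACL hit logging (106100) is informational; raise it so it reaches the
! server at the warnings trap level without raising everything else
logging message 106100 level warnings
!
! Verification
show logging setting
show logging
```

Leave debugging-level traps for short troubleshooting windows only: at level 7 the ASA logs every TCP/UDP request, which is both a CPU cost on the firewall and a flood on the collector.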

Debug ICMP Trace

Valuable tool used to troubleshoot connectivity issues
Provides interface and translation information to quickly
determine the flow
Echo-replies must be explicitly permitted through the ACL
(unless ICMP inspection is enabled, which makes ICMP stateful)
Example of debug icmp trace output for a ping from an inside host:
ICMP echo-request from inside:10.1.1.2 to 198.133.219.25 ID=3239 seq=4369 length=80
ICMP echo-request: translating inside:10.1.1.2 to outside:209.165.201.22
ICMP echo-reply from outside:198.133.219.25 to 209.165.201.22 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2

Show Traffic
The Show Traffic Command Displays the Traffic
Received and Transmitted out Each Interface of the ASA
fw# show traffic
outside:
received (in 124.650 secs):
295468 packets 167218253 bytes
2370 pkts/sec
1341502 bytes/sec
transmitted (in 124.650 secs):
260901 packets 120467981 bytes
2093 pkts/sec
966449 bytes/sec
<..>
inside:
received (in 124.650 secs):
261478 packets 120145678 bytes
2097 pkts/sec
963864 bytes/sec
transmitted (in 124.650 secs):
294649 packets 167380042 bytes
2363 pkts/sec
1342800 bytes/sec

Show Local-Host
A local-host entry is created for any source IP on a higher security
level interface
It groups the xlates, connections, and AAA information together
Very useful for seeing the connections terminating on servers
fw# show local-host
Interface inside: 1131 active, 2042 maximum active, 0 denied
local host: <10.1.1.9>,
TCP connection count/limit = 1/unlimited
TCP embryonic count = 0
TCP intercept watermark = 50
UDP connection count/limit = 0/unlimited
AAA:
user 'cisco' at 10.1.1.9, authenticated (idle for 00:00:10)
absolute
timeout: 0:05:00
inactivity timeout: 0:00:00
Xlate(s):
Global 172.18.124.69 Local 10.1.1.9
Conn(s):
TCP out 198.133.219.25:80 in 10.1.1.9:11055 idle 0:00:10 Bytes 127 flags UIO

Show Xlate and Show Xlate Debug

show xlate [global|local <ip1[-ip2]> [netmask <mask>]]
[gport|lport <port1[-port2]>] [debug]
fw# show xlate
2 in use, 2381 most used
Global 172.18.124.68 Local 10.1.1.9
PAT Global 172.18.124.65(1024) Local 10.9.9.3(11066)
fw# show xlate debug
2 in use, 2381 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
NAT from inside:10.1.1.9 to outside:172.18.124.68 flags - idle 0:02:03 timeout 3:00:00
TCP PAT from inside:10.9.9.3/11066 to outside:172.18.124.65/1024 flags r idle 0:00:08 timeout 0:00:30

Show Conn and Show Conn Detail

fw# show conn
2 in use, 64511 most used
TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO
UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags -
(each line shows the idle time, the bytes transferred and the connection flags)

The detail keyword adds the interface names and the flag legend:
fw# show conn detail
2 in use, 64511 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,
       P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:198.133.219.25/23 inside:10.9.9.3/11068 flags UO
UDP outside:172.18.124.1/123 inside:10.1.1.9/123 flags -

Connection Flags: Quick Reference

Outbound connection (inside client to outside server)
TCP segment      FW flags
SYN              saA
SYN+ACK          A
ACK              U
Inbound data     UI
Outbound data    UIO
FIN              Uf
FIN+ACK          UfFR
ACK              UfFRr

Inbound connection (outside client to inside server; B marks the initial SYN from outside)
TCP segment      FW flags
SYN              saAB
SYN+ACK          aB
ACK              UB
Inbound data     UIB
Outbound data    UIOB
FIN              UBF
FIN+ACK          UBfFr
ACK              UBfFRr

Packet Capture
capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
[ethernet-type <type>] [interface <if-name>] [packet-length <bytes>]

Capture sniffs packets on an interface that match an ACL
Traffic can be captured both before and after it passes
through the ASA (one capture on the inside interface, one on the outside)
Key steps:
Create an ACL that will match interesting traffic
Define the capture and bind it to an access-list and interface
View the capture on the ASA, or copy it off in pcap format
Topology: "capture in" on the inside interface, "capture out" on the outside interface
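The three key steps carried through for one HTTP flow, as an added example (not from the original slides), with a capture on each side of the ASA and a third capture for packets the accelerated security path drops. The host addresses reuse the show xlate example above (10.1.1.9 translated to 172.18.124.68); the ACL and capture names, the TFTP server and the buffer size are assumptions.

```cisco
! Added example (not from the slides): capture one HTTP flow on both sides
! of the ASA. Names, TFTP server and buffer size are assumptions.
!
! Inside capture sees pre-NAT addresses. The ACL is only a capture filter,
! it is never applied with access-group.
access-list CAP_IN extended permit tcp host 10.1.1.9 host 198.133.219.25 eq www
access-list CAP_IN extended permit tcp host 198.133.219.25 eq www host 10.1.1.9
! Outside capture sees post-NAT addresses, so filter on the global address
access-list CAP_OUT extended permit tcp host 172.18.124.68 host 198.133.219.25 eq www
access-list CAP_OUT extended permit tcp host 198.133.219.25 eq www host 172.18.124.68
!
! packet-length 1518 keeps whole frames (the default truncates at 68 bytes)
capture in interface inside access-list CAP_IN buffer 1000000 packet-length 1518
capture out interface outside access-list CAP_OUT buffer 1000000 packet-length 1518
!
! A packet present in "in" but missing from "out" was dropped by the ASA;
! the asp-drop capture records such packets together with the drop reason
capture drops type asp-drop all
!
! View on the box, export in pcap format, then remove the captures
show capture in
show capture out
show capture drops
copy /pcap capture:in tftp://10.1.1.10/in.pcap
no capture in
no capture out
no capture drops
```

The ingress capture is taken before the ACL, translation and inspection checks, so it confirms that the packet arrived; only the egress capture proves the ASA forwarded it. Captures stay in memory across the session, so remove them when finished.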

Packet Tracer
packet-tracer input [src-interface] [protocol] [SrcAddr] [SrcPort]
[DstAddr] [DstPort] [detailed]

Packet-tracer
The packet-tracer command was introduced in v7.2
In addition to capturing packets, you can trace the
lifespan of a packet through the security appliance to
see whether the packet is operating correctly. This tool
lets you do the following:
Debug all packet drops in a production network.
Verify the configuration is working as intended.
Show all rules applicable to a packet, along with the CLI
commands that caused the rule addition.
Show a time line of packet changes in a data path.
Inject tracer packets into the data path.

Packet Tracer (Cont.)


The packet-tracer command provides detailed
information about the packets and how they are
processed by the security appliance.
For example, run packet-tracer to verify the NAT translation
for an inside host accessing web server 198.133.219.25 on port 80;
the output shows the source being translated to YY.YY.5.21.
ASA# packet-tracer input inside tcp 0.0.0.0 1025 198.133.219.25 80
<...>
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list policynat
nat-control
match ip inside 0.0.0.0 255.255.255.255 outside 198.133.219.25 255.255.255.255
dynamic translation to pool 1 (YY.YY.5.21)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.1.1/1025 to YY.YY.5.21/1024 using netmask 255.255.255.255
<...>

Section 5
Implement Secure Networks Using Cisco IOS Firewalls

Exam Objectives
Configure Zone-Based Firewall
Configure CBAC
Configure Layer 2 Transparent Firewall
Configure Flexible Packet Matching
Configure URL Filtering
Configure Audit
Configure Auth Proxy
Configure PAM
Configure access control
Configure performance tuning
Configure advanced IOS Firewall features

Cisco IOS Firewall Overview

Advanced Layer 3 to 7 Firewall
Stateful filtering
Application inspection (Layer 3 through Layer 7)
Application control: Application Layer Gateway (ALG)
engines with a wide range of protocols and applications
Built-in DoS protection capabilities
Supports deployments with virtualization (VRFs),
transparent mode and stateful failover
IPv6 support
http://www.cisco.com/go/iosfw

Cisco IOS Zone-Based Policy Firewall (ZFW)

Zone-Based Policy Firewall (ZFW)
Introduced in Cisco IOS v12.4(6)T, where the CBAC model is
being replaced with the new configuration model that uses ZFW
Allows grouping of physical and virtual interfaces into zones
Firewall policies are applied to traffic traversing zones
Simple to add or remove interfaces and integrate into
firewall policy
This new feature was added mainly to overcome the limitations of
CBAC, which employed a stateful inspection policy on an
interface-based model. The limitation was that all traffic passing
through the interface was subject to the same inspection policy,
thereby limiting the granularity of policy enforcement, particularly
in scenarios where multiple interfaces existed.
With ZFW, stateful inspection can now be applied on a zone-based
model. Interfaces are assigned to zones, and policy inspection is
applied to traffic moving between zones.

Zone-Based Policy Firewall (ZFW)

Security Zones and Policy
Security zones establish the security boundaries of the network
where traffic is subjected to policy restrictions as it crosses to
another region within the network.
By default, traffic between the zones is blocked unless an explicit
policy dictates the permission. Traffic between two interfaces in the
same zone passes freely, and an interface that belongs to no zone
cannot exchange traffic with an interface that belongs to one.
Figure: Private Zone (trusted), DMZ Zone and Public Zone (Internet, untrusted),
with a Private-DMZ, DMZ-Private, Public-DMZ and Private-Public policy
applied to each zone pair.

Zone-Based Policy Firewall (ZFW)

Supported Features and New Syntax
Supported Features
Stateful inspection
Application inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
URL filtering
Per-policy parameter
Transparent firewall
VRF-aware firewall (virtual firewall)

ZFW does not use the classical CBAC ip inspect command set.
ZFW policies are configured with the new Cisco Policy
Language (CPL), which employs a hierarchical structure to
define inspection for network protocols and the groups of
hosts to which the inspection will be applied.

Zone-Based Policy Firewall (ZFW)

Configuration Example
! Define services inspected by policy
class-map type inspect match-any services
 match protocol tcp
!
! Configure firewall action for traffic
policy-map type inspect firewall-policy
 class type inspect services
  inspect
!
! Define zones
zone security private
zone security public
!
! Assign interfaces to zones
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security public
!
! Establish zone pair, and apply policy
zone-pair security private-public source private destination public
 service-policy type inspect firewall-policy

Cisco IOS Context-Based Access Control (CBAC)

CBAC Overview
Cisco router performs traffic filtering, traffic inspection,
sends alerts, and tracks audit trails
Traffic filtering
Protocol filtering based on application-layer session information.
Filters packets originating in sessions from either the protected
or non-protected networks, but only forwards traffic originating
from the protected network
Traffic inspection
Inspects packets at a firewall interface and manages state
information of TCP/UDP sessions. State information is used to
create temporary openings in access lists to permit return traffic.
Inspection helps prevent DoS attacks

Creating an Inspection Rule

An inspection rule specifies each application-layer
protocol that is to be inspected by CBAC
Typically, only one inspection rule is defined
An inspection rule can be applied to the interface on
an inbound or outbound basis
One inspection rule per interface per direction

CBAC: Configuration Example

Access Control List (ACL) on the outside interface
stops everything
Inspected traffic will open up temporary access for
return traffic (stateful Cisco IOS Firewall)

ip inspect name MYFW tcp
ip inspect name MYFW udp
access-list 101 deny ip any any log-input
!
interface Serial0
 description outside
 ip access-group 101 in
 ip inspect MYFW out

Topology: secured network on e0, unsecured network (Internet) on s0.
ACL 101 is applied inbound and inspection outbound on s0, so temporary
access is opened only for the return traffic of inspected sessions.

Cisco IOS Layer 2 Transparent Firewall

Layer 2 Transparent Firewall
Introduces stealth firewall capability
No IP address associated with the firewall (nothing to attack)
No need to renumber or break up IP subnets
The IOS router is bridging between the two halves of the network

Use Case: Firewall Between Wireless and Wired LANs
Both wired and wireless segments are in the same subnet, 192.168.1.0/24
VLAN 1 is the private protected network (host 192.168.1.2)
Wireless (host 192.168.1.3, reached via Fa0/0 and the Internet side) is not
allowed to access the wired LAN through the transparent firewall

Layer 2 Transparent Firewall

Configuration Example
Classification:
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
Security Policy:
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
Security Zones:
zone security wired
zone security wireless
Security Zone Policy:
zone-pair security zone-policy source wired destination wireless
 service-policy type inspect firewall-policy
!
interface Vlan1
 description private interface
 bridge-group 1
 zone-member security wired
!
interface Vlan2
 description public interface
 bridge-group 1
 zone-member security wireless
Layer 2 Configuration:
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

Cisco IOS URL Filtering

URL Filtering
Internet Usage Control
Control employee access to entertainment sites during
work hours
Control downloads of objectionable or offensive material,
limit liabilities
Cisco IOS supports static whitelist and blacklist URL filtering
External filtering servers such as Websense and SmartFilter can
be used at the corporate office, with Cisco IOS static lists
as backup
Topology: branch office users web surfing via the Internet

URL Filtering (Web Access Control)

URL Filtering Options
Black/white lists (static, on the router)
Third-party filter server: N2H2, Websense, SmartFilter
Example: GET www.badsites.com is blocked, GET www.cisco.com is allowed

Section 6
Implement Secure Networks Using
Cisco VPN Solutions

Exam Objectives
Configure IPsec LAN-to-LAN (IOS/ASA)
Configure SSL VPN (IOS/ASA)
Configure Dynamic Multipoint VPN (DMVPN)
Configure Group Encrypted Transport (GET) VPN
Configure Easy VPN (IOS/ASA)
Configure CA (PKI)
Configure Remote Access VPN
Configure Cisco Unity Client
Configure Clientless WebVPN
Configure AnyConnect VPN
Configure XAuth, Split-Tunnel, RRI, NAT-T
Configure High Availability
Configure QoS for VPN
Configure GRE, mGRE
Configure L2TP
Configure advanced Cisco VPN features

This Section Is Divided into Six Parts:
1. IPsec
2. Dynamic Multipoint VPN (DMVPN)
3. Group Encrypted Transport (GET) VPN
4. Easy VPN
5. SSL VPN
6. PKI (IOS CA Server)

Part 1:
IPSec

Network Security
Data Security Assurance Model (CIA)

Property         Benefit                                            Shuns
Confidentiality  Ensures data privacy                               Sniffing, replay
Integrity        Ensures data is unaltered during transit           Alteration, replay
Authentication   Ensures identity of originator or recipient        Impersonation, replay
                 of data

What Is IPsec?
Internet Protocol Security
A set of security protocols and algorithms used to
secure IP data at the network layer
IPsec provides data confidentiality (encryption),
integrity (hash), authentication (signature/certificates)
of IP packets while maintaining the ability to route them
through existing IP networks

IPsec: Building a Connection

IKE (Phase 1), then IPsec (Phase 2), then data
Two-phase protocol:
Phase 1 exchange: two peers establish a secure, authenticated
channel with which to communicate; Main mode or Aggressive mode
accomplishes a Phase 1 exchange
There is also a Transaction Mode in between, used in the EzVPN client
scenario for XAUTH and/or client attributes (Mode Config)
Phase 2 exchange: security associations are negotiated on behalf
of IPsec services; Quick mode accomplishes a Phase 2 exchange

Each phase has its own SAs: one bidirectional ISAKMP SA (Phase 1)
and a pair of unidirectional IPsec SAs, inbound and outbound, per
protected flow (Phase 2)

Deployment Scenarios:
Basic Peer-to-Peer Topology

Site-to-Site VPN Deployment Scenarios
Basic peer-to-peer topology
Basic site-to-site IPsec configuration
Static vs. dynamic mapping
Split tunneling consideration
Filtering/access control
Crypto ACL consideration
High availability

STEP 1: IKE Phase 1 Policy

Site-to-Site Configuration
R1 (LAN 3.1.0.0/24, WAN 2.0.0.1/30) and R2 (LAN 3.2.0.0/24, WAN 2.0.0.2/30)
build an IPsec tunnel across the IP cloud

R1:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 128
 group 2
!
crypto isakmp key 123 address 2.0.0.2

R2:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 128
 group 2
!
crypto isakmp key 123 address 2.0.0.1

The key 123 and DH group 2 are lab values; use a long random pre-shared
key (or certificates) and a stronger DH group for production peers.

STEP 2: IKE Phase 2 Policy

Site-to-Site Configuration (same topology as Step 1)

R1:
crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
!
access-list 101 permit ip 3.1.0.0 0.0.0.255 3.2.0.0 0.0.0.255
!
crypto map cm 10 ipsec-isakmp
 set peer 2.0.0.2
 match address 101
 set transform-set ts

R2:
crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
!
access-list 101 permit ip 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255
!
crypto map cm 10 ipsec-isakmp
 set peer 2.0.0.1
 match address 101
 set transform-set ts

The two crypto ACLs must be mirror images of each other; a mismatch
shows up in debug crypto isakmp as a Phase 2 proxy identity failure.

STEP 3: Applying the VPN Policy

Site-to-Site Configuration (same topology as Step 1)

R1:
interface serial 1/0
 ip address 2.0.0.1 255.255.255.252
 crypto map cm
!
ip route 3.2.0.0 255.255.255.0 2.0.0.2

R2:
interface serial 1/0
 ip address 2.0.0.2 255.255.255.252
 crypto map cm
!
ip route 3.1.0.0 255.255.255.0 2.0.0.1

The route to the remote LAN must point out of the interface that carries
the crypto map: the crypto ACL only selects which packets are encrypted,
it does not route them.

Static vs. Dynamic Crypto Map

Static Crypto Map (hub with two known peers, Site_A and Site_B, reached via the ISP)
crypto map vpn 10 ipsec-isakmp
 set peer Site_A
 set transform-set <transform-set>
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer Site_B
 set transform-set <transform-set>
 match address 102

Dynamic Crypto Map
crypto dynamic-map dynamap 10
 set transform-set <transform-set>
 match address <acl>
crypto map vpn 10 ipsec-isakmp dynamic dynamap

Static vs. Dynamic Crypto Map (Cont.)

Static Crypto Map:
Need to configure the VPN peer, the crypto ACL and the IPsec transform-set
Use multiple crypto map instances to define multiple VPN peers
Bidirectional tunnel initiation
Requires more intensive management, deployment and troubleshooting

Dynamic Crypto Map:
Only need to configure the IPsec transform-set; the crypto ACL is optional
One dynamic map acts as a template
Only the remote peer can initiate the tunnel
Used when the remote peer has a dynamic IP address
Simple to manage and deploy
Give the dynamic entry the highest sequence number in the crypto map so
that the static entries are evaluated first

Split Tunneling
Definition: split tunneling is the ability of a device to
forward clear and encrypted traffic at the same time
over the same interface
In a site-to-site VPN, use routing and the crypto ACL to control
split tunneling
Without split tunneling: all branch traffic, including a request for
http://www.cisco.com/, is encrypted to the VPN head-end at the central
site and leaves for the Internet from there
With split tunneling: only traffic for the central site is encrypted;
the request for http://www.cisco.com/ leaves the branch in the clear

Filtering/Access Control
When filtering at the edge there's not much to see:
IKE: UDP port 500
ESP, AH: IP protocol numbers 50 and 51 respectively
NAT transparency (NAT-T) enabled: UDP port 4500

Internal access control should be implemented via the
internal interface ACLs or group policy and not the
crypto ACLs, for performance reasons
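An edge ACL for R1 of the site-to-site example (R1 at 2.0.0.1, peer R2 at 2.0.0.2) that admits exactly the protocols listed above from the known peer, with the application filtering kept on the LAN interface as the slide recommends, as an added example (not from the original slides). The ACL names, the ICMP line and the LAN interface name FastEthernet0/0 are assumptions.

```cisco
! Added example (not from the slides): WAN edge ACL for R1 from the
! site-to-site configuration. ACL names, the ICMP line and the LAN
! interface name are assumptions.
ip access-list extended WAN-IN
 remark IKE (UDP 500) and NAT-T (UDP 4500) from the known peer only
 permit udp host 2.0.0.2 host 2.0.0.1 eq isakmp
 permit udp host 2.0.0.2 host 2.0.0.1 eq non500-isakmp
 remark ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp host 2.0.0.2 host 2.0.0.1
 permit ahp host 2.0.0.2 host 2.0.0.1
 remark keep path-MTU discovery working, or tunneled traffic fragments silently
 permit icmp any host 2.0.0.1 packet-too-big
 deny ip any any log
!
interface Serial1/0
 ip access-group WAN-IN in
!
! Per-application filtering between the sites belongs on the LAN side,
! not in the crypto ACL (which stays a plain subnet-to-subnet permit)
ip access-list extended LAN-OUT
 permit tcp 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255 eq 443
 permit icmp 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255 echo
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group LAN-OUT out
!
! Verification: the isakmp/esp counters should increment, the deny should not
show access-lists WAN-IN
```

Depending on the IOS release, packets may be evaluated against the inbound WAN ACL a second time after decryption; if the cleartext site-to-site flows are logged as denied by WAN-IN even though the tunnel is up, add explicit permits for them rather than opening the ACL up.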

High Availability
Common High Availability (HA) practice in conjunction
with IPsec HA features
Design options:
Local HA using link resiliency
Local HA using HSRP and RRI
Cisco IOS IPsec Stateful Failover
Geographical HA using IPsec backup peers
Local/geographical HA using GRE over IPsec
(dynamic routing)

Local HA Using Link Resiliency
Topology: one VPN router with links to multiple ISPs
Link resiliency: ISDN backup, backup Frame Relay DLCI, etc.
Choose multiple ISPs to achieve link diversity
Use a loopback interface as the ISAKMP identity for the
VPN router (crypto map <name> local-address Loopback0), so the
peer address survives the failure of any one WAN link
Failover mechanism: backup interface, dialer watch,
floating static routes

Local HA Using HSRP and RRI

Sequence (remote site behind router P/S pair at the head-end, remote LAN 10.1.1.0/24):
(1) SA established from the remote to the primary (P); IKE keepalives are sent
(2) Router P, via RRI: "I can reach 10.1.1.0"
(3) Head-end network learns 10.1.1.0/24 via P
(4) The primary fails (the slide's "Unscheduled Immediate Memory Initialization Routine")
(5) The secondary (S) becomes HSRP active
(6) New SA established to the secondary; IKE keepalives are sent
(7) Router S, via RRI: "I can reach 10.1.1.0"
(8) Head-end network now learns 10.1.1.0/24 via S

HSRP is enabled on the outside (WAN-facing) interface
Cisco IOS IPsec HA enhancement features:
Allow IPsec to use the HSRP virtual IP as the peer address
Reverse route injection (RRI) injects the IPsec remote proxy IDs
into the dynamic routing process

Cisco IOS IPsec Stateful Failover

Topology: a peer across the Internet terminates on a pair of head-end
routers, HA-1 and HA-2, acting as the network gateway in front of the
internal network

IPsec stateful failover greatly improves failover time
compared to the stateless IPsec/HSRP failover
Stateful failover for IPsec is designed to work in conjunction
with stateful switchover (SSO) and Hot Standby Router
Protocol (HSRP).
SSO allows the active and standby routers to share IKE and
IPsec state information so that each router has enough
information to become the active router at any time.

Geographic HA Using Backup Peers

Topology: a branch office connects over its ISPs to two corporate
head-ends, 200.1.1.1 and 200.1.5.1

crypto isakmp keepalive 20 3
!
crypto map vpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set peer 200.1.5.1
 set transform-set myset
 match address 101

During IKE negotiation, the IKE timer (three retries) detects
the peer failure
IKE keepalive or DPD detects a failed peer after the tunnel is
established

Local/Geographical HA Using GRE over IPsec: Dynamic Routing

Topology: a branch router has a primary tunnel to hub h1 and a secondary
tunnel to hub h2 across the Internet; a redundant hub pair (s1, s2) in
San Jose gives local HA, a hub in New York gives geographical HA, all
reaching the corporate network

Except under failure conditions:
The IPsec and GRE tunnels are always up since routing
protocols are always running
The remote sites always have two apparent paths to all networks
available via the head-end
Use dynamic routing for path selection and failover

Troubleshooting IPsec

Troubleshooting IPsec
Determine the Problem Characteristics
Is the problem in connection establishment?
Phase 1 failure
Transaction Mode/XAUTH
Phase 2 failure
Is the problem in passing traffic?
All traffic
Specific traffic

Always Use Show Commands Before Debug
Important show commands:
show crypto isakmp sa (a Phase 1 SA in state QM_IDLE is complete;
MM_NO_STATE or MM_KEY_EXCH means Phase 1 never finished)
show crypto ipsec sa (both #pkts encaps and #pkts decaps should
increase; encaps only means the far end is not answering, or its crypto
ACL does not mirror ours)
show crypto engine connection active
Show functionality flowchart: interesting traffic received, Main Mode IKE
negotiation, Quick Mode negotiation, establishment of the tunnel
(IKE, IPsec, Data)

Debug Commands
Important debugs:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
On a production router, scope the output to one peer first with
debug crypto condition peer ipv4 <peer-address>
Debug functionality flowchart: the same stages as the show flowchart
(interesting traffic received, Main Mode IKE negotiation, Quick Mode
negotiation, tunnel established)

Basic Hub and Spoke Topology: GRE over IPsec

Hub and Spoke Topology
Typical traffic mix: 90% hub-to-spoke, 10% spoke-to-spoke traffic
Design options:
Cisco IOS: uses crypto ACL summarization for smaller scale
deployment; uses GRE over IPsec with a dynamic routing protocol
for larger scale deployment
ASA: uses summarized network lists for small scale deployment
Best option: GRE over IPsec with a dynamic routing protocol

Why GRE over IPsec

Original packet: [IP HDR][Data]
GRE tunnel: [IP HDR][GRE HDR][IP HDR][Data]
IPsec (ESP, tunnel mode) over GRE: [IP HDR][ESP HDR][IP HDR][GRE HDR][IP HDR][Data],
with everything after the ESP header encrypted; the receiver decapsulates
twice (IPsec, then GRE). In ESP transport mode the middle IP header is
omitted, saving 20 bytes per packet, which is why transport mode is the
usual choice when the GRE endpoints are also the IPsec peers.

IPsec (ESP) tunnels only IP unicast traffic
GRE encapsulates non-IP and IP multicast or broadcast
packets into IP unicast packets

GRE over IPsec Configuration Evolution

Before 12.2(13)T, crypto maps are required to be applied to
both the GRE tunnel interface and the physical interface
From 12.2(13)T and later:
Only need to apply the crypto map on the physical interface, or
Use tunnel protection with an IPsec profile under the tunnel interface

GRE over IPsec Configuration

Before 12.2(13)T (crypto map applied to both the physical and the tunnel interface):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 172.17.63.18
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto map vpnmap2 local-address Ethernet1
crypto map vpnmap2 10 ipsec-isakmp
 set peer 172.17.63.18
 set transform-set trans2
 match address 110
!
interface Ethernet1
 ip address 172.16.175.75 255.255.255.0
 crypto map vpnmap2
!
interface Tunnel0
 ip address 10.10.2.1 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 172.17.63.18
 crypto map vpnmap2
!
ip route 0.0.0.0 0.0.0.0 172.16.175.1
!
access-list 110 permit gre host 172.16.175.75 host 172.17.63.18

12.2(13)T and Later (tunnel protection; no crypto map and no crypto ACL):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 172.16.175.75
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Ethernet1
 ip address 172.17.63.18 255.255.255.0
!
interface Tunnel0
 ip address 10.10.2.2 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 172.16.175.75
 tunnel protection ipsec profile vpnprof
!
ip route 0.0.0.0 0.0.0.0 172.17.63.1

The two snippets are the two ends of one tunnel (172.16.175.75 and
172.17.63.18), each shown in a different configuration style; both ends
must still agree on the ISAKMP policy and the transform set. 3DES/MD5 are
kept as on the original slide; use AES and SHA for new deployments.

IPsec Virtual Tunnel Interface (VTI) and Dynamic VTI (DVTI)

IPsec Static Virtual Tunnel Interfaces
Topology: LAN 192.168.1.0/24 (.1) behind one router, LAN 192.168.2.0/24 (.1)
behind the other, joined by Tunnel0 addressed from 192.168.100.0/30 (.1 and .2)

Simplifies VPN configuration by eliminating crypto maps, access
control lists (ACLs), and Generic Routing Encapsulation (GRE)
Simplifies VPN design: 1:1 relationship between tunnels and sites,
with a dedicated logical interface per site
More scalable alternative to GRE
VTI can support Quality of Service (QoS), multicast, and other
routing functions that previously required GRE
Improves VPN interoperability with other vendors

VTI Peer-to-Peer Configuration:

IKE (Phase One) Policy
Router1 (LAN 10.1.1.0/24, WAN 172.16.172.10) and Router2 (LAN 10.1.2.0/24,
WAN 172.16.171.20) across the backbone

Router1:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 256
 group 5
crypto isakmp key cisco address 172.16.171.20 255.255.255.255

Router2:
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encr aes 256
 group 5
crypto isakmp key cisco address 172.16.172.10 255.255.255.255

IPsec (Phase Two) Policy
Router1:
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI
 set transform-set tset

Router2:
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI
 set transform-set tset

Apply VPN Configuration
Router1:
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel source 172.16.172.10
 tunnel destination 172.16.171.20
 tunnel protection ipsec profile VTI

Router2:
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel source 172.16.171.20
 tunnel destination 172.16.172.10
 tunnel protection ipsec profile VTI

Both tunnel ends sit in 10.10.10.0/24 so that a routing protocol can run
across the VTI; the tunnel source and destination on each router are the
router's own WAN address and the peer's WAN address. Traffic is steered into
the tunnel by routing (a static route or a routing protocol over Tunnel0),
not by a crypto ACL.

Dynamic Virtual Interfaces Taxonomy

Term                      Description
Virtual Template          A generic infrastructure which provides a template for
                          configuration; provides mechanisms to dynamically
                          create and delete interfaces; defined on the router
Virtual Access Interface  Dynamically created interface for each new user, with
                          its configuration taken from the virtual template
Cloning                   Applying the virtual template's Cisco IOS commands
                          onto a virtual access interface

Dynamic Virtual Interface: How It Works

Topology: remote users (a single-user client, a single-user client with an
ISDN card, a remote LAN behind a bridge/router) reach the router over
ISDN/DSL; the router has a physical interface, a virtual template interface,
the cloned virtual access interfaces and local or AAA authentication

1. User 1 calls the router
2. The router checks authentication locally or on the AAA server
3. Authentication succeeds
4. A virtual access interface is cloned from the virtual template interface

Dynamic Virtual Interface: Example

Same topology as above, with authentication, authorization and accounting
via a RADIUS (AAA) server

aaa authentication login vpn-client group radius
aaa authorization network vpn-client group radius
!
crypto isakmp profile vpn1-ra
 match identity group vpn1
 client authentication list vpn-client
 isakmp authorization list vpn-client
 client configuration address respond
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 load-interval 30
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn1-ra

The IPsec profile vpn1-ra (transform set plus set isakmp-profile vpn1-ra)
is not shown on the slide but must exist for the tunnel protection line.

Head-end configuration
Old way: Easy VPN server with a dynamic crypto map
New way: IPsec virtual interface

Authorization, authentication, and accounting via RADIUS

Part 2:
Dynamic Multipoint VPN (DMVPN)

Dynamic Multipoint VPN (DMVPN)
Provides full meshed connectivity with simple
configuration of hub and spoke
Supports dynamically addressed spokes
Facilitates zero-touch configuration for addition of
new spokes
Features automatic IPsec triggering for building an
IPsec tunnel

Dynamic Multipoint VPN (DMVPN)
Dynamic and permanent spoke-to-hub IPsec tunnels
Dynamic and temporary spoke-to-spoke IPsec tunnels
Topology: hub 10.1.0.1 (LAN 10.1.0.0 255.255.255.0) with static public IP
address 130.25.13.1; spokes 10.1.1.1 (LAN 10.1.1.0 255.255.255.0),
10.1.2.1 (LAN 10.1.2.0 255.255.255.0) and 10.1.3.1 (LAN 10.1.3.0 255.255.255.0)
with dynamic (or static) public IP addresses

DMVPN Advantages
Supports IP Unicast, IP Multicast, and dynamic
routing protocols
Supports spoke routers behind dynamic NAT
and hub routers behind static NAT
Dynamic partial-mesh or full-mesh VPNs
Usable with or without IPsec encryption

DMVPN Components
Next Hop Resolution Protocol (NHRP)
NHRP registration
NHRP resolution and redirect
Multipoint GRE tunnel interface (mGRE)
Single GRE interface to support multiple GRE/IPsec tunnels
Simplifies size and complexity of configuration
IPsec tunnel protection
Dynamically creates and applies encryption policies
Routing
Dynamic advertisement of branch networks; almost all routing
protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported

DMVPN Components: NHRP Registration

Spokes register to the hub as clients of the NHRP server
using a static NHRP mapping
Hub creates a dynamic NHRP entry, mapping the spoke's
private tunnel address to the spoke's dynamic
public address
Using the routing protocol, spokes advertise their LAN
network to the hub and learn about remote LAN addresses
via the hub
With routing and NHRP mappings in place, traffic flows
over the newly created spoke-to-hub GRE tunnels
These spoke-to-hub tunnels permanently stay up

DMVPN Components: NHRP Resolution and Redirect

Traffic from the LAN behind one spoke to the LAN behind
another spoke is initially always forwarded via the hub
Hub realizes traffic entered and exited the same tunnel
interface and sends an NHRP redirect to the spoke
The originating spoke sends an NHRP resolution
request trying to resolve the public address for the
destination prefix
Hub forwards this query to the spoke that owns the prefix
Remote spoke responds to this query by initiating
a new dynamic spoke-to-spoke GRE tunnel

Network Designs

Hub-and-spoke design (spoke-to-spoke traffic via hub)
  Spokes configured with pt-to-pt GRE tunnels: dual DMVPN clouds
  Spokes configured with mGRE tunnels: single DMVPN cloud

Spoke-to-spoke design (spoke-to-spoke data traffic over dynamic tunnels)
  Spokes configured with mGRE tunnels: single or dual DMVPN clouds

Large scale IOS SLB design
  Hub-and-spoke as well as spoke-to-spoke support
  Multiple identical hubs increase the CPU power
  Server load balancing

[Figure: spoke-to-hub tunnels and spoke-to-spoke paths for the hub and spoke (Phase 1), spoke-to-spoke (Phase 2), server load balancing and hierarchical (Phase 3) designs]

DMVPN Phases Summarized

Phase 1: hub and spoke functionality, 12.2(13)T
  Simplified and smaller config for hub & spoke
  Support for dynamically addressed CPE
  Support for multicast traffic from hub to spoke
  Summarize routing at hub

Phase 2: spoke to spoke functionality, 12.3(4)T
  Single mGRE interface in spokes
  Direct spoke to spoke data traffic reduces load on hub
  Cannot summarize spoke routes on hub
  Route on spoke must have IP next hop of remote spoke

Phase 3: architecture and scaling, 12.4(6)T
  Increase number of hubs with same hub and spoke ratio
  No hub daisy-chain
  Spokes don't need full routing table
  OSPF routing protocol not limited to 2 hubs
  Cannot mix phase 2 and phase 3 in same DMVPN cloud

Troubleshooting DMVPN

Debug and Show Commands

Introduced in 12.4(9)T

Show
show dmvpn [ peer {{{ nbma | tunnel } ip_address } | { network ip_address mask } | { interface tunnel# } | { vrf vrf_name }}] [ detail ] [ static ]

Debug
debug dmvpn [ { error | event | detail | packet | all } { nhrp | crypto | tunnel | socket | all } ]
debug dmvpn condition [ peer {{{ nbma | tunnel } ip_address } | { network ip_address mask } | { interface tunnel# } | { vrf vrf_name }}]

Logging
logging dmvpn { <cr> | rate-limit < 0-3600 > }

DMVPN Show Commands

show dmvpn

[Figure: Hub-1 (NBMA 3.3.3.3, Tu1: 172.20.1.100, LAN 192.100.1.0); Spoke-1 (NBMA 1.1.1.1, Tu1: 172.20.1.1, LAN 192.1.1.0); Spoke-2 (NBMA 2.2.2.2, Tu1: 172.20.1.2, LAN 192.2.2.0)]

HUB-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1      172.20.1.1    UP 00:04:32     D
     1         2.2.2.2      172.20.1.2    UP 00:01:25     D

SPOKE-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         3.3.3.3    172.20.1.100    UP 00:21:56     S
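As an added example (not from the Techtorial), a small Python parser for `show dmvpn` output that turns the peer table into records and flags the entries a troubleshooter looks at first: peers that are not UP or are marked Incomplete, peers with no crypto socket (X), and NATed peers (N). The sample output is constructed from the HUB-1 output above, with a third, failing peer (4.4.4.4) added so the checks have something to report.

```python
"""Added example: parse `show dmvpn` and flag NHRP peers that need attention.

Not Cisco code. SAMPLE_HUB is constructed from the HUB-1 output on this slide,
plus a third, failing peer (4.4.4.4) so that the checks have something to report.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Attribute letters exactly as the command's own legend defines them.
ATTR_LEGEND = {
    "S": "Static", "D": "Dynamic", "I": "Incomplete",
    "N": "NATed", "L": "Local", "X": "No Socket",
}

SAMPLE_HUB = """\
HUB-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1      172.20.1.1    UP 00:04:32     D
     1         2.2.2.2      172.20.1.2    UP 00:01:25     D
     1         4.4.4.4      172.20.1.4  NHRP    never    IX
"""


@dataclass
class DmvpnPeer:
    tunnel: str       # mGRE interface, e.g. Tunnel1
    role: str         # Hub or Spoke (the local side)
    entries: int      # "# Ent": NHRP entries sharing this NBMA peer
    nbma: str         # peer's public (transport) address
    tunnel_addr: str  # peer's private tunnel address
    state: str        # UP, NHRP, IKE, ...
    updn: str         # time in the current state
    attrb: str        # attribute letters, e.g. "D", "S", "IX", "DN"

    def attributes(self) -> List[str]:
        return [ATTR_LEGEND.get(c, c) for c in self.attrb]


_HDR_RE = re.compile(r"^(Tunnel\d+), Type:(Hub|Spoke), NHRP Peers:(\d+)")
_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")


def parse_show_dmvpn(text: str) -> List[DmvpnPeer]:
    """Return one record per peer row; prompt, legend and header lines are skipped."""
    peers: List[DmvpnPeer] = []
    tunnel = role = ""
    for line in text.splitlines():
        hdr = _HDR_RE.match(line.strip())
        if hdr:
            tunnel, role = hdr.group(1), hdr.group(2)
            continue
        row = _ROW_RE.match(line)
        if row and tunnel:
            ent, nbma, taddr, state, updn, attrb = row.groups()
            peers.append(DmvpnPeer(tunnel, role, int(ent), nbma, taddr,
                                   state, updn, attrb))
    return peers


def peer_findings(peers: List[DmvpnPeer]) -> List[Tuple[str, str]]:
    """(nbma, message) pairs for peers a troubleshooter should look at first."""
    findings = []
    for p in peers:
        if p.state != "UP" or "I" in p.attrb:
            findings.append((p.nbma, f"{p.tunnel}: NHRP entry {p.state}/{p.attrb} "
                             f"for {p.updn}, registration or resolution not complete"))
        if "X" in p.attrb:
            findings.append((p.nbma, f"{p.tunnel}: no crypto socket, check tunnel "
                             "protection and IKE with this NBMA peer"))
        if "N" in p.attrb:
            findings.append((p.nbma, f"{p.tunnel}: peer is behind NAT, the NBMA "
                             "address shown is the post-NAT address"))
    return findings


if __name__ == "__main__":
    peers = parse_show_dmvpn(SAMPLE_HUB)
    for peer in peers:
        print(peer.nbma, peer.tunnel_addr, peer.state, peer.attributes())
    for nbma, msg in peer_findings(peers):
        print("CHECK", nbma, msg)
```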

DMVPN Show Commands

show dmvpn detail (same topology as the previous slide)

HUB-1#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
Source addr: 3.3.3.3, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details:
Type:Hub, NBMA Peers:2
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1         1.1.1.1      172.20.1.1    UP 00:26:38     D     172.20.1.1/32
IKE SA: local 3.3.3.3/500 remote 1.1.1.1/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 3.3.3.3 host 1.1.1.1
Active SAs: 2, origin: crypto map
Outbound SPI : 0xB28957C6, transform : esp-3des esp-sha-hmac
Socket State: Open

DMVPN Show Commands

show dmvpn peer (same topology as above)

HUB-1#show dmvpn peer nbma 2.2.2.2 detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
Source addr: 3.3.3.3, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details:
Type:Hub, NBMA Peers:1
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1         2.2.2.2      172.20.1.2    UP 00:35:01     D     172.20.1.2/32
IKE SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 3.3.3.3 host 2.2.2.2
Active SAs: 2, origin: crypto map
Outbound SPI : 0x74146521, transform : esp-3des esp-sha-hmac
Socket State: Open

DMVPN Show Commands

show ip nhrp traffic (same topology as above)

HUB-1#show ip nhrp traffic
Tunnel1: Max-send limit:100Pkts/10Sec, Usage:0%
   Sent: Total 2
         0 Resolution Request  0 Resolution Reply  0 Registration Request
         2 Registration Reply  0 Purge Request     0 Purge Reply
         0 Error Indication    0 Traffic Indication
   Rcvd: Total 2
         0 Resolution Request  0 Resolution Reply  2 Registration Request
         0 Registration Reply  0 Purge Request     0 Purge Reply
         0 Error Indication    0 Traffic Indication

Part 3:
Group Encrypted Transport (GET) VPN

Cisco Group Encrypted Transport (GET) VPN: Solution for Tunnel-Less VPNs

Cisco GET VPN delivers a revolutionary solution for tunnel-less, any-to-any branch confidential communications
Large-scale any-to-any encrypted communications
Native routing without tunnel overlay
Optimal for QoS and multicast support; improves application performance
Transport agnostic: private LAN/WAN, FR/ATM, IP, MPLS
Offers flexible span of control among subscribers and providers
Available on Cisco Integrated Services Routers, Cisco 7200 and Cisco 7301 with Cisco IOS 12.4(11)T

[Figure: Cisco GET VPN at the centre of any-to-any connectivity: scalable, real time]

Benefits of Cisco GET VPN

Previous limitations -> New features and benefits

Multicast traffic encryption through IPsec tunnels: not scalable, difficult to troubleshoot
  -> Encryption supported for native multicast and unicast traffic with GDOI; allows higher scalability; simplifies troubleshooting; extensible standards-based framework

Overlay VPN network: overlay routing, sub-optimal multicast replication, lack of advanced QoS
  -> No overlay; leverages core network for multicast replication via IP header preservation; optimal routing introduced in VPN; advanced QoS for encrypted traffic

Full mesh connectivity: hub and spoke primary support, spoke to spoke not scalable
  -> Any-to-any instant enterprise connectivity; leverages core for instant communication; optimal for Voice over VPN deployments

GET VPN Overview

Group Security Functions

Key Server
  Validate group members
  Manage security policy
  Create group keys
  Distribute policy / keys

Group Member (encryption devices)
  Route between secure / unsecure regions
  Multicast participation

Routing Members
  Forwarding
  Replication
  Routing

[Figure: key server distributing policy and keys to the group members across the routing members]

Group Security Elements

Key servers hold the group policy, the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK)
Between key servers: proprietary KS cooperative protocol
Between key server and group members: RFC 3547, Group Domain of Interpretation (GDOI)

Group Keys

Key Encryption Key (KEK)
  Used to encrypt GDOI (i.e. control traffic) between KS and GM
Traffic Encryption Key (TEK)
  Used to encrypt data (i.e. user traffic) between GMs

[Figure: key server holding KEK and TEK1; group members attached to the IP VPN]

GET VPN Data Plane

IPsec Tunnel Mode with IP Address Preservation

Group Encrypted Transport: the original IP header is copied in front of the ESP header

  Original packet:  IP Header | IP Payload
  Encrypted packet: IP Header (copy of original) | ESP | IP Header | IP Payload

IP header preserved by the VPN gateway
Preserved IP address uses the original routing plane
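Added example (not Cisco code): a Python model of the data-plane encapsulation above. It builds a real IPv4 header, wraps the original packet in ESP with the original header copied in front, and contrasts that with a conventional tunnel-mode outer header carrying gateway addresses, so that the (S,G) a core router sees is the same before and after GET VPN. Payload encryption is omitted (the standard library has no cipher); the ESP ICV is an HMAC keyed with a constructed TEK standing in for the key a group member receives from the key server, and the addresses and packet are constructed.

```python
"""Added example (not Cisco code): GET VPN data plane, ESP tunnel mode with
IP address preservation, modelled with the Python standard library.

Payload encryption is omitted (no cipher in the standard library); the ESP
ICV is an HMAC keyed with GROUP_TEK, a constructed stand-in for the TEK a
group member would receive from the key server.
"""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50
ICV_LEN = 12          # esp-sha-hmac style truncated ICV
_IPV4_FMT = "!BBHHHBBH4s4s"

# Constructed values: a group TEK and an original multicast packet
# (10.1.1.5 -> 239.192.1.10, protocol 17, four bytes of opaque payload).
GROUP_TEK = b"constructed-tek-not-from-a-key-server"


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(_IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("truncated packet or bad IPv4 header checksum")
    _, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(_IPV4_FMT, pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "length": length}


ORIGINAL_PACKET = ipv4_header("10.1.1.5", "239.192.1.10", 17, 4) + b"data"


def esp_protect(inner_pkt: bytes, spi: int, seq: int, tek: bytes) -> bytes:
    """ESP header + (would-be encrypted) original packet + truncated HMAC ICV."""
    esp = struct.pack("!II", spi, seq) + inner_pkt
    return esp + hmac.new(tek, esp, hashlib.sha256).digest()[:ICV_LEN]


def get_vpn_encapsulate(inner_pkt: bytes, spi: int, seq: int, tek: bytes) -> bytes:
    """GET VPN: the outer header is a copy of the original header (same source,
    destination and TTL), so the core forwards and replicates on the original
    addresses. Only the protocol (ESP) and the total length change."""
    inner = parse_ipv4(inner_pkt)
    esp = esp_protect(inner_pkt, spi, seq, tek)
    return ipv4_header(inner["src"], inner["dst"], ESP_PROTO, len(esp), inner["ttl"]) + esp


def overlay_encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str,
                        spi: int, seq: int, tek: bytes) -> bytes:
    """Conventional IPsec tunnel mode, for contrast: the outer header carries the
    two VPN gateways, which is the tunnel overlay GET VPN does away with."""
    esp = esp_protect(inner_pkt, spi, seq, tek)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def forwarding_key(pkt: bytes):
    """What a core router, or multicast replication on (S,G), actually sees."""
    outer = parse_ipv4(pkt)
    return outer["src"], outer["dst"]


def get_vpn_decapsulate(pkt: bytes, tek: bytes):
    """Receiving group member: verify the ICV with the group TEK and return the
    original packet, or None if the packet is not from a holder of this TEK."""
    if parse_ipv4(pkt)["proto"] != ESP_PROTO or len(pkt) < 20 + 8 + ICV_LEN:
        return None
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(tek, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return esp[8:]                      # strip SPI and sequence number


if __name__ == "__main__":
    protected = get_vpn_encapsulate(ORIGINAL_PACKET, 0x1000, 1, GROUP_TEK)
    overlay = overlay_encapsulate(ORIGINAL_PACKET, "198.51.100.1", "198.51.100.2",
                                  0x1000, 1, GROUP_TEK)
    print("original :", forwarding_key(ORIGINAL_PACKET))
    print("GET VPN  :", forwarding_key(protected))
    print("overlay  :", forwarding_key(overlay))
    print("member   :", get_vpn_decapsulate(protected, GROUP_TEK) == ORIGINAL_PACKET)
    print("outsider :", get_vpn_decapsulate(protected, b"wrong key"))
```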

Secure Data Plane Multicast

Data protection: secure multicast
Premise: sender does not know the potential recipients
Sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
Encrypt multicast with IP address preservation
Replication in the core based on original (S,G)

[Figure: key server (KS) and group members (GM); the sender's encrypted multicast is replicated in the core to the receiving GMs]
Corollary:
Secure Data Plane Unicast

Data protection: secure unicast
Premise: receiver advertises the destination prefix but does not know the potential encryption sources
Receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
Receiver can authenticate the group membership

[Figure: key server (KS) and group members (GM); unknown sources send encrypted unicast to the advertised prefix]
GET VPN Control Plane GM-KS

Group Member: Membership Management

Group Member Join: Registration
  Immediately upon boot
  Immediately upon applying the crypto map
  Protected by IKE SA (pre-shared keys or PKI certificate)

Group Member Maintenance: Rekey
  Periodic update protected by Rekey SA (IKE SA expires)
  New policies, time sync, or new keys (TEK or KEK)
  Acknowledged with unicast rekey
  Unacknowledged with multicast rekey

Group Member States

[State diagram, summarized: Unknown (reboot) -> Initialize (reset; mis-configured, cleared) -> Registration (authenticating, then authorization). While registering, a fail-open member keeps forwarding; a fail-closed member is blocking/dropping and retries when the attempt expires. A registered member is Forwarding/Encrypting and receiving rekeys; an expiring TEK sends it back through registration]

GDOI Protocol: Registration and Rekey

RFC 3547 definitions
Initiator is a Group Member
Receiver or GCKS is a Key Server

[Figure: message exchange between Group Member and Key Server]

IKE Phase 1: the registration is protected by the IKE SA
GROUPKEY-PULL (a.k.a. Registration):
  Group Member request (GROUP-ID)
  Key Server supplies policy (SA-Policy: group info)
  Group Member acknowledges and asks for keys
  Key Server supplies keys (KEK, TEK, Seq. #)
GROUPKEY-PUSH (a.k.a. Rekey), protected by the REKEY SA:
  Key Server refreshes keys and/or policy before the key lifetime runs out
  If the key lifetime does expire, the Group Member goes through IKE Phase 1 and Registration again
Group Member: Secured Group Member Interface

interface Serial0/0
 ip address 192.168.1.14 255.255.255.252
 crypto map svn                                   <- WAN ENCRYPTION
 ip access-group fail-closed out                  <- BLOCK EVERYTHING BUT CONTROL

Fail-closed Policy

ip access-list extended fail-closed
 permit esp any any                               <- ALLOW ENCRYPTED
 permit ip host 192.168.1.14 host 192.168.1.13    <- ALLOW ROUTE ADJACENCY
 permit tcp host 192.168.1.14 eq ssh any          <- ALLOW SECURE SHELL

Crypto Map Association to Group Security

crypto map svn 10 gdoi                            <- GROUP CRYPTO MAP ENTRY
 set group secure-wan                             <- GROUP MEMBERSHIP
 match address control_plane                      <- EXCLUDE ENCRYPTION

Group Member Policy Exceptions

ip access-list extended control_plane             <- CONTROL PLANE PROTOCOLS
 deny ip host 192.168.1.14 host 192.168.1.13      <- PE-CE LINK (BGP, ICMP)
 deny tcp host 192.168.1.14 eq ssh any            <- MANAGEMENT SECURE SHELL

Group Member Association

crypto gdoi group secure-wan                      <- GROUP ENCRYPTION
 identity number 3333                             <- MEMBER'S GROUP IDENTITY
 server address ipv4 <ks1_address>                <- KS ADDRESS TO REGISTER
 server address ipv4 <ks2_address>                <- ALTERNATE KS REGISTRATION

Key Server States

[State diagram, summarized: Unknown (reboot) -> Initialize (reset; mis-configured, cleared) -> Evaluate & Announce -> Election. Secondary: receiving policies and keys via primary announcements, serving registration, announcement of new GMs. Primary: creating policies and keys, serving registration, announcing policies and keys, rekey, announcement of the GM database. A primary yields & demotes to secondary after an election or a reset]

Key Server Configuration

crypto gdoi group secure-wan
 identity number 3333                             <- GROUP ID
 server local                                     <- KEY SERVER
  rekey address ipv4 102                          <- REKEY ADDRESSES
  rekey retransmit 40 number 3                    <- REKEY RETRANSMITS
  rekey authentication mypubkey rsa my_rsa        <- KS MSG AUTHENTICATION
  authorization address ipv4 member-list          <- GROUP MEMBER AUTHORIZATION
  sa ipsec 1                                      <- SECURITY ASSOCIATION
   profile gdoi-p                                 <- CRYPTO ATTRIBUTES SELECTION
   match address ipv4 lans-only                   <- ENCRYPTION POLICY LAN-to-LAN
   no replay                                      <- NO ANTI-REPLAY
  address ipv4 <ks_address>                       <- KS ADDRESS

Rekey Profile (needed for multicast rekey only)

access-list 102 permit ip any host 239.192.1.1    <- REKEY SOURCE / DESTINATION

Group Member Authorization List (optional)

ip access-list extended member-list               <- GM AUTH LIST
 permit <ks_peer_address>                         <- PEER KS
 permit <gm_address>                              <- GROUP MEMBER

Encryption IPsec Proxy (mandatory)

ip access-list extended lans-only                                   <- ENCRYPTION POLICY
 deny udp any eq 848 any eq 848                                     <- ALLOW GDOI
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255            <- UNICAST
 permit ip 10.0.0.0 0.255.255.255 232.0.0.0 0.255.255.255           <- MULTICAST

Part 4:
Easy VPN

Cisco Easy VPN Overview

[Figure: branch office, small offices and home offices, and mobile users connecting over the Internet to the central site]

Easy VPN Server: Cisco IOS router or Cisco ASA
Easy VPN Remote: Cisco IOS router or Cisco ASA
Software client: Cisco VPN Client on PC/MAC/Unix

1. Cisco Easy VPN Unity Framework: Remote/branch device can be Cisco IOS
router, ASA or PC/Mac/Unix computer running VPN Client software
2. Call Home/Authentication: Remote device contacts central-site router/concentrator,
and provides authentication credentials
3. Centralized Policy Push: Central-site checks credentials and pushes configuration
securely to the remote device
4. VPN is established

Easy VPN Remote Connection Modes


Easy VPN Remote Feature Supports Three
Modes of Operation
Client mode
Server pushes down an IP address to the client and all traffic from the
client is internally translated to this address before being encrypted and
sent into the tunnel
NAT or PAT is performed at the remote end of the VPN tunnel, forming
a private network and protecting the remote hosts behind the router

Network extension
Remote subnet IP addresses are fully routable and reachable by the
server side network over the tunnel

Network extension plus


Typically used for management purposes
Identical to network extension mode with one addition:
Remote requests an IP address through mode-config from the server,
and ties it to an available loopback interface

Easy VPN Remote Connection Modes

Client mode: address is pushed down and all outgoing traffic is translated to use this assigned IP (172.19.168.8 in the figure)
Network extension mode: fully routable network (172.19.168.0/24 in the figure)
Network extension plus mode: address is pushed down and bound to a loopback interface (172.19.168.9 in the figure)

[Figure: remote 10.10.10.0/24 sites connecting over the Internet to the Cisco Easy VPN Server in each of the three modes]

Enhanced Easy VPN Architecture


Problem Statement
Certain deployments require the ability to treat VPN
(encrypted) and non-VPN (plain text) traffic as distinct
entities within the router, and apply separate IP
services such as QoS, multicast and NAT
Traditional Easy VPN architecture had limitations
in this respect
Solution
Enhanced Easy VPN defines a logical interface (a
virtual interface) in which packets are encapsulated
with IPsec
Each interface has the capability to tie several services
such as QoS, multicast and NAT to Easy VPN

Enhanced Easy VPN Architecture

Administrator defines a virtual template containing
Cisco IOS commands applicable for all users
Easy VPN Remote (hardware client) has a separate interface
context allowing tunnel specific features to be applied e.g., ACL,
NAT and QoS
As each new user seeks to gain VPN access, a virtual
access interface is cloned automatically based on the
virtual template
Per-user attributes allow individual users to be treated
preferentially for QoS, ACLs, etc.

Virtual Templates for Easy VPN Server

Use the specified virtual template interface for creating and
cloning the virtual access interface
Dynamic IPsec interface is required
The IPsec profile is applied on the virtual template
IPsec profiles define the phase 2 policy

interface Virtual-Template1 type tunnel
 ip unnumbered Lo0
 ...
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
 ...
!
crypto isakmp profile FOO
 virtual-template 1
 ...
!

Part 5:
SSL VPN

What Is SSL VPN?

Mechanism for secure communication over IP, like
IPsec VPN (Internet Protocol Security)
SSL is the security technology for establishing an
encrypted link between the browser and the web server
The encrypted link ensures all data passed between the
client and server remains private and its integrity is
maintained
For an SSL connection to be established the head-end
device requires an SSL certificate

Types of SSL VPN

Two Types of SSL VPN
1. Clientless SSL VPN
2. Cisco AnyConnect VPN Client (full client)
Both types access the VPN appliance through the HTTPS protocol

Clientless SSL VPN

No VPN client needs to be installed on the end
user machine
Uses a standard web browser (Internet Explorer,
Firefox)
Can access web applications: HTTP, HTTPS, Common
Internet File System (CIFS), File Transfer
Protocol (FTP)
Client-server plug-ins for Remote Desktop Protocol
(RDP), Virtual Network Computing (VNC), Secure
Shell (SSH) access, Telnet and Citrix
VPN appliance gives a web-based look and feel for the
application access (customizable) through a content
rewrite process

Clientless SSL VPN

[Figure: browser to VPN appliance over HTTPS (TCP/443); HTTP (TCP/80) only if HTTP redirection is desired]

Cisco AnyConnect VPN Client


Thick Client, Full Tunneling, or Tunnel Client
Traditional-style client
delivered via automatic
download
Requires administrative
privileges for initial
install only
Pre-deployment MSI
package available
Can use TLS or DTLS
as transport
Can be upgraded from a previous
version upon connection

Cisco AnyConnect VPN Client


Installation Options
WebLaunch
Initiate via web browser
Login via portal
Auto-download (ActiveX/Java)
Manual download

Manual
MSI installer

Cisco AnyConnect VPN Client

Key Differences

                          Cisco VPN Client       Cisco AnyConnect VPN client
Approximate size          ~10 MB                 ~1.2 MB
Initial install           distribute             auto download, distribute
Admin rights required     yes                    initial install only
Protocol                  IPsec                  DTLS, TLS
Head end                  ASA/PIX/IOS            ASA/IOS
Client reboot required    yes                    no

Part 6:
Public Key Infrastructure (PKI): IOS CA Server

Why PKI?
Need a method to authenticate IKE
Wildcard preshared keys are scalable but are not
secure
Pair-wise preshared keys are more secure but are not
scalable
PKI is both secure and scalable

Public Key Cryptography

Core Concepts

Building Blocks for Core Concepts


Asymmetric key pairs
Digital signatures
Certificates

Public Key Cryptography

Core Concepts

Building Block 1: Asymmetric Key Pairs


Two keys are involved, the public key and the
private key
A user gives his or her public key to other users,
keeping the private key to himself or herself
Data encrypted with a public key can only be decrypted
with the corresponding private key, and vice versa
Key pairs are asymmetric

Core Concepts

Digital Signatures
Building Block 2: How Signatures Are Built
One-way function; easy to produce a
hash from the message, impossible
to produce the message from the hash

[Figure: Alice runs the message through the hash function to get the hash of the message, then signs the hash with her private key]

Signature = Encrypted Hash of Message

Digital Signature Verification

Core Concepts

Separate the message from the signature
Message side:
  1. Hash the message
Signature side:
  1. Decrypt the signature using the public key
  2. The decrypted signature should contain the
  hash of the message
If the hashes are equal, the signature is verified

Digital Certificate

Core Concepts

Building Block 3: What Is a Digital Certificate?

Each client generates a private/public key pair
Each client sends its public key to a third party
That third party digitally signs the client's public key
with its private key (process discussed in the previous
digital signature section)
The trusted third party is called a certificate authority
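Building blocks 2 and 3 carried through in Python, as an added example that is not from the deck: hash the message, sign the hash with the private key, verify by recovering the hash with the public key, then have a CA sign a client's public key and verify that certificate. It uses textbook RSA with no padding and fixed, publicly known Mersenne primes so the run is reproducible; a real CA or router generates random primes and uses a padded signature scheme, and the key pairs, subject name and messages here are constructed.

```python
"""Added example (not from the Techtorial): the three PKI building blocks in
Python. Textbook RSA without padding, over SHA-256, with fixed and publicly
known Mersenne primes so the run is reproducible; a real CA or router generates
random primes and uses a padded signature scheme such as RSA-PSS."""
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Building block 1: asymmetric key pair (public, private) sharing modulus n."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # private exponent (Python 3.8+)
    return (n, e), (n, d)


# Constructed key pairs: Mersenne primes 2^127-1 and 2^521-1 (CA), 2^89-1 and
# 2^607-1 (Alice). Both moduli exceed 2^256, so a SHA-256 hash fits below n.
CA_PUBLIC, CA_PRIVATE = make_keypair((1 << 127) - 1, (1 << 521) - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair((1 << 89) - 1, (1 << 607) - 1)


def hash_message(message: bytes) -> int:
    """One-way function: easy to get the hash from the message, not the reverse."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Building block 2: signature = hash of the message 'encrypted' with the private key."""
    n, d = private_key
    return pow(hash_message(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification: 'decrypt' the signature with the public key and compare
    the recovered hash with a fresh hash of the message."""
    n, e = public_key
    return pow(signature, e, n) == hash_message(message)


def _to_be_signed(subject: str, public_key) -> bytes:
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(subject: str, subject_public_key, ca_private_key) -> dict:
    """Building block 3: the CA signs the client's public key with its own private key."""
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(_to_be_signed(subject, subject_public_key), ca_private_key)}


def verify_certificate(cert: dict, ca_public_key) -> bool:
    return verify(_to_be_signed(cert["subject"], cert["public_key"]),
                  cert["signature"], ca_public_key)


def verify_signed_message(message: bytes, signature: int, cert: dict, ca_public_key) -> bool:
    """A relying party trusts only the CA: check the certificate first, then the
    message signature under the public key the certificate vouches for."""
    return (verify_certificate(cert, ca_public_key)
            and verify(message, signature, cert["public_key"]))


if __name__ == "__main__":
    alice_cert = issue_certificate("alice", ALICE_PUBLIC, CA_PRIVATE)
    msg = b"crypto isakmp policy 10"
    sig = sign(msg, ALICE_PRIVATE)
    print("valid message :", verify_signed_message(msg, sig, alice_cert, CA_PUBLIC))
    print("tampered      :", verify_signed_message(msg + b"!", sig, alice_cert, CA_PUBLIC))
```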

Certificate Authorities

Core Concepts

A Certificate Authority (CA) is an entity which can
issue a certificate to a user or network device
Before any PKI operations can begin, the CA generates
its own public key pair and creates a self-signed
CA certificate

PKI/CA Enrollment

Core Concepts

A router requesting a certificate sends an enrollment
request to a certificate authority using SCEP (Simple
Certificate Enrollment Protocol)
SCEP runs over TCP port 80 (HTTP)
The entire 43-page IETF draft on the protocol details is
available (the focus of this presentation is on infrastructure):
http://www.ietf.org/internet-drafts/draft-noursescep-16.txt

How to Set up a Basic CA Server

High-Level Steps
Generate RSA key pairs (Step 1)
Enable HTTP server on the router (Step 1)
Configure the PKI server on the CA (Step 2)
Configure the PKI trustpoint for the self-signed certificate (Step 2)

How to Set up a Basic CA Server

Step 1: Configure RSA and HTTP Server

R1(config)#crypto key generate rsa general-keys label cisco1 exportable
R1(config)#ip http server

How to Set up a Basic CA Server

Step 2: Configure a Basic PKI Server
The certificate server must use the same name as
the key pair
R1(config)#crypto pki server cisco1

Specify where to store the CA's file system
R1(cs-server)#database url nvram:
{or external ftp url is preferred}

Specify the lifetime for the self-signed and
issued certificates
R1(cs-server)#lifetime ca-certificate 365
R1(cs-server)#lifetime certificate 200

How to Set up a Basic CA Server

Step 2: Configure a Basic PKI Server (Cont.)
For the self-signed certificate, create the local trustpoint
R1(config)#crypto pki trustpoint cisco1

Specify your local RSA key pair for the CA
R1(ca-trustpoint)#revocation-check crl none
R1(ca-trustpoint)#rsakeypair cisco1

Section 7
Configure Cisco IPS to Mitigate
Network Threats

Exam Objectives
Configure IPS 4200 Series Sensor Appliance
Initialize the Sensor Appliance
Configure Sensor Appliance management
Configure virtual Sensors on the Sensor Appliance
Configure security policies
Configure promiscuous and inline monitoring on the Sensor Appliance
Configure and tune signatures on the Sensor Appliance
Configure custom signatures on the Sensor Appliance
Configure blocking on the Sensor Appliance
Configure TCP resets on the Sensor Appliance
Configure rate limiting on the Sensor Appliance
Configure signature engines on the Sensor Appliance
Use IDM to configure the Sensor Appliance
Configure event action on the Sensor Appliance
Configure event monitoring on the Sensor Appliance
Configure advanced features on the Sensor Appliance
Configure and tune Cisco IOS IPS
Configure SPAN & RSPAN on Cisco switches

IPS Terminology:
The Marketing of IPS/IDS
IDS (Intrusion Detection System): typically limited to
promiscuous sensors (out of packet stream)
IPS (Intrusion Prevention/Protection System): the term
most commonly applied to a sensor that sits inline (in
the packet stream) and can drop malicious packets,
flows or attackers
IDP (Intrusion Detection and Prevention): marketing
term coined by a vendor for product differentiation

IPS Terminology: What Is IPS?


IPS Closely Resembles a Layer 2 Bridge or Repeater
Identical to a wire is the closest analogy
Inline interfaces have no MAC or IP and cannot be
detected directly
Network IPS passes all packets without directly participating in
any communications including spanning tree (but spanning tree
packets are passed)
Default behavior is to pass all packets even if unknown, (i.e. IPX,
Appletalk, etc.) unless specifically denied by policy or detection

IPS Components
Network-based sensors
Specialized software and/or hardware used to collect and
analyze network traffic (either in IPS or IDS mode: inline or
promiscuous)
Appliances, modules, embedded in network infrastructure (either
inline or promiscuous)
Network IDS: Appliances, modules, embedded
Host IDS: Server-specific agent

Security management and monitoring


Performs configuration and deployment services
Performs alert collection, aggregation, and correlation

Network-Based IDS: The Sensor

[Figure: monitoring the network (promiscuous, out-of-band). Command & control interface: has an IP address, network link to the management console. Promiscuous interface: no IP address; data capture using SPAN, TAP, VACL capture, etc. Client and server on the same Layer 2 VLAN (e.g. VLAN 10) and the same Layer 3 segment; a copy of the data flow between them reaches the sensor]

Network-Based IPS: The Sensor

[Figure: monitoring the network (inline, within the packet stream). Command & control interface: has an IP address, network link to the management console. Transparent inline interfaces #1 and #2: no MAC or IP address. Client & interface #1 on a separate Layer 2 VLAN (e.g. VLAN 10), server & interface #2 on a separate Layer 2 VLAN (e.g. VLAN 20), same Layer 3 segment; the data flow passes through the sensor]

IPS Functions and Capabilities

Monitors all traffic traversing between two interfaces
transparently
Can also monitor traffic promiscuously: SPAN, TAP, VACL
capture, etc.
Compares traffic against well known attack patterns
(signatures); also looks for heuristic attack patterns (i.e.
multihost scans, DoS) and protocol anomalies
Includes fragmentation and stream reassembly logic for
de-obfuscation of attacks as well as TCP/IP packet stream
normalization
Both an alarming and visibility tool as well as a preventative
capability through packet filtering; also allows active
response: TCP reset, blocking, IP session logging, and
deny packet/flow/attacker

Management
IPS Device Manager (IDM)
Web-based Java GUI, providing management of a
single device

IPS Appliance Deployment Examples

IPS Appliance Sensor Deployment Examples:
Two L2 devices (non trunk)
Two L2 devices (trunked; 802.1q)
Two L3 devices
Bridging 2 VLANs on same switch

IPS Appliance Deployment Examples

[Figure: sensor placed between two L2 devices (non-trunk), between two L2 devices (802.1q trunk), between two L3 devices, and bridging two VLANs (inline-on-a-stick: VLAN X and VLAN Y carried on trunks to one sensor interface)]

Inline VLAN Pairing Example

VLAN pairing, a.k.a. inline-on-a-stick, allows a sensor
to bridge VLANs together on the same physical
interface by creating, in effect, sub-interfaces that
allow the sensor to bring packets in on VLAN X and
out on VLAN Y
Multiple VLAN pairs per physical interface reduce
the need to have many physical interfaces
per chassis

Bridging Two VLANs

Inline VLAN Pair (Inline-on-a-Stick)
[Figure: switchport Fa0/5 (trunk port) carrying VLAN 10 and VLAN 20 to IPS sensing interface Gig2/0]
Switchport configured as Trunk Port

Inline Interface Pair Example

Inline Interface Pair (between two L3 devices)
[Figure: R1 Ethernet0/0 in VLAN 10 to IPS sensing interface Gig2/0; IPS sensing interface Gig2/1 in VLAN 20 to R2 Ethernet0/0]

Connection        Switchport   VLAN
R1 Ethernet0/0    Fa0/1        10
IPS Gig2/0        Fa0/10       10
R2 Ethernet0/0    Fa0/2        20
IPS Gig2/1        Fa0/20       20

Switchports are configured as access ports
Same Layer 3 segment (172.16.1.0/24), separate Layer 2 VLANs

Initializing the Sensor in Lab Exam

The default username/password will be changed in the lab
exam. Follow the instructions/guidelines in your
workbook. In most cases, username and password will
be set to cisco/123cisco123. Do not change these
user credentials; otherwise you will lose all points
Configure basic parameters such as the
host name, IP address, netmask, gateway and
communications options
Use IPS Device Manager (IDM) to browse to the sensor
management IP address to complete the remaining exam

Signatures and Anomalies

Signatures explicitly define what activity should be
considered malicious
Simple pattern matching
  E.g. look for "root"
Stateful pattern matching
  E.g. decode a telnet session to look for "root"
Protocol decode-based analysis (including protocol anomalies)
  E.g. RPC session decoding and analysis; SNMP protocol
  anomaly detected from use of the protos tool
Heuristic-based analysis
  E.g. rate of inbound SYNs: SYN flood?

Anomaly detection involves defining or learning
normal activity and looking for deviations from this
baseline

Signature Implementations and Structures

Signature implementation
  Context: trigger data contained in packet header
  Content: trigger data contained in packet payload

Signature structure
  Atomic: trigger contained in a single packet
  Composite: trigger contained in a series of
  multiple packets

Signature Tuning
Sensors are shipped with default signature configuration
Signature specific:
  Ports, protocols, services, analysis length, etc.
Filtering: what networks to alarm on
Event count: number of events to see before alarm
Severity: what level of alarm to send
Alarm aggregation: how many alarms to send
  Summary mode: fire all, summarize, global summarize
  Summary interval: summarization window
  Summary threshold: high water mark to change summarization
Event action: what to do when the sig is triggered
(includes producing an alert)

Custom Signatures

New environment specific signatures can be created

Custom signature configuration tasks:


1. Select the signature micro-engine that best meets
your requirements
2. Enter values for the signature parameters that are required
and meet your requirements
3. Save and apply the custom signature to the sensor

IPS v6.x New Feature Highlights

Virtualization
IPS 6.0 and 6.1 allow the creation of multiple
virtual sensors
Each physical sensor can have a maximum of four
virtual sensors configured, with the exception of the
IPS-4215, which does not support virtualization at all.
Each virtual sensor can have its own:
  Interfaces/Pairs
  Signature Definition Policy
  Event Action Rule Policy (filters and overrides)
  Anomaly Detection Policy
  Anomaly Detection Operational Mode
  TCP Session Tracking Mode

Anomaly Detection
IPS 6.x learns normal network behavior, and alerts
when abnormal behavior appears to be caused by
a network worm
Anomaly Detection detects the following situations:
When the network starts on the path of becoming congested
by worm traffic
When a single worm-infected source enters the network and
starts scanning for other vulnerable hosts

IPS 6.1 Default Protection Policy
Understanding Default Inline Behavior
Beginning in IPS 6.1, if a sensor is placed inline
(IPS mode), High Risk attacks are denied by
default.

IPS 6.1 Default Protection Policy
Risk Rating Thresholds are set under Risk Category.
The Risk Rating is a mathematical calculation based on:
1. Signature Severity
2. Attack Relevancy
3. Signature Fidelity
4. Value of the Victim Host
Risk Rating is a value from 1 to 100.

IPS 6.1 Default Protection Policy
By default, if this HIGHRISK policy
denies a packet inline, it also sends a
TCP Reset in one direction only (to the
victim). This behavior frees resources
on the victim and hangs applications on
the attacker.

IPS 6.1 Default Protection Policy
If you do not want the One-Way
TCP Reset to occur, disable it
here.

Other New Features of 6.0 and 6.1


Rate-Limiting as a Response Action (added in 6.0)
Support for Unauthenticated NTP Servers
(added in 6.1)
Login Password Restrictions (added in 6.1)
Auto-Update from Cisco.com (added in 6.1)
Sensor Health Monitoring (added in 6.1)
Enhanced Response Actions (added in 6.1)
Support for Asymmetric Flow Protection (added in 6.1)

Understanding IPS Engines

IPS 6.1 Engines
AIC FTP: Application Inspection & Control for FTP
AIC HTTP: Application Inspection & Control for HTTP
Atomic ARP: Inspection of Single ARP Packets
Atomic IP: Inspection of Single IP Protocol Packets
Atomic IPv6: Inspection of Single IPv6 Protocol Packets
Flood Host: Denial of Service Against a Single Host
Flood Net: Denial of Service Against a Network
Meta: Combines Signatures, Including Across Multiple Engines

IPS 6.1 Engines (Cont.)
Multi String: Inspection of Multiple String Matches
Normalizer*: Inspects Malformed, Fragmented or Illegal Traffic
Service DNS: Protocol Inspection of DNS
Service FTP: Protocol Inspection of FTP
Service Generic: Generic Protocol Inspection
Service H225: Protocol Inspection of H.225
Service HTTP: Protocol Inspection of HTTP
Service Ident: Protocol Inspection of Ident
* Inline Only

IPS 6.1 Engines (Cont.)
Service MSRPC: Protocol Inspection of MSRPC
Service MSSQL: Protocol Inspection of Microsoft SQL Server Traffic
Service NTP: Protocol Inspection of NTP
Service RPC: Protocol Inspection of RPC
Service SMB: Protocol Inspection of SMB
Service SMB Advanced: Enhanced Protocol Inspection of SMB
Service SNMP: Protocol Inspection of SNMP
Service SSH: Protocol Inspection of SSH

IPS 6.1 Engines (Cont.)
Service TNS: Protocol Inspection of TNS
State: Primarily Inspects Mail and IOS State Commands
String ICMP: String Matching within ICMP
String TCP: String Matching within TCP
String UDP: String Matching within UDP
Sweep: Reconnaissance Activities
Sweep Other TCP: Additional Reconnaissance Activities
Traffic Anomaly: Watches for Changes in Host Behavior

IPS 6.1 Engines (Cont.)
Traffic ICMP: Flood Conditions via ICMP
Trojan Bo2k: Back Orifice Trojan Activity
Trojan Tfn2k: Tribe Flood Network Activity
Trojan UDP: Trojan Activity via UDP

Understanding IPS Actions

IPS 6.1 Actions
Logging or Monitoring Actions
Produce Alert: Provide an Alert
Produce Verbose Alert: Provide an Alert, including the Trigger Packet
Log Attacker Packets: Create IP Log of Packets To/From Attacker
Log Victim Packets: Create IP Log of Packets To/From Victim
Log Pair Packets: Create IP Log of Packets Between Attacker and Victim
Request SNMP Trap: Send SNMP Trap to a Management Station

IPS 6.1 Actions
Deny Actions: Inline Operations Only
Deny Packet Inline: IPS Does Not Transmit This Packet
Deny Connection Inline*: IPS Does Not Transmit This Packet, or Any Other
Packet in this TCP Flow
Deny Attacker Victim Pair Inline: IPS Does Not Transmit This Packet, or Any Other
Packet Between These Two Hosts
Deny Attacker Service Pair Inline: IPS Does Not Transmit This Packet, or Any Other
Packet From Attacker On This Destination Port
Deny Attacker Inline: IPS Does Not Transmit This Packet, or Any Other
Packet From Attacker to Any Host
* TCP Traffic Only

IPS 6.1 Actions
Other Actions
Reset TCP Connection*: IPS Sends TCP RST Packets Bi-directionally To
Both Attacker and Victim
Modify Packet Inline**: IPS Modifies Packet In Various Methods
Request Block Connection: A Blocking Request Is Sent to a Router, Switch, or
Firewall to Block Traffic. IPS Also Executes Deny
Connection Inline If Possible.
Request Block Host: A Blocking Request Is Sent to a Router, Switch, or
Firewall to Block Traffic. IPS Also Executes Deny
Attacker Inline If Possible.
Request Rate-Limit: A Rate-Limit Request Is Sent to a Router
* TCP Traffic Only
** Valid Only For Normalizer Engine, Inline Operation Only

Useful Show Commands on IDS Console


show statistics eventStore
show events alert {high|medium|low}
show events status
show interface
show configuration
show version
show statistics

Cisco IOS IPS

Cisco IOS Intrusion Prevention (IPS)
Cisco IOS IPS stops attacks at the entry point, conserves WAN
bandwidth, and protects the router and remote network from DoS attacks
Integrated form factor makes it cost-effective and viable to deploy IPS in
Small and Medium Business and Enterprise branch/telecommuter sites
Supports 2000+ signatures sharing the same signature database available
with Cisco IPS sensors
Allows custom signature sets and actions to react quickly to new threats
[Figure: Cisco IOS IPS deployment diagram with Corporate Office, Branch Office, Small Branch, Small Office and Telecommuter, and Internet. Callouts: "Protect router and local network from DoS attacks"; "Stop attacks before they fill up the WAN"; "Apply IPS on traffic from branches to kill worms from infected PCs".]
http://www.cisco.com/go/iosips

Cisco IOS IPS
Configuration Example
Download Cisco IOS IPS Files to your PC
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt

Configure Cisco IOS IPS Crypto Key
mkdir ipstore (Create directory on flash)
Paste the crypto key from
realm-cisco.pub.key.txt

Cisco IOS IPS Configuration
ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false

Cisco IOS IPS Configuration (Cont)
interface FastEthernet0
 ip ips ips-policy in

Load the signatures from TFTP server
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures:
338 -Total active compiled signatures
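As an added example (not from the original slides), the following IOS IPS configuration applies the Signature Tuning controls described earlier in this section on a router: the whole signature set is retired, the ios_ips basic category is unretired, and one built-in signature (2004/0, ICMP Echo Request) is enabled with its event action changed from alert-only to alert plus drop. The policy name ips-policy and the storage directory follow the page's own configuration; the interface name is an assumption.

```ios
! Added example: signature tuning in Cisco IOS IPS.
! Policy name and flash directory match the slides; interface is assumed.
ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
!
! Retire everything, then unretire only the "basic" category.
! Fewer compiled signatures means less router memory and CPU spent on IPS.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Per-signature tuning: signature 2004, subsignature 0 (ICMP Echo Request).
! Enable and unretire it, then set the event action to produce an alert and
! drop the packet (the drop only takes effect when the policy runs inline).
! IOS asks to confirm the changes when you leave signature-definition mode.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert deny-packet-inline
!
! Apply the policy inbound on the untrusted interface.
interface FastEthernet0
 ip ips ips-policy in
!
! Verification (privileged EXEC):
!   show ip ips signature count    compiled and retired signature totals
!   show ip ips configuration      policy, category and notify settings
!   show ip ips statistics         per-interface packet and alert counters
```

Retiring a category before unretiring the subset you need is the order the page's own configuration uses; doing it the other way round compiles every signature first and can exhaust memory on small branch routers.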

Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs
Introduces stealth IPS capability
No IP address associated with IPS (nothing to attack)
IOS Router is bridging between the two halves of the network
Both wired and wireless segments are in same subnet
192.168.1.0/24
VLAN 1 is the private protected network.
[Figure: transparent IPS topology. Labels: Wireless, Fa 0/0, 192.168.1.3; Internet, VLAN 1, 192.168.1.2; Transparent IPS.]

Cisco IOS Transparent IPS
Configuration Example
Download Cisco IOS IPS Files to your PC
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt
Configure Cisco IOS IPS Crypto Key
mkdir ips5 (Create directory on flash)
Paste the crypto key from
realm-cisco.pub.key.txt
Cisco IOS IPS Configuration
ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false

Cisco IOS IPS Configuration (Cont)
! bridge-group 1 on the interfaces requires the bridge to be defined globally
bridge 1 protocol ieee
interface VLAN 1
 description private interface
 bridge-group 1
 ip ips ips-policy out
interface VLAN 2
 description private interface
 bridge-group 1
 ip ips ips-policy in
Load the signatures from TFTP server
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
show ip ips signature count
Total Compiled Signatures:
338 -Total active compiled signatures

Section 8
Implement Identity Management

Exam Objectives
Configure RADIUS and TACACS+ security protocols
Configure LDAP
Configure Cisco Secure ACS
Configure certificate-based authentication
Configure proxy authentication
Configure 802.1x
Configure advanced identity management features
Configure Cisco NAC Framework

AAA Overview
Authentication, Authorization, and Accounting (AAA)
network security services provide the primary
framework through which you set up access control
The CiscoSecure ACS uses authentication,
authorization, and accounting (AAA) to provide network
security. Each facet of AAA significantly contributes to
the overall security of your network:
Authentication determines the identity of users and whether they
should be allowed access to the network
Authorization determines the level of network services available
to authenticated users after they are connected
Accounting keeps track of each user's network activity

RADIUS vs. TACACS+

RADIUS:
Uses UDP ports 1645/1646 and, as per RFC 2138, 1812/1813
Encrypts only the password in the packet
Single challenge response
Combines authentication and authorization
Industry standard (created by Livingston)
Does not support command authorization

TACACS+:
Uses TCP port 49
Encrypts entire packet
Multiple challenge response
Uses the AAA architecture and separates each process
Cisco proprietary
Supports command authorization

CiscoSecure ACS
CiscoSecure ACS Server supports both RADIUS and
TACACS+ protocols
Full access will be provided for configuration,
verification and troubleshooting purposes
How to bring up ACS GUI remotely?
http://ip_address:2002

Device Management
Practice device management using AAA on router and
Cisco Catalyst switches equally
Device management via Telnet, SSH, HTTP/HTTPS
are the most commonly authenticated protocols
Console/Aux port should not be affected by any AAA
commands unless otherwise specified
Device management can be performed on all devices
such as routers, Cisco Catalyst switches, and ASA (IDS
does not support AAA)
TACACS+ gives you the best control for managing a
device by allowing you to restrict commands used while
on the device using various privilege levels

Centralized Authentication Example
Use centralized authentication system
Use RADIUS or TACACS+

AAA Configuration
aaa new-model
aaa authentication login mymethod group tacacs+ enable
ip tacacs source-interface Ethernet 0          (optional source interface)
tacacs-server host 10.1.1.254                  (define AAA server)
tacacs-server key cisco                        (shared-secret key)
line vty 0 4
 login authentication mymethod                 (apply AAA method on the line)

Command Authorization
A device can be configured to authorize commands
through a AAA server at all or specific levels
The following router configuration allows all users to
have per-command authorization set up on the server
Here we authorize all commands through CiscoSecure
ACS using TACACS+; but if the AAA server is down,
fallback authorization is set to local database
Example:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
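Putting the Device Management, Centralized Authentication and Command Authorization slides together, here is an added example (not from the original deck) of a complete device-management AAA configuration: TACACS+ first with local fallback, named method lists so the console is left alone, EXEC and per-command authorization, and accounting. The server address 10.1.1.254 is the one the slides use; the list names, local user and secrets are constructed placeholders.

```ios
! Added example: device-management AAA with TACACS+ and local fallback.
! List names, local accounts and <SECRET> values are placeholders.
aaa new-model
!
! Local fallback account, used only when the TACACS+ server is unreachable.
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
! TACACS+ server and shared secret; source the traffic from a stable interface.
tacacs-server host 10.1.1.254
tacacs-server key <TACACS-SHARED-SECRET>
ip tacacs source-interface Loopback0
!
! Named login lists: VTY lines go to TACACS+ (then local); the console uses
! the local database only, so AAA changes can never lock you out of it.
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication login CONSOLE-AUTH local
aaa authentication enable default group tacacs+ enable
!
! Authorization: EXEC shell (lets ACS push a privilege level) and per-command
! authorization at levels 1 and 15, with local fallback if the server is down.
! Command authorization does not touch the console unless
! "aaa authorization console" is configured.
aaa authorization exec VTY-AUTHZ group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: every EXEC session and every level-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication CONSOLE-AUTH
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
!
! Verification (keep a second session open while testing):
!   test aaa group tacacs+ <user> <password> legacy
!   debug aaa authentication
!   debug tacacs
```

The "local" keyword at the end of each method list is what makes the fallback work: IOS only moves to the next method when the previous one returns an error (server unreachable), not when it returns a reject, so a wrong password at the TACACS+ server is still a denial.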

ASA Management
AAA support is available to authenticate Telnet, SSH
and Console access on ASA using TACACS+
and RADIUS
Make sure you can Telnet from the inside network
to the inside interface of the ASA without any
AAA authentication
Always have an active connection open to the ASA
while adding authentication statements in the event
that backing out the commands is necessary
The RADIUS authentication and accounting ports can
be changed to other than the default 1645/1646

ASA Management (Cont.)


ASA command authorization and expansion of local
authentication was introduced in version 6.2
Commands performed may be controlled locally on the
firewall or remotely through TACACS+
RADIUS command authorization is not supported; this
is a limitation of the RADIUS protocol
Example:
aaa-server <tag> [<(if_name)>] host <ip_address> [<key>]
aaa-server <tag> protocol tacacs+|radius
aaa authentication serial|telnet|ssh|http|enable console {LOCAL |
tacacs_server_tag}
aaa authorization command {LOCAL | tacacs_server_tag}

Cisco ASA Service Authentication
RADIUS and TACACS+ authentication can be done
for HTTP, HTTPS, FTP, Telnet, SSH, and ICMP
connections through the Firewall using AAA
Authentication for other less common protocols, nonstandard
services and/or other TCP/UDP ports can also
be made to work using tcp/<port> and udp/<port>
Note that TACACS+ authorization is supported;
however, RADIUS authorization is not

AAA Test Command


AAA test command provides protocol connectivity test
from the NAS to the RADIUS/TACACS+ server. It validates
if the NAS can establish connectivity with the server using
RADIUS/TACACS+ ports
At times, the test aaa may yield a failed result even if the
ping (ip connectivity) is successful. Why?
Example:
Router# test aaa group tacacs+ testuser mypassword legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated
Or
Router# test aaa group radius testuser mypassword legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated
Or
ASA# test aaa authentication acs host 10.1.1.254 username cisco password cisco
INFO: Attempting Authentication test to IP address <10.1.1.254>.......
INFO: Authentication Successful

Troubleshooting AAA
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug radius
debug tacacs
test aaa group radius|tacacs+ username pwd legacy

Section 9
Implement Control Plane and Management Plane Security

Exam Objectives
Implement routing plane security features (protocol authentication, route
filtering)
Configure Control Plane Policing
Configure CP protection and management protection
Configure broadcast control and switchport security
Configure additional CPU protection mechanisms (options drop, logging
interval)
Disable unnecessary services
Control device access (Telnet, HTTP, SSH, Privilege levels)
Configure SNMP, Syslog, AAA, NTP
Configure service authentication (FTP, Telnet, HTTP, other)
Configure RADIUS and TACACS+ security protocols
Configure device management and security

Understanding Routers and Planes

Routers and Planes


A network device typically handles traffic in several
different forwarding planes
There are nuances to the definition of these planes
IETF RFC3654 defines two planes: control and forwarding
ITU X805 defines three planes: control, management,
and end-user
Cisco defines three planes: control, management, and data

Routers and Planes
Traffic to the control and management plane is
always destined to the device and is ultimately handled at
process level:
In hardware switched platforms, control/management
plane traffic is sent to the RP/MSFC and then sent to
the process level for processing
In software switched platforms, it is sent directly to
the process level for processing
Traffic in the data plane is always destined
through the device and is:
Implemented in hardware on high end platforms
CEF switched (in the interrupt) in software switched platforms

Data Plane
[Figure: data plane path through the platform. Ingress packets enter the Forwarding/Feature ASIC cluster and are forwarded (ToFab to other line cards); punted packets go to the ASICs' supporting CPU and, via the receive path, to the Route Processor CPU. Caption: "All Packets Forwarded Through the Platform".]

Control Plane
[Figure: same path with control plane traffic highlighted. Captions: "ARP, BGP, OSPF, and Other Protocols that Glue the Network Together"; "Most Control Plane Packets Go to the RP".]

Management Plane
[Figure: same path with management plane traffic highlighted. Captions: "Telnet, SSH, TFTP, SNMP, FTP, NTP, and Other Protocols Used to Manage the Device"; "All Management Plane Traffic Goes to the RP".]

IP Control Plane Security

IP Control Plane Security
The control plane is the logical group containing all
routing, signaling, link-state, and other control protocols
used to create and maintain the state of the network
and interfaces
It is, therefore, critical that control plane resources and
protocols are protected to:
Keep the network up and running at all times
Prevent traffic redirection which could result in a DoS
condition, eavesdropping or manipulation of application
layer (data) content
The control plane also enables other protection
mechanisms to help mitigate the risk of security attacks

IP Control Plane Security Techniques
Disable unused control plane services
ICMP techniques
Selective packet discard
Control plane policing
MD5 authentication
BGP techniques
Generalized TTL security mechanism
Protocol specific filters

Disable Unused Control Plane Services
Gratuitous ARP: filter unsolicited ARP replies which
may be used by an attacker to intercept traffic flows
IP Source Routing: prevent source IP hosts from being
able to specify an explicit route they wish a packet to
traverse through the network
MOP: proprietary and legacy protocol used for utility
services such as transferring system software and
remote troubleshooting
Proxy ARP: generally only required on shared LANs
Others as appropriate

ICMP Techniques
ICMP is handled at the Cisco IOS process level, hence,
is often leveraged within DoS attacks
By default, Cisco IOS software enables certain ICMP
processing functions in accordance with IETF
standards
These default configurations may not conform to
security best practices or to security policies you
may have for your network

ICMP Techniques
To Reduce the Risk of ICMP-Related DoS
Attacks, Consider the Following Techniques:
no ip unreachables: disables the interface from generating ICMP
Destination Unreachable (Type 3) messages, thereby reducing the impact
of certain ICMP-based DoS attacks on the router CPU
no ip redirects: disables the interface from generating ICMP Redirect
(ICMP Type 5) messages when it is forced to send an IP packet through
the same interface on which it was received
no ip information-reply: disables the router from generating ICMP
Information Reply (Type 16) messages when it receives unsolicited ICMP
Information Request (Type 15) messages (applied by default)
no ip mask-reply: disables the router from generating ICMP Address
Mask Reply (Type 18) messages when it receives unsolicited ICMP
Address Mask Request (Type 17) messages (applied by default)
Interface ACLs: infrastructure and transit ACLs may be used to filter
unnecessary ICMP messages destined to network infrastructure, including
but not limited to ICMP Source Quench (Type 4), ICMP Echo (Type 8; in
other words, ping), and ICMP Timestamp (Type 13) messages
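The two slides above list the services and ICMP responses to turn off; as an added example that is not part of the original deck, the configuration below applies all of them on one router and adds the infrastructure ACL fragment the last bullet describes. The address block 10.0.0.0/24 stands in for the router's own infrastructure addresses and the interface names are assumptions.

```ios
! Added example: disable unused control plane services and ICMP responses.
! 10.0.0.0/24 = infrastructure address block (constructed); interfaces assumed.
!
! Global: no unsolicited ARP replies, no source-routed packets.
no ip gratuitous-arps
no ip source-route
!
! Per interface; repeat on every transit or untrusted interface.
interface GigabitEthernet0/0
 ! proxy ARP is only needed on shared LANs
 no ip proxy-arp
 ! legacy DEC Maintenance Operation Protocol
 no mop enabled
 ! no ICMP Type 3 generation (reduces CPU impact of unreachable floods)
 no ip unreachables
 ! no ICMP Type 5 generation
 no ip redirects
 ! no ICMP Type 16 / Type 18 replies (already the default on current IOS)
 no ip information-reply
 no ip mask-reply
!
! Infrastructure ACL fragment for ICMP addressed to the infrastructure block:
! drop the message types operations does not need (echo only if your
! monitoring policy allows it), keep the types that path MTU discovery and
! traceroute depend on, log anything else, then fall through to transit.
ip access-list extended INFRA-ICMP
 deny   icmp any 10.0.0.0 0.0.0.255 echo
 deny   icmp any 10.0.0.0 0.0.0.255 timestamp-request
 deny   icmp any 10.0.0.0 0.0.0.255 source-quench
 permit icmp any 10.0.0.0 0.0.0.255 echo-reply
 permit icmp any 10.0.0.0 0.0.0.255 packet-too-big
 permit icmp any 10.0.0.0 0.0.0.255 ttl-exceeded
 permit icmp any 10.0.0.0 0.0.0.255 unreachable
 deny   icmp any 10.0.0.0 0.0.0.255 log
 ! transit traffic: tighten to your own policy
 permit ip any any
interface GigabitEthernet0/0
 ip access-group INFRA-ICMP in
!
! Verification:
!   show ip interface GigabitEthernet0/0   (ICMP redirects/unreachables state)
!   show access-lists INFRA-ICMP           (hit counters per entry)
```

Keeping packet-too-big and ttl-exceeded permitted is the part people forget: filtering them to the infrastructure block breaks path MTU discovery toward the router itself and hides the router from traceroute, which hurts operations more than it hurts an attacker.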

Selective Packet Discard
Selective Packet Discard (SPD) is an IOS internal
mechanism that manages the process level input queues
on the Route Processor (RP)
SPD seeks to prioritize routing protocol packets and other
important control plane traffic such as Layer 2 keepalives
during periods of process level queue congestion
SPD only applies to ingress packets destined to the IOS
process level
SPD does not apply to locally sourced router packets
On distributed processing platforms (e.g., 12000), only packets
punted to the RP are subject to SPD
SPD functions have proven effective during heavy IOS
process level packet floods, because it gives priority service
to important packets and ensures fairness among router
interfaces for IOS process level router resources

Control Plane Policing (CoPP)
Provides filtering and rate-limiting capabilities for all
packets punted to the route processor for handling,
not just control plane packets:
CEF receive adjacency traffic
Exception IP and non-IP traffic (e.g., router alert IP header
options, ARP, etc.)
Provides improved flexibility in packet control
Traffic may be permitted, or permitted but at a controlled rate
Transit (exception) IP traffic can be policed, further protecting
the route processor
CoPP is widely available within IOS

Control Plane Policing (CoPP)
CoPP uses the IOS Modular QoS CLI (MQC) for policy
definition
Consistent approach on all boxes
Dedicated control-plane interface
Single point of application
Highly flexible: permit, deny, rate limit

CoPP Conceptual View
[Figure: CoPP conceptual view. Input to the control plane and output from the control plane are policed; the classes shown are Management (SNMP, Telnet; SSH, SSL), ICMP, IPv6 and Routing Updates. Other labels: Control Plane Policing (Alleviating DoS Attack); Silent Mode (Reconnaissance Prevention); Processor Switched Packets; Locally Switched Packets; CEF Input Forwarding Path; CEF/FIB Lookup; NAT; ACL; uRPF; Incoming Packets; Packet Buffer; Output Packet Buffer.]
Applies to all ingress packets punted to IOS process level
Silent mode available for output (locally sourced) control packets

Configuring CoPP
Four Required Steps:
1. Define ACLs
Classify traffic
2. Define class-maps
Set up class of traffic
3. Define policy-map
Assign QoS policy action to class of traffic (police, drop)
4. Apply CoPP policy to control plane interface

Control Plane Policing
[Figure: CoPP in front of the router CPU. Traffic from untrusted sources ("attacks, junk") passes through CoPP before it reaches the route processor ("Router CPU Protection").]
Provides a cross-platform methodology for protecting
the control plane
Consistent show command and MIB support
Granular: Permit, Deny and Rate-limit

MD5 Neighbor Authentication
A variety of IOS protocols support MD5 authentication including
BGP, OSPF, RIPv2, EIGRP, HSRP, NTP, etc.
MD5 helps to prevent attackers from injecting false information into
the control plane
Adds yet another layer of defense that an attacker must overcome
Does not protect against packet flood DoS attacks
[Figure: two routers, each with Configured Shared Key = X. (1) The sender runs an MD5 hash over Routing Advertisement + Shared Key to produce MAC1. (2) It transmits MAC1 + Routing Advertisement. (3) The receiver runs an MD5 hash over the received Routing Advertisement + its own Shared Key to produce MAC2. If MAC1 = MAC2, then the Routing Advertisement is authenticated; else the Routing Advertisement is discarded.]

BGP Security Techniques
BGP is the common external control protocol, hence,
it is a common target for external attacks
MD5 authentication is one technique available to help
reduce the risk of BGP attacks
Others include:
Prefix filters
Prefix limits
AS-PATH limits
Graceful restart
BGP TTL security check (GTSM)

Generalized TTL Security Mechanism
[Figure: an eBGP session between routers in AS1 and AS2 (RTR-A, RTR-B, RTR-C, RTR-D); "badnet" is an attacker network several hops away. TTL Distance (Diameter) markers 1, 2, 3 show the hop count from the peer.]
The GTSM feature, also known as BGP TTL Security Hack (BTSH),
provides a lightweight security mechanism to protect external eBGP
peering sessions from attacks using forged IP packets
GTSM enforces a minimum TTL value on all BGP packets associated
with the eBGP session
Initial TTL values are set to 255. Per-hop decrements determine the final value upon
reaching the eBGP peer. The BGP TTL security mechanism requires configuring this
hop count value.
Spoofed IP packets may have correct IP source and destination addresses (and TCP source
and destination ports). However, unless these packets originate on a network segment that is
between the eBGP peers, the received TTL values will be less than the minimum
configured in the BGP TTL security check.
If the received TTL value is less than the configured value, the packet is silently discarded
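One configuration serving the MD5 Neighbor Authentication, BGP Security Techniques and GTSM slides above, added here as an example and not taken from the original deck: MD5 on OSPF, EIGRP and NTP, then an eBGP peer with a TCP MD5 signature, inbound prefix filtering, a prefix limit, an AS-PATH length limit and the TTL security check. Addresses come from the RFC 5737 documentation ranges, AS numbers are private, and every key shown as <...> is a placeholder.

```ios
! Added example: MD5 neighbor authentication plus BGP hardening and GTSM.
! Addresses, AS numbers, interfaces and <KEY> values are constructed.
!
! OSPF: per-interface MD5 key, authentication turned on for the area.
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <OSPF-KEY>
router ospf 1
 area 0 authentication message-digest
!
! EIGRP: key chain plus interface authentication mode.
key chain EIGRP-KEYS
 key 1
  key-string <EIGRP-KEY>
interface GigabitEthernet0/2
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! NTP: only accept time from a server that signs with a trusted key.
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY>
ntp trusted-key 1
ntp server 10.1.1.123 key 1
!
! eBGP peer 192.0.2.2 in AS 65002, directly connected (1 hop):
!   - password: TCP MD5 signature on the session
!   - prefix-list in: no default route, no RFC 1918 space, nothing longer than /24
!   - maximum-prefix: warn at 80%, tear down above 1000, retry after 5 minutes
!   - bgp maxas-limit: discard updates with absurdly long AS paths
!   - ttl-security hops 1: accept the session only if TTL is 254 or more (GTSM)
ip prefix-list FROM-AS65002 seq 5 deny 0.0.0.0/0
ip prefix-list FROM-AS65002 seq 10 deny 10.0.0.0/8 le 32
ip prefix-list FROM-AS65002 seq 15 deny 172.16.0.0/12 le 32
ip prefix-list FROM-AS65002 seq 20 deny 192.168.0.0/16 le 32
ip prefix-list FROM-AS65002 seq 30 permit 0.0.0.0/0 ge 8 le 24
router bgp 65001
 bgp maxas-limit 50
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password <BGP-KEY>
 neighbor 192.0.2.2 ttl-security hops 1
 neighbor 192.0.2.2 prefix-list FROM-AS65002 in
 neighbor 192.0.2.2 maximum-prefix 1000 80 restart 5
!
! Verification:
!   show ip ospf interface GigabitEthernet0/1          (Message digest authentication enabled)
!   show ip eigrp interfaces detail                    (authentication mode per interface)
!   show ntp associations                              (authenticated peers)
!   show ip bgp neighbors 192.0.2.2 | include TTL|External BGP
```

Note the interaction the page hints at: ttl-security and ebgp-multihop are mutually exclusive on a neighbor, and GTSM only works if both peers send with TTL 255, so it has to be configured on both ends of the session at the same time.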

Protocol Specific ACL Filters
Protocol-specific ACL policies can be applied directly to
a specific IOS control plane protocol
IP interface ACL policies are applied to specific router interfaces
CoPP policies are applied to the IOS receive interface
Protocol-specific ACL policies provide added control for
defining valid protocol peers
Protocol-specific ACL filters consider only the associated
protocol, which helps with policy management
Example protocol-specific ACL filters:
MPLS LDP
PIM
IGMP
SNMP
Telnet/SSH

IP Management Plane Security

IP Management Plane Security
The management plane is the logical group containing
all management traffic supporting provisioning,
maintenance, and monitoring functions for the network
It is, therefore, critical that management plane
resources and protocols are:
Secured to mitigate the threat of unauthorized access and
malicious network reconnaissance, which inevitably leads to
attacks within the IP data, control, and services planes
Protected to mitigate the risk of DoS attacks
Remain available during attacks such that attack sources can be
identified and attacks themselves can be mitigated

Management Plane Security Techniques
Out-of-band management
Password security
SNMP security
Remote terminal access security
Disable unused management plane services
Disable idle user sessions
System banners
Secure IOS file systems
Role-based CLI access
Management plane protection
AAA
AutoSecure
Network telemetry

Management Interface Types


In-band: a physical (or logical) interface that carries
both management and data plane traffic
Out-of-band: a physical interface that connects to
a physically separate, isolated network dedicated
exclusively to the operation and management of all
network elements
OOB management networks are deployed today for
two primary reasons
Availability: an OOB network provides an alternate path to
reach network elements if in-band management connectivity
is lost, or vice versa
Scalability: large-scale network management operations,
including service provisioning, monitoring, billing, alarms,
software upgrades, configuration backups, and so on, may
be better served with a separate management network

Out-of-Band Management Interfaces
Console port: the console port (CTY) is an
asynchronous serial port that uses a DCE RJ-45
receptacle for connecting a data terminal (DTE)
Auxiliary port: the auxiliary port (AUX) is also an
asynchronous serial port that uses a DTE RJ-45
receptacle for connecting a modem or other DCE
device (such as a CSU/DSU or another router)
Management Ethernet port: on certain routers, a
separate Ethernet port is made available strictly
for OOB management connectivity
CEF is disabled by default to prevent traffic forwarding between
the OOB network and the in-band network
Cisco strongly recommends against enabling CEF routing
functions on this port to prevent IP reachability between the
in-band and OOB networks

Management Lines
In addition to CTY and AUX lines, IOS supports VTY
and TTY lines
Virtual terminal lines (VTY) have no associated physical
interface and are used exclusively for remote terminal
access (e.g., Telnet, SSH)
TTY lines represent standard asynchronous lines,
which are separate from the console and auxiliary
ports and the VTY lines, and are used for inbound or
outbound modem and terminal connections
By default, no password is defined for either the
console or auxiliary ports
VTY lines require a password (by default) to gain access to user
EXEC mode

Password Security
password: sets a password for a line and user EXEC mode
username password: sets a password for a local username
enable password: sets a local password to restrict access
to the various EXEC mode privilege levels. By default,
password is stored in clear text.
enable secret: sets a local router password for EXEC
privilege levels and stores the password using a
nonreversible cryptographic hash function
service password-encryption: encrypts all local passwords
including line, username, enable, and authentication
key passwords
Useful if an unauthorized user obtains a copy of your configuration file
It should be noted that this command invokes the same Type 7
encryption algorithm used by the enable password CLI

SNMP Security
Community string: included within each SNMP protocol message and
functions much like a password. Two types of community strings:
Read-Only (ro) community string
Read-Write (rw) community string
Note that no technique is available to encrypt or hash the assigned community strings within
the router configuration file.
Service password-encryption does not apply to SNMP community strings
snmp-server packetsize: establishes control over the largest SNMP
packet size permitted when the SNMP server is receiving a request or
generating a reply. Default 1500 bytes.
SNMPv3: adds advanced security mechanisms, including MD5 or SHA
authentication of messages, DES encryption of messages, a view-based
Access Control Model (VACM), SNMP contexts, and enforcement of
message timeliness to defend against replay attacks. It is worth noting
that many versions of IOS also support AES and 3DES encryption of
SNMPv3 messages. SNMPv3 also uses a username and encrypted
password. SNMPv3 user passwords are also not visible within the
router configuration.
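As an added example (not from the original deck), the SNMP hardening below applies the points on this slide on a router: poller ACL, a restricted view, a read-only community only where v2c is unavoidable, packetsize, and an SNMPv3 group and user with SHA authentication and AES privacy. Station addresses, the community, the user name and the passphrases are constructed placeholders.

```ios
! Added example: SNMP hardening. Stations, community, user and passphrases are placeholders.
!
! Restrict which stations may poll at all; used by the v2c community and the v3 group.
access-list 99 permit 10.1.1.50
access-list 99 permit 10.1.1.51
!
! Limit what is visible: everything except the subtrees that expose SNMP
! credentials themselves (1.3.6.1.6.3.15 = snmpUsmMIB, 1.3.6.1.6.3.18 = snmpCommunityMIB).
snmp-server view NMS-VIEW iso included
snmp-server view NMS-VIEW 1.3.6.1.6.3.15 excluded
snmp-server view NMS-VIEW 1.3.6.1.6.3.18 excluded
!
! Legacy v2c, read-only only, bound to the view and the ACL. Never define an
! RW community for v1/v2c: it is a plaintext write password on the wire.
snmp-server community <RO-COMMUNITY> view NMS-VIEW RO 99
!
! Bound the largest request or reply the agent will handle (default 1500).
snmp-server packetsize 1400
!
! SNMPv3 with authentication and privacy: SHA for auth, AES-128 for privacy.
! The passphrases are hashed into localized keys and do not appear in the config.
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 99
snmp-server user nmsuser NMS-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!
! Traps go out over v3 as well, and a trap is raised on failed SNMP authentication
! so a community-guessing attempt shows up at the management station.
snmp-server host 10.1.1.50 version 3 priv nmsuser
snmp-server enable traps snmp authentication
!
! Verification:
!   show snmp user      (auth and priv protocols per user; no secrets shown)
!   show snmp group     (view and ACL bound to each group)
!   show snmp           (packets processed, bad community names, etc.)
```

Once the management stations are on v3, remove the v2c community entirely; the page's point that community strings cannot be hidden in the configuration is the reason the v2c line is the weakest item in this block.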

Remote Terminal Access Security
VTY access lists: restricts the source IP addresses that
are allowed access to the VTY lines
Secure shell: a protocol that may be used to provide
encrypted remote terminal access to a network device
Transport input: defines which incoming protocols
are allowed to connect to a specific line of the router.
To deny all forms of remote terminal access for a line,
use the transport preferred none command.
Secure HTTP (HTTPS): provides secure web-based
administration of a device

Disable Unused Management Services
BOOTP services
NTP
HTTP
PAD
MOP
Small TCP servers
Small UDP servers
Finger service
EXEC mode on unused lines
DHCP server and relay functions
CDP: best practice to disable on external (untrusted) interfaces
DNS-based host name-to-address translation
(i.e., no ip domain lookup); alternatively configure name
servers explicitly

Disable Idle User Sessions
To mitigate the risk associated with idle user sessions:
exec-timeout: disconnects incoming user sessions after a
specific period of idle time
ip http timeout-policy idle: disconnects idle HTTP (or HTTPS)
client connections after a specific period of idle time
To verify whether a remote host associated with a
previously connected TCP session is still active
and reachable:
service tcp-keepalives-in: to generate keepalive packets on
inactive incoming network connections (initiated by the
remote host)
service tcp-keepalives-out: to generate keepalive packets on
inactive outgoing network connections (initiated by a local user)
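The Password Security, Remote Terminal Access Security, Disable Unused Management Services and Disable Idle User Sessions slides above describe one hardening pass over a router; here it is as a single configuration, added as an example and not taken from the original deck. The host name, domain, management subnet and every <SECRET> are constructed placeholders.

```ios
! Added example: management plane hardening on one router.
! Host name, domain, 10.1.1.0/24 management subnet and <SECRET> values are placeholders.
!
! Passwords: enable secret (one-way hash) instead of enable password, local
! users with secret, and Type 7 obfuscation for everything else in the config.
service password-encryption
enable secret <ENABLE-SECRET>
no enable password
username admin privilege 15 secret <ADMIN-SECRET>
!
! SSH prerequisites. The RSA key pair is generated from privileged EXEC:
!   crypto key generate rsa modulus 2048
hostname edge-rtr
ip domain-name example.net
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! VTY: only the management subnet, only SSH, idle disconnect after 5 minutes.
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
line con 0
 exec-timeout 5 0
 login local
! AUX is unused here: no EXEC and no inbound transport at all.
line aux 0
 no exec
 transport input none
!
! Detect dead peers of idle TCP sessions in both directions.
service tcp-keepalives-in
service tcp-keepalives-out
!
! Web management: HTTPS only, local authentication, idle and lifetime limits.
no ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 300 life 3600 requests 100
!
! Services with no business on a hardened router.
no service finger
no service tcp-small-servers
no service udp-small-servers
no service pad
no ip bootp server
no ip domain-lookup
no cdp run
!
! Verification:
!   show ip ssh
!   show line
!   show users
!   show running-config | include ^no service
```

"no cdp run" is the whole-box form; where CDP is needed internally (for example for IP phones), keep it on and use "no cdp enable" on the external interfaces only, which is what the slide recommends.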

System Banners
A banner serves as a legal notice, such as
"no trespassing" or a warning statement. A proper
legal notice protects you such that it enables you to
pursue legal actions against unauthorized users.
EXEC banner: specifies a message (or EXEC banner)
to be displayed when an EXEC process is created
MOTD banner (message-of-the-day): specifies a MOTD
to be displayed immediately to all user sessions and
when new users first connect to the router
Incoming banner: specifies an incoming banner to be
displayed for incoming reverse Telnet sessions
Login banner: specifies a login banner to be displayed
before username and password prompts

Secure Cisco IOS File Systems


Cisco IOS supports features to mitigate the risk of
malicious attempts to erase the contents of persistent
storage (NVRAM and flash) and features to prevent
corrupted Cisco IOS images from being loaded
secure boot-config (IOS Resilient Configuration): takes a
snapshot of the router running configuration and securely
archives it in persistent storage
secure boot-image (IOS Resilient Configuration): makes a
copy of the running router image and securely archives it in
persistent storage
file verify auto (IOS Image Verification): enables automatic image
verification
ip scp server enable: the IOS Secure Copy (SCP) feature
provides a secure and authenticated method for copying router
configuration and IOS image files to and from an IOS router

Role-Based CLI Access


Allows you to define CLI views, which provide
selective access and visibility to EXEC commands and
configuration information
Similar to EXEC privilege levels, CLI views restrict user
access to EXEC mode commands and limit visibility of
router configuration information
Unlike EXEC privilege levels, CLI views:
Are independent of one another
Multiple keyword commands can be assigned to a CLI view without the
view being automatically assigned the command associated with the
first keyword
May specify an interface or a group of interfaces to a CLI view, thereby
allowing command access on the basis of specified interfaces
Operate completely independently of EXEC mode privileges, and the list of
commands allowed within a CLI view can span multiple privilege levels

Management Plane Protection


Cisco IOS Software Release 12.4(6)T introduced the
Management Plane Protection (MPP) feature, which
allows any in-band (physical) interface to be dedicated
for OOB management
Provides greater flexibility because you are no longer
restricted to using the fixed console, auxiliary, and
management Ethernet ports for OOB management
Not only can you dedicate in-band interfaces for OOB
management, you can also restrict which management
protocols are allowed (for example, SSH versus Telnet)
Behavior of the console, auxiliary, and management Ethernet
interfaces does not change
Other interfaces not enabled for MPP are no longer accessible
in-band for MPP management protocols

AAA
Provides a highly flexible and scalable framework
through which you can set up centralized access
control for IP network access and/or remote terminal
access to AAA clients such as Cisco IOS routers
AAA servers facilitate the configuration of three
independent security functions in a consistent and
modular manner, including:
Authentication: the process of validating the claimed identity
of a user
Authorization: the act of granting access rights to a user or group
of users, on a command basis
Accounting: the methods of logging user connectivity
and activity

The AAA protocol used between AAA clients and AAA
servers can be TACACS+, RADIUS, or Kerberos

AutoSecure

Do not use this CMD in lab exam
unless explicitly mentioned

AutoSecure facilitates IP router security by simplifying
the configuration process of security policies
Offers a one-touch device lockdown capability
Supported in IOS Software Releases 12.3(1), 12.2(18)S,
and later

Rather than apply each of the individual Cisco IOS
security-related commands manually, AutoSecure
uses a single command to:
Disable nonessential system services and protocols that can be
exploited for network attacks
Enable IP services and features to help protect against attacks

This feature is directed toward customers lacking a
detailed understanding of Cisco IOS services and the
associated security implications

Network Telemetry and Security


In addition to securing the network and network
elements themselves, it is also critically important to be
able to identify and classify security events
Some of the network telemetry tools available include:
Log neighbor changes (BGP, OSPF, EIGRP, etc.)
BGP policy accounting
Embedded Event Manager (EEM)
IP source tracker
IP traffic export
NetFlow
NTP
SNMP
Syslog
RMON

Section 10
Configure Advanced Security

Exam Objectives

Configure mitigation techniques to respond to network attacks
Configure packet marking techniques
Implement security RFCs (RFC1918/3330, RFC2827/3704)
Configure Black Hole and Sink Hole solutions
Configure RTBH filtering (Remote Triggered Black Hole)
Configure Traffic Filtering using Access-Lists
Configure IOS NAT
Configure TCP Intercept
Configure uRPF
Configure CAR
Configure NBAR
Configure NetFlow
Configure Anti-Spoofing solutions
Configure Policing
Capture and utilize packet captures
Configure Transit Traffic Control and Congestion Management
Configure Cisco Catalyst advanced security features

Global Services That Should Be Disabled


Some Services, Turned on by Default, Should
Be Turned off to Save Memory and Prevent
Security Breaches/Attacks
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server

Interface Services You Turn Off


All Interfaces on a Backbone Router Should Have the
Following as a Default:
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no ip source-route

No Source Routing

[Figure: a host on the Internet announces "I'm 100.97.5.23, and here's the
route back to me" toward the Intranet network 100.97.0.0 through Serial 1]

interface Serial 1
ip address 64.100.2.32 255.255.255.252
no ip source-route
!

On by Default per RFC 1812
Requirements for IP Version 4 Routers
RFC 792: Internet Protocol

SNMP
Change your community strings; do not use public,
private, secret
Use different community strings for the RO and
RW communities
Use mixed alphanumeric characters in the community
strings: SNMP community strings can be cracked, too
Turn off SNMP if it isn't needed:
Cisco IOS: no snmp-server
Block SNMP access to outsiders

ICMP Message Types


Control the Direction of a Ping
access-list 111 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
!
interface Serial 0
ip access-group 111 in

Summary of ICMP Message Types

Type  Message
0     Echo Reply
3     Destination Unreachable
4     Source Quench
5     Redirect
8     Echo
11    Time Exceeded
12    Parameter Problem
13    Timestamp
14    Timestamp Reply
15    Information Request
16    Information Reply

IP Spoofing

[Figure: inside network 64.100.1.0/28 with hosts 64.100.1.12 and
64.100.1.14; an attacker on the outside claims one of the inside addresses]
Hacker claims he is one of the inside hosts
Inside host may have a trust relationship
with spoofed host

IP Spoofing: How to Avoid It


Deny incoming packets if source address
is one of yours
Deny outbound packets if source address
is not one of yours

Ingress Packet Filtering

You should not be sending any IP packets out to the
Internet with a source address other than the
addresses you have been allocated!

RFC 2827 (BCP 38)

Unicast Reverse Path Forwarding (uRPF)


Mitigates source address spoofing by checking that
a packet's return path uses the same interface it
arrived on
Source IP packets are checked to ensure that the route
back to the source uses the same interface
Requires CEF
Not always appropriate where asymmetric paths exist
ip cef
!
interface Serial 0
ip verify unicast (reverse-path | source reachable-via rx |
source reachable-via any) <ACL_Number>

Unicast RPF Techniques


uRPF Operates in Several Different Modes
Strict uRPF: requires that the source IP address of an
incoming packet has a FIB return path via the exact
same interface as that on which the packet arrived;
otherwise, the packet is dropped
Loose uRPF: requires that a valid FIB path entry via
any interface exist, excluding Null0, for the source IP
address of an incoming packet; otherwise, the packet
is dropped

uRPF Strict and Loose Modes

Strict Mode (a.k.a. v1)
router(config-if)# ip verify unicast source reachable-via rx
[Figure: a packet (S, D, data) arrives on i/f 1 of a router with
interfaces i/f 1, i/f 2 and i/f 3. FIB: S via i/f 1, D via i/f 3.
Same i/f as the FIB return path for S: forward. Other i/f: drop]

Loose Mode (a.k.a. v2)
router(config-if)# ip verify unicast source reachable-via any
[Figure: the same packet arrives on i/f 1. FIB: S via any i/f x,
D via i/f 3. Any i/f: forward. Src not in FIB or route = null0: drop]
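The two anti-spoofing checks from the preceding slides (the BCP 38 "deny inbound if the source is yours / deny outbound if it is not yours" rule, and strict versus loose uRPF over a FIB) written out in Python as an added example; this is not code from the Techtorial or from Cisco IOS. The FIB, prefixes, interface names and addresses are constructed, and the allow_default flag stands in for the IOS allow-default keyword, which excludes the default route from the check unless set:

```python
"""Added example (not part of the Techtorial): BCP 38 ingress/egress
anti-spoofing checks and a FIB-based strict/loose uRPF decision.
All prefixes, interfaces and addresses are constructed test data."""
import ipaddress

# Constructed FIB as (prefix, egress interface). "Null0" models a
# black-holed route, which loose uRPF must not treat as a valid return path.
FIB = [
    (ipaddress.ip_network("64.100.1.0/28"), "Ethernet0"),   # our inside LAN
    (ipaddress.ip_network("64.100.2.32/30"), "Serial1"),    # upstream link
    (ipaddress.ip_network("192.0.2.0/24"), "Null0"),        # black-holed
    (ipaddress.ip_network("0.0.0.0/0"), "Serial1"),         # default route
]
OUR_PREFIXES = [ipaddress.ip_network("64.100.1.0/28")]   # what we were allocated


def fib_lookup(src, allow_default=False):
    """Longest-prefix match for src; returns the egress interface or None.
    As with IOS uRPF, the default route only counts when allow_default is
    set (mirrors the allow-default keyword of ip verify unicast)."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def bcp38_ingress_permit(src):
    """Packet arriving from the Internet: a source inside our own
    allocation can only be spoofed, so deny it."""
    ip = ipaddress.ip_address(src)
    return not any(ip in p for p in OUR_PREFIXES)


def bcp38_egress_permit(src):
    """Packet leaving toward the Internet: only our allocated sources go."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in OUR_PREFIXES)


def urpf_permit(src, in_iface, mode="strict", allow_default=False):
    """uRPF decision for a packet with source src arriving on in_iface.
    strict: the FIB return path must use in_iface itself.
    loose:  any FIB entry other than Null0 is enough."""
    iface = fib_lookup(src, allow_default)
    if iface is None or iface == "Null0":
        return False          # source not in FIB or black-holed: drop
    if mode == "strict":
        return iface == in_iface
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


if __name__ == "__main__":
    # Spoofed inside address arriving from upstream: BCP 38 and strict
    # uRPF drop it; loose uRPF passes it because a route exists at all.
    print(bcp38_ingress_permit("64.100.1.5"))                 # False
    print(urpf_permit("64.100.1.5", "Serial1", "strict"))     # False
    print(urpf_permit("64.100.1.5", "Serial1", "loose"))      # True
    # Asymmetric routing: a legitimate source whose return path is another
    # interface fails strict mode (the slide's "not always appropriate").
    print(urpf_permit("64.100.2.34", "Ethernet0", "strict"))  # False
```

The last case is the caveat the slide raises: strict mode needs symmetric paths, so on interfaces where the return route may differ, loose mode (or an ACL exemption) is the usual compromise, at the cost of no longer catching spoofed addresses that are routable somewhere.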

Flexible Packet Matching (FPM)

Access Lists on Steroids
Considered the next generation of ACL
Introduced in IOS 12.4T and 12.2(18)ZY
Performs stateless deep packet inspection providing more granular
control than ACLs
Enables you to specify powerful custom pattern matching deep within the
packet header or payload to block viruses, worms, and attacks while
minimizing inadvertent filtering of legitimate network traffic
Traditional ACLs take a shotgun approach: legitimate traffic could
be blocked
Example: Stopping Slammer with ACLs meant blocking port 1434, denying business
transactions involving Microsoft SQL

FPM delivers flexible, granular Layer 2-7 matching at any offset within
the packet
e.g.: port 1434 + packet length 404B + specific pattern within payload identifies Slammer
[Figure: a bit-string match pattern combined with AND, OR and NOT operators]
Cisco.com/go/fpm

Flexible Packet Matching (FPM)

Configuration Example: Slammer Filter
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
class-map type stack match-all ip-udp
 match field IP protocol eq 17 next UDP
class-map type access-control match-all slammer
 match field UDP dest-port eq 1434
 match start IP version offset 224 size 4 eq 0x4041010
 match start l3-start offset 224 size 4 eq 0x4041010
!
policy-map type access-control udp-policy
 class slammer
  drop
policy-map type access-control fpm-policy
 class ip-udp
  service-policy udp-policy
!
interface GigabitEthernet0/1
 service-policy type access-control input fpm-policy

The access-control typed class defines the traffic pattern: UDP dest port
1434 and, starting from the IP header at offset 224 bytes, a 4-byte value
of 0x04041010 (the conditions are combined with match-all, so port 1434
alone does not match). The policy-map allows a choice of response
actions; drop is used here.
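To make the slide's point concrete (a port-only ACL blocks every UDP/1434 packet, while the FPM match needs the payload pattern as well), here is the same stateless match re-expressed in Python as an added example; it is not code from the Techtorial or from Cisco. The packets are constructed test data (zero filler with the four marker bytes inserted at offset 224), not captured traffic, and the header builder assumes a 20-byte IPv4 header with no options:

```python
"""Added example (not from the Techtorial): the FPM Slammer filter as a
stateless packet matcher, beside the port-only test a plain ACL makes.
Packets are constructed test data, not real traffic."""
import struct


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed test packet: 20-byte IPv4 header (no options, checksum
    left 0) + 8-byte UDP header + payload; offset 0 is the L3 start."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def acl_match_udp_1434(pkt):
    """What 'deny udp any any eq 1434' sees: IP protocol and UDP port only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return False
    ihl = (pkt[0] & 0x0F) * 4                     # header length in bytes
    if ihl < 20 or len(pkt) < ihl + 8:
        return False
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == 1434


def fpm_match_slammer(pkt):
    """The slide's policy with match-all semantics: IP protocol 17, UDP
    dest-port 1434, AND the 4 bytes at offset 224 from the start of the IP
    header (l3-start) equal to 0x04041010."""
    if not acl_match_udp_1434(pkt):
        return False
    if len(pkt) < 228:                            # pattern would be past the end
        return False
    return struct.unpack("!I", pkt[224:228])[0] == 0x04041010


def compare(pkt):
    """Verdict of both filters for one packet."""
    return {"acl": acl_match_udp_1434(pkt), "fpm": fpm_match_slammer(pkt)}


# Constructed samples.  The worm-like packet is 404 bytes as on the slide,
# with the marker at L3 offset 224 (payload offset 224 - 28 = 196).
_payload = bytearray(404 - 28)
_payload[196:200] = b"\x04\x04\x10\x10"
SLAMMER_LIKE = build_ipv4_udp("198.51.100.9", "192.168.1.20", 40000, 1434,
                              bytes(_payload))
# A short, legitimate-looking SQL Browser query to the same port.
LEGIT_SQL = build_ipv4_udp("192.168.1.50", "192.168.1.20", 50123, 1434, b"\x02")

if __name__ == "__main__":
    print(compare(SLAMMER_LIKE))   # {'acl': True, 'fpm': True}
    print(compare(LEGIT_SQL))      # {'acl': True, 'fpm': False}
```

The legitimate query is where the two approaches part ways: the ACL denies it along with the worm, the FPM-style match lets it through. Note that the matcher is stateless, as FPM is, so a pattern split across fragments is not reassembled here either.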

Limit the Impact of DoS Attacks:
Committed Access Rate

[Figure: traffic passes a traffic matching specification (several ways to
filter), then traffic measurement instrumentation (a token bucket
implementation with tokens and a burst limit), then an action policy:
conforming traffic continues to the next policy, excess traffic is
rate limited]

Committed Access Rate (CAR)

Use on edge routers to classify and/or rate
limit traffic
Can be applied to all traffic or a subset of the traffic
selected by an access list
Configured on an interface
rate-limit {input|output} access-group index bps normal-burst
max-burst conform-action action exceed-action action
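The token bucket behind CAR, as an added example in Python (not code from the Techtorial or from Cisco IOS): one class of traffic is selected, as the access-group keyword does, and policed at a committed rate with a normal burst, while everything else is transmitted untouched. Only the normal burst is modelled; CAR's extended-burst (max-burst) region, where excess is dropped probabilistically, is left out, so conform/exceed is a plain yes/no on available tokens. The traffic mix and the rate/burst values are constructed:

```python
"""Added example (not from the Techtorial): a token-bucket policer in the
spirit of CAR's rate-limit command. Models the normal burst only; the
extended burst (max-burst) is not modelled. Traffic is constructed."""


class TokenBucketPolicer:
    """Tokens (bytes) accrue at rate_bps/8 per second up to normal_burst."""

    def __init__(self, rate_bps, normal_burst):
        self.rate = rate_bps / 8.0            # bytes per second
        self.capacity = float(normal_burst)   # bucket depth in bytes
        self.tokens = float(normal_burst)     # bucket starts full
        self.last = 0.0
        self.conformed = 0
        self.exceeded = 0

    def offer(self, size, now):
        """Return 'conform' or 'exceed' for a size-byte packet seen at now."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            return "conform"
        self.exceeded += 1
        return "exceed"


def rate_limit(packets, policer, match_proto="icmp",
               conform_action="transmit", exceed_action="drop"):
    """packets: iterable of (time_seconds, proto, size_bytes), in time order.
    Only match_proto is policed (the role of 'access-group' in rate-limit);
    all other traffic is transmitted. Returns per-action counts."""
    counts = {"transmit": 0, "drop": 0}
    for now, proto, size in packets:
        if proto != match_proto:
            counts["transmit"] += 1
            continue
        verdict = policer.offer(size, now)
        action = conform_action if verdict == "conform" else exceed_action
        counts[action] += 1
    return counts


def demo_icmp_flood():
    """Constructed flood: 20 ICMP packets of 100 bytes at t=0 and one more
    at t=1 s, with two TCP packets interleaved, policed at 8000 bps with a
    1500-byte normal burst. 15 ICMP packets fit the burst, 5 are dropped,
    and by t=1 s enough tokens (1000 bytes) have returned for one more."""
    pkts = [(0.0, "icmp", 100) for _ in range(20)]
    pkts += [(0.0, "tcp", 1000), (0.5, "tcp", 1000), (1.0, "icmp", 100)]
    return rate_limit(pkts, TokenBucketPolicer(8000, 1500))


if __name__ == "__main__":
    print(demo_icmp_flood())   # {'transmit': 18, 'drop': 5}
```

The burst parameter is what decides how much of a short ICMP flood gets through before the rate takes over, which is why the slide's command takes normal-burst separately from the bps figure.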

Class-Based Weighted Fair Queuing
(Modular QoS CLI, MQC)

Traffic is queued by user-defined classes
A queue is reserved for each class
Queue uses tail drop or WRED
Unclassified traffic is flow-based

Configuring MQC
Three Required Steps:
1. Define Class-maps
Setup classes for traffic using ACL or Matching Ports

2. Define Policy-map
Assign action to class of traffic (bandwidth, police, drop, set)

3. Apply Service-Policy
Apply policy to desired interface

NBAR: Network-Based
Application Recognition
NBAR is used for classifying traffic
Classification of applications that dynamically assign
TCP/UDP port numbers
Classification of HTTP traffic by URL, HOST, or
Multipurpose Internet Mail Extension (MIME) type
Classification of application traffic using
sub-port information

Use the classification in conjunction with CAR
or traffic policing

Policing with NBAR Example

Use NBAR to classify the traffic:
class-map match-any p2p
 match protocol fasttrack
 match protocol gnutella
 match protocol napster
 match protocol http url \.hash=*
 match protocol http url /.hash=*
 match protocol kazaa2

Use traffic policing to limit the traffic:
policy-map p2p
 class p2p
  police cir 8000 bc 1500 be 1500 conform-action drop
   exceed-action drop
!
interface FastEthernet 0/0
 ip nbar protocol-discovery
 service-policy input p2p

NetFlow
Provides network administrators with
packet flow information
Allows for:
Traffic flow analysis
Security monitoring
Anomaly detection

Enabling NetFlow
Receive NetFlow information only on the specific
interface(s) of interest
Typical use case for NetFlow: Accounting, Security and
Capacity Planning
Router(config-if)# ip flow ingress

Starting with Cisco IOS v12.2(15)T, a simple ip flow
ingress interface command starts collecting
NetFlow data on that interface
This New Command Was Added in Cisco IOS v12.2(15)T
Older Command ip route-cache flow Also Enables Ingress
NetFlow on the Interface but Should No Longer Be Used

Verifying NetFlow (Sample Output)

Router# show ip cache flow
IP packet size distribution (85435 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  2728 active, 1368 inactive, 85310 added
  463824 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          20      0.0         1  1440      0.0       0.0       9.5
TCP-other        82580     11.2         1  1440     11.2       0.0      12.0
Total:           82582     11.2         1  1440     11.2       0.0      12.0

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         132.122.25.60   Se0/0         192.168.1.1     06 9AEE 0017     1
Et0/0         139.57.220.28   Se0/0         192.168.1.1     06 708D 0017     1
Et0/0         165.172.153.65  Se0/0         192.168.1.1     06 CB46 0017     1

Callouts on the slide: the packet size distribution is the traffic
classification, the protocol table is the flow info summary, and the
per-flow rows are the flow details; Pr, SrcP and DstP are in hex.

Cisco Catalyst Security and
Advanced Features

Practice Cisco Catalyst Security Features and Other
Advanced Cisco Catalyst Configuration; Some
Examples Are:
Port Security
Root/BPDU Guard
802.1x
Router ACLs, Port ACLs, VLAN ACLs
AAA on Switch
Traffic Control
802.1Q Protocol
SPAN, RSPAN

Section 11
Identify and Mitigate Network Attacks

Exam Objectives

Identify and protect against fragmentation attacks


Identify and protect against malicious IP option usage
Identify and protect against network reconnaissance attacks
Identify and protect against IP spoofing attacks
Identify and protect against MAC spoofing attacks
Identify and protect against ARP spoofing attacks
Identify and protect against Denial of Service (DoS) attacks
Identify and protect against Distributed Denial of Service (DDoS) attacks
Identify and protect against Man-in-the-Middle (MiM) attacks
Identify and protect against port redirection attacks
Identify and protect against DHCP attacks
Identify and protect against DNS attacks
Identify and protect against Smurf attacks
Identify and protect against SYN attacks
Identify and protect against MAC Flooding attacks
Identify and protect against VLAN hopping attacks
Identify and protect against various Layer2 and Layer3 attacks

Proactive vs. Reactive

The Questions in This Section of the Exam Are Mainly
Focused on Reactive Measures
Focus on techniques used to mitigate network attacks
Same tools and techniques are used as discussed in
the previous section, Advanced Security
Questions will also test knowledge of protocols, e.g.
TCP, HTTP, ICMP
Questions will also test knowledge of headers and
standard packet format, e.g. TCP header
Questions will also test knowledge of reading packet
captures and various show and debug outputs

Common Attacks
Network reconnaissance
MAC spoofing
Denial of Service (DoS)
ARP snooping
IP spoofing
Fragment attack
DHCP snooping
Smurf attack
DNS spoofing
TCP SYN attack

Knowledge of Protocols
Traffic Characterization
Packet Classification
Marking Techniques
Identifying Attack Patterns
Understanding Attack Vectors
Example: SYN, TCP/UDP options, ICMP Type/Code

Common Protocol and Port Numbers

Understanding Protocol Headers


Understanding & Interpreting ARP Header Structure
Understanding & Interpreting IP Header Structure
Understanding & Interpreting TCP Header Structure
Understanding & Interpreting UDP Header Structure
Understanding & Interpreting ICMP Header Structure
Understanding & Interpreting ICMP Type/Code
Understanding & Interpreting SYSLOG Messages
Understanding & Interpreting Sniffer Capture Outputs

Mitigation Using Various Techniques


Preventing SYN Attack using ACL
Preventing SYN Attack using NBAR
Preventing SYN Attack using Policing
Preventing SYN Attack using CBAC
Preventing SYN Attack using CAR
Preventing SYN Attack using TCP Intercept
Preventing SYN Attack using MPF

Mitigation Using Various Techniques


Preventing IP Spoofing Attack using anti-spoofing ACLs
Preventing IP Spoofing Attack using uRPF
Preventing IP Spoofing Attack using IP Source Guard

Mitigation Using Various Techniques


Preventing MAC Spoofing Attack using Port Security
Preventing ARP Spoofing Attack using DAI
Preventing STP Attack using Root/BPDU Guard
Preventing DHCP Spoofing Attack using Port Security
Preventing DHCP Spoofing Attack using DAI
Preventing Fragment Attack using ACL

Section 12
Preparation Resources and Test-Taking
Tips

Preparation Resources

Planning Resources
There is an abundance of material available to prepare
for the CCIE certification. However, you have to be very
selective of the material you choose to use
Choose materials that offer configuration examples and
take a hands-on approach
Look for materials approved or provided by Cisco and
its Learning Partners
Customize your study plan to reflect your own personal
strengths and weaknesses

A Good Study Plan Is Key to Your Success

Assessing Strengths
Evaluate your experience and knowledge in the major
topic areas listed on blueprint
Using the content blueprint, determine your experience
and knowledge level in the major topic areas
For areas of strength: practice for speed
For weaker areas: boost knowledge with training or
book study first, then practice

Trainings
Although No Formal Training Is Required for the
CCIE Security Certification, Cisco Recommends
the Following Training Courses, Which Are
Described Further on the Cisco Website at:
http://www.cisco.com/web/learning/le3/ccie/security/training.html

Books
Many Cisco Press and other vendor books are
available to assist in preparing for CCIE exams
A current list can be found on the CCIE website at
http://www.cisco.com/web/learning/le3/ccie/security/book_
list.html

No single resource is uniformly great; you will likely
need to add multiple books to your collection

Cisco Press Resources

Enhances Classroom or Web-Based Training
Cisco Press Learning Path:
Learn, Experience, Prepare, Practice, Expert-Level
www.ciscopress.com

Cisco Website CCO


Many candidates overlook one of the best resources
for useful material and technical information: the
Cisco website
There are many sample scenarios available on the
Tech Support pages for each Cisco product and
technology. For instance, the Tech Support page for
IPsec has more than 100 samples and tips available
These articles are written to reflect current trends and
demands and include sample diagrams, configurations,
and invaluable show and debug command outputs

Forums
Forums Can Play an Essential Role for a Candidate
During Preparation; You Can Generally Find Qualified
CCIEs and Other Security Engineers Available 24x7 to
Answer Your Queries and Work Through Your Technical
Problems
Cisco's Networking Professional Connection
http://www.cisco.com/go/netpro
Networking Professionals can post questions for technical assistance, seek suggestions
or share experiences at NetPro

Cisco Learning Network (CLN)

http://www.cisco.com/go/learnnetspace
Offers an online learning network to enhance and advance your IT career. Browse technical
content and connect and share insights, opinions, and knowledge with the community.

Cisco's Certification Online Support

http://www.cisco.com/go/certsupport
Q and A on certification-related topics such as exam info, books, trainings, requirements,
resources, tools and utilities, and much more

Documentation CD (Your Lifeline)


You need to be able to navigate the Cisco
documentation CD with confidence
This is the only resource you are allowed during
the exam and you will need to be able to look up
anything you need with speed and confidence
Make it part of your regular practice; if you are familiar
with it, it can save you time during the exam

Practice Labs
Practice lab exercises with a high level of complexity
will assist you in making improvements in your exam
strategy and identifying areas requiring extra study.
Practice labs can be used to gauge your readiness and
help identify your strengths and weaknesses. This will
help you refocus and revise your study plan and
adjust it according to your findings
Technical skill is not the only thing you need to work
on; time management and your exam-taking strategy
is also important to succeed in the CCIE exam.
Practice labs also assist you in improving your time
management and test-taking approach

Equipment (Home Lab vs. Rental Racks)


Although acquiring a personal home lab is an ideal
scenario, it can be costly to gather all the equipment to
build a security rack. You can start with just a few
devices: three to four routers, a switch, and an ASA
firewall. The goal is to obtain a thorough understanding
of the technologies and the architecture and also know
how they integrate with each other
For the hardware devices which are more costly to
obtain, such as the ASA firewall or IDS Sensor, I
would advise looking at renting the equipment online.
There are many vendors who provide such services.
This is far less expensive than purchasing a home
security rack

Test-Taking Tips

Lab Preparation: Hands-On Practice


Essential for passing lab
Borrow or rent equipment you can practice on
Two or three routers will support most scenarios
Build and practice scenarios for each topic
Go beyond the basics: practice additional features
If a technology has multiple configurations, practice
all of them
Learn show and debug commands for each topic

Lab Exam Tips

Reduce stress: arrive early
Leave yourself time: exam can run over
Read entire exam
Redraw topology to clarify scenario
Manage your time
Make no assumptions
Keep a list
Work questions as a unit
Test your work
Save configurations often
Minimize last-minute changes

Lab Exam Proctors


Ask the Proctor Questions
Proctor's role is to keep exam fair
Talk to proctor if you don't understand a question
Ask the proctor clarifying questions
Report any equipment or technical problems to proctor
as soon as they occur

For More Information


Beware of rumors
Visit the CCIE web page
http://www.cisco.com/go/ccie

Online Support
www.cisco.com/go/certsupport

E-mail
ccie-lab@cisco.com

Cheating
ccie-nda-enforcement@cisco.com

Recommended Reading
Network Security Technologies
and Solutions (CCIE Professional
Development Series)
ISBN: 1587052466
By Yusuf Bhaiji

Available Onsite at the Cisco Company Store

Recommended Reading (Cont.)


CCIE Security Practice Labs
(CCIE Self-Study)
ISBN: 1587051346
By Yusuf Bhaiji

Available Onsite at the Cisco Company Store

Recommended Reading (Cont.)


CCIE Security Exam
Quick Reference Sheets
ISBN: 1587053349
By Lancy Lobo, Umesh
Lakshman

Available Onsite at the Cisco Company Store

Q and A

Please Visit the Cisco Booth in the


World of Solutions
See the technology in action
Programs and Services
Presentations in the solutions theater
within the Cisco booth
View the schedule of presentations in your
conference guide

Recommended Reading
Network Security Technologies
and Solutions,
ISBN: 1-58705-246-6
CCIE Security Practice Labs,
ISBN: 1-58705-134-6
CCIE Security Exam Quick
Reference Sheets (Digital Short
Cut), ISBN: 1-58705-334-9
Cisco Access Control Security:
AAA Administration Services,
ISBN: 1-58705-124-9

Complete Your Online


Session Evaluation
Give us your feedback and you
could win fabulous prizes.
Winners announced daily.
Receive 20 Passport points for
each session evaluation you
complete.
Complete your session
evaluation online now (open a
browser through our wireless
network to access our portal) or
visit one of the Internet stations
throughout the Convention
Center.

Don't forget to activate your
Cisco Live Virtual account for access to
all session material, communities, and
on-demand and live activities throughout
the year. Activate your account at the
Cisco booth in the World of Solutions or visit
www.ciscolive.com.
