Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide
Second Edition
Catherine Paquet

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Contents

Introduction

Part I  Networking Security Fundamentals

Chapter 1  Network Security Concepts and Policies
  Building Blocks of Information Security
    Basic Security Assumptions
    Basic Security Requirements
    Data, Vulnerabilities, and Countermeasures
      Data Classification
      Vulnerabilities Classification
      Countermeasures Classification
  Need for Network Security
    Intent Evolution
    Threat Evolution
    Trends Affecting Network Security
  Adversaries, Methodologies, and Classes of Attack
    Adversaries
    Methodologies
    Threats Classification
    Man-in-the-Middle Attacks
    Overt and Covert Channels
    Botnets
    DoS and DDoS Attacks
  Principles of Secure Network Design
    Defense in Depth
  Evaluating and Managing the Risk
    Levels of Risks
    Risk Analysis
    Building Blocks of Risk Analysis
    A Lifecycle Approach to Risk Management
    Regulatory Compliance
  Security Policies
    Security Policy Components
      Governing Policy
      End-User Policies
      Technical Policies
    Standards, Guidelines, and Procedures
    Security Policy Roles and Responsibilities
    Security Awareness
  Secure Network Lifecycle Management
    IT Governance, Risk Management, and Compliance
    Secure Network Life Cycle
      Initiation Phase
      Acquisition and Development Phase
      Implementation Phase
      Operations and Maintenance Phase
      Disposition Phase
    Models and Frameworks
  Network Security Posture
    Security Testing
    Security Testing Techniques
    Common Testing Tools
  Incident Response
    Incident Management
    Computer Crime Investigations
    Laws and Ethics
    Liability
  Disaster Recovery and Business Continuity Planning
    Business Continuity Concepts
  Summary
  References
    Publications
    Web Resources
  Review Questions

Chapter 2  Security Strategy and Cisco Borderless Network
  Borderless Networks
    Cisco Borderless Network Security Architecture
    Borderless End Zone
    Borderless Internet
    Borderless Data Center
    Policy Management Layer
    Borderless Network Services
  SecureX, a Context-Aware Security Approach
    SecureX Core Components
    Security Products
  Threat Control and Containment
    Cisco Security Intelligence Operation
  Cloud Security, Content Security, and Data Loss Prevention
    Content Security
    Data Loss Prevention
    Cloud-Based Web Security
    Email Security
  Secure Connectivity Through VPNs
  Security Management
    Cisco Security Manager
  Summary
  References
  Review Questions

Part II  Protecting the Network Infrastructure

Chapter 3  Network Foundation Protection and Cisco Configuration Professional
  Threats Against the Network Infrastructure
  Cisco NFP Framework
    Control Plane Security
      CoPP
      CPPr
      Traffic Classes
      Routing Protocol Integrity
      Cisco AutoSecure
    Management Plane Security
      Secure Management and Reporting
      Role-Based Access Control
      AAA
    Data Plane Security
      Access Control List Filtering
  Deploying Cisco Configuration Professional
    CCP Initial Configuration
    Cisco Configuration Professional User Interface and Features
      Menu Bar
      Toolbar
      Navigation Pane
      Content Pane
      Status Bar
    Cisco Configuration Professional Building Blocks
      Communities
        Creating Communities
        Managing Communities
      Templates
      User Profiles
    Using CCP to Harden Cisco IOS Devices
      Security Audit
      One-Step Lockdown
      Cisco IOS AutoSecure
  Summary
  References
  Review Questions

Chapter 4  Securing the Management Plane on Cisco IOS Devices and AAA
  Configuring Secure Administration Access
    Configuring an SSH Daemon for Secure Management Access
    Configuring Passwords on Cisco IOS Devices
    Setting Timeouts for Router Lines
    Configuring the Minimum Length for Router Passwords
    Enhanced Username Password Security
    Securing ROM Monitor
    Securing the Cisco IOS Image and Configuration Files
    Configuring Multiple Privilege Levels
    Configuring Role-Based Command-Line Interface
  Implementing Secure Management and Reporting
    Planning Considerations for Secure Management and Reporting
    Secure Management and Reporting Architecture
    Secure Management and Reporting Guidelines
    Implementing Log Messaging for Security
      Using Syslog Logging for Network Security
      Using SNMP to Manage Network Devices
      SNMPv3 Architecture
      Enabling Time Features: Network Time Protocol
      Enabling SNMP Options Using Cisco CCP
  Configuring AAA on a Cisco Router
    Authentication, Authorization, and Accounting
    Authenticating Router Access
    Configuring AAA on a Cisco Router Using the Local Database
      Configuring AAA Local Authentication
      AAA Authentication and Method Lists
    Configuring AAA on a Cisco Router Using Cisco Secure ACS
      TACACS+ and RADIUS Protocols
        TACACS+
        RADIUS
        Comparing TACACS+ and RADIUS
      Cisco Secure ACS Overview
      Cisco Identity Services Engine
    Configuring AAA on a Cisco Router Using an External Database
      Configuration Steps for AAA Using an External Database
      AAA Servers and Groups
      AAA Authentication Method Lists
      AAA Authorization Policies
      AAA Accounting Policies
      AAA Configuration for TACACS+ Example
      Troubleshooting TACACS+
  Deploying and Configuring Cisco Secure ACS
    Evolution of Authorization
      Before: Group-Based Policies
      Now: More Than Just Identities
      Rule-Based Policies
    Configuring Cisco Secure ACS 5.2
    Configuring Authorization Policies for Device Administration
  Summary
  References
  Review Questions
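The Chapter 4 sections listed above (password encryption, minimum password length, line timeouts, SSH-only vty access, login throttling, username secrets) are the controls an auditor looks for in a running-config. The script below is an added example and is not code from the book or from Cisco: it parses a constructed, partially hardened IOS configuration and reports which of those controls are missing. The minimum-length threshold of 10, the two sample configurations and the finding wording are assumptions made for this example.

```python
"""Audit a Cisco IOS running-config for the management-plane controls of
Chapter 4. Added example, not the book's code; both configs are constructed."""
import re
from typing import Dict, List

MIN_PASSWORD_LENGTH = 10  # assumed policy threshold for this example

# Constructed sample: a router that still has several weak settings.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable password cisco123
username admin privilege 15 password 0 admin123
ip ssh version 1
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same router after hardening (hashes are placeholders).
HARDENED_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
enable secret 5 $1$abcd$placeholderhashforexample
username admin privilege 15 secret 5 $1$abcd$placeholderhashforexample
login block-for 120 attempts 3 within 60
ip ssh version 2
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 login local
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their parent line (e.g. 'line vty 0 4')."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def audit_management_plane(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top_level = set(sections)
    findings: List[str] = []

    if "service password-encryption" not in top_level:
        findings.append("service password-encryption missing")
    if not any(line.startswith("enable secret") for line in top_level):
        findings.append("enable secret missing (enable password is reversible)")
    match = next((re.match(r"security passwords min-length (\d+)", line)
                  for line in top_level
                  if line.startswith("security passwords min-length")), None)
    if match is None or int(match.group(1)) < MIN_PASSWORD_LENGTH:
        findings.append(f"security passwords min-length below {MIN_PASSWORD_LENGTH}")
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 not enforced")
    if not any(line.startswith("login block-for") for line in top_level):
        findings.append("login block-for (brute-force throttling) missing")
    for line in top_level:
        # 'username ... password' is type 0/7 (recoverable); 'secret' is hashed
        if re.match(r"username \S+ (privilege \d+ )?password ", line):
            findings.append(f"recoverable user password: {line.split()[1]}")

    for name, body in sections.items():
        if not name.startswith("line "):
            continue
        timeouts = [b for b in body if b.startswith("exec-timeout")]
        if not timeouts or timeouts[0].split()[1:3] == ["0", "0"]:
            findings.append(f"{name}: exec-timeout disabled or not explicitly set")
        if name.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport or transport[0] != "transport input ssh":
                findings.append(f"{name}: transport input is not ssh-only")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print("FAIL", finding)
    print("hardened config findings:", audit_management_plane(HARDENED_CONFIG))
```

The parser only understands the one-level indentation IOS uses for line and interface blocks, which is enough for these checks; a real audit would also cover SNMP community strings, the console/aux lines and the privilege-level and CLI-view configuration the chapter covers.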

Chapter 5  Securing the Data Plane on Cisco Catalyst Switches
  Overview of VLANs and Trunking
    802.1Q Trunking
    802.1Q Tagging and Native VLANs
    Configuring VLANs and Trunks
      Step 1: Configuring and Verifying 802.1Q Trunks
      Step 2: Creating a VLAN
      Step 3: Assigning Switch Ports to a VLAN
      Step 4: Configuring Inter-VLAN Routing
  Spanning Tree Overview
    STP Fundamentals
    RSTP and PVRST+
    Verifying Basic Switch Operation
  Layer 2 Best Practices
  Layer 2 Protection Toolkit
  Mitigating Layer 2 Attacks
    VLAN Attacks
      Mitigating VLAN Hopping Attacks
    Mitigating Spanning Tree Attacks
      PortFast
    Mitigating CAM Table Overflow Attacks
    Mitigating MAC Address Spoofing Attacks
    Using Port Security
    Errdisable Recovery
  Summary
  References
  Review Questions
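The Chapter 5 sections on CAM table overflow, port security and errdisable recovery describe an attack and its counter-measure that are easy to see in a small model. The class below is an added example, not code from the book: a toy learning switch whose CAM table can be filled by an attacker so that traffic to hosts learned later is flooded, and per-port port security with the three IOS violation modes (protect, restrict, shutdown) that stops the flood at the attacker's port. The switch model, port names and MAC addresses are constructed for illustration.

```python
"""Model of a switch CAM table, the CAM-overflow attack from Chapter 5, and
port security as the counter-measure. Added example, not from the book; the
switch model, port names and MAC addresses are constructed for illustration."""
from typing import Dict, Set


class Switch:
    """Tiny learning switch: one CAM table, optional port security per port."""

    def __init__(self, cam_capacity: int):
        self.cam_capacity = cam_capacity
        self.cam: Dict[str, str] = {}                 # source MAC -> ingress port
        self.port_security: Dict[str, dict] = {}      # port -> {max, mode, secure MACs}
        self.errdisabled: Set[str] = set()
        self.violations: Dict[str, int] = {}

    def enable_port_security(self, port: str, maximum: int = 1,
                             violation: str = "shutdown") -> None:
        """IOS violation modes: protect drops silently, restrict drops and
        counts, shutdown drops and err-disables the port."""
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode")
        self.port_security[port] = {"max": maximum, "mode": violation, "secure": set()}

    def errdisable_recover(self, port: str) -> None:
        """What 'errdisable recovery cause psecure-violation' does once its timer expires."""
        self.errdisabled.discard(port)

    def learn(self, port: str, src_mac: str) -> bool:
        """A frame with `src_mac` arrives on `port`; False means it was dropped."""
        if port in self.errdisabled:
            return False
        ps = self.port_security.get(port)
        if ps is not None and src_mac not in ps["secure"]:
            if len(ps["secure"]) >= ps["max"]:
                if ps["mode"] in ("restrict", "shutdown"):
                    self.violations[port] = self.violations.get(port, 0) + 1
                if ps["mode"] == "shutdown":
                    self.errdisabled.add(port)
                return False
            ps["secure"].add(src_mac)
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            return True        # table full: frame still forwarded, address not learned
        self.cam[src_mac] = port
        return True

    def forward(self, dst_mac: str) -> str:
        """Known destination -> its port; unknown unicast -> flooded to all ports."""
        return self.cam.get(dst_mac, "flood")

    def cam_overflow(self, attacker_port: str, count: int) -> int:
        """Attacker sends `count` frames with bogus sources; returns MACs learned."""
        before = len(self.cam)
        for i in range(count):
            self.learn(attacker_port, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}")
        return len(self.cam) - before


if __name__ == "__main__":
    victim = Switch(cam_capacity=100)
    print("learned from attacker:", victim.cam_overflow("Gi0/2", 150))
    victim.learn("Gi0/3", "00:00:00:00:00:0b")
    print("traffic to host B goes to:", victim.forward("00:00:00:00:00:0b"))

    hardened = Switch(cam_capacity=100)
    hardened.enable_port_security("Gi0/2", maximum=1, violation="shutdown")
    print("learned from attacker:", hardened.cam_overflow("Gi0/2", 150))
    hardened.learn("Gi0/3", "00:00:00:00:00:0b")
    print("traffic to host B goes to:", hardened.forward("00:00:00:00:00:0b"))
```

The model skips aging and the per-VLAN tables of a real switch, but it shows the mechanism: once the table is full, a legitimate host that has not been learned is reached by flooding, which is what puts its traffic on the attacker's port. Port security with a low maximum caps what one port can contribute; shutdown mode is the safest default because the port stays down until an administrator or errdisable recovery brings it back.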

Chapter 6  Securing the Data Plane in IPv6 Environments
  The Need for IPv6
  IPv6 Features and Enhancements
    IPv6 Headers
    Stateless Address Autoconfiguration
    Internet Control Message Protocol Version 6
    IPv6 General Features
    Transition to IPv6
    IPv6 Routing
  IPv6 Addressing
    IPv6 Address Representation
    IPv6 Address Types
    IPv6 Unicast Addressing
    Assigning IPv6 Global Unicast Addresses
      Interface ID Assignment
        Manual Interface Assignment
        EUI-64
        Stateless Autoconfiguration
        DHCPv6 (Stateful)
      IPv6 EUI-64 Interface Identifier
  IPv6 and Cisco Routers
    IPv6 Address Configuration Example
  Revisiting Threats: Considerations for IPv6
    Examples of Possible IPv6 Attacks
    Recommended Practices
  Summary
  References
  Review Questions
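The EUI-64 interface identifier that Chapter 6 covers is a fixed bit-level transformation of the 48-bit MAC address, so it is worth seeing it done rather than only described. The functions below are an added example, not code from the book: they build the modified EUI-64 identifier (insert FF:FE in the middle, invert the universal/local bit), combine it with a link-local or global /64 prefix, and run the mapping backwards to recover the MAC, which is the privacy concern behind the chapter's threat discussion. The MAC addresses and prefixes are constructed.

```python
"""EUI-64 interface identifiers (Chapter 6): MAC -> IID -> IPv6 address and back.
Added example, not the book's code; the MACs and prefixes are constructed."""
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: insert FFFE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02            # universal/local bit is bit 1 of octet 0
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host derives for itself from its MAC."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Inverse mapping: the MAC if the IID looks EUI-64 derived, else None.
    Shows why EUI-64 addresses reveal the hardware and are trackable across
    prefixes, the reason privacy extensions (RFC 4941) exist."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "001b.2c3d.4e5f"                      # constructed, Cisco dotted form
    print("EUI-64 IID :", mac_to_eui64(mac).hex())
    print("link-local :", link_local_from_mac(mac))
    print("global     :", eui64_address("2001:db8:1::/64", mac))
    print("recovered  :", mac_from_eui64_address("2001:db8:1:0:21b:2cff:fe3d:4e5f"))
```

The inverse function is the practical caveat: any EUI-64 address seen in logs or on the wire gives away the vendor OUI and the exact interface, and the same identifier follows the host from prefix to prefix.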

Part III  Threat Control and Containment

Chapter 7  Planning a Threat Control Strategy
  Threats Revisited
    Trends in Network Security Threats
  Threat Mitigation and Containment: Design Fundamentals
    Threat Control Design Guidelines
    Application Layer Visibility
    Distributed Security Intelligence
    Security Intelligence Analysis
    Integrated Threat Control Strategy
  Cisco Threat Control and Containment Categories
    Integrated Approach to Threat Control
    Application Awareness
    Application-Specific Gateways
    Security Management
    Security Intelligence Operations Site
  Cisco Threat Control and Containment Solutions Fundamentals
    Cisco Security Appliances
    Cisco IPSs
  Summary
  References
  Review Questions

Chapter 8  Access Control Lists for Threat Mitigation
  ACL Fundamentals
    Types of IP ACLs
  ACL Wildcard Masking and VLSM Review
    Subnetting Overview
    Subnetting Example
    Subnetting Example: Class C
    Variable-Length Subnet Masking
      A Working VLSM Example
    ACL Wildcard Bits
      Example: Wildcard Masking Process for IP Subnets
      Example: Wildcard Masking Process with a Single IP Address
      Example: Wildcard Masking Process with a Match Any IP Address
  Using ACLs to Control Traffic
    Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet
    Numbered Extended IPv4 ACL
    Displaying ACLs
    Enhancing ACLs with Object Groups
    ACL Considerations
  Configuring ACLs for Threat Control Using Cisco Configuration Professional
    Rules in Cisco Configuration Professional
    Working with ACLs in CCP
      ACL Editor
      Adding Rules
      Associating Rules with Interfaces
      Enabling Logging with CCP
      Monitoring ACLs with CCP
      Configuring an Object Group with CCP
  Using ACLs in IPv6 Environments
  Summary
  References
  Review Questions
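The three wildcard-masking examples in Chapter 8 (a subnet, a single host, match any) and the standard-ACL example that denies one subnet all come down to the same bit operation, so one program can cover all of them. The code below is an added example, not the book's or Cisco's: it derives a wildcard mask from a prefix length or a subnet mask, tests whether an address matches an access-control entry, and evaluates a constructed standard ACL top to bottom with the implicit deny at the end. It goes a little beyond the chapter's examples by also showing the classic mistake of typing a subnet mask where a wildcard mask belongs. The ACL and addresses are constructed.

```python
"""Wildcard-mask arithmetic and first-match ACL evaluation behind the
Chapter 8 examples. Added example, not the book's code; the ACL and
the addresses below are constructed."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen: int) -> str:
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length out of range")
    mask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.240.0 -> 0.0.15.255, i.e. 255.255.255.255 minus the mask."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(subnet_mask))))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """An entry matches when every bit the wildcard marks 0 is identical in
    the packet address and the entry's address; wildcard 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & ALL_ONES) == 0


# (action, address, wildcard); "host x" is (x, 0.0.0.0), "any" is (0.0.0.0, 255.255.255.255)
Ace = Tuple[str, str, str]


def evaluate_standard_acl(acl: List[Ace], src: str) -> str:
    """First matching entry wins; IOS appends an implicit 'deny any'."""
    for action, base, wildcard in acl:
        if matches(src, base, wildcard):
            return action
    return "deny"


# Constructed ACL: one host exception, then deny its /24, then permit the rest.
ACL_10: List[Ace] = [
    ("permit", "192.168.1.10", "0.0.0.0"),
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def subnet_mask_typed_as_wildcard(addr: str) -> bool:
    """The common error: 'deny 192.168.1.0 255.255.255.0' as a wildcard checks
    only the last octet, so it matches every address ending in .0 anywhere."""
    return matches(addr, "192.168.1.0", "255.255.255.0")


if __name__ == "__main__":
    print("wildcard for /27      :", wildcard_from_prefix(27))
    print("wildcard for 255.255.240.0:", wildcard_from_mask("255.255.240.0"))
    for src in ("192.168.1.10", "192.168.1.55", "10.0.0.1"):
        print(f"{src:>14} -> {evaluate_standard_acl(ACL_10, src)}")
    print("8.8.8.0 hits the mistyped entry:", subnet_mask_typed_as_wildcard("8.8.8.0"))
```

Ordering matters as much as the masks: the host permit has to precede the subnet deny, or it never fires. Standard ACLs test only the source address, which is why the evaluator takes a single address; an extended ACL would add destination, protocol and ports to the same first-match loop.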

Chapter 9  Firewall Fundamentals and Network Address Translation
  Introducing Firewall Technologies
    Firewall Fundamentals
    Firewalls in a Layered Defense Strategy
    Static Packet-Filtering Firewalls
    Application Layer Gateways
    Dynamic or Stateful Packet-Filtering Firewalls
    Other Types of Firewalls
      Application Inspection Firewalls, aka Deep Packet Inspection
      Transparent Firewalls (Layer 2 Firewalls)
  NAT Fundamentals
    Example of Translating an Inside Source Address
    NAT Deployment Choices
  Firewall Designs
    Firewall Policies in a Layered Defense Strategy
    Firewall Rules Design Guidelines
  Summary
  References
  Review Questions

Chapter 10  Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA
  Cisco Firewall Solutions
  Cisco IOS Zone-Based Policy Firewall
    Introduction to Zone-Based Service Policy
    Zone-Based Policy Firewall Overview
    Zones and Zone Pairs
    Self Zone
    Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction
    Cisco Common Classification Policy Language
    Zone-Based Policy Firewall Actions
    Zone Pair Assignments
    Zone-Based Policy Firewall: Rules for Router Traffic
    Topology Examples
  Configuring Basic Interzone Policies Using CCP and the CLI
    Step 1: Start the Basic Firewall Wizard
    Step 2: Select Trusted and Untrusted Interfaces
    Step 3: Review and Verify the Resulting Policies
    Step 4: Tuning the Configuration
    Step 5: Enabling Logging
    Step 6: Verifying Firewall Status and Activity
    Step 7: Modifying Zone-Based Firewall Configuration Objects
    Verifying the Configuration Using the CLI
  Configuring NAT Services for Zone-Based Firewalls
    Step 1: Run the Basic NAT Wizard
    Step 2: Select NAT Inside and Outside Interfaces
    Step 3: Verify NAT with CCP and the CLI
  Cisco ASA Firewall
    Stateful Packet Filtering and Application Awareness
    Network Services Offered by the Cisco ASA 5500 Series
      Network Address Translation
      Additional Network Services
    Cisco ASA Security Technologies
    Cisco ASA Configuration Fundamentals
    Cisco ASA 5505
    Cisco ASDM
      Preparing the Cisco ASA 5505 for ASDM
      Cisco ASDM Features and Menus
    Cisco Modular Policy Framework
      Class Map: Identifying Traffic on Which a Policy Will Be Enforced
      Policy Map: Configuring the Action That Will Be Applied to the Traffic
      Service Policy: Activating the Policy
    Cisco ASA Modular Policy Framework: Configuration Steps Using Cisco ASDM
    Scenario: Basic Outbound Access Control on a Cisco ASA Using Cisco ASDM
  Other Resources
    Cisco.com Resources
    CCP and ASDM Demo Mode Tutorials
  Summary
  References
  Review Questions

Chapter 11  Intrusion Prevention Systems
  IPS Fundamentals
    Introducing IDS and IPS
    So, IDS or IPS? Why Not Both?
    Alarm Types
    Simple Example
    Intrusion Prevention Technologies
      Signature-Based IDS/IPS
      Policy-Based IDS/IPS
      Anomaly-Based IDS/IPS
      Reputation-Based IPS
    IPS Attack Responses
    IPS Anti-Evasion Techniques
    Risk-Based Intrusion Prevention
    IPv6-Aware IPS
    IPS Alarms: Event Monitoring and Management
    Global Correlation
    IPS Deployment
  Cisco IPS Offerings

    Cisco IPS Architecture
  Cisco IOS IPS
    Cisco IOS IPS Features
    IPS Best Practices
    Scenario: Protecting the Branch Office Against Inside Attack
  Signatures
    Signature Files
    Signature Management
    Examining Signature Microengines
    Signature Tuning
    Optimal Signature Set
    Monitoring IPS Alarms and Event Management
  Configuring Cisco IOS IPS Using Cisco Configuration Professional
    Step 1: Download Cisco IOS IPS Signature Package
    Step 2: Launch IPS Policies Wizard and Verify Configuration
    Step 3: Configuring Cisco IOS IPS Using the CLI
    Step 4: Perform Signature Tuning
    Step 5: Verify Alarms
  Summary
  References
    Cisco.com Resources
    General IDS/IPS Resource
  Review Questions

Part IV  Secure Connectivity

Chapter 12  Fundamentals of Cryptography and VPN Technologies
  VPN Overview
    VPN Types
    Site-to-Site VPNs
    Remote-Access VPNs
  Examining Cryptographic Services
    Cryptology Overview
    The History of Cryptography
    Ciphers

    Block and Stream Ciphers
      Block Ciphers
      Stream Ciphers
    The Process of Encryption
    Encryption Application Examples
    Cryptanalysis
    Desirable Encryption Algorithm Features
    Key Management
      Key Management Components
      Keyspaces
      Key Length Issues
      Example of the Impact of Key Length
  Symmetric and Asymmetric Encryption Overview
    Symmetric Encryption Algorithms
      Comparing Symmetric Encryption Algorithms
      DES
        DES Modes of Operation
        DES Security Guidelines
      The Rijndael Cipher
      AES Versus 3DES
    Asymmetric Encryption Algorithms
      Public Key Confidentiality
    Encryption Algorithm Selection
  Cryptographic Hashes and Digital Signatures
    Hashing Algorithms
      MD5
      SHA-1
      SHA-2
    Hashed Message Authentication Codes
    Overview of Digital Signatures
      Digital Signatures = Encrypted Message Digest
    Diffie-Hellman
      Diffie-Hellman Example
  Cryptographic Processes in VPNs
    Asymmetric Encryption: Digital Signatures Overview
    Asymmetric Encryption: Public Key Authentication
    RSA and Digital Signatures
  Public Key Infrastructure
    PKI Terminology and Components
    Certificate Classes
    Certificate Authorities
    PKI Standards
    Certificate Revocation
    Certificate Use
    Digital Certificates and CAs
  Summary
  References
    Books and Articles
    Standards
    Encryption Regulations
  Review Questions

Chapter 13  IPsec Fundamentals
  IPsec Framework
    Suite B Cryptographic Standard

    Encryption Algorithms
    Key Exchange: Diffie-Hellman
    Data Integrity
    Authentication
  IPsec Protocol
    Authentication Header
    Encapsulating Security Payload
  IPsec Modes of Operations
    Transport Mode
    Tunnel Mode
  IKE Protocol
    IKEv1 Modes
    IKEv1 Phases
      IKEv1 Phase 1
      IKEv1 Phase 1 Example
      IKEv1 Phase 2
    IKE Version 2
    IKEv1 Versus IKEv2
  IPsec Services for Transitioning to IPv6
    IPv6 VPNs
  Summary
  References
    Books
    Cisco.com Resources
  Review Questions
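Diffie-Hellman appears twice above: as the "Diffie-Hellman Example" in Chapter 12 and as the IKE key exchange ("Key Exchange: Diffie-Hellman") in Chapter 13. The program below is an added example, not code from the book: it runs the exchange over the small textbook group p = 23, g = 5 so every step is checkable by hand, derives a usable symmetric key from the shared value, rejects the degenerate public values a peer must never accept, and then plays the eavesdropper by brute-forcing the private exponent, which is trivial here and is exactly why IKE uses groups of 2048 bits or more. The toy parameters and the exponents 6 and 15 are constructed for illustration.

```python
"""Diffie-Hellman as described in Chapters 12 and 13. Added example, not the
book's code; the toy group (p=23, g=5) and exponents are constructed."""
import hashlib
import secrets
from typing import Optional, Tuple

P_TOY, G_TOY = 23, 5      # textbook-size group: fine to reason about, useless in practice


def is_degenerate_public(p: int, value: int) -> bool:
    """0, 1 and p-1 force the shared secret to 0, 1 or +-1; never accept them."""
    return value <= 1 or value >= p - 1


def dh_keypair(p: int, g: int, private: Optional[int] = None) -> Tuple[int, int]:
    """Return (private, public) with public = g^private mod p."""
    if private is None:
        private = secrets.randbelow(p - 3) + 2          # uniform in 2 .. p-2
    if not 1 < private < p - 1:
        raise ValueError("private value out of range")
    return private, pow(g, private, p)


def dh_shared_secret(p: int, peer_public: int, private: int) -> int:
    """shared = peer_public^private mod p, after validating the peer's value."""
    if is_degenerate_public(p, peer_public):
        raise ValueError("degenerate peer public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, p: int) -> bytes:
    """The raw shared integer is not a key; hash it (IKE uses a PRF) to fixed size."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def brute_force_private(p: int, g: int, public: int) -> Optional[int]:
    """The eavesdropper's job: solve g^x = public mod p. Linear time in p here;
    infeasible for the 2048-bit and larger groups real IKE deployments use."""
    for x in range(1, p - 1):
        if pow(g, x, p) == public:
            return x
    return None


def toy_exchange() -> Tuple[int, int, int]:
    """Alice (a=6) and Bob (b=15) over the toy group; returns (A, B, shared)."""
    a, alice_public = dh_keypair(P_TOY, G_TOY, 6)
    b, bob_public = dh_keypair(P_TOY, G_TOY, 15)
    shared_alice = dh_shared_secret(P_TOY, bob_public, a)
    shared_bob = dh_shared_secret(P_TOY, alice_public, b)
    assert shared_alice == shared_bob
    return alice_public, bob_public, shared_alice


if __name__ == "__main__":
    A, B, s = toy_exchange()
    print(f"A = 5^6 mod 23 = {A}, B = 5^15 mod 23 = {B}, shared = {s}")
    print("derived key:", derive_key(s, P_TOY).hex())
    print("eavesdropper recovers a =", brute_force_private(P_TOY, G_TOY, A))
```

Two points carry over to production: the peer-value check is not optional (a peer sending 1 or p-1 pins the secret to a known value), and the shared integer must go through a key-derivation step before it touches a cipher or an HMAC.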

Chapter 14  Site-to-Site IPsec VPNs with Cisco IOS Routers
  Site-to-Site IPsec VPN Operations
  Site-to-Site IPsec: Planning and Preparation
    Planning Checklist
    Building Blocks of Site-to-Site IPsec
      IKE Proposals
      Interesting Traffic and Crypto ACLs
      Mirrored Crypto ACLs
      Cipher Suite
      Crypto Map
  Configuring a Site-to-Site IPsec VPN Using CCP
    Initiating the VPN Wizard
    VPN Connection Information
    IKE Proposals
    Transform Set
    Traffic to Protect
    Configuration Summary
    Creating a Mirror Configuration for the Peer Site
  Verifying the IPsec Configuration Using CCP and CLI
    Verifying IPsec Configuration Using CLI
    Verifying IKE Policy Using the CLI
    Verifying IKE Phase 2 Policy Using the CLI
    Verifying Crypto Maps Using the CLI
  VPN Troubleshooting
    Monitoring Established IPsec VPN Connections
    IKE Policy Negotiation
    Monitoring IKE Security Association
    Monitoring IPsec Security Association
  Summary
  References
  Review Questions

Chapter 15  SSL VPNs with Cisco ASA
  SSL VPNs in Borderless Networks
    Cisco SSL VPN
  SSL and TLS
    SSL and TLS Protocol Framework
    SSL Cryptography
    SSL Tunnel Establishment
    SSL Tunnel Establishment Example
  Cisco SSL VPN Deployment Options and Considerations
    Cisco SSL VPN Client: Full Network Access
  SSL VPN on Cisco ASA in Clientless Mode
    Clientless Configuration Scenario
    Task 1: Launch the Clientless SSL VPN Wizard from ASDM
    Task 2: Configure the SSL VPN Interface
    Task 3: Configure User Authentication
    Task 4: Configure User Group Policy
    Task 5: Configure a Bookmark List
    Task 6: Verify the Clientless SSL VPN Wizard Configuration
    Log In to the VPN Portal: Clientless SSL VPN
  SSL VPN on Cisco ASA Using the Cisco AnyConnect VPN Client
    AnyConnect Configuration Scenario
    Phase 1: Configure Cisco ASA for Cisco AnyConnect
      Task 1: Connection Profile Identification
      Task 2: VPN Protocols and Device Certificate
      Task 3: Client Image
      Task 4: Authentication Methods
      Task 5: Client Address Assignment
      Task 6: Network Name Resolution Servers
      Task 7: Network Address Translation Exemption
      Task 8: AnyConnect Client Deployment Summary
    Phase 2: Configure the Cisco AnyConnect VPN Client
    Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client
    Verifying VPN Connectivity from Cisco ASA
  Summary
  References
  Review Questions

Appendix A  Answers to Chapter Review Questions

Index