Monday, July 25, 2016

CCIE Security exam Notes

Cisco IOS methods:

Threat Management

Attack types
- Network reconnaissance
- Denial of Service (DOS)
- IP spoofing
- DHCP snooping
- DNS spoofing
- Session hijacking
- MAC Spoofing
- ARP snooping
- Fragment attack
- TCP syn attack

Attack Mitigations
- Traffic characterization
- Packet classification
- Marking Techniques
- Identifying Attack Patterns
- Understanding Attack vectors
- Common Protocol and Port numbers

Cisco IOS Mitigations Tools
- Cisco IOS firewalling (CBAC and ZFW) and Cisco IPS are well-known security features
- Other features available to identify and protect against attacks:
 : Flexible packet matching (FPM)
 : network-based application recognition (NBAR)
 : Netflow

Flexible Packet Matching (FPM):
- performs stateless deep packet inspection, providing more granular control than ACLs
- supports IPv4 and IPv6
- specify custom pattern matching deep within the packet header or payload to block viruses, worms, and attacks while minimizing inadvertent filtering of legitimate network traffic
- with ACLs, legitimate traffic could be blocked
 eg stopping Slammer with ACLs meant blocking port 1434, denying legitimate business transactions involving Microsoft SQL
- FPM delivers flexible, granular L2-7 matching at any offset within the packet
 eg port 1434 + packet length 404B + specific pattern within payload -> Slammer

FPM is stateless; it cannot keep track of traffic flow state through the configured interface (eg dynamically negotiated port numbers)
FPM cannot classify packets with IP options
FPM is not supported on tunnel or Multiprotocol Label Switching (MPLS) interfaces
Non-initial fragments will not be matched by FPM
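The Slammer match described above, written out as an FPM stack/access-control class pair (an added example, not from the notes). The PHDF location, interface name and the payload offset/value are assumptions for illustration, not a verified signature; the three match conditions are ANDed, which is why legitimate MS-SQL traffic on 1434 is left alone.

```ios
! Load the protocol header definition files so FPM can name IP/UDP fields
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! Stack class: parse the packet as IP, then hand the next header to UDP
class-map type stack match-all IP-UDP
 match field IP protocol eq 0x11 next UDP
!
! Access-control class: match-all = every condition must hold
! 0x59A = UDP port 1434, 0x194 = 404-byte IP length
class-map type access-control match-all SLAMMER
 match field UDP dest-port eq 0x59A
 match field IP length eq 0x194
 ! assumed 4-byte payload signature at byte 224 from the start of L3
 match start l3-start offset 224 size 4 eq 0x4011010
!
! Inner policy: drop only what matches the full signature
policy-map type access-control FPM-UDP-POLICY
 class SLAMMER
  drop
!
! Outer policy: only UDP-over-IP packets are passed to the inner policy
policy-map type access-control FPM-POLICY
 class IP-UDP
  service-policy FPM-UDP-POLICY
!
interface GigabitEthernet0/1
 service-policy type access-control input FPM-POLICY
!
! Verify drop counters:
! show policy-map type access-control interface GigabitEthernet0/1
```

Because FPM is stateless, the signature is evaluated per packet; a non-initial fragment carrying part of the payload will not hit the class, so pair this with fragment handling elsewhere.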

Config :

Network-Based Application Recognition (NBAR):
Used for classifying traffic

- Classification of applications that dynamically assign TCP/UDP port numbers
- Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type
- Classification of application traffic using sub-port information
- Can support customized applications
- Protocol discovery via Packet Description Language Modules (PDLMs), eg P2P
- Use the classification in conjunction with CAR or traffic policing

- NBAR doesn't support
 : non-IP traffic
 : MPLS-labelled packets
 : fragmented packets
 : pipelined persistent HTTP requests
 : URL/host/MIME classification with secure HTTP
 : asymmetric flows with stateful protocols

Config eg:
1. Identify the criteria of interest
2. All SCEP requests to the CA server must be tracked

show policy-map int e0/0
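An added NBAR example (not from the notes) for the SCEP-tracking case above: SCEP enrollment runs over HTTP against the CA's pkiclient.exe, so the requests are classified by URL and marked, while a P2P class is policed. The interface, class names, DSCP value and rate are assumptions.

```ios
! Protocol discovery first: see what is actually on the link
! (show ip nbar protocol-discovery interface Ethernet0/0)
interface Ethernet0/0
 ip nbar protocol-discovery
!
! SCEP requests are HTTP transactions to the CA's pkiclient.exe URL;
! classifying by URL works only for cleartext HTTP (see NBAR limits above)
class-map match-all SCEP-TO-CA
 match protocol http url "*pkiclient.exe*"
!
! P2P discovered via PDLMs, regardless of the ports it negotiates
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
!
policy-map CLASSIFY-APPS
 ! Mark SCEP so the counters track every enrollment request
 class SCEP-TO-CA
  set dscp cs2
 ! Police P2P to 256 kb/s and drop the excess
 class P2P
  police 256000 conform-action transmit exceed-action drop
!
interface Ethernet0/0
 service-policy input CLASSIFY-APPS
!
! Per-class packet/byte counters, as referenced in the notes:
! show policy-map interface Ethernet0/0
```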

Netflow :
- Provides network administrators with “packet flow” information
- Allows for
 : Traffic flow analysis
 : Security monitoring
 : Anomaly detection

Enable on an interface via # ip flow ingress
Tuned by MQC to identify interesting traffic
ip flow global commands customize output (vlan-id, mac-address)
Customize displays: ip flow-top-talkers

Netflow helps mitigate attacks
Netflow classifies the attack
Can be used for anomaly detection

Understanding Logical Planes:

Traffic to the control and management plane is always destined to the device: "receive packets" and "exception packets".

Traffic in the data plane is always destined through the device: "transit packets".

Control Plane Policing (CoPP):
Police and apply actions to inbound traffic types,
protecting bandwidth for essential operations

Control Plane Protection (CPPr):

Finer granularity for policing of inbound control plane traffic, providing the ability to rate-limit on each subinterface (host, transit, and CEF-exception) individually
Ability to limit protocol queue usage, eg limit eBGP on CEF-exception
Filter on closed or non-listening TCP/UDP ports on Cisco IOS devices
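CoPP and CPPr together, as an added example (not from the notes): an aggregate CoPP policy that guarantees routing protocols and rate-limits ICMP aimed at the router, plus a CPPr port-filter on the host subinterface that drops packets to ports the box is not listening on. Class names, ACL names and rates are assumptions.

```ios
! --- CoPP: applies to everything punted to the route processor ---
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
!
policy-map COPP
 ! Routing protocols: police only to gather counters, never drop
 class COPP-ROUTING-CLASS
  police 1000000 conform-action transmit exceed-action transmit
 ! ICMP to the device: 32 kb/s is plenty for ping/traceroute, drop floods
 class COPP-ICMP-CLASS
  police 32000 conform-action transmit exceed-action drop
 ! Everything else gets a hard ceiling
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- CPPr port-filter: host subinterface only ---
! Drop TCP/UDP packets to ports with no listening process (scans, probes)
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
policy-map type port-filter PORT-FILTER
 class CLOSED-PORTS
  drop
!
control-plane host
 service-policy type port-filter input PORT-FILTER
!
! Verify:
! show policy-map control-plane
! show control-plane host open-ports
```

Build the ACLs from what the router actually needs (routing peers, management sources) before tightening class-default, and watch the conform/exceed counters for a while to catch legitimate traffic landing in the wrong class.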

Control Plane Security :
Disable unused control plane services globally
- no service dhcp

ICMP techniques applied on interfaces that limit the need for ICMP messages
- no ip redirects, no ip unreachables

Selective packet discard - ip options, fragments
ip options drop
deny ip any any option traceroute

MD5 authentication
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco

BGP techniques - max prefixes, ttl-security
neighbor ttl-security hops 2
neighbor maximum-prefix 10 65 restart 5

OSPF ttl-security
ip ospf ttl-security hops 254

Route filtering and passive interfaces

Infrastructure ACLs

Selective packet discard IPv6 - prioritize routing packets (precedence 7)
ipv6 spd queue max-threshold 60000

ipv6 router ospf 21
 area 0 encryption ipsec

Management Plane Security Goals:
Limit threat potential by restricting device access
Authorize and monitor access activities
Only allow access from trusted sources
Understand what the device is doing and apply the best methods
 - management plane specific security features
 - protocol and best practice features

Management Plane Protection (MPP)
 control-plane host
  management-interface g0/1 allow http telnet

Password security
- SNMP security
- Remote terminal access security
- Disable idle user sessions
- Infrastructure ACLs
- Role-based CLI access

Data Plane Security Goals:
Prevent punting "transit" packets to the RP, as they require additional processing
Prevent forwarding unnecessary traffic; protect bandwidth and other devices
Discard unknowns as soon as possible
Drop all, or selectively drop, IP options
Disable redirects, source routing, directed broadcasts
- eg prevent SMURF attacks

Implement ICMP packet filtering (IPv4 vs IPv6)
- ICMPv4: reduce activities requiring the RP
- ICMPv6: Neighbor Discovery Protocol is a MUST

Unicast RPF
 - strict and loose modes

TTL expiry control
  - ttl expired in transit messages
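The control-plane and data-plane hardening items above (unused services, IP options, redirects/unreachables, directed broadcasts, uRPF strict vs loose, IPv6 SPD) pulled into one interface baseline, as an added example that is not from the notes. Interface names and roles are assumptions.

```ios
! Global: unused services and packets that need RP attention
no service dhcp
no ip bootp server
no ip source-route
! Drop every packet carrying IP options rather than punting it
ip options drop
! IPv6 SPD: keep precedence-7 routing packets ahead of the rest of the queue
ipv6 spd queue max-threshold 60000
!
interface GigabitEthernet0/0
 description Internet-facing, single path
 ! Strict uRPF: source must be reachable back out THIS interface
 ip verify unicast source reachable-via rx
 ! Do not generate redirects/unreachables (RP work, topology leak)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ! Smurf amplifier: never convert a directed broadcast into a L2 broadcast
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 description Peer with asymmetric routing
 ! Loose uRPF: strict mode would drop legitimate asymmetric returns,
 ! so only require that the source exist somewhere in the FIB
 ip verify unicast source reachable-via any
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
! Verify uRPF is active and counting drops:
! show ip interface GigabitEthernet0/0 | include verif|drop
! show ip traffic | include RPF
```

Strict mode belongs on stub or single-homed edges; on any interface where return traffic can arrive by a different path, loose mode (or no uRPF) avoids silently dropping good sources.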

Device management:
AAA for Device Security
- Local or remote (via AAA server)
- TACACS+ is the protocol of choice for device management
  allows for granular command control
  per-user access levels
- Audit is important to track configuration changes
- Console and line access can be controlled
- Role-based access control (RBAC) methods allow support for users grouped by requirements
  Admins versus Help Desk

RBAC requires that each role is represented by a group; users are created and become group members, allowing for individual audit trails and group policy application.

AAA and login on router lines
By default console and vty - no authentication or password

line vty 0 4
password cisco

At login it will ask for the password

If no password is set
you will get the message "Password required, but none set"

If no login is set, the line is open

If login local is set, a locally defined username/password is required.

Using aaa new-model

R1(config)# aaa new-model
No authentication is required at the console, but a local username and password is required for VTY

Default method:
R1(config)# aaa authentication login default local

The default method for authentication is applied to all lines, console and vty
Now vty and console both require username and password.
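Taking the AAA notes above one step further, as an added example (not from the notes): TACACS+ as the primary method with local fallback, per-command authorization (the granular control that separates admins from help desk), and accounting for the audit trail. Server address, key, ACL and names are placeholders.

```ios
aaa new-model
!
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key TACACS-KEY-PLACEHOLDER
aaa group server tacacs+ TAC-GRP
 server name TAC-PRIMARY
!
! Login: ask TACACS+ first; "local" is only consulted if no server answers
aaa authentication login default group TAC-GRP local
aaa authorization exec default group TAC-GRP local
! Every level-1 and level-15 command is authorized individually,
! so a help-desk role can be limited to show commands server-side
aaa authorization commands 1 default group TAC-GRP local
aaa authorization commands 15 default group TAC-GRP local
aaa authorization config-commands
! Accounting = who ran what, when (config-change audit)
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
!
! Fallback account for when TACACS+ is unreachable
username admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
! Only management sources may open a VTY
ip access-list standard MGMT-IN
 permit 192.0.2.0 0.0.0.255
 deny any log
!
line console 0
 login authentication default
 exec-timeout 10 0
line vty 0 4
 login authentication default
 access-class MGMT-IN in
 exec-timeout 10 0
 transport input ssh
!
! Verify before closing the console: test aaa group TAC-GRP <user> <pass> legacy
! and: show aaa sessions
```

Keep an open console session while applying this; if the key or server address is wrong, the local fallback only works once the router has decided the server is dead, not while it is answering with rejects.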


FlexVPN:
IKEv2-based unified VPN that consolidates site-to-site, remote access, hub-spoke and spoke-spoke topologies

FlexVPN highlights
- Common CLI: ikev2, ipsec-profiles
- Common infrastructure: leverages IOS p2p VTIs
- Support for dynamic routing for all deployments, or static via route-set
- DoS protection with anti-clogging cookie
- Simplified config using smart defaults
- IKEv2 standards compliant; consolidates IKEv1 and extensions

IKEv2 Exchanges
IKE_SA_INIT (2 messages) -> IKE_SA authentication parameters negotiated
IKE_AUTH (incl. CREATE_CHILD_SA) (2 messages) -> IKE authentication occurs and one CHILD_SA created

[diagram: A <-- protected data --> B, over the CHILD_SA]
No AUTH payload in IKE_AUTH(i) indicates use of EAP (additional IKE_AUTH exchanges)

Wireless authentication method:

WLC supports multiple dynamic interfaces -> WLANs -> SSIDs

AP receives an IP address from the pool and discovers the WLC address from DHCP option 43

Once the AP knows the WLC, it will be provisioned and managed by the WLC using CAPWAP over UDP (control channel, and 5247 for the data channel). This can be encrypted using DTLS

AP may be subject to a TrustSec auth method.

A client connects to the AP using the SSID

SSID mapped to a dynamic interface

WLAN profile applies the security policy

Client IP addresses issued from the DHCP server via the wired interface

Security for WLANs can be done at Layer 2 (WPA and WPA2) and Layer 3

The port-security keyword provides an additional level of security, as it will prevent a device from sending traffic on a switchport (apart from DHCP) until it receives an IP address from DHCP

On the ASA, to allow Telnet or SSH access, you need to specify the incoming source IP address or network and the interface

telnet inside
ssh inside

5-tuple on ASA:
- source IP address/port
- destination IP address/port
- protocol in use

Cisco ASA packet flow:
1. Check ACL. If a connection already exists, the ACL is bypassed.
2. Check the NAT table, if applicable.
3. Route lookup
4. MAC (L2) resolution

null is the null device

IPS # show interfaces brief