Course Outline

• Chapter 1. Networking Security Concepts

• Chapter 2. Common Security Threats
• Chapter 3. Implementing AAA in Cisco IOS
• Chapter 4. Bring Your Own Device (BYOD)
• Chapter 5. Fundamentals of VPN Technology and Cryptography
• Chapter 6. Fundamentals of IP Security
• Chapter 7. Implementing IPsec Site-to-Site VPNs
• Chapter 8. Implementing SSL VPNs Using Cisco ASA
• Chapter 9. Securing Layer 2 Technologies
• Chapter 10. Network Foundation Protection
• Chapter 11. Securing the Management Plane on Cisco IOS Devices
• Chapter 12. Securing the Data Plane in IPv6
• Chapter 13. Securing Routing Protocols and the Control Plane
• Chapter 14. Understanding Firewall Fundamentals
• Chapter 15. Implementing Cisco IOS Zone-Based Firewalls
• Chapter 16. Configuring Basic Firewall Policies on Cisco ASA
• Chapter 17. Cisco IDS/IPS Fundamentals
• Chapter 18. Mitigation Technologies for E-mail-Based and Web-Based Threats
• Chapter 19. Mitigation Technologies for Endpoint Threats

CCNA Sec Page 1

CCNA Sec 01

• The basics of IT security: CIA (Confidentiality, Integrity, Availability)

• Confidentiality.
• Measures that prevent disclosure of information or data to unauthorized individuals or systems.
• Integrity.
• Protecting the data from unauthorized alteration or revision.
• Often ensured through the use of a hash.
• Availability.
• Making systems and data ready for use when legitimate users need them at any time.
• Guaranteed by network hardening mechanisms and backup systems.
• Attacks against availability all fall into the “denial of service” realm.
• Asset.
• It is anything that is valuable to an organization.
• Vulnerability.
• An exploitable weakness in a system or its design.
• Threat.
• Any potential danger to an asset.
• Countermeasure.
• A safeguard that somehow mitigates a potential risk.
• Risk.
• The potential for unauthorized access to, compromise, destruction, or damage to an asset.
• Classifying Assets.
• One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in
a given class.

• Classifying Vulnerabilities.
• Policy flaws
• Design errors

CCNA Sec Page 2

• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Physical access to network resources
• Potential Attackers.
• Terrorists
• Criminals
• Government agencies
• Nation states
• Hackers
• Disgruntled employees
• Competitors
• Attack Methods.
• Reconnaissance.
• This is the discovery process used to find information about the network.
• Social engineering.
• Leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks):
the user.
• Could be done through e-mail or misdirection of web pages, which results in the user clicking something that
leads to the attacker gaining information.
• Phishing.
• Presents a link that looks like a valid trusted resource to a user.
• Pharming.
• Used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the
valid site to the user.
• Privilege escalation.
• The process of taking some level of access and achieving an even greater level of access.
• Backdoor.
• Application can be installed to allow access.
• Code execution.
• When attackers can gain access to a device, they might be able to take several actions.
• Man-in-the-Middle Attacks.
• Results when attackers place themselves in line between two devices that are communicating.
• To mitigate this risk, you could use techniques such as DAI (Dynamic ARP Inspection).
• Additional Attack Methods.
• Covert channel.
• Uses programs or communications in unintended ways.
• For ex. If web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-
peer traffic inside of HTTP traffic.
• Also a backdoor application collecting keystroke information from the workstation and then sending it out as
ICMP or http packet.
• Trust exploitation.
• Ex. an attacker could leverage his gaining access to a DMZ host, and using that location to launch his attacks
from there to the inside network.
• Brute-force (password-guessing) attacks.
• Performed when an attacker’s system attempts thousands of possible passwords looking for the right match.
CCNA Sec Page 3
• Performed when an attacker’s system attempts thousands of possible passwords looking for the right match.
• Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time.
• DoS (Denial of Service).
• An attack is launched from a single device with the intent to cause damage to an asset
• DDoS (Distributed Denial-of-Service).
• An attack is launched from multiple devices as from botnet network.
• Botnet.
• A collection of infected computers that are ready to take instructions from the attacker.
• RDoS (Reflected DDoS).
• When the source of the initial (query) packets is actually spoofed by the attacker.
• The response packets are then “reflected” back from the unknowing participant to the victim of the attack.
• Guidelines for Secure Network Architecture.
• Rule of least privilege.
• Minimal access should only provided to the required network resources.
• Defense in depth.
• You should have security implemented on an early every point of your network.
• Ex. filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches
your servers, and using host-based security precautions at the servers, as well.
• Separation of duties.
• Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being
addressed, because a person who moves into a new role will be required to review the policies in place.
• Auditing.
• Accounting and keeping records about what is occurring on the network.
• Common forms of social engineering.
• Phishing.
• Elicits secure information through an e-mail message that appears to come from a legitimate source such as a
service provider or financial institution.
• The e-mail message may ask the user to reply with the sensitive data, or to access a website to update
information such as a bank account number.
• Malvertising.
• This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being
inadvertently redirected to sites hosting malware.
• Phone scams.
• An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of
the organization and then using that information to start building a database to leverage for a future attack.
• Defenses Against Social Engineering.
• Password management.
• The number and type of characters that each password must include, how often a password must be changed.
• Two-factor authentication.
• Use two-factor authentication rather than fixed passwords.
• Antivirus/antiphishing defenses.
• Document handling and destruction.
• Sensitive documents and media must be securely disposed of and not simply thrown out with the regular
office trash.
• Physical security.
• Malware Identification Tools.
• Packet captures.
• Snort IDS
- An open source IDS/IPS developed by the founder of Sourcefire.

CCNA Sec Page 4

- An open source IDS/IPS developed by the founder of Sourcefire.
• NetFlow
• IPS events
• Advanced Malware Protection (AMP).
• Designed for Cisco FirePOWER network security appliances.
• Provides visibility and control to protect against highly sophisticated, targeted, zero -day, and persistent
advanced malware threats.
• NGIPS (Next-Generation Intrusion Prevention System).
• The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high
inspection throughput rates.
Implementing AAA in Cisco IOS
• Administrative access methods.
• Password only.
• Local database.
• AAA Local Authentication (self-contained AAA).
• AAA Server-based.
• AAA provides:
• Authentication.
• Who is permitted to access a network.
• Authorization.
• What they can do while they are there.
• Accounting.
• Records in details what they did.
• Methods of implementing AAA services.
• Local AAA Authentication.
- Uses a local database stored in the router for authentication.
• Server-Based AAA Authentication.
- Uses an external database server that leverages RADIUS or TACACS+ protocols.
- Preferred in large environment.
• Server-Based Authentication
• The user establishes a connection with the router.
• The router prompts the user for a username and password.
• The router passes the username and password to the Cisco Secure ACS.
• The ACS authenticates and authorizes the user based on its database.
• ACS (Access Control Server).
• Can create a central user and administrative access DB that all network devices can access.
• Can work with many external databases, such as Active Directory.
• Supports both TACACS+ and RADIUS protocols.
• Both protocols can be used to communicate between AAA client (Router) and AAA servers (ACS).
• Provides user and device group profiles.
• Restrictions to network access based on a specific time.
• Can be software installed on windows server or a physical appliance can be purchased from Cisco.
• RADIUS (Remote Authentication Dial-In User Service).
• Open standard, RFCs 2865, 2866, 2867, and 2868.
• Combines authentication & authorization, but separates accounting.
• Supports detailed accounting required for billing users, so preferred by ISPs.
• Encrypts only the password.
• Does not encrypt user name, or any other data in the message.

CCNA Sec Page 5

• Does not encrypt user name, or any other data in the message.
• Used UDP port 1645 & now 1812 for authentication & authorization.
• Used UDP port 1646 & now 1813 for accounting.
• Supports remote-access technologies, 802.1X, and SIP.

• TACACS+ (Terminal Access Control Access Control Server).

• Cisco proprietary.
• Separates authentication and authorization.
• Provides limited detailed accounting.
• Encrypts all packet not only the password.
• Utilizes TCP port 49.
• Multiprotocol support, such as IP and AppleTalk.
• Incompatible with any previous version of TACACS.

• AAA clients must run Cisco IOS Release 11.2 or later.

• ISE (Identity Services Engine).
• An identity and access control policy platform.
• Can validate that a computer meets the requirements of a company’s policy related to virus definition files,
service pack levels, and so on before allowing the device on the network.
• Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent
replacement for ACS.
• ACS should be used mainly for AAA, and ISE for the posturing & policy compliance checking for hosts.
• Login method types:
• Enable.
• Uses the enable password for authentication.
• Line.
• Uses the line password for authentication.
• Local.
• Uses the local username database for authentication.
• Local-case.
• Uses case-sensitive local username authentication.
CCNA Sec Page 6
• Uses case-sensitive local username authentication.
• Group radius.
• Uses the list of all RADIUS servers for authentication.
• Group tacacs+.
• Uses the list of all TACACS+ servers for authentication.
• Group group-name.
• Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius
or aaa group server tacacs+ command.
• None.
• To ensure that the authentication succeeds even if all methods return an error.
• AAA lists.
• When AAA is enabled, the default list is automatically applied to all interfaces and lines but with no methods
defined unless a predefined list is assigned.
• If the default method list is not set and there is no other list, only the local user database is checked.
• Authorization.
• What a user can and cannot do on the network after that user is authenticated.
• Implemented using a AAA server-based solution.
• When a user has been authenticated, a session is established with the AAA server.
• The router requests authorization for the requested service from the AAA server.
• The AAA server returns a PASS/FAIL for authorization.
• TACACS+ establishes a new TCP session for every authorization request.
• When AAA authorization is not enabled, all users are allowed full access.
• To enable AAA.
• R(config)# aaa new-model
• To Configure Authentication to Use the AAA Server.
• R(config)# aaa authentication login list-name|default method method method [maximum 4 methods]
• R(config)# aaa authentication login default group radius group tacacs+ local …..
• R(config)# aaa authentication enable list-name|default group tacacs+ enable
• Methods are used in order, if no response from one, the next is used.
• To specify the number of unsuccessful login attempts (then the user will be locked out).
• R(config)# aaa local authentication attempts max-fail n
• The account (non priv 15) will stay locked until it is cleared by an administrator.
• To display a list of all locked-out users.
• R# show aaa local user lockout
• To unlock a specific user or to unlock all locked users.
• R# clear aaa local user lockout all | username name
• To display the attributes that are collected for a AAA session.
• R# show aaa user all | unique-id
• To show the unique ID of a session.
• R# show aaa sessions
• For vty lines.
• R(config)# line vty 0 4
• R(config-line)# login authentication name|default
• R(config-line)# authorization exec name|default
• To debug aaa authentication.
• R# debug aaa authentication|authorization
• Look specifically for GETUSER and GETPASS status messages.
• To configure AAA with CCP.

CCNA Sec Page 7

• To configure AAA with CCP.
• CCP, Configure, Router, AAA,…...
• To create a local user account.
• CCP > Router > Router Access > User Accounts/View > Add
• To configure the AAA client (router) with the TACACS+ server.
• R(config)# tacacs-server host ip key the-key
• To configure the AAA client (router) with the RADIUS server.
• R(config)# radius-server host ip key the-key
• AAA Authorization (Router)
• To get the priviege level that should be given to user from the local user database.
• R(config)# aaa authorization exec default local
• To get the priviege level that should be given to user from the tacacs server.
• R(config)# aaa authorization exec default group tacacs+
• To enable command authorization on the console.
• R(config)# aaa authorization console
• AAA debugging
• To debug aaa.
• R# debug aaa authentication
• To debug RADIUS or TACACS+.
• R# debug radius|tacacs events
• AAA Accounting
• Each session established through the ACS can be fully accounted for and stored on the server.
• To configure AAA accounting.
• R(config)# aaa accounting exec default|list-name start-stop|stop-only method1 method2 …
• To configure AAA accounting.
• R(config)# aaa accounting exec default|list-name start-stop|stop-only method1 method2 …
• R(config)#aaa accounting commands 1 default start-stop group tacacs+
• ACS server configurations.
• To manage ACS server.
• https://ip
• Default username and password: acsadmin pass: default
• For trial license.
https://www.cisco.com/go/license
username: 61fafd03@emailna.co , pass: P@ssw0rdcisco123
get other licenses , demo and..., search for access control ,
• To create a device group.
• ACS > Network Resources > Network Device Groups > Device Type > Create
• To add a device to the group.
• Network Resources > Network Devices and AAA Clients > Create
• Click the Select button to the right of the device type and select the device group
• Select tacacs+ and type the password
• In the ip address select range and type the range (ex. 10.0.0.100-200) , Add V
• To create a user group.
• Users and Identity Stores > Identity Groups > Create
• To create individual user.
• Users and Identity Stores > Internal Identity Stores > Users and click > Create
• To create a shell profile.
• Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create

CCNA Sec Page 8

• Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
• Custom tasks tab, Default Privilege:static, type a privilige level
• To configure authorization policies (To assign permisions to identity group to access device group).
• Access Policies > Access Services > Default Device Admin > Authorization > Create
• Then select a shell profile or create one (shell profile has a name and defines a privilige level).
• Verifying and Troubleshooting Router-to-ACS Server Interactions.
• Ping the ACS server from the router.
• R# test aaa group tacacs+ username password legacy
• Using debug Commands to Verify Functionality
• To look at the reports on the ACS server.
• Monitoring & Reports > Reports > Catalog > AAA Protocol
Bring Your Own Device (BYOD)
• Allowing users bringing their own network-connected devices while also maintaining an appropriate
security posture.
• The organization’s security policy must be lever-aged to govern the level of access for BYOD devices.

• BYOD Solution Components.

• BYOD devices.
• The corporate-owned and personally owned endpoints that require access to the corporate network regardless
of their physical location.
• Wireless access points (AP).
• Provide wireless network connectivity to the corporate network for both local & BYOD devices.
• Identity Services Engine (ISE).
• The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies
put forth by the organization.
• Cisco AnyConnect Secure Mobility Client.
• Provides connectivity for end users who need access to the corporate network.
• Inside network users leverages 802.1X to provide secure access to the corporate network.
• Outside users uses AnyConnect Client to provide secure VPN connectivity, including posture checking.
• Integrated Services Routers (ISR).
CCNA Sec Page 9
• Integrated Services Routers (ISR).
• Will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and
Internet access for home office environments.
• Can provide VPN connectivity for mobile devices that are part of the BYOD solution.
• Adaptive Security Appliance (ASA).
• Provides all the standard security functions for the BYOD solution at the Internet edge.
• Can provide IPS and VPN for end devices.
• Cloud Web Security (CWS).
• Provides enhanced security for all the BYOD solution endpoints while they access Internet.
• RSA SecurID.
• The RSA SecurID server provides one-time password (OTP) generation and logging for users that access
network devices and other applications which require OTP authentication.
• Active Directory.
• Restricts access to those users with valid authentication credentials.
• Certificate authority.
• The CA server ensures that only devices with corporate certificates can access the corporate network.
• Mobile Device Management (MDM).
• Deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.
• Specific functions provided by MDM include:
- Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached).
- Enforcement of strong passwords for all BYOD devices.
- Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting
to use these compromised devices on the corporate network.
- Enforcement of data encryption requirements based on an organization’s security policies.
- Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.

CCNA Sec Page 10

 CCNA Sec 02

Fundamentals of VPN Technology and Cryptography

• VPN refers to a logical connection between the two devices.
• Cheaper than other WAN technologies.
• Types of VPNs encryption protocols.
• IPSec VPN.
• Implements security of IP packets at L3, and can be used for site-to-site VPNs and remote-access VPNs.
• SSL (Secure Sockets Layer) VPN.
• Implements security of TCP sessions over encrypted SSL tunnels.
• Can be used for remote-access VPNs (also used to securely visit a web server that supports it via HTTPS).
• MPLS (Multiprotocol Label Switching) VPN (MPLS L3VPN).
• Allows a company with two or more sites to have logical connectivity between the sites using the service
provider network for transport.
• No encryption by default.
• IPsec could be used on top of the MPLS VPN to add confidentiality (through encryption).
• Two Main Types of VPNs.
• Site-to-site VPNs.
• Two or more sites that they want to connect securely together (likely using the Internet).
• Remote-access VPNs.
• Users that build a VPN connection from their individual computer to the corporate headquarters.
• Can use IPsec or Secure Shell (SSL) technologies.

• Main Benefits of VPNs.

• Confidentiality.
• Only the intended parties can understand the data that is sent.
• The part that makes the message secret is the key or “secret” that is used to encrypt the data.
• Must be known by the sender and the receiver.
• Data integrity.
• Authentication with:
- Pre-shared keys used for authentication only
- Public and private key pairs used for authentication only
- User authentication (in combination with remote-access VPNs).
• Ciphers.
CCNA Sec Page 11
• Ciphers.
• A set of rules, which can also be called an algorithm, about how to perform encryption or decryption.
• Common methods that ciphers:
• Substitution.
• Substitutes one character for another.
• The exact method of substitution could be referred to as the key.
• If both parties involved in the VPN understand the key, they can both encrypt and decrypt data.
• Transposition.
• Uses many different options, including the rearrangement of letters.
• Ex. if we have the message “This is secret” we could write it out (top to bot-tom, left to right) as shown.

• Keys.
• Encryption Methods.
• Stream Ciphers (cipher digit stream).
• A symmetric key cipher, where each bit of plaintext data to be encrypted is done 1 bit at a time against the bits
of the key.
• Block Ciphers.
• A symmetric key cipher that operates on a group of bits called a block.
• May take a 64-bit block of plain text and generate a 64-bit block of cipher text.
• Examples:
• Digital Encryption Standard (DES)
• Triple Digital Encryption Standard (3DES)
- Advanced Encryption Standard (AES)
- Blowfish
- International Data Encryption Algorithm (IDEA)
• Block ciphers may add padding in cases where there is not enough data to encrypt.
• Key algorithms.
• Symmetric.
• Uses the same key to encrypt the data and decrypt the data.
• Examples:
- DES
- 3DES
- AES
- IDEA
- RC2, RC4, RC5, RC6
- Blowfish
• Used for most of the data that we protect in VPNs today.
• Much faster to use a symmetrical encryption algorithm.
• The more difficult the key, the more stronger encryption.
• The minimum symmetric key length should be at least 128 bits.
• Asymmetric.
• An example of an asymmetric algorithm is public key algorithms.
• We use two different keys (key pair) that mathematically work together as a pair.
• These keys are the public key and the private key.
• We use asymmetric algorithms for things such as authenticating a VPN peer or generating keying material that
we could use for our symmetrical algorithms.
CCNA Sec Page 12
•
we could use for our symmetrical algorithms.
• The public key is published and available to anyone who wants to use it.
• The private key is known only to the device that owns the public-private key pair.
• Examples of asymmetrical algorithms.
• RSA (Rivest, Shamir, and Adleman).
• The primary use of this asymmetrical algorithm today is for authentication.
• The key length may be from 512 to 2048 (Recommended 1024).
• DH (Diffie-Hellman).
• Allows devices to establish shared secret keys over an untrusted network.
• This key will be used with symmetric algorithms as 3DES, AES.
• ElGamal.
• Asymmetrical encryption system is based on the DH exchange.
• DSA (Digital Signature Algorithm).
• Was developed by the U.S. National Security Agency.
• ECC (Elliptic Curve Cryptography).
• OTP (one-time pad).
• A good example of a key that is only used once.
• To encrypt a 32-bit message, we use a 32-bit key, also called the pad , which is used one time only.
• Each bit from the pad is mathematically computed with a corresponding bit from our message, and the results
are our cipher text.
• The pad must also be known by the receiver if he wants to decrypt the message.
• Hashes.
• Hashing is a method used to verify data integrity.
• It is a one-way function.
• The result of the hash is a fixed-length small string of data called (digest or message digest or hash).
• The three most popular types of hashes:
- Message Digest 5 (MD5): This creates a 128-bit digest.
- Secure Hash Algorithm1 (SHA-1): This creates a 160-bit digest.
- Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
• Hashed Message Authentication Code (HMAC).
• It includes in its calculation a secret key.
• Digital Signatures.
• Prove that you are who you say you are.
• Keyspace.
• Refers to all the possible key values for a key.
• Next-Generation Encryption Protocols.
• Elliptic Curve Cryptography (ECC).
• Replaces RSA signatures with the ECDSA algorithm.
• Replaces the DH key exchange with ECDH.
• AES in the Galois/Counter Mode (GCM) of operation.
• ECC Digital Signature Algorithm.
• SHA-256, SHA-384, and SHA-512.
• IPSec.
• A collection of protocols and algorithms used to protect IP packets at Layer 3.
• Provides:
- Confidentiality through encryption.
- Data integrity through hashing and HMAC.
- Authentication using digital signatures or using a pre-shared key (PSK) that is similar to a password.
• Types of IPSec.
CCNA Sec Page 13
• Types of IPSec.
• Encapsulating Security Payload (ESP).
• Can do all the features of Ipsec.
• Authentication Header (AH).
• Can do many parts of the IPsec objectives, except encryption of the data.
-------------------------------------------------------------------------------------------------------------------
• Encryption algorithms for confidentiality: DES, 3DES, AES.
• Hashing algorithms for integrity: MD5, SHA.
• Authentication algorithms: Pre-shared keys (PSK), RSA digital signatures.
• Key management: for ex. Diffie-Hellman (DH), which can dynamically generate symmetrical keys.
• SSL.
• There is not an IPsec client or software currently running on everybody’s computer.
• Even if there were, not everyone has a certificate or a PSK for authentication.
• Every web browser on every computer supports SSL.
• Public Key Infrastructure (PKI).
• Key pair.
• A set of two keys that work in combination with each other as a team.
• The public key may be shared with everyone.
• The private key is not shared with anyone.
• CA (Certificate Authority).
• A computer or entity that creates and issues digital certificates.
• Inside the certificate the ip and the FQDN and the public key for the issuer.
• In the final certificate is a URL that other devices can check to see whether this certificate has been revoked and
the validity date.
• Most web browsers maintain a list of the more common trusted public CA servers.
• Root certificate.
• Contains the public key of the CA server and the other details about the CA server.

• Identity certificate.
• Similar to a root certificate, but it describes the client and contains the public key of the client.

CCNA Sec Page 14

•

• X.500 and X.509v3 Certificates.

• X.500.
• A series of standards focused on directory services and how those directories are organized.
• Popular network operating systems have been based on X.500, including Microsoft Active Directory.
• The foundation from which you see common directory elements such as CN=Bob (Common Name = CN),
OU=engineering (organiza-tional unit = OU), O=cisco.com (organization = O), and so on
• X.509 Version 3.
• A standard for digital certificates.
• LDAP is a common protocol that is used to do lookups from a directory.
• Most digital certificates contain:
• Serial number.
• Assigned by the CA and used to uniquely identify the certificate.
• Subject.
• The person or entity that is being identified.
• Signature algorithm.
• The specific algorithm that was used for signing the digital certificate.
• Signature.
• The digital signature from the certificate authority.
• Issuer.
• The entity or CA that created and issued the digital certificate.
• Valid from.
• The date the certificate became valid
• Valid to.
• The expiration date of the certificate.
• Key usage.
• The functions for which the public key in the certificate may be used
• Public key.
• The public portion of the public and private key pair generated by the host whose certificate is issued.
• Thumbprint algorithm.
• The hash algorithm used for data integrity.

CCNA Sec Page 15

• The hash algorithm used for data integrity.
• Thumbprint.
• The actual hash.
• Certificate revocation list location.
• The URL that can be checked to see whether the serial number of any certificates issued by the CA have
been revoked
• Enrolling with the CA.
• Step 1: Trust the CA server.
• You cannot verify the signature on a certificate until you have the CA public key.
• You could download and install the root certificate.
• Step 2: Request your own identity certificate.
• This involves generating a public-private key pair and including the public key portion in any requests.
• The CA takes all of your information and generate an identity certificate, and sent it back yo you.
• PKCS (Public Key Cryptography Standards).
• A PKI standard that control the format and use of certificates, including requests to a CA for new certificates,
the format for a file that is going to be the new identity certificate, and the file format and usage access for
certificates.
• PKCS#10.
• A format of a certificate request sent to a CA that wants to receive its identity certificate.
• Includes the public key for the entity desiring a certificate.
• PKCS#7.
• A format that can be used by a CA as a response to a PKCS#10 request.
• The response itself will very likely be the identity certificate that had been previously requested.
• PKCS#1.
• RSA Cryptography Standard.
• PKCS#12.
• A format for storing both public and private keys using a symmetric password-based key to “unlock” the data
whenever the key needs to be used or accessed.
• PKCS#3.
• Diffie-Hellman key exchange.
• Simple Certificate Enrollment Protocol (SCEP).
• Automate most of the process for requesting and installing an identity certificate.
• It is not an open standard.
• Supported by most Cisco devices and allow it to get and install both root and identity certificates.
• Revoked Certificates.
• A certificate contains information on where an updated list of revoked certificates can be obtained.
• Peers check this URL to check the validity of the certificate.
• The revoked certificates are listed based on its serial number.
• Uses for Digital Certificates.
• Can be used for clients who want to authenticate a web server using HTTPS, SSL, TLS.
• SSL remote-access VPNs.
• With IPSec for authentication with certificate.
• Can also be used with protocols such as 802.1X
• ASA’s Certificate.
• ASA uses a self-signed digital certificate by default.
• ---------------------------------------------------------------------------------------------------------------
• To view the ASA certificate.
• ASDM, Device Management, Certificate Management, Identity Certificates, Add, Add a New Identity Certificate

CCNA Sec Page 16

•

CCNA Sec Page 17

•

• Review Key PKI Components.

CCNA Sec Page 18

 Fundamentals of IP Security
• IPSec.
• A Layer3 protocol provides confidentiality, data integrity, and authentication of the VPN.

• Internet Key Exchange (IKE) Protocol.

• Used to negotiate and establish secured site-to-site or remote access VPN tunnels.
• A framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and
parts of two other key management protocols, Oakley and Secure Key Exchange Mechanism (SKEME).
• IKE uses UDP, Port Number 500.
• IKE phases.
• IKE Phase1.
• IPsec peers negotiate and authenticate each other.
• IKE Phase 2.
• Peers negotiate keying materials and algorithms for the encryption of the data.
• IKEv1.
• IKE Phase 1 tunnel (once established) will not used to forward user packets, but rather only to protect
management traffic related to the VPN between the two routers.
• Ex. Packets such as a keepalive message to verify that the VPN tunnel is still working.
• Step1: Five basic items need to be agreed
• Hash algorithm: MD5 or SHA (Secure Hash Algorithm).
• Encryption algorithm: DES, 3DES, AES with various key lengths. (Longer is better for keys).
• Diffie-Hellman (DH) group: Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536.
More secure DH groups are part of the next-generation encryption (NGE):
Group 14 or 24: Provides 2048-bit
Groups 15 and 16: Support 3072-bit and 4096-bit
Group 19 or 20: Supports the 256-bit and 384-bit ECDH groups respectively
- The purpose of DH is to generate shared secret keying material (symmetric keys).
- It is important to note that the DH exchange itself is asymmetrical (and is CPU intensive).
• Authentication method: PSK or RSA signatures.
• Lifetime: How long until this IKE Phase 1 tunnel should be torn down.
The default is one day, listed in seconds.
This is the only parameter that does not have to exactly match with the other peer to be accepted.
A shorter lifetime is considered more secure.
• Step2: Run the DH Key Exchange.
CCNA Sec Page 19
• Step2: Run the DH Key Exchange.
• To have symmetrical keying material.
• Step 3: Authenticate the Peer.
• Peers authenticate each other by method they agreed upon.
• All IKE phase 2 negotiantions are secured by the phase 1 tunnel.
• IKE Phase 2 tunnel is called Quick mode.
• Crypto ACL.
• An ACL that has been created to identify which traffic should be encrypted.
• Not applied directly to any interface, but instead it is referenced by a policy called a crypto map.
• The crypto map is directly applied to an interface.
• Tunnel mode (the default).
• Means that R1 will take any outbound packets matching the access list, encrypt them and then re-encapsulate
them inside of an IPsec packet, which is then forwarded to the peer (R2).
• On the other side of the VPN tunnel, it will need to be in tunnel mode to work.
• The IP header and the payload are encrypted.
• Transport mode.
• Used only when the transit traffic is directly from and to the endpoints of the VPN tunnel (such as R1 and R2
talking amongst themselves).
• Only the packet payload is encrypted.
• CLI configurations.
• R1(config)# crypto isakmp policy 1
• R1(config-isakmp)# authentication pre-share
• R1(config-isakmp)# encr aes
• R1(config-isakmp)# hash sha
• R1(config-isakmp)# group 2
• R1(config-isakmp)# lifetime 3600
• R1(config)# crypto isakmp key cisco address 2.2.2.2
• Crypto ACL.
• R1(config)# access-list 100 permit ip 60.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
• R1(config)# crypto ipsec transform-set set1 esp-sha-hmac esp-aes
• R1(cfg-crypto-trans)# mode tunnel
• R1(config)# crypto map vpnmap 1 ipsec-isakmp
• R1(config-crypto-map)# match address 100
• R1(config-crypto-map)# set transform-set set1
• R1(config-crypto-map)# set peer 2.2.2.2
• R1(config)# interface f1/1
• R1(config-if)# crypto map vpnmap
• Configuring and Verifying Ipsec by CCP.
• Configure > Security > VPN > Site-to-Site VPN

CCNA Sec Page 20

•

CCNA Sec Page 21

CCNA Sec Page 22
CCNA Sec Page 23
•

CCNA Sec Page 24

• SPI (Security Parameter Index).
• A way of tracking a specific Security Association (SA) between router and a peer.
• Think of it as a serial number (unique) for each SA.
• PFS (Perfect Forward Secrecy).
• The ability for IKE Phase 2 to run the DH algorithm again, instead of using the keys generated during the DH
from IKE Phase 1.
• This feature is off by default for most platforms.

Implementing IPsec Site-to-Site VPNs

CCNA Sec Page 25

• IPsec framework protocols.
• AH (Authentication Header).
• IP protocol 51.
• Used when confidentiality is not required.
• Provides data authentication and integrity.
• ESP (Encapsulating Security Payload).
• IP protocol 50.
• Can provide confidentiality, integrity, and authentication.

• Authentication with certificate configuration.

• R(config)# crypto isakmp policy 1
• R(config-isakmp)# encr aes
• R(config-isakmp)# group 2
• R(config-isakmp)# authentication rsa-sig
• R(config-isakmp)# hash sha
• R(config-isakmp)# lifetime 3600
CCNA Sec Page 26
• R(config-isakmp)# lifetime 3600
• R# show crypto isakmp policy
• R(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
• R(config)# access-list 100 permit ip 60.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
• R(config)# crypto map MYMAP 1 ipsec-isakmp
• R(config-crypto-map)# match address 100
• R(config-crypto-map)# set peer 2.2.2.2
• R(config-crypto-map)# set transform-set MYSET
• R(config)# interface f1/1
• R(config-if)# crypto map MYMAP
• Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS.
• To verify the IKEv1 Phase 1 policy or policies in place.
• R# show crypto isakmp policy
• Verify cryptomaps and where they are applied.
• R# show crypto map
• Debug the IKEv1 Phase 1 process
• R# debug crypto isakmp
• Check to see if there is an IKEv1 Phase 1 tunnel already in place.
• R# show crypto isakmp sa
• To view Crypto Engine Connections.
• R# show crypto engine connections active
• Alternative site-to-site VPN technologies:
• Dynamic Multipoint VPN (DMVPN).
• A Cisco solution for deploying highly scalable IPsec site-to-site VPNs.
• Enables branch locations to communicate directly with each other over the Internet without requiring a
permanent VPN connection between sites.
• FlexVPN
• Can be deployed over either public Internet connections or a private MPLS VPN network.
• Designed for the concentration of both site-to-site and remote access VPNs.
• Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA

• ASDM > Wizards > VPN Wizards > Site-to-Site VPN Wizard .

CCNA Sec Page 27

•

CCNA Sec Page 28

CCNA Sec Page 29
CCNA Sec Page 30
• Troubleshooting commands.
• ASA1# show isakmp stats
• ASA1# show crypto ipsec sa
• ASA1# show isakmp sa detail
• ASA1# show vpn-sessiondb
• ASA1# debug crypto ikev1|ikev2
• ASA1# debug crypto ipsec
• ASA1# debug crypto ikev2
• ASA1# debug crypto ikev2

Implementing SSL VPNs Using Cisco ASA

CCNA Sec Page 31

• Clientless SSL VPN.

CCNA Sec Page 32

CCNA Sec Page 33
•

CCNA Sec Page 34

 -----------------------------------------------------------------------------------------------------------------------
• RAVPN AnyConnect Secure Mobility Client Connections.

CCNA Sec Page 35

•

CCNA Sec Page 36

CCNA Sec Page 37
CCNA Sec Page 38
CCNA Sec Page 39
 CCNA Sec 03

Securing Layer 2 Technologies

• VLAN and Trunking Fundamentals.

• Virtual LAN (VLAN).

• Another name for a Layer 2 broadcast domain and are controlled by the switch.
• By default, all ports are assigned to VLAN 1
• Create the new VLAN
• Sw(config)# vlan 10
• Assign the port as an access port belonging to VLAN 10
• Sw(config-vlan)# interface fa0/1
• Sw(config-if)# switchport mode access
• Sw(config-if)# switchport access vlan 10
• Verify the VLAN exists, and that Fa0/1 has been assigned to it.
• Sw(config-if)# do show vlan brief
• Another way to verify the port is assigned the VLAN:
• Sw# show vlan id 10
• One more way to verify the same thing.
• Sw# show interfaces fa0/1 switchport
• Trunking with 802.1Q.
• The standard protocol for frame tagging.
• Sw(config)# interface range fa0/23-24
• Sw(config-if-range)# switchport mode trunk
• Sw(config-if-range)# switchport trunk encapsulation dot1q
• To verify the trunks:
• Sw(config-if-range)# do show interface trunk
• Another way to verify the trunk.
• Sw# show interface fa0/23 switchport
• The Native VLAN on a Trunk.
• By default, native VLAN traffic is not tagged on trunk links.
• Trunks can be automatically negotiated between two switches, or between a switch and a device that can
support trunking.
• Router-on-a-stick.
• Connecting multiple VLANs by the router with one physical interface.
• Each sub-interface of the router's physical interface will be linked to a VLAN.
• Enable trunking on the switchport connected to the router.
• Sw(config)# interface fa 0/3

CCNA Sec Page 40

• Sw(config)# interface fa 0/3
• Sw(config-if)# switchport mode trunk
• Sw(config-if)# switchport trunk encapsulation dot1q
• Make sure the physical interface isn't shutdown
• R3(config)# interface fa 0/0
• R3(config-if)# no shutdown
• Create a logical sub interface
• R3(config-if)# interface fa 0/0.10
• Tell the router to process any dot1q frames tagged with VLAN ID 10 with this logical interface
• R3(config-subif)# encapsulation dot1q 10
• R3(config-subif)# ip address 10.0.0.1 255.255.255.0
• Spanning-Tree Protocol (STP).
• STP can avoid loops at Layer 2 of the OSI model.
• STP is a solution to the Layer 2 Loop.
• Sw# show spanning-tree vlan n
• Sw# show interfaces trunk
• STP is on by default.
• PVST (Per-VLAN Spanning Tree Plus).
• If you have multiple VLANs, you have multiple instances of STP.
• STP consists of the following port states.
• Root Port.
• The switch port that is closest to the root bridge.
• All switches, other than the root bridge, contain one root port.
• Designated.
• The switch port that can send the best BPDU for a particular VLAN on a switch is considered the
designated port.
• Nondesignated.
• These are switch ports that do not forward packets, so as to prevent the existence of loops within the
networks.
• PortFast.
• Causes an access port to transmit from the blocking to the forwarding state immediately, bypassing the
listening and learning states.
• Minimizes the time that access ports must wait for STP to converge.
• It should be used only on access ports.
• To configure Portfast on a specific interface.
• Sw(config-if)# spanning-tree portfast
• To configures PortFast for all non-trunking ports at once.
• Sw(config)# spanning-tree portfast default
• To verify that PortFast has been configured on an interface.
• Sw# show running-config interface Fa0/8
• To change the STP from 802.1D to 802.1w.
• Sw(config)# spanning-tree mode rapid-pvst
• Common Layer 2 Threats and How to Mitigate Them.
• BPDU Guard.
• Protects the network from receiving BPDUs on ports that should not be receiving them.
• If a PortFast enabled port received a BPDU, STP can put the port into the error-disabled state.
• To enable BPDU guard on all ports with PortFast enabled.
CCNA Sec Page 41
• To enable BPDU guard on all ports with PortFast enabled.
• Sw(config)# spanning-tree portfast bpduguard default
• To display information about the state of spanning tree.
• Switch# show spanning-tree summary totals
• To configure per interface.
• Sw(config-if)# interface fa 0/2
• Sw(config-if)# spanning-tree bpduguard enable
• Configuring the Switch to Automatically Restore Err-Disabled Ports
• Sw(config)# errdisable recovery cause bpduguard
• Sw(config)# errdisable recovery interval n-sec
• Sw# show errdisable recovery
• Root guard.
• Provides a way to enforce the placement of root bridges in the network.
• Limits the switch ports out of which the root bridge can be negotiated.

• Sw(config)# interface fa 0/24

• Sw(config-if)# spanning-tree guard root
• Port Security.
• Controls how many MAC addresses can be learned on a single switch port.
• Protects against malicious applications that may be sending thousands of frames into the network, with a
different bogus MAC address.
• Can prevent CAM table overflow attack.
• The default violation action is to shut down the port.
• Also violation responses can be:
• Protect.
• Will not shut down the port but will deny any frames from new MAC addresses over the set limit.
• Restrict.
• Action does the same as protect but generates a syslog message, as well.
• Port security configurations.
• Sw(config-if)# interface fa 0/2
• Sw(config-if)# switchport port-security maximum n
• Sw(config-if)# switchport port-security violation protect
• Sw(config-if)# switchport port-security mac-address sticky
• Sw# show port-security
• Sw# show port-security interface fa0/2
CCNA Sec Page 42
• Sw# show port-security interface fa0/2
• Disabling CDP & LLDP.
• A recommended best practice is to disable CDP on any ports facing untrusted or unknown networks.
• sw(config)# interface fa0/24
• sw(config-if)# no cdp enable
• Disable CDP Globally on switch
• sw(config)# no cdp run
• sw# show cdp
• To disable lldp (another discovery protocol).
• sw(config)# no lldp run
• DHCP Snooping.
• A security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.
- Validates DHCP messages received from untrusted sources and filters out in valid messages.
- Rate-limits DHCP traffic from trusted and untrusted sources.
- Builds and maintains the DHCP snooping binding database.
- Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
• DHCP snooping is enabled on a per-VLAN basis. [By default inactive on all VLANs]
• You can enable the feature on a single VLAN or a range of VLANs.
• Enable DHCP Snooping Globally
• sw(config)# ip dhcp snooping
• Enable DHCP Snooping on VLAN 10
• sw(config)# ip dhcp snooping vlan 10
• Configure Interface Fa0/24 as a Trusted interface
• sw(config)# interface fa0/24
• sw(config-if)# ip dhcp snooping trust
• Configure the DHCP snooping database agent to store the bindings at a given location
• sw(config)# ip dhcp snooping database tftp://60.1.1.1/directory/file
• Verify DHCP Snooping Configuration
• sw# show ip dhcp snooping
• Router DHCP service configuration.
ip dhcp pool pool1
network 10.0.0.0 255.0.0.0
dns-server 10.0.0.8
default-router 10.0.0.100
lease 30 The default is a one-day lease.
• On switch
• Sw(config-if)# ip dhcp snooping trust
• Sw(config)# ip dhcp snooping
• Sw(config)# ip dhcp snooping vlan id
• Sw(config)#no ip dhcp snooping information option
• Sw# show ip dhcp spoofing
• Sw# show ip dhcp snooping binding
• Sw# show ip dhcp snooping database
• Dynamic ARP Inspection.
• A security feature that validates ARP packets in a network.
• Intercepts and discards ARP packets with invalid IP-to-MAC address bindings stored in the DHCP
snooping binding database.

CCNA Sec Page 43

•
snooping binding database.
• Enable DAI on VLAN 10
• sw(config)# ip arp inspection vlan 10
• sw(config)# exit
• Verify DAI Configuration for VLAN 10
• sw# show ip arp inspection vlan 10
• Configure Interface Fa1/0/24 as a Trusted DAI Interface
• sw(config)# interface fa0/24
• sw(config-if)# ip arp inspection trust
• sw(config-if)# exit
• sw(config)# exit
• sw# show ip arp inspection interfaces
• To control whether a port is an access port or a trunk port.
• Sw(config-if)# switchport mode access
• Sw(config-if)# switchport access vlan n
• To disable DTP.
• Sw(config-if)# switchport nonegotiate
• To specify the port as a trunk, using dot1q.
• Sw(config-if)# switchport mode trunk
• Sw(config-if)# switchport trunk encapsulation dot1q
• To specify the native vlan.
• Sw(config-if)# switchport trunk native vlan n

Network Foundation Protection (NFP).

• Breaking the infrastructure down into smaller components and then systematically focusing on how to
secure each of those components.
• Broken down into three basic planes (also called sections/areas).
• Management plane.
• This includes the protocols and traffic that an administrator uses between his workstation and the router or
switch itself.
CCNA Sec Page 44
•
switch itself.
• For ex. Using SSH to monitor or configure the router or switch.
• For security, use AAA, Authenticated NTP, SSH, SSL/TLS, Protected syslog, SNMPv3, Parser views.
• Control plane.
• This includes protocols and traffic that the network devices use on their own without direct interaction from
an administrator.
• For ex. A routing protocol that can dynamically learn and share routing information that the router can then
use to maintain an updated routing table.
• For security use CoPP, CPPr, Authenticated routing protocol updates.
• Data plane.
• This includes traffic that is being forwarded through the network (sometimes called transit traffic).
• For ex. a user sending traffic from one part of the network to access a server in another part of the network.

Securing the Management Plane on Cisco IOS Devices

• Password Recommendations.
• To define password length.
• R(config)# security password min-length n
• Use enable secret instead of enable password.
• To encrypt all unencrypted passwords.
• R(config)# service password-encryption
• Passwords can include any alphanumeric character, a mix of uppercase and lowercase characters, and
symbols and spaces.
• Passwords should not use words that may be found in a dictionary.
• Leading spaces in a password are ignored.
• Passwords should be changed periodically.
• Use AAA to Verify Users.
• AAA can authenticate, authorize and audit users accessing the router or the network by VPN ( packet mode).
• Privilege levels.
• Who should connect to the device and what that person should be able to do with it.
• CLI has two levels:
• User EXEC mode (privilege level 1).
• The lowest EXEC mode user privileges that includes all commands at the prompt router>.
• Privileged EXEC mode (privilege level 15).
• Includes all enable-level commands at the prompt router#.
• The higher the privilege level, the more router access a user has.
• A privilege level includes the privileges of all lower levels.
• To configure a privilege level for specific commands.
• R(config)# privilege exec level n command-string
• R(config)# privilege exec level 8 configure terminal
• Password can be assigned to the level on the level itself or when creating the user.
• To set a password for that level.
• R(config)# enable secret level n the-password
• To login to a specific level.
• R> enable n
• To view current privillege level.
• R# show privilege
• R# sh run | in username [get any line contains the word username]
CCNA Sec Page 45
• R# sh run | in username [get any line contains the word username]
• To create a user with a specific privilege level.
• R(config)# username username privilege n secret the-password
• R(config)# username username privilege n secret 5 the-MD5-password-hash
• R(config)# username username privilege n secret 4 the-SHA256-password-hash
• To login with a specific user.
• R> login
• Assigning a command with multiple keywords, will automatically assign all commands associated with the
first few keywords to the level.
• Level 0.
• Predefined for user-level access privileges, includes only: disable, enable, exit, help, logout.
• Level 1.
• The default for login, and user cannot make any changes or view the running configuration file.
• To exclude a command from a level, assign that command to an upper level.
• Views.
• Types of views.
• Root view.
• Has the same access privileges as a user who has level 15 privileges.
• You must be in this view to configure any view.
• CLI view.
• A specific set of commands can be bundled into a CLI view.
• Has no command hierarchy, so no higher or lower views and no inheritance.
• The same commands can be used in multiple views.
• There is a maximum limit of 15 views in total.
• Superview.
• Consists of one or more CLI views.
• A single CLI view can be shared within multiple superviews.
• Commands cannot be configured for a superview.
• Each superview has a password used to enter or switch between superviews.
• Deleting a superview does not delete the associated CLI views.
• To configure views.
• First, enable the use of AAA on the device.
• R(config)# aaa new-model
• Set a password on the privileged level to be used to enter to the root view.
• R(config)# enable secret the-password
• To create a view, first login with the root view.
• R# enable view root
• Then enter the privileged level password
• To create a view and enter view configuration mode.
• R(config)# parser view name
• To configure a view password using MD5.
• R(config-view)# secret the-password
• To configure commands or interfaces that are accessible from within the configured view.
• R(config-view)# commands exec {include | include-exclusive | exclude} [command]
• Include-exclusive: Adds a command or an interface and excludes it from all other views.
• Exclude: Excludes a command or an interface from the view.
• Ex
CCNA Sec Page 46
• Ex
R(config-view)# commands exec include show version
R(config-view)# commands exec include ping
R(config-view)# commands exec include all show
R(config-view)# commands exec include configure
• To enter a root or specific view.
• R> enable view root
• To enter the root view.
• R> enable view name , then enter the enable secret password.
• To create a superview.
• R(config)# parser view name superview
• To configure a view password using MD5.
• R(config-view)# secret the-password
• To associate a CLI view to the superview.
• R(config-view)# view view-name
• To link a user to a view
• R(config)# username user1 view view-name pasword the-pasword
• To verify a view.
• Enter that view, and type ?
• To view the current view accessed.
• R# show parser view
• SSH.
• Provides the same functionality as Telnet but encrypts all the packets in the session.
• Only the Cisco IOS cryptographic images (k8 or k9) have the IPsec feature set support SSH.
• To Configure the router with a domain name.
• R (config)# ip domain-name name
• To Generate an rsa key pair.
• Router (config)# crypto key generate rsa general-keys modulus modulus-size
• The minimum recommended key length is 1024 bits (can be from 360 --› 2048 bits, 512 is default).
• SSH is automatically enabled after the RSA keys are generated.
• To enable ssh without domain name.
• Create a key-pair name for the RSA keys:
• Router(config)#ip ssh rsa keypair-name name
• Configure the RSA keys on the router and attach the already created label:
• Router(config)#crypto key generate rsa modulus 1024 label name
• Create a local database.
• R (Config)# username name privilege n password the-password
• Use SSH instead of telnet.
• Sw(config-line)# login local
• Sw(config-line)# transport input ssh
• To verify SSH and display the generated keys.
• R# sh crypto key mypubkey rsa
• IOS Release 12.3(4)T and later supports both SSHv1 and SSHv2.
• To configure the SSH version.
• R(config)# ip ssh version 1|2
• To configure number of consecutive SSH retries.
• R(config)# ip ssh authentication-retries n
CCNA Sec Page 47
• R(config)# ip ssh authentication-retries n
• To verify the optional SSH command settings.
• R# sh ip ssh
• To verify the current SSH session(s).
• R# sh ssh
• To start a SSH session from the computer.
• Use programs such as PuTTY, OpenSSH, and TeraTerm.
• To start a SSH session from a router.
• R# ssh -l user-name ip (-l for local DB)
• To configure the virtual lines with the output and the input protocol to use.
• R(config-line)# transport input telnet|ssh
• R(config-line)# transport output telnet|ssh
• To remove existing rsa key-pair.
• R(config)# crypto key zeroize rsa
• CCP , Configure > Router > Router Access > SSH.
• CCP , Configure > Router > Router Access > VTY.
• HTTPS.
• CCP Pre-configurations.
• R(config)# ip http server
• R(config)# ip http secure-server
• R(config)# ip http authentication local
• R(config)# username user privilege 15 password 123
• For securing GUI management tools such as CCP, use HTTPS instead of HTTP.
• Logging.
• Data between management hosts and the managed devices can take two paths:
• OOB (Out-Of-Band).
• Data flows on a dedicated management network on which no production traffic resides.
• In-band.
• Data flows across an enterprise production network.
• Should be sent securely using a private encrypted tunnel or VPN tunnel.
• Logs can be sent to one or more of these items:
• Console.
• On, by default.
• Can be viewed when connected to the router using terminal emulation software on console.
• Terminal lines.
• Enabled EXEC sessions can be configured to receive log messages on any terminal lines.
• Not stored by the router and only valuable to the user on that line.
• Buffered logging.
• Log messages are stored in router memory for a time.
• Events are cleared whenever the router is rebooted.
• Size limited to few kilobytes.
• SNMP traps.
• Router events can be forwarded as SNMP traps to an external SNMP server.
• Syslog.
• Router can forward log messages to an external syslog service on port udp 514.
• The most popular message logging facility.

CCNA Sec Page 48

•
• Log messages fall into levels, the lower level number, the higher the severity level.
• Syslog messages are transmitted in clear text.

• The log message contain three main parts:

- Timestamp.
- Log message name and severity level.
- Message text.

• Syslog implementations contain:

• Syslog server (log hosts).
• Systems that accept and process log messages from syslog clients.
• Syslog clients.
• Routers or other types of equipment that generate and forward log messages to syslog servers.
• To set the destination logging host.
• Router (config)# logging host name|ip
• To set the log severity (trap) level.

CCNA Sec Page 49

• To set the log severity (trap) level.
• Router (config)# logging trap level
• Level can be from 0 to 7 or level name.
• This limits the logging of messages to the syslog servers to a specified level.
• To add time stamps to the syslog messages.
• Router (config)# service timestamps log datetime
• To set the source interface.
• Router (config)# logging source-interface interface-id
• To enable logging globally.
• Router (config)# logging on
• To allow log messages to be sent to the vty sessions.
• Router# terminal monitor
• To enable specific logging type.
• Router (config)# logging buffered | monitoring
• Router (config)# logging buffered 4096 debugging
• CCP, Configure > Router > Logging.
• To Clear logging buffer.
• Router# clear log
• If logging is disabled, no messages are sent to servers, only the console receives messages.
• To monitor logging.
• CCP, Monitor > Logging.
• To stop logging messages on console or vty lines while typing commands.
• Router (config-line)# logging synchronous
• SNMP.
• Application layer protocol, part of the TCP/IP suite.
• Was developed to manage nodes, such as servers, workstations, routers, switches,…..
• Uses 3 versions 1, 2, 3 they all uses NMSs, agents (managed nodes), and MIBs.
• The agent provides access to a local MIB of objects that reflects resources & activity at its node.
• The manager can get, change or set information in the agent.
• A set can cause a router to reboot, send a configuration file, or receive a configuration file.
• SNMP components.
• SNMP manager (NMS Network Management Server).
• Runs a network management application.
• SNMP agent.
• A piece of software that runs on a managed device.
• MIB (Management Information Base).
• Information about a managed device’s resources and activity is defined by a series of objects.
• Trap.
• An unsolicited message sent from a managed device to an SNMP manager.
• SNMP community string.
• Essentially used for password-only authentication of messages between the NMS and the agent.
• Types of community strings:
• Read-only.
• Provides read-only access to all objects in the MIB, except the community strings.
• Read-write.
• Provides read-write access to all objects in the MIB, except the community strings.

CCNA Sec Page 50

•
• If the manager sends a correct read-only strings, it can get information but not set information.
• If the manager uses a correct read-write strings, it can get or set information in the agent.
• Most SNMP systems use "public" as a community string for read only, "private" for read-write.
• SNMPv1,2 send strings as clear text.
• SNMP Security level.
• Defines the type of security algorithm performed on SNMP packets.
• NoAuthentication (noauth command).
• Authenticates a packet by a community string.
• Authentication (auth command).
• Authenticates a packet by using either the HMAC MD5, or HMAC SHA
• Privacy (priv command).
• Authenticates a packet by using either the HMAC MD5, or HMAC SHA
• Encrypts the packet using DES, 3DES, AES.
• Only SNMPv3 supports the auth and priv security levels.
• To configure SNMP by CCP.
• CCP, Configure > Router > SNMP
CCP can't configure SNMP v3
• To configure community string by CLI.
• R(config)# snmp-server community string ro | rw access-list-number
• Router(config)# snmp-server group CCNA-group v3 noauth
• Router(config)# snmp-server user CCNA-user CCNA-group v3
• NTP.
• To ensure that logs are accurately timestamped, clocks must be synchronized and maintained.
• Date and time can be set manually or by NTP.
• NTP uses UDP port 123 and is documented in RFC 1305.
• NTP clients either contact the master or listen for messages from it to synchronize their clocks.
• NTP server configurations.
• To set the clock manually.
• R# clock set 10:00:00 dec 1 2018
• To makes the system an authoritative NTP server.
• Router(config)# ntp master
• To enable NTP authentication.
• Router(config)# ntp authenticate
• NTP client configurations.
• To display the clock and ntp status.
• Router# sh clock
• Router# sh clock detail
* in the output means that time is not authorotative.
. in the output means that time is authorotative but NTP is not authorized yet
Blank symbol means that time is authorotative and NTP is authorized.
• Router# sh ntp status
• To enable NTP authentication.
• Router(config)# ntp authenticate
• To define an authentication key for NTP
• Router(config)# ntp authentication-key key-number md5 key-value
• To contact the master.
• Router(config)# ntp server ip key n
CCNA Sec Page 51
• Router(config)# ntp server ip key n
• To define one or more keys that a peer NTP system must provide in its NTP packets for synchronization.
• Router(config)# ntp trusted-key key1.key2.key3.key4 (or key1-key4)
• NTP Configuration with CCP.
• CCP > Configure > Router > Time > NTP and SNTP > Add
• Protecting Cisco IOS Files.
• When a router first boots, it performs a power-on self-test and then looks for an image of IOS on the flash.
• After loading the IOS into RAM, the router then looks for its startup configuration.
• IOS Resilient feature.
• Stores a secure copy of the IOS and running configuration in flash.
• The secure copy of the running configuration is stored in flash along with the secure IOS image.
• The feature can be disabled only through a console session.
• The secured IOS image is hidden so that it doesn't appear in a directory listing of files.
• rommon mode can list and boot from secured files.
• Used only when the system runs an image from a flash drive.
• Images that are booted from the network, such as a TFTP server, cannot be secured.
• Bootset.
• The secure set of Cisco IOS image and router running configuration files.
• To enable cisco resilience and immediately secure the IOS image.
• R (config)# secure boot-image
• To take a snapshot of run configuration and securely archive it in a persistent storage.
• R (config)# secure boot-config
• To upgrade the image or configuration archives to the newer ones, reenter the commands.
• To verify the existence of the archive.
• R# show secure bootset
• To restore a primary bootset from a secure archive.
• ROMmon> dir flash:
• ROMmon> boot bootset-image-name
• When the router boots, restore the configuration.
• R(config)# secure boot-config restore filename
• To disable password recovery.
• R(config)# no service password-recovery
• This command will disable all access to the ROMmon mode.
• To recover a device after the no service password-recovery command is entered.
• Initiate the break sequence within five seconds after the image decompresses during the boot.
• You are prompted to confirm the break key action.
• After the action is confirmed, the startup configuration is completely erased.
• The router boots with the factory default configuration.
• Securing passwords.
1. Define a long Password length.
• R(config)# security password min-length n
2. Use enable secret instead of enable password.
3. Encrypt all unencrypted passwords.
• R(config)# service password-encryption
4. Use AAA.
• To view logged in users (sessions console or vty).
• R# who
CCNA Sec Page 52
• R# who
• Using debug Commands.
• R# debug aaa authentication
• R# debug aaa authorization
• R# debug aaa accounting
• SCP (Secure Copy Protocol).
• Feature provides a secure and authenticated method for copying device configurations or image files.
• SCP relies on Secure Shell (SSH).
• SCP requires that AAA authorization be configured so that the device can determine whether the user has
the correct privilege level.
• After configuring AAA authentication and authorization for local, enable the SCP.
• R(config)# crypto key generate rsa modulus 1024 label pair1
• R(config)# aaa new-model
• R(config)# aaa authentication login default local
• R(config)# aaa authorization exec default local
• R(config)# username admin privilege 15 password admin
• R(config)# ip scp server enable
C:\> pscp.exe -scp admin@60.0.0.100:running-config c:\running-config.txt

Securing Routing Protocols and the Control Plane.

• Control plane packets are network device generated or received packets that are used for the creation and
operation of the network itself.
• Includes routing protocols and even ICMP messages.
• Control Plane Policing (CoPP).
• Used to identify the type and rate of traffic that reaches the control plane of the Cisco IOS device.
• Feature designed to allow users to manage the flow of traffic handled by the route processor.
• Prevent unnecessary traffic from overwhelming the route processor.
• R(config)# access-list 100 permit icmp any any
• R(config)# class-map class1
• R(config-cmap)# match access-group 100 OR(config-cmap)# match protocol http
• R(config)# policy-map policy1
• R(config-pmap)# class class1
• R(config-pmap-c)# police 8000 conform-action transmit exceed-action drop
• R(config-pmap-c)# police rate percent 10 conform-action transmit exceed-action drop
• R(config-pmap-c)# police rate 20000 pps conform-action transmit exceed-action drop
• R# sh policy-map control-plane [all]
• R(config)# control-plane
• R(config-cp)# service-policy [input | output] policy1
• For test: ping 60.0.0.100 -l 1200 -n 10
• R# show policy-map control-plane
• CPPr (Control Plane Protection).
• Another feature, similar to control plane policing.
• CPPr feature also additionally provides the following:
• Port-filtering.
• Enables the policing and dropping of packets that are sent to closed or nonlistening TCP or UDP ports.
• Queue-thresholding.
• Limits the number of packets for a specific protocol that are allowed in the control-plane IP input queue.
CCNA Sec Page 53
• Limits the number of packets for a specific protocol that are allowed in the control-plane IP input queue.
• Securing Routing Protocols.
• Failure to secure the exchange of routing information allows an attacker to introduce false routing
information into the network.
• Use password authentication with routing protocols between routers to enhance the security of the network.
• Authentication is sent clear text, so MD5 should be used.
• It is recommended to use complex password to avoid dictionary or even brute force attacks.
• OSPF authentication.
• OSPF MD5 authentication for OSPF requires configuration at interface level & router OSPF process itself.
• OSPF Authentication.
router ospf 100
network 3.3.3.0 0.255.255.255 area 0
network 4.4.4.0 0.255.255.255 area 0
exit
inter f1/0
ip ospf message-digest-key 5 md5 cisco
router ospf 100
area 0 authentication
area 0 authentication message-digest

show ip ospf [100]

show ip ospf interface f0/0
• EIGRP MD5 Authent ication Conf iguration.
• EIGRP uses key chain configured in the global configuration mode.
router eigrp 500
network 3.3.3.0
network 4.4.4.0
network 1.1.1.0
key chain chain1
key 5
key-string cisco
inter f1/0
ip authentication key-chain eigrp 500 chain1
ip authentication mode eigrp 500 md5
exit

show ip eigrp interfaces detail

• Implement Routing Update Authentication on RIP.
• Cisco implementation of RIPv2 supports plaintext authentication and MD5 authentication.
• Plaintext authentication mode is the default when authentication is enabled.
• RIPv1 does not support authentication.
• RIPv2 requires configuration only at the interface level.
key chain chain1
key 5
key-string cisco
router rip
network 3.3.3.0
network 4.4.4.0
version 2

CCNA Sec Page 54

 version 2
inter f0/0
ip rip authentication key-chain chain1
ip rip authentication mode md5
exit

show ip protocols
• Implement Routing Update Authentication on BGP.
• R(config)# router bgp AS-n
• R(config-router)# neighbor 1.1.1.2 remote-as other-router-as (if the same, iBGP will be used)
• R(config-router)# network 10.0.0.0 mask 255.0.0.0
• R# sh ip bgp summary
• R(config-router)# neighbor ip password key
• R# show ip bgp neighbors

Securing the Data Plane in IPv6

• IPv6 is 128-bit address.
• Does not support NAT.
• Hosts can use stateless address autoconfiguration to assign an IP to themselves, but can also use DHCP to
learn more information, such as DNS servers,…...
• Does not use any broadcasts and does not use ARP.
• Instead, it uses multicast addresses and NDP (Neighbor Discovery Protocol) that replaced ARP.
• Devices can automatically discover the IPv6 network address and any routers on the network.
• NDP (also called ND) uses IPv6’s version of ICMP as the workhorse behind most of its functions.
• IPv6 supports bothe L4 protocols UDP & TCP.

• Leading zeros in a field are optional, 09C0 = 9C0 , 0000 = 0

• Successive fields of zeros can be “::” only once in an address. (FF01:0:0:0:0:0:0:1= FF01::1).
• To configure IPv6.
• R1(config-if)# ipv6 address 2001:0db8:0000:0000:1234:0000:0052:0001/64

CCNA Sec Page 55

• R1(config-if)# ipv6 address 2001:0db8:0000:0000:1234:0000:0052:0001/64
• R1# show ipv6 interface brief
• IPv6 Address Types.
• Link-local.
- Like APIPA.
- Not routable.
- Obtained automatically by the prefix FE80::/64 + the L2 address.
- Used only for internal LAN connections.
- The last 64 bits are the host ID (interface ID).
- The device uses the modified EUI-64 format (by default) to create that using the MAC address.
- To get to 64 bits for the host ID, it inserts FFFE into the middle of the MAC.
• Loopback address.
• In IPv4, this was the 127 range of IP addresses.
• In IPv6, the address is ::1 (which is 127 0s followed by a 1).
• Multicast.
• A packet is delivered to all interfaces identified by that address.
• Multicasts begin with FFxx:

• Global.
• Like Real.
• Globally unique.
• Routable with no modification.
• Configured automatically or manually.
• Have the first four characters in the range of 2000 to 3FFF
• Anycast.
• A shared global unicast address to multiple devices.
• An IP address that appears more than one time in a network.
• Usually, two DNS servers, if they both use the same anycast address, are functional to the users.
• ----------------------------------------------------------------------------------------------------------------------------- -
• R1# show ipv6 interface fa0/1
• Configuring IPv6 Routing.
• IPv6 dynamic routing protocols:
- RIP, called RIP next generation (RIPng)
- OSPFv3
- EIGRP for IPv6
• To include interfaces of the routing process, you use interface commands.
• For EIGRP, you also need to issue the no shutdown command in EIGRP router configuration mode.
• To enables IPv6 routing.
• R(config)# ipv6 unicast-routing

CCNA Sec Page 56

•
• Enabling RIPng on the interface
• Create a new "name" for the process.
• R(config-if)# ipv6 rip MYRIP enable
• Enabling OSPFv3 on the interface.
• R(config-if)# ipv6 ospf 1 area 0
• Enabling IPv6 EIGRP on the interface.
• R(config-if)# ipv6 eigrp 1
• R(config)# ipv6 router eigrp 1
• R(config-rtr)# no shutdown
• Verify which routing protocols are running
• R1# show ipv6 protocol
• To view ipv6 routing table.
• R1# show ipv6 route
• Ping sweep will not succeed as earlier, and so reconnaissance (because there are potentially millions of
addresses on each subnet [2ˆ64].
• If attacker has local access, he could ping that local multicast group FF02::1 and get a response.
• IPv6 Access Control Lists (IPv6 ACL).
• Can filter and restrict the types of IPv6 traffic that enters the network at ingress points.
• R(config)# ipv6 access-list IPv6-ACL
• R(config-ipv6-acl)# deny udp any 2001:DB8:1:60::/64 eq 53
• Allow IPv6 neighbor discovery (neighbor solicitation packets and neighbor advertisement packets).
• R(config-ipv6-acl)# permit icmp any any nd-ns
• R(config-ipv6-acl)# permit icmp any any nd-na
• R(config-ipv6-acl)# deny ipv6 any any
• R(config-ipv6-acl)# interface fa0/0
• R(config-if)# ipv6 traffic-filter IPv6-ACL in

CCNA Sec Page 57

 CCNA Sec 04

Understanding Firewall Fundamentals

• Firewall.
• Commonly describes systems or devices that are placed between a trusted and an untrusted network.
• Personal firewalls.
• Software applications can run on a system to protect only that host.
• A firewall can be:
- Router with ACLs.
- ASA firewall.
- Switch with VLANs without any routing between them.
- Hosts or servers that are running software.
• Traffic between networks must be forced through the firewall (avoid multiple paths).
• Permit only the minimum required connectivity to that given system.
- Only allow web traffic to a specific IP of a web server on your DMZ, even if that web server has other services
running.
• You can configure a firewall to inspect protocols to ensure compliance with the standards for that protocol.
• A firewall could control which user’s traffic is allowed through the firewall.
• A firewall can detect and block malicious data.
• Application layer inspection may be able to identify and prevent tunneling.
- Tunneling refers to hiding forbidden traffic inside another protocol as HTTP, HTTPS.
• The Defense-in-Depth Approach (layered approach).
• It cannot be just a single device protecting all of your network.
• Firewalls do not replace the need for other systems such as a backup or disaster recovery plans.
• Firewall Methodologies.
• Static Packet Filtering.
• Is based on Layer 3 and Layer 4 of the OSI model.
• Ex. a router with an ACL applied to one or more of its interfaces.
• Stateless (does not maintain session information for current flows of traffic going through the router).
• Can't work with some applications that jump around and use many ports, some of which are dynamic.
• Application Layer Gateway (proxy firewalls).
• Can operate at Layer 3 and higher in the OSI reference model.
• Works as a proxy for clients.
• No direct communication occurs between the client and the destination server.
• Takes requests from a client, puts that client on hold for a moment, and then turns around and makes the
requests as if it is its own request out to the final destination.
• Memory and disk intensive at the proxy server.
• Could potentially be a single point of failure in the network.
• Stateful Packet Filtering.
• Called stateful because it remembers the state of sessions that are going through the firewall.
• Can be implemented on routers and dedicated firewalls.
• Provides a defense against spoofing and DoS attacks.
• Application Inspection.
• Can analyze and verify protocols all the way up to Layer 7 of the OSI reference model.
• Can see deeper into the conversations, to see secondary channels that are about to be initiated from the server.
- If an application is negotiating dynamic ports, and the server is about to initiate one of these dynamic ports to
the client, the application inspection could have been analyzing that conversation and dynamically allowed that
connection from the server to allow it through the firewall and to the client.

CCNA Sec Page 58

 connection from the server to allow it through the firewall and to the client.
• Can correct or deny protocol anomaly that is a deviation from the standard.
• Transparent Firewalls.
• Can use packet-based filtering, stateful filtering, application inspection but implemented at Layer 2.
• Next-Generation Firewalls (NGFW).
• Provides threat-focused security services allowing for protection from known and advanced threats, including
protection against targeted and persistent malware attacks.
• Ex. Cisco ASA with FirePOWER Services (classic ASA + Sourcefire threat, malware prevention in 1 device).
• --------------------------------------------------------------------------------------------------------------------------
• Using Network Address Translation (NAT).
• Firewall supports NAT in combination with the other firewall features previously discussed.

• NAT Terminology.
• Inside local.
• The IP configured on an inside host, such as PC1.
• Inside global.
• The mapped/global address that the router is swapping out for the inside host during NAT.
• Outside local.
• This is the mapped address of the outside device.
• Outside global.
• The real IP configured on an outside host, such as the IP on Server A.

• Dynamic NAT.
• Maps multiple private ips to multiple public ips randomly.
• Uses Access-list to select allowed addresses for dynamic translation.
• Define Access-list for local addresses to be translated.
• R(config)# access-list 10 permit 60.0.0.0 0.255.255.255
• Create a pool of global addresses to be translated.
• R(config)# ip nat pool pool1 5.5.5.1 5.5.5.20 netmask 255.0.0.0
• Enable dynamic NAT between IPs in the ACL and the global pool.
• R(config)# ip nat inside source list 10 pool pool1
- This means, translate permitted addresses in that Access-list to that pool
• Define the local NAT interface.
• R(config-if)# ip nat inside
CCNA Sec Page 59
• R(config-if)# ip nat inside
• Define the outside NAT interface.
• R(config-if)# ip nat outside
• To view NAT translations on Router.
• R# show ip nat translation

• Static NAT.
• Allow one-to-one mapping of local and global addresses.
• For hosts which must have consistent ip accessible from the Internet. (servers).
• Define translated addresses (local & global).
• R(config)# ip nat inside source static 60.0.0.1 5.5.5.1
• Define the local NAT interface.
• R(config-if)# ip nat inside
• Define the outside NAT interface.
• R(config-if)# ip nat outside
• To view NAT translations on Router.
• R# show ip nat translation

• PAT (called Overloading).

• Enables NAT to map multiple private IPs to a single public IP.
• Each private address is tracked by a port number.
• This process is called NAT/PAT.
• PAT keeps unique source port numbers on the inside global IP to distinguish between translations.
• 1 public IP support up to 64511 connection (65,535 – 1024 [well-known ports]).
• Define Access-list for addresses to be translated.
• R(config)# access-list 10 permit 60.0.0.0 0.0.0.255
• Enable dynamic NAT translation specifying that Access-list & the interface with the global IP.
• R(config)# ip nat inside source list 10 interface f1/1 overload (this keyword enables PAT).
• Define the local NAT interface.
• R(config-if)# ip nat inside
• Define the outside NAT interface.
• R(config-if)# ip nat outside
• To view active nat translations.
• R# sh ip nat translations
• To view nat & PAT statistics.
• R# sh ip nat statistics
• To clear all dynamic address translations.
• R# clear ip nat translation *
• Policy NAT/PAT.
• Based on a set of rules, such as what is the source|destinastion IP, which ports are used that would qualify that
packet to have NAT/PAT applied to it.
• Other packets will be routed normally.
------------------------------------------------------------------------------------------------------------------------
• Firewall Design Considerations.
• Firewalls should be placed at security boundaries, such as between two networks with different levels of trust.
• Firewalls should be a primary security device, but not the only security device.
• Make sure that physical security controls and management access to the firewall devices.
• Regularly look at the firewall logs.

CCNA Sec Page 60

• Regularly look at the firewall logs.
• AAA accounting and proper documentation is important to have a record of which administrator made
which changes and when they were made.
• Packet-Filtering Access Rule Structure.
• An ACL is applied to an interface either inbound or outbound.
• Access lists are processed in a top-down.
• As soon as the firewall identifies a match from a single ACE, it then implements the action of permit or deny.
• If there is no match in the ACL, packet is denied.
• You can only configure one ACL per interface, per protocol, and per direction.
• ACLs can control traffic through or to the Cisco device, but not traffic originating from the Cisco device.
• Never allow more access than is necessary.
• Take care for the order of ACEs in the ACL.

• CBAC (Context-based access control).

• A solution available within the Cisco IOS Firewall.
• Provides stateful Application Layer filtering.
• Only provides filtering for those protocols that are specified by an administrator.
• Detects and prevents most of the popular attacks on a network.
• CBAC provides four main functions:
• Traffic filtering.
• Can permit specified TCP, UDP return traffic when the connection is initiated from the network.
• This is accomplished by creating temporary openings in an ACL.
• Uses the state table to build dynamic ACL entries that permit returning traffic.
• The state table dynamically changes and adapts with the traffic flow.
• Traffic inspection.
• Can inspect traffic for sessions that originate from either side of the firewall.
• Inspects packets at the Application Layer and maintains TCP and UDP session information.
• So, it can detect and prevent certain types of network attacks such as SYN-flooding.
• Also performs statefull packet inspection, and prevent specific DoS attacks.
• Can be configured to drop half-open connections
• Intrusion detection.
• Provides a limited amount of intrusion detection to protect against specific SMTP attacks.
• It resets the offending connections and sends syslog information to the syslog server.
• Generation of audits and alerts.
• Can generate real-time alerts and audit trails.
• Audit trail features use syslog to track all network transactions.
• CBAC mechanism.
• After the ACL permits the traffic, the CBAC inspection rules are examined.
• Then adds a dynamic extended ACL entry on the external interface in the inbound direction.
CCNA Sec Page 61
• Then adds a dynamic extended ACL entry on the external interface in the inbound direction.
• This temporary opening is only active for as long as the session is open.
• These dynamic ACL entries are not saved to NVRAM.
• When the session ends, these entries and dynamic information in the state table are removed.
• Also removed whenever the idle timeout period for the connection is reached.
• CBAC can't inspect encrypted traffic.
• Dynamic applications, such as FTP, open a channel on a well-known port, Then negotiate additional channels
through the initial session.
• When an attack is detected, the firewall can:
- Generate alert messages.
- Protect system resources that could impede performance.
- Block packets from suspected attackers.
• IOS Firewall provides three thresholds against TCP-based DoS attacks:
- Total number of half-opened TCP sessions.
- Number of half-opened sessions in a time interval.
- Number of half-opened TCP sessions per host.
• TCP and UDP inspection dynamically permits return traffic of active sessions.
• ICMP inspection allows ICMP echo reply according to previously seen ICMP echo request.
• CBAC inspection supports two types of logging functions:
• Alerts.
• Display messages, such as insufficient router resources, DoS attacks, and other threats.
• Enabled by default.
• The administrator can also disable and enable alerts per inspection rule.
• Audits.
• Displays messages when CBAC adds or removes an entry from the state table.
• Keeps track of the connections that CBAC inspects, including valid & invalid access attempts.
• Disabled by default.
• By default, alerts and audits are displayed on the console line.
• This information can be logged to the internal buffer of the router or syslog server.
• Configuration.
• ACLs before deploying CBAC.
• To allow internal users access the external.
• R(config)# access-list 150 permit tcp 60.0.0.0 0.255.255.255 any
• R(config)# access-list 150 permit udp 60.0.0.0 0.255.255.255 any
• R(config)# access-list 150 permit icmp 60.0.0.0 0.255.255.255 any
• R(config)# interface f1/0
• R(config-if)# ip access-group 150 in
• To block all coming connection from the external
• R(config)# access-list 160 deny ip any any log
• R(config)# interface f1/1
• R(config-if)# ip access-group 160 in
• To create an inspection rule.
• R(config)# ip inspect name rule1 tcp
• R(config)# ip inspect name rule1 udp
• The protocol can be tcp, udp, ftp, tftp, http, h323, rpc, smtp,….
• To apply an Inspection Rule to the internal Interface.
• R(config)# interface f1/0
• R(config-if)# ip inspect rule1 in
• R# show ip inspect all
CCNA Sec Page 62
• R# show ip inspect all
• R# show access-list
• To disable CBAC alerts.
• R(config)# ip inspect alert-off
• To enable CBAC auditing.
• R(config)# ip inspect audit-trail
• To view information about CBAC inspections.
• R# show ip inspect name rule-name
• R# show ip inspect interfaces
• R# show ip inspect config
• To display established sessions.
• R# show ip inspect sessions
• To debug CBAC operations for real-time monitoring.
• R# debug ip inspect protocol [tcp, udp, icmp, app protocol, events, object creation, …]
• This command replaced the debug policy-firewall command at Release 12.4(20)T.
• To view when idle timeouts are reached.
• R# debug ip inspect timers
• To remove CBAC from the router, use the global no ip inspect command.
• R(config)# no ip inspect
• Also will remove the state table, all temporary ACL entries created by CBAC, resets all timeout and threshold
values to their factory defaults.
Implementing Cisco IOS Zone-Based Firewalls
• Zone based policy firewall (ZBF, ZBPF, ZFW).
• Introduced with IOS Release 12.4(6)T.
• Interfaces are assigned to zones.
• Doesn't change ACLs.
• An inspection policy is applied to traffic moving between the zones.
• The default policy between zones is deny all.

• Supports features, as stateful inspection, application inspection, URL filtering, DoS mitigation.
• CBAC & Zones models can be enabled concurrently on a router.
• Interface cannot be configured as a zone member and configured for IP inspection simultaneously.
• Interfaces that have not been assigned to a zone can still use CBAC stateful inspection.

CCNA Sec Page 63

• Interfaces that have not been assigned to a zone can still use CBAC stateful inspection.
• ZBF actions.
• Inspect.
• Automatically allows for return traffic and potential ICMP messages.
• Equivalent to the CBAC ip inspect command.
• Drop.
• Analogous to a deny statement in an ACL.
• Pass.
• Analogous to a permit statement in an ACL.
• Does not track the state of connections or sessions within the traffic.
• Allows the traffic only in one direction.
• A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
• ------------------------------------------------------------------------------------------------------------------------
• An administrator can assign a physical interface to only one security zone.
• Virtual interfaces (Dialer or virtual Template interfaces) can be assigned to multiple zones.
• Traffic is implicitly allowed among interfaces that are members of the same zone.
• If you don't want an interface to be part of the zone based firewall policy, put it in a zone & configure a pass-all
policy between that zone and any other zone.
• Traffic can't pass between an interface in a zone and one not in a zone.
• All the hosts connected to a zone-member interface are included in that zone.
• By default, all interfaces on the router are automatically part of the self zone when ZBF is used.
• The traffic to and from the router's interface itself is not controlled by the zone policies.
• The only exception to the default deny-all policy is the self zone.
• Traffic to any router interface (self zone) is allowed until traffic is explicitly denied.
• To limit traffic moving to the router's interfaces from other zones, policies must be applied.
• Self zone is a system-defined zone that doesn't require any interfaces to be configured as members.
• Create the zone.
• R(config)# zone security name
• To Assign Router Interfaces.
• R(config-if)# zone-member security zone-name
• Class map.
• A way to identify a set of packets based on its contents using “match” conditions.
• Identify traffic and traffic parameters for policy application.
• Applied within policy maps.
• Class maps sort the traffic based on specific criteria:
• Access group.
• A standard, extended, or named ACL can filter traffic.
• Protocol.
• L4 as TCP, UDP, and ICMP, or L7 as HTTP, SMTP, and DNS.
• Class map.
• A subordinate class map that provides additional match criteria can be nested inside another class map.
• Match-any Vs Match all.
• Match-any.
• Traffic must meet just one of the match criteria in the class map.
• Match-all (the default).
• Traffic must match all of the class map criteria to belong to that particular class.
• Define ZBF Traffic Classes.
• R(config)# class-map type inspect name

CCNA Sec Page 64

• R(config)# class-map type inspect name
• To define protocols are matched from within the class map.
• R(config-cmap)# match protocol protocol-name
• To match the traffic to a specific ACL.
• R(config-cmap)# match access-group ACL-n | name ACL-name
• Nested class maps can be configured as well using the syntax.
• R(config-cmap)# match class-map class-map-name
• Policy map.
• Applies actions to the traffic of the class maps.
• Actions are associated with traffic classified by class maps.
• Create a ZPF policy map.
• R(config)# policy-map type inspect name
• Specifiy traffic classes on which an action must be performed.
• R(config-pmap)# class type inspect class-name
• To specify the action to take on the traffic is specified.
• R(config-pmap-c)# pass | inspect | drop [log] | police
• To specify the default class (matching all remaining traffic).
• R(config-pmap)# class class-default
• To specify the action to take on the traffic is specified.
• R(config-pmap-c)# pass | inspect | drop [log] | police
• To apply deep-packet inspection on a specific traffic.
• R(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | smtp} policy-map-name
• Zone pair.
• Allows a unidirectional firewall policy between two security zones to be specified.
• The direction of the traffic is determined by specifying a source and destination security zone.
• A zone that is a member of a zone pair cannot be deleted.
• To create a zone-pair on which the policy will be applied.
• R(config)# zone-pair security name source src-name|self destination dst-name|self
• To attach a policy-map and its associated actions to a zone-pair.
• R(config-sec-zone-pair)# service-policy type inspect policy-map-name
• To view zone-based policy firewall session statistics.
• Router# show policy-map type inspect zone-pair session
• Implementing NAT in Addition to ZBF.
• Configure > Router > NAT > Basic NAT

Configuring Basic Firewall Policies on Cisco ASA

CCNA Sec Page 65

 Configuring Basic Firewall Policies on Cisco ASA

• ASA (Adaptive Security Appliance) Features and Services.

• Packet filtering.
• Simple packet filtering normally represents an access list.
• ASA supports both standard and extended access lists.
• ASA never ever uses a wildcard mask.
• Stateful filtering.
• By default, the ASA enters stateful tracking information about packets that have been initially allowed through
the firewall.
• Application inspection/awareness.
• The ASA can listen in on conversations between devices on one side and devices on the other side of the
firewall.
• Some applications, such as FTP, dynamically use additional ports.
• The client and the server negotiate the data connection, which is sourced from ports 20 at the server and
destined for whatever port number was agreed to by the client.
• The challenge with this is that the initial packets for this data connection are initiated from the server on the
outside.
• Network Address Translation (NAT).
• ASA supports both NAT, PAT and policy NAT.
• Policy NAT is only triggered based on specific matches of IP addresses or ports.
• Able to perform NAT exemption (called NAT zero) which is certain traffic should not be translated.
• DHCP server.
• ASA can act as a DHCP server or client or both.
• Routing.
• ASA supports RIP, OSPF, EIGRP and static routing.
• Layer 3 or Layer 2 implementation.
• Can run in routed mode or transparent mode.

CCNA Sec Page 66

• Can run in routed mode or transparent mode.
• VPN support.
• When using IPSec ASA can support remote-access VPN users and site-to-site VPN tunnels.
• When using SSL, it can support the client-less SSL VPN and the full AnyConnect SSL VPN tunnels.
• SSL is only used for remote access, not for site-to-site VPNs.
• Object groups.
• A configuration item on the ASA that refers to one or more items.
• Network object group: refers to one or more IP addresses or network address ranges.
• Botnet traffic filtering.
• Botnet is a collection of computers that have been compromised and are willing to follow the instructions of
someone who is attempting to centrally control them
• ASA works with an external system at Cisco that provides information about the Botnet Traffic Filter Database
and so can protect against this.
• Advanced malware protection (AMP).
• ASA provides NGFW capabilities that combine traditional firewall features with thread and advanced malware
protection in a single device.
• High availability.
• By using two firewalls in a high-availability failover combination.
• AAA support.
• Either locally or from an external server such as Access Control Server (ACS).
• ASA Security Levels.
• ASA uses security levels associated with each routable interface.
• A number between 0 and 100 (The bigger the number, the more trust you have for the network).
• Also assign a name to the interface.
• Inside interface will have a security level 100 , outside or any other name will have level 0
• Also assign ip to the interface and bring it up with the no shutdown command

CCNA Sec Page 67

• By default, if two interfaces are both at the exact same security level, traffic is not allowed.
• Tools to Manage the ASA.
• Command-line interface (CLI).
• ASA Security Device Manager (ASDM).
- You can connect to up to 5 separate firewalls and switch between them from ASDM.
• Cisco Security Manager (CSM).
- An enterprise (commercial grade) GUI tool that can manage most of your network devices, including routers,
switches, and security appliances such as the ASA.
• Packet Filtering on the ASA.
• Using ACLs applied inbound and outbound to a given interface.
• Inbound to an interface.
- Traffic that is going into an interface.
• Outbound to an interface.
- Traffic that is exiting an interface.
• Inbound from a security level perspective.
- Traffic that is being routed by the ASA from a lower-security interface to a higher-security interface, such as
from the outside to the DMZ, from the outside to the inside, ……….
• Outbound from a security level perspective.
- Traffic that is being routed by the ASA from a high-security interface to a lower-security interface, such as
inside to DMZ, inside to outside, ………..
• If you are using ACLs on each interface of the ASA, the security levels no longer control what the initial traffic
flows may be (cause of the deny any any at the end of the access list).
• Stateful inspection is still being done dynamically, allows the return traffic to come back.
• Modular Policy Framework (MPF).
• Use class maps to identify traffic.
• Use policy maps to identify the actions you are going to take on that traffic.
• Use service policy commands to implement the policy.
• The service policies can attach the policy to a specific interface or can be applied globally.
CCNA Sec Page 68
• The service policies can attach the policy to a specific interface or can be applied globally.
• Use to classify traffic for:
- Application layer inspection.
- Forward traffic to the IPS module.
- Prioritize the forwarding of voice traffic.
• Class maps can identify traffic based on Layer 3 and Layer 4.
• Also for Layers 5 to 7 that identify traffic based on application layer information (not in this course)
• Actions to take on each class of traffic:
- Reroute the traffic to a hardware module such as the IPS module that is inside the ASA.
- Perform inspection on that traffic (related to stateful filtering or application layer inspection/filtering).
- Give priority treatment to the forwarding of that traffic.
- Rate-limit or police that traffic.
- Perform advanced handling of the traffic.
• Configuring the ASA.

• ASDM
• Pre-configurations.
• Ciscoasa(config)# http server enable
• Ciscoasa(config)# http host-ip|network-id mask interface-name
• Ciscoasa(config)# username name password the-password (or use blank user and enable password)
• Ciscoasa(config)# interface g0/0
• Ciscoasa(config-if)# ip add 30.0.0.100 255.0.0.0
• Ciscoasa(config-if)# no shut
• Ciscoasa(config-if)# nameif name
• Ciscoasa(config-if)# security-level 100
• Ciscoasa# copy tftp: flash: asdm-647.bin
• Open browser, https://ASA-ip , Install ASDM Launcher and Run ASDM
CCNA Sec Page 69
• Open browser, https://ASA-ip , Install ASDM Launcher and Run ASDM
• To view interfaces ip addresses.
• Ciscoasa# sh interface ip brief
• Ciscoasa# sh ip address
• Ciscoasa# sh nameif

• For setup wizard.

• Wizards tab, setup wizard.
• Configuring the Interfaces.
• Configuration > Device Setup > Interfaces
• ASA does not like to route a packet out the exact same interface that the packet came in on.
• ASA1(config)# interface Vlan4
• ASA1(config-if)# no shutdown
• ASA1(config-if)# description WAN interface
• ASA1(config-if)# nameif outside
• ASA1(config-if)# security-level 0
• ASA1(config-if)# ip address 23.1.2.3 255.255.255.240
• ASA1(config-if)# exit
• To link an interface to a VLAN.
• ASA1(config)# interface Ethernet0/1
• ASA1(config-if)# switchport access vlan 4
• ASA1(config)# show run interface
• DHCP server.
• Configuration > Device Management > DHCP > DHCP Server,

CCNA Sec Page 70

• ASA1(config)# dhcpd address 30.0.0.101-30.0.0.132 inside
• ASA1(config)# dhcpd enable inside
• ASA1(config)# dhcpd dns 8.8.8.8 interface inside
• ASA1(config)# dhcpd domain test.local interface inside
• The ASA, by default, assigns itself as the default gateway for the DHCP clients to use.
• Basic Routing to the Internet.
• Configuration > Device Setup > Routing > Static Routes > Add
• ASA1(config)# route outside 10.0.0.0 255.0.0.0 172.16.0.1
• ASA1(config)# route outside 0.0.0.0 0.0.0.0 172.16.0.1

• NAT and PAT.

• Configuration > Firewall > NAT Rules and click Add

• To use PAT, use Dynamic PAT (Hide) mode and then select the outside interface.

CCNA Sec Page 71

• To use PAT, use Dynamic PAT (Hide) mode and then select the outside interface.
• ASA1(config)# object network Inside_Hosts
• ASA1(config-network-object)# subnet 30.0.0.0 255.255.255.0
• ASA1(config)# nat (inside,outside) source dynamic Inside_Hosts interface
• To apply an ACL.
• Configuration > Firewall > Access Rules

• Creating and Applying an ACL at the CLI.

• ASA1(config)# access-list inside_access_in deny tcp any any eq telnet
• ASA1(config)# access-list inside_access_in permit ip any any
• ASA1(config)# access-group inside_access_in in interface inside
• Using Packet Tracer to Verify Which Packets Are Allowed.
• A built-in tool called Packet Tracer that enables you to identify whether the ASA will forward or drop a packet,
before the user even powers on her computer.
• Packet Tracer even indicates the reason why a packet would be dropped by the ASA.

CCNA Sec Page 72

• The literal IP of the source and destination do not have to be valid hosts.

• ASA1# packet-tracer input inside tcp 30.0.0.101 1065 22.33.44.55 80

CCNA Sec Page 73

 CCNA Sec 05

Cisco IDS/IPS Fundamentals

• Sensor.
• A device that looks at traffic on the network and then makes a decision based on a set of rules.
• IPS (Intrusion Prevention System).
• Deploying the sensor in inline mode.
• Traffic going through your network is forced to go in one physical port on the sensor.
• Sensor takes decisions based on rules configured.
• Sesnor failure is a great issue.
• You can configure the sensor to "fail open" to pass all traffic (good and malicious) if failed.
• "Fail close" mode: if the sensor fail, no traffic (good or malicious) will pass.
• A slight additional delay occurs as traffic is analyzed and then forwarded through the inline IPS.

• Intrusion Detection System (IDS).

• Copies the traffic stream, and analyzes the monitored traffic rather than the actual forwarded packets.
• Works in Promiscuous mode, so passively monitor the traffic on a network.
• Does not negatively affect the actual packet flow of the forwarded traffic.
• Cannot stop malicious single-packet attacks from reaching the target.
• Requires assistance from other networking devices, such as routers and firewalls.

CCNA Sec Page 74

•

• Sensor Platforms.
• A dedicated IPS appliance, such as the 4200 series.
• Software running on the router in versions of IOS that support it.
• A module in an IOS router, such as the AIM-IPS or NME-IPS modules
• A module on an ASA firewall in the form of the AIP module for IPS.
• A blade that works in a 6500 series multilayer switch.
• Cisco FirePOWER 8000/7000 series appliances.
• Virtual Next-Generation IPS (NGIPSv) for Vmware.
• ASA with FirePOWER services.
• Alarm type.

CCNA Sec Page 75

•

• Identifying Malicious Traffic on the Network.

• Signature-based IPS/IDS
• Signature: a set of rules looking for some specific pattern or characteristic in either a single packet or a stream of
packets.
• A new sensor may have thousands of default signatures provided by Cisco.
• Not all the signatures are enabled.
• Does not detect attacks outside of the rules.
• Signatures must be updated periodically to remain current and effective against new threats.
• Policy-based IPS/IDS
• Implemented based on the security policy for your network.
• Ex. If your company doesn't allow telnet, you can create custom rule for the IPS to drop and alert traffic destined
to port 23.
• Anomaly-based IPS/IDS
• Ex. creating a baseline of how many TCP sender requests are generated on average each minute that do not get
a response.
• Can detect worms based on anomalies, even if specific signatures have not been created yet for that type of
traffic.
• Reputation-based IPS/IDS
• Collects input from systems all over the planet that are participating in global correlation;
• So can detect and prevent global attack that is propagating its way across the networks of the world but
has not hit your network yet.
• This may include descriptors such as blocks of IP addresses, URLs, DNS domains,…...
• Global correlation services are managed by Cisco as a cloud service.
• Possible Sensor Responses to Detected Attacks.
• Deny Attacker Inline.
• Drops the offending packet and future packets from this attacker address for a specified period of time.
• Entries can be removed from this list or allowed to expire based on a timer
• Deny connection inline.
• Terminate current and future packets of TCP flow (same TCP connection).
• The attacker could open up a new TCP session (using different port numbers).
• Deny packet inline.
• Drops the offending packet that has caused the signature to trigger.
CCNA Sec Page 76
• Drops the offending packet that has caused the signature to trigger.
• Log-attacker-packets.
• Starts IP logging on packets that contain the attacker address and sends an alert.
• IPS starts capturing packets that contain the IP address of the attacker.
• Log Victim Packets.
• Starts IP logging on packets that contain the victim IP address.
• Log-pair-packets.
• Starts IP logging on packets that contain the attacker/victim address pair.
• Produce Alert.
• An alert is the basic mechanism that is used by the IDS/IPS to identify that an event has occurred
• Produce Verbose Alert.
• Generates an alert that contains a pcap of the packet that caused the signature to trigger [capture trigger packet
and send with the alert].
• Request Block Connection.
• This action sends a request to a remote blocking device to block a connection.
• Connection blocks and network blocks are not supported on ASA.
• This action causes the sensor to request a blocking device to block based on the source IP address of the
attacker, the destination IP address of the victim, and the ports involved in the packet that triggered the alert.
• Request Block Host.
• This action sends a request to a remote blocking device to block an attacker host.
• Blocks based on the source IP address of the attacker (or destination IP address) regardless of the ports in use for
future packets.
• Request-snmp-trap.
• Sends a request to the Notification Application component of the sensor to perform SNMP notification.
• You must have SNMP configured on the sensor to implement this action.
• Reset TCP Connection.
• Sends spoofed TCP reset (RST) segments to terminate the offending TCP connection.
• ERR (Event Risk Rating).
• A value from 0 to 100 used by the sensor to calculate and provide the severity of an event.
• SFR (Signature Fidelity Rating).
• An indication of confidence in a signature’s performance given the environment in which it is deployed.
• Has a value between 0 and 100.
• ASR (Attack Severity Rating).
• Assigned to each signature by the Cisco IPS sensor.
• Determined by the severity configured for each signature (by the person who created that signature).
• TVR (Target Value Rating).
• Used to assign value to a particular asset.
• To set the TVR, it is necessary to provide the sensor with the destination IP addresses or subnets that are the
most critical.
• TVR is not a property of any specific signature, but rather is a configured general parameter in the IPS.
-------------------------------------------------------------------------------------------------
• Global Correlation.
• An IPS feature that enables the IPS to receive regular threat updates from a centralized Cisco threat database
called the Cisco SensorBase Network.
• Global correlation is available on the sensor appliances but does not have to be enabled.
• The IPS must periodically download global correlation updates from the global correlation servers.
• SensorBase Network is part of the SIO (Security Intelligence Operation).
• SIO facilitates global threat information, reputation-based services, and sophisticated analysis.

CCNA Sec Page 77

• SIO facilitates global threat information, reputation-based services, and sophisticated analysis.
• IPS/IDS Evasion Techniques.
• Traffic fragmentation.
• The attacker splits malicious traffic into multiple parts.
• Complete session reassembly is performed by the sensor.
• Traffic substitution and insertion.
• The attacker substitutes characters in the data using different formats that have the same final meaning.
• IPS uses Data normalization and de-obfuscation techniques to look for Unicode, case sensitivity spaces.
• Protocol level misinterpretation.
• An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol.
• Timing attacks.
• Sending packets at a rate low enough to avoid triggering a signature.
• Encryption and tunneling.
• The encrypted payload cannot be inspected by Cisco IPS.
• Starting with the latest Sourcefire version of the NGIPS solution, encrypted traffic can now be decrypted and
inspected.
• Resource exhaustion.
• If thousands of alerts are being generated by attacks, an attacker may just be trying to disguise or cloak the
single attack that he hopes succeeds.
• Managing Signatures.
• Cisco organizes its signatures into groups that have similar characteristics.
• For each of its groups, a signature micro-engine is used to govern that set of signatures.
• Micro-engines types:
• Atomic.
• Signatures that can match on a single packet, as compared to a string of packets.
• Service.
• Signatures that examine application layer services, regardless of the operating system.
• String.
• Supports flexible pattern matching and can be identified in a single packet or group of packets, such as a session.
• Other.
• Miscellaneous Signatures that may not specifically fit into the previously mentioned other categories.
• Internal engine that handles miscellaneous signatures.
• Signature or Severity Levels.
• Also called ASR (attack severity rating).
• A rating between 0 and 100 (in the eyes of the individual who created the signature).
• The higher the severity, the greater the number.
• The severity level can be:
- Informational (25).
- Low (50).
- Medium (75).
- High (100).
• Alarms can be sent to the managed device by:
• Syslog.
• SNMP.
• SDEE protocol.
- Used for real-time delivery of alerts, and is the most secure method for delivering alerts.
- Can be sent to an application as IME (IPS Manager Express), CSM (Cisco Security Manager).

CCNA Sec Page 78

• CCP can monitor syslog and SDEE-generated events.
• IPS/IDS Best Practices.
• Implement an IPS so that you can analyze traffic going to your critical servers
• If you cannot afford dedicated appliances, use modules or IOS software-based IPS/IDS.
• Take advantage of global correlation to improve your resistance against attacks.
• Use automated signature updates when possible instead of manually installing updates.
• Continue to tune the IPS/IDS infrastructure as traffic flows and network devices and topologies change.
• IOS IPS configuration.
• R(config)# format disk0:
• R(config)# dir disk0:
• R(config)# copy tftp: disk0: IOS-S636-CLI.pkg
• R(config)# dir disk0:
• install the cisco public key to ensure that files are signed by cisco.
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
exit
exit
• Cretae ips rule to start ips services.
• R(config)# ip ips name ips-rule1
• R(config)# ip ips config location disk0:
• For SDEE run http service first
CCNA Sec Page 79
• For SDEE run http service first
• R(config)# ip http server
• R(config)# ip ips notify sdee
• R(config)# ip ips signature-category
• To stop (retire) the all category and only enable (unretire) the basic category.
• R(config-ips-category)# category all
• R(config-ips-category-action)# retired true
• R(config-ips-category)# category ios_ips basic
• R(config-ips-category-action)# retired false
• R(config-ips-category-action)# exit to save
• link the ips rule to an interface.
• R(config-if)# ip ips ips-rule1 in
• To clear ips statistics only.
• R# clear ip ips statistics
• To stop and clear ips configurtions.
• R# clear ip ips configuration
• Configuration with ccp
• Security, Intrusion Prevention, Launch IPS rule wizard,

CCNA Sec Page 80

CCNA Sec Page 81
 ----------------------------------------------------------------------------------------------------------------------------------
• Cisco Next-Generation IPS Solutions (NGIPS).
• Cisco FirePOWER 8000/7000 series appliances.
• Provide a combination of real-time contextual awareness, full-stack visibility, and intelligent security
automation.
• Threat protection with these devices can be extended through the purchase and installation of optional
subscription licenses to provide advanced malware protection (AMP) along with application visibility and
control.
• Virtual Next-Generation IPS (NGIPSv) for Vmware.
• Provides threat protection, real-time contextual awareness, intelligent security automation, and visibility into the
entire IP stack.
• ASA with FirePOWER Services.
• Combines the proven and effective security protection of the existing Cisco ASA 5500-X series and ASA 5585-
X firewall products with the added b enef its provided by the newly released FirePOWER NGIPS and AMP
technologies.
CCNA Sec Page 82
 technologies.
• FireSIGHT Management Center.
• Can centerally manage and maintain the Cisco ASA with FirePOWER services.
• Provides automatic aggregation and correla-tion of network security data collected by the ASA with
FirePOWER.
Mitigation Technologies for E-mail-Based and Web-Based Threats
• ESA & WSA provide a great solution designed to protect corporate users against these threats.
• Cisco has added advanced malware protection (AMP) to the ESA and WSA to allow security admins to detect
and block malware and perform continuous analysis and retrospective alerting.
• E-mail-Based Threats.
• Spam.
• Unsolicited e-mail messages that can be advertising a service or (typically) a scam or a message with malicious
intent.
• E-mail spam continuous to be a major threat because it can be used to spread malware.
• Malware attachments.
• E-mail messages containing malicious software (malware).
• Phishing.
• An attacker’s attempt to fool a user that such e-mail communication comes from a legitimate entity or site, such
as banks, social media websites, online payment pro-cessors, or even corporate IT communications.
• This can steal user’s sensitive information such as user credentials, bank accounts, and so on.
• Spear phishing.
• Phishing attempts that are more targeted.
• These phishing e-mails are directed to specific individuals or organizations.
• For instance, an attacker may perform a passive reconnaissance on the individual or organization by gathering
information from social media sites (ex. Twitter, LinkedIn, Facebook) and other online resources.
• Cisco Cloud E-mail Security.
• Provides a cloud-based solution that allows companies to out-source the management of their e-mail security
management.
• Provides e-mail security instances in multiple Cisco data centers to enable high availability.

• Cisco Hybrid E-mail Security.

• Combines both cloud-based and on-premises ESAs.
• Helps Cisco customers reduce their on-site e-mail security foot-print, outsourcing a portion of their e-mail
security to Cisco.
• Cisco E-mail Security Appliance.
CCNA Sec Page 83
• Cisco E-mail Security Appliance.
• X-Series ESA.
- Cisco X1070: High-performance ESA for service providers and large enterprises
• C-Series ESA
- Cisco C680: The high-performance ESA for service providers and large enterprises
- Cisco C670: Designed for medium-size enterprises
- Cisco C380: Designed for medium-size enterprises
- Cisco C370: Designed for small- to medium-size enterprises
- Cisco C170: Designed for small businesses and branch offices
• ESA runs the Cisco AsyncOS operating system that supports numerous features as:
• Access control.
• Controlling access for inbound senders according to the sender’s IP, IP range, or domain name.
• Antispam.
• Multilayer filters based on Cisco SenderBase reputation and Cisco antispam integration.
• Network Antivirus.
• Cisco partnered with Sophos and McAfee, supporting their antivirus scanning engines.
• Advanced malware protection (AMP).
• Allows security admins to detect, block malware and perform continuous analysis and retrospective alerting.
• DLP (Data Loss Preventation).
• The ability to detect any sensitive e-mails and documents leaving the corporation.
• ESA integrates RSA e-mail DLP for outbound traffic.
• E-mail encryption.
• The ability to encrypt outgoing mail to address regulatory requirements.
• The admin can configure an encryption policy on the ESA and use a local key server or hosted key service to
encrypt the message.
• E-mail authentication.
• A few e-mail authentication mechanisms are supported, includ-ing Sender Policy Framework (SPF), Sender ID
Framework (SIDF), and DomainKeys Identified Mail (DKIM) verification of incoming mail, as well as
DomainKeys and DKIM signing of outgoing mail.
• Outbreak filters.
• Preventive protection against new security outbreaks and e-mail-based scams using Cisco’s SIO threat
intelligence information.
• Cisco SenderBase.
- The world largest e-mail and web traffic monitoring network.
- Provides real-time threat intelligence powered by Cisco Security Intelligence Operations.
• ESA.
• Acts as the e-mail gateway to the organization.
• Handls all e-mail connections, accepting messages, and relaying them to the appropriate systems.
• Can service e-mail connections from the Internet to users inside your network, and Vs.
• ESA services all SMTP connections by default acting as the SMTP gateway.
• Mail gateways are also known as a mail exchangers or MX.
• ESA Listeners (SMTP daemons).
• ESA uses listeners to handle incoming SMTP connection requests.
• A listener defines an e-mail processing service that is configured on an interface in the Cisco ESA.
• Apply to e-mail entering the appliance from either the Internet or from internal systems.
• Listeners can be configured:
• Public listeners.
• For e-mail comingin from the Internet.
• Private listeners.
CCNA Sec Page 84
• Private listeners.
- For e-mail coming from hosts in the corporate (inside) network.
- These e-mails are typically from an internal groupware, Exchange, POP, or IMAP e-mail servers.
• Listener properties:
- A specific interface in the Cisco ESA.
- The TCP port that will be used.
- Whether it is a public or a private listener.
• An administrator can specify which remote hosts can connect to the listener.
• The local domains for which public listeners accept messages.

• Cisco ESA Initial Configuration.

• The default username is admin, and the default password is ironport.
• Initial Setup with the systemsetup Command

CCNA Sec Page 85

CCNA Sec Page 86
• Cisco WSA.
• Uses cloud-based intelligence from Cisco to help protect the organization before, during, and after an attack.
• Can be deployed in explicit proxy mode or as a transparent proxy using the WCCP.
• WCCP (Web Cache Communication Protocol).
• A protocol originally developed by Cisco, but several other vendors have integrated it in their products to allow
transparent proxy deployments on networks using (routers, switches, firewalls, and so on).

CCNA Sec Page 87

 transparent proxy deployments on networks using (routers, switches, firewalls, and so on).

• WCCP Registration.

• During the WCCP registration process, the WCCP client sends a registration announcement (“Here I am”) every
10 seconds.
• The WCCP server (the Cisco router) accepts the registration request and acknowledges it with an “I See You”
WCCP message.
• The WCCP server waits 30 seconds before it declares the client as “inactive” (engine failed).
• Cisco WSA models:
- Cisco WSA S680
- Cisco WSA S670
- Cisco WSA S380
- Cisco WSA S370
- Cisco WSA S170
• WSA runs Cisco AsyncOS operating system that supports these features:
• Real-time antimalware adaptive scanning.
• Can be configured to dynamically select an antimalware scanning engine based on URL reputation, content type,
type,
• and
Layerscanner effectiveness.
4 traffic monitor.
• Used to detect and block spyware.
• It dynamically adds IP addresses of known malware domains to a database of sites to block.
• Third-party DLP integration.
• Redirects all outbound traffic to a third-party DLP appliance, allowing deep content inspection for regulatory
compliance and data exfiltration protection.
• Enables an administrator to inspect web content by title, metadata, and size.
• Can even prevent users from storing files to cloud services, such as Dropbox, Google Drive, and others.
CCNA Sec Page 88
• Can even prevent users from storing files to cloud services, such as Dropbox, Google Drive, and others.
• File reputation.
• Using threat information from Cisco Talos.
• This file reputation threat intelligence is updated every 3 to 5 minutes.
• File sandboxing.
• If malware is detected, the Cisco AMP capabilities can put files in a sandbox to inspect its behavior, combining
the inspection with machine-learning analysis to determine the threat level.
• File retrospection.
• After a malicious attempt or malware is detected, the Cisco WSA continues to cross-examine files over an
extended period of time.
• Application visibility and control.
• Allows the ASA to inspect and even block applications that are not allowed by the corporate security polity.
• Ex. an administrator can allow users to use social media sites like Facebook but block micro-applications
such as Facebook games.
• Cisco Cloud Web Security (CWS).
• A cloud-based security service from Cisco that provides worldwide threat intelligence, advanced threat defense
capabilities, and roaming user protection.
• Uses web proxies in Cisco’s cloud environment that scan traffic for malware and policy enforcement.
• Cisco customers can connect to the Cisco CWS service directly by using a proxy autoconfiguration (PAC) file in
the user endpoint.
• PAC is a file defines how web browsers and other user agents can automatically choose the appropriate proxy
server (access method) for fetching a given URL.
• Or through transparent connectors integrated into the following Cisco products:
- Cisco ISR G2 routers
- Cisco ASA
- Cisco WSA
- Cisco AnyConnect Secure Mobility Client

• Cisco SMA (Security Management Appliance).

• Cisco product that centralizes the management and reporting for one or more Cisco ESAs and Cisco WSAs.

CCNA Sec Page 89

•

• SMA models:
- Cisco SMA M680: Designed for large organizations with over 10,000 users.
- Cisco SMAV M600v: Designed for large enterprises or service providers.
- Cisco SMA M380: Designed for organizations with 1000 to 10,000 users.
- Cisco SMAV M300v: Designed for organizations with 1000 to 5000 users.
- Cisco SMA M170: Designed for small business or branch offices w ith up to 1000 users.
- Cisco SMAV M100v: Designed for small business or branch offices with up to 1000 users.

Mitigation Technologies for Endpoint Threats

• Antivirus and Antimalware Solutions.
• Computer viruses.
• A malicious software that infects a host file or system area to perform undesirable outcomes such as erasing
data, stealing information, or corrupting the integrity of the system.
• Worms.
• Viruses that replicate themselves over the network infecting numerous vulnerable systems.
• Mailers and mass-mailer worms.
• A type of worm that sends itself in an e-mail message.
• Logic bombs.
• A type of malicious code that is injected into a legitimate application.
• An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the
system.
• Examples of these malicious tasks include deleting or corrupting files or databases and executing a specific
instruction after certain system condi-tions are met.
• Trojan horses.
• Can delete files, steal data, and compromise the integrity of the underlying operating system.
• Can also act as back doors.
• Back doors.
• Allows attackers to control the victim’s system remotely.
• Exploits.
• Program designed to “exploit” or take advantage of a single vulnerability or set of vulnerabilities.
• Downloaders.
• Malware that downloads and installs other malicious content from the Internet to perform additional exploitation

CCNA Sec Page 90

• Malware that downloads and installs other malicious content from the Internet to perform additional exploitation
on an affected system.
• Spammers.
• The act of sending unsolicited messages via e-mail, instant messaging, newsgroups.
• The primary goal of fooling users to click on malicious links, reply to e-mails or such messages with sensitive
information.
• Key loggers.
• Malware that captures the user’s keystrokes on a compromised computer or mobile device.
• Collects sensitive data such as passwords, PINs, credit card numbers.
• Rootkits.
• Used to elevate the privilege to obtain root-level access to be able to completely take control.
• Ransomware.
• A malware that compromises a system and then demands a ransom from the victim to pay the attacker for the
malware to be removed from the affected system.
• Ex. Crypto Locker and CryptoWall that encrypt the victim’s data and demands the user to pay a ransom in order
for the data to be decrypted.
• Commercial and free antivirus software:
• avast!
• AVG Internet Security
• Bitdefender Antivirus Free
• ZoneAlarm PRO Antivirus + Firewall and ZoneAlarm Internet Security Suite
• F-Secure Antivirus
• Kaspersky Anti-Virus
• McAfee Antivirus
• Panda Antivirus
• Sophos Antivirus
• Norton AntiVirus
• ClamAV
- An open source antivirus engine sponsored and maintained by Cisco and non-Cisco engineers.
• Immunet.
- A free community-based antivirus software maintained by Cisco Sourcefire.
• Personal Firewalls and Host Intrusion Prevention Systems.
• Software applications that you can install on end-user machines or servers to protect them from external security
threats and in trusions.
• Personal firewall.
• Software that can control Layer 3 and Layer 4 access to client machines.
• HIPS.
• Provides prevention and protection against spyware, viruses, worms, Trojans, and other types of malware.
• Ex. Cisco Advanced Malware Protection (AMP) for Endpoints.
• AMP runs on Windows, Mac OS X, Android
• E-mail Encryption.
• Examples of e-mail encryption programs:
- Pretty Good Privacy (PGP)
- GNU Privacy Guard (GnuPG)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Web-based encryption e-mail service like Sendinc or JumbleMe
• S/MIME requires you to install a security certificate on your computer.
• The intended recipients of your encrypted e-mail must install a security certificate on their workstation.
• You can obtain a certificate from commercial service such as Digicert,Verisign, and others.
CCNA Sec Page 91
• You can obtain a certificate from commercial service such as Digicert,Verisign, and others.
• You can also obtain a free e-mail certificate from organizations such as Comodo.
• Encrypting Endpoint Data at Rest.
• GPG.
• Free software to to encrypt files and folders on a Windows, Mac, or Linux system.
• The built-in MAC OS X Disk Utility.
• Enables you to create secure disk images by encrypting files with AES 128-bit or AES 256-bit encryption.
• TrueCrypt.
• A free encryption tool for Windows, Mac, and Linux systems.
• AxCrypt.
• A free Windows-only file encryption tool.
• BitLocker.
• Full disk encryption feature included in several Windows operating systems.
• Many Linux distributions such as Ubuntu.
• Allow you to encrypt the home directory of a user with built-in utilities.
• MAC OS X FileVault.
• Supports full disk encryption on Mac OS X systems.
• Examples of commercial file encryption software:
• Symantec Endpoint Encryption
• PGP Whole Disk Encryption
• McAfee Endpoint Encryption (SafeBoot)
• Trend Micro Endpoint Encryption
• Virtual Private Networks.
• Organizations deploy VPN to provide data integrity, authentication, and encryption of the packets sent over an
unprotected network or the Internet.
• Designed to avoid the cost of unnecessary leased lines.
• Protocols are used for VPN implementations:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F) Protocol
- Layer 2 Tunneling Protocol (L2TP)
- Generic routing encapsulation (GRE)
- Multiprotocol Label Switching (MPLS) VPN
- Internet Protocol Security (IPsec)
- Secure Sockets Layer (SSL)
• Site-to-site VPNs.
• Establish VPN tunnels between two or more network infrastructure devices in different sites.
• Many organizations use IPsec, GRE, or MPLS VPN as site-to-site VPN protocols.
• Remote-access VPNs.
• Enable users to work from remote locations such as their homes, as if they were directly connected to their
corporate network.
• Many organizations use IPsec and SSL VPN for remote access VPNs.

CCNA Sec Page 92