Security super notes – CCIE Written

My next topic for writing up my notes is the security section.

For this post and all posts following I will be using the CCIE blueprint from Cisco here (you may need CCO access to access that document but that is free).

My reasoning for structuring it like this is to make it easier both myself to reference and hopefully someone else will find it easier as well.

Some of the information is a little basic and will have been covered at CCNA and CCNP levels but seen as CCIE doesn’t actually have any pre-requisites I thought it best not to leave any stone unturned.

Security

Implement access lists

There are two types of access lists that can be used on Cisco platforms; the standard access list and the extended access list.

Standard access lists are a little basic in their use and can only match on the source address of the traffic you are matching.

Extended access lists differ from standard access lists in that they can not only match on both source and destination addresses but they can also match a whole plethora of other things such as L4 src/dst port number, DSCP marking, packet size etc.

Just like there are two different types of access list there are also two different methods of configuring them.

Firstly there is the numbered access-list method (which is the older method) where depending on what number you give to your ACL will depend on what type it is:

1-99        - Standard access list
100-199     - Extended access list
1300-1999   - Expanded standard access list (useful if you have >100 standard ACL's)
2000-2699   - Expanded extended access list (useful if you have >100 extended ACL's)

There is also the named access-list method in which the name that you give to the access list is completely agnostic to type of ACL it is. When you are using named access-lists you have to explicitly tell the CLI which type of access-list you are creating.

Things to remember about all ACL’s: – All ACL’s end with an implicit deny all – Order of statements in the ACL is critical (they match on a top down approach)

Creating ACL’s

To create a numbered ACL you do as follows:

R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1300-1999>       IP standard access list (expanded range)
  <2000-2699>       IP extended access list (expanded range)

Once you are in numbered access-list mode it depends on which type it is to what options you will have, as has already been mentioned standard access-lists can only match on one IP/subnet tuple where as the extended type can match on many more things.

Standard:

R1(config)#access-list 50 permit 192.168.1.0 0.0.0.255 ?
  log  Log matches against this entry
  <cr>

Extended:

R1(config)#access-list 150 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq www ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  established  Match established connections
  fin          Match on the FIN bit
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

As you can see above you can be a lot more granular with the options when you are using extended ACL’s.

When using named access-list mode the options are all the same only the way that you create them is a little different:

R1(config)#ip access-list standard STANDARD_ACL 
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255

R1(config)#ip access-list extended EXTENDED_ACL
R1(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq www

Implement CBAC

CBAC or Context-Based access control is a feature in the firewall feature set of IOS routers that allows for ACL’s to be dynamically modified to allow return traffic.

For CBAC to work properly you have to have an ACL applied in the opposite direction than the CBAC inspection rule to block the traffic you are going to allow with CBAC, this sounds like quite a un-nerving thing at first but hopefully the info below should sum it up pretty well.

For the below example we will first create an ACL to block all traffic (but still allow routing traffic, as this is not being inspected) and apply in in the inbound direction of our ‘outside’ interface.

Once we have created this ACL we will also create our CBAC rulebase and apply it in the opposite direction to the above ACL, therefore completing the requirements for CBAC to work.

You will notice that for the icmp rule I also add the ‘router-traffic’ option, what this means is that traffic that is originated from the router will also be inspected, as default only traffic that passes through the router is considered for inspection.

R1(config)#ip access-list extended CBAC_ACL
R1(config-ext-nacl)#permit ospf any any
R1(config-ext-nacl)#permit pim any any
R1(config-ext-nacl)#deny ip any any log
R1(config-ext-nacl)#exit
R1(config)#
R1(config)#ip inspect name CBAC tcp router-traffic
R1(config)#ip inspect name CBAC icmp router-traffic
R1(config)#ip inspect name CBAC ftp
R1(config)#
R1(config)#int f0/0
R1(config-if)#ip access-group CBAC_ACL in
R1(config-if)#ip inspect CBAC out

Now that the above is applied we will be able to ping from R1->R2 as the CBAC inspection will allow the ICMP echo-reply’s. However any traffic that is not originated by R1 (for instance R2 pinging R1) would still be blocked as there will be no rule dynamically added by CBAC for it.

### Ping from R1 to R2 ###
R1#ping 10.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/28 ms
R1#sh ip inspect sessions 
Established Sessions
 Session 67F0C51C (10.10.1.1:8)=>(10.0.1.2:0) icmp SIS_OPEN

### Ping from R2 to R1
R2#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

What CBAC Does

  • Traffic filtering
  • Traffic inspection
  • Alerts and audit trails
  • Intrusion prevention

What CBAC Doesn’t DO

CBAC does not provide a method of filtering all types of traffic, only a limited amount of protocols are supported by CBAC, for protocols that are not supported they will need to be handled normally using extended ACL’s to permit/deny the traffic.

Once again with these notes, in places they are a little bare and there are far more features to CBAC than I have covered in this post, for more information please take a look at the Cisco doc pages here.

Implement Zone Based Firewall

Zone based firewall was a feature that was originally introduced in 12.4(6)T and allowed for the pervious firewall-like behaviour of CBAC/ACL’s to be improved further.

ZBFW allows an IOS device to behave more like a regular PIX/ASA firewall in that it utilises zones.

By default traffic is allowed to pass between interfaces that are in the same zone but traffic is NOT allowed to pass between different zones or between interfaces that are in zones to interfaces that are not in a zone.

ZBFW uses a structure similar to that of the MQC to define class and policy maps using the new ‘inspect’ type.

The steps to setting up ZBFW are as follows:

  1. Create your zones (inside, outside, DMZ etc.)
  2. Decide how traffic will flow on the device and create zone-pairs for these flows.
  3. Create class-maps to identify the inter-zone traffic that will be inspected by the firewall.
  4. Assign policies to the traffic by creating policy maps and associating class maps with them.
  5. Assign the aforementioned policy map to a specific zone-pair.
  6. Assign interfaces to a zone, interfaces are only allowed to be a member in one zone at a time.

To create zones and zone-pairs follow the following steps:

R1(config)# zone security inside
R1(config-sec-zone)# description inside zone

R1(config)# zone security outside
R1(config-sec-zone)# description outside zone

R1(config)# zone-pair security inside_out source inside destination outside
R1(config)# zone-pair security outside_in source outside destination inside

By default when you create ZBFW policy maps there is a class-default (like other MQC based policies) however all traffic in this class is dropped and therefore you need to ensure that all traffic that you want to be allowed is allowed.

When creating class-maps or policy-maps for use by ZBFW you need to use the ‘type inspect’ option when creating them:

R1(config)# class-map type inspect HTTP_TRAFFIC
R1(config)# policy-map type inspect inside_out

To assign a ZBFW policy map to a zone-pair it is fairly similar to applying a QoS policy, to do this follow the below:

R1(config)# zone-pair security inside_out source inside destination outside
R1(config-sec-zone-pair)# service-policy type inspect inside_out

To assign an interface to a zone do the following:

R1(config)# interface Fa0/0
R1(config-if)# zone-member security inside

As with other topics in these notes there are more details on the Cisco documentation pages here.

Implement Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) is a feature that can help protect the network against spoofed or malformed IP packets.

Much like the similarly named RPF check in Multicast forwarding the router implements this feature by checking an incoming packet against the unicast routing table (FIB).

Cisco Express Forwarding (CEF) is required for uRPF as it uses the FIB to carry out its check.

When a packet comes into the router on an interface with uRPF enabled it takes the source IP address of the packet and compares it to the FIB entry for that IP. If the incoming interface and interface listed in the FIB do not match then the packet will be dropped.

The uRPF feature is enabled using the ip verify unicast reverse-path interface configuration command.

Implement IP Source Guard

IP source guard is usually used alongside another feature, DHCP snooping.

The below is an extract from the Cisco document here.

IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbour.

You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.

IP source guard is supported only on Layer 2 ports, including access and trunk ports.You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering.

Implement AAA

AAA stands for Authentication, Authorisation and Accounting but for now we are only really bothered about the first of the A’s Authentication.

When connecting to a device there are many different ways that you can authenticate to it, you can use no password, you could use a line password, you could use a local username database or you could use an external server such as RADIUS or TACACS+.

One of the major plus points for using a centralised solution such as RADIUS or TACACS+ is that if you have a large deployment of devices there is one central place that all usernames/passwords are stored and therefore easier to maintain for additions/removals.

The two technologies that IOS devices support for external authentication are RADIUS and TACACS+ (as mentioned earlier), both are fairly similar in their use however there are a few things that are different between them:

RADIUSTACACS+
Scope of encryption (what is encrypted)Password onlyEntire payload
Layer 4 protocolUDPTCP
Well-known port / IOS default port1812/164549/49
Standards based or proprietaryRFC 2865Proprietary

Below I am enabling the use of AAA and authenticating to a TACACS+ server, in-case of a failure in the TACACS+ server the device will fallback to using its own local database:

R1(config)#aaa new-model
R1(config)#username david secret p4ssw0rd
R1(config)#tacacs-server host 192.168.1.10
R1(config)#tacacs-server key s3cre3tk3y
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#aaa authentication enable default group tacacs+ enable

Implement Control Plane Policing (CoPP)

Control Plane Policiing (CoPP) is used for protecting and ensuring that the control plane of a Cisco device is not overloaded with traffic that it does not need.

The control plane is where the ‘network’ is run from, it is where the routing protocol processes live, it is where BPDU’s for STP are processed and it is where all the management process also live (SSH, Telnet, SNMP, AAA).

All you need is one malicious device (deliberate or accidental) to bring down the control plane on the device, if this happens then everything will be brought down.

When using CoPP you configure it using the MQC (as used in QoS) to define class and policy maps to classify the different types of traffic and what to do with them.

With CoPP class-maps you can only match on IP precedence markings, DSCP markings or ACL’s. You cannot use anything like NBAR as you can with QoS class-maps.

As with when you are configuring a QoS policy you do not want to create too many class-maps as this could be detrimental to your goal, at the same time you do not want to create too little class-maps as this could mean that you end up grouping too many things and locking yourself out of the router.

For L2 traffic and CoPP the only type of traffic that can be explicitly matched in a class-map is ARP, all other L2 traffic such as BPDU’s are handled by the class-default class.

R1(config)#ip access-list extended CoPP_MANAGEMENT
R1(config-ext-nacl)#permit tcp any eq 22 any established
R1(config-ext-nacl)#permit tcp any any eq 22
R1(config-ext-nacl)#permit tcp any eq telnet any established
R1(config-ext-nacl)#permit tcp any any eq telnet
R1(config)#ip access-list extended CoPP_ROUTING
R1(config-ext-nacl)#permit tcp any eq bgp any established
R1(config-ext-nacl)#permit tcp any any eq bgp
R1(config-ext-nacl)#permit ospf any any
R1(config-ext-nacl)#permit eigrp any any

R1(config)#class-map CoPP_ROUTING
R1(config-cmap)#match access-group name CoPP_ROUTING
R1(config)#class-map CoPP_MANAGEMENT
R1(config-cmap)#match access-group name CoPP_MANAGEMENT

R1(config-cmap)#policy-map CoPP
R1(config-pmap)#class CoPP_MANAGEMENT
R1(config-pmap-c)#police cir 10000
R1(config-pmap-c-police)#conform-action transmit
R1(config-pmap-c-police)#exceed-action drop
R1(config-pmap)#class CoPP_ROUTING
R1(config-pmap-c)#police cir 100000
R1(config-pmap-c-police)#conform-action transmit
R1(config-pmap-c-police)#exceed-action transmit

R1(config)#control-plane 
R1(config-cp)#service-policy input CoPP
*Nov 23 14:13:20.846: %CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path

R1#sh policy-map control-plane 
 Control Plane 

  Service-policy input: CoPP

    Class-map: CoPP_MANAGEMENT (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CoPP_MANAGEMENT
      police:
          cir 10000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          drop 
        violated 0 packets, 0 bytes; actions:
          drop 
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: CoPP_ROUTING (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CoPP_ROUTING
      police:
          cir 100000 bps, bc 3125 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          transmit 
        violated 0 packets, 0 bytes; actions:
          transmit 
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      24 packets, 2580 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Implement Cisco IOS Intrusion Prevention System (IPS)

IPS (Intrusion Prevention System) is a feature that you can enable on Cisco routers. Once enabled it acts as an inline IPS device and inspects every packet that passes through the router to a set of signatures that it has stored in its memory.

IPS allows routers to scan all packets and hopefully stop worms, virii etc before they spread further, this feature is most readily used in small branche offices where the traffic level is not enough to warrant a dedicated IPS device.

The amount of IPS signatures that a device can store is only dependant on the amount of memory that the device has available.

New signature databases can be obtained from Cisco to those who have a valid service agreement for the service.

Whilst (as usual) there are a lot more features to IPS than what I have brushed over here, for more information please check out the Cisco documentation page here.

Due to the extra load on the devices CPU you should always disable/retire any signatures that aren’t needed.

R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true 
R1(config-ips-category-action)#exit 
R1(config-ips-category)#category ios_ips basic 
R1(config-ips-category-action)#retired false

R1#mkdir flash:IPS
Create directory filename [IPS]?
Created dir flash:ipsR1

R1(config)#ip ips name CCIE
R1(config)#ip ips config location flash:IPS

R1(config)#int Fa0/1
R1(config-if)#ip ips CCIE outbound

Implement Secure Shell (SSH)

in order to use SSH you need a K9 image which is capable of encryption/decryption

Telnet has been around since time begun (I believe archaeologists have found proof that dinosaurs originally used it!) and as such has a few flaws, the biggest of those is that all telnet traffic is transmitted in clear-text, meaning that anyone that happens to be lurking around and sniffing up your 1’s and 0’s will be able to see exactly what you are doing, including passwords!

SSH is a nice alternative to Telnet which encrypts all traffic to/from the server and therefore is a lot more secure.

As default all IOS powered devices (that have a K9 image) are able to be used as SSH clients however to be enabled as an SSH server you first have to jump through a few hoops:

  1. Configure a hostname on the device (if you haven’t already!)
  2. Configure a domain name on the device
  3. Generate the RSA key pairs for the device (which is why you needed steps 1 & 2)
  4. Create a local username/password to authenticate the SSH users (or set up some other AAA server)

As default IOS will enable SSH version 1 when you enable SSH, unfortunately this older version of SSH is known to have its fair share of bugs and therefore Cisco recommend that you enable SSHv2.

Below is an example of how to enable SSH on a router:

Router(config)#hostname R1
R1(config)#ip domain-name CCIELAB
R1(config)#crypto key generate rsa
The name for the keys will be: R1.CCIELAB
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
*Nov 21 22:52:51.131: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#username david secret p4ssw0rd
R1(config)#
## Now enable SSHv2 ##
R1(config)#ip ssh version 2

Implement 802.1x

802.1x or Dot1x is a feature that can be used on switches in order to secure switchports from unauthorised use.

Whilst not usually use in server facing or secure ports it would be considered useful in public ports or ports that are not in a secure area.

When a switchport is in an unauthorised state the only traffic that is allowed to pass over it is EAPOL (used for the dot1x authentication), CDP and STP. Once the port has fully authenticated other traffic will be allowed as normal.

Switches utilise a protocol called EAPOL to communicate with the end-user device and then a protocol such as RADIUS to speak to the central authentication server.

Ports can be in a number of different ‘modes’ in terms of dot1x:

  • force-authorized ? disables 802.1x authentication and causes the port to change to the authorised state without any authentication exchange required. The port sends and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.

  • force-unauthorized ? causes the port to remain in the unauthorised state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.

  • auto ? enables 802.1x authentication and causes the port to begin in the unauthorised state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address

There are several steps that are needed in order to rollout dot1x, below is a config excerpt (the below assumes you have already configured your RADIUS server):

SW1(config)#aaa new-model
SW1(config)#aaa authentication dot1x default group radius
SW1(config)#dot1x system-auth-control
SW1(config)#
SW1(config)#interface Fa0/1
SW1(config)#dot1x port-control auto

As default all ports are in the force-authorized unless otherwise instructed by the per-interface config (above).

There is a lot more information on the nitty gritty of dot1x and the many other features that it contains (such as dynamic VLAN assignment) over on the Cisco documentation website here.

Implement NAT

In NAT addresses are considered Global or Local:

  • Global – seen on outside network
  • Local – seen on local network

In NAT when you are looking at translation tables etc you need to know and understand the following address types:

  • Inside Local – Address assigned to a host inside the network (usually an RFC1918 address)
  • Inside Global – Non-private address that represents the inside host
  • Outside Local – IP address of an outside host as it appears on the inside network
  • Outside Global – IP address assigned to a host on the outside network

In the CCIE Written exam we do not need to know a LOT of detail about NAT or any of the very complex solutions it can create, we only need to know about static NAT translations (which are by far the easiest!).

When configuring NAT you define the interfaces that are classed as ‘inside’ and ‘outside’, this is so that when you configure the actual translations the IOS NAT engine knows which addresses to translate and in which direction etc.

R2(config)#int f0/0
R2(config-if)#ip nat inside  ## Define the 'inside' interface
R2(config-if)#int s1/0
R2(config-if)#ip nat outside  ## Define the 'outside' interface
R2(config-if)#exit
R2(config)#ip nat inside source static 10.10.1.1 172.16.1.1  ## Configured so that 10.10.1.1 appears as 172.16.1.1 to the outside world
R2(config)#end
R2#sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.1.1         10.10.1.1          ---                ---

Port address translation (PAT)

PAT is used because lets face it, there are a lot more private hosts that need internet access than there actually are public IP’s.

If you were just using regular NAT then for each inside host that needed external access you would need a public IP. This kind of negates the main functionality of NAT (conserving IP space).

Instead of just translating the IP addresses to/from global addresses PAT also uses port numbers and then keeps a state table to know which port on the external facing interface matches up to which port on an internal host. This way multiple hosts can appear to come from the same IP address.

PAT is configured by using the ‘overload’ keyword when configuring NAT but as mentioned above is not needed/used in the CCIE written exam.

6 thoughts on “Security super notes – CCIE Written

  1. my friend i have a problem and i need some help , i have 2951 ISR but i cant configure encryption router has UniversalK9 IOS and i cant find any other ios that will support crypto map ? can you help me ?

    if you have an answare please inform me @ [email protected]

    BR Artan Vitia

    • The 2951 is an ISR G2 and therefore has a universal IOS that then has features activated according to the license that you have for it.

      Take a look at the ‘show version’ and see what license is listed, for crypto you will need something like the security license.

  2. Pingback: Micellaneous Notes « dtechquest

  3. Pingback: Cisco IOS Based Firewall « dtechquest

  4. Pingback: Implement Access Lists « dtechquest

Leave a Reply

Your email address will not be published.