CCIE Security Techtorial

TECCCIE-3001

TECCCIE-3001_c2

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Agenda
Section

Topic

CCIE Program Overview

CCIE Security Overview

Core Knowledge Section Overview

Implement secure networks using Cisco ASA Firewalls

Implement secure networks using Cisco IOS Firewalls

Implement secure networks using Cisco VPN solutions

Configure Cisco IPS to mitigate network threats

Implement Identity Management

Implement Control Plane & Management Plane Security

10

Configure Advanced Security

11

Identify and Mitigate Network Attacks

12

Preparation Resources and Test-Taking Tips

Disclaimer
Not all the topics discussed today appear on
every exam
For time reasons, were unable to discuss every
feature and topic possible on the exam

Section 1
CCIE Program Overview

CCIEs Worldwide
Most highly respected IT certification for more than 15 years
Industryy standard for validating
g expert
p skills and experience
p
More than 20,000 CCIEs worldwideless than 3% of all
professionals certified by Cisco
Demonstrate strong commitment and investment
to networking career, life-long learning, and
dedication to remaining an active CCIE

New Certification Logos

https://cisco.hosted.jivesoftware.com/docs/DOC-3813
The Learning@Cisco organization is pleased to
introduce new logos for its Cisco Career Certification
Program.
The logos were designed with input from the Cisco
certified community, and represent the prestige and
dedication defined by the program.
Effective January 12, 2009, all certificates and plaques
include the new logos
logos.
Certified individuals can access and download the
logos by logging into the Certifications Tracking System
at: www.cisco.com/go/certifications/login

New Certification Logos

Overview: CCIE Tracks

Routing and
Switching

Security

Voice

Introduced 2002

Introduced 2003

Core networking cert

13% off bookings

b ki

16% off bookings

b ki

64% of all bookings

Labs in Beijing, Hong Kong,

Brussels, RTP, San Jose,
Sydney, Dubai, Bangalore
and Tokyo

Labs in Brussels, San

Jose, RTP, Sydney and
Tokyo

Labs in all regions, all

worldwide locations

Storage Networking
Introduced 2004
1% of bookings
Labs in Brussels and RTP

Service Provider
Networks
Introduced 2002
6% of bookings
Labs in Brussels, Beijing,
Hong Kong, RTP, Sao
Paulo, Sydney

Wireless
Introduced 2009
Labs in Brussels and San
Jose

Available in Six Technical Specialties

CCIE Information Worldwide

Total of Worldwide CCIEs: 19,134*
Total of Routing and Switching CCIEs:

16,727

Total of Security CCIEs:

2,147

Total of Service Provider CCIEs:

1,182

Total of Storage Networking CCIEs:

140

Total of Voice CCIEs:

901

Multiple Certifications
Many CCIEs Have Gone on to Pass the Certification
Exams In Additional Tracks,
Tracks Becoming a Multiple
Multiple
CCIE. Below Are Selected Statistics on CCIEs Who
Are Certified in More Than One Track

*Updated 23-Feb-2009

Total with Multiple Certifications

Worldwide:

1,974

Total of Routing and Switching and

Security CCIEs:

739

Total of Routing and Switching and

Service Provider CCIEs:

496

Total of Routing and Switching and

Storage Networking CCIEs:

35

Total of Routing and Switching and Voice

258
CCIEs:
Total with 3 or More Certifications

316

http://www.cisco.com/web/learning/le3/ccie/certified_ccies/worldwide.html

CCIE Exam Development Process

Input Sought From:
Cisco Business Units/
Technology Groups
Cisco Standard Architectures
(AVVID, SAFE)

Reaching out to Extended

Team Ensures Exam Is Realistic
and Relevant

Advisory Subject
Matter Experts
Technical Support
TAC Cases
Technical Bulletins, Best
Practices, Whitepapers

Feedback:
Input:

CCIE [Track]
Program
Manager

Enterprise Technical
Advisory Board
Focus Groups/Customer
Sessions
CCIE Field Surveys

Exam Objectives
and CCIE Written and
Lab Blueprints

Content
Advisory
Group

CCIE
Program
Team

Certification Process
CCIEs must pass two exams
The written qualification exam has
100 multiple-choice questions
The lab exam is what makes CCIE
different. The full-day, hands-on lab
exam tests the ability to configure
and troubleshoot equipment
Not all lab exams are offered at all
lab locations

Step 1: CCIE Written Exam: #350-018

Available worldwide at any Pearson VUE testing facility for ~$350
USD. Costs may vary due to exchange rates and local taxes
(VAT GST)
(VAT,
Two-hour exam with 100 multiple-choice questions
Closed book; no outside reference materials allowed
Pass/fail results are available immediately following the exam;
the passing score is set by statistical analysis and is subject to
periodic change
Waiting
W iti period
i d off fifive calendar
l d d
days tto retake
t k th
the exam
Candidates who pass a CCIE written exam must wait a minimum
of six months before taking the same number exam
From passing written, candidate must take first lab exam attempt
within 18 months
No skip-question functionality

Step 2: CCIE Lab Exam

Available in select Cisco locations for $1,400 USD,
adjusted for exchange rates and local taxes where
applicable, not including travel and lodging
Eight-hour exam requires working configurations and
troubleshooting to demonstrate expertise
Cisco documentation available via Cisco Web; no
personal materials of any kind allowed in lab
Minimum score of 80% to pass
Scores can be viewed normally online within 48 hours
and failing score reports indicate areas where
additional study may be useful

Section 2
CCIE Security Overview

CCIE Security Overview

Security is one of the fastest-growing areas in
the industry
Information security is on top agenda to all
organizations
There is an ever-growing demand for Security
professionals in the industry
The CCIE Security certification was introduced in 2002
and has evolved into one of the industrys most
respected high-level security certifications
Just around 2,200 CCIE Security worldwide

Market and Job Specialization

Companies are dedicating job roles
now and expecting to increase the
trend within 5 years

Voice
From 40% now to 69% in 5 years

Security
Growth

Security
From 46% dedicated now to 80%
in 5 years

Advanced Technology Market Growth

Voice

Wireless
From 39% now to 66% in 5 years
2008 Worldwide Survey by Forrester Consulting on Behalf of Cisco

Wireless

Time

CCIE Security Written Exam

CCIE Security Written Exam

Covers networking theory related to:
General Networking
Security Protocols
Application Protocols
Security Technologies
Cisco Security Appliances and Apps
Cisco Security Management
Cisco Security General
Security Solutions
Security General

Lays foundation for Security lab exam

v2.0

CCIE Security Written Exam

v2.0

The CCIE Security v2.0 written exam strengthens

coverage of technologies critical to highly-secure
enterprise networks
Topics such as ASA, IPS, NAC/ATD, CS-MARS, IPv6,
security policies and standards are added to test
candidates on the security technologies and best
practices in use today
Note: Candidates who have passed v2
v2.0
0 written exam
can schedule their Lab for v3.0. There is no additional
requirement to schedule v3.0 lab exam.

Security Written Exam:

Sample Question 1
Which Is a Benefit of Implementing RFC-2827?
A. Prevents DoS attacks based on ARP spoofing
B Prevents DoS attacks based on IP source spoofing
B.
C. Prevents DoS attacks based on MAC spoofing
D. Prevents leaking of Private Internet address space
E. Prevents leaking of Special-Use IPv4 Addresses

Answer is B

Security Written Exam:

Sample Question 2
Which One of the Secure Access Methods Below Can
CS-MARS Use to Get Configuration Information from
an Adaptive Security Appliance (ASA)?
A SSH
A.
B. SFTP
C. SCP
D. SSL
E. HTTPS

Answer is A

New v3.0

CCIE Security Lab Exam

CCIE Security Lab Exam

Candidates build a secure network to a series of
supplied specifications
The point values for each question are shown on
the exam
Some questions depend upon completion of previous
parts of the network
Report any suspected equipment issues to the proctor
as soon as possible; adjustments cannot be made once
the exam is over

Security Lab Exam: Locations

RTP

Beijing
Tokyo

Brussels

Hong Kong

San Jose
Sydney

Dubai

Bangalore

Nine Worldwide CCIE Lab Locations for Security

Security Lab Exam: Changes

New v3.0

The CCIE Security Lab exam content was revised and

implemented worldwide on 20th April 2009, to include
some of the current trends and technologies in the
security industry
New topics and hardware and software upgrades have
been introduced
End-of-Life devices were also removed;
PIX500 and
d VPN3000 were removed
d
Routers were replaced with ISR series models
Catalyst 3550 Switches were replaced with 3560

Security Lab Exam: Equipment

and Software Versions

New v3.0

Lab May Test Any Feature That Can Be

Configured on the Equipment and Cisco IOS
Versions Listed Below, or on the CCIE Website;
More Recent Versions May Be Installed in the
Lab, But You Wont Be Tested on Them
Cisco Integrated Services Routers (ISR) series running
Cisco IOS version 12.4T
Cisco Catalyst 3560 series switches running 12.2SE
Cisco ASA 5500 series Firewalls running version 8.x
Cisco IPS 4240 Appliance Sensor running version 6.x
Cisco Secure ACS version 4.1
Test PC for Testing and Troubleshooting
Candidate PC for rack access

Security Lab Exam: Blueprint

New v3.0

1. Implement secure networks using Cisco ASA

Firewalls
2. Implement secure networks using Cisco IOS Firewalls
3. Implement secure networks using Cisco VPN
solutions
4. Configure Cisco IPS to mitigate network threats
5 Implement Identity Management solutions
5.
6. Implement Control Plane & Management Plane
Security
7. Configure Advanced IOS Security
8. Identify and Mitigate Network Attacks

Security Lab Exam: Pre-Configuration

The Routers and Switches in Your Topology Are
Preconfigured With:
Basic IP addressing, hostname, passwords
Switching: Trunking, VTP, VLANs
WAN: Frame Relay DLCI mappings, HDLC, PPP
Routing: OSPF, RIP, EIGRP, BGP
All pre-configured passwords are cisco
Occasionally, security devices may also have some
pre-configuration. If not, candidate is required to
initialize all security devices
Do Not Change Any Pre-Configuration on Any
Devices Unless Explicitly Stated in a Question

Security Lab Exam: Sample Topology

Context 1

Context 2

BB1

BB2

ACS

ASA Multi-Context
with Failover

vs0
vs1

BB3

FR

PPP

TEST PC

Security Lab Exam: Rack and PC Access

CCIE Lab
Central Location

CCIE Lab
Remote Location
Remote GW
Router

Rack
CommSrv

Central GW
Router
Cisco
Intranet

CCIE
BB

Candidate PC

BB1

BB2

NIC1
NIC2

ACS

TEST PC
Remote Desktop Enabled on NIC1

Security Lab Exam:

The Equipment in Rack
The equipment on the rack assigned to you is
physically cabled and should not be tampered with.
Before starting the exam, confirm working order of all
devices in your rack
During the exam, if any device is locked or inaccessible
for any reason, you must recover it
When finishing the exam, ensure all devices are
accessible for the grading proctor
proctor. Any devices that are
not accessible for grading; can not be marked and may
cause you to lose substantial points

Security Lab Exam: Grading

Proctors grade all lab exams
Automatic tools aid proctors with simple grading tasks
Automatic tools are never solely responsible for lab
exam gradingproctors are
Proctors complete grading of the exam and submits the
final score within 48 hours
No Partial credit awarded on questions
Points are awarded for working solutions only
Some questions have multiple solutions

Summary
Topics Covered in the Exam:
1. Firewalls (ASA and IOSFW)
2 VPNs
2.
3. Intrusion protection
4. Identity authentication
5. Router plane protection
6. Advanced IOS security technologies
7. Mitigation techniques to respond to network attacks

Section 3
Core Knowledge Section Overview

Core Knowledge SectionOverview

Cisco CCIE team has implemented a new type of
question format to the CCIE Security Lab exam called
Core Knowledge Section a.k.a. Interview Section.
In addition to the live configuration scenarios,
candidates will be asked a series of open-ended shortanswer questions, covered from the lab exam blueprint.
No new topics are being added.
The new short-answer questions will be randomly
selected for each candidate every day

Core Knowledge SectionWhy

Why Are You Adding Short-Answer Questions to
the CCIE Lab Exam?
One of the primary goals to introduce the new Core
K
Knowledge
l d S
Section
ti iis maintain
i t i exam security
it and
d
integrity and ensure only qualified candidates achieve
certification.
The questions will be designed to validate concepts,
theory, architecture and fundamental knowledge of
products and protocols.

Core Knowledge SectionFormat

Candidates will be asked four open-ended questions,
computer-delivered, drawn from a pool of questions
based on the material covered on the lab exam
blueprint.
Core Knowledge section format will not be multiplechoice type questions.
Candidates will be required to type out their answers,
which typically require five words or less
less.
Candidates cannot use Cisco Documentation.
No changes are being made to the lab exam blueprint
or to the length of the lab exam.

Core Knowledge SectionTime

Candidates are allowed a maximum of 30 minutes to
complete the questions. The 30 minutes is inclusive in
the total length of the lab exam.
The total length of the CCIE lab exam will remain eight
hours.
Well-prepared candidates should be able to answer the
questions in 15 minutes or less and move immediately
to the configuration section
section.

Core Knowledge SectionScoring

The Core Knowledge section is scored Pass/Fail and
every candidate will be required to pass in order to
achieve CCIE certification.
A candidate must answer at least three of the four
short-answer questions correctly to Pass the Core
Knowledge section, which will be indicated with a 100%
mark on the score report.
If a candidate answers fewer than three correctly,
correctly the
Core Knowledge section will be marked 0%, indicating
a Fail. A 0% does not necessarily indicate the
candidate answered all the questions incorrectly.

Core Knowledge SectionSample Q1

SA

Header 1
Header
SA
2 Header

Initiator

Nonce Key Header 3

4 Header Key Header
Nonce

Responder

Sig [Cert] ID Header 5

Header
Sig
6 Header ID [Cert]

MSG 1:

Initiator offers acceptable encryption and authentication algorithms (3DES,

MD5, RSA)i.e. the transform-set

MSG 2:

Responder presents acceptance of the proposal (or not)

MSG 3:

Initiator Diffie Helman key and nounce (key value is usually a number of 1024
bit length)
l
th)

MSG 4:

Responder Diffie Helman key and nounce

MSG 5:

Initiator signature, ID and keys (maybe cert), i.e. authentication data

MSG 6:

Responder signature, ID and keys (maybe cert)

Which ISAKMP mode is shown above?

Answer = Main Mode

Core Knowledge SectionSample Q2

Conditions for IPS signature to fire:
Version: IPv4

Hacker

Protocol: TCP

Port Destination: 21

String:CWD~root

@IP Dest. 10.0.0.1

Dest Port: 21
first Segment TCP

@IP Dest. 10.0.0.1

Dest Port: 21
sec Segment TCP

Yyy~ryyy

@IP Dest. 10.0.0.1

Dest: 21
last Segment TCP

yyyootzzz

xxxCWDyyy

Fire alarm if packet is an IPv4 TCP packet destined for port 21

and contains the string CWD~root

Target

FTP
server
@IP
10.0.0.1

Which type of pattern matching must be used to mitigate

this multi-vector attack?
Answer = Stateful Pattern Matching

Section 4
Implement Secure Networks Using
Cisco ASA Firewalls

Exam Objectives

Perform basic firewall Initialization

Configure device management
C fi
Configure
address
dd
ttranslation
l ti ((nat,
t global,
l b l static)
t ti )
Configure ACLs
Configure IP routing
Configure object groups
Configure VLANs
Configure filtering
Configure failover
Configure Layer 2 Transparent Firewall
Configure security contexts (virtual firewall)
Configure Modular Policy Framework
Configure Application-Aware Inspection
Configure high availability solutions
Configure QoS policies

FirewallDefined
A firewall is a security device which is configured to
permit, deny or proxy data connections set by the
organization's
i ti ' security
it policy.
li
Fi
Firewalls
ll can either
ith b
be
hardware or software based
A firewall's basic task is to control traffic between computer
networks with different zones of trust
Todays firewalls combine multilayer stateful packet
inspection and multiprotocol application inspection
Virtual Private Network (VPN) services and Intrusion
Prevention Services (IPS) have been combined with the
firewall inspection engine(s)
Despite these enhancements, the primary role of the firewall
is to enforce security policy
Source: Wikipedia (www.wikipedia.com)

Cisco ASA Firewall

Basic Overview

Firewall DesignModes of Operation

There Are a Variety of Choices When Designing a
Firewall Deployment
Routed Mode
Is the traditional mode of the firewall that acts as a routed hop and acts
as a default gateway for hosts that connect to one of its screened
subnets. Two or more interfaces that separate L3 domains.

Transparent Mode
Is where the firewall acts as a bridge functioning mostly at Layer2, that
acts like a "bump in the wire," or a "stealth firewall," and is not seen as a
p to connected devices
router hop

Single Mode
Is the regular basic firewall

Multi-context Mode
Involves the use of virtual firewalls (security contexts)

Interface and Security Levels

Inside Interface always has a security level of 100.
Most Secure level
Outside Interface always has a security level of 0.
Least Secure level
Multiple perimeter networks can exist. Use DMZ
Interface. Security levels between 199

Initializing Cisco ASA

Firewall Mode (Router vs. Transparent)
Single vs.
vs Multiple Context
Enable/Allocate interfaces
Assign IP address for each active Interface
Un-shut Interfaces
Configure Address Translation (optional)
Configure Static/Dynamic Routing

VLAN Interface
Virtual LANs (VLANs) are used to create separate
broadcast domains within a single switched network
You can configure multiple logical interfaces on a single
physical interface and assign each logical interface to a
specific VLAN
ASA supports 802.1q, allowing it to send and receive
traffic for multiple VLANs on a single interface

Routing Protocols
ASA supports RIP, OSPF and EIGRP routing protocols
Practice clear text and MD5 authentication
Practice route filtering and summarization for protocols
Running multiple routing protocols concurrently on the
same Firewall is now supported
Routing protocol in multi-context mode is not
supported use static routes instead
supported,

Address Translation
Subject to NAT-Control
Dynamic translations are built using:
Network Address Translation (NAT)
(one-to-one mapping)
or
Port Address Translation (PAT)
(many-to-one mapping)

Static translations are built using:

St ti command
Static
d
(create permanent mapping between a local
IP address and a global IP address)

Policy NAT
Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses (or ports) in an access list
Regular NAT uses source addresses/ports only,
whereas policy NAT uses both source and destination
addresses/ports
With policy NAT, you can create multiple static
statements that identify the same local address as long
as the source/port and destination/port combination is
unique for each statement
Use an access list with the static command to enable
policy NAT

Object Grouping
Used for simplifying complex access control policies.
Object grouping provides a way to reduce the number
of access rule entries required to describe complex
security policies
Following types of objects:
Protocolgroup of IP protocols. It can be one of the following
keywords; icmp, ip, tcp, or udp, or an integer in the range 1 to
254 representing an IP protocol number. To match any Internet
protocol including ICMP,
protocol,
ICMP TCP,
TCP and UDP,
UDP use the keyword ip
ip.
Servicegroup of TCP or UDP port numbers assigned to
different services
icmp-typegroup of ICMP message types to which you
permit or deny access
Networkgroup of hosts or subnets

Basic Feature Summary:

Practice Them All
Address Translation

AAA

Source/Destination NAT

Object
j
Grouping
p g

VLAN

DHCP

RIP

PPPoE

OSPF

URL Filtering

EIGRP

IDS

Syslog

SSH

Failover

SNMP

TCP Intercept

NTP

Java Filtering

Packet Capture

ActiveX Filtering

Packet Tracer

Cisco ASA Firewall

Advanced Features

Advanced FeaturesImportant
1. Virtual Firewall (Security Contexts)
2 Transparent Firewall
2.
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control

Advanced FeaturesImportant
1. Virtual Firewall (Security Contexts)
2 Transparent Firewall
2.
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control

Virtual Firewall
Virtualization provides a way to create multiple
firewalls in the same physical chassis
Virtual Firewallwhen a single Firewall device
can support multiple contexts
A context defines connected networks and the
policies that the Firewall enforces

Virtual FW allows a device to

enforce many (up to 100s) policies
between different networks
Virtualization is a licensed feature

Virtual Firewall on ASA

Context = a virtual firewall
All virtualized firewalls must define a System
y
context and an Admin
context at a minimum
Admin context:
Remote root access
and access to all
contexts

Virtual Firewall
contexts

A
Admin

(mandatory)

C
System context:
Physical ports assigned

There is no policy inheritance between contexts

The system space uses the admin context for network connectivity;
system space creates other contexts

Virtual Firewall:
Multiple Security Context
Configuration
Changing single mode to Multiple Mode:
mode {single | multiple}

To Show system or Context information:

From the system execution space:
show context [[name] [detail] | count]
From a context execution space:
show context [detail]

To specify contexts configuration file:

config-url url
Where URL can be flash/Disk/ftp server/http server

T allocate
To
ll
t physical/VLAN
h i l/VLAN interfaces
i t f
to
t the
th contexts
t t
context {context name}
allocate-interface Ethernet0
allocate-interface Ethernet1

Accessing the contexts:

changeto {system | context name}
context [name] - Changes to the context with the specified name.
system - Changes to the system execution space.

Virtual Firewall:
Multiple Security Context
Sample Configuration: System Context
hostname ASA
enable password cisco
no mac-address auto
!
interface Ethernet0/0
speed auto
duplex auto
!
interface Ethernet0/0.30
vlan 30
!
interface Ethernet0/0.40
vlan 40
!
interface Ethernet0/1
speed auto
duplex auto
!
interface Ethernet0/2
speed auto
duplex auto
!

admin-context admin
!
context admin
allocate-interface Ethernet0/0
config-url flash:/admin.cfg
!
context custA
allocate-interface Ethernet0/0.30
allocate-interface Ethernet0/1
config-url flash:custA.cfg
!
context custB
allocate-interface Ethernet0/0.40
allocate-interface Ethernet0/2
config-url flash:custB.cfg

System Context
The context is not operational until the
config-url command has been entered.

Virtual Firewall:
Multiple Security Context
Inside a Context
Context CustA
ASA# changeto context custA
ASA/
ASA/custA#
tA# show
h
run
<..>
hostname custA
enable password cisco
!
interface Ethernet0/0.30
nameif outside
security-level 0
ip address 172.16.30.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ASA/custA# changeto system
ASA#

Context CustB
ASA/custA# changeto context custB
ASA/
ASA/custB#
tB# show
h
run
<..>
hostname custB
enable password cisco
!
interface Ethernet0/0.40
nameif outside
security-level 0
ip address 172.16.40.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ASA/custB# changeto system
ASA#

Advanced FeaturesImportant
1. Virtual Firewall (Security Contexts)
2 Transparent Firewall
2.
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control

Transparent Firewall Mode (L2 Firewall)

Transparent Firewalls have the capability of operating
at layer 2same level as a bridge
This Firewall is transparent to the data
IP addresses (the network) on either side of the
Firewall are the same
Same subnet exists on inside and outside, different
VLANs on inside and outside
NAT is now supported in Transparent Firewall (v8.0 on
the ASA)
VPN traffic terminating on the firewall is not supported
with the exception of management traffic ONLY

Transparent Firewall
Backbone

9 HSRP, VRRP, GLBP

Router
10.1.1.2
Vlan 20

10.1.1.2

224.0.0.x

9 OSPF, EIGRP, RIP, etc.

OK if ACL
permits

9 PIM, multicast traffic

9 BPDUs, IPX, MPLS

Vlan 30
10.1.1.3
Router

Routers can establish routing protocols adjacencies through the firewall

Protocols such as HSRP, VRRP, GLBP can cross the firewall
Multicast streams can also traverse the firewall
Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

Transparent Firewall
Sample Configuration
ciscoasa# show firewall
Firewall mode: Router
ciscoasa(config)# firewall transparent
Switched to transparent mode
ciscoasa(config)# ip address 10.1.1.254 255.255.255.0
ciscoasa(config)# interface Ethernet0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shut
ciscoasa(config)# interface Ethernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# access-list 101 permit icmp any any
ciscoasa(config)# access-group 101 in interface outside

Advanced FeaturesImportant
1. Virtual Firewall (Security Contexts)
2 Transparent Firewall
2.
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control

New HA FeatureInterface Redundancy

Compatible with all firewall
modes (routed/transparent and
single/multiple) and all HA
deployments (A/A and A/S)
When the active physical
interface fails, traffic fails to the
standby physical interface and
routing adjacencies,
connection, and auth state
wont need to be relearned.
Feature available on ASA5510
and above.
Sub-interfaces (dot1q) need to
be built on top of the logical
redundant interface, not
physical member interfaces.

interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface Redundant1.4
vlan 4
nameif inside
security-level 100
ip address 172.16.10.1 255.255.255.0
!
interface Redundant1.10
vlan 10
nameif outside
security-level 0
ip address 172.16.50.10 255.255.255.0

New HA FeatureRoute Tracking

Method for tracking the availability of static routes with the ability to
install a backup route should the primary route fail
Commonly used for static default routes, often in a dual ISP
environment
Uses ICMP echo replies to monitor the availability of a target host,
usually the next hop gateway
Can only be used in single routed mode
asa(config)# sla monitor 1234
asa(config-sla-monitor)# type echo protocol ipIcmpEcho
10.1.1.1 interface outside
asa(config-sla-monitor-echo)# frequency 3
asa(config)# sla monitor 1234 life forever start-time now
asa(config)# track 1 rtr 1234 reachability
asa(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1

Firewall HA Failover: Basics

Active/standby vs.
primary/ secondary
Stateful failover (optional)
A failover only occurs
when either FW
determines the standby
FW is healthier than the
active FW
Both FWs swap MAC and
IP addresses when a
failover occurs
Level 1 syslogs will give
reason of failover

Stateful

LAN FO

Active
Unit

Standby
Unit

Firewall HAActive/Standby FO
Supported on all ASA models
ASA only supports
LAN Based failover (no
serial cable).
Both platforms must be
identical in software,
licensing, memory and
interfaces
Not recommended to share
the state and failover link, use
a dedicated link for each
Preferably these cables will
be connected into the same
switch with no hosts
Not recommended to use a
direct connection between
firewalls (i.e. straight through
or X-over)

Firewall HA: Active/Active FO

Supported on all
platforms except the
ASA5505
Requires virtualization
(multi-context) which
requires additional
licensing
contexts

Use FO Group command

Requires
q
FO ((AA)) or
UR license
No load-balancing
or load-sharing
support today

Firewall HA: A/A Failover with

Asymmetric Routing Support
A/A ASR mode adds support
for asymmetric traffic flows
though an A/A system.
system

Internet

ISP-A

.1
Logical1-A

.4
Logical2-S

.1

ISP-B

A/A ASR is enabled by adding

multiple A/A units to the same
ASR Group.

.2

If traffic returns via ISP-B

which does not contain state
info so packets are forwarded
to the other member of the
ASR group

Logical1-S

.4

.3
Logical2-A

.2

Inside Network B-1

.3

Inside Network B-2

Inside
Network

Advanced FeaturesImportant
1. Virtual Firewall (Security Contexts)
2 Transparent Firewall
2.
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. No NAT-Control

Modular Policy Framework (MPF)

All of My Flows Were Treated Pretty Much the Same

Rules

Inside

Outside

Granular and Flexible Policies

Rules

Rules about
HTTP Rules about
FTP

Modular Policy Framework (MPF)

There is a growing need to provide greater granularity
and flexibility in configuring network policies
For example, the ability to include destination IP
address as one of the criteria to identify traffic for
Network Address Translation, or the ability to create
a timeout configuration that is specific to a particular
TCP application, as opposed to the current timeout
scheme which applies a timeout value to all TCP
applications, etc.
MPF provides the tools to meet these specific needs

Modular Policy Framework (MPF)

MPF features are derived from QoS as implemented in
Cisco IOS; not all features have been carried across though
MPF is built on three related CLI commands
class-mapThis command identifies the traffic that needs a specific
type of control. Class-maps have specific names which tie them into the
policy-map
policy-mapThis command describes the actions to be taken on the
traffic described in the class-map. Class-maps are listed by name under
the appropriate policy-map. Policy-maps have specific names too which
tie
i them
h
iinto the
h service-policy
i
li
service-policyThis command describes where the traffic should be
intercepted for control. Only one service-policy can exist per interface.
An additional service-policy, global-service-policy, is defined for
traffic and general policy application. This policy applies to traffic on
all interfaces

Modular Policy Framework (MPF)

Understand how show service-policy command works
Example shows using the flow keyword; the policies
that the ASA would apply to that flow. You can use this
to check that your service policy configuration will
provide the services you want for specific connections.
ASA1# show service-policy flow tcp host 0.0.0.0 host YY.YY.1.1 eq 80
Global policy:
Service-policy: global_policy
Class-map: WebServer
Match: access-list WebServer
Access rule: permit tcp any host YY.YY.1.1 eq www
Action:
Input flow: set connection embryonic-conn-max 100 per-client-max 5

Advanced FeaturesImportant
1. Virtual Firewall (Security Contexts)
2 Transparent Firewall
2.
3. Firewall High Availability (HA)
4. Modular Policy Framework (MPF)
5. Application Firewall
6. NAT-Control

NAT Control
The security appliance has always been a device
supporting, even requiring Network Address Translation
(NAT) for
f maximum
i
flexibility
fl ibilit and
d security.
it
Introduced in v7.0 is NAT as an option. Specifying NATCONTROL specifies the requirement to use NAT for outside
communications
To enable NAT control, use the nat-control command in
global configuration mode
To disable NAT control, which allows inside hosts to
communicate with outside networks without configuring a
NAT rule, use the command, no nat-control in global
configuration mode
By default, NAT control is disabled

NAT Control
Syntax
nat-control

Configuration
The nat-control statement is valid in routed firewall
mode and in single and multiple security context mode.
No new NAT functionality is provided with this feature.
All existing NAT functionality remains the same.

NAT Control
Consider NAT-CONTROL (v6.3 behavior)
All traffic leaving a firewall from a higher to lower security
interface requires a NAT/GLOBAL pair
All traffic entering a firewall from a lower to higher security
requires a STATIC/ACCESS-LIST pair
All other traffic is dropped

Consider NO NAT-CONTROL (v7.0 behavior)

All ttraffic
ffi leaving
l
i a firewall
fi
ll from
f
a higher
hi h tto lower
l
security
it
interface moves freely
All traffic entering a firewall from a lower to higher security only
requires an ACCESS-LIST
NAT/GLOBAL pairs are needed only for traffic requiring
address translation

Troubleshooting Firewall

Firewall Troubleshooting Tools

Understanding the packet flow
Syslog
Debug commands
Show commands
Packet capture

Understanding the Packet Flow

To effectively troubleshoot a problem, one must first
understand the packet path through the network
Attempt to isolate the problem down to a single device
Then perform a systematic walk of the packet path
through the device to determine where the problem
could be
For problems relating to the ASA, always:
Determine the flow: SRC IP, DST IP, SRC port, DST port,
and protocol
Determine the interfaces through which the flow passes
Note: All Firewall Issues Can Be Simplified to Two Interfaces (Ingress and Egress)
and the Rules Tied to Both

Packet Processing Flow Diagram

1

Recv
Pkt

Ingress
Interface

3
Existing No
Conn
Y
Yes

ACL
Permit

Match
xlate
Yes

Receive Packet
Ingress Interface
Existing Connection?
y Inbound ACL
Permit by
on Interface?
5. Match Translation Rule
(NAT, Static)
6. NAT Embedded IP and
Perform Security Checks/
Randomize Sequence Number
7. NAT IP Header
8. Pass Packet to Outgoing
Interface
9. Layer 3 Route Lookup?
10. Layer 2 Next Hop?
11. Transmit Packet

No

Yes
5

1.
2.
3.
4.

D
Drop
No
Drop

L7 NAT No
Sec
Checks
Drop

Once the Device and

Flow Have Been
Identified, Walk the Path
of the Packet Through
the Device

NAT IP
Header

Egress
Egress
Interface
Interface

Yes 10 L2
L3
Route
Addr

No
Drop

No
Drop

Yes 11 Xmit
Pkt

Translation and NAT Order of Operations

First Mattch

1.

nat 0 access-list (nat-exempt)

2.

Match existing xlates

3.

4.

Match static commands (first match)

a.

Static NAT with and without access-list

b.

Static PAT with and without access-list

Match nat commands

a.

nat <id> access-list (first match)

b.

nat <id> <address> <mask> (best match)

i.

If the ID is 0, create an identity xlate

ii.

Use global pool for dynamic NAT

iii.

Use global pool for dynamic PAT

Syslog
Three different syslog destinations:
TrapSyslog
Trap
Syslog server
ConsoleSerial console port
MonitorTelnet sessions

Log Host defines ASA interface, IP address, protocol

and port for syslog server
Syslog standard protocol is UDP, port is 514
Note: ASA supports syslog over TCP (port 514)

Dont forget Logging On to enable syslog

Most common pilot error

Logging Levels and Events

Log
Level

Alert

Event Messages

Emergencies

Not used, only for RFC compliance

Alerts

Mostly failover-related events

Critical

Denied packets/connections

Errors

Warnings

Notifications

Informational

Debugging

AAA failures, CPU/memory issues, routing

issues, some VPN issues
Denied conns due to ACL, IDS events,
fragmentation OSPF errors
fragmentation,
User and Session activity and firewall
configuration changes
ACL logging, AAA events, DHCP activity,
TCP/UDP connection and teardown
Debug events, TCP/UDP request handling,
IPSEC and SSL VPN connection information

Debug ICMP Trace

Network
Ping

Valuable tool used to troubleshoot connectivity issues

Provides interface and translation information to quickly
determine flow
Echo-replies
E h
li mustt b
be explicitly
li itl permitted
itt d th
through
h ACL
Example of debug icmp trace output
ICMP echo-request from inside:10.1.1.2 to 198.133.219.25 ID=3239 seq=4369 length=80
ICMP echo-request: translating inside:10.1.1.2 to outside:209.165.201.22
ICMP echo-reply from outside:198.133.219.25 to 209.165.201.22 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2

Show Traffic
The Show Traffic Command Displays the Traffic
Received and Transmitted out Each Interface of the ASA
fw# show traffic
outside:
received (in 124.650 secs):
295468 packets 167218253 bytes
2370 pkts/sec
1341502 bytes/sec
transmitted (in 124.650 secs):
260901 packets 120467981 bytes
2093 pkts/sec
966449 bytes/sec
<..>
inside:
received (in 124.650 secs):
261478 packets 120145678 bytes
2097 pkts/sec
963864 bytes/sec
transmitted (in 124.650 secs):
294649 packets 167380042 bytes
2363 pkts/sec
1342800 bytes/sec

Show Local-Host
A local-host entry is created for any source IP on a higher security
level interface
It groups the xlates, connections, and AAA information together
Very useful for seeing the connections terminating on servers
fw# show local-host
Interface inside: 1131 active, 2042 maximum active, 0 denied
local host: <10.1.1.9>,
TCP connection count/limit = 1/unlimited
TCP embryonic count = 0
TCP intercept watermark = 50
UDP connection count/limit = 0/unlimited
AAA:
user 'cisco' at 10.1.1.9, authenticated (idle for 00:00:10)
absolute
timeout: 0:05:00
inactivity timeout: 0:00:00
Xlate(s):
Global 172.18.124.69 Local 10.1.1.9
Conn(s):
TCP out 198.133.219.25:80 in 10.1.1.9:11055 idle 0:00:10 Bytes 127 flags UIO

Show Xlate and Show Xlate Debug

show xlate [global|local <ip1[-ip2]> [netmask <mask>]]
[gport |lport <port1[-port2]>] [debug]
fw# show xlate
2 in use, 2381 most used
Global 172.18.124.68 Local 10.1.1.9
PAT Global 172.18.124.65(1024) Local 10.9.9.3(11066)
fw# show xlate debug
2 in use, 2381 most used
Flags:
g
D - DNS, d - dump,
p I - identity,
y i - inside, n - no random,
o - outside, r - portmap, s - static
NAT from inside:10.1.1.9 to outside:172.18.124.68
flags - idle 0:02:03 timeout 3:00:00
TCP PAT from inside:10.9.9.3/11066 to outside:172.18.124.65/1024
flags r idle 0:00:08 timeout 0:00:30

Show Conn and Show Conn Detail

fw# show conn

2 in use, 64511 most used

Idle Time,
Bytes
Transferred

Connection
Flags

TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO
UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags

detail Adds
Interface Names
fw# show conn detail
2 in use, 64511 most used
Flags: A
B
E
G
i
k
P
R
s

awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
outside back connection, F - outside FIN, f - inside FIN,
group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
incomplete, J - GTP, j - GTP data, K - GTP t3-response
Skinny media, M - SMTP data, m - SIP media, O - outbound data,
inside back connection, q - SQL*Net data, R - outside acknowledged FIN,
UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
awaiting outside SYN, T - SIP, t - SIP transient, U - up

TCP outside:198.133.219.25/23 inside:10.9.9.3/11068 flags UO

UDP outside:172.18.124.1/123 inside:10.1.1.9/123 flags -

Connection Flags: Quick Reference

Outbound Connection
TCP Flags

Inbound Connection

FW Flags
saA
A
U
UI
UIO
Uf
UfFR
UfFRr

SYN
SYN+ACK
ACK
Inbound Data
Outbound Data
FIN
FIN+ACK
ACK

Inside

TCP Flags
SYN
SYN+ACK
ACK
Inbound Data
Outbound Data
FIN
FIN+ACK
ACK

Outside

Client

Inside
Server

FW Flags
saAB
aB
UB
UIB
UIOB
UBF
UBfFr
UBfFRr

Outside

Server

Client

Packet Capture
capture <capture-name> [access-list <acl-name>] [buffer <buf-size>]
[ethernet-type <type>] [interface <if-name>] [packet-length <bytes>]

Capture sniffs packets on an interface that match

an ACL
Traffic can be captured both before and after it passes
through the ASA
Key steps:
Create an ACL that will match interesting traffic
Define the capture and bind it to an access-list and interface
View the capture on the ASA, or copy it off in pcap format
Capture In

Capture Out
Inside

Outside

Packet Tracer
packet-tracer input [src-interface] [protocol] [SrcAddr] [SrcPort]
[DstAddr] [DstPort] detailed

Packet-tracer
Packet tracer command was introduced in v7
v7.2
2
In addition to capturing packets, you can trace the
lifespan of a packet through the security appliance to
see whether the packet is operating correctly. This tool
lets you do the following:
Debug all packet drops in a production network.
V if the
Verify
th configuration
fi
ti iis working
ki as iintended.
t d d
Show all rules applicable to a packet, along with the CLI
commands that caused the rule addition.
Show a time line of packet changes in a data path.
Inject tracer packets into the data path.

Packet Tracer (Cont.)

The packet-tracer command provides detailed
information about the packets and how they are
processed by the security appliance.
For example; run packet-tracer to verify NAT translation
for any host accessing web server 198.133.219.25/80,
then the source is translated to YY.YY.5.21.
ASA# packet-tracer input inside tcp 0.0.0.0 1025 198.133.219.25 80
<...>
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list policynat
nat-control
match ip inside 0.0.0.0 255.255.255.255 outside 198.133.219.25 255.255.255.255
dynamic translation to pool 1 (YY.YY.5.21)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.1.1/1025 to YY.YY.5.21/1024 using netmask 255.255.255.255
<...>

Section 5
Implement Secure Networks Using Cisco IOS Firewalls

Exam Objectives

Configure Zone-Based Firewall

Configure CBAC

Configure Layer 2 Transparent Firewall

Configure Flexible Packet Matching

Configure URL Filtering

Configure Audit

Configure Auth Proxy

Configure PAM

Configure access control

Configure performance tuning

Configure advanced IOS Firewall features

Cisco IOS Firewall Overview

Advanced Layer 37 Firewall

Advanced
Firewall

Stateful filtering
Application inspection (Layer 3 through Layer 7)
Application controlApplication Layer Gateway (ALG)
engines with wide range of protocols and applications
Built-in DoS protection capabilities
y
with Virtualization ((VRFs),
)
Supports deployments
transparent mode and stateful failover
IPv6 support
http://www.cisco.com/go/iosfw

Cisco IOS Zone-Based Policy

Firewall (ZFW)

Zone-Based Policy Firewall (ZFW)

Introduced in Cisco IOS v12.4(6)T, where the CBAC model is
being replaced with the new configuration model that uses ZFW
Allows grouping of physical and virtual interfaces into zones
Firewall policies are applied to traffic traversing zones
Simple to add or remove interfaces and integrate into
firewall policy
This new feature was added mainly to overcome the limitations of
the CBAC that was employing stateful inspection policy on an
interface based model.
interface-based
model The limitation was that all traffic passing
through the interface was subject to the same inspection policy,
thereby limiting the granularity and policy enforcement particularly
in scenarios where multiple interfaces existed.
With ZFW, stateful inspection can now be applied on a zone-based
model. Interfaces are assigned to zones, and policy inspection is
applied to traffic moving between zones.

Zone-Based Policy Firewall (ZFW)

Security Zones and Policy
Security Zones establish the security boundaries of the network
where traffic is subjected to policy restrictions as it crosses to
another region within the network.
network
By default, traffic between the zones is blocked unless an explicit
policy dictates the permission.
Private-DMZ
Policy
DMZ-Private
Policy

DMZ Zone

DMZ

Public-DMZ
Policy
Public Zone
Internet

Trusted
Private Zone
Private-Public
Policy

Untrusted

Zone-Based Policy Firewall (ZFW)

Supported Features and New Syntax
Supported Features
Stateful Inspection
Application Inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
URL filtering
Per-policy parameter
Transparent firewall
VRF-aware firewall (Virtual Firewall)

ZFW does not use the classical CBAC ip inspect

command set.
ZFW policies are configured with the new Cisco Policy
Language (CPL), which employs a hierarchical structure to
define inspection for network protocols and the groups of
hosts to which the inspection will be applied.

Zone-Based Policy Firewall (ZFW)

Configuration Example
class-map type inspect match-any services
Define Services
match protocol tcp
Inspected by Policy
!
policy-map type inspect firewall-policy
Configure Firewall Action
class type inspect services
for Traffic
inspect
!
zone security private
zone security public
Define Zones
!
interface fastethernet 0/0
zone-member security private
A i
Assign
IInterfaces
t f
to
t
!
Zones
interface fastethernet 0/1
zone-member security public
!
zone-pair security private-public source private destination public
service-policy type inspect firewall-policy

Establish Zone Pair, and

Apply Policy

Cisco IOS Context-Based Access

Control (CBAC)

CBAC Overview
Cisco router performs traffic filtering, traffic inspection,
sends alerts, and tracks audit trails
Traffic filtering
Protocol filtering based on application-layer session information.
Filters packets originating in sessions from either the protected
or non-protected networks, but only forwards traffic originating
from protected network

Traffic inspection
p
Inspects packets at a firewall interface and manages state
information of TCP/UDP sessions. State information is used to
create temporary openings in access lists to permit return traffic.
Inspection helps prevent DoS attacks

Creating an Inspection Rule

An inspection rule specifies each application-layer
protocol that is to be inspected by CBAC
Typically, only one inspection rule is defined
Inspection rule can be applied to the interface on
an inbound or outbound basis
One inspection rule per interface

CBAC: Configuration Example

Access Control List (ACL) on the outside interface
stops everything
Inspected traffic will open up temporary access for
return traffic
ip inspect name MYFW tcp
ip inspect name MYFW udp
access-list 101 deny ip any any log-input
interface Serial0
description outside
ip access-group 101 in
Unsecured
Network

Internet

interface Serial0
description outside
ip inspect MYFW out

CBAC

s0
ACL
101 Inspect

Secured
Network
e0

Temporary Access Opened to Permit Matching

Return Traffic (Stateful Cisco IOSFW)

Cisco IOS Layer 2 Transparent Firewall

Layer 2 Transparent Firewall

Introduces stealth firewall capability
No IP address associated with firewall (nothing to attack)
p IP subnets
No need to renumber or break up
IOS Router is bridging between the two halves of the network

Use Case: Firewall Between Wireless and Wired LANs

Both wired and wireless segments are in same subnet 192.168.1.0/24
VLAN 1 is the private protected network.
Wireless is not allowed to access wired LAN
192.168.1.3

Wireless
Fa 0/0

Internet
VLAN 1

192.168.1.2

Transparent
Firewall

Layer 2 Transparent Firewall

Configuration Example
Classification:
class-map type inspect match-any protocols
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
Security Policy:
policy-map type inspect firewall-policy
class type inspect protocols
Inspect
Security Zones:
zone security wired
zone security wireless

Cisco IOS URL Filtering

Security Zone Policy:

zone-pair security zone-policy source wired
destination wireless
service-policy
i
li ttype iinspectt fi
firewall-policy
ll li
!
interface VLAN 1
description private interface
bridge-group 1
zone-member security wired
!
interface VLAN2
description public interface
bridge-group 1
zone-member security wireless
Layer2 Configuration:
bridge configuration
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

URL Filtering
Internet Usage Control
Control employee access to entertainment sites during
work hours
Control downloads of objectionable or offensive material,
limit liabilities
Cisco IOS supports static whitelist and blacklist URL filtering
External filtering servers such as Websense, Smartfilter can
be used at the corporate office, with Cisco IOS static lists
p
as backup
Internet
Branch
Office

Web
Surfing

URL Filtering (Web Access Control)

URL Filtering Options
Blocked
Get www.badsites.com
Get www.cisco.com
Get www.badsites.com

Get www.cisco.com

Allowed

Black/white lists
Third-party filter server
N2H2
Websense
SmartFilter

Section 6
Implement Secure Networks Using
Cisco VPN Solutions

Exam Objectives
Configure IPsec LAN-to-LAN (IOS/ASA)
Configure SSL VPN (IOS/ASA)
Configure Dynamic Multipoint VPN (DMVPN)
Configure Group Encrypted Transport (GET) VPN
Configure Easy VPN (IOS/ASA)
Configure CA (PKI)
Configure Remote Access VPN
Configure Cisco Unity Client
Configure Clientless WebVPN
Configure AnyConnect VPN
Configure XAuth, Split-Tunnel, RRI, NAT-T
Configure High Availability
Configure QoS for VPN
Configure GRE, mGRE
Configure L2TP
Configure advanced Cisco VPN features

This Section Is Divided into Six Parts:

1. IPsec
2 Dynamic Multipoint VPN (DMVPN)
2.
3. Group Encrypted Transport (GET) VPN
4. Easy VPN
5. SSL VPN
6. PKI (IOS CA Server)

Part 1:
IPSec

Network Security
Data Security Assurance Model (CIA)

Confidentiality

Integrity

Authentication

Benefit

Benefit

Benefit

Ensures data privacy

Ensures data
is unaltered
during transit

Ensures identity
of originator or
recipient of data

Shuns

Shuns

Alteration

Impersonation

Replay

Replay

Shuns
Sniffing
Replay

What Is IPsec?
Internet Protocol Security
A set of security protocols and algorithms used to
secure IP data at the network layer
IPsec provides data confidentiality (encryption),
integrity (hash), authentication (signature/certificates)
of IP packets while maintaining the ability to route them
through existing IP networks

IPsec: Building a Connection

IKE (Phase 1)
IPsec (Phase 2)
Data
Two-phase protocol:
Phase 1 exchange: two peers establish a secure, authenticated
channel with which to communicate; Main mode or Aggressive mode
accomplishes a Phase 1 exchange
There is also a Transaction Mode in between which is used for EzVPN client
scenario performing XAUTH and/or Client attributes (Mode Config)
Phase 2 exchange: security associations are negotiated on behalf
of IPsec services; Quick mode accomplishes a Phase 2 exchange

Each phase has its SAs: ISAKMP SA (Phase 1)

and IPsec SA (Phase 2)

Deployment Scenarios:
Basic Peer-to-Peer Topology

Site-to-Site VPN Deployment Scenarios

Basic peer-to-peer topology
Basic site-to-site
site to site IPsec configuration
Static vs. dynamic mapping
Split tunneling consideration
Filtering/Access Control
Crypto ACL consideration
High Availability

STEP 1IKE Phase 1 Policy

Site-2-Site Configuration
IP
R1

R2
IPsec

3.1.0.0/24
2.0.0.1/30

crypto isakmp policy 1

authentication pre-shared
hash sha
encr aes 128
group 2
!
crypto isakmp key 123 address 2.0.0.2

3.2.0.0/24
2.0.0.2/30

crypto isakmp policy 1

authentication pre-shared
hash sha
encr aes 128
group 2
!
crypto isakmp key 123 address 2.0.0.1

STEP 2IKE Phase 2 Policy

Site-2-Site Configuration
IP
R1

R2
IPsec

3.1.0.0/24
2.0.0.1/30

3.2.0.0/24
2.0.0.2/30

crypto ipsec transform-set ts esp-aes

128 esp-sha-hmac
!
access-list 101 permit ip 3.1.0.0
0.0.0.255 3.2.0.0 0.0.0.255
!
crypto map cm 10 ipsec-isakmp
set peer 2.0.0.2
match
t h address
dd
101
set transform-set ts

crypto ipsec transform-set ts esp-aes

128 esp-sha-hmac
!
access-list 101 permit ip 3.2.0.0
0.0.0.255 3.1.0.0 0.0.0.255
!
crypto map cm 10 ipsec-isakmp
set peer 2.0.0.1
match
t h address
dd
101
set transform-set ts

STEP 3Applying the VPN Policy

Site-2-Site Configuration
IP
R1

R2
IPsec

3.1.0.0/24
2.0.0.1/30

interface serial 1/0

ip address 2.0.0.1 255.255.255.0
crypto map cm
!
ip route 3.2.0.0 255.255.255.0 2.0.0.2

3.2.0.0/24
2.0.0.2/30

interface serial 1/0

ip address 2.0.0.2 255.255.255.0
crypto map cm
!
ip route 3.1.0.0 255.255.255.0 2.0.0.1

Static vs. Dynamic Crypto Map

Static Crypto Map

Site_A

crypto map vpn 10 IPSec-isakmp

set peer Site_A

ISP

set transform-set
match address 101
crypto map vpn 20 IPSec-isakmp

Site B
Site_B

Dynamic Crypto Map

crypto map vpn 10 IPSec-isamkp
dynamic dynamap

set peer Site_B

set transform-set
match address 102

crypto dynamic-map dynamap 10

set transform-set
match address

Static vs. Dynamic Crypto Map (Cont.)

Static Crypto Map

Dynamic Crypto Map

Need to VPN p
peer, crypto
yp
ACL, IPsec transform-set

Onlyy need to configure

g
IPsec
transform-set,
crypto ACL is optional

Use multiple crypto map

instances to define multiple
VPN peers
Bidirectional tunnel initiation
Requires more intensive
management,
t deployment
d l
t and
d
troubleshooting

One dynamic map as

a template
Only the remote peer
can initiate tunnel
U
Used
d when
h remote
t peer
has dynamic IP address
Simple to manage
and deploy

Split Tunneling
Definition: Split Tunneling Is the Ability of a Device to
Forward Clear and Encrypted Traffic at the Same Time
over the
th Same
S
I t f
Interface
In site-to-site VPN, use routing and crypto ACL to control
split tunneling
Without Split Tunneling

With Split Tunneling

http://www.cisco.com/

http://www.cisco.com/

Central Site

VPN Head-End

Central Site

VPN

VPN Head-End

VPN

Filtering/Access Control
When filtering at the edge theres not much to see
IKE
UDP port 500
ESP, AH
IP protocol numbers 50, 51 respectively
NAT transparency-enabled
UDP port 4500

Internal access control should be implemented via the

internal interface ACLs or group policy and not the
crypto ACLs for performance reasons

High Availability
Common High Availability (HA) practice in conjunction
with IPsec HA features
Design options
Local HA using link resiliency
Local HA using HSRP and RRI
Cisco IOS IPsec Stateful Failover
Geographical HA using IPsec backup peers
Local/geographical HA using GRE over IPsec
(dynamic routing)

Local HA Using Link Resiliency

ISPs

Link resiliency: ISDN backup, backup Frame Relay

DLCI, etc.
Choose multiple ISPs to achieve link diversity
Use a loopback interface as the ISAKMP identity for the
VPN router
Failover mechanism: backup interface, dialer watch,
floating static routes

Local HA Using HSRP and RRI

(1)

SA Established to Primary
Sending IKE Keepalives

(2) Router P RRI:I can reach 10.1.1.0

R
Remote
t
P

Internet

(3) 10.1.1.0/24 via P

Head-End

10.1.1.0/24
(6) New SA Established to Secondary
Sending IKE Keepalives

(8) 10.1.1.0/24 via S

S
(5) Secondary Active
(7) Router S RRI:I Can Reach 10.1.1.0

= Unscheduled Immediate Memory Initialization Routine (4)

HSRP is enable on outside (WAN facing) interface

Cisco IOS IPsec HA enhancement features:
Allow IPsec use HSRP virtual IP as the peer address
Reverse route injection (RRI) injects IPsec remote proxy IDs
into dynamic routing process

Cisco IOS IPsec Stateful Failover

HA-1
Peer

Internet

I t
Internal
l
Network

N t
Net
Gateway
HA-2

IPsec stateful failover greatly improves failover time

compared to the stateless IPSec/HSPR failure
Stateful failover for IPSec is designed to work in conjunction
with stateful switchover (SSO) and Hot Standby Routing
Protocol (HSRP).
SSO allows the active and standby routers to share IKE and
IPSec state information so that each router has enough
information to become the active router at any time.

Geographic HA Using Backup Peers

200.1.1.1

Branch
B
h
Office

Corporate
Network

ISPs

crypto isakmp keepalive 20 3

200.1.5.1

crypto map vpn 10 ipsec-isakmp

set peer 200.1.1.1
set peer 200.1.5.1
set transform
transform-set
set myset
match address 101

During IKE negotiation, IKE timer (three retries) detects

the peer failure
IKE keepalive or DPD detected failed peer after tunnel is
established1

Local/Geographical HA Using
GRE over IPsec: Dynamic Routing

San Jose
s1

Corporate
Network

Branch
Internet

h1
h2
s2

New York
Geographical HA

Primary Tunnel
Secondary Tunnel
Local HA with Redundant Hub Design

Except under failure conditions:

The IPsec and GRE tunnels are always up since routing
protocols are always running
The remote sites always have two apparent paths to all networks
available via the head-end

Use dynamic routing for path selection and failover

Troubleshooting IPsec

Troubleshooting IPsec
Determine the Problem Characteristics
Is the problem in connection establishment?
Phase 1 failure
Transaction Mode/XAUTH
Phase 2 failure

Is the problem in passing traffic?

All traffic
Specific traffic

Always Use Show Command

Before Debug
show crypto isakmp sa
Important
Show

show crypto ipsec sa

sho crypto
show
cr pto engine connection active
acti e

Interesting Traffic Received

Main Mode IKE Negotiation
Quick Mode Negotiation
Show
Functionality
Flowchart

Establishment off Tunnel

IKE
IPsec
Data

Debug Commands
debug crypto isakmp
Important
Debugs

debug crypto ipsec

deb g crypto
debug
cr pto engine

Interesting Traffic Received

Main Mode IKE Negotiation
Quick Mode Negotiation
Debug
Functionality
Flowchart

Establishment off Tunnel

IKE
IPsec
Data

Basic Hub and Spoke Topology:

GRE over IPsec

Hub and Spoke Topology

90% hub

spoke, 10% spoke

spoke traffic

Design options:
Cisco IOS: uses crypto ACL summarization for smaller scale
deployment; uses GRE over IPsec with dynamic routing protocol
for larger scale deployment
ASA use summarized network lists for small scale deployment

Best option: GRE over IPsec with dynamic routing

protocol

Why GRE over IPsec

L3
IP
HDR

Data

IPsec Tunnel

GRE Tunnel
IP GRE
HDR HDR

IP Data
HDR

IP
HDR

ESP
HDR

IP
HDR

GRE
HDR

IP
HDR

IP
Data
HDR

Encrypted

Data

Decapsulate
Twice

IPsec (ESP) tunnels only IP unicast traffic

GRE encapsulates non-IP and IP multicast or
b d
broadcast
t packets
k t iinto
t IP unicast
i
t packets
k t

GRE over IPsec Configuration Evolution

Before 12.2(13)T, crypto maps are required to apply to
both GRE tunnel interface and physical interface
From 12.2(13)T and later
Only need to apply crypto map on physical interface or
Use tunnel protection IPsec profile under tunnel interface

GRE over IPsec Configuration

crypto isakmp policy 1

authentication pre-share
crypto isakmp key cisco47 address 172.17.63.18
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto map vpnmap2 local-address Ethernet1
crypto map vpnmap2 10 IPSec-isakmp
set peer 172.17.63.18
set transform-set trans2
match address 110
interface Ethernet1
ip address 172.16.175.75 255.255.255.0
crypto map vpnmap2
interface Tunnel0
ip address 10.10.2.1 255.255.255.252
ip mtu 1400
tunnel source Ethernet1
tunnel destination 172.17.63.18
crypto map vpnmap2
ip route 0.0.0.0 0.0.0.0 172.16.175.1
!
access-list 110 permit gre host 172.16.175.75 host 172.17.63.18

12.2(13)T and Later

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 172.16.175.75
!
crypto ipsec transform-set trans2 esp-3des esp-md5hmac

crypto ipsec profile vpnprof

set transform-set trans2
!
interface Ethernet1
i address
ip
dd
172.17.63.18
172 17 63 18 255
255.255.255.0
255 255 0
interface Tunnel0
ip address 10.10.2.2 255.255.255.252
ip mtu 1400
tunnel source Ethernet1
tunnel destination 172.16.175.75

tunnel protection ipsec profile vpnprof

ip route 0.0.0.0 0.0.0.0 172.17.63.1z

IPsec Virtual Tunnel Interface

(VTI) and Dynamic VTI (DVTI)

192.168.100.0/30

.1

.2

Tunnel0

.1

192
2.168.2.0/24

IPsec Static Virtual Tunnel Interfaces

. .

192
2.168.1.0/24

Virtual Tunnel Interface

.1

Simplifies VPN configuration by eliminating crypto maps, access

control lists (ACLs), and Generic Router Encapsulation (GRE)
Simplifies
p
VPN design:
g
1:1 relationship between tunnels and sites with a dedicated logical interface

More scalable alternative to GRE

VTI can support Quality of Service (QoS), multicast, and other
routing functions that previously required GRE
Improves VPN interoperability with other vendors

VTI Peer-to-Peer Configuration:

IKE (Phase One) Policy
172.16.172.10

172.16.171.20

Backbone
Router1
10.1.1.0/24

crypto isakmp policy 1

Router2
10.1.2.0/24

crypto isakmp policy 1

authentication pre-shared

authentication pre-shared

hash sha

hash sha

encr aes 256

encr aes 256

group 5
crypto isakmp key cisco address
172.16.171.20 netmask 255.255.255.255

group 5
crypto isakmp key cisco address
172.16.172.10 netmask 255.255.255.255

IPsec (Phase Two) Policy

172.16.172.10

172.16.171.20

Backbone
Router1
10.1.1.0/24

Router2
10.1.2.0/24

crypto ipsec transform-set tset aes_sha

esp-aes 256 esp-sha-hmac
h h
crypto ipsec profile VTI
set transform-set tset

crypto ipsec transform

transform-set
set tset aes
aes_sha
sha esp
espaes 256 esp-sha-hmac
crypto ipsec profile VTI
set transform-set tset

Apply VPN Configuration

172.16.172.10

172.16.171.20

Backbone
Router1
10.1.1.0/24

interface Tunnel0
ip address 10.10.10.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel source 172.16.172.10
tunnel destination 172.16.171.20
tunnel protection ipsec profile VTI

Router2
10.1.2.0/24

interface Tunnel0
ip address 11.11.11.1
11 11 11 1 255
255.255.255.0
255 255 0
tunnel mode ipsec ipv4
tunnel source 172.16.172.20
tunnel destination 172.16.171.10
tunnel protection ipsec profile VTI

Dynamic Virtual Interfaces Taxonomy

Term

Description
Virtual Template Is a Generic Infrastructure Which
Provides Template for Configuration

Virtual Template

Virtual Template Provides Mechanisms to Dynamically

Create and Delete Interfaces
Defined on Router
Dynamically Created Interface for Each New User

Virtual Access Interface

Configuration from Virtual Templates

Applying Virtual Templates Cisco IOS Commands
onto a Virtual Access Interface

Cloning

Dynamic Virtual Interface: How It Works?

User 1
Remote
LAN
Bridge/
Router
Single User
Client with
ISDN Card

Local
Auth.
auth
1
2

ISDN
DSL

Single User
Client

Virtual
Template
Interface

Physical
Interface

4
4

Router

Virtual
Access
Interface

1. User 1 calls the router

2. Router 1 checks authentication locally/AAA server
3. Authentication succeeds
4. Clone virtual access interface from virtual template interface

Dynamic Virtual Interface: Example

User 1
Remote
LAN
Bridge/
Router
Single User
Client with
ISDN Card

AAA
2

ISDN
DSL

Physical
Interface
Router

aaa authe login list vpn-client group radius

aaa author network list vpn-client group radius

4
4

Single User
Client

crypto isakmp profile vpn1-ra

match identity group vpn 1
client authentication list vpn-client
isakmp authorization list vpn-client
client address respond
virtual-template 1

Virtual
Template
T
l t
Interface

Virtual
Access
Interface

interface Virtual-Template1 type tunnel

ip unnumbered loopback1
load-interval 30
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn1-ra

Head-end configuration
Old way: easy VPN server with dynamic crypto map
New way: IPsec virtual interface

Authorization, authentication, and accounting via RADIUS

Part 2:
Dynamic Multipoint VPN (DMVPN)

Dynamic Multipoint VPN (DMVPN)

Provides full meshed connectivity with simple
configuration of hub and spoke
Supports dynamically addressed spokes
Facilitates zero-touch configuration for addition of
new spokes
Features automatic IPsec triggering for building an
IPsec tunnel

Dynamic Multipoint VPN (DMVPN)

=

Dynamic and Permanent

Spoke-to-Hub IPsec Tunnels

Dynamic and Temporary

S k t S k IP
Spoke-to-Spoke
IPsec Tunnels
T
l

10.1.0.0 255.255.255.0
10.1.0.1

Static
Public IP
Address

130.25.13.1

Dynamic
(or Static)
Public IP
Addresses

10.1.3.1
10.1.3.0 255.255.255.0

Spoke

10.1.1.1
10.1.1.0 255.255.255.0

10.1.2.1
10.1.2.0 255.255.255.0

DMVPN Advantages
Supports IP Unicast, IP Multicast, and dynamic
routing protocols
Supports spoke routers behind dynamic NAT
and hub routers behind static NAT
Dynamic partial-mesh or full-mesh VPNs
Usable with or without IPsec encryption

DMVPN Components
Next Hop Resolution Protocol (NHRP)
NHRP Registration
NHRP Resolution and Redirect

Multipoint GRE Tunnel Interface (mGRE)

Single GRE interface to support multiple GRE/IPSec tunnels
Simplifies size and complexity of configuration

IPsec Tunnel Protection

Dynamically creates and applies encryption policies

Routing
Dynamic advertisement of branch networks; almost all routing
protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported

DMVPN Components: NHRP Registration

Spokes register to hub as clients of the NHRP server
using static NHRP mapping
Hub creates a dynamic NHRP entry, mapping spokes
private tunnel address to the spokes dynamic
public address
Using the routing protocol, spokes advertise their LAN
network to hub and learn about remote LAN addresses
via hub
With routing and NHRP mappings in place, traffic flows
over newly created spoke to hub GRE tunnels
These spoke to hub tunnels permanently stay up

DMVPN Components: NHRP Resolution

and Redirect
Traffic from LAN behind one spoke is always forwarded
to LAN behind another spoke via the hub initially
Hub realizes traffic entered and exited the same tunnel
interface and sends an NHRP redirect to the spoke
The originating spoke sends an NHRP resolution
request trying to resolve the public address for
destination prefix
Hub forwards this query to spoke that owns the prefix
Remote spoke responds back to this query by initiating
a new dynamic GRE tunnel

Network Designs
Hub-and-spoke Design
Spoke-to-spoke traffic via hub
Spokes configured with pt-to-pt GRE tunnels
Dual DMVPN Clouds

Hub-and-Spoke

Spokes configured with mGRE tunnels

Single DMVPN cloud

Spoke-to-spoke Design
Spoke to spoke data traffic over dynamic tunnels

Spoke-to-Spoke

Spokes configured with mGRE tunnels

Single or Dual DMVPN clouds

Large Scale IOS SLB Design

Hub and Spoke as well as Spoke to Spoke support
Multiple identical hubs increase the CPU power
Server Load Balancing

Network Designs

Spoke-to-hub tunnels
Spoke-to-spoke path

Hub and spoke (Phase 1)

Spoke-to-spoke (Phase 2)

Server Load Balancing

Hierarchical (Phase 3)

DMVPN Phases Summarized

Phase 1

Phase 2

Phase 3

Hub and spoke

functionality 12.2(13)T

Spoke to spoke
functionality 12.3(4)T

Architecture and
scaling 12.4(6)T

Simplified and smaller

config for hub & spoke

Single mGRE
interface in spokes

Support dynamically
address CPE

Direct spoke to spoke

data traffic reduced
load on hub

Increase number of
hub with same hub
and spoke ratio

Support for multicast

traffic from hub
to spoke
Summarize routing
at hub

Cannot summarize
spoke routes on hub
Route on spoke must
have IP next hop of
remote spoke

Troubleshooting DMVPN

No hub daisy-chain
Spokes dont
don t need full
routing table
OSPF routing protocol
not limited to 2 hubs
Cannot mix phase 2
and phase 3 in same
DMVPN cloud

Debug and Show Commands

Introduced in 12.4(9)T
Show
show dmvpn
[ peer {{{ nbma | tunnel } ip_address } |
{ network ip_address mask } | { interface tunnel# } |
{ vrf vrf_name }}]
[ detail ] [ static ]

Debug
debug dmvpn [ { error | event | detail | packet | all }
{ nhrp
h | crypto
t | tunnel
t
l | socket
k t | allll } ]
debug dmvpn condition [ peer
{{{ nbma | tunnel } ip_address } | { network ip_address mask } |
{ interface tunnel# } | { vrf vrf_name }}]

Logging
logging dmvpn { <cr> | rate-limit < 0-3600 > }

DMVPN Show Commands

show dmvpn

Hub-1
192.100.1.0
Tu1: 172.20.1.100
3.3.3.3
1.1.1.1

2.2.2.2
Tu1: 172.20.1.2

Tu1: 172.20.1.1
192.1.1.0
Spoke-1

HUB-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- ----1
1.1.1.1
172.20.1.1
UP 00:04:32 D
1
2.2.2.2
172.20.1.2
UP 00:01:25 D
SPOKE-1#show dmvpn
p
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- ----1
3.3.3.3
172.20.1.100
UP 00:21:56 S

192.2.2.0
Spoke-2

Hub-1
192.100.1.0
Tu1: 172.20.1.100

DMVPN Show Commands

show dmvpn detail

3.3.3.3
1.1.1.1

2.2.2.2
Tu1: 172.20.1.2

Tu1: 172.20.1.1
192.1.1.0
Spoke-1

192.2.2.0
Spoke-2

HUB-1#show dmvpn detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: -------------Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
Source addr: 3.3.3.3, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details:
Type:Hub, NBMA Peers:2
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
Target Network
----- --------------- --------------- ----- -------- ----- ----------------1
1.1.1.1
172.20.1.1
UP 00:26:38 D
172.20.1.1/32
IKE SA: local 3.3.3.3/500 remote 1.1.1.1/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 3.3.3.3 host 1.1.1.1
Active SAs: 2, origin: crypto map
Outbound SPI : 0xB28957C6, transform : esp-3des esp-sha-hmac
Socket State: Open

DMVPN Show Commands

show dmvpn peer

Hub-1
192.100.1.0
Tu1: 172.20.1.100
3.3.3.3
1.1.1.1

2.2.2.2
Tu1: 172.20.1.2

Tu1: 172.20.1.1
192.1.1.0
Spoke-1

192.2.2.0
Spoke-2

HUB-1#show dmvpn peer nbma 2.2.2.2 detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: -------------Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
Source addr: 3.3.3.3, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details:
Type:Hub, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
Target Network
----- --------------- --------------- ----- -------- ----- ----------------1
2.2.2.2
172.20.1.2
UP 00:35:01 D
172.20.1.2/32
IKE SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none)
IPSEC FLOW: permit 47 host 3.3.3.3 host 2.2.2.2
Active SAs: 2, origin: crypto map
Outbound SPI : 0x74146521, transform : esp-3des esp-sha-hmac
Socket State: Open

DMVPN Show Commands

Hub-1
192.100.1.0
Tu1: 172.20.1.100
3.3.3.3
1.1.1.1

show ip nhrp traffic

2.2.2.2
Tu1: 172.20.1.2

Tu1: 172.20.1.1
192.1.1.0
Spoke-1

192.2.2.0
Spoke-2

HUB-1#show ip nhrp traffic

Tunnel1: Max-send limit:100Pkts/10Sec, Usage:0%
Sent: Total 2
0 Resolution Request
2 Registration Reply
0 Error Indication 0
Rcvd: Total 2
0 Resolution Request
0 Registration Reply
0 Error Indication 0

0 Resolution Reply 0 Registration Request

0 Purge Request 0 Purge Reply
Traffic Indication
0 Resolution Reply 2 Registration Request
0 Purge Request 0 Purge Reply
Traffic Indication

Part 3:
Group Encrypted Transport (GET) VPN

Cisco Group Encrypted Transport (GET)

VPNSolution for Tunnel-Less VPNs
Cisco GET VPN Delivers a Revolutionary Solution
for Tunnel-Less, Any-to-Any Branch Confidential
Communications
Large-scale any-to-any encrypted
communications
Native routing without tunnel overlay
Optimal for QoS and Multicast
supportimproves application
performance

Any-to-Any
Any-to-Any
Connectivity
Connectivity

Transport agnosticprivate
LAN/WAN, FR/AATM, IP, MPLS

Cisco GET

Offers flexible span of control among

subscribers and providers

VPN
Scalable

Real Time

Available on Cisco Integrated Services

Routers; Cisco 7200 and Cisco 7301
with Cisco IOS 12.4(11)T

Benefits of Cisco GET VPN

Previous Limitations

New Feature and Benefits

M lti
Multicast
t traffic
t ffi encryption
ti through
th
h E
Encryption
ti
supported
t d for
f Native
N ti Multicast
M lti
t and
d
IPsec tunnels:
Unicast traffic with GDOI
Not scalable
Allows higher scalability
Difficult to troubleshoot
Simplifies Troubleshooting
Extensible standards-based framework
Overlay VPN Network
Overlay Routing
Sub-optimal Multicast
replication
li ti
Lack of Advanced QoS

No Overlay
Leverages Core network for Multicast
replication via IP Header preservation
Optimal
O ti l Routing
R ti iintroduced
t d
d iin VPN
Advanced QoS for encrypted traffic

Full Mesh Connectivity

Hub and Spoke primary
support
Spoke to Spoke not scalable

Any to Any Instant Enterprise Connectivity

Leverages core for instant communication
Optimal for Voice over VPN deployments

GET VPN
Overview

Group Security Functions

Key Server
Validate Group Members
Manage
M
S
Security
it Policy
P li
Create Group Keys
Distribute Policy / Keys

Key Server

Routing Member
Forwarding
Replication
Routing

Group
Member
Routing
Members
Group
Member

Group Member
Encryption Devices
Route Between Secure / Unsecure
Regions
Multicast Participation

Group
Member
Group
Member

Group Security Elements

Key Servers

Group Policy

Proprietary: KS
Cooperative Protocol

Key Encryption Key

(KEK)
Traffic Encryption
Key (TEK)

Group
Member
Routing
Members
Group
Member
Group
Member

RFC3547:
Group Domain of
Interpretation
(GDOI)

Group
Member

Group Keys
Key Encryption Key (KEK)
Used to encrypt GDOI (i.e. control
traffic) between KS and GM

Key Server
KEK
TEK1

Traffic Encryption Key (TEK)

Used to encrypt data (i.e. user
traffic) between GM

IP VPN

Group Member
Group Member

Group Member

GET VPN
Data Plane

IPsec Tunnel Mode with IP Address

Preservation

IP Packet

Group
E
Encrypted
t d
Transport

IP Header

Copy of Original
IP Header

IP Payload

ESP
S

IP Header

IP Payload

IPsec header preserved by VPN

Gateway
Preserved IP address uses original
routing plane

Secure Data Plane Multicast

Data Protection
Secure
Multicast

Premise: Sender does

not know the potential
recipients
GM

?
GM

GM
GM

Secure Data Plane Multicast

Premise: Sender does
not know the potential
recipients
Sender assumes that
legitimate group
members
obtain Traffic
Encryption
Key from key server
for the group

Data Protection
Secure
Multicast

KS

GM
GM
GM
GM

Data Protection
Secure
Multicast

Secure Data Plane Multicast

Premise: Sender does not
know the potential recipients

KS

Sender assumes that legitimate

group members obtain traffic
encryption key from key
server for the group
Encrypt Multicast
with IP address
preservation

GM

GM
GM
GM

Replication in the core

based on original (S,G)

Corollary:
Secure Data Plane Unicast

Data Protection
Secure
Unicast

Premise: Receiver advertises

destination prefix but does
not know the potential
encryption sources

?
GM

?
?
GM

GM

GM

Corollary:
Secure Data Plane Unicast
Premise: Receiver advertises
destination prefix but does
not know the potential
encryption sources

Data Protection
Secure
Unicast

KS

Receiver assumes
that legitimate
group members
GM
obtain Traffic Encryption
Key from key server
for the group

GM

GM
GM

Corollary:
Secure Data Plane Unicast
Premise: Receiver advertises
destination prefix but does
not know the potential
encryption sources
Receiver assumes
that legitimate
group members
GM
obtain Traffic Encryption
Key from key server
for the group
Receiver can authenticate
the group membership

Data Protection
Secure
Unicast

KS

GM

GM
GM

GET VPN
Control Plane GM-KS

Group Member: Membership

Management
Group Member Join: Registration
Immediately upon boot
Immediately upon applying crypto map
Protected by IKE SA (Pre-shared Keys or PKI Certificate)

Group Member Maintenance: Rekey

Periodic Update Protected by Rekey SA (IKE SA expires)
New Policies, Time Sync, or New Keys (TEK or KEK)
Acknowledgement with Unicast Rekey
Unacknowledged with Multicast Rekey

Group Member States

Unknown

Unknown
Reboot

Initialize

Initialize

Reset

Mis-configured
Cleared

Fail-Closed
Blocking/Dropping

Fail-Closed
Expired,
Retry

Fail-Open

Fail-Open

Authentication

Fail-Open
Registration

Fail-Closed
Registration

Forwarding

Registration

Expiring
TEK

Authenticating

Group Member

Authorization

Authorization

Group Member

Forwarding/Encrypting

Retry

Authentication

Rekey

Receiving Rekeys

GDOI Protocol
Registration

RFC3547 Definitions

IKE Phase 1

Group Member

Initiator is a Group Member

GROUP-ID

Receiver or GCKS is a Key Server

GROUPKEY-PULL (a.k.a
Registration)

Key Server
Policy / Key

SA-Policy

Protection
IKE SA

Acknowledge

Group Member Request

Group Info

KEK, TEK, Seq. #

Key
Lifetime

Key Server Supplies Policy

Rekey

p Member Acknowledges
g
Group
and asks for Keys
Key Server Supplies Keys

GROUPKEY-PUSH
(a.k.a Rekey)
Key Server refreshes Keys
and/or Policy

Rekey
y
Protection
REKEY SA
Rekey

Key
Lifetime
X

Rekey

Registration

IKE Phase 1
Protection
IKE SA

GROUP-ID

Group Member
Secured Group Member Interface
interface Serial0/0
ip address 192.168.1.14 255.255.255.252
crypto map svn
access-group fail-closed out

<- WAN ENCRYPTION

<- BLOCK EVERYTHING BUT CONTROL

F il l
Fail-closed
d Policy
P li
ip access-list extended fail-closed
permit esp any any
permit ip host 192.168.1.14 host 192.168.1.13
permit tcp host 192.168.1.14 eq ssh any

<- ALLOW ENCRYPTED

<- ALLOW ROUTE ADJACENCY
<- ALLOW SECURE SHELL

Crypto Map Association to Group Security

crypto map svn 10 gdoi
set group secure-wan
match address control_plane

<- GROUP CRYPTO MAP ENTRY

<- GROUP MEMBERSHIP
<- EXCLUDE ENCRYPTION

Group Member Policy Exceptions

ip access-list extended control_plane
<- CONTROL PLANE PROTOCOLS
deny ip host 192.168.1.14 host 192.168.1.13 <- PE-CE LINK (BGP, ICMP)
deny tcp host 192.168.1.14 eq ssh any
<- MANAGEMENT SECURE SHELL

Group Member Association

crypto gdoi group secure-wan
identity number 3333
server address ipv4 <ks1_address>
server address ipv4 <ks2_address>

<<<<-

GROUP ENCRYPTION
MEMBERS GROUP IDENTITY
KS ADDRESS TO REGISTER
ALTERNATE KS REGISTRATION

Key Server States

Unknown
Reboot

Unknown

Mis-configured
Cleared

Initialize

Reset

Secondary
Receiving Policies and Keys via
Primary Announcements

Evaluate

Serving Registration

Election

Announcement of new GM

Primary
Creating Policies and Keys
Service Registration
Announcing Policies and Keys
Rekey
Announcement of GM database

Secondary

Evaluate &
Announce

Primary

Yield &
Demote

Reset

Key Server

Key Server Configuration

crypto gdoi group secure-wan

identity number 3333
server local
rekey address ipv4 102
rekey retransmit 40 number 3
rekey authentication mypubkey rsa my_rsa
authorization address ipv4 member-list
sa ipsec 1
profile gdoi-p
match address ipv4 lans-only
no replay
address ipv4 <ks_address>

<<<<<<<<<<<-

GROUP ID
KEY SERVER
REKEY ADDRESSES REKEY
REKEY RETRANSMITS
KS MSG AUTHENTICATION
GROUP MEMBER AUTHORIZATION
SECURITY ASSOCIATION
CRYPTO ATTRIBUTES SELECTION
ENCRYPTION POLICY LAN-to-LAN
NO ANTI-REPLAY
KS ADDRESS

Rekey Profile (needed for multicast rekey only)

access-list 102 permit any host 239.192.1.1

<- REKEY SOURCE / DESTINATION

G
Group
Member
M b Authorization
A th i ti List
Li t (optional)
( ti
l)
ip access-list extended member-list
permit <ks_peer_address>
permit <gm_address>

<- GM AUTH LIST

<- PEER KS
<- GROUP MEMBER

Encryption IPsec Proxy (mandatory)

ip access-list extended lans-only
<deny udp any eq 848 any eq 848
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 232.0.0.0 0.255.255.255

Part 4:
Easy VPN

ENCRYPTION POLICY
<- ALLOW GDOI
<- UNICAST
<- MULTICAST

Cisco Easy VPN Overview

Branch Office

Central Site

Easy VPN Server:

Internet

Cisco IOS Router or

Cisco ASA

Easy VPN Remote:

Cisco IOS Router or
Cisco ASA

Small Offices and

Home Offices

Software Client:
Cisco VPN Client on
PC/MAC/Unix

Mobile Users

1. Cisco Easy VPN Unity Framework: Remote/branch device can be Cisco IOS
router, ASA or PC/Mac/Unix computer running VPN Client software
2. Call Home/Authentication: Remote device contacts central-site router/concentrator,
and provides authentication credentials
3. Centralized Policy Push: Central-site checks credentials and pushes configuration
securely to the remote device
4. VPN is established

Easy VPN Remote Connection Modes

Easy VPN Remote Feature Supports Three
Modes of Operation
Client mode
Server pushes down an IP address to the client and all traffic from the
client is internally translated to this address before being encrypted and
sent into the tunnel
NAT or PAT is performed at the remote end of the VPN tunnel, forming
a private network and protecting the remote hosts behind the router

Network extension
Remote subnet IP addresses are fully routable and reachable by the
server side network over the tunnel

Network extension plus

Typically used for management purposes
Identical to network extension mode with one addition:
Remote requests an IP address through mode-config from the server,
and ties it to an available loopback interface

Easy VPN Remote Connection Modes

Client Mode:
Address is pushed down and all
outgoing traffic is translated to
use this assigned
g
IP
172.19.168.8

Network Extension Mode:

Fully routable network

172.19.168.0/24

Internet
10.10.10.0/24

Cisco Easy
VPN Server
172.19.168.9
10.10.10.0/24

Network Extension Plus Mode:

Address is pushed down and
bound to a loopback interface

Enhanced Easy VPN Architecture

Problem Statement
Certain deployments require the ability to treat VPN
(encrypted) and non-VPN (plain text) traffic as distinct
entities within the router, and apply separate IP
services such as QoS, multicast and NAT
Traditional Easy VPN architecture had limitations
in this respect
Solution
Enhanced Easy VPN defines a logical interface (a
virtual interface) in which packets are encapsulated
with IPsec
Each interface has the capability to tie several services
such as QoS, multicast and NAT to Easy VPN

Enhanced Easy VPN Architecture

Administrator defines a virtual template containing
Cisco IOS commands applicable for all users
Easy VPN Remote (hardware client) has a separate interface
context allowing tunnel specific features to be applied e.g., ACL,
NAT and QoS

As each new user seeks to gain VPN access, a virtual

access interface is cloned automatically based on the
virtual template
Per-user attributes allow individual users to be treated
preferentially for QoS, ACLs, etc.

Virtual Templates for Easy VPN Server

Use the specified
virtual template
interface for
creating and
cloning the virtual
access interface

Dynamic IPsec
interface is
required

The IPsec profile is

applied on the virtual
template
IPsec profiles define
the phase 2 policy

Interface Virtual-template1 tunnel

ip unnumbered Lo0
...
tunnel mode IPsec ipv4
tunnel protection IPsec profile IPSEC_PROFILE
IPSEC PROFILE
...
!
Crypto isakmp profile FOO
virtual-template 1
...
!
14

Part 5:
SSL VPN

What Is SSL VPN?

Mechanism for secure communication over IP like
IPsec VPN (Internet Protocol Security)
SSL is the security technology for establishing an
encrypted link between the browser and the web server
Encrypted link ensure all data passed between the
client and server remains private and integrity is
maintained
For an SSL connection to be established the head end
device requires an SSL certificate

Types of SSL VPN

Two Types of SSL VPN
1 Clientless SSL VPN
1.
2. Cisco AnyConnect VPN Client (full client)
All above types access the VPN appliance through https protocol

Clientless SSL VPN

No VPN client needs to be installed on the end
user machine
Uses a standard web browser (Internet Explorer,
Firefox)
Can access web applications http, https, Common
Internet File Sharing (CIFS), File Transfer
Protocol (FTP)
Client-Server
Client Server Plug
Plug-ins
ins for Remote Desktop Protocol
(RDP), Virtual Network Computing (VNC), Secure
Shell (SSH) access, Telnet and Citrix
VPN appliance gives web-based look and feel for the
application access (customizable) through content
rewrite process

Clientless SSL VPN

HTTPSTCP/443
HTTPTCP/80
If HTTP redirection desired

Cisco AnyConnect VPN Client

Thick Client, Full Tunneling, or Tunnel Client
Traditional-style client
delivered via automatic
download
Requires administrative
privileges for initial
install only
Pre-deployment MSI
package available
Can use TLS or DTLS
as transport
Can be upgraded from a previous
version upon connection

Cisco AnyConnect VPN Client

Installation Options
WebLaunch
Initiate via web browser
Login via portal
Auto-download (ActiveX/Java)
Manual download

Manual
MSI installer

Cisco AnyConnect VPN Client

Key Differences
Cisco VPN Client

Cisco AnyConnect
VPN client

Approximate size

~10 MB

~1.2 MB

Initial install

distribute

Admin rights required

P t
Protocol
l
Head End
Client reboot required

yes

auto download
distribute
yes
initial install only

IP
IPsec

DTLS TLS
DTLS,

ASA/PIX/IOS

ASA/IOS

yes

no

Part 6:
Public Key Infrastructure (PKI)IOS
CA Server

Why PKI?
Need a method to authenticate IKE
Wildcard preshared keys are scalable but are not
secure
Pair-wise preshared keys are more secure but is not
scalable
PKI is both secure and scalable

Public Key Cryptography

Core Concepts

Building Blocks for Core Concepts

Asymmetric key pairs
Digital signatures
Certificates

Public Key Cryptography

Core Concepts

Building Block 1Asymmetric Key Pairs

Two keys are involved, the public key and the
private key
A user gives his or her public key to other users,
keeping the private key to himself or herself
Data encrypted with a public key can only be decrypted
with the corresponding private key, and vice versa
Key pairs are asymmetric

Core Concepts

Digital Signatures
Building Block 2How Signatures Are Built
One-way function; easy to produce
hash from message, impossible
to produce message from hash

Hash
Function

Alice
Hash of Message

Sign Hash with Private Key

s74hr7sh7040236fw
7sr7ewq7ytoj56o457

Signature = Encrypted Hash of Message

Digital Signature Verification

Core Concepts

Separate the message from the signature

Message
1. Hash the
message

Signature
1. Decrypt the signature
using the public key
2. Decrypted signature
should contain the
hash of the message

If Hashes
Are Equal
Signature
Is Verified

Digital Certificate

Core Concepts

Building Block 3What Is a Digital Certificate?

Each client generates a private/public key pair
Each client sends its public key to a third party
That third party digitally signs the clients public key
with its private key (process discussed in previous
digital signature section)
The trusted third party is called a certificate authority

Certificate Authorities

Core Concepts

A Certificate Authority (CA) is an entity which can

issue a certificate to a user or network device
Before any PKI operations can begin, the CA generates
its own public key pair and creates a self-signed
CA certificate

PKI/CA Enrollment

Core Concepts

A router requesting a certificate sends an enrollment

request to a certificate authority using SCEP (Simple
Certificate Enrollment Protocol)
SCEP runs over TCP port 80 (HTTP)
Entire 43-page IETF draft on the protocol details are
available (focus of this presentation is on infrastructure)
http://www.ietf.org/internet-drafts/draft-noursescep-16.txt

How to Set up a Basic CA Server

High-Level Steps
Generate RSA key pairs (Step 1)
Enable HTTP server on the router (Step 1)
Configure the PKI server on the CA (Step 2)
Configure PKI trust point for self signage (Step 2)

How to Set up a Basic CA Server

Steps 1Configure RSA and HTTP Server

R1(config)#crypto key generate rsa general-keys label cisco1

exportable
R1(config)#ip http server

How to Set up a Basic CA Server

Steps 2 Configure a Basic PKI Server
The certificate server must use the same name as
the key pair
R1(config)#crypto pki server cisco1

Specify where to store the CAs file system

R1(cs-server)#database url nvram:
{or external ftp url is preferred}

Specify the lifetime for the self signed and

issued certificates
R1(cs-server)#lifetime ca-certificate 365
R1(cs-server)#lifetime certificate 200

How to Set up a Basic CA Server

Steps 2 Configure a Basic PKI Server (Cont.)
For self signage created the local trust point
R1(config)#crypto pki trustpoint cisco1

Specify your local RSA key pair for the CA

R1(cs-server)# revocation-check crl none
R1(cs-server)# rsakeypair cisco1

Section 7
Configure Cisco IPS to Mitigate
Network Threats

Exam Objectives
Configure IPS 4200 Series Sensor Appliance
Initialize the Sensor Appliance
Configure Sensor Appliance management
Configure virtual Sensors on the Sensor Appliance
Configure security policies
Configure promiscuous and inline monitoring on the Sensor Appliance
Configure and tune signatures on the Sensor Appliance
Configure custom signatures on the Sensor Appliance
Configure blocking on the Sensor Appliance
Configure TCP resets on the Sensor Appliance
Configure rate limiting on the Sensor Appliance
Configure signature engines on the Sensor Appliance
Use IDM to configure the Sensor Appliance
Configure event action on the Sensor Appliance
Configure event monitoring on the Sensor Appliance
Configure advanced features on the Sensor Appliance
Configure and tune Cisco IOS IPS
Configure SPAN & RSPAN on Cisco switches

IPS Terminology:
The Marketing of IPS/IDS
IDS Intrusion Detection SystemTypically limited to
promiscuous sensors (out of packet stream)
IPS Intrusion Prevention/Protection SystemThe term
most commonly applied to a sensor that sits inline (in
the packet stream) and can drop malicious packets,
flows or attackers
IDP Intrusion Detection and PreventionMarketing
term coined by a vendor for product differentiation

IPS Terminology: What Is IPS?

IPS Closely Resembles a Layer 2 Bridge or Repeater
Identical to a wire is the closest analogy
Inline interfaces have no MAC or IP and cannot be
detected directly
Network IPS passes all packets without directly participating in
any communications including spanning tree (but spanning tree
packets are passed)
Default behavior is to pass all packets even if unknown, (i.e. IPX,
Appletalk, etc.) unless specifically denied by policy or detection

IPS Components
Network-based sensors
Specialized software and/or hardware used to collect and
analyze network traffic (either in IPS or IDS mode: inline or
promiscuous)
Appliances, modules, embedded in network infrastructure (either
inline or promiscuous)
Network IDS: Appliances, modules, embedded
Host IDS: Server-specific agent

Security management and monitoring

Performs configuration and deployment services
Performs alert collection, aggregation, and correlation

Network-Based IDS: The Sensor

Command & Control Interface
Has an IP Address

Network Link to the

Management Console

Promiscuous Interface
No IP Address
Data Capture using
SPAN, TAP, VACL
capture, etc

Client-Server on Same
Layer 2 VLAN
e.g. VLAN 10

Data Flow
Client

Same Layer 3 Segment

Server

Monitoring the Network

(Promiscuous out-of-band)

Transparent Inline Interface #1

No MAC or IP Address

Network Link to the

Management Console

Network-Based IPS: The Sensor

Command & Control Interface

Has an IP Address

Server & Interface #2

on Separate
Layer 2 VLAN
e.g. VLAN 20

Client & Interface #1

on Separate
Layer 2 VLAN
e.g. VLAN 10

Data Flow
Client

Transparent Inline Interface #2

No MAC or IP Address

Data Flow
Same Layer 3 Segment

Monitoring the Network

(inline within packet stream)

Server

IPS Functions and Capabilities

Monitors all traffic traversing between two interfaces
transparently
Can also monitor traffic promiscuously: SPAN, TAP, VACL
capture, etc.
Compare traffic against well known attack patterns
(signatures); also look for heuristic attack patterns (i.e.
multihost scans, DoS) and protocol anomalies
g
and stream reassembly
y logic
g for
Includes fragmentation
de-obfuscation of attacks as well as TCP/IP packet stream
normalization
Both an alarming and visibility tool as well as preventative
capability through packet filtering; also allows active
response: TCP reset, blocking, IP session logging, and
deny packet/flow/attacker

Management
IPS Device Manager (IDM)
Web-based Java GUI, providing management of a
single device

IPS Appliance Deployment Examples

IPS Appliance Sensor Deployment Examples:
Two L2 devices (non trunk)
Two L2 devices (trunked; 802
802.1q)
1q)
Two L3 devices
Bridging 2 VLANs on same switch

IPS Appliance Deployment Examples

Two L2 devices
((non-Trunk))

Two L2 devices
((Trunk 802.1q)
q)

Two L3 devices

Bridging Two VLANs

Inline-on-a-Stick

VLAN X
Trunk

Trunk

VLAN Y

Inline VLAN Pairing Example

VLAN pairing a.k.a. Inlineon-a-stick, allows a sensor
t bridge
to
b id VLAN
VLANs ttogether
th
on the same physical
interface by creating, in
effect, sub-interfaces that
allow the sensor to bring
packets in on VLAN X and
out on VLAN Y
Multiple VLAN pairs per
physical interface reduces
the need to have many
physical interfaces
per chassis

Bridging Two VLANs

Inline VLAN Pair
(I li
(Inline-on-a-Stick)
Sti k)
Switchport Fa0/5
(Trunk Port)

VLAN 10

VLAN 20

IPS Sensing Interface Gig2/0

Switchport configured as Trunk Port

Inline Interface Pair Example

Inline Interface Pair
(Between Two L3 devices)
R1
VLAN 10

IPS Sensing Interface Gig2/0

IPS Sensing Interface Gig2/1

Connection

Switchport

VLAN

R1 Ethernet0/0

Fa0/1

10

IPS Gig2/0

Fa0/10

10

R2 Ethernet0/0

Fa0/2

20

IPS Gig2/1

Fa0/20

20

VLAN 20

Switchport are configured as Access Ports

R2

Same Layer 3 Segment

172.16.1.0/24
Separate Layer 2 VLANs

Initializing the Sensor in Lab Exam

Default username/password will be changed in the lab
exam. Follow the instructions/guidelines in your
workbook. In most cases, username and password will
be set to cisco/123cisco123. Do not change this
user credentials, else; you will lose all points
Configure basic parameters such as the
host name, IP address, netmask, gateway and
communications options
Use IPS Device Manager (IDM) to browse the sensor
management IP address to complete remaining exam

Signatures and Anomalies

Signatures explicitly define what activity should be
considered malicious
Simple pattern matching
E.g. look for root
Stateful pattern matching
E.g. decode a telnet session to look for root
Protocol decode-based analysis (including protocol anomalies)
E.g. RPC session decoding and analysis; SNMP protocol
anomaly detected from use of protos tool
Heuristic-based analysis
E.g. rate of inbound SYNsSYN flood?

Anomaly detection involves defining or learning

normal activity and looking for deviations from this
baseline

Signature Implementations and

Structures
Signature implementation
Contexttrigger
Context
trigger data contained in packet header
Contenttrigger data contained in packet payload

Signature structure
Atomictrigger contained in a single packet
Compositetrigger contained in a series of
multiple packets

Signature Tuning
Sensors are shipped with default signature configuration
Signature specific:
Ports, protocols, services, analysis length, etc.
Filtering: what networks to alarm on

Event count: number of events to see before alarm

Severity: what level of alarm to send
gg g
how many
y alarms to send
Alarm aggregation:
Summary mode: fire all, summarize, global summarize
Summary interval: summarization window
Summary threshold: high water mark to change summarization

Event action: what to do following when the sig is triggered

(includes producing an alert)

Custom Signatures

New environment specific signatures can be created

Custom signature configuration tasks:

1. Select the signature micro-engine that best meets
your requirements
2. Enter values for the signature parameters that are required
and meet your requirements
3. Save and apply the custom signature to the sensor

IPS v6.x New Feature Highlights

Virtualization
IPS 6.0 and 6.1 Allows the Creation of Multiple
Virtual Sensors
Each physical sensor can have a maximum of four
Vi t l Sensors
Virtual
S
configured,
fi
d with
ith the
th exception
ti off the
th
IPS-4215, which does not support virtualization at all.
Each virtual sensor can have its own:
Interfaces/Pairs
Signature Definition Policy
Event Action Rule Policy (filters and overrides)
Anomaly Detection Policy
Anomaly Detection Operational Mode
TCP Session Tracking Mode

Anomaly Detection
IPS 6.x learns normal network behavior, and alerts
when abnormal behavior appears to be caused by
a network worm
Anomaly Detection detects the following situations:
When the network starts on the path of becoming congested
by worm traffic
When a single worm-infected source enters the network and
starts scanning
g for other vulnerable hosts

IPS 6.1 Default Protection Policy

Understanding Default Inline Behavior

Beginning in IPS 6.1, if a sensor is placed inline

(IPS mode), High Risk attacks are denied by
default.

IPS 6.1 Default Protection Policy

Risk Rating Thresholds are set under Risk Category.
The Risk Rating is a mathematical calculation based on:
1.Signature
g
Severity
y
2.Attack Relevancy
3.Signature Fidelity
4.Value of the Victim Host
Risk Rating is a value from 1 100.

IPS 6.1 Default Protection Policy

By default, if this HIGHRISK policy

denies a packet inline, it also sends a
TCP Reset,
Reset in one direction only (to the
victim). This behavior frees resources
on the victim and hangs applications on
the attacker.

IPS 6.1 Default Protection Policy

If you do not want the One-Way

TCP Reset to occur, disable it
here.

Other New Features of 6.0 and 6.1

Rate-Limiting as a Response Action (added in 6.0)
Support for Unauthenticated NTP Servers
(added in 6.1)
Login Password Restrictions (added in 6.1)
Auto-Update from Cisco.com (added in 6.1)
Sensor Health Monitoring (added in 6.1)
Enhanced Response Actions (added in 6.1)
Support for Asymmetric Flow Protection (added in 6.1)

Understanding IPS Engines

IPS 6.1 Engines

AIC FTP
AIC HTTP
Atomic ARP
Atomic IP

Application Inspection & Control for FTP

Application Inspection & Control for HTTP
Inspection of Single ARP Packets
Inspection of Single IP Protocol Packets

Atomic IPv6

Inspection of Single IPv6 Protocol Packets

Flood Host

Denial of Service Against a Single Host

Flood Net

Denial of Service Against a Network

Meta

Combines Signatures, Including Across Multiple Engines

IPS 6.1 Engines (Cont.)

Multi String

Inspection of Multiple String Matches

Normalizer*

Inspects Malformed, Fragmented or Illegal Traffic

Service DNS

Protocol Inspection of DNS

Service FTP

Protocol Inspection of FTP

Service Generic

Generic Protocol Protocol Inspection

Service H225

Protocol Inspection of H.225

Service HTTP

Protocol Inspection of HTTP

Service Ident

Protocol Inspection of Ident

* Inline Only

IPS 6.1 Engines (Cont.)

Service MSRPC

Protocol Inspection of MSRPC

Service MSSQL

Protocol Inspection of Microsoft SQL Server Traffic

Service NTP

Protocol Inspection of NTP

Service RPC

Protocol Inspection of RPC

Service SMB

Protocol Inspection of SMB

Service SMB
Advanced

Enhanced Protocol Inspection of SMB

Service SNMP
Service SSH

Protocol Inspection of SNMP

Protocol Inspection of SSH

IPS 6.1 Engines (Cont.)

Service TNS
State

Protocol Inspection of TNS

Primarily Inspects Mail and IOS State Commands

String ICMP

String Matching within ICMP

String TCP

String Matching within TCP

String UDP

String Matching within UDP

Sweep
Sweep other TCP
Traffic Anomaly

Reconnaissance Activities
Additional Reconnaissance Activities
Watches for Changes in Host Behavior

IPS 6.1 Engines (Cont.)

Traffic ICMP

Flood Conditions via ICMP

Trojan Bo2k

Back Orifice Trojan Activity

Trojan Tfn2k

Tribe Flood Network Activity

Trojan UDP

Trojan Activity via UDP

Understanding IPS Actions

IPS 6.1 Actions

Logging or Monitoring Actions

Produce Alert

Provide an Alert

Produce Verbose Alert

Provide an Alert, including the Trigger Packet

Log Attacker Packets

Create IP Log of Packets To/From Attacker

Log Victim Packets

Log Pair Packets

Create IP Log of Packets To/From Victim

Create IP Log of Packets Between Attacker and Victim

Request SNMP Trap

Send SNMP Trap to a Management Station

IPS 6.1 Actions

Deny ActionsInline Operations Only

Deny Packet Inline

IPS Does Not Transmit This Packet

Deny Connection Inline*

IPS Does Not Transmit This Packet, or Any Other

Packet in this TCP Flow

Deny Attacker Victim

Pair Inline

IPS Does Not Transmit This Packet, or Any Other

Packet Between These Two Hosts

Deny Attacker Service

Pair Inline

IPS Does Not Transmit This Packet, or Any Other

Packet From Attacker On This Destination Port

Deny Attacker Inline

IPS D
Does N
Nott T
Transmit
it Thi
This P
Packet,
k t or A
Any Oth
Other
Packet From Attacker to Any Host

* TCP Traffic Only

IPS 6.1 Actions

Other Actions

Reset TCP Connection*

Modify Packet Inline**

IPS Sends TCP RST Packets Bi-directionally,

Bi-directionally To
Both Attacker and Victim
IPS Modifies Packet In Various Methods

Request Block Connection

A Blocking Request Is Sent to a Router, Switch, or

Firewall to Block Traffic. IPS Also Executes Deny
Connection Inline If Possible.

Request Block Host

A Blocking Request Is Sent to a Router, Switch, or

Firewall to Block Traffic. IPS Also Executes Deny
Attacker Inline If Possible.

Request Rate-Limit

A Rate-Limit Request Is Sent to a Router

* TCP Traffic Only

** Valid Only For Normalizer Engine, Inline Operation Only

Useful Show Commands on IDS Console

show statistics eventStore
show events alert {high|medium|low}
show events status
show interface
show configuration
show version
show statistics

Cisco IOS IPS

Cisco IOS Intrusion Prevention (IPS)

Cisco IOS IPS stops attacks at the entry point, conserves WAN
bandwidth, and protects the router and remote network from DoS attacks
cost effective and viable to deploy IPS in
Integrated form factor makes it cost-effective
Small and Medium Business and Enterprise branch/telecommuter sites
Supports 2000+ signatures sharing the same signature database available
with Cisco IPS sensors
Allows custom signature sets and actions to react quickly to new threats
Protect router
and local network
from DoS attacks
Branch Office

Stop attacks
before they fill
up the WAN
Internet

Small Branch

Small Office and

Telecommuter

Corporate Office

Apply IPS on traffic from

branches to kill worms
from infected PCs

http://www.cisco.com/go/iosips

Cisco IOS IPS

Configuration Example
Download Cisco IOS IPS Files to your PC
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup

IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt

Cisco IOS IPS Configuration (Cont)

retired false
interface fast Ethernet 0
ip ips ips-policy in

Configure Cisco IOS IPS Crypto Key

mkdir ipstore (Create directory on flash)
Paste the crypto key from
realm-cisco.pub.key.txt

Load the signatures from TFTP server

copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count

Total Compiled Signatures:
338 -Total active compiled signatures

Cisco IOS IPS Configuration

ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
category all
retired true
category ios_ips basic

Cisco IOS Transparent IPS

Use Case: IPS Between Wireless and Wired LANs
Introduces stealth IPS capability
No IP address associated with IPS (nothing to attack)
IOS Router is bridging between the two halves of the network

Both wired and wireless segments are in same subnet

192.168.1.0/24
VLAN 1 is the private protected network.
192.168.1.3

Wireless
Fa 0/0

Internet
VLAN 1

192.168.1.2

Transparent
IPS

Cisco IOS Transparent IPS

Configuration Example
Download Cisco IOS IPS Files to your PC
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup

IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt
Configure Cisco IOS IPS Crypto Key
mkdir ips5 (Create directory on flash)
Paste the crypto key from
realm-cisco.pub.key.txt
Cisco IOS IPS Configuration
ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
category all
retired true
category ios_ips basic

retired false

Section 8
Implement Identity Management

Cisco IOS IPS Configuration (Cont)

interface VLAN 1
description private interface
bridge-group 1
ip ips ips-policy out
interface VLAN 2
description private interface
bridge-group 1
ip ips ips-policy in
Load the signatures from TFTP server
copy tftp://192.168.10.4/IOS-S289-CLI.pkg
idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
show ip ips signature count
Total Compiled Signatures:
338 -Total active compiled signatures

Exam Objectives
Configure RADIUS and TACACS+ security protocols
Configure LDAP
Configure Cisco Secure ACS
Configure certificate-based authentication
Configure proxy authentication
Configure 802.1x
Configure advanced identity management features
Configure Cisco NAC Framework

AAA Overview
Authentication, Authorization, and Accounting (AAA)
network security services provide the primary
framework through which you set up access control
The CiscoSecure ACS uses authentication,
authorization, and accounting (AAA) to provide network
security. Each facet of AAA significantly contributes to
the overall security of your network:
Authentication determines the identityy of users and whether they
y
should be allowed access to the network
Authorization determines the level of network services available
to authenticated users after they are connected
Accounting keeps track of each users network activity

RADIUS vs. TACACS+

RADIUS

TACACS+

RADIUS uses UDP port

1645/1646 and as per
RFC 2138; 1812/1813

TACACS+
TACACS uses TCP
port 49

RADIUS encrypts only the

password in the packet
Single challenge response
Combines authentication
and authorization
Industry standard (created
by Livingston)

TACACS+ encrypts
entire packet
Multiple challenge response
Uses the AAA architecture and
separates each process
Cisco proprietary
Supports command
authorization

Does not support command

authorization

CiscoSecure ACS
CiscoSecure ACS Server supports both; RADIUS and
TACACS+ protocols
Full access will be provided for configuration,
verification and troubleshooting purpose
How to bring up ACS GUI remotely?
http://ip_address:2002

Device Management
Practice device management using AAA on router and
Cisco Catalyst switches equally
Device management via Telnet, SSH, HTTP/HTTPS
are the most commonly authenticated protocols
Console/Aux port should not be affected by any AAA
commands unless otherwise specified
Device management can be performed on all devices
such as routers, Cisco Catalyst switches, and ASA (IDS
does not support AAA)
TACACS+ gives you the best control for managing a
device by allowing you to restrict commands used while
on the device using various privilege levels

Centralized Authentication Example

Use centralized authentication system
Use RADIUS or TACACS+

AAA Configuration

aaa new-model
aaa authentication login mymethod group tacacs+ enable
ip tacacs source-interface Ethernet 0

Optional Source
Interface

tacacs-server host 10.1.1.254

tacacs-server
tacacs
server key cisco
line vty 0 4
login authentication mymethod

Define AAA Server and

Shared-Secret
Shared
Secret Key
Apply AAA
Method Online

Command Authorization
A device can be configured to authorize commands
through a AAA server at all or specific levels
The following router configuration allows all users to
have per-command authorization set up on the server
Here we authorize all commands through CiscoSecure
ACS using TACACS+; but if the AAA server is down,
fallback authorization is set to local database
Example:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

ASA Management
AAA support is available to authenticate Telnet, SSH
and Console access on ASA using TACACS+
and RADIUS
Make sure you can Telnet from the inside network
to the inside interface of the ASA without any
AAA authentication
Always have an active connection open to the ASA
while adding authentication statements in the event
that backing out the commands is necessary
The RADIUS authentication and accounting ports can
be changed to other than the default 1645/1646

ASA Management (Cont.)

ASA command authorization and expansion of local
authentication was introduced in version 6.2
Commands performed may be controlled locally on the
firewall or remotely through TACACS+
RADIUS command authorization is not supported; this
is a limitation of the RADIUS protocol
Example:
aaa-server <tag> [<(if_name)>] host <ip_address> [<key>]
aaa-server <tag> protocol tacacs+|radius
aaa authentication serial|telnet|ssh|http|enable console {LOCAL |
tacacs_server_tag}
aaa authorization command {LOCAL | tacacs_server_tag}

Cisco ASA Service Authentication

RADIUS and TACACS+ authentication can be done
for HTTP, HTTPS, FTP, Telnet, SSH, and ICMP
connections through the Firewall using AAA
Authentication for other less common protocols, nonstandard services and/or other TCP/UDP ports can also
be made to work using tcp/<port> and udp/<port>
Note that TACACS+ authorization is supported,
however RADIUS authorization is not
however,

AAA Test Command

AAA test command provides protocol connectivity test
from the NAS to the RADIUS/TACACS+ server. It validates
if the NAS can establish connectivity with the server using
RADIUS/TACACS+ ports
At times, the test aaa may yield a failed result even if the
ping (ip connectivity) is successful. Why?
Example:
Router# test aaa group tacacs+ testuser mypassword legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated
Or
Router# test aaa group radius testuser mypassword legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated
Or
ASA# test aaa authentication acs host 10.1.1.254 username cisco password cisco
INFO: Attempting Authentication test to IP address <10.1.1.254>.......
INFO: Authentication Successful

Troubleshooting AAA
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug radius
debug tacacs
test aaa group radius|tacacs+ username pwd legacy

Section 9
Implement Control Plane and Management Plane Security

Exam Objectives
Implement routing plane security features (protocol authentication, route
filtering)
Configure
C fi
C
Control
t l Pl
Plane P
Policing
li i
Configure CP protection and management protection
Configure broadcast control and switchport security
Configure additional CPU protection mechanisms (options drop, logging
interval)
Disable unnecessary services
Control device access (Telnet
(Telnet, HTTP
HTTP, SSH,
SSH Privilege levels)
Configure SNMP, Syslog, AAA, NTP
Configure service authentication (FTP, Telnet, HTTP, other)
Configure RADIUS and TACACS+ security protocols
Configure device management and security

Understanding Routers and Planes

Routers and Planes

A network device typically handles traffic in several
different forwarding planes
There are nuances to the definition of these planes
IETF RFC3654 defines two planes: control and forwarding
ITU X805 defines three planes: control, management,
and end-user
Cisco defines three planes: control, management, and data

Routers and Planes

Traffic to the control and management plane is
always destined to the device and is handled at
process level ultimately:
In hardware switched platforms, control/management
plane traffic is sent to the RP/MSFC and then sent to
the process level for processing
In software switched platforms, it is sent directly to
the process level for processing

Traffic in the data plane is always destined

through the device and is:
Implemented in hardware on high end platforms
CEF switched (in the interrupt) in software switched platforms

Data Plane
Data Plane

Forwarding/Feature
ASIC Cluster
Forwarded Packets

Ingress Packets

All Packets
Forwarded Through
the Platform

Punted Packets
s

Data Plane

ToFab
T
F b to
t Other
Oth
Line Cards

ASICs
Supporting
CPU

Receive Path Packets

Route
Processor
CPU

Control Plane
Forwarding/Feature
ASIC Cluster
Forwarded Packets

Ingress Packets

ToFab
T
F b to
t Other
Oth
Line Cards

Control Plane

Punted Packets
s

Control Plane
ARP, BGP, OSPF, and
Other Protocols that Glue
the Network Together

ASICs
Supporting
CPU

Most Control
Plane Packets
Go to the RP

Receive Path Packets

Route
Processor
CPU

Management Plane
Forwarding/Feature
ASIC Cluster
Forwarded Packets

Ingress Packets

ToFab
T
F b to
t Other
Oth
Line Cards

Management Plane
Punted Packets
s

Management Plane
Telnet, SSH, TFTP, SNMP,
FTP, NTP, and Other
g
Protocols Used to Manage
the Device

ASICs
Supporting
CPU

All Management
Plane Traffic
Goes to the RP

Receive Path Packets

Route
Processor
CPU

IP Control Plane Security

IP Control Plane Security

The control plane is the logical group containing all
routing, signaling, link-state, and other control protocols
used to create and maintain the state of the network
and interfaces
It is, therefore, critical that control plane resources and
protocols are protected to:
Keep the network up and running at all times
Prevent traffic redirection which could result in a DoS
condition, eavesdropping or manipulation of application
layer (data) content

The control plane also enables other protection

mechanisms to help mitigate the risk of security attacks

IP Control Plane Security Techniques

Disable unused control plane services
ICMP techniques
Selective packet discard
Control plane policing
MD5 authentication
BGP techniques
Generalized TTL security mechanism
Protocol specific filters

Disable Unused Control Plane Services

Gratuitous ARP: filter unsolicited ARP replies which
may be used by an attacker to intercept traffic flows
IP Source Routing: prevent source IP hosts from being
able to specify an explicit route it wishes a packet to
traverse through the network
MOP: proprietary and legacy protocol used for utility
services such as transferring system software and
remote troubleshooting
Proxy ARP: generally only required on shared LANs
Others as appropriate

ICMP Techniques
ICMP is handled at the Cisco IOS process level, hence,
is often leveraged within DoS attacks
By default, Cisco IOS software enables certain ICMP
processing functions in accordance with IETF
standards
These default configurations may not conform to
security best practices or to security policies you
may have for your network

ICMP Techniques
To Reduce the Risk of ICMP-Related DoS
Attacks, Consider the Following Techniques:
no ip unreachables: disables the interface from generating ICMP
Destination Unreachable (Type 3) messages
messages, thereby reducing the impact
of certain ICMP-based DoS attacks on the router CPU
no ip redirects: disables the interface from generating ICMP Redirect
(ICMP Type 5) messages when it is forced to send an IP packet through
the same interface on which it was received
no ip information-reply: disables the router from generating ICMP
Information Reply (Type 16) messages when it receives unsolicited ICMP
Information Request (Type 15) messages (applied by default)
no ip mask-reply: disables the router from generating ICMP Address
Mask Reply (Type 18) messages when it receives unsolicited ICMP
Address Mask Request (Type 17) messages (applied by default)
Interface ACLs: infrastructure and transit ACLs may be used to filter
unnecessary ICMP messages destined to network infrastructure, including
but not limited to ICMP Source Quench (Type 4), ICMP Echo (Type 8; in
other words, ping), and ICMP Timestamp (Type 13) messages

Selective Packet Discard

Selective Packet Discard (SPD) is an IOS internal
mechanism that manages the process level input queues
on the Route Processor (RP)
SPD seeks to prioritize routing protocol packets and other
important control plane traffic such as Layer 2 keepalives
during periods of process level queue congestion
SPD only applies to ingress packets destined to the IOS
process-level
SPD does not apply
pp y to locally
y sourced router p
packets
On distributed processing platforms (e.g., 12000), only packets
punted to the RP are subject to SPD

SPD functions have proven effective during heavy IOS

process level packet floods, because it gives priority service
to important packets and ensures fairness among router
interfaces of IOS process level router resources

Control Plane Policing (CoPP)

Provides filtering and rate-limiting capabilities for all
packets punted to the route processor for handling
not just control plane packets
CEF receive adjacency traffic
Exceptions IP and non-IP traffic (e.g., router alert IP header
options, ARP, etc.)

Provides improved flexibility in packet control

Traffic may be permitted,
permitted but at a controlled rate
Transit (exceptions) IP traffic can be policed, further protecting
the route processor

CoPP is widely available within IOS

Control Plane Policing (CoPP)

CoPP uses the IOS Modular QoS CLI (MQC) for policy
definition
Consistent approach on all boxes
Dedicated control-plane interface
Single point of application

Highly flexible: permit, deny, rate limit

CoPP Conceptual View

Control Plane
Management
SNMP, Telnet

ICMP

IPv6

Routing
Updates

Management
SSH, SSL

Input

Output

to the Control Plane

from the Control Plane

Control Plane Policing

(Alleviating DoS Attack)

..

Silent Mode
(Reconnaissance
Prevention)
Processor
Switched Packets

CEF Input
Forwarding Path

Output Packet
B ff
Buffer
Locally
Switched Packets

NAT

ACL

Packet
B ff
Buffer

uRPF

Incoming
P k
Packets

CEF/FIB LOOKUP

Applies to all ingress packets punted to IOS process level

Silent mode available for output (locally sourced) control packets

Configuring CoPP
Four Required Steps:
1. Define ACLs
Classify traffic

2. Define class-maps
Setup class of traffic

3. Define policy-map
Assign QoS policy action to class of traffic (police, drop)

4 Apply
4.
A l C
CoPP
PP policy
li tto control
t l plane
l
i
interface
t f

Routerr CPU

Protec
ction

untrusted
untrusted

CoP
PP

Control Plane Policing

Attacks, junk

Provides a cross-platform methodology for protecting

the control plane
Consistent show command and MIB support

Granular: Permit, Deny and Rate-limit

MD5 Neighbor Authentication

A variety of IOS protocols support MD5 authentication including
BGP, OSPF, RIPv2, EIGRP, HSRP, NTP, etc.
MD5 helps to prevent
pre ent attackers from injecting false information into
the control plane
Adds yet another layer of defense that an attacker must overcome
Does not protect against packet flood DoS attacks
Configured Shared Key = X

Configured Shared Key = X

If MAC1 = MAC2,
Then Routing
Advertisement
Authenticated.
Else Routing
Advertisement
Discarded.

MAC1 + Routing
Advertisement
2
Routing Advertisement +
Shared Key

Routing Advertisement +
Shared Key

MD5
Hash

MD5
Hash

MAC1
1

MAC1
3

BGP Security Techniques

BGP is the common external control protocol, hence,
it is a common target for external attacks
MD5 authentication is technique available to help
reduce the risk of BGP attacks
Others include
Prefix filters
Prefix limits
AS-PATH limits
Graceful restart
BGP TTL security check (GTSM)

Generalized TTL Security Mechanism

eBGP
Session

AS2
RTR-A

RTR-C

badnet

AS1
RTR B
RTR-B

RTR-D

1
2
3

TTL Distance
(Diameter)

The GTSM feature, also known as BGP TTL Security Hack (BTSH),
provides a lightweight security mechanism to protect external eBGP
peering sessions from attacks using forged IP packets
GTSM enforces a minimum TTL-value on all BGP p
packets associated
with the eBGP session
Initial TTL values are set to 255. Per-hop decrements determine the final value upon
reaching the eBGP peer. The BGP TTL security mechanism requires configuring this
hop count value.
Spoofed IP packets may have correct IP source and destination addresses (and TCP source
and destination ports). However, unless these packets originate on a network segment that is
between the eBGP peers, the received TTL values will be less than the minimum
configured in the BGP TTL security check.
If the received TTL value is less than the configured value, the packet is silently discarded

Protocol Specific ACL Filters

Protocol-specific ACL policies can be applied directly to
a specific IOS control plane protocol
IP interface ACL policies are applied to specific router interfaces
CoPP policies are applied to the IOS receive interface

Protocol-specific ACL policies provide added control for

defining valid protocol peers
Protocol-specific ACL filters consider only the associated
protocol, which helps with policy management

Example
E ample protocol specific ACL filters
filters:
MPLS LDP
PIM
IGMP
SNMP
Telnet/SSH

IP Management Plane Security

IP Management Plane Security

The management plane is the logical group containing
all management traffic supporting provisioning,
maintenance, and monitoring functions for the network
It is, therefore, critical that management plane
resources and protocols are:
Secured to mitigate the threat of unauthorized access and
malicious network reconnaissance, which inevitably leads to
attacks within the IP data, control, and services planes
Protected to mitigate the risk of DoS attacks
Remain available during attacks such that attack sources can be
identified and attacks themselves can be mitigated

Management Plane Security Techniques

Out-of-band management
Password security
SNMP security
Remote terminal access security
Disable unused management plane services
Disable idle user sessions
System banners
y
Secure IOS file systems
Role-based CLI access
Management plane protection
AAA
AutoSecure
Network telemetry

Management Interface Types

In-band: a physical (or logical) interface that carries
both management and data plane traffic
Out-of-band: a physical interface that connects to
a physically separate, isolated network dedicated
exclusively to the operation and management of all
network elements
OOB management networks are deployed today for
two primary reasons
Availability: an OOB network provides an alternate path to
reach network elements if in-band management connectivity
is lost, or vice versa
Scalability: large-scale network management operations,
including service provisioning, monitoring, billing, alarms,
software upgrades, configuration backups, and so on, may
be better served with a separate management network

Out-of-Band Management Interfaces

Console port: the console port (CTY) is an
asynchronous serial port that uses a DCE RJ-45
receptacle
t l for
f connecting
ti a data
d t terminal
t
i l (DTE)
Auxiliary port: the auxiliary port (AUX) is also an
asynchronous serial port that uses a DTE RJ-45
receptacle for connecting a modem or other DCE
device (such as a CSU/DSU or another router
Management Ethernet port: on certain routers, a
separate Ethernet port is made available strictly
for OOB management connectivity
CEF is disabled by default to prevent traffic forwarding between
the OOB network and the in-band network
Cisco strongly recommends against enabling CEF routing
functions on this port to prevent IP reachability between the
in-band and OOB networks

Management Lines
In addition to CTY and AUX lines, IOS supports VTY
and TTY lines
Virtual terminal lines (VTY) have no associated physical
interface and are used exclusively for remote terminal
access (e.g., Telnet, SSH)
TTY lines represent standard asynchronous lines,
which are separate from the console and auxiliary
ports and the VTY lines
lines, and are used for inbound or
outbound modem and terminal connections
By default, no password is defined for either the
console or auxiliary parts
VTY lines require a password (by default) to gain access to user
EXEC mode

Password Security
password: sets a password for a line and user EXEC mode
password: sets a p
password for a local username
username p
enable password: sets a local password to restrict access
to the various EXEC mode privilege levels. By default,
password is stored in clear text.
enable secret: sets a local router password for EXEC
privilege levels and stores the password using a
nonreversible cryptographic hash function
service password-encryption: encrypts all local passwords
including line, username, enable, and authentication
key passwords
Useful if an unauthorized user obtains a copy of your configuration file
It should be noted that this command invokes the same Type 7
encryption algorithm used by the enable password CLI

SNMP Security
Community string: included within each SNMP protocol message and
functions much like a password. Two types of community strings:
Read Only (ro) community string
Read-Only
Read-Write (rw) community string
Note, that no technique is available to encrypt or hash the assigned community strings within
the router configuration file.
Service password-encryption does not apply to SNMP community strings

snmp-server packetsize: establishes control over the largest SNMP

packet size permitted when the SNMP server is receiving a request or
generating a reply. Default 1500 bytes.
SNMPv3: adds advanced security mechanisms, including MD5 or SHA
authentication of messages, DES encryption of messages, a view-based
Access Control Model (VACM), SNMP contexts, and enforcement of
message timeliness to defend against reply attacks. It is worth noting
that many versions of IOS also support AES and 3DES encryption of
SNMPv3 messages. SNMPv3 also uses a username and encrypted
password. SNMPv3 user passwords are also not visible within the
router configuration.

Remote Terminal Access Security

VTY access lists: restricts the source IP addresses that
are allowed access to the VTY lines
Secure shell: a protocol that may be used to provide
encrypted remote terminal access to a network device
Transport input: defines which incoming protocols
are allowed to connect to a specific line of the router.
To deny all forms of remote terminal access for a line,
use the transport preferred none command
command.
Secure HTTP (HTTPS): provides secure web-based
administration of a device

Disable Unused Management Services

BOOTP services

NTP

HTTP

PAD

MOP

Small TCP servers

Finger service
EXEC mode on unused lines
DHCP server and
relay functions
CDP: best practice to disable
on e
external
ternal ((untrusted)
ntr sted)
interfaces
DNS-based host
name-to-address translation
(i.e., no ip domain lookup);
alternatively configure name
servers explicitly

Small UDP servers

Disable Idle User Sessions

To mitigate the risk associated with idle user sessions:
exec-timeout:
exec
timeout: disconnects incoming user sessions after a
specific period of idle time
ip http timeout-policy idle: disconnects idle HTTP (or HTTPS)
client connections after a specific period of idle time

To verify whether a remote host associated with a

previously connected TCP session is still active
and reachable:
service tcp-keepalives-in: to generate keepalive packets on
inactive incoming network connections (initiated by the
remote host)
service tcp-keepalives-out: to generate keepalive packets on
inactive outgoing network connections (initiated by a local user)

System Banners
A banner serves as a legal notice, such as
no trespassing or a warning statement. A proper
legal notice protects you such that it enables you to
pursue legal actions against unauthorized users.
EXEC banner: specifies a message (or EXEC banner)
to be displayed when an EXEC process is created
MOTD banner (message-of-the-day): specifies a MOTD
to be displayed immediately to all user sessions and
when new users first connect to the router
Incoming banner: specifies an incoming banner to be
displayed for incoming reverse Telnet sessions
Login banner: specifies a login banner to be displayed
before username and password prompts

Secure Cisco IOS File Systems

Cisco IOS supports features to mitigate the risk of
malicious attempts to erase the contents of persistent
storage (NVRAM and flash) and features to prevent
corrupted Cisco IOS images from being loaded
secure boot-config (IOS Resilient Configuration): takes a
snapshot of the router running configuration and securely
archives it in persistent storage
secure boot-image (IOS Resilient Configuration): makes a
copy of the router image running and securely archives it in
file verify auto (IOS Image Verification): enables automatic image
verification
ip scp server enable: the IOS Secure Copy (SCP) feature
provides a secure and authenticated method for copying router
configuration and IOS image files to and from an IOS router

Role-Based CLI Access

Allows you to define CLI views, which provide
selective access and visibility to EXEC commands and
configuration information
Similar to EXEC privilege levels, CLI views restrict user
access to EXEC mode commands and limit visibility of
router configuration information
Unlike EXEC privilege levels, CLI views:
Are independent of one another
Multiple
M
lti l kkeyword
d commands
d can be
b assigned
i
d tto a CLI view
i
without
ith t the
th
view being automatically assigned the command associated with the
first keyword
May specify an interface or a group of interfaces to a CLI view, thereby
allowing command access on the basis of specified interfaces
Operates completely independently of EXEC mode privileges and lists
commands allowed within a CLI view can span multiple privilege levels

Management Plane Protection

Cisco IOS Software Release 12.4(6)T introduced the
Management Plane Protection (MPP) feature, which
allows
ll
any iin-band
b d ((physical)
h i l) iinterface
t f
tto b
be d
dedicated
di t d
for OOB management
Provides greater flexibility because you are no longer
restricted to using the fixed console, auxiliary, and
management Ethernet ports for OOB management
Not only can you dedicate in-band interfaces for OOB
management, you can also
l restrict
i which
hi h management
protocols are allowed (for example, SSH versus Telnet)
Behavior of the console, auxiliary, and management Ethernet
interfaces does not change
Other interfaces not enabled for MPP are no longer accessible
in-band for MPP management protocols

AAA
Provides a highly flexible and scaleable framework
through which you can set up centralized access
control
t l for
f IP network
t
k access and/or
d/ remote
t terminal
t
i l
access to AAA clients such as Cisco IOS routers
AAA servers facilitate the configuration of three
independent security functions in a consistent and
modular manner, including:
Authentication: the process of validating the claimed identity
of a user
Authorization: the act of granting access rights to a user or group
of users, on a command basis.
Accounting: the methods of logging user connectivity
and activity

The AAA protocol used between AAA clients and AAA

servers can be TACACS+, RADIUS, or Kerberos

AutoSecure

Do not use this CMD in lab exam

unless explicitly mentioned

AutoSecure facilitates IP router security by simplifying

the configuration process of security policies
Offers a one-touch device lockdown capability
Supported in IOS Software Releases 12.3(1), 12.2(18)S,
and later

Rather than apply each of the individual Cisco IOS

security-related commands manually, AutoSecure
uses a single command to:
Disable nonessential system services and protocols that can be
exploited for network attacks
Enable IP services and features to help protect against attacks

This feature is directed toward customers lacking a

detailed understanding of Cisco IOS services and the
associated security implications

Network Telemetry and Security

In addition to securing the network and network
elements themselves, it is also critically important to be
able
bl tto identify
id tif and
d classify
l
if security
it events
t
Some of the network telemetry tools available include:
Log neighbor changes (BGP, OSPF, EIGRP, etc.)
BGP policy accounting
Embedded Event Manager (EEM)
IP source tracker
IP traffic export
NetFlow
NTP
SNMP
Syslog
RMON

Section 10
Configure Advanced Security

Exam Objectives

Configure mitigation techniques to respond to network attacks

Configure packet marking techniques
Implement security RFCs (RFC1918/3330
(RFC1918/3330, RFC2827/3704)
Configure Black Hole and Sink Hole solutions
Configure RTBH filtering (Remote Triggered Black Hole)
Configure Traffic Filtering using Access-Lists
Configure IOS NAT
Configure TCP Intercept
Configure uRPF
Configure CAR
Configure NBAR
Configure NetFlow
Configure Anti-Spoofing solutions
Configure Policing
Capture and utilize packet captures
Configure Transit Traffic Control and Congestion Management
Configure Cisco Catalyst advanced security features

Global Services That Should Be Disabled

Some Services, Turned on by Default, Should
Be Turned off to Save Memory and Prevent
Security Breaches/Attacks
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server

Interface Services You Turn Off

All Interfaces on a Backbone Router Should Have the
Following as a Default:
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no ip source-routing

No Source Routing

Network
100.97.0.0

interface Serial 1
ip address 64.100.2.32 255.255.255.252
no ip source routing
!
Intranet

Im 100.97.5.23
and Heres the
Route Back to Me

On by Default per RFC 1812

Requirements for IP Version 4 Routers
RFC 792: Internet Protocol

SNMP
Change your community strings; do not use public,
private, secret
Use different community strings for the RO and
RW communities
Use mixed alphanumeric characters in the community
strings: SNMP community strings can be cracked, too
Turn off SNMP if it isnt needed:
Cisco IOS: no snmp-server

Block SNMP access to outsiders

ICMP Message Types

Control the Direction of a Ping
access-list 111 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
!
interface Serial 0
access-group 111 in

Summary of ICMP Message Types

0
3
4
5
8

Echo Reply
Destination Unreachable
Source Quench
Redirect
Echo

11
12
13
14
15
16

Time Exceeded
Parameter Problem
Timestamp
Timestamp Reply
Information Request
Information Reply

64 100 1 12
64.100.1.12

64
4.100.1.0/28

IP Spoofing

64.100.1.14

Attacker

Hacker claims he is one of the inside hosts

Inside host may have a trust relationship
with spoofed host

IP Spoofing: How to Avoid It

Deny incoming packets if source address
is one of yours
Deny outbound packets if source address
is not one of yours

Ingress Packet Filtering

You should not be sending
g any
y IP p
packets out to the
Internet with a source address other than the
addresses you have been allocated!

RFC 2827 (BCP 38)

Unicast Reverse Path Forwarding (uRPF)

Mitigates source address spoofing by checking that
a packets return path uses the same interface it
arrived on
Source IP packets are checked to ensure that the route
back to the source uses the same interface
Requires CEF
Not always appropriate where asymmetric paths exist
ip cef
!
interface Serial 0
ip verify unicast (reverse-path | source reachable-via rx |
source reachable-via any) <ACL_Number>

Unicast RPF Techniques

uRPF Operates in Several Different Modes
Strict uRPF: requires that the source IP address of an
incoming packet has a FIB return path via the exact
same interface as that on which the packet arrived; if
otherwise, the packet is dropped
Loose uRPF: requires that a valid FIB path entry via
any interface exist, excluding Null0, for the source IP
address of an incoming packet; if otherwise
otherwise, the packet
is dropped

uRPF Strict and Loose Modes

router(config-if)# ip verify unicast source reachable-via rx
i/f 2
i/f 1

i/f 2
i/f 3

1
S D i/f
Data

i/f 1

i/f 3

1
S D i/f
Data
FIB:
...
S i/f 1
D i/f 3
...

FIB:
...
S i/f 2
D i/f 3
...

Same i/f:
Forward

Other i/f:
Drop

Strict Mode
(a.k.a. v1)

router(config-if)# ip verify unicast source reachable-via any

i/f 2
i/f 1

i/f 2
i/f 3

1
S D i/f
Data

i/f 1

i/f 3

1
S D i/f
Data
FIB:
...
S i/f x
D i/f 3
...

Any i/f:
Forward

Loose Mode
(a.k.a. v2)

FIB:
...
...
D i/f 3
...

Src not in FIB

or route = null0:
Drop

Flexible Packet Matching (FPM)

Access Lists on Steroids

Considered the next generation of ACL

Introduced in IOS 12.4T and 12.2(18)ZY

Performs stateless deep packet inspection providing more granular

control than ACLS
Enables you to specify powerful custom pattern matching deep within the
packet header or payload to block viruses, worms, and attacks while
minimizing inadvertent filtering of legitimate network traffic
Traditional ACLs take a shotgun approachlegitimate traffic could
be blocked
Example: Stopping Slammer with ACLs meant blocking port 1434denying business
transactions involving Microsoft SQL

FPM delivers flexible

flexible, granular Layer 2
27
7 matching at any offset within
the packet
e.g: port 1434 + packet length 404B + specific pattern within payload Slammer

0111111010101010000111000100111110010001000100100010001001
Match Pattern

AND

OR

Cisco.com/go/fpm

NOT

Flexible Packet Matching (FPM)

Configuration ExampleSlammer Filter
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
class-map type stack match-all ip-udp
match field IP protocol eq 17 next UDP
class-map type access-control match-any slammer
match field UDP dest-port eq 1434

access-control typed class

defines traffic pattern: udp
dest port 1434, starting
from IP header, offset 224
byte, the 4 byte value
should be 0x04041010

match start IP version offset 224 size 4 eq 0x4041010

match start l3-start offset 224 size 4 eq 0x4041010
!
policy-map type access-control udp-policy

Allows a choice of
response actions

class slammer
drop
policy-map type access-control fpm-policy
class ip-udp
service-policy udp-policy
!
interface GigabitEthernet0/1
service-policy type access-control input fpm-policy

Limit the Impact of DoS Attacks:

Committed Access Rate
Traffic
Matching
Specification

Traffic
Measurement
Instrumentation

Action Policy

Rate limiting
Several ways
to filter

Tokens

Token bucket
implementation

Burst
Limit

Next
Policy

Conforming
Traffic
Excess
Traffic

Committed Access Rate (CAR)

Use on edge routers to classify and/or rate
limit traffic
Can be applied to all traffic or a subset of the traffic
selected by an access list
Configured on an interface
rate-limit {input|output} access-group
index bps normal-burst max-burst conformaction
ti
action
ti
exceed-action
d
ti
action
ti

Class-Based Weighted Fair Queuing

(Modular QoS CLIMQC)
Traffic is queued by user defined classes
A queue is reserved for each class
Queue uses tail drop or WRED
Unclassified traffic is flow-based

Configuring MQC
Three Required Steps:
1. Define Class-maps
Setup classes for traffic using ACL or Matching Ports

2. Define Policy-map
Assign action to class of traffic (bandwidth, police, drop, set)

3. Apply Service-Policy
Apply policy to desired interface

NBAR: Network-Based
Application Recognition
NBAR is used for classifying traffic
Classification of applications that dynamically assign
TCP/UDP port numbers
Classification of HTTP traffic by URL, HOST, or
Multipurpose Internet Mail Extension (MIME) type
Classification of application traffic using
sub-port information

Use the classification in conjunction

j
with CAR
or traffic policing

Policing with NBAR Example

Use NBAR to classify the traffic:
class-map match-any p2p
match
t h protocol
t
l f
fasttrack
tt
k
match protocol gnutella
match protocol napster
match protocol http url \.hash=*
match protocol http url /.hash=*
match protocol kazaa2

Use traffic policing to limit the traffic:

policy map p2p
policy-map
class p2p
police cir 8000 bc 1500 be 1500 conform-action drop
exceed-action drop
!
Interface FastEthernet 0/0
ip nbar protocol-discovery
service-policy input p2p

NetFlow
Provides network administrators with
packet flow information
Allows for:
Traffic flow analysis
Security monitoring
Anomaly detection

Enabling NetFlow
Receive NetFlow information only on the specific
interface(s) of interest
Typical use case for NetFlow: Accounting, Security and
Capacity Planning
Router(config-if)# ip flow ingress

Starting
g Cisco IOS v12.2(15)T
( ) a simple ip flow
ingress interface command starts collecting
NetFlow data on that interface
This New Command Was Added in Cisco IOS v12.2(15)T
Older Command ip route-cache flow Also Enables Ingress
NetFlow on the Interface but Should No Longer Be Used

Verifying NetFlow (Sample Output)

Router# show ip cache flow
IP packet size distribution (85435 total packets):
1-32
64
96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
2728 active, 1368 inactive, 85310 added
463824 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol
Total
Flows
Packets Bytes
-------Flows
/Sec
/Flow /Pkt
TCP-Telnet
20
0.0
1 1440
TCP-other
82580
11.2
1 1440
Total:
82582
11.2
1 1440
SrcIf
Et0/0
Et0/0
Et0/0

SrcIPaddress
132.122.25.60
139.57.220.28
165.172.153.65

DstIf
Se0/0
Se0/0
Se0/0

Traffic Classification
Flow Info Summary
Packets Active(Sec) Idle(Sec)
/Sec
/Flow
/Flow
0.0
0.0
9.5
Flow
11.2
0.0Details
12.0
11.2
0.0
12.0

DstIPaddress
192.168.1.1
192.168.1.1
192.168.1.1

Pr
06
06
06

SrcP
9AEE
708D
CB46

DstP
0017
0017
0017

Pkts
1
1
1

Hex

Cisco Catalyst Security and

Advance Features
Practice Cisco Catalyst Security Features and Other
Advanced Cisco Catalyst Configuration; Some
Examples Are:
Port
P Security
S
i
Root/BPDU Guard
802.1x
Router ACLs, Port ACLs, VLAN ACLs
AAA on Switch
Traffic Control
802.1Q Protocol
SPAN, RSPAN

Section 11
Identify and Mitigate Network Attacks

Exam Objectives

Identify and protect against fragmentation attacks

Identify and protect against malicious IP option usage
Identify and protect against network reconnaissance attacks
Identify and protect against IP spoofing attacks
Identify and protect against MAC spoofing attacks
Identify and protect against ARP spoofing attacks
Identify and protect against Denial of Service (DoS) attacks
Identify and protect against Distributed Denial of Service (DDoS) attacks
Identify and protect against Man-in-the-Middle (MiM) attacks
Identify and protect against port redirection attacks
Identify and protect against DHCP attacks
Identify and protect against DNS attacks
Identify and protect against Smurf attacks
Identify and protect against SYN attacks
Identify and protect against MAC Flooding attacks
Identify and protect against VLAN hopping attacks
Identify and protect against various Layer2 and Layer3 attacks

Proactive vs. Reactive

The Questions in This Section of the Exam Are Mainly
Focused on Reactive Measures
Focus on techniques used to mitigate network attacks
Same tools and techniques are used as discussed in
previous section Advanced Security
Questions will also test knowledge of protocols, e.g.
TCP, HTTP, ICMP
Questions will also test knowledge of Headers and
standard
t d d packet
k t fformat,
t e.g. TCP H
Header
d
Questions will also test knowledge of reading packet
captures and various show and debug outputs

Common Attacks
Network reconnaissance

MAC spoofing

Denial of Service (DoS)

ARP snooping

IP spoofing

Fragment attack

DHCP snooping

Smurf attack

DNS spoofing

TCP SYN attack

Knowledge of Protocols
Traffic Characterization
Packet Classification
Marking Techniques
Identifying Attack Patterns
Understanding Attack Vectors
Example: SYN, TCP/UDP options, ICMP Type/Code

Common Protocol and Port Numbers

Understanding Protocol Headers

Understanding & Interpreting ARP Header Structure
Understanding & Interpreting IP Header Structure
Understanding & Interpreting TCP Header Structure
Understanding & Interpreting UDP Header Structure
Understanding & Interpreting ICMP Header Structure
Understanding & Interpreting ICMP Type/Code
Understanding & Interpreting SYSLOG Messages
Understanding & Interpreting Sniffer Capture Outputs

Mitigation Using Various Techniques

Preventing SYN Attack using ACL
Preventing SYN Attack using NBAR
Preventing SYN Attack using Policing
Preventing SYN Attack using CBAC
Preventing SYN Attack using CAR
Preventing SYN Attack using TCP Intercept
Preventing SYN Attack using MPF

Mitigation Using Various Techniques

Preventing IP Spoofing Attack using anti-spoofing ACLs
Preventing IP Spoofing Attack using uRPF
Preventing IP Spoofing Attack using IP Source Guard

Mitigation Using Various Techniques

Preventing MAC Spoofing Attack using Port Security
Preventing ARP Spoofing Attack using DAI
Preventing STP Attack using Root/BPDU Guard
Preventing DHCP Spoofing Attack using Port Security
Preventing DHCP Spoofing Attack using DAI
Preventing Fragment Attack using ACL

Section 12
Preparation Resources and Test-Taking
Tips

Preparation Resources

Planning Resources
There is an abundance of material available to prepare
for the CCIE certification. However, you have to be very
selective of the material you choose to use
Choose materials that offer configuration examples and
take a hands-on approach
Look for materials approved or provided by Cisco and
its Learning Partners
Customize your study plan to reflect your own personal
strengths and weaknesses

A Good Study Plan Is Key to Your Success

Assessing Strengths
Evaluate your experience and knowledge in the major
topic areas listed on blueprint
Using the content blueprint, determine your experience
and knowledge level in the major topic areas
For areas of strength: practice for speed
For weaker areas: boost knowledge with training or
book study first, then practice

Trainings
Although No Formal Training Is Required for the
CCIE Security Certification, Cisco Recommends
the Following Training Courses, Which Are
Described Further on the Cisco Website at:
http://www.cisco.com/web/learning/le3/ccie/security/training.html

Books
Many Cisco Press and other vendor books are
available to assist in preparing for CCIE exams
A current list can be found on the CCIE website at
http://www.cisco.com/web/learning/le3/ccie/security/book_
list.html

No single resource is uniformly great; you will likely

need to add multiple books to your collection

Cisco Press Resources

Enhances Classroom or Web-Based
Web Based Training
Cisco Press Learning Path

Learn

Experience

Prepare

Practice

Expert-Level

www.ciscopress.com

Cisco Website CCO

Many candidates overlook one of the best resources
for useful material and technical informationthe
Cisco website
There are many sample scenarios available on the
Tech Support pages for each Cisco product and
technology. For instance, the Tech Support page for
IPsec has more than 100 samples and tips available
These articles are written to reflect current trends and
demands and include sample diagrams, configurations,
and invaluable show and debug command outputs

Forums
Forums Can Play an Essential Role for a Candidate
During Preparation; You Can Generally Find Qualified
CCIEs and Other Security Engineers Available 24x7 to
Answer Your Queries and Work Through Your Technical
Problems
Ciscos Networking Professional Connection
http://www.cisco.com/go/netpro
Networking Professionals can post questions for technical assistance, seek suggestions
or share experiences at NetPro

Cisco Learning Network (CLN)

http //
http://www.cisco.com/go/learnnetspace
cisco com/go/learnnetspace
Offers online learning network to enhance and advance your IT career. Browse technical
content and connect and share insights, opinions, and knowledge with the community.

Ciscos Certification Online Support

http://www.cisco.com/go/certsupport
Q and A on certification related topics such as exam info, books, trainings, requirements,
resources, tools and utilities and much more

Documentation CD (Your Lifeline)

You need to be able to navigate the Cisco
documentation CD with confidence
This is the only resource you are allowed during
the exam and you will need to be able to look up
anything you need with speed and confidence
Make it part of your regular practice; if you are familiar
with it, it can save you time during the exam

Practice Labs
Practice lab exercises with a high level of complexity
will assist you in making improvements in your exam
strategy and identifying areas requiring extra study.
Practice labs can be used to gauge your readiness and
help identify your strengths and weaknesses. This will
help you refocus and revise your study plan and
adjust it according to your findings
Technical skill is not the only thing you need to work
on; time management and your exam-taking strategy
is also important to succeed in the CCIE exam.
Practice labs also assist you in improving your time
management and test-taking approach

Equipment (Home Lab vs. Rental Racks)

Although acquiring a personal home lab is an ideal
scenario, it can be costly to gather all the equipment to
build a security rack. You can start with just a few
devicesthree to four routers, a switch and a ASA
firewall. The goal is to obtain a thorough understanding
of the technologies and the architecture and also know
how they integrate with each other
For the hardware devices which are more costly to
obtain, such as the ASA firewall or IDS Sensor, I
would advise looking at renting the equipment online.
There are many vendors who provide such services.
This is far less expensive than purchasing a home
security rack

Test-Taking Tips

Lab Preparation: Hands-On Practice

Essential for passing lab
Borrow or rent equipment you can practice on
Two or three routers will support most scenarios
Build and practice scenarios for each topic
Go beyond the basicspractice additional features
If a technology has multiple configurationspractice
all of them
Learn show and debug commands for each topic

Lab Exam Tips

Reduce stressarrive early
yourself timeexam can run over
Leave y
Read entire exam
Redraw topology to clarify scenario
Manage your time
Make no assumptions
Keep a list
Work questions as a unit
Test your work
Save configurations often
Minimize last-minute changes

Lab Exam Proctors

Ask the Proctor Questions
Proctors role is to keep exam fair
Talk to proctor if you dont
don t understand question
Ask the proctor clarifying questions
Report any equipment or technical problems to proctor
as soon as it occurs

For More Information

Beware of rumors
Visit the CCIE web page
http://www.cisco.com/go/ccie

Online Support
www.cisco.com/go/certsupport

E-mail
[email protected]

Cheating
[email protected]

Recommended Reading
Network Security Technologies
and Solutions (CCIE Professional
Development Series)
ISBN: 1587052466
By Yusuf Bhaiji

Available Onsite at the Cisco Company Store

Recommended Reading (Cont.)

CCIE Security Practice Labs
(CCIE Self-Study)
ISBN: 1587051346
By Yusuf Bhaiji

Available Onsite at the Cisco Company Store

Recommended Reading (Cont.)

CCIE Security Exam
Quick Reference Sheets
ISBN: 1587053349
By Lancy Lobo, Umesh
Lakshman

Available Onsite at the Cisco Company Store

Q and A

Please Visit the Cisco Booth in the

World of Solutions
See the technology in action
Programs and Services
Presentations in the solutions theater
within the Cisco booth
View the schedule of presentations in your
conference guide

Recommended Reading
Network Security Technologies
and Solutions,
ISBN: 1
1-58705-246-6
58705 246 6
CCIE Security Practice Labs,
ISBN: 1-58705-134-6
CCIE Security Exam Quick
Reference Sheets (Digital Short
Cut), ISBN: 1-58705-334-9
Cisco Access Control Security:
AAA Administration Services,
ISBN: 1-58705-124-9

Complete Your Online

Session Evaluation
Give us your feedback and you
could win fabulous prizes.
Winners announced daily.
Receive 20 Passport points for
each session evaluation you
complete.
Complete your session
evaluation online now (open a
browser through our wireless
network to access our portal) or
visit one of the Internet stations
throughout the Convention
Center.

Dont forget to activate your

Cisco Live Virtual account for access to
all session material, communities, and
on-demand and live activities throughout
the year. Activate your account at the
Cisco booth in the World of Solutions or visit
www.ciscolive.com.