NetworkSecurity CNA
1.0 Introduction
1.0.1 First Time in This Course
Welcome to the Network Security course. This course provides an introduction to the
core security concepts and skills needed for the installation, troubleshooting, and
monitoring of network devices to maintain the integrity, confidentiality, and
availability of enterprise data.
These course materials will assist you in developing the skills necessary to do the
following:
Describe the security threats facing modern network infrastructures.
Secure Cisco devices.
Secure the network infrastructure.
Implement AAA on Cisco routers using a local router database and external AAA
servers.
Mitigate threats to Cisco routers and networks using access control lists (ACLs).
Implement secure network design, management, and reporting.
Implement the Cisco IOS firewall feature set.
Mitigate common Layer 2 attacks.
Implement a site-to-site VPN.
Implement a remote access VPN.
1.0.2 Ethical Hacking Statement
The Cisco Networking Academy Program is focused on creating the global problem
solvers needed to build, scale, secure, and defend the networks that are used in our
businesses and daily lives. The need for well-trained network security specialists
continues to grow at an exponential rate. Training to become a network security
specialist requires in-depth understanding and exposure to how network attacks occur,
as well as how they are detected and prevented. These skills will naturally also include
learning about the techniques that threat actors use to circumvent computer and
network security.
Unauthorized access to data, computer, and network systems is a crime in many
jurisdictions and often is accompanied by severe consequences, regardless of the
perpetrator’s motivations. It is the learner’s responsibility, as the user of this material,
to be cognizant of and compliant with computer use laws.
1.0.3 Inclusive Language
Cisco Networking Academy’s purpose is to power an inclusive future for all. With our
purpose at the heart of everything we do, you can count on Cisco to be bold, brave and
deliberate about our role and the actions we will take in support of social justice.
We are proud to join the technology community in evolving the language we use.
Rethinking the words we use is just one of the ways to reduce barriers to equity and
respect. As a matter of policy, Cisco Networking Academy content should be free of
offensive or suggestive language, graphics, and scenarios. We are changing terms, as
noted below, to more appropriate alternatives.
Term/Phrase - Replacements
master/slave - primary/secondary OR primary/subordinate OR control/data (for clustering)
whitelist/blacklist - permit (list)/block (list) OR allow (list)/block (list)
You may still see industry terms such as “black hat” in the course curriculum. Our team
is working to modify these terms, as well.
1.0.4 Why Should I Take this Module?
Networks are under attack! In this module you will learn about the current state of the
network security landscape and also learn about the different types of networks that
require protection.
1.0.5 What Will I Learn in this Module?
Module Title: Securing Networks
Module Objective: Explain network security
Topic Title: Topic Objective
Current State of Affairs: Describe the current network security landscape.
Network Topology Overview: Describe how all types of networks need to be protected.
1.1 Current State of Affairs
1.1.1 Networks Are Targets
Networks are routinely under attack. It is common to read in the news about yet
another network that has been compromised. A quick internet search for network
attacks will return many articles about network attacks, including news about
organizations which have been compromised, the latest threats to network security,
tools to mitigate attacks, and more.
To help you comprehend the gravity of the situation, Kaspersky maintains the
interactive Cyberthreat Real-Time Map display of current network attacks. The attack
data is submitted from Kaspersky network security products that are deployed
worldwide. The figure displays a sample screenshot of this web tool, which shows
these attacks in real time. Many similar tools are available on the internet and can be
found by searching for cyberthreat maps.
people’s privacy, and compromise the integrity of information. These breaches can
result in lost revenue for corporations, theft of intellectual property, lawsuits, and can
even threaten public safety.
Maintaining a secure network ensures the safety of network users and protects
commercial interests. Keeping a network secure requires vigilance on the part of an
organization’s network security professionals. They must constantly be aware of new
and evolving threats and attacks to networks, and vulnerabilities of devices and
applications.
Many tools are available to help network administrators adapt, develop, and
implement threat mitigation techniques. For instance, the Cisco Talos Intelligence
Group website, shown in the figure, provides comprehensive security and threat
intelligence to defend customers and protect their assets.
Another group, called the Cisco Product Security Incident Response Team (PSIRT), is
responsible for investigating and mitigating potential vulnerabilities in Cisco products.
The figure displays a sample Cisco Security Advisories page which lists these
vulnerabilities in real time and provides network administrators with information to
help mitigate them.
1.1.3 Vectors of Network Attacks
An attack vector is a path by which a threat actor can gain access to a server, host, or
network. Attack vectors originate from inside or outside the corporate network, as
shown in the figure. For example, threat actors may target a network through the
internet, to disrupt network operations and create a denial of service (DoS) attack.
External and Internal Threats
Note: A DoS attack occurs when a network device or application is incapacitated and
no longer capable of supporting requests from legitimate users.
An internal user, such as an employee, can accidentally or intentionally:
Steal and copy confidential data to removable media, email, messaging software,
and other media.
Compromise internal servers or network infrastructure devices.
Disconnect a critical network connection and cause a network outage.
Connect an infected USB drive into a corporate computer system.
Internal threats have the potential to cause greater damage than external threats
because internal users have direct access to the building and its infrastructure devices.
Employees may also have knowledge of the corporate network, its resources, and its
confidential data.
Network security professionals must implement tools and apply techniques for
mitigating both external and internal threats.
1.1.4 Data Loss
Data is likely to be an organization’s most valuable asset. Organizational data can
include research and development data, sales data, financial data, human resource
and legal data, employee data, contractor data, and customer data.
Data loss, or data exfiltration, is when data is intentionally or unintentionally lost,
stolen, or leaked to the outside world. The data loss can result in:
Brand damage and loss of reputation
Loss of competitive advantage
Loss of customers
Loss of revenue
Litigation/legal action that results in fines and civil penalties
Significant cost and effort to notify affected parties and recover from the
breach
Network security professionals must protect the organization’s data. Various Data Loss
Prevention (DLP) controls must be implemented that combine strategic, operational,
and tactical measures.
Common data loss vectors are displayed in the table.
Term - Definition
Email/Social Networking - The most common vector for data loss includes instant
messaging software and social media sites. For instance, intercepted email or IM
messages could be captured and reveal confidential information.
Unencrypted Devices - A stolen corporate laptop typically contains confidential
organizational data. If the data is not stored using an encryption algorithm, then the
thief can retrieve valuable confidential data.
Cloud Storage Devices - Saving data to the cloud has many potential benefits. However,
sensitive data can be lost if access to the cloud is compromised due to weak security
settings.
Removable Media - One risk is that an employee could perform an unauthorized transfer
of data to a USB drive. Another risk is that a USB drive containing valuable corporate
data could be lost.
Hard Copy - Corporate data should be disposed of thoroughly. For example, confidential
data should be shredded when no longer required. Otherwise, a thief could retrieve
discarded reports and gain valuable information.
Improper Access Control - Passwords are the first line of defense. Stolen passwords or
weak passwords which have been compromised can provide an attacker easy access to
corporate data.
1.1.5 Video - Anatomy of an Attack
Term - Definition
VPN - The Cisco ISR is secured. It protects data in motion that is flowing from the CAN
to the outside world by establishing Virtual Private Networks (VPNs). VPNs ensure data
confidentiality and integrity from authenticated sources.
ASA Firewall - A Cisco Adaptive Security Appliance (ASA) firewall performs stateful
packet filtering to filter return traffic from the outside network into the campus
network.
IPS - A Cisco Intrusion Prevention System (IPS) device continuously monitors incoming
and outgoing network traffic for malicious activity. It logs information about the
activity, and attempts to block and report it.
Layer 3 Switches - These distribution layer switches are secured and provide secure
redundant trunk connections to the Layer 2 switches. Several different security
features can be implemented, such as ACLs, DHCP snooping, Dynamic ARP Inspection
(DAI), and IP source guard.
Layer 2 Switches - These access layer switches are secured and connect user-facing
ports to the network. Several different security features can be implemented, such as
port security, DHCP snooping, and 802.1X user authentication.
ESA/WSA - A Cisco Email Security Appliance (ESA) and Web Security Appliance (WSA)
provide advanced threat defense, application visibility and control, reporting, and
secure mobility to secure and control email and web traffic.
AAA Server - An authentication, authorization, and accounting (AAA) server
authenticates users, authorizes what they are allowed to do, and tracks what they are
doing.
Hosts - End points are secured using various features including antivirus and
antimalware software, Host Intrusion Protection System features, and 802.1X
authentication features.
1.2.2 Small Office and Home Office Networks
It is important that all types of networks, regardless of size, are protected. Attackers
are also interested in home networks and small office and home office (SOHO)
networks. They may want to use someone's internet connection for free, use the
internet connection for illegal activity, or view financial transactions, such as online
purchases.
Home and SOHO networks are typically protected using a consumer grade router.
These routers provide basic security features that adequately protect inside assets
from outside attackers.
The figure displays a sample SOHO that uses a consumer-grade wireless router to
secure it. A consumer-grade wireless router provides integrated firewall features and
secure wireless connections. The Layer 2 Switch is an access layer switch that is
hardened with various security measures. It connects user-facing ports that use port
security to the SOHO network. Wireless hosts connect to the wireless network using
Wi-Fi Protected Access 2 (WPA2) data encryption technology. Hosts typically have
antivirus and antimalware software installed. Combined, these security measures
provide comprehensive defense at different layers of the network.
The figure shows a branch site, a regional site, a SOHO site, and a mobile worker. A
branch site connects to the corporate main site using a hardened ISR. The ISR can
establish a permanent always-on VPN connection to the main site ASA firewall. A
regional site is larger than a branch site and connects to the corporate main site using
an ASA. The ASA can establish a permanent always-on VPN connection to the main site
ASA. A SOHO site is a small branch site that connects to the corporate main site using a
Cisco wireless router. The wireless router can establish a permanent always-on VPN
connection to the main site ASA. Alternatively, the internal SOHO users could use the
Cisco AnyConnect VPN client to establish a secure VPN connection to the main site
ASA. A mobile worker is a teleworker who may use the Cisco AnyConnect VPN client to
establish a secure VPN connection to the main site ASA from any location.
1.2.4 Data Center Networks
Data center networks are typically housed in an off-site facility to store sensitive or
proprietary data. These sites are connected to corporate sites using VPN technology
with ASA devices and integrated data center switches, such as high-speed Cisco Nexus
switches.
Today’s data centers store vast quantities of sensitive, business-critical information.
Therefore, physical security is critical to their operation. Physical security not only
protects access to the facility but also protects people and equipment. For example,
fire alarms, sprinklers, seismically-braced server racks, redundant heating, ventilation,
and air conditioning (HVAC), and UPS systems are in place to protect people,
equipment, and data.
As highlighted in the figure, data center physical security can be divided into two areas:
Outside perimeter security - This can include on-premise security officers, fences,
gates, continuous video surveillance, and security breach alarms.
Inside perimeter security - This can include continuous video surveillance,
electronic motion detectors, security traps, and biometric access and exit sensors.
Data Center Physical Security
Security traps provide access to the data halls where data center data is stored. As
shown in the figure below, a security trap is similar to an air lock. A person must first
enter the security trap using their badge ID proximity card. After the person is inside
the security trap, facial recognition, fingerprints, or other biometric verifications are
used to open the second door. The user must repeat the process to exit the data hall.
Security Traps
The figure shows a data center with the roof removed to display the layout of the
building. The security trap is highlighted.
Biometric Access
Jailbreaking (on Apple iOS devices) and rooting (on Android devices) are a means to
bypass the management of a device. MDM features can detect such bypasses and
immediately restrict a device’s access to the network or other corporate assets.
1.2.7 Check Your Understanding - Network Topology Protection Overview
Check your understanding of Network Topologies by choosing the best answer to the
following questions.
Question 1
Which network type includes a consumer grade router with basic security features to
protect inside assets from outside attackers?
SOHO
CAN
WAN
Cloud
Question 2
Which network type uses high-speed Nexus switches to connect an off-site facility to
the corporate site?
SOHO
CAN
Data Center
Cloud
1.3 Securing Networks Summary
1.3.1 What Did I Learn in this Module?
Current State of Affairs
Network security relates directly to an organization's business continuity. Network
security breaches can disrupt e-commerce, cause the loss of business data, threaten
people’s privacy, and compromise the integrity of information. These breaches can
result in lost revenue for corporations, theft of intellectual property, lawsuits, and can
even threaten public safety. Many tools are available to help network administrators
adapt, develop, and implement threat mitigation techniques, including the Cisco Talos
Intelligence Group. An attack vector is a path by which a threat actor can gain access to
a server, host, or network. Attack vectors originate from inside or outside the
corporate network. Data is likely to be an organization’s most valuable asset. Various
DLP controls must be implemented, that combine strategic, operational, and tactical
measures. Common data loss vectors include email and social networking,
unencrypted data devices, cloud storage devices, removable media, hard copy, and
improper access control.
Network Topology Overview
There are many types of networks. CANs consist of interconnected LANs within a
limited geographical area. Elements of the defense-in-depth design include VPN, ASA
firewall, IPS, Layer 3 switches, Layer 2 switches, ESA/WSA, AAA server, and hosts. SOHO
networks are typically protected using consumer grade routers that provide integrated
firewall features and secure wireless connections. Wireless hosts connect to the
wireless network using WPA2 data encryption technology. WANs span a wide
geographical area. Network security professionals must use secure devices on the edge
of the network. Data center networks are typically housed in an off-site facility to store
sensitive or proprietary data. Data center physical security is divided into two areas:
outside perimeter security and inside perimeter security. Security traps require a
person to use their badge ID to enter the first area. After the person is inside the
security trap, facial recognition, fingerprints, or other biometric verifications are used
to open the second door. Cloud computing allows organizations to use services such as
data storage or cloud-based applications, to extend their capacity or capabilities
without adding infrastructure. The actual cloud network consists of physical and virtual
servers which are commonly housed in data centers. However, data centers are
increasingly using VMs to provide server services to their clients. VMs are also prone to
specific targeted attacks including hyperjacking, instant on activation, and antivirus
storms. The Cisco Secure Data Center solution blocks internal and external threats at
the data center edge. The core components of the Cisco Secure Data Center solution
provide secure segmentation, threat defense, and visibility. More and more people are
using these devices to access enterprise information. This trend is known as BYOD. To
accommodate the BYOD trend, Cisco developed the Borderless Network. In a
Borderless Network, access to resources can be initiated by users from many locations,
on many types of endpoint devices, using various connectivity methods. To support
this blurred network edge, Cisco devices support MDM features.
1.3.2 Module 1 - Securing Networks Quiz
Question 1
Which security measure is typically found both inside and outside a data center
facility?
A gate
Exit sensors
Security traps
Biometrics access
Continuous video surveillance
Question 2
Which statement accurately characterizes the evolution of threats to network
security?
Internal threats can cause even greater damage than external threats.
Internet architects planned for network security from the beginning.
Early Internet users often engaged in activities that would harm other users.
Threats have become less sophisticated while the technical knowledge needed by an
attacker has grown.
Question 3
Which security technology is commonly used by a teleworker when accessing
resources on the main corporate office network?
IPS
VPN
SecureX
Biometric Access
Question 4
A security intern is reviewing the corporate network topology diagrams before
participating in a security review. Which network topology would commonly have a
large number of wired desktop computers?
CAN
SOHO
Data center
Cloud
Question 5
In the video that describes the anatomy of an attack, a threat actor was able to gain
access through a network device, download data, and destroy it. Which flaw allowed
the threat actor to do this?
Open ports on the firewall
Lack of a strong password policy
A flat network with no subnets or VLANs
Improper physical security to gain access to the building
Question 6
Which type of network commonly makes use of redundant air conditioning and a
security trap?
CAN
WAN
Cloud
Data center
Question 7
Which technology is used to secure, monitor, and manage mobile devices?
MDM
VPN
Rootkit
ASA firewall
Question 8
When considering network security, what is the most valuable asset of an
organization?
Customers
Data
Financial resources
Personnel
Question 9
What is hyperjacking?
Taking over a virtual machine hypervisor as part of a data center attack
Overclocking the mesh network which connects the data center servers
Adding outdated security software to a virtual machine to gain access to a data center
server
Using processors from multiple computers to increase data processing power
Question 10
Which resource is affected due to weak security settings for a device owned by the
company, but housed in another location?
Cloud storage device
Hard copy
Removable media
Social networking
Question 11
Refer to the exhibit. An IT security manager is planning security updates on this
particular network. Which type of network is displayed in the exhibit and is being
considered for updates?
CAN
WAN
SOHO
Data center
Module 2: Network Threats
2.0 Introduction
2.0.1 Why Should I Take this Module?
Who is attacking our network and why? In this module you will learn about the various
threat actors. You will also learn about the techniques and tools used by these
“hackers”. Keep reading to learn more!
2.0.2 What Will I Learn in this Module?
Module Title: Network Threats
Module Objective: Explain the various types of threats and attacks.
Topic Title: Topic Objective
Who is Attacking Our Network?: Explain how network threats have evolved.
Threat Actor Tools: Describe the various types of attack tools used by Threat Actors.
Malware: Describe types of malware.
Common Network Attacks - Reconnaissance, Access, and Social Engineering: Explain
reconnaissance, access, and social engineering network attacks.
Network Attacks - Denial of Service, Buffer Overflows, and Evasion: Explain Denial of
Service, buffer overflow, and evasion attacks.
We are under attack and attackers want access to our assets. Assets are anything of
value to an organization, such as data and other intellectual property, servers,
computers, smart phones, tablets, and more.
Vulnerability - A weakness in a system or its design that could be exploited by a threat.
Attack surface - An attack surface is the total sum of the vulnerabilities in a given
system that are accessible to an attacker. The attack surface describes different points
where an attacker could get into a system, and where they could get data out of the
system. For example, your operating system and web browser could both need security
patches. They are each vulnerable to attacks and are exposed on the network or the
internet. Together, they create an attack surface that the threat actor can exploit.
Exploit - The mechanism that is used to leverage a vulnerability to compromise an
asset. Exploits may be remote or local. A remote exploit is one that works over the
network without any prior access to the target system. The attacker does not need an
account in the end system to exploit the vulnerability. In a local exploit, the threat
actor has some type of user or administrative access to the end system. A local exploit
does not necessarily mean that the attacker has physical access to the end system.
Risk - The likelihood that a particular threat will exploit a particular vulnerability of
an asset and result in an undesirable consequence.
Risk management is the process that balances the operational costs of providing
protective measures with the gains achieved by protecting the asset. There are four
common ways to manage risk, as shown in the table:
Risk Management Strategy - Explanation
Risk acceptance - This is when the cost of risk management options outweighs the cost
of the risk itself. The risk is accepted, and no action is taken.
Risk avoidance - This means avoiding any exposure to the risk by eliminating the
activity or device that presents the risk. By eliminating an activity to avoid risk, any
benefits that are possible from the activity are also lost.
Risk reduction - This reduces exposure to risk or reduces the impact of risk by taking
action to decrease the risk. It is the most commonly used risk mitigation strategy. This
strategy requires careful evaluation of the costs of loss, the mitigation strategy, and
the benefits gained from the operation or activity that is at risk.
Risk transfer - Some or all of the risk is transferred to a willing third party such as an
insurance company.
Other commonly used network security terms include:
Countermeasure - The actions that are taken to protect assets by mitigating a
threat or reducing risk.
Impact - The potential damage to the organization that is caused by the threat.
Note: A local exploit requires inside network access such as a user with an account on
the network. A remote exploit does not require an account on the network to exploit
that network’s vulnerability.
2.1.2 Hacker vs. Threat Actor
As we know, “hacker” is a common term used to describe a threat actor. However, the
term “hacker” has a variety of meanings, as follows:
A clever programmer capable of developing new programs and coding changes to
existing programs to make them more efficient.
A network professional that uses sophisticated programming skills to ensure that
networks are not vulnerable to attack.
A person who tries to gain unauthorized access to devices on the internet.
An individual who runs programs to prevent or slow network access to a large
number of users, or to corrupt or wipe out data on servers.
As shown in the figure, the terms white hat hacker, black hat hacker, and grey hat
hacker are often used to describe hackers.
1. White hat hackers are ethical hackers who use their programming skills for good,
ethical, and legal purposes. They may perform network penetration tests in an
attempt to compromise networks and systems by using their knowledge of
computer security systems to discover network vulnerabilities. Security
vulnerabilities are reported to developers and security personnel who attempt to
fix the vulnerability before it can be exploited. Some organizations award prizes or
bounties to white hat hackers when they provide information that helps to identify
vulnerabilities.
2. Grey hat hackers are individuals who commit crimes and do arguably unethical
things, but not for personal gain or to cause damage. An example would be
someone who compromises a network without permission and then discloses the
vulnerability publicly. Grey hat hackers may disclose a vulnerability to the affected
organization after having compromised their network. This allows the organization
to fix the problem.
3. Black hat hackers are unethical criminals who violate computer and network
security for personal gain, or for malicious reasons, such as attacking networks.
Black hat hackers exploit vulnerabilities to compromise computer and network
systems.
Good or bad, hacking is an important aspect of network security. In this course, the
term threat actor is used when referring to those individuals or groups that could be
classified as grey or black hat hackers.
2.1.3 Evolution of Threat Actors
Hacking started in the 1960s with phone freaking, or phreaking, which refers to using
various audio frequencies to manipulate phone systems. At that time, telephone
switches used various tones, or tone dialing, to indicate different functions. Early
threat actors realized that by mimicking a tone using a whistle, they could exploit the
phone switches to make free long-distance calls.
In the mid-1980s, computer dial-up modems were used to connect computers to
networks. Threat actors wrote “war dialing” programs which dialed each telephone
number in a given area in search of computers, bulletin board systems, and fax
machines. When a phone number was found, password-cracking programs were used
to gain access. Since then, general threat actor profiles and motives have changed
quite a bit.
There are many different types of threat actors.
Script kiddies
The term script kiddies emerged in the 1990s and refers to teenagers or inexperienced
threat actors who run existing scripts, tools, and exploits to cause harm, but typically
not for profit.
Vulnerability brokers
Vulnerability brokers are typically grey hat hackers who attempt to discover exploits
and report them to vendors, sometimes for prizes or rewards.
Hacktivists
Hacktivists is a term that refers to grey hat hackers who rally and protest against
different political and social ideas. Hacktivists publicly protest against organizations or
governments by posting articles, videos, leaking sensitive information, and performing
distributed denial of service (DDoS) attacks.
Cybercriminals
Cybercriminal is a term for black hat hackers who are either self-employed or working
for large cybercrime organizations. Each year, cyber criminals are responsible for
stealing billions of dollars from consumers and businesses.
State-sponsored
State-Sponsored hackers are threat actors who steal government secrets, gather
intelligence, and sabotage networks of foreign governments, terrorist groups, and
corporations. Most countries in the world participate to some degree in state-
sponsored hacking. Depending on a person’s perspective, these are either white hat or
black hat hackers.
2.1.4 Cybercriminals
Cybercriminals are threat actors who are motivated to make money using any means
necessary. While sometimes cybercriminals work independently, they are more often
financed and sponsored by criminal organizations. It is estimated that globally,
cybercriminals steal billions of dollars from consumers and businesses every year.
Cybercriminals operate in an underground economy where they buy, sell, and trade
exploits and tools. They also buy and sell the personal information and intellectual
property that they steal from victims. Cybercriminals target small businesses and
consumers, as well as large enterprises and industries.
2.1.6 Cyber Threat Indicators
Many network attacks can be prevented by sharing information about indicators of
compromise (IOC). Each attack has unique identifiable attributes. Indicators of
compromise are the evidence that an attack has occurred. IOCs can be features that
identify malware files, IP addresses of servers that are used in attacks, filenames, and
characteristic changes made to end system software, among others. IOCs help
cybersecurity personnel identify what has happened in an attack and develop defenses
against the attack. A summary of the IOC for a piece of malware is shown in the figure.
Figure: IOC summary for the malware file "studiox-link-standalone-v20.03.8-stable.exe",
listing its sha256, sha1, and md5 file hashes, the domains it requests via DNS, and the
IP addresses it connects to.
For instance, a user receives an email claiming they have won a big prize. Clicking on
the link in the email results in an attack. The IOC could include the fact the user did not
enter that contest, the IP address of the sender, the email subject line, the URL to click,
or an attachment to download, among others.
Indicators of attack (IOA) focus more on the motivation behind an attack and the
potential means by which threat actors have, or will, compromise vulnerabilities to
gain access to assets. IOAs are concerned with the strategies that are used by
attackers. For this reason, rather than informing response to a single threat, IOAs can
help generate a proactive security approach. This is because strategies can be reused
in multiple contexts and multiple attacks. Defending against a strategy can therefore
prevent future attacks that utilize the same, or similar strategy.
2.1.7 Threat Sharing and Building Cybersecurity Awareness
Governments are now actively promoting cybersecurity. For instance, the US
Cybersecurity Infrastructure and Security Agency (CISA) is leading efforts to automate
the sharing of cybersecurity information with public and private organizations at no
cost. CISA uses a system called Automated Indicator Sharing (AIS). AIS enables the
sharing of attack indicators between the US government and the private sector as soon
as threats are verified. CISA offers many resources that help to limit the size of the
United States attack surface.
CISA and the National Cyber Security Alliance (NCSA) promote cybersecurity to all
users. For example, they run an annual campaign every October called “National
Cybersecurity Awareness Month” (NCASM). This campaign was developed to promote
and raise awareness about cybersecurity.
The theme for the NCASM for 2019 was “Own IT. Secure IT. Protect IT.” This campaign
encouraged all citizens to be safer and more personally accountable for using security
best practices online. The campaign provides material on a wide variety of security
topics including:
Social media safety
Updating privacy settings
Awareness of device app security
Keeping software up-to-date
Safe online shopping
Wi-Fi safety
Protecting customer data
The European Union Agency for Cybersecurity (ENISA) delivers advice and solutions for
the cybersecurity challenges of the EU member states. ENISA fills a role in Europe that
is similar to the role of CISA in the US.
2.1.8 Check Your Understanding - What Color is my Hat?
Click the appropriate response for each characteristic to indicate the type of hacker it
describes.
2.2 Threat Actor Tools
2.2.1 Introduction of Attack Tools
To exploit a vulnerability, a threat actor must have a technique or tool. Over the years,
attack tools have become more sophisticated, and highly automated. These new tools
require less technical knowledge to implement.
In the figure, drag the white circle across the timeline to view the relationship between
the sophistication of attack tools versus the technical knowledge required to use them.
Sophistication of Attack Tools vs. Technical Knowledge
2.2.2 Evolution of Security Tools
Ethical hacking involves using many different types of tools to test the network and
end devices. To validate the security of a network and its systems, many network
penetration testing tools have been developed. However, many of these tools can also
be used by threat actors for exploitation.
Threat actors have also created various hacking tools. These tools are explicitly written
for nefarious reasons. Cybersecurity personnel must also know how to use these tools
when performing network penetration tests.
Explore the categories of common network penetration testing tools. Notice how some
tools are used by white hats and black hats. Keep in mind that the list is not exhaustive
as new tools are continually being developed.
Note: Many of these tools are UNIX or Linux based; therefore, a security professional
should have a strong UNIX and Linux background.
Categories of Tools - Description
password crackers - Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
wireless hacking tools - Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
network scanning and hacking tools - Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
packet crafting tools - Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
packet sniffers - Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
rootkit detectors - A rootkit detector is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
fuzzers to search vulnerabilities - Fuzzers are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
forensic tools - White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.
debuggers - Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
hacking operating systems - Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
encryption tools - These tools safeguard the contents of an organization’s data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
vulnerability exploitation tools - These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
vulnerability scanners - These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
2.2.3 Categories of Attacks
Threat actors can use the previously mentioned tools or a combination of tools to
create various attacks. The table displays common types of attacks. However, the list of
attacks is not exhaustive as new ways to attack networks are continually being
discovered.
It is important to understand that threat actors use a variety of security tools to carry
out these attacks.
Category of Attack - Description
eavesdropping attack - An eavesdropping attack is when a threat actor captures and listens to network traffic. This attack is also referred to as sniffing or snooping.
data modification attack - Data modification attacks occur when a threat actor has captured enterprise traffic and has altered the data in the packets without the knowledge of the sender or receiver.
IP address spoofing attack - An IP address spoofing attack is when a threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
password-based attacks - Password-based attacks occur when a threat actor obtains the credentials for a valid user account. Threat actors then use that account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.
denial-of-service (DoS) attack - A DoS attack prevents normal use of a computer or network by valid users. After gaining access to a network, a DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
man-in-the-middle attack (MiTM) - A MiTM attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
compromised key attack - A compromised-key attack occurs when a threat actor obtains a secret key. This is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
sniffer attack - A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the threat actor does not have access to the key.
2.2.4 Check Your Understanding - Classify Cyber Attacks
Check your understanding of types of cyber attacks by answering the following
questions.
Question 1
Hackers have gained access to account information and can now log in to a system
with the same rights as authorized users. What type of attack is this?
Compromised key
Password-based
DoS
Social engineering
Question 2
In what type of attack can threat actors change the data in packets without the
knowledge of the sender or receiver?
Eavesdropping
Denial of service
Data modification
IP address spoofing
Question 3
Threat actors have positioned themselves between a source and destination to
monitor, capture, and control communications without the knowledge of network
users. What type of attack is this?
MiTM
Eavesdropping
DoS
IP address spoofing
Question 4
A threat actor has gained access to encryption keys that will permit them to read
confidential information. What type of attack is this?
Eavesdropping
Man-in-the-middle
Password-based
Compromised key
Question 5
In what type of attack does a threat actor attach to the network and read
communications from network users?
Data modification
Eavesdropping
Denial of service
Password-based
Question 6
A threat actor constructs IP packets that appear to come from a valid source within
the corporate network. What type of attack is this?
Eavesdropping
Password-based
MiTM
IP address spoofing
Question 7
What type of attack prevents the normal use of a computer or network by valid
users?
DoS
Password-based
MiTM
IP address spoofing
2.3 Malware
2.3.1 Types of Malware
End devices are especially prone to malware attacks. Therefore, the focus of this topic
is on threats to end devices. Malware is short for malicious software or malicious code.
It is code or software that is specifically designed to damage, disrupt, steal, or
generally inflict some other “bad” or illegitimate action on data, hosts, or networks. It
is important to know about malware because threat actors and online criminals
frequently try to trick users into installing malware to help exploit security gaps. In
addition, malware morphs so rapidly that malware-related security incidents are
extremely common because antimalware software cannot be updated quickly enough
to stop the new threats.
Play the animation to view examples of the three most common types of malware;
virus, worm, and Trojan horse.
2.3.2 Viruses
A virus is a type of malware that spreads by inserting a copy of itself into another
program. After the program is run, viruses then spread from one computer to another,
infecting the computers. Most viruses require human help to spread. For example,
when someone connects an infected USB drive to their PC, the virus will enter the PC.
The virus may then infect a new USB drive, and spread to new PCs. Viruses can lay
dormant for an extended period and then activate at a specific time and date.
A simple virus may install itself at the first line of code in an executable file. When
activated, the virus might check the disk for other executables so that it can infect all
the files it has not yet infected. Viruses can be harmless, such as those that display a
picture on the screen, or they can be destructive, such as those that modify or delete
files on the hard drive. Viruses can also be programmed to mutate to avoid detection.
Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and
email. Email viruses are a common type of virus.
2.3.3 Trojan Horses
The term Trojan horse originated from Greek mythology. Greek warriors offered the
people of Troy (the Trojans) a giant hollow horse as a gift. The Trojans brought the
giant horse into their walled city, unaware that it contained many Greek warriors. At
night, after most Trojans were asleep, the warriors burst out of the horse, opened the
city gates, and allowed a sizeable force to enter and take over the city.
Trojan horse malware is software that appears to be legitimate, but it contains
malicious code which exploits the privileges of the user that runs it, as shown in the
figure.
2.3.4 Trojan Horse Classification
Trojan horses are usually classified according to the damage that they cause, or the
manner in which they breach a system, as shown in the table.
Type of Trojan Horse - Description
Remote-access - Enables unauthorized remote access.
Data-sending - Provides the threat actor with sensitive data, such as passwords.
Destructive - Corrupts or deletes files.
Proxy - Uses the victim's computer as the source device to launch attacks and perform other illegal activities.
FTP - Enables unauthorized file transfer services on end devices.
Security software disabler - Stops antivirus programs or firewalls from functioning.
Denial of Service (DoS) - Slows or halts network activity.
Keylogger - Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.
2.3.5 Worms
Computer worms are similar to viruses because they replicate and can cause the same
type of damage. Specifically, worms replicate themselves by independently exploiting
vulnerabilities in networks. Worms can slow down networks as they spread from
system to system.
Whereas a virus requires a host program to run, worms can run by themselves. Other
than the initial infection, they no longer require user participation. After a host is
infected, the worm is able to spread very quickly over the network.
Worms are responsible for some of the most devastating attacks on the internet. In
2001, the Code Red worm had initially infected 658 servers. Within 19 hours, the worm
had infected over 300,000 servers.
Initial Code Red Worm Infection
The initial infection of the SQL Slammer worm is known as the worm that ate the
internet. SQL Slammer was a denial of service (DoS) attack that exploited a buffer
overflow bug in Microsoft’s SQL Server. At its peak, the number of infected servers
doubled in size every 8.5 seconds. This is why it was able to infect 250,000+ hosts
within 30 minutes. When it was released on the weekend of January 25, 2003, it
disrupted the internet, financial institutions, ATM cash machines, and more. Ironically,
a patch for this vulnerability had been released 6 months earlier. The infected servers
did not have the updated patch applied. This was a wake-up call for many
organizations to implement a security policy requiring that updates and patches be
applied in a timely fashion.
Initial SQL Slammer Infection
Worms share similar characteristics. They all exploit an enabling vulnerability, have a
way to propagate themselves, and they all contain a payload.
2.3.6 Worm Components
Despite the mitigation techniques that have emerged over the years, worms have
continued to evolve and pose a persistent threat. Worms have become more
sophisticated over time, but they still tend to be based on exploiting weaknesses in
software applications.
Common Worm Pattern
Most worm attacks consist of three components, as listed in the animation above.
Enabling vulnerability - A worm installs itself using an exploit mechanism, such as
an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
Propagation mechanism - After gaining access to a device, the worm replicates
itself and locates new targets.
Payload - Any malicious code that results in some action is a payload. Most often
this is used to create a backdoor that allows a threat actor access to the infected
host or to create a DoS attack.
Worms are self-contained programs that attack a system to exploit a known
vulnerability. Upon successful exploitation, the worm copies itself from the attacking
host to the newly exploited system and the cycle begins again. Their propagation
mechanisms are commonly deployed in a way that is difficult to detect.
The propagation technique used by the Code Red worm is shown in the figure.
Code Red Worm Propagation
Note: Worms never really stop spreading on the internet. After they are released,
worms continue to propagate until all possible sources of infection are properly
patched.
2.3.7 Ransomware
Threat actors have used viruses, worms, and Trojan horses to carry their payloads and
for other malicious reasons. However, malware continues to evolve.
Currently, the most dominating malware is ransomware. Ransomware is malware that
denies access to the infected computer system or its data. The cybercriminals then
demand payment to release the computer system.
Ransomware has evolved to become the most profitable malware type in history. In
the first half of 2016, ransomware campaigns targeting both individual and enterprise
users became more widespread and potent.
There are dozens of ransomware variants. Ransomware frequently uses an encryption
algorithm to encrypt system files and data. The majority of known ransomware
encryption algorithms cannot be easily decrypted, leaving victims with little option but
to pay the asking price. Payments are typically paid in Bitcoin because users of bitcoin
can remain anonymous. Bitcoin is an open-source, digital currency that nobody owns
or controls.
Email and malicious advertising, also known as malvertising, are vectors for
ransomware campaigns. Social engineering is also used, as when cybercriminals who
identify themselves as security technicians call homes and persuade users to connect
to a website that downloads the ransomware to the user’s computer.
2.3.8 Other Malware
These are some examples of the varieties of modern malware:
Type of Malware - Description
Spyware - Used to gather information about a user and send the information to another entity without the user’s consent. Spyware can be a system monitor, Trojan horse, adware, tracking cookies, and keyloggers.
Adware - Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Scareware - Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
Phishing - Attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.
Rootkits - Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.
This list will continue to grow as the internet evolves. New malware will always be
developed. A major goal of cybersecurity operations is to learn about new malware
and how to promptly mitigate it.
2.3.9 Common Malware Behaviors
Cybercriminals continually modify malware code to change how it spreads and infects
computers. However, most produce similar symptoms that can be detected through
network and device log monitoring.
Computers infected with malware often exhibit one or more of the following
symptoms:
Appearance of strange files, programs, or desktop icons
Antivirus and firewall programs are turning off or reconfiguring settings
Computer screen is freezing or system is crashing
Emails are spontaneously being sent without your knowledge to your contact list
Files have been modified or deleted
Increased CPU and/or memory usage
Problems connecting to networks
Slow computer or web browser speeds
Unknown processes or services running
Unknown TCP or UDP ports open
Connections are made to hosts on the Internet without user action
Strange computer behavior
Note: Malware behavior is not limited to the above list.
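Several of the symptoms above (unknown ports open, unknown processes, security software turned off) can be checked mechanically by comparing a host's current listeners against a recorded baseline. The following is an added example, not from the course: it parses constructed listener snapshots in a shape modelled on Linux `ss -lntup` output and reports new listeners, known ports taken over by a different process, and required services that have stopped. The snapshot lines, process names and the `edr-agent` service name are assumptions made for this example.

```python
"""Compare a constructed `ss -lntup`-style listener snapshot against a host baseline."""
import re

# Assumed line shape (modelled on `ss -H -lntup` output; constructed for this example):
#   tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTENER_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?')


def parse_listeners(lines):
    """Return a set of (proto, port, process) tuples; process is '?' when none is shown."""
    found = set()
    for line in lines:
        m = LISTENER_RE.match(line.strip())
        if m:  # header lines and anything else that is not a listener row are skipped
            found.add((m.group("proto"), int(m.group("port")), m.group("proc") or "?"))
    return found


def compare_to_baseline(baseline, current, required_services=()):
    """baseline/current: sets of (proto, port, process) from parse_listeners.

    Findings map to the symptom list: unknown_listener (new port), port_hijacked
    (known port now bound by another process) and service_missing (a required
    agent such as endpoint protection is no longer listening).
    """
    findings = []
    base_by_port = {(p, port): proc for p, port, proc in baseline}
    cur_by_port = {(p, port): proc for p, port, proc in current}
    for (proto, port), proc in sorted(cur_by_port.items()):
        if (proto, port) not in base_by_port:
            findings.append({"type": "unknown_listener", "proto": proto,
                             "port": port, "detail": proc})
        elif base_by_port[(proto, port)] != proc:
            findings.append({"type": "port_hijacked", "proto": proto, "port": port,
                             "detail": f"{base_by_port[(proto, port)]} -> {proc}"})
    running = {proc for _, _, proc in current}
    for svc in required_services:
        if svc not in running:
            findings.append({"type": "service_missing", "proto": "-",
                             "port": 0, "detail": svc})
    return findings


# Constructed snapshots: the baseline was taken at build time, the current one
# from a host showing three of the listed symptoms.
BASELINE_SNAPSHOT = [
    'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=600,fd=6))',
    'tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))',
    'tcp LISTEN 0 64 0.0.0.0:8443 0.0.0.0:* users:(("edr-agent",pid=455,fd=9))',
]
CURRENT_SNAPSHOT = [
    'Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process',
    'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=600,fd=6))',
    'tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("nc",pid=9921,fd=3))',
    'tcp LISTEN 0 128 0.0.0.0:4444 0.0.0.0:* users:(("[kworker]",pid=9930,fd=4))',
]


def audit_sample():
    return compare_to_baseline(parse_listeners(BASELINE_SNAPSHOT),
                               parse_listeners(CURRENT_SNAPSHOT),
                               required_services=("edr-agent",))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['type']:17} {f['proto']}/{f['port']:<5} {f['detail']}")
```

The baseline must be captured from a known-good state (a freshly built image, before the host is exposed), otherwise a compromised listener is simply baked into the allowlist. A process name that imitates a kernel thread, as in the constructed `[kworker]` row, is why the comparison keys on port and process together rather than on the port alone.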
2.3.10 Check Your Understanding - Malware
Check your understanding of malware by answering the following questions.
Question 1
What type of malware executes arbitrary code and installs copies of itself in the
memory of the infected computer? The main purpose of this malware is to
automatically replicate from system to system across the network.
Trojan horse
Adware
Ransomware
Worm
Question 2
What type of malware typically displays annoying pop-ups to generate revenue for
its author?
Adware
Ransomware
Scareware
Phishing
Question 3
What type of malware encrypts all data on a drive and demands payment in Bitcoin
cryptocurrency to unencrypt the files?
Phishing
Scareware
Ransomware
Virus
Question 4
What type of malware attempts to convince people to divulge their personally
identifiable information (PII)?
Phishing
Rootkit
Ransomware
Trojan horse
2.4 Common Network Attacks - Reconnaissance, Access, and Social Engineering
2.4.1 Types of Network Attacks
Malware is a means to get a payload delivered. When it is delivered and installed, the
payload can be used to cause a variety of network-related attacks from the inside.
Threat actors can also attack the network from outside.
Why do threat actors attack networks? There are many motives including money,
greed, revenge, or political, religious, or sociological beliefs. Network security
professionals must understand the types of attacks used to counter these threats to
ensure the security of the LAN.
To mitigate attacks, it is useful to first categorize the various types of attacks. By
categorizing network attacks, it is possible to address types of attacks rather than
individual attacks.
Although there is no standardized way of categorizing network attacks, the method
used in this course classifies attacks in three major categories.
Reconnaissance Attacks
Access Attacks
DoS Attacks
2.4.2 Reconnaissance Attacks
Reconnaissance is information gathering. It is analogous to a thief surveying a
neighborhood by going door-to-door pretending to sell something. What the thief is
actually doing is looking for vulnerable homes to break into, such as unoccupied
residences, residences with easy-to-open doors or windows, and those residences
without security systems or security cameras.
Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and
mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks
or DoS attacks.
Some of the techniques used by malicious threat actors to conduct reconnaissance
attacks are described in the table.
Technique - Description
Perform an information query of a target - The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the organization’s website, whois, and more.
Initiate a ping sweep of the target network - The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses - This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners - This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Run exploitation tools - The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
Click each button to view the progress of a reconnaissance attack from information
query, to ping sweep, to port scan.
Internet Information Queries
Click Play in the figure to view an animation of a threat actor using the whois
command to find information about a target.
Performing Ping Sweeps
Click Play in the figure to view an animation of a threat actor doing a ping sweep of the
target’s network address to discover live and active IP addresses.
2.4.3 Video - Reconnaissance Attacks
Man-in-the-Middle Attack Example
In a man-in-the-middle attack, the threat actor is positioned in between two legitimate
entities in order to read or modify the data that passes between the two parties. The
figure displays an example of a man-in-the-middle attack.
2.4.5 Video - Access and Social Engineering Attacks
Social Engineering Attack - Description
Pretexting - A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing - A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
Spear phishing - A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam - Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.
Something for Something - Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.
Baiting - A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation - In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.
Tailgating - This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Shoulder surfing - This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.
Dumpster diving - This is where a threat actor rummages through trash bins to discover confidential documents.
The Social Engineer Toolkit (SET) was designed to help white hat hackers and other
network security professionals create social engineering attacks to test their own
networks. It is a set of menu-based tools that help launch social engineering attacks.
The SET is for educational purposes only. It is freely available on the internet.
Enterprises must educate their users about the risks of social engineering, and develop
strategies to validate identities over the phone, via email, or in person.
The figure shows recommended practices that should be followed by all users.
2.4.7 Strengthening the Weakest Link
Cybersecurity is only as strong as its weakest link. Since computers and other internet-
connected devices have become an essential part of our lives, they no longer seem
new or different. People have become very casual in their use of these devices and
rarely think about network security. The weakest link in cybersecurity can be the
personnel within an organization, and social engineering is a major security threat.
Because of this, one of the most effective security measures that an organization can
take is to train its personnel and create a “security-aware culture.”
2.4.8 Lab - Social Engineering
In this lab, you will research examples of social engineering and identify ways to
recognize and prevent it.
A Denial of Service (DoS) attack creates some sort of interruption of network services
to users, devices, or applications. There are two major types of DoS attacks:
Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of
data at a rate that the network, host, or application cannot handle. This causes
transmission and response times to slow down. It can also crash a device or
service.
Maliciously Formatted Packets - The threat actor sends a maliciously formatted
packet to a host or application and the receiver is unable to handle it. This causes
the receiving device to run very slowly or crash.
Click each button for an illustration and explanation of DoS and DDoS attacks.
DoS Attack
DoS attacks are a major risk because they interrupt communication and cause
significant loss of time and money. These attacks are relatively simple to conduct, even
by an unskilled threat actor.
Click Play in the figure to view the animation of a DoS attack.
DDoS Attack
A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from
multiple, coordinated sources. For example, a threat actor builds a network of infected
hosts, known as zombies. The threat actor uses a command and control (CnC) system
to send control messages to the zombies. The zombies constantly scan and infect more
hosts with bot malware. The bot malware is designed to infect a host, making it a
zombie that can communicate with the CnC system. The collection of zombies is called
a botnet. When ready, the threat actor instructs the CnC system to make the botnet of
zombies carry out a DDoS attack.
Click Play in the figure to view the animations of a DDoS attack.
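The practical difference between the two animations is what a defender sees in flow data: a DoS flood comes from one source, a DDoS flood from many, and the per-destination packet rate is the common symptom. The following is an added example (not from the course) that buckets constructed flow records per destination and per second, raises an alert when a bucket exceeds a rate threshold, and labels it "dos" or "ddos" by the number of distinct sources. The record shape, thresholds, addresses and the sample traffic are assumptions made for this example.

```python
"""Classify traffic floods in constructed flow records as DoS (one source) or DDoS (many sources)."""
from collections import defaultdict


def detect_floods(flows, window=1.0, rate_threshold=200, distributed_min_sources=10):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip) records.

    Packets are bucketed per destination and per `window` seconds. A bucket
    whose packet count reaches `rate_threshold` is an alert; it is labelled
    "ddos" when at least `distributed_min_sources` distinct sources contributed
    and "dos" otherwise. Thresholds are placeholders; tune them to the link.
    """
    buckets = defaultdict(list)  # (dst, window_index) -> list of source addresses
    for ts, src, dst in flows:
        buckets[(dst, int(ts // window))].append(src)

    alerts = []
    for (dst, idx), srcs in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if len(srcs) < rate_threshold:
            continue
        distinct = len(set(srcs))
        alerts.append({
            "dst": dst,
            "window_start": idx * window,
            "packets": len(srcs),
            "sources": distinct,
            "kind": "ddos" if distinct >= distributed_min_sources else "dos",
        })
    return alerts


def make_sample_flows():
    """Constructed traffic: background clients, a 50-zombie botnet burst, and one single-source flood."""
    victim = "10.0.0.10"
    flows = []
    # Normal traffic: three clients, one packet every two seconds.
    for i in range(5):
        for client in ("10.0.0.21", "10.0.0.22", "10.0.0.23"):
            flows.append((0.5 + 2 * i, client, victim))
    # DDoS burst: 50 zombies in 198.51.100.0/24 each send 20 packets during second 5.
    for z in range(1, 51):
        for k in range(20):
            flows.append((5.0 + k / 20, f"198.51.100.{z}", victim))
    # DoS burst: a single source sends 300 packets during second 12.
    for k in range(300):
        flows.append((12.0 + k / 300, "192.0.2.7", victim))
    return flows


if __name__ == "__main__":
    for a in detect_floods(make_sample_flows()):
        print(f"{a['kind'].upper():4} against {a['dst']} at t={a['window_start']:.0f}s: "
              f"{a['packets']} packets from {a['sources']} source(s)")
```

The source count is what decides the response: a single-source flood can be dropped with one filter at the edge, whereas the botnet case needs rate limiting per destination or upstream scrubbing, because blocking fifty (or fifty thousand) individual addresses does not scale and the zombies themselves are usually victims too.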
2.5.3 Components of DDoS Attacks
If threat actors can compromise many hosts, they can perform a Distributed DoS
Attack (DDoS). DDoS attacks are similar in intent to DoS attacks, except that a DDoS
attack increases in magnitude because it originates from multiple, coordinated
sources, as shown in the figure. A DDoS attack can use hundreds or thousands of
sources, as in IoT-based DDoS attacks.
zombies - This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.
bots - Bots are malware that is designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.
botnet - This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.
handlers - This refers to a primary command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.
botmaster - This is the threat actor who is in control of the botnet and handlers.
Note: There is an underground economy where botnets can be bought (and sold) for a
nominal fee. This can provide threat actors with botnets of infected hosts ready to
launch a DDoS attack against the target of choice.
2.5.4 Video - Mirai Botnet
Mirai is malware that targeted Internet of Things (IoT) devices that are configured with
default login information. Closed-circuit television (CCTV) cameras made up the
majority of Mirai’s targets. Using a brute force dictionary attack, Mirai ran through a
list of default usernames and passwords that were widely known on the internet.
root/default
root/1111
root/54321
admin/admin1234
admin1/password
guest/12345
tech/tech
support/support
After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that
run on these devices. These utilities were used to turn the devices into bots that could
be remotely controlled as part of a botnet. The botnet was then used as part of a
distributed denial of service (DDoS) attack. In September 2016, a Mirai botnet of over
152,000 CCTVs and digital video recorders (DVRs) was responsible for the largest DDoS
attack known until that time. With peak traffic of over 1 Tb/s, it took down the hosting
services of a France-based web hosting company.
In October 2016 the services of Dyn, a Domain Name System (DNS) provider, were
attacked, causing internet outages for millions of users in the United States and
Europe.
Play the video to view a demonstration of how a botnet-based DDoS attack makes
services unavailable.
Note: In December 2017, three American threat actors pleaded guilty to conspiring to
“conduct DDoS attacks against websites and web hosting companies located in the
United States and abroad.” The three felons face up to 10 years in prison and $250,000
in fines.
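The dictionary attack described above leaves a trail in the device's own login records. The following is an added example, not part of the course material: it parses constructed telnet daemon log lines (the line layout, the telnetd process name and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions) and flags a source that works through the default usernames listed above, escalating the alert when a success follows the failures.

```python
"""Detect Mirai-style default-credential dictionary attacks in telnet login logs.

Added example, not part of the course material. The log line layout below is
constructed (modelled loosely on a syslog line from a telnet daemon); adapt
LINE_RE to the format a real device emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Usernames from the default credential list in the Mirai section of the course.
MIRAI_DEFAULT_USERS = {"root", "admin", "admin1", "guest", "tech", "support"}

# Constructed format:
# "<ISO time> telnetd[<pid>]: login <failed|succeeded> for user '<u>' from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) telnetd\[\d+\]: login "
    r"(?P<result>failed|succeeded) for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

WINDOW = timedelta(seconds=60)  # sliding window for counting failures per source
THRESHOLD = 5                   # failures inside WINDOW that trigger an alert


def parse_line(line):
    """Return a dict for a recognised login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "ok": m["result"] == "succeeded",
        "user": m["user"],
        "src": m["src"],
    }


def detect_dictionary_attacks(lines):
    """Return one alert per source that behaves like a Mirai scanner.

    A source is flagged once THRESHOLD failed logins fall inside WINDOW; the
    alert records which of the usernames tried are on the Mirai default list.
    A later successful login from the same source upgrades the alert to
    'compromised', the signal a responder should act on first.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    users_tried = defaultdict(set)  # src -> usernames seen from that source
    alerts = {}                     # src -> alert dict

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line
        src = ev["src"]
        users_tried[src].add(ev["user"])

        if ev["ok"]:
            if src in alerts:  # success after a burst of failures
                alerts[src]["severity"] = "compromised"
                alerts[src]["success_user"] = ev["user"]
            continue

        recent = failures[src]
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()  # drop failures that have aged out of the window

        if len(recent) >= THRESHOLD and src not in alerts:
            alerts[src] = {
                "src": src,
                "severity": "dictionary_attack",
                "failures": len(recent),
                "default_users": sorted(users_tried[src] & MIRAI_DEFAULT_USERS),
            }
    return list(alerts.values())


# Constructed sample log: one scanner working through default usernames and
# finally getting in, plus one legitimate operator who mistyped once.
SAMPLE_LOG = """\
2016-09-20T14:01:02 telnetd[811]: login failed for user 'root' from 203.0.113.7
2016-09-20T14:01:03 telnetd[811]: login failed for user 'root' from 203.0.113.7
2016-09-20T14:01:03 telnetd[811]: login failed for user 'admin' from 203.0.113.7
2016-09-20T14:01:04 telnetd[811]: login failed for user 'admin1' from 203.0.113.7
2016-09-20T14:01:05 telnetd[811]: login failed for user 'guest' from 203.0.113.7
2016-09-20T14:01:06 telnetd[811]: login failed for user 'tech' from 203.0.113.7
2016-09-20T14:01:07 telnetd[811]: login succeeded for user 'support' from 203.0.113.7
2016-09-20T14:05:00 telnetd[811]: login failed for user 'operator' from 198.51.100.20
2016-09-20T14:09:00 telnetd[811]: login succeeded for user 'operator' from 198.51.100.20
"""

if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```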
2.5.5 Buffer Overflow Attack
The goal of a threat actor when using a buffer overflow DoS attack is to find a system
memory-related flaw on a server and exploit it. Exploiting the buffer memory by
overwhelming it with unexpected values usually renders the system inoperable,
creating a DoS attack.
For example, a threat actor enters input that is larger than expected by the application
running on a server. The application accepts the large amount of input and stores it in
memory. The result is that it may consume the associated memory buffer and
potentially overwrite adjacent memory, eventually corrupting the system and causing
it to crash.
An early example of using malformed packets was the Ping of Death. In this legacy
attack, the threat actor sent a ping of death, which was an echo request in an IP packet
larger than the maximum packet size of 65,535 bytes. The receiving host would not be
able to handle a packet of that size and it would crash.
Buffer overflow attacks are continually evolving. For instance, a remote denial of
service attack vulnerability was recently discovered in Microsoft Windows 10.
Specifically, a threat actor created malicious code to access out-of-scope memory.
When this code is accessed by the Windows AHCACHE.SYS process, it attempts to
trigger a system crash, denying service to the user. Search the Internet on
“TALOS-2016-0191 blog” to go to the Cisco Talos threat intelligence website and read a
description of such an attack.
Note: It is estimated that one third of malicious attacks are the result of buffer
overflows.
2.5.6 Evasion Methods
Threat actors learned long ago that “to hide is to thrive”. This means their malware
and attack methods are most effective when they are undetected. For this reason,
many attacks use stealthy evasion techniques to disguise an attack payload. Their goal
is to prevent detection by evading network and host defenses.
Some of the evasion methods used by threat actors include:
Encryption and tunneling - This evasion technique uses tunneling to hide, or encryption
to scramble, malware files. This makes it difficult for many security detection
techniques to detect and identify the malware. Tunneling can mean hiding stolen data
inside of legitimate packets.
Resource exhaustion - This evasion technique makes the target host too busy to
properly use security detection techniques.
Traffic fragmentation - This evasion technique splits a malicious payload into smaller
packets to bypass network security detection. After the fragmented packets bypass the
security detection system, the malware is reassembled and may begin sending sensitive
data out of the network.
Protocol-level misinterpretation - This evasion technique occurs when network
defenses do not properly handle features of a PDU like a checksum or TTL value. This
can trick a firewall into ignoring packets that it should check.
Traffic substitution - In this evasion technique, the threat actor attempts to trick an
IPS by obfuscating the data in the payload. This is done by encoding it in a different
format. For example, the threat actor could use encoded traffic in Unicode instead of
ASCII. The IPS does not recognize the true meaning of the data, but the target end
system can read the data.
Traffic insertion - Similar to traffic substitution, but the threat actor inserts extra
bytes of data in a malicious sequence of data. The IPS rules miss the malicious data,
accepting the full sequence of data.
Pivoting - This technique assumes the threat actor has compromised an inside host and
wants to expand their access further into the compromised network. An example is a
threat actor who has gained access to the administrator password on a compromised
host and is attempting to login to another host using the same credentials.
Rootkits - A rootkit is a complex attacker tool used by experienced threat actors. It
integrates with the lowest levels of the operating system. When a program attempts to
list files, processes, or network connections, the rootkit presents a sanitized version
of the output, eliminating any incriminating output. The goal of the rootkit is to
completely hide the activities of the attacker on the local system.
Proxies - Network traffic can be redirected through intermediate systems in order to
hide the ultimate destination for stolen data. In this way, known command-and-control
traffic may not be blocked by an enterprise because the proxy destination appears
benign. Additionally, if data is being stolen, the destination for the stolen data can
be distributed among many proxies, thus not drawing attention to the fact that a
single unknown destination is serving as the destination for large amounts of network
traffic.
New attack methods are constantly being developed. Network security personnel must
be aware of the latest attack methods in order to detect them.
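The Ping of Death in 2.5.5 and the traffic fragmentation and traffic substitution methods above all exploit inspection that looks at packets one at a time and byte for byte. The following added example, not part of the course material, models an inspection stage that reassembles fragments first, rejects any datagram that would exceed 65,535 bytes, decodes percent-encoding and Unicode compatibility forms, and only then matches signatures; the fragment tuple layout, the 20-byte header assumption and the two signatures are constructed for the demo.

```python
"""Reassemble, bound, normalise, then inspect: the order an IPS needs to beat
fragmentation and substitution evasion and to reject a Ping of Death.

Added example, not part of the course material. Fragments are modelled as
(offset_in_8_byte_units, more_fragments, payload) tuples instead of being parsed
from real IPv4 headers, a 20-byte header (no options) is assumed, and the two
signatures are constructed for the demo.
"""
import unicodedata
from urllib.parse import unquote_to_bytes

MAX_DATAGRAM = 65535   # maximum IPv4 total length (RFC 791)
IPV4_HEADER_LEN = 20   # assumed: no IP options

# Constructed signatures; a real rule set is far larger.
SIGNATURES = {"../": "path traversal", "/etc/passwd": "password file request"}


def reassemble(fragments):
    """Join fragment tuples into one payload.

    Raises ValueError when the datagram would exceed MAX_DATAGRAM (the Ping of
    Death case), when fragments overlap or leave a gap, when a non-final
    fragment is not a multiple of 8 bytes, or when the final fragment is missing.
    """
    buf = bytearray()
    expected = 0      # byte offset the next fragment must start at
    saw_last = False
    for offset_units, more, data in sorted(fragments, key=lambda f: f[0]):
        start = offset_units * 8
        end = start + len(data)
        if IPV4_HEADER_LEN + end > MAX_DATAGRAM:
            raise ValueError(
                f"datagram would be {IPV4_HEADER_LEN + end} bytes, over {MAX_DATAGRAM}")
        if start != expected:
            raise ValueError(f"gap or overlap at byte {start}")
        if more and len(data) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        buf += data
        expected = end
        saw_last = not more
    if not saw_last:
        raise ValueError("final fragment missing")
    return bytes(buf)


def normalise(payload):
    """Undo the encodings used for traffic substitution before matching:
    percent-encoding first, then Unicode compatibility forms (NFKC maps the
    fullwidth solidus U+FF0F back to the ASCII '/' the target server sees)."""
    text = unquote_to_bytes(payload).decode("utf-8", errors="replace")
    return unicodedata.normalize("NFKC", text)


def match_signatures(text):
    return sorted(name for sig, name in SIGNATURES.items() if sig in text)


def naive_match(fragments):
    """Per-fragment, raw-byte matching: what fragmentation and substitution evade."""
    hits = set()
    for _, _, data in fragments:
        hits.update(match_signatures(data.decode("utf-8", errors="replace")))
    return sorted(hits)


def inspect(fragments):
    """Full pipeline: drop malformed datagrams, alert on signatures, else allow."""
    try:
        payload = reassemble(fragments)
    except ValueError as err:
        return {"verdict": "drop", "reason": str(err)}
    hits = match_signatures(normalise(payload))
    return {"verdict": "alert" if hits else "allow", "signatures": hits}


# Constructed sample: a request line whose "../" straddles the fragment boundary,
# with the slash written as fullwidth U+FF0F and the "a" of passwd percent-encoded.
SAMPLE_FRAGMENTS = [
    (0, True, b"GET /static/a/.."),                                  # 16 bytes
    (2, False, "\uff0fetc/p%61sswd HTTP/1.0\r\n".encode("utf-8")),   # starts at byte 16
]

# Constructed Ping of Death: a final fragment placed so the datagram would end
# past 65,535 bytes (0x08 0x00 is the ICMP echo request type/code).
PING_OF_DEATH = [(8189, False, b"\x08\x00" + bytes(30))]

if __name__ == "__main__":
    print("naive:", naive_match(SAMPLE_FRAGMENTS))
    print("pipeline:", inspect(SAMPLE_FRAGMENTS))
    print("oversized:", inspect(PING_OF_DEATH))
```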
2.5.7 Check Your Understanding - Identify the Types of Network Attacks
Check your understanding of network attacks by answering the following questions.
Question 1
What is the weakest link in network security?
Reconnaissance
Access
DoS
Social engineering
Question 2
What type of attack is tailgating?
Reconnaissance
Access
DoS
Social engineering
Question 3
What type of attack is port scanning?
Reconnaissance
Access
DoS
Social engineering
Question 4
What is the weakest link in network security?
Routers
People
TCP/IP
Social engineering
2.6 Network Threats Summary
2.6.1 What Did I Learn in this Module?
Who is Attacking Our Network?
Understanding network security requires you to understand the following terms:
threat, vulnerability, attack surface, exploit, and risk. Risk management is the process
that balances the operational costs of providing protective measures with the gains
achieved by protecting the asset. Four common ways to manage risk are risk
acceptance, risk avoidance, risk reduction, and risk transfer. Hacker is a term used to
describe a threat actor. White hat hackers are ethical hackers using their skills for
good, ethical, and legal purposes. Grey hat hackers are individuals who commit crimes
and do unethical things, but not for personal gain or to cause damage. Black hat
hackers are criminals who violate computer and network security for personal gain, or
for malicious reasons, such as attacking networks. Threat actors include script kiddies,
vulnerability brokers, hacktivists, cybercriminals, and state-sponsored hackers. Many
network attacks can be prevented by sharing information about IOCs. Many
governments are promoting cybersecurity. CISA and NCSA are examples of such
organizations.
Introduction of Attack Tools
Threat actors use a technique or tool. Attack tools have become more sophisticated,
and highly automated. Many of the tools are Linux or UNIX based, and knowledge of
these is useful to a cybersecurity professional. Tools include password crackers,
wireless hacking tools, network security scanning and hacking tools, packet crafting
tools, packet sniffers, rootkit detectors, fuzzers to search for vulnerabilities,
forensic tools, debuggers, hacking operating systems, encryption tools, vulnerability
exploitation tools, and vulnerability scanners. Categories of attacks include
eavesdropping attacks, data modification attacks, IP address spoofing attacks,
password-based attacks, denial-of-service attacks, man-in-the-middle attacks,
compromised key attacks, and sniffer attacks.
Malware
Malware is short for malicious software or malicious code. Threat actors frequently try
to trick users into installing malware to help exploit end device vulnerabilities. Often
antimalware software cannot be updated quickly enough to stop new threats. Three
common types are virus, worm, and Trojan horse. A virus is a type of malware that
spreads by inserting a copy of itself into another program. Most viruses are spread
through USB memory drives, CDs, DVDs, network shares, and email. Trojan horse
malware is software that appears to be legitimate, but it contains malicious code that
exploits the privileges of the user that runs it. Often, Trojans are found on online
games. Trojan horses are usually classified according to the damage they cause. Types
of Trojan horses include remote-access, data-sending, destructive, proxy, FTP, security
software disabler, DoS, and keylogger. Worms are similar to viruses because they
replicate and can cause the same type of damage. Viruses require a host program to
run. Worms can run themselves. Most worm attacks consist of three components:
enabling vulnerability, propagation mechanism, and payload. Currently, ransomware is
the most dominant malware. It denies access to the infected system or its data. The
cybercriminals then demand payment to release the computer system. Other malware
examples include spyware, adware, scareware, phishing, and rootkits.
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Threat actors can also attack the network from outside. To mitigate attacks, it is useful
to categorize the various types of attacks. The three major categories are
reconnaissance, access, and DoS attacks. Reconnaissance is information gathering.
Threat actors do unauthorized discovery and mapping of systems, services, or
vulnerabilities. Recon attacks precede access or DoS attacks. Some of the techniques
used include the following: performing an information query of a target, initiating a
ping sweep of the target network, initiating a port scan of active IP addresses, running
vulnerability scanners, and running exploitation tools. Access attacks exploit known
vulnerabilities in authentication services, FTP services, and web services. These attacks
include password attacks, spoofing attacks, trust exploitation attacks, port redirections,
man-in-the-middle attacks, and buffer overflow attacks. Social engineering is an access
attack that attempts to manipulate individuals into performing unsafe actions or
divulging confidential information. These attacks include pretexting, phishing, spear
phishing, spam, something for something, baiting, impersonation, tailgating, shoulder
surfing, and dumpster diving.
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
DoS attacks create some sort of interruption of network services to users, devices, or
applications. There are two major types: overwhelming quantity of traffic, and
maliciously formatted packets. DDoS attacks are similar in intent to DoS attacks, except
that the DDoS attack increases in magnitude because it originates from multiple,
coordinated sources. The following terms are used to describe DDoS attacks: zombies,
bots, botnet, handlers, and botmaster. Mirai is malware that targets IoT devices
configured with default login information. Mirai uses a brute force dictionary attack.
After successful access, Mirai targets the Linux-based BusyBox utilities that are
designed for these devices. The goal of a threat actor when using a buffer overflow
DoS attack is to find a system memory-related flaw on a server and exploit it. Exploiting
the buffer memory by overwhelming it with unexpected values usually renders the
system inoperable, creating a DoS attack. Many attacks use stealthy evasion
techniques to disguise an attack payload. Evasion methods include encrypting and
tunneling, resource exhaustion, traffic fragmentation, protocol-level misinterpretation,
traffic substitution, traffic insertion, pivoting, rootkits, and proxies.
2.6.2 Module 2 - Network Threats Quiz
Question 1
In what way are zombies used in security attacks?
They are maliciously formed code segments used to replace legitimate applications.
They target specific individuals to gain corporate or personal information.
They are infected machines that carry out a DDoS attack.
They probe a group of machines for open ports to learn which services are running.
Question 2
What is an example of a local exploit?
Port scanning is used to determine if the Telnet service is running on a remote server.
A threat actor performs a brute force attack on an enterprise edge router to gain illegal
access.
A buffer overflow attack is launched against an online shopping website and causes the
server crash.
A threat actor tries to gain the user password of a remote host by using a keyboard
capture software installed on it by a Trojan.
Question 3
Which two statements describe access attacks? (Choose two.)
Port redirection attacks use a network adapter card in promiscuous mode to capture
all network packets that are sent across a LAN.
Password attacks can be implemented by the use of brute-force attack methods,
Trojan horses, or packet sniffers.
Buffer overflow attacks write data beyond the allocated buffer memory to overwrite
valid data or to exploit systems to execute malicious code.
To detect listening services, port scanning attacks scan a range of TCP or UDP port
numbers on a host.
Trust exploitation attacks often involve the use of a laptop to act as a rogue access
point to capture and copy all network traffic in a public location, such as a wireless
hotspot.
Question 4
Why would a rootkit be used by a hacker?
To do reconnaissance
To try to guess a password
To gain access to a device without being detected
To reverse engineer binary files
Question 5
Which statement describes the term attack surface?
It is the network interface where attacks originate.
It is the group of hosts that experiences the same attack.
It is the total number of attacks toward an organization within a day.
It is the total sum of vulnerabilities in a system that is accessible to an attacker.
Question 6
Which risk management plan involves discontinuing an activity that creates a risk?
Risk reduction
Risk retention
Risk avoidance
Risk sharing
Question 7
What name is given to an amateur hacker?
Black hat
Red hat
Script kiddie
Blue team
Question 8
What is the term used when a malicious party sends a fraudulent email disguised as
being from a legitimate, trusted source?
Phishing
Vishing
Backdoor
Trojan
Question 9
Which two characteristics describe a worm? (Choose two.)
Executes when software is run on a computer
Is self-replicating
Hides in a dormant state until needed by an attacker
Infects computers by attaching to software code
Travels to new computers without any intervention or knowledge of the user
Question 10
A user receives a phone call from a person who claims to represent IT services and
then asks that user for confirmation of username and password for auditing
purposes. Which security threat does this phone call represent?
DDoS
Spam
Social engineering
Anonymous keylogging
Question 11
Which evasion method describes the situation that after gaining access to the
administrator password on a compromised host, a threat actor is attempting to login
to another host using the same credentials?
Pivoting
Traffic substitution
Resource exhaustion
Protocol-level misinterpretation
Question 12
In what type of attack is a cybercriminal attempting to prevent legitimate users
from accessing network services?
DoS
MITM
Session hijacking
Address spoofing
Module 3: Mitigating Threats
3.0 Introduction
3.0.1 Why Should I Take this Module?
Defending the network is the job of a security professional. How can you stay informed
of the current security climate? What organizations can help keep you informed of the
latest risks and tools? What do onions and artichokes have to do with security? Take
this module to learn more!
3.0.2 What Will I Learn in this Module?
Module Title: Mitigating Threats
Module Objective: Explain tools and procedures to mitigate the effects of malware
and common network attacks.
Defending the Network - Describe methods and resources to protect the network.
Network Security Policies - Explain several types of network security policies.
Secure the Network - Explain the purpose of security platforms.
Mitigating Common Network Attacks - Describe the techniques used to mitigate common
network attacks.
Cisco Network Foundation Protection Framework - Explain how to secure the three
functional areas of Cisco routers and switches.
3.1 Defending the Network
3.1.1 Network Security Professionals
Organizations experience productivity loss when their networks are slow or
unresponsive. Business goals and profits are negatively impacted by data loss and data
corruption. Therefore, from a business perspective, it is necessary to minimize the
effects of hackers with bad intentions.
Network security professionals are responsible for maintaining data assurance for an
organization and ensuring the integrity and confidentiality of information. Ironically,
hacking has had the unintended effect of creating a high demand for network security
professionals. As a result of increasing hacker exploits, the sophistication of hacker
tools, and because of government legislation, network security solutions developed
rapidly in the 1990s, creating new job opportunities in the field of network security.
Security specialist job roles within an enterprise include Chief Information Officer
(CIO), Chief Information Security Officer (CISO), Security Operations (SecOps) Manager,
Chief Security Officer (CSO), Security Manager, and Network Security Engineer.
Regardless of job titles, network security professionals must always stay one step
ahead of the hackers:
They must constantly upgrade their skill set to keep abreast of the latest threats.
They must attend training and workshops.
They must subscribe to real-time feeds regarding threats.
They must peruse security websites on a daily basis.
They must maintain familiarity with network security organizations. These
organizations often have the latest information on threats and vulnerabilities.
The Cyber Security Education organization describes a number of Cyber Security
careers and provides resources that can help prepare you for those careers.
Note: Relative to other technology professions, network security has a very steep
learning curve and requires a commitment to continuous professional development.
3.1.2 Network Intelligence Communities
To effectively protect a network, security professionals must stay informed about
threats and vulnerabilities as they evolve. There are many security organizations which
provide network intelligence. They provide resources, workshops, and conferences to
help security professionals. These organizations often have the latest information on
threats and vulnerabilities.
The table lists a few important network security organizations.
SANS - SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free
upon request and include:
The Internet Storm Center - the popular internet early warning system
NewsBites, the weekly digest of news articles about computer security
SANS @RISK, the weekly digest of newly discovered attack vectors, vulnerabilities with
active exploits, and explanations of how recent attacks worked
Flash security alerts
Reading Room - more than 1,200 award-winning, original research papers
SANS also develops security courses.
Mitre - The Mitre Corporation maintains a list of common vulnerabilities and exposures
(CVE) used by prominent security organizations, making it easier for them to share
data. The CVE serves as a dictionary of common names (i.e., CVE Identifiers) for known
cybersecurity vulnerabilities.
FIRST - Forum of Incident Response and Security Teams (FIRST) is a security
organization that brings together a variety of computer security incident response
teams from government, commercial, and educational organizations to foster cooperation
and coordination in information sharing, incident prevention and rapid reaction.
SecurityNewsWire - A security news portal that aggregates the latest breaking news
pertaining to alerts, exploits, and vulnerabilities.
(ISC)2 - International Information Systems Security Certification Consortium (ISC2)
provides vendor neutral education products and career services to more than 75,000
industry professionals in more than 135 countries.
CIS - The Center for Internet Security (CIS) is a focal point for cyber threat
prevention, protection, response, and recovery for state, local, tribal, and
territorial (SLTT) governments through the Multi-State Information Sharing and
Analysis Center (MS-ISAC). The MS-ISAC offers 24x7 cyber threat warnings and
advisories, vulnerability identification, and mitigation and incident response.
To remain effective, a network security professional must:
Keep abreast of the latest threats - This includes subscribing to real-time feeds
regarding threats, routinely perusing security-related websites, following security
blogs and podcasts, and more.
Continue to upgrade skills - This includes attending security-related training,
workshops, and conferences.
Note: Network security has a very steep learning curve and requires a commitment to
continuous professional development.
3.1.3 Network Security Certifications
Hundreds of thousands of network security-related jobs go unfilled each year. The
demand for network security professionals greatly outstrips the number of qualified
applicants. Obtaining recognized network security certifications greatly enhances your
qualifications for these positions. Numerous certifications exist. Certifications for
network security professionals are offered by the following organizations:
Global Information Assurance Certification (GIAC)
International Information System Security Certification Consortium (ISC)2
Information Systems Audit and Control Association (ISACA)
International Council of E-Commerce Consultants (EC-Council)
Certified Wireless Security Professional (CWSP)
Cisco has replaced the Cisco Certified Network Associate Security (210-260 IINS)
certification with a new CCNP Security certification. This certification consists of two
exams, a security core exam, and a concentration exam. Only one concentration exam
is required. The Implementing and Operating Cisco Security Core Technologies
(350-701 SCOR) exam serves as a gateway to both CCNP and CCIE Security certifications. It
also provides security core certification. The core exam covers security concepts,
threats, and mitigation techniques and technologies. The specializations place in-depth
focus on specific Cisco security technologies. The Cisco Certified Specialist security
concentration exams are as follows:
300-710 SNCF - Network Security Firepower
300-715 SISE - Implementing and Configuring Cisco Identity Services Engine
300-720 SESA - Securing Email with Cisco Email Security Appliance
300-725 SWSA - Securing the Web with Cisco Web Security Appliance
300-730 SVPN - Implementing Secure Solutions with Virtual Private Networks
300-735 SAUTO - Automating and Programming Cisco Security Solutions
There are many ways to prepare for these certifications including self-study, private
exam education, and higher education. The Learning at Cisco organization, along with
its learning partners, provides information and training for most of the Cisco
certification exams.
3.1.4 Communications Security - CIA
Information security deals with protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA
Triad serves as a conceptual foundation for the field.
CIA Triad
The figure shows the CIA Triad consisting of Confidentiality, Integrity, and Availability.
As shown in the figure, the CIA triad consists of three components of information
security:
Confidentiality - Only authorized individuals, entities, or processes can access
sensitive information.
Integrity - This refers to the protection of data from unauthorized alteration.
Availability - Authorized users must have uninterrupted access to the network
resources and data that they require.
Network data can be encrypted (made unreadable to unauthorized users) using
various cryptography applications. The conversation between two IP phone users can
be encrypted. The files on a computer can also be encrypted. These are just a few
examples. Cryptography can be used almost anywhere that there is data
communication. In fact, the trend is toward all communication being encrypted.
3.2 Network Security Policies
3.2.1 Network Security Domains
It is vital for network security professionals to understand the reasons for network
security. They must also be familiar with the organizational requirements for network
security as embodied by the 14 network security domains.
Domains provide a framework for discussing network security and understanding the
operational needs that should be addressed by each organization.
There are 14 network security domains specified by the International Organization for
Standardization (ISO)/International Electrotechnical Commission (IEC). Described by
ISO/IEC 27001, these 14 domains serve to organize, at a high level, the vast realm of
information and activities under the umbrella of network security. These domains have
some significant parallels with domains defined by the Certified Information Systems
Security Professional (CISSP) certification.
The 14 domains are intended to serve as a common basis for developing organizational
security standards and effective security management practices. They also help to
facilitate communication between organizations.
These 14 domains provide a convenient separation of the elements of network
security. While it is not important to memorize these 14 domains, it is important to be
aware of their existence and formal declaration by the ISO. In the ISO 27001 standard
these are known as the 14 control sets of Annex A. They will serve as a useful
reference in your work as a network security professional.
The table below gives a brief description of each domain.
Information Security Policies - This annex is designed to ensure that security policies
are created, reviewed, and maintained.
Organization of Information Security - This is the governance model set out by an
organization for information security. It assigns responsibilities for information
security tasks within an organization.
Human Resources Security - This addresses security responsibilities relating to
employees joining, moving within, and leaving an organization.
Asset Management - This concerns the way that organizations create an inventory of
and classification scheme for information assets.
Access Control - This describes the restriction of access rights to networks, systems,
applications, functions, and data.
Cryptography - This concerns data encryption and the management of sensitive
information to protect confidentiality, integrity, and availability of data.
Physical and Environmental Security - This describes the protection of the physical
computer facilities and equipment within an organization.
Operations Security - This describes the management of technical security controls in
systems and networks including malware defenses, data backup, logging and monitoring,
vulnerability management, and audit considerations. This domain is also concerned with
the integrity of software that is used in business operations.
Communications Security - This concerns the security of data as it is communicated on
networks, both within an organization and between an organization and third parties
such as customers or suppliers.
System Acquisition, Development, and Maintenance - This ensures that information
security remains a central concern in an organization’s processes across the entire
lifecycle, in both private and public networks.
Supplier Relationships - This concerns the specification of contractual agreements
that protect an organization’s information and technology assets that are accessible
by third parties that provide supplies and services to the organization.
Information Security Incident Management - This describes how to anticipate and
respond to information security breaches.
Business Continuity Management - This describes the protection, maintenance, and
recovery of business-critical processes and systems.
Compliance - This describes the process of ensuring conformance with information
security policies, standards, and regulations.
3.2.2 Business Policies
Business policies are the guidelines that are developed by an organization to govern its
actions. The policies define standards of correct behavior for the business and its
employees. In networking, policies define the activities that are allowed on the
network. This sets a baseline of acceptable use. If behavior that violates business policy
is detected on the network, it is possible that a security breach has occurred.
An organization may have several guiding policies, as listed in the table.
Company policies - These policies establish the rules of conduct and the
responsibilities of both employees and employers. Policies protect the rights of
workers as well as the business interests of employers. Depending on the needs of the
organization, various policies and procedures establish rules regarding employee
conduct, attendance, dress code, privacy and other areas related to the terms and
conditions of employment.
Employee policies - These policies are created and maintained by human resources staff
to identify employee salary, pay schedule, employee benefits, work schedule, vacations,
and more. They are often provided to new employees to review and sign.
Security policies - These policies identify a set of security objectives for a
company, define the rules of behavior for users and administrators, and specify system
requirements. These objectives, rules, and requirements collectively ensure the
security of a network and the computer systems in an organization. Much like a
continuity plan, a security policy is a constantly evolving document based on changes
in the threat landscape, vulnerabilities, and business and employee requirements.
3.2.3 Security Policy
A comprehensive security policy has a number of benefits, including the following:
Demonstrates an organization’s commitment to security
Sets the rules for expected behavior
Ensures consistency in system operations, software and hardware acquisition and
use, and maintenance
Defines the legal consequences of violations
Gives security staff the backing of management
Security policies are used to inform users, staff, and managers of an organization’s
requirements for protecting technology and information assets. A security policy also
specifies the mechanisms that are needed to meet security requirements and provides
a baseline from which to acquire, configure, and audit computer systems and networks
for compliance.
The table lists policies that may be included in a security policy.
Identification and authentication policy - Specifies authorized persons that can have
access to network resources and identity verification procedures.
Password policies - Ensures passwords meet minimum requirements and are changed
regularly.
Acceptable Use Policy (AUP) - Identifies network applications and uses that are
acceptable to the organization. It may also identify ramifications if this policy is
violated.
Remote access policy - Identifies how remote users can access a network and what is
accessible via remote connectivity.
Network maintenance policy - Specifies network device operating systems and end user
application update procedures.
Incident handling procedures - Describes how security incidents are handled.
One of the most common security policy components is an AUP. This can also be
referred to as an appropriate use policy. This component defines what users are
allowed and not allowed to do on the various system components. This includes the
type of traffic that is allowed on the network. The AUP should be as explicit as possible
to avoid misunderstanding.
For example, an AUP might list specific websites, newsgroups, or bandwidth-intensive
applications that are prohibited from being accessed by company computers or from
the company network. Every employee should be required to sign an AUP, and the
signed AUPs should be retained for the duration of employment.
3.2.4 BYOD Policies
Many organizations must now also support Bring Your Own Device (BYOD). This
enables employees to use their own mobile devices to access company systems,
software, networks, or information. BYOD provides several key benefits to enterprises,
including increased productivity, reduced IT and operating costs, better mobility for
employees, and greater appeal when it comes to hiring and retaining employees.
However, these benefits also bring an increased information security risk because
BYOD can lead to data breaches and greater liability for the organization.
A BYOD security policy should be developed to accomplish the following:
Specify the goals of the BYOD program.
Identify which employees can bring their own devices.
Identify which devices will be supported.
Identify the level of access employees are granted when using personal devices.
Describe the rights to access and activities permitted to security personnel on the
device.
Identify which regulations must be adhered to when using employee devices.
Identify safeguards to put in place if a device is compromised.
The table lists BYOD security best practices to help mitigate BYOD vulnerabilities.
Best Practice - Description
Password protected access - Use unique passwords for each device and account.
Manually control wireless connectivity - Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
Keep updated - Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits.
Back up data - Enable backup of the device in case it is lost or stolen.
Enable “Find my Device” - Subscribe to a device locator service with remote wipe feature.
Provide antivirus software - Provide antivirus software for approved BYOD devices.
Use Mobile Device Management (MDM) software - MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.
3.2.5 Regulatory and Standards Compliance
There are also external regulations regarding network security. Network security
professionals must be familiar with the laws and codes of ethics that are binding on
Information Systems Security (INFOSEC) professionals.
Many organizations are mandated to develop and implement security policies.
Compliance regulations define what organizations are responsible for providing and
the liability if they fail to comply. The compliance regulations that an organization is
obligated to follow depend on the type of organization and the data that the
organization handles. Specific compliance regulations will be discussed later in the
course.
3.3 Security Tools, Platforms, and Services
3.3.1 The Security Onion and The Security Artichoke
There are two common analogies that are used to describe a defense-in-depth
approach.
Security Onion
A common analogy used to describe a defense-in-depth approach is called “the
security onion.” As illustrated in figure, a threat actor would have to peel away at a
network’s defenses layer by layer in a manner similar to peeling an onion. Only after
penetrating each layer would the threat actor reach the target data or system.
Note: The security onion described on this page is a way of visualizing defense-in-
depth. This is not to be confused with the Security Onion suite of network security
tools.
Security Artichoke
The changing landscape of networking, such as the evolution of borderless networks,
has changed this analogy to the “security artichoke”, which benefits the threat actor.
As illustrated in the figure, threat actors no longer have to peel away each layer. They
only need to remove certain “artichoke leaves.” The bonus is that each “leaf” of the
network may reveal sensitive data that is not well secured.
For example, it’s easier for a threat actor to compromise a mobile device than it is to
compromise an internal computer or server that is protected by layers of defense.
Each mobile device is a leaf. And leaf after leaf, it all leads the hacker to more data.
The heart of the artichoke is where the most confidential data is found. Each leaf
provides a layer of protection while simultaneously providing a path to attack.
Not every leaf needs to be removed in order to get at the heart of the artichoke. The
hacker chips away at the security armor along the perimeter to get to the “heart” of
the enterprise.
While internet-facing systems are usually very well protected and boundary
protections are typically solid, persistent hackers, aided by a mix of skill and luck, do
eventually find a gap in that hard-core exterior through which they can enter and go
where they please.
Explore the categories of common network penetration testing tools. Notice how some
tools are used by white hats and black hats. Keep in mind that the list is not exhaustive
as new tools are continually being developed.
Note: Many of these tools are UNIX or Linux based; therefore, a security professional
should have a strong UNIX and Linux background.
Categories of Tools - Description
password crackers - Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
wireless hacking tools - Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
network scanning and hacking tools - Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
packet crafting tools - Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
packet sniffers - Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
rootkit detectors - A rootkit detector is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
fuzzers to search vulnerabilities - Fuzzers are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
forensic tools - White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.
debuggers - Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
hacking operating systems - Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
encryption tools - These tools safeguard the contents of an organization’s data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
vulnerability exploitation tools - These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Tool Kit, and Netsparker.
vulnerability scanners - These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
3.3.3 Data Security Platforms
Data Security Platforms (DSP) are an integrated security solution that combines
traditionally independent tools into a suite of tools that are made to work together.
Security tools that protect and monitor networks are often made by different vendors.
It can be difficult to integrate these tools in such a way that a single view of network
security can be achieved. Significant resources can be required to have different
devices and software under a single controlling solution. In addition, integrating data
from such diverse tools into a comprehensive monitoring view of the network can be
very difficult to create and maintain.
One such DSP is the Helix platform from FireEye. FireEye Helix is a cloud-based security
operations platform that enables organizations to integrate many security
functionalities into a single platform. Helix provides event management, network
behavior analytics, advanced threat detection, and incident security orchestration,
automation, and response (SOAR) for response to threats as they are detected. Helix
also draws on FireEye Mandiant threat intelligence, incident response, and security
expertise.
Another integrated DSP is Cisco SecureX. SecureX goes a step farther with its strong
integration with the Cisco Secure portfolio. The Cisco Secure portfolio consists of a
broad set of technologies that function as a team - providing interoperability with the
security infrastructure, including third-party technologies. This results in unified
visibility, automation, and stronger defenses. The Cisco SecureX platform works with
diverse products that combine to safeguard your network, users and endpoints, cloud
edge, and applications. SecureX functionality is built in to a large and diverse portfolio
of Cisco security products including next-generation firewalls, VPN, network analytics,
identity service engine, advanced malware protection (AMP), and many other systems
that work to secure all aspects of a network. SecureX also integrates a range of third-
party security tools.
Cisco Security products can use Talos threat intelligence in real time to provide fast
and effective security solutions. Cisco Talos also provides free software, services,
resources, and data. Talos maintains the security incident detection rule sets for
the Snort.org, ClamAV, and SpamCop network security tools.
A number of managed network security services are available from providers such as
Cisco, Sentinel Intrusion Prevention Systems, IBM, AT&T, and Core Security. These
organizations provide a wide range of services including comprehensive managed
Security as a Service (SECaaS or SaaS)
3.4 Mitigating Common Network Attacks
3.4.1 Defending the Network
Constant vigilance and ongoing education are required to defend your network against
attack. The following are best practices for securing a network:
Develop a written security policy for the company.
Educate employees about the risks of social engineering, and develop strategies to
validate identities over the phone, via email, or in person.
Control physical access to systems.
Use strong passwords and change them often.
Encrypt and password-protect sensitive data.
Implement security hardware and software such as firewalls, IPSs, virtual private
network (VPN) devices, antivirus software, and content filtering.
Perform backups and test the backed-up files on a regular basis.
Shut down unnecessary services and ports.
Keep patches up-to-date by installing them weekly or daily, if possible, to prevent
buffer overflow and privilege escalation attacks.
Perform security audits to test the network.
3.4.2 Mitigating Malware
Malware, including viruses, worms, and Trojan horses, can cause serious problems on
networks and end devices. Network administrators have several means of mitigating
these attacks.
Note: Mitigation techniques are often referred to in the security community as
“countermeasures”.
One way of mitigating virus and Trojan horse attacks is antivirus software. Antivirus
software helps prevent hosts from getting infected and spreading malicious code. It
requires much more time to clean up infected computers than it does to maintain up-
to-date antivirus software and antivirus definitions on the same machines.
Antivirus software is the most widely deployed security product on the market today.
Several companies that create antivirus software, such as Symantec, McAfee, and
Trend Micro, have been in the business of detecting and eliminating viruses for more
than a decade. Many corporations and educational institutions purchase volume
licensing for their users. The users are able to log in to a website with their account
and download the antivirus software on their desktops, laptops, or servers.
Antivirus products have update automation options so that new virus definitions and
new software updates can be downloaded automatically or on demand. This practice is
the most critical requirement for keeping a network free of viruses and should be
formalized in a network security policy.
Antivirus products are host-based. These products are installed on computers and
servers to detect and eliminate viruses. However, they do not prevent viruses from
entering the network, so a network security professional must be aware of the major
viruses and keep track of security updates regarding emerging viruses.
Another way to mitigate malware threats is to prevent malware files from entering the
network at all. Security devices at the network perimeter can identify known malware
files based on their indicators of compromise. The files can be removed from the
incoming data stream before they can cause an incident. Unfortunately, threat actors
are aware of this countermeasure and frequently alter their malware enough that it
evades detection. These exploits will enter the network and will also evade antivirus
software. No mitigation technique can be 100% effective. Security incidents are going
to happen.
3.4.3 Mitigating Worms
Worms are more network-based than viruses. Worm mitigation requires diligence and
coordination on the part of network security professionals.
As shown in the figure, the response to a worm attack can be broken down into four
phases: containment, inoculation, quarantine, and treatment.
3.4.4 Mitigating Reconnaissance Attacks
Reconnaissance attacks are typically the precursor to other attacks that have the intent
of gaining unauthorized access to a network or disrupting network functionality. A
network security professional can detect when a reconnaissance attack is underway by
receiving notifications from preconfigured alarms. These alarms are triggered when
certain parameters are exceeded, such as the number of ICMP requests per second. A
variety of technologies and devices can be used to monitor this type of activity and
generate an alarm. Cisco’s Adaptive Security Appliance (ASA) provides intrusion
prevention in a standalone device. Additionally, the Cisco ISR supports network-based
intrusion prevention through the Cisco IOS security image.
Reconnaissance attacks can be mitigated in several ways, including the following:
Implementing authentication to ensure proper access.
Using encryption to render packet sniffer attacks useless.
Using anti-sniffer tools to detect packet sniffer attacks.
Implementing a switched infrastructure.
Using a firewall and IPS.
Anti-sniffer software and hardware tools detect changes in the response time of hosts
to determine whether the hosts are processing more traffic than their own traffic loads
would indicate. While this does not completely eliminate the threat, as part of an
overall mitigation system, it can reduce the number of instances of threat.
Encryption is also effective for mitigating packet sniffer attacks. If traffic is encrypted,
using a packet sniffer is of little use because captured data is not readable.
It is impossible to mitigate port scanning, but using an intrusion prevention system
(IPS) and firewall can limit the information that can be discovered with a port scanner.
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge
routers; however, when these services are turned off, network diagnostic data is lost.
Additionally, port scans can be run without full ping sweeps. The scans simply take
longer because inactive IP addresses are also scanned.
Reconnaissance Attack Mitigation Techniques
The figure shows methods for mitigating reconnaissance attacks. An attacker is shown
connected between two networks. There is a large red X over the attacker.
3.4.6 Mitigating DoS Attacks
One of the first signs of a DoS attack is a large number of user complaints about
unavailable resources or unusually slow network performance. To minimize the
number of attacks, a network utilization software package should be running at all
times. Network behavior analysis can detect unusual patterns of usage that indicate
that a DoS attack is occurring. A means of detecting unusual network behavior should
be required by the organization’s network security policy. A network utilization graph
showing unusual activity could also indicate a DoS attack.
DoS attacks could be a component of a larger offensive. DoS attacks can lead to
problems in the network segments of the computers being attacked. For example, the
packet-per-second capacity of a router between the internet and a LAN might be
exceeded by an attack, compromising not only the target system but also the network
devices that the traffic must pass through. If the attack is conducted on a sufficiently
large scale, entire geographical regions of internet connectivity could be compromised.
Historically, many DoS attacks were sourced from spoofed addresses. Cisco routers
and switches support a number of antispoofing technologies, such as port security,
Dynamic Host Configuration Protocol (DHCP) snooping, IP Source Guard, Dynamic
Address Resolution Protocol (ARP) Inspection (DAI), and access control lists (ACLs).
3.5 Cisco Network Foundation Protection Framework
3.5.1 NFP Framework
The Cisco Network Foundation Protection (NFP) framework provides comprehensive
guidelines for protecting the network infrastructure. These guidelines form the
foundation for continuous delivery of service.
NFP logically divides routers and switches into three functional areas, as shown in the
figure:
Control plane - Responsible for routing data correctly. Control plane traffic consists
of device-generated packets required for the operation of the network itself, such
as ARP message exchanges, or OSPF routing advertisements.
Management plane - Responsible for managing network elements. Management
plane traffic is generated either by network devices or network management
stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA,
SNMP, syslog, TACACS+, RADIUS, and NetFlow.
Data plane (Forwarding plane) - Responsible for forwarding data. Data plane traffic
normally consists of user-generated packets being forwarded between end
devices. Most traffic travels through the router, or switch, via the data plane.
Cisco NFP
3.5.2 Securing the Control Plane
Control plane traffic consists of device-generated packets required for the operation of
the network itself. Control plane security can be implemented using the following
features, as shown in the figure:
Routing protocol authentication - Routing protocol authentication, or neighbor
authentication, prevents a router from accepting fraudulent routing updates. Most
routing protocols support neighbor authentication.
Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to allow users
to control the flow of traffic that is handled by the route processor of a network
device.
AutoSecure - AutoSecure can lock down the management plane functions and the
forwarding plane services and functions of a router.
CoPP is designed to prevent unnecessary traffic from overwhelming the route
processor. The CoPP feature treats the control plane as a separate entity with its own
ingress (input) and egress (output) ports. A set of rules can be established and
associated with the ingress and egress ports of the control plane.
The Control Plane
3.5.3 Securing the Management Plane
Management plane traffic is generated either by network devices or network
management stations using processes and protocols such as Telnet, SSH, and TFTP.
The management plane is a very attractive target to hackers. For this reason, the
management module was built with several technologies designed to mitigate such
risks.
The information flow between management hosts and the managed devices can be
out-of-band (OOB), where information flows within a network on which no production
traffic resides. It can also be in-band, where information flows across the enterprise
production network, the internet, or both.
Management plane security can be implemented using the following features, as
shown in the figure:
Login and password policy - Restricts device accessibility. Limits the accessible
ports and restricts the “who” and “how” methods of access.
Present legal notification - Displays legal notices. These are often developed by
legal counsel of a corporation.
Ensure the confidentiality of data - Protects locally stored sensitive data from
being viewed or copied. Uses management protocols with strong authentication to
mitigate confidentiality attacks aimed at exposing passwords and device
configurations.
Role-based access control (RBAC) - Ensures access is only granted to authenticated
users, groups, and services. RBAC and authentication, authorization, and
accounting (AAA) services provide mechanisms to effectively manage access
control.
Authorize actions - Restricts the actions and views that are permitted by any
particular user, group, or service.
Enable management access reporting - Logs and accounts for all access. Records
who accessed the device, what occurred, and when it occurred.
RBAC restricts user access based on the role of the user. Roles are created according to
job or task functions, and assigned access permissions to specific assets. Users are then
assigned to roles, and are granted the permissions that are defined for that role.
In Cisco IOS, the role-based CLI access feature implements RBAC for router
management access. The feature creates different “views” that define which
commands are accepted and what configuration information is visible. For scalability,
users, permissions, and roles are usually created and maintained in a central repository
server. This makes the access control policy available to multiple devices. The central
repository server can be a Cisco Identity Services Engine (ISE) which can provide
authentication, authorization, and accounting (AAA) network services.
The Management Plane
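The management plane features listed above (login and password policy, legal notification, SSH-only access, AAA with a central repository, role-based CLI views, and access reporting), as an added Cisco IOS configuration example that is not from the course; the hostname, domain, subnets, server address and every secret are constructed placeholders, and the TACACS+ server stands in for a Cisco ISE deployment.

```cisco
! Added example (not from the course): management plane hardening on a Cisco IOS router.
! Hostname, domain, addresses and secrets are constructed placeholders.
!
hostname R1
ip domain-name example.com
service timestamps log datetime msec
service password-encryption
enable secret REPLACE-ENABLE-SECRET
aaa new-model
!
! --- Login and password policy, plus legal notification ---
banner login ^C
Authorized use only. All activity on this device is logged.
^C
security passwords min-length 10
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! --- Restrict the access method (SSH only) and the hosts that may connect ---
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! --- AAA against a central repository (TACACS+, e.g. Cisco ISE) with local fallback ---
tacacs server ISE-1
 address ipv4 10.10.10.20
 key REPLACE-TACACS-KEY
aaa group server tacacs+ ISE-TACACS
 server name ISE-1
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! --- Role-based CLI access: a read-only helpdesk view ---
! Views are defined from the root view ("enable view" at the EXEC prompt first).
! Local users carry the view name; the central server can return it per role.
parser view HELPDESK
 secret REPLACE-VIEW-SECRET
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show logging
 commands exec include ping
username helpdesk view HELPDESK secret REPLACE-USER-SECRET
username netadmin privilege 15 secret REPLACE-ADMIN-SECRET
!
! --- Management access reporting: syslog, and a record of every configuration change ---
logging host 10.10.10.50
logging trap informational
archive
 log config
  logging enable
  notify syslog
  hidekeys
```

With this in place every login attempt, every EXEC session and every privileged command is accounted for on the server, and each configuration change is written to syslog with the user who made it.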
ACLs perform packet filtering to control which packets move through the network and
where those packets are allowed to go. ACLs are used to secure the data plane in a
variety of ways:
Blocking unwanted traffic or users - ACLs can filter incoming or outgoing packets
on an interface. They can be used to control access based on source addresses,
destination addresses, or user authentication.
Reducing the chance of DoS attacks - ACLs can be used to specify whether traffic
from hosts, networks, or users, can access the network. The ASA TCP intercept
feature is a mechanism that can be used to protect end hosts, especially servers,
from TCP SYN-flooding attacks.
Mitigating spoofing attacks - ACLs allow security practitioners to implement
recommended practices to mitigate spoofing attacks.
Providing bandwidth control - ACLs on a slow link can prevent excess traffic.
Classifying traffic to protect the Management and Control planes - ACLs can be
applied on the vty lines.
ACLs can also be used as an antispoofing mechanism by discarding traffic that has an
invalid source address. This means that attacks must be initiated from valid, reachable
IP addresses, which allows the packets to be traced to the originator of an attack.
Features, such as Unicast Reverse Path Forwarding (uRPF), can be used to complement
the antispoofing strategy.
Cisco Catalyst switches can use integrated features to help secure the Layer 2
infrastructure. The following Layer 2 security tools are integrated into the Cisco
Catalyst switches:
Port security - Prevents MAC address spoofing and MAC address flooding attacks.
DHCP snooping - Prevents client attacks on the DHCP server and switch.
Dynamic ARP Inspection (DAI) - Adds security to ARP by using the DHCP snooping
table to minimize the impact of ARP poisoning and spoofing attacks.
IP Source Guard (IPSG) - Prevents spoofing of IP addresses by using the DHCP
snooping table.
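The four Layer 2 features listed above on a Catalyst access switch, as an added configuration example that is not from the course; the VLAN, port numbers and uplink are constructed. It shows the dependency the list implies: DHCP snooping builds the binding table that both DAI and IP Source Guard consult.

```cisco
! Added example (not from the course): Layer 2 hardening on a Catalyst access switch.
! VLAN 10, the access port range and the uplink port are constructed placeholders.
!
! DHCP snooping comes first: DAI and IP Source Guard both check packets against
! the binding table (IP, MAC, VLAN, port) that it learns from DHCP exchanges.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection on the same VLAN; also sanity-check the ARP header fields
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface range GigabitEthernet1/0/1 - 24
 description User access ports (untrusted for DHCP snooping and DAI by default)
 switchport mode access
 switchport access vlan 10
 ! Port security: at most two MAC addresses, learned and saved (sticky); frames from
 ! additional MACs are dropped and logged without shutting the port (restrict)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Rate-limit DHCP and ARP from each host to blunt flooding and starvation attempts
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! IP Source Guard: only source IP addresses present in the binding table may send
 ip verify source
!
interface GigabitEthernet1/0/48
 description Uplink toward the distribution switch and the DHCP server
 switchport mode trunk
 ! Trusted: DHCP server replies and ARP from the rest of the network arrive here
 ip dhcp snooping trust
 ip arp inspection trust
```

show ip dhcp snooping binding, show ip arp inspection statistics and show port-security interface are the checks that confirm the table is populated and that violations are being counted rather than silently passed.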
This course focuses on the various technologies and protocols used to secure the
Management and Data planes.
3.5.5 Check Your Understanding - Cisco Network Foundation Protection Framework
Check your understanding of the Cisco Network Foundation Protection Framework
by choosing the correct answer to the following questions.
Question 1
Which NFP plane would typically use out-of-band (OOB) access?
Control plane
Management plane
Data plane
Question 2
Which NFP plane uses CoPP?
Control plane
Management plane
Data plane
Question 3
Which NFP plane is responsible for applying access control lists (ACLs)?
Control plane
Management plane
Data plane
Question 4
The control plane is responsible for which of the following features? (Choose three.)
Routing protocol authentication
Blocking unwanted traffic or users
Logs and accounts for all access
Port security
Route processor traffic
Mitigating spoof attacks
Role-based access control
Password policy
AutoSecure
Question 5
The management plane is responsible for which of the following features? (Choose
three.)
Routing protocol authentication
Blocking unwanted traffic or users
Logs and accounts for all access
Port security
Route processor traffic
Mitigating spoof attacks
Role-based access control
Password policy
AutoSecure
Question 6
The data plane is responsible for which of the following features? (Choose three.)
Routing protocol authentication
Blocking unwanted traffic or users
Logs and accounts for all access
Port security
Route processor traffic
Mitigating spoof attacks
Role-based access control
Password policy
AutoSecure
3.6 Mitigating Threats Summary
3.6.1 What Did I Learn in this Module?
Defending the Network
Network security professionals are responsible for maintaining data assurance for an
organization and ensuring the integrity and confidentiality of information. A security
professional must stay informed about threats and vulnerabilities as they evolve. There
are several network security organizations to keep you informed, including SANS,
Mitre, FIRST, SecurityNewsWire, ISC2, and CIS. Certifications for network security
professionals are offered by the following organizations:
GIAC
ISC2
ISACA
EC-Council
CWSP
Information security deals with protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA
Triad serves as a conceptual foundation for the field. The CIA triad consists of three
components of information security: Confidentiality, Integrity, and Availability.
Network Security Policies
There are 14 network security domains specified by the ISO/IEC. Described by ISO/IEC
27002, these 14 domains serve to organize, at a high level, the vast realm of
information under the umbrella of network security. These domains have some
significant parallels with domains defined by the CISSP certification. The 14 domains
are intended to serve as a common basis for developing organizational security
standards and effective security management practices. They also help to facilitate
communication between organizations.
In networking, policies define the activities that are allowed on the network. Policies
that may be included in a security policy include identification and authentication
policy, password policies, acceptable use policy, remote access policy, network
maintenance policy, and incident handling procedures. A security policy is a "living
document", meaning that the document is regularly updated as technology, business,
and employee requirements change. Many companies also need to place policies
around BYOD. There are also external regulations regarding network security. Network
security professionals must be familiar with the laws and codes of ethics that are
binding on INFOSEC professionals.
Security Tools, Platforms, and Services
There are two common analogies that are used to describe a defense-in-depth
approach: Security Onion and Security Artichoke. With Security Onion, a threat actor
would have to peel away at a network’s defenses layer by layer in a manner similar to
peeling an onion. The changing landscape of networking, such as the evolution of
borderless networks, has changed this analogy to the “security artichoke”, which
benefits the threat actor. Threat actors no longer have to peel away each layer. They
only need to remove certain “artichoke leaves.” To validate the security of a network
and its systems, many network penetration testing tools have been developed.
Categories of these tools include password crackers, wireless hacking tools, network
scanning and hacking tools, packet crafting tools, packet sniffers, rootkit detectors,
fuzzers to search for vulnerabilities, forensic tools, debuggers, hacking operating
systems, encryption tools, vulnerability exploitation tools, and vulnerability scanners.
Threat intelligence services allow the exchange of threat information such as
vulnerabilities, IOCs, and mitigation techniques. One such service is the Cisco Talos
Threat Intelligence Group.
Mitigating Common Network Attacks
The following best practices are used for securing a network: develop a written
security policy, educate employees, control physical access to systems, use strong
passwords and change them often, encrypt and password-protect sensitive data,
implement security hardware and software, perform backups and test the backed-up
files, shut down unnecessary services and ports, keep patches up-to-date, and perform
security audits and tests. Network administrators have several means of mitigating
malware attacks. The primary means of mitigating virus and Trojan horse attacks is
antivirus software, the most widely deployed security product on the market today.
However, they do not prevent viruses from entering the network, so a network
security professional must be aware of the major viruses and keep track of security
updates regarding emerging viruses. Worms are more network-based than viruses. The
response to a worm attack can be broken down into four phases: containment,
inoculation, quarantine, and treatment. Reconnaissance attacks are typically the
precursor to additional attacks, with the intent of gaining unauthorized access to a
network or disrupting network functionality. A network security professional can
detect when a reconnaissance attack is underway by receiving notifications from
preconfigured alarms. Reconnaissance attacks can be mitigated in several ways,
including the following: implement authentication to ensure proper access, use
encryption to render packet sniffer attacks useless, use anti-sniffer tools to detect
packet sniffer attacks, implement a switched infrastructure, and use a firewall and IPS.
Encryption is also effective for mitigating packet sniffer attacks. Several techniques are
available for mitigating access attacks. These include strong password security,
the principle of minimum trust, cryptography, and applying operating system and application
patches. To minimize the number of DoS attacks, a network utilization software
package should be running at all times. DoS attacks could be a component of a larger
offensive. DoS attacks can lead to problems in the network segments of the computers
being attacked. Historically, many DoS attacks were sourced from spoofed addresses.
Cisco routers and switches support a number of antispoofing technologies, such as
port security, DHCP snooping, IP Source Guard, Dynamic ARP Inspection, and ACLs.
Cisco Network Foundation Protection Framework
The Cisco NFP framework provides comprehensive guidelines for protecting the
network infrastructure. These guidelines form the foundation for continuous delivery
of service. NFP logically divides routers and switches into three functional areas:
control plane, management plane, and data plane (forwarding plane). Control plane
security can be implemented using the following features: routing protocol
authentication, CoPP, and AutoSecure. CoPP is designed to prevent unnecessary traffic
from overwhelming the route processor. The management module was built with
several technologies designed to mitigate risks from threat actors. Management plane
security can be implemented using the following features: login and password policy,
present legal notification, ensure the data confidentiality, RBAC, authorize actions, and
enable management access reporting. Data plane security can be implemented using
ACLs, antispoofing mechanisms, and Layer 2 security features. ACLs are used to secure
the data in a variety of ways including: blocking unwanted traffic or users, reducing the
chance of DoS attacks, mitigating spoofing attacks, providing bandwidth control,
classifying traffic to protect the Management and Control planes. ACLs can also be
used as an antispoofing mechanism by discarding traffic that has an invalid source
address. Features such as uRPF can be used to complement the antispoofing strategy.
The following Layer 2 security tools are integrated into the Cisco Catalyst switches:
port security, DHCP snooping, DAI, and IPSG.
3.6.2 Module 3 - Mitigating Threats Quiz
Question 1
What is the primary means for mitigating virus and Trojan horse attacks?
Antivirus software
Encryption
Antisniffer software
Blocking ICMP echo and echo-replies
Question 2
What three items are components of the CIA triad? (Choose three.)
Access
Integrity
Scalability
Availability
Confidentiality
Intervention
Question 3
Which security implementation will provide control plane protection for a network
device?
Routing protocol authentication
Encryption for remote access connections
NTP for consistent timestamps on logging messages
AAA for authenticating management access
Question 4
What threat intelligence group provides blogs and podcasts to help network security
professionals remain effective and up-to-date?
FireEye
Talos
CybOX
Mitre
Question 5
Which section of a security policy is used to specify that only authorized individuals
should have access to enterprise data?
Statement of scope
Statement of authority
Internet access policy
Acceptable use policy
Campus access policy
Identification and authentication policy
Question 6
What worm mitigation phase involves actively disinfecting infected systems?
Quarantine
Inoculation
Treatment
Containment
Question 7
With the evolution of borderless networks, which vegetable is now used to describe
a defense-in-depth approach?
Artichoke
Lettuce
Onion
Cabbage
Question 8
How does BYOD change the way in which businesses implement networks?
BYOD requires organizations to purchase laptops rather than desktops.
BYOD users are responsible for their own network security, thus reducing the need for
organizational security policies.
BYOD devices are more expensive than devices that are purchased by an organization.
BYOD provides flexibility in where and how users can access network resources.
Question 9
What functional area of the Cisco Network Foundation Protection framework uses
protocols such as Telnet and SSH to manage network devices?
Data plane
Management plane
Control plane
Forwarding plane
Question 10
What security tool allows a threat actor to hack into a wireless network and detect
security vulnerabilities?
NMap
SuperScan
KisMac
Click fuzzers
Question 11
What is the primary function of SANS?
To maintain the Internet Storm Center
To maintain the list of common vulnerabilities and exposures (CVE)
To foster cooperation and coordination in information sharing, incident prevention,
and rapid reaction
To provide vendor neutral education products and career services
Question 12
What method can be used to mitigate ping sweeps?
Blocking ICMP echo and echo-replies at the network edge
Deploying antisniffer software on all network devices
Using encrypted or hashed authentication protocols
Installing antivirus software on hosts
What steps do you take to configure secure administrative access? How can you
configure enhanced security for virtual logins? Keep reading to learn more!
4.0.2 What Will I Learn in this Module?
Module Title: Secure Device Access
Module Objective: Configure secure administrative access.
Topic Title - Topic Objective
Secure the Edge Router - Explain how to secure a network perimeter.
Configure Secure Administrative Access - Use the correct commands to configure passwords on a Cisco IOS device.
Configure Enhanced Security for Virtual Logins - Use the correct commands to configure enhanced security for virtual logins.
Configure SSH - Configure an SSH daemon for secure remote management.
4.1 Secure the Edge Router
4.1.1 Secure the Network Infrastructure
Securing the network infrastructure is critical to overall network security. The network
infrastructure includes routers, switches, servers, endpoints, and other devices.
Consider a disgruntled employee casually looking over the shoulder of a network
administrator while the administrator is logging into an edge router. It is a surprisingly
easy way for an attacker to gain unauthorized access.
If an attacker gains access to a router, the security and management of the entire
network can be compromised. For example, an attacker can erase the startup
configuration and make the router reload in five minutes. When the router reboots,
it will not have a startup configuration.
To prevent unauthorized access to all infrastructure devices, appropriate security
policies and controls must be implemented. Routers are a primary target for attacks
because these devices act as traffic police, which direct traffic into, out of, and
between networks.
The edge router shown in the figure is the last router between the internal network
and an untrusted network, such as the internet. All of an organization’s internet traffic
goes through an edge router, which often functions as the first and last line of defense
for a network. The edge router helps to secure the perimeter of a protected network
and implements security actions that are based on the security policies of the
organization. For these reasons, securing network routers is imperative.
4.1.2 Edge Router Security Approaches
The edge router implementation varies depending on the size of the organization and
the complexity of the required network design. Router implementations can include a
single router protecting an entire inside network or a router functioning as the first line
of defense in a defense-in-depth approach. Simplified topologies for the three
approaches are shown in the figure.
Defense-in-Depth Approach
A defense-in-depth approach is more secure than the single router approach. It uses
multiple layers of security prior to traffic entering the protected LAN. There are three
primary layers of defense: the edge router, the firewall, and an internal router that
connects to the protected LAN. The edge router acts as the first line of defense and is
known as a screening router. After performing initial traffic filtering, the edge router
passes all connections that are intended for the internal LAN to the second line of
defense, which is the firewall.
The firewall typically picks up where the edge router leaves off and performs additional
filtering. It provides additional access control by tracking the state of the connections
and acts as a checkpoint device. By default, the firewall denies the initiation of
connections from the outside (untrusted) networks to the inside (trusted) network.
However, it allows internal users to establish connections to the untrusted networks
and permits the responses to come back through the firewall. It can also perform user
authentication (authentication proxy) in which users must be authenticated to gain
access to network resources.
Routers are not the only devices that can be used in a defense-in-depth approach.
Other security tools, such as intrusion prevention systems (IPSs), web security
appliances (proxy servers), and email security appliances (spam filtering) can also be
implemented.
DMZ Approach
A variation of the defense-in-depth approach is shown in the figure. This approach
includes an intermediate area, often called the demilitarized zone (DMZ). The DMZ can
be used for servers that must be accessible from the internet or some other external
network. The DMZ can be set up between two routers, with an internal router
connecting to the protected network and an external router connecting to the
unprotected network. Alternatively, the DMZ can simply be an additional port off of a
single router. The firewall is located between the protected and unprotected
networks. The firewall is set up to permit the required connections, such as HTTP, from
the outside (untrusted) networks to the public servers in the DMZ. The firewall serves
as the primary protection for all devices in the DMZ.
4.1.3 Three Areas of Router Security
Securing the edge router is a critical first step in securing the network. If there are
other internal routers, they also must be securely configured. Three areas of router
security must be maintained.
Physical Security
Provide physical security for the routers:
Place the router and physical devices that connect to it in a secure locked room
that is accessible only to authorized personnel, is free of electrostatic or magnetic
interference, has fire suppression, and has temperature and humidity controls.
Install an uninterruptible power supply (UPS) or diesel backup power generator.
Use redundant power supplies in network devices if possible. This reduces the
possibility of a network outage from power loss or failed power equipment.
Operating System Security
There are a few procedures involved in securing the features and performance of
router operating systems:
Equip routers with the maximum amount of memory possible. The availability of
memory can help mitigate risks to the network from some denial of service (DoS)
attacks while supporting the widest range of security services.
Use the latest, stable version of the operating system that meets the feature
specifications of the router or network device. Security and encryption features in
an operating system are improved and updated over time, which makes it critical
to have the most up-to-date version.
Keep a secure copy of router operating system images and router configuration
files as backups.
Router Hardening
Eliminate potential abuse of unused ports and services:
Secure administrative control. Ensure that only authorized personnel have access
and that their level of access is controlled.
Disable unused ports and interfaces. Reduce the number of ways a device can be
accessed.
Disable unnecessary services. Similar to many computers, a router has services that
are enabled by default. Some of these services are unnecessary and can be used by
an attacker to gather information about the router and the network. This
information can then be used in an exploitation attack.
4.1.4 Secure Administrative Access
Securing administrative access is an extremely important security task. If an
unauthorized person gains administrative access to a router, that person could alter
routing parameters, disable routing functions, or discover and gain access to other
systems within the network.
Several important tasks are involved in securing administrative access to an
infrastructure device:
Restrict device accessibility - Limit the accessible ports, restrict the permitted
communicators, and restrict the permitted methods of access.
Log and account for all access - Record anyone who accesses a device, what
happened during the access, and when the access occurred for auditing purposes.
Authenticate access - Ensure that access is granted only to authenticated users,
groups, and services. Limit the number of failed login attempts and the time
allowed between logins.
Authorize actions - Restrict the actions and views permitted by any particular user,
group, or service.
Present legal notification - Display a legal notice, which should be developed with
company legal counsel, for different types of access to the device.
Ensure the confidentiality of data - Protect locally stored and sensitive data from
being viewed and copied. Consider the vulnerability of data in transit over a
communication channel to sniffing, session hijacking, and man-in-the-middle
(MITM) attacks.
4.1.5 Secure Local and Remote Access
A router can be accessed for administrative purposes locally or remotely:
Local access - All network infrastructure devices can be accessed locally. Local
access to a router usually requires a direct connection to a console port on the
Cisco router, and using a computer that is running terminal emulation software, as
shown in the figure. The administrator must have physical access to the router and
use a console cable to connect to the console port. Local access is typically used for
initial configuration of the device.
Remote access - Administrators can also access infrastructure devices remotely, as
shown in the figure. Although the aux port option is available, the most common
remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP
connections to the router from a computer. The computer can be on the local
network or a remote network. However, if network connectivity to the device is
down, the only way to access it might be over telephone lines.
Administrative Access Methods
The figure shows the local access method using a serial connection, the remote access
using SSH method, and the remote access using modem and aux port method using a
serial connection over telephone lines.
Some remote access protocols send data, including usernames and passwords, to the
router in plaintext. If an attacker can collect network traffic while an administrator is
remotely logging in to a router, the attacker can capture passwords or router
configuration information. For this reason, it is preferable to allow only local access to
the router. However, in some situations, remote access might still be necessary.
Precautions should be taken when accessing the network remotely:
Encrypt all traffic between the administrator computer and the router. For
example, instead of using Telnet, use SSH version 2; or instead of using HTTP, use
HTTPS.
Establish a dedicated management network. The management network should
include only identified administration hosts and connections to a dedicated
interface on the router. Access to this network can be strictly controlled.
Configure a packet filter to allow only the identified administration hosts and
preferred protocols to access the router. For example, permit only SSH requests
from the IP address of an administration host to initiate a connection to the routers
in the network.
Configure and establish a VPN connection to the local network before connecting
to a router management interface.
These precautions are valuable, but they do not protect the network completely. Other
methods of defense must also be implemented. One of the most basic and important
methods is the use of secure passwords.
4.2 Configure Secure Administrative Access
4.2.1 Passwords
To protect network devices, it is important to use strong passwords. Here are standard
guidelines to follow:
Use a password length of at least eight characters, preferably 10 or more
characters. A longer password is a more secure password.
Make passwords complex. Include a mix of uppercase and lowercase letters,
numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number
sequences, usernames, relative or pet names, biographical information, such as
birthdates, ID numbers, ancestor names, or other easily identifiable pieces of
information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security
= 5ecur1ty.
Change passwords often. If a password is unknowingly compromised, the window
of opportunity for the threat actor to use the password is limited.
Do not write passwords down and leave them in obvious places such as on the
desk or monitor.
The tables show examples of strong and weak passwords.
Weak Password - Why it is Weak
secret - Simple dictionary password
smith - Maiden name of mother
toyota - Make of a car
bob1967 - Name and birthday of the user
Blueleaf23 - Simple words and numbers
Strong Password - Why it is Strong
b67n42d39c - Combines alphanumeric characters
12^h u4@1p7 - Combines alphanumeric characters, symbols, and includes a space
On Cisco routers, leading spaces are ignored for passwords, but spaces after the first
character are not. Therefore, one method to create a strong password is to use the
space bar and create a phrase made of many words. This is called a passphrase. A
passphrase is often easier to remember than a simple password. It is also longer and
harder to guess.
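The guidelines above can be turned into an automated check. The following Python script is an added example and is not part of the Cisco course material: it scores a candidate password against the length, character-mix, dictionary-word, repetition, sequence and birthdate rules listed in this section, and warns when a password begins with a space, because Cisco IOS ignores leading spaces. The WORDLIST, the CLASSES table and the sample passwords are constructed for the demonstration; a real deployment would load a full dictionary and name list.

```python
import re

# Constructed mini word list standing in for a real dictionary/name list.
WORDLIST = {"secret", "smith", "toyota", "bob", "password", "cisco",
            "blue", "leaf", "admin"}

# Character classes the guidelines ask you to mix.
CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol or space": lambda c: not c.isalnum(),
}


def has_sequence(pw, n=3):
    """True if pw contains n consecutive letters/digits in ascending or
    descending order, e.g. 'abc' or '321'."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if not chunk.isalnum():
            continue
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw):
    """Return a verdict plus the guideline failures and warnings for pw."""
    failures, warnings = [], []

    # Length: at least eight characters, preferably ten or more.
    if len(pw) < 8:
        failures.append(f"only {len(pw)} characters; at least 8 required")
    elif len(pw) < 10:
        warnings.append("8-9 characters; 10 or more is preferred")

    # Complexity: mix of uppercase, lowercase, digits, symbols and spaces.
    present = {name for name, test in CLASSES.items() if any(test(c) for c in pw)}
    if len(present) < 2:
        failures.append("uses a single character class")
    elif len(present) < 3:
        warnings.append("only " + " and ".join(sorted(present)) + "; add symbols or spaces")

    # Dictionary words, names and similar (case-insensitive substring match).
    hits = sorted(w for w in WORDLIST if w in pw.lower())
    if hits:
        failures.append("contains dictionary word(s): " + ", ".join(hits))

    # Repetition, sequences and biographical numbers.
    if re.search(r"(.)\1\1", pw):
        failures.append("repeats one character three or more times in a row")
    if has_sequence(pw):
        failures.append("contains a letter or number sequence")
    if re.search(r"(?:19|20)\d\d", pw):
        failures.append("contains a year-like number (possible birthdate)")

    # Cisco IOS drops leading spaces, so the stored password is shorter.
    if pw.startswith(" "):
        warnings.append("leading spaces are ignored by Cisco IOS; the effective "
                        "password is " + repr(pw.lstrip()))

    return {"verdict": "weak" if failures else "strong",
            "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("secret", "bob1967", "Blueleaf23", "b67n42d39c", "12^h u4@1p7"):
        result = check_password(candidate)
        print(f"{candidate!r:16} {result['verdict']:6} {result['failures'] or result['warnings']}")
```

Run against the table above, the five weak examples each fail at least one rule and the two strong ones pass; b67n42d39c passes with a warning because it mixes only letters and digits.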
Password Managers
Use a password manager to secure passwords for your online internet activity.
Considered to be the best practice to secure passwords, the password manager
automatically generates complex passwords for you and will automatically enter them
when you access those sites. You only have to enter a primary password to enable this
feature.
Multi-Factor Authentication
Use multi-factor authentication when available. This means that authentication
requires two or more independent means of verification. For example, when you enter
a password, you would also have to enter a code that is sent to you through email or
text message.
4.2.2 Configure Passwords
When you initially connect to a device, you are in user EXEC mode. This mode is
secured using the console.
To secure user EXEC mode access, enter line console configuration mode using the line
console 0 global configuration command, as shown in the example. The zero is used to
represent the first (and in most cases the only) console interface. Next, specify the user
EXEC mode password using the password password command. Finally, enable user
EXEC access using the login command.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line console 0
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#
Console access will now require a password before allowing access to the user EXEC
mode.
To have administrator access to all IOS commands including configuring a device, you
must gain privileged EXEC mode access. It is the most important access method
because it provides complete access to the device.
To secure privileged EXEC access, use the enable secret password global config
command, as shown in the example.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# enable secret class
Sw-Floor-1(config)# exit
Sw-Floor-1#
Virtual terminal (VTY) lines enable remote access using Telnet or SSH to the device.
Many Cisco switches support up to 16 VTY lines that are numbered 0 to 15. Most
routers support four VTY lines that are numbered 0 to 4. In this example, we are
configuring an access layer switch.
To secure VTY lines, enter line VTY mode using the line vty 0 15 global config
command. Next, specify the VTY password using the password password command.
Last, enable VTY access using the login command.
An example of securing the VTY lines on a switch is shown.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line vty 0 15
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#
4.2.3 Encrypt Passwords
Strong passwords are only useful if they are secret. There are several steps that can be
taken to help ensure that passwords remain secret on a Cisco router and switch
including these:
Encrypting all plaintext passwords
Setting a minimum acceptable password length
Deterring brute-force password guessing attacks
Disabling an inactive privileged EXEC mode access after a specified amount of time.
The startup-config and running-config files display most passwords in plaintext. This is
a security threat because anyone can discover the passwords if they have access to
these files.
To encrypt all plaintext passwords, use the service password-encryption global config
command as shown in the example.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# service password-encryption
Sw-Floor-1(config)#
The command applies weak encryption to all unencrypted passwords. This encryption
applies only to passwords in the configuration file, not to passwords as they are sent
over the network. The purpose of this command is to keep unauthorized individuals
from viewing passwords in the configuration file.
Use the show running-config command to verify that passwords are now encrypted.
Sw-Floor-1(config)# end
Sw-Floor-1# show running-config
!
(Output omitted)
!
line con 0
password 7 094F471A1A0A
login
!
line vty 0 4
password 7 094F471A1A0A
login
line vty 5 15
password 7 094F471A1A0A
login
!
!
end
4.2.4 Additional Password Security
As shown in the sample configuration, the service password-encryption global
configuration command prevents unauthorized individuals from viewing plaintext
passwords in the configuration file. This command encrypts all plaintext passwords.
Notice in the example, that the password "cisco" has been encrypted as
"094F471A1A0A".
To ensure that all configured passwords are a minimum of a specified length, use
the security passwords min-length length command in global configuration mode.
Threat actors may use password cracking software to conduct a brute-force attack on a
network device. This attack continuously attempts to guess the valid passwords until
one works. Use the login block-for seconds attempts number within seconds global
configuration command to deter this type of attack.
Network administrators can become distracted and accidentally leave a privileged EXEC
mode session open on a terminal. This could give an internal threat actor the access
needed to change or erase the device configuration. By default, Cisco routers log out an
EXEC session after 10 minutes of inactivity. However, you can reduce this setting using
the exec-timeout minutes seconds line configuration command. This command can be
applied on the console, auxiliary, and vty lines.
For example, the following commands configure:
All plaintext passwords are encrypted.
New configured passwords must be eight characters or more.
If there are more than three failed VTY login attempts within 60 seconds, then
lock out the VTY lines for 120 seconds.
Set the router to automatically disconnect an inactive user on a VTY line if the line
has been idle for 5 minutes and 30 seconds.
R1(config)# service password-encryption
R1(config)# security passwords min-length 8
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# line vty 0 4
R1(config-line)# password cisco123
R1(config-line)# exec-timeout 5 30
R1(config-line)# transport input ssh
R1(config-line)# end
R1#
R1# show running-config | section line vty
line vty 0 4
password 7 094F471A1A0A
exec-timeout 5 30
login
transport input ssh
R1#
4.2.5 Secret Password Algorithms
MD5 hashes are no longer considered secure because attackers can reconstruct valid
certificates. This can allow attackers to spoof any website. The enable
secret password command shown in the figure uses an MD5 hash by default.
Therefore, it is now recommended that you configure all secret passwords using either
type 8 or type 9 passwords. Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M.
Type 8 and type 9 use SHA encryption. Because type 9 is slightly stronger than type 8,
it will be used throughout this course whenever it is allowed by the Cisco IOS.
R1(config)# enable secret cisco12345
R1(config)# do show run | include enable
enable secret 5 $1$cam7$99EfzkvmJ5h1gEbryLVRy.
R1(config)# enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies a MD5 HASHED secret will follow
8 Specifies a PBKDF2 HASHED secret will follow
9 Specifies a SCRYPT HASHED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
R1(config)# line con 0
R1(config-line)# password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) line password
R1(config-line)#
The figure shows that configuring type 9 encryption is not as easy as it may appear.
You cannot simply enter enable secret 9 and the unencrypted password. To use this
form of the command, you must paste in the encrypted password, which can be
copied from another router configuration.
R1(config)# enable secret 9 cisco12345
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
R1(config)# enable secret 9
$9$HZWdzLHwhPtZ3U$D9OlUDSGvBy.m8Tf9vCGDJRcYy8zIMbyRJgtxgRkwzY
R1(config)#
To enter an unencrypted password, use the enable algorithm-type command syntax:
Router(config)# enable algorithm-type { md5 | scrypt | sha256 } secret unencrypted-password
Algorithm Keyword - Description
md5 - Type 5; selects the message digest algorithm 5 (MD5) as the hashing algorithm.
scrypt - Type 9; selects scrypt as the hashing algorithm.
sha256 - Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm.
An example configuration is shown in the figure. Notice that the running configuration
now shows a type 9 enable secret password.
R1(config)# enable algorithm-type ?
md5 Encode the password using the MD5 algorithm
scrypt Encode the password using the SCRYPT hashing algorithm
sha256 Encode the password using the PBKDF2 hashing algorithm
R1(config)# enable algorithm-type scrypt ?
secret Assign the privileged level secret (MAX of 25 characters)
R1(config)# enable algorithm-type scrypt secret cisco12345
R1(config)# do show run | include enable
enable secret 9 $9$Gyk9x3Ve4c0n5k$8.cR3yReBduzHymEyCOcErgPKW8MSKokRN9KjEg4WQA
R1(config)#
Type 8 and type 9 encryption was also introduced in Cisco IOS 15.3(3)M for
the username secret command. Similar to the enable secret command, if you simply
enter a user with the username secret command, the default encryption will be MD5.
Use the username name algorithm-type command to specify type 9 encryption. The
syntax is shown followed by an example.
Router(config)# username name algorithm-type { md5 | scrypt | sha256 } secret unencrypted-password
R1(config)# username Bob secret cisco54321
R1(config)# do show run | include username
username Bob privilege 15 secret 5 $1$lmBB$UjOC6JA4f1WgI3/La8wGz/
R1(config)#
R1(config)# username Bob algorithm-type scrypt secret cisco54321
R1(config)# do show run | include username
username Bob privilege 15 secret 9 $9$9FkS.zTuLs89pk$v5P2y.M6reR18lS92moKHdFauk8joK0xHICXxGDuurs
R1(config)#
For backwards compatibility reasons, the enable password, username password,
and line password commands are available in the Cisco IOS. These commands use no
encryption by default. At best, they can only use type 7 encryption, as shown in the
figure. Therefore, these commands will not be used in this course.
R1(config)# enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
R1(config)# username Bob password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
R1(config)# line con 0
R1(config-line)# password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) line password
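The settings from sections 4.2.3 to 4.2.5 can be checked mechanically against a saved copy of show running-config. The following Python script is an added example, not part of the Cisco course and not Cisco IOS code: it parses the configuration text, then reports plaintext or type 7 line passwords, enable password and username password commands, type 5 (MD5) secrets where type 9 would be preferred, a missing service password-encryption, min-length or login block-for, a missing or disabled exec-timeout, and VTY lines that still accept Telnet. Both sample configurations are constructed for the demonstration; the $9$ value in the hardened one is a placeholder, not a real scrypt hash.

```python
import re


def parse_config(text):
    """Split show running-config text into global commands and the sub-commands of each 'line ...' section."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blanks and "!" separators
        if raw.startswith("line "):
            current = raw[5:].strip()     # e.g. "con 0", "vty 0 4"
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_config(text):
    """Return 'SEVERITY: message' findings for the password and session settings of sections 4.2.3 to 4.2.5."""
    global_cmds, sections = parse_config(text)
    g = "\n".join(global_cmds)
    out = []
    if not re.search(r"^service password-encryption$", g, re.M):
        out.append("HIGH: service password-encryption is off; line passwords are stored in plaintext")
    m = re.search(r"^security passwords min-length (\d+)$", g, re.M)
    if m is None:
        out.append("MEDIUM: no security passwords min-length configured")
    elif int(m.group(1)) < 8:
        out.append(f"MEDIUM: min-length {m.group(1)} is below the 8-character guideline")
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+$", g, re.M):
        out.append("MEDIUM: no login block-for; repeated failed logins are not slowed down")
    if re.search(r"^enable password ", g, re.M):
        out.append("HIGH: enable password is configured (type 0/7 at best); use enable secret")
    m = re.search(r"^enable secret (\d) ", g, re.M)
    if m is None:
        out.append("HIGH: no enable secret configured")
    elif m.group(1) == "5":
        out.append("MEDIUM: enable secret is type 5 (MD5); prefer algorithm-type scrypt (type 9)")
    for m in re.finditer(r"^username (\S+)(?: privilege \d+)? (password|secret) (\d) ", g, re.M):
        user, kind, typ = m.groups()
        if kind == "password":
            out.append(f"HIGH: username {user} uses 'password' (type {typ}); use algorithm-type scrypt secret")
        elif typ == "5":
            out.append(f"MEDIUM: username {user} secret is type 5 (MD5); prefer type 9")
    for name, cmds in sections.items():
        if not name.startswith(("con", "aux", "vty")):
            continue
        tag = f"line {name}"
        pw = next((c for c in cmds if c.startswith("password ")), None)
        if pw is not None and not pw.startswith("password 7 "):
            out.append(f"HIGH: {tag} has a plaintext line password")
        elif pw is not None:
            out.append(f"LOW: {tag} uses a type 7 line password; prefer login local with type 9 secrets")
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None:
            out.append(f"LOW: {tag} relies on the default 10-minute exec-timeout")
        elif all(int(x) == 0 for x in timeout.split()[1:]):
            out.append(f"HIGH: {tag} has exec-timeout 0; idle sessions never expire")
        if name.startswith("vty"):
            ti = next((c for c in cmds if c.startswith("transport input ")), None)
            if ti is None:
                out.append(f"MEDIUM: {tag} does not restrict transport input")
            elif any(p in ("telnet", "all") for p in ti.split()[2:]):
                out.append(f"HIGH: {tag} accepts Telnet, which carries credentials in plaintext")
    return out


# Constructed sample: a device left with line passwords and Telnet enabled.
WEAK_CONFIG = """\
enable password cisco
username admin privilege 15 password 0 cisco123
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
end
"""

# Constructed sample applying this module's commands; the $9$ value is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
enable secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
username ADMIN privilege 15 secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
line con 0
 exec-timeout 3 0
 login local
line vty 0 4
 exec-timeout 5 30
 login local
 transport input ssh
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *audit_config(cfg), sep="\n  ")
```

The script expects the text exactly as show running-config prints it (sub-commands indented by one space, username lines carrying an explicit type digit), so feed it saved output rather than hand-typed commands.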
4.2.6 Syntax Checker - Secure Administrative Access on R2
In this Syntax Checker activity, you will configure secure administrative access on R2.
Encrypt all passwords
R2(config)#service password-encryption
Set the minimum password length to 10 characters.
R2(config)#security passwords min-length 10
Create the user account JR-ADMIN with a secret password of cisco12345 using the
SCRYPT hashing algorithm.
R2(config)#username JR-ADMIN algorithm-type scrypt secret cisco12345
Create the user account ADMIN with a secret password of cisco54321 using the
SCRYPT hashing algorithm.
R2(config)#username ADMIN algorithm-type scrypt secret cisco54321
Configure the console line using the following instructions:
Set the executive timeout to 3 minutes on the console line.
Set the console line to use the local database for authentication.
After configuration, exit line configuration mode.
R2(config)#line console 0
R2(config-line)#exec-timeout 3 0
R2(config-line)#login local
R2(config-line)#exit
Configure the vty lines using the following instructions:
Set the executive timeout to 3 minutes on the VTY lines.
Set the VTY lines to use the local database for authentication.
R2(config)#line vty 0 4
R2(config-line)#exec-timeout 3 0
R2(config-line)#login local
Return to privileged EXEC mode. Display the running-config and filter it to include
only the lines with username to verify the user account configurations.
R2(config-line)#end
*Mar 3 08:25:09.868: %SYS-5-CONFIG_I: Configured from console by console
R2#show running-config | include username
username JR-ADMIN secret 9 $9$IznnuC6.5I0YmE$e8kvyaOBRuem54LJIhdAom8pQw3xGkGPeoEbNYU9BnY
username ADMIN secret 9 $9$.9hhYsuBDAaF3.$k5fhqvneSfOa.0ms89TjQX1ant9W3l09zLJjAHAERaU
R2#
You successfully secured administrative access on R2.
4.3 Configure Enhanced Security for Virtual Logins
4.3.1 Enhance the Login Process
Assigning passwords and local authentication does not prevent a device from being
targeted for attack. The Cisco IOS login enhancements provide more security by
slowing down attacks, such as dictionary attacks and DoS attacks. Enabling a detection
profile allows you to configure a network device to react to repeated failed login
attempts by refusing further connection requests (or login blocking). This block can be
configured for a period of time, which is called a quiet period. Access control lists
(ACLs) can be used to permit legitimate connections from addresses of known system
administrators.
Banners are disabled by default and must be explicitly enabled. Use the banner global
configuration mode command to specify appropriate messages.
Router(config)# banner { motd | exec | login } delimiter message delimiter
Banners protect the organization from a legal perspective. Choosing the appropriate
wording to place in banner messages is important and should be reviewed by legal
counsel before being placed on network routers. Never use the word welcome or any
other familiar greeting that may be misconstrued as an invitation to use the network.
The following is an example of an appropriate banner.
This equipment is privately owned and access
is logged. Disconnect immediately if you are
not an authorized user. Violators will be
prosecuted to the fullest extent of the law.
User Access Verification:
Username:
4.3.2 Configure Login Enhancement Features
The Cisco IOS login enhancements commands, which are shown below, increase the
security of virtual login connections.
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]
The figure shows an example configuration. The login block-for command can defend
against DoS attacks by disabling logins after a specified number of failed login
attempts. The login quiet-mode command maps to an ACL that identifies the
permitted hosts. This ensures that only authorized hosts can attempt to log in to the
router. The login delay command specifies a number of seconds the user must wait
between unsuccessful login attempts. The login on-success and login on-failure
commands log successful and unsuccessful login attempts.
These login enhancements do not apply to console connections. When dealing with
console connections, it is assumed that only authorized personnel have physical access
to the devices.
Note: These login enhancements can only be enabled if the local database is used for
authentication for local and remote access. If the lines are configured for password
authentication only, then the enhanced login features are not enabled.
R1(config)# login block-for 15 attempts 5 within 60
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# remark Permit only Administrative hosts
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# permit 192.168.11.10
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class PERMIT-ADMIN
R1(config)# login delay 10
R1(config)# login on-success log
R1(config)# login on-failure log
R1(config)#
4.3.3 Enable Login Enhancements
To help a Cisco IOS device provide DoS detection, use the login block-for command. All
other login enhancement features are disabled until the login block-for command is
configured.
Specifically, the login block-for command monitors login device activity and operates
in two modes:
Normal mode - This is also known as watch mode. The router keeps count of the
number of failed login attempts within an identified amount of time.
Quiet mode - This is also known as the quiet period. If the number of failed logins
exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP
are denied for the time specified in the login block-for command.
When quiet mode is enabled, all login attempts, including valid administrative access,
are not permitted. However, to provide critical hosts, such as specific administrative
hosts access at all times, this behavior can be overridden using an ACL. The ACL is
created and identified using the login quiet-mode access-class command. Only the
hosts identified in the ACL have access to the device during quiet mode.
The example in the figure shows a configuration that uses an ACL that is named
PERMIT-ADMIN. Hosts that match the PERMIT-ADMIN conditions are exempt from
quiet mode.
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# remark Permit only Administrative hosts
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# permit 192.168.11.10
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class PERMIT-ADMIN
When implementing the login block-for command, a one-second delay between login
attempts is automatically invoked. To make it more difficult for an attacker, the delay
time between login attempts can be increased using the login delay seconds command,
as shown in the figure. The command introduces a uniform delay between successive
login attempts. The delay occurs for all login attempts, including failed or successful
attempts. The example configures a delay of three seconds between successive login
attempts.
This command helps mitigate dictionary attacks. It is an optional command. If it is not
set, a default delay of one second is enforced after the login block-for command is
configured.
The login block-for, login quiet-mode access-class and login delay commands help
block failed login attempts for a limited period of time. However, they cannot prevent
an attacker from trying again. How can an administrator know when someone tries to
gain access to the network by guessing the password?
R1(config)# login delay 3
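The block-for, quiet-mode ACL and delay behaviour described in 4.3.2 and 4.3.3, modelled in Python as an added example (not Cisco code): the class tracks the watch window, enters quiet mode when the configured failure count is reached, exempts the hosts named in the quiet-mode ACL, enforces the login delay, and reports a show login-style status. The exact trigger condition and the handling of the delay are assumptions, stated in the docstring.

```python
"""Model of the Cisco IOS login-enhancement behaviour (added example, not IOS code).

Commands modelled, with the values used on this page:
    login block-for 15 attempts 5 within 60
    login quiet-mode access-class PERMIT-ADMIN   (hosts exempt from quiet mode)
    login delay 10
Assumptions: quiet mode begins as soon as the configured number of failures
is reached inside one watch window; the window opens at the first failure and
is discarded after 'within' seconds; the login delay is modelled as refusing
an attempt that arrives too early, whereas IOS simply withholds the prompt.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LoginGuard:
    block_for: int                                          # seconds in quiet mode
    attempts: int                                           # failures that trigger it
    within: int                                             # watch-window length (s)
    delay: int = 1                                          # IOS default once block-for is set
    exempt_hosts: List[str] = field(default_factory=list)   # the quiet-mode ACL
    failures: List[float] = field(default_factory=list)     # failure times in current window
    quiet_until: Optional[float] = None
    last_attempt: Optional[float] = None
    total_failures: int = 0
    events: List[str] = field(default_factory=list)         # what syslog would receive

    def mode(self, now: float) -> str:
        if self.quiet_until is not None and now < self.quiet_until:
            return "Quiet-Mode"
        return "Normal-Mode"

    def _expire_window(self, now: float) -> None:
        # the watch window is anchored at the first failure it contains
        if self.failures and now - self.failures[0] >= self.within:
            self.failures = []

    def attempt(self, now: float, source: str, credentials_ok: bool) -> str:
        """Return 'allowed', 'failed', 'denied-quiet' or 'denied-delay'."""
        self._expire_window(now)
        # quiet mode refuses every login except from hosts permitted by the ACL
        if self.mode(now) == "Quiet-Mode" and source not in self.exempt_hosts:
            return "denied-quiet"
        # the uniform delay applies to every attempt, successful or failed
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            return "denied-delay"
        self.last_attempt = now
        if credentials_ok:
            self.events.append(f"LOGIN_SUCCESS [Source: {source}]")
            return "allowed"
        self.total_failures += 1
        self.failures.append(now)
        self.events.append(f"LOGIN_FAILED [Source: {source}]")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []            # the quiet period closes the window
            self.events.append(f"QUIET_MODE_ON [Source: {source}]")
        return "failed"

    def show_login(self, now: float) -> Dict[str, object]:
        """Roughly what 'show login' reports at time 'now'."""
        self._expire_window(now)
        status: Dict[str, object] = {"mode": self.mode(now),
                                     "total_failures": self.total_failures}
        if status["mode"] == "Quiet-Mode":
            status["quiet_remaining"] = int(self.quiet_until - now)
        else:
            elapsed = now - self.failures[0] if self.failures else 0
            status["time_remaining"] = int(self.within - elapsed)
            status["failures_in_window"] = len(self.failures)
        return status


if __name__ == "__main__":
    guard = LoginGuard(block_for=15, attempts=5, within=60, delay=10,
                       exempt_hosts=["192.168.10.10"])
    for t in (0, 10, 20, 30, 40):                   # five failures from one host
        guard.attempt(t, "10.10.10.10", False)
    print(guard.show_login(41))                     # Quiet-Mode, 14 s remaining
    print(guard.attempt(41, "10.10.10.10", True))   # denied-quiet
    print(guard.attempt(52, "192.168.10.10", True)) # allowed: ACL-exempt host
```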
4.3.4 Log Failed Attempts
There are three commands that can be configured to help an administrator detect a
password attack, as shown in the figure. Each command enables a device to generate
syslog messages for failed or successful login attempts.
The first two commands, login on-success log and login on-failure log, generate syslog
messages for successful and unsuccessful login attempts. The number of login
attempts before a logging message is generated can be specified using the
[every login] syntax, where the default login value is 1 attempt. The valid range is from
1 to 65,535.
Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]
As an alternative to the login on-failure log command, the security authentication
failure rate command can be configured to generate a log message when the login
failure rate is exceeded.
Router(config)# security authentication failure rate threshold-rate log
Use the show login command to verify the login block-for command settings and
current mode. In the figure, R1 was configured to block login hosts for 120 seconds if
more than five login requests fail within 60 seconds. R1 also confirms that the current
mode is normal and that there have been four login failures within the last 55 seconds
because there are five seconds left in normal mode.
R1# show login
A login delay for 10 sec is applied.
Quiet-Mode access list PERMIT-ADMIN is applied.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 sec or less,
login will be disabled for 120 secs.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 5 seconds.
Login failures for current window: 4.
Total login failures:4.
The following two figures display examples of what occurs when the failed attempt
threshold is exceeded.
Failed Login Attempts
The following command output displays the resulting status using the show
login command. Notice that it is now in quiet mode and will remain in quiet mode for
another 105 seconds. R1 also identifies that the PERMIT-ADMIN ACL contains a list of
hosts allowed to connect during quiet mode.
R1#
*Dec 10 15:38:54.455: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 12 secs, [user: admin] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: PERMIT-ADMIN] at 15:38:54 UTC Wed Dec 10 2008
R1# show login
A login delay of 3 seconds is applied.
Quiet-Mode access list PERMIT-ADMIN is applied.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 seconds or
less,logins will be disabled for 120 seconds.
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 105 seconds.
Restricted logins filtered by applied ACL PERMIT-ADMIN.
R1#
The show login failures command displays additional information regarding the
failed attempts, such as the IP address from which the failed login attempts
originated. The figure displays sample output of the show login failures command.
R1# show login failures
Total failed logins: 22
Detailed information about last 50 failures
Username SourceIPAddr lPort Count TimeStamp
admin 1.1.2.1 23 5 15:38:54 UTC Wed Dec 10 2008
Admin 10.10.10.10 23 13 15:58:43 UTC Wed Dec 10 2008
admin 10.10.10.10 23 3 15:57:14 UTC Wed Dec 10 2008
cisco 10.10.10.10 23 1 15:57:21 UTC Wed Dec 10 2008
R1#
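To put the login on-success log and login on-failure log messages to use on a syslog collector, here is an added example (not Cisco code) that parses SEC_LOGIN messages into a show login failures-style summary, counts failures per source, and records quiet-mode events and successful logins over Telnet. The QUIET_MODE_ON sample line is the one shown above; the LOGIN_FAILED and LOGIN_SUCCESS lines are constructed in the same bracketed-field layout, which is an assumption about the message format.

```python
"""Parse SEC_LOGIN syslog messages produced by 'login on-success log' and
'login on-failure log' into a 'show login failures'-style summary.

Added example (not Cisco code). The QUIET_MODE_ON line is the one shown on the
page; the LOGIN_FAILED and LOGIN_SUCCESS lines are constructed samples that
assume the same '[field: value]' layout.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# constructed sample as collected from a router's syslog feed (not real traffic)
SAMPLE_LOG = """\
*Dec 10 15:38:54.455: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 12 secs, [user: admin] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: PERMIT-ADMIN] at 15:38:54 UTC Wed Dec 10 2008
*Dec 10 15:57:14.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed] at 15:57:14 UTC Wed Dec 10 2008
*Dec 10 15:57:21.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed] at 15:57:21 UTC Wed Dec 10 2008
*Dec 10 15:58:43.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed] at 15:58:43 UTC Wed Dec 10 2008
*Dec 10 15:59:02.010: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Bob] [Source: 192.168.10.10] [localport: 22] at 15:59:02 UTC Wed Dec 10 2008
*Dec 10 15:59:40.300: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Bob] [Source: 192.168.11.10] [localport: 23] at 15:59:40 UTC Wed Dec 10 2008
"""

MNEMONIC_RE = re.compile(r"%SEC_LOGIN-(\d)-([A-Z_]+):")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")
TIMESTAMP_RE = re.compile(r" at (\d\d:\d\d:\d\d \w+ \w+ \w+ \d+ \d{4})$")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return severity, mnemonic and the bracketed fields of one SEC_LOGIN line."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None                      # not a login-enhancement message
    event = {"severity": m.group(1), "mnemonic": m.group(2)}
    for key, value in FIELD_RE.findall(line):
        event[key.lower()] = value       # user, source, localport, reason, acl
    ts = TIMESTAMP_RE.search(line)
    if ts:
        event["timestamp"] = ts.group(1)
    return event


def summarize(log_text: str) -> Dict[str, object]:
    """Aggregate a log excerpt the way 'show login failures' does, plus extras."""
    events = [e for e in (parse_event(line) for line in log_text.splitlines()) if e]
    failures: Counter = Counter()        # (user, source, localport) -> count
    sources: Counter = Counter()         # source -> failures, the pivot a SOC uses
    quiet_mode_on: List[Dict[str, str]] = []
    cleartext_logins: List[Dict[str, str]] = []
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED":
            failures[(e["user"], e["source"], e["localport"])] += 1
            sources[e["source"]] += 1
        elif e["mnemonic"] == "QUIET_MODE_ON":
            quiet_mode_on.append(e)
        elif e["mnemonic"] == "LOGIN_SUCCESS" and e["localport"] == "23":
            cleartext_logins.append(e)   # a successful login over Telnet
    return {"failures": failures, "sources": sources,
            "quiet_mode_on": quiet_mode_on, "cleartext_logins": cleartext_logins}


def noisy_sources(summary: Dict[str, object], threshold: int) -> List[str]:
    """Sources with at least 'threshold' failed logins: candidates to block."""
    return sorted(s for s, n in summary["sources"].items() if n >= threshold)


def failure_table(summary: Dict[str, object]) -> str:
    """Render the counters like the 'show login failures' output above."""
    rows = ["Username SourceIPAddr lPort Count"]
    for (user, src, port), n in sorted(summary["failures"].items()):
        rows.append(f"{user} {src} {port} {n}")
    return "\n".join(rows)
```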
4.3.5 Syntax Checker - Configure Enhanced Login Security on R2
Use the Syntax Checker to configure enhanced login security on R2.
On R2, create a named standard access list called:
Permit the host at IP address 192.168.10.10.
Use the name PERMIT-ADMIN.
After configuration, return to global configuration mode.
R2(config)#ip access-list standard PERMIT-ADMIN
R2(config-std-nacl)#permit 192.168.10.10
R2(config-std-nacl)#exit
Enhance the login process using the following instructions:
Disable login for 15 seconds if more than 5 failed logins are attempted within 60
seconds.
The host specified in the PERMIT-ADMIN ACL should never be denied login access.
Specify a login delay of 10 seconds between failed login attempts.
Generate Syslog messages for successful login attempts.
Generate Syslog messages for failed login attempts.
After configuration, exit global configuration mode.
R2(config)#login block-for 15 attempts 5 within 60
R2(config)#login quiet-mode access-class PERMIT-ADMIN
R2(config)#login delay 10
R2(config)#login on-success log
R2(config)#login on-failure log
R2(config)#exit
R2#
*Nov 30 16:14:32.495: %SYS-5-CONFIG_I: Configured from console by console
Display the login settings.
R2#show login
A login delay of 10 seconds is applied.
Quiet-Mode access list PERMIT-ADMIN is applied.
All successful login is logged.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 seconds or less,
logins will be disabled for 15 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 15 seconds.
Login failures for current window: 0.
Total login failures: 0.
R2#
You successfully secured enhanced login security on R2.
4.3.6 Video - Configure Passwords and Enhanced Login Security
4.4.2 Enable SSH
Telnet simplifies remote device access, but it is not secure. Data contained within a
Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to
enable Secure Shell (SSH) on devices for secure remote access.
It is possible to configure a Cisco device to support SSH using the following six steps:
Step 1. Configure a unique device hostname. A device must have a unique hostname
other than the default.
Step 2. Configure the IP domain name. Configure the IP domain name of the network
by using the global configuration mode command ip domain name name. In the
example, router R1 is configured in the span.com domain. This information is used
along with the bit value specified in the crypto key generate rsa general-keys
modulus command to create an encryption key.
Step 3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and
destination. However, to do so, a unique authentication key must be generated by
using the global configuration command crypto key generate rsa general-keys
modulus bits. The modulus bits value determines the size of the key and can be
configured from 360 bits to 2048 bits. The larger the bit value, the more secure the key.
However, larger bit values also take longer to encrypt and decrypt information. The
minimum recommended modulus length is 1024 bits.
Step 4. Verify or create a local database entry. Create a local database username
entry using the username global configuration command. In the example, the
parameter secret is used so that the password will be encrypted using MD5.
Step 5. Authenticate against the local database. Use the login local line configuration
command to authenticate the vty line against the local database.
Step 6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty
lines. You can specify multiple input protocols including Telnet and SSH using
the transport input {ssh | telnet} command.
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain name span.com
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)#
To verify SSH and display the generated keys, use the show crypto key mypubkey
rsa command in privileged EXEC mode. If there are existing key pairs, it is
recommended that they are removed using the crypto key zeroize rsa command.
Figure 2 provides an example of verifying the SSH crypto keys and removing the old
keys.
R1# show crypto key mypubkey rsa
% Key pair was generated at: 21:18:41 UTC Feb 16 2015
Key name: R1.span.com
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CF35DB
A58A1BDB F7C7E600 F189C2F3 2EC6E584 D923EE5B 71841D98 B5472A03 D19CD620
ED125825 5A58412B B7F29234 DE2A1809 6C421AC3 07F298E6 80BE149D 2A262E13
74888DAF CAC8F187 B11111AF A413E76F 6C157CDF DFEF0D82 2961B58C BE1CAD21
176E82B9 6D81F893 06E66C93 94E1C508 887462F6 90AC63CE 5E169845 C1020301
0001
% Key pair was generated at: 21:18:42 UTC Feb 16 2015
Key name: R1.span.com.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AB914D 8172DFBE
DE57ACA9 7B844239 1F3B5942 3943AC0D F54E7746 3895CF54 606C3961 8A44FEB3
1A019F27 D9E71AAE FC73F423 A59CB8F5 50289272 3392CEBC 4C3CBD6D DB9233DE
9DDD9DAD 79D56165 4293AA62 FD1CBAB2 7AB859DC 2890C795 ED020301 0001
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# crypto key zeroize rsa
% All keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
R1(config)#
4.4.3 Enhance SSH Login Security
To verify the optional SSH command settings, use the show ip ssh command, as shown
in the figure. You can also modify the default SSH timeout interval and the number of
authentication tries. Use the ip ssh time-out seconds global configuration mode
command to modify the default 120-second timeout interval. This configures the
number of seconds that SSH can use to authenticate a user. After it is authenticated,
an EXEC session starts and the standard exec-timeout configured for the vty applies.
By default, a user logging in has three attempts to enter the correct password before
being disconnected. To configure a different number of consecutive SSH retries, use
the ip ssh authentication-retries integer global configuration mode command.
R1# show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
(output omitted)
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
R1(config)# ^Z
R1#
*Feb 16 21:23:51.237: %SYS-5-CONFIG_I: Configured from console by console
R1# show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 60 secs; Authentication retries: 2
(output omitted)
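A configuration audit, added here as an example (not Cisco code), that checks a saved running-config for the points made in 4.2 and in 4.4.2 to 4.4.3: password storage types (0, 7 and 5 versus 8 and 9), enable password and line passwords, login local and transport input on the vty lines, ip domain name, ip ssh version 2, and the SSH timeout and retry settings. SAMPLE_CONFIG is constructed; its type 7 strings are placeholders, and its secret 5 and secret 9 hashes are the ones shown earlier in this module.

```python
"""Audit a Cisco IOS running-config for the administrative-access weaknesses
covered in sections 4.2 and 4.4: password storage types, line passwords,
vty authentication and transport, and the SSH settings.

Added example, not Cisco code. SAMPLE_CONFIG is constructed: the type 7
strings are placeholders; the hashes are the ones shown earlier in the module.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]               # (severity, message)

PASSWORD_TYPES = {"0": "type 0 (cleartext)", "7": "type 7 (reversible encoding)",
                  "5": "type 5 (MD5 hash)", "8": "type 8 (PBKDF2-SHA256)",
                  "9": "type 9 (scrypt)"}
WEAK_TYPES = {"0", "7", "5"}            # anything that is not type 8 or 9

SAMPLE_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
ip domain name span.com
ip ssh version 2
ip ssh time-out 60
enable password 7 PLACEHOLDER-TYPE7-STRING
username Bob privilege 15 secret 5 $1$lmBB$UjOC6JA4f1WgI3/La8wGz/
username ADMIN secret 9 $9$.9hhYsuBDAaF3.$k5fhqvneSfOa.0ms89TjQX1ant9W3l09zLJjAHAERaU
username guest password 0 letmein
line con 0
 exec-timeout 3 0
 login local
line vty 0 4
 password 7 PLACEHOLDER-TYPE7-STRING
 login
 transport input telnet ssh
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and the commands under each 'line'."""
    global_cmds: List[str] = []
    line_blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(text: str) -> List[Finding]:
    """Return findings sorted by severity; an empty list means nothing was flagged."""
    global_cmds, line_blocks = parse_config(text)
    findings: List[Finding] = []

    def present(pattern: str) -> bool:
        return any(re.match(pattern, c) for c in global_cmds)

    # password storage (section 4.2)
    for cmd in global_cmds:
        if cmd.startswith("enable password"):
            findings.append(("high", "enable password: type 7 at best; use enable secret"))
        m = re.match(r"username (\S+).*? (password|secret) (\d) ", cmd)
        if m:
            user, keyword, ptype = m.groups()
            if keyword == "password":
                findings.append(("high", f"username {user}: 'password' keyword stores "
                                         f"{PASSWORD_TYPES[ptype]}; use 'secret'"))
            elif ptype in WEAK_TYPES:
                findings.append(("medium", f"username {user}: {PASSWORD_TYPES[ptype]}; "
                                           "re-enter with algorithm-type scrypt"))
    if not present(r"service password-encryption$"):
        findings.append(("medium", "service password-encryption missing"))
    min_len = [int(m.group(1)) for c in global_cmds
               if (m := re.match(r"security passwords min-length (\d+)", c))]
    if not min_len or min_len[0] < 10:
        findings.append(("medium", "security passwords min-length below 10"))

    # the SSH steps of 4.4.2 and the tuning of 4.4.3
    if not present(r"ip domain[ -]name \S+"):
        findings.append(("high", "ip domain name missing: RSA keys for SSH cannot be generated"))
    if not present(r"ip ssh version 2$"):
        findings.append(("medium", "ip ssh version 2 not set: SSH 1.99 also accepts SSHv1 clients"))
    if not present(r"ip ssh time-out \d+"):
        findings.append(("low", "ip ssh time-out left at the default 120 seconds"))
    if not present(r"ip ssh authentication-retries \d+"):
        findings.append(("low", "ip ssh authentication-retries left at the default 3"))
    for name, cmds in line_blocks.items():
        if "login local" not in cmds:
            findings.append(("high", f"line {name}: not authenticating against the local database"))
        if any(c.startswith("password ") for c in cmds):
            findings.append(("high", f"line {name}: line password configured (type 7 at best)"))
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append(("low", f"line {name}: no exec-timeout"))
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            if not transport or "telnet" in transport or "all" in transport:
                findings.append(("high", f"line {name}: Telnet accepted; use transport input ssh"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))
```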
4.4.4 Syntax Checker - Enable SSH on R2
Use the Syntax Checker to enable SSH on R2.
Configure the following:
Assign the domain name span.com.
Generate the general RSA keys using the crypto key generate rsa general-keys
modulus 1024 command.
R2(config)#ip domain-name span.com
R2(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R2.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
*Feb 27 16:41:37.363: %SSH-5-ENABLED: SSH 1.99 has been enabled
Create a local database entry for a user named Bob using algorithm-type SCRYPT
hashing with a secret password of cisco54321.
R2(config)#username Bob algorithm-type scrypt secret cisco54321
Configure the vty lines 0-4 to use:
The local database for login authentication.
Enable SSH on the vty lines using the transport input ssh command.
Exit from vty line configuration.
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#transport input ssh
R2(config-line)#exit
Configure SSH:
Enable SSH version 2.
Set the number of authentication retries to 2.
Set the SSH timeout period of 1 minute.
Issue the end command to exit configuration mode.
R2(config)#ip ssh version 2
R2(config)#ip ssh authentication-retries 2
R2(config)#ip ssh time-out 60
R2(config)#end
Verify the SSH configuration using the show ip ssh command.
R2#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDNJV02ayJzPD/Ys/HKpy78XVR+QlnBaHaABMEOKGljoC4DQf8Z2XRJTzORPrYUfk1FFFVku+ejsy0G+3LoCAUgSdfpg1X4c8DbJhvA1PwPgxPVPklS5yWS+URkur4ijJl/cPksQpXQ8i26ye5SlLslV+3I+3TSI3MOEmJP++3vvw==
R2#
You successfully configured SSH on R2.
4.4.5 Connect a Router to an SSH-Enabled Router
To verify the status of the client connections, use the show ssh command. There are
two different ways to connect to an SSH-enabled router.
By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client.
As a server, a router can accept SSH client connections. As a client, a router can
connect via SSH to another SSH-enabled router, as shown in the following three steps.
Router-to-Router SSH
In the following examples, the administrator on R1 uses the show ssh command to
check for current SSH connections. Then another administrator logs into R1 from R2.
The administrator on R1 checks again for current SSH connections.
R1# show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
R1#
R2# ssh -l Bob 192.168.2.101
Password:
R1>
R1# show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-sha1 Session started Bob
0 2.0 OUT aes128-cbc hmac-sha1 Session started Bob
%No SSHv1 server connections running.
R1#
4.4.6 Connect a Host to an SSH-Enabled Router
Connect using an SSH client running on a host as shown in the following four figures.
Examples of these clients include PuTTY, OpenSSH, and TeraTerm.
The procedure for connecting to a Cisco router varies depending on the SSH client
application being used. Generally, the SSH client initiates an SSH connection to the
router. The router SSH service prompts for the correct username and password
combination. After the login is verified, the router can be managed as if the
administrator was using a standard Telnet session.
Host-to-Router SSH
4.4.7 Lab - Configure Secure Administrative Access
In this lab, you will complete the following objectives:
Part 1: Configure Basic Device Settings
Part 2: Configure and Encrypt Passwords on Routers R1 and R3
Part 3: Configure Enhanced Username Password Security on Routers R1 and R3
Part 4: Configure the SSH Server on Routers R1 and R3
such as SOHO sites. A defense-in-depth approach is more secure than the single router
approach. It uses multiple layers of security prior to traffic entering the protected LAN.
There are three primary layers of defense: the edge router, the firewall, and an
internal router that connects to the protected LAN. Other security tools, such as
intrusion prevention systems (IPSs), web security appliances (proxy servers), and email
security appliances (spam filtering) can also be implemented. The DMZ approach
includes an intermediate area, often called the demilitarized zone (DMZ). The DMZ can
be set up between two routers, with an internal router connecting to the protected
network and an external router connecting to the unprotected network. Alternatively,
the DMZ can simply be an additional port off of a single router. The firewall serves as
the primary protection for all devices in the DMZ. The three areas of router security
that must be maintained are physical security, operating system security, and router
hardening. Securing administrative access to prevent an unauthorized person from
gaining access to an infrastructure device includes restricting device accessibility,
logging and accounting for all access, authenticating access, authorizing actions,
presenting legal notification, and ensuring the confidentiality of data. A router can be
accessed for administrative purposes locally or remotely. Additional precautions
should be taken when accessing the network remotely.
Configure Secure Administrative Access
To protect network devices, it is important to use strong passwords. The standard
guidelines to follow are using longer passwords (10 or more characters), complex
passwords, avoid common dictionary words, change passwords often, and keep
passwords confidential. Passwords and VTY lines should be secured. To encrypt all
plaintext passwords, use the service password-encryption global config command. Use
the show running-config command to verify that passwords are now encrypted.
The service password-encryption global configuration command prevents
unauthorized individuals from viewing plaintext passwords in the configuration file.
MD5 hashes are no longer considered secure because attackers can reconstruct valid
certificates. It is now recommended that you configure all secret passwords using
either type 8 or type 9 passwords.
Configure Enhanced Security for Virtual Logins
The Cisco IOS login enhancements provide more security by slowing down attacks,
such as dictionary attacks and DoS attacks. Enabling a detection profile allows you to
configure a network device to react to repeated failed login attempts by refusing
further connection requests (or login blocking). This block can be configured for a
period of time, which is called a quiet period. Access control lists (ACLs) can be used to
permit legitimate connections from addresses of known system administrators. Banners
protect the organization from a legal perspective. The Cisco IOS login enhancements
commands increase the security of virtual login connections. The login block-for
command can defend against DoS attacks by disabling logins after a specified
number of failed login attempts. The login quiet-mode command maps to an ACL that
identifies the permitted hosts. This ensures that only authorized hosts can attempt to
log in to the router. The login delay command specifies a number of seconds the user
must wait between unsuccessful login attempts. The login on-success and login
on-failure commands log successful and unsuccessful login attempts. To enhance
security, you can also modify the default SSH timeout interval and the number of
authentication tries. Use the ip ssh time-out seconds global configuration mode
command to modify the default 120-second timeout interval. There are two different
ways to connect to an SSH-enabled router. By default, when SSH is enabled, a Cisco
router can act as an SSH server or SSH client. As a server, a router can accept SSH
client connections. As a client, a router can connect via SSH to another SSH-enabled
router.
Configure SSH
Telnet simplifies remote device access, but it is not secure. Data contained within a
Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to
enable Secure Shell (SSH) on devices for secure remote access. It is possible to
configure a Cisco device to support SSH using the following six steps: configure a
unique device hostname, configure the IP domain name, generate a key to encrypt SSH
traffic, verify or create a local database entry, authenticate against the local database,
and enable vty inbound SSH sessions.
4.5.2 Module 4 - Secure Device Access Quiz
Question 1
At what point in the enterprise network are packets arriving from the internet
examined prior to entering the network?
Campus core
Internet edge
Network edge
WAN edge
Question 2
What three configuration steps must be performed to implement SSH access to a
router? (Choose three.)
A password on the console line
An IP domain name
A user account
An enable mode password
A unique hostname
An encrypted password
Question 3
What is one difference between using Telnet or SSH to connect to a network device
for management purposes?
Telnet uses UDP as the transport protocol whereas SSH uses TCP.
Telnet does not provide authentication whereas SSH provides authentication.
Telnet supports a host GUI whereas SSH only supports a host CLI.
Telnet sends a username and password in plain text, whereas SSH encrypts the
username and password.
Question 4
Which three areas of router security must be maintained to secure an edge router at
the network perimeter? (Choose three.)
Physical security
Flash security
Operating system security
Remote access security
Router hardening
Zone isolation
Question 5
What is a good password recommendation for a Cisco router?
Zeroize all passwords used.
Use a minimum of 7 characters.
Use one or more spaces within a multiword phrase.
Use the service password-encryption command to protect a password used to log into
a remote device across the network.
Question 6
What is the purpose of using a banner message on a Cisco network device?
It can provide more security by slowing down attacks.
It can protect the organization from a legal perspective.
It can be used to create a quiet period where remote connections are refused.
It is effective in deflecting threat actors from entering the device.
Question 7
A network administrator establishes a connection to a switch via SSH. What
characteristic uniquely describes the SSH connection?
Out-of-band access to a switch through the use of a virtual terminal with password
authentication
Remote access to the switch through the use of a telephone dialup connection
On-site access to a switch through the use of a directly connected PC and a console
cable
Remote access to a switch where data is encrypted during the session
Direct access to the switch through the use of a terminal emulation program
Question 8
What command will prevent all unencrypted passwords from displaying in plain text
in a configuration file?
(config)# enable password secret
(config)# enable secret Secret_Password
(config-line)# password secret
(config)# service password-encryption
(config)# enable secret Encrypted_Password
Question 9
A network administrator is issuing the login block-for 180 attempts 2 within 30
command on a router. Which threat is the network administrator trying to prevent?
A user who is trying to guess a password to access the router
A worm that is attempting to access another part of the network
An unidentified individual who is trying to access the network equipment room
A device that is trying to inspect the traffic on a link
Question 10
Which recommended security practice prevents attackers from performing password
recovery on a Cisco IOS router for the purpose of gaining access to the privileged
EXEC mode?
Keep a secure copy of the router Cisco IOS image and router configuration file as a
backup.
Disable all unused ports and interfaces to reduce the number of ways that the router
can be accessed.
Configure secure administrative control to ensure that only authorized personnel can
access the router.
Locate the router in a secure locked room that is accessible only to authorized
personnel.
Provision the router with the maximum amount of memory possible.
Question 11
A company is planning to use a DMZ for their servers and is concerned about
securing the network infrastructure. Which device should the network security team
use for the edge router?
Cisco Nexus switch
Firewall
Layer 2 switch with port security features enabled
VPN gateway
Question 12
Which type of access is secured on a Cisco router or switch with the enable secret
command?
Virtual terminal
Privileged EXEC
AUX port
Console line
Question 13
What is a common security task performed when securing administrative access to a
network infrastructure device?
Block local access.
Log and account for all access.
Enable at least two ports for remote access.
Disable discovery protocols for all user-facing ports.
Checkpoint Exam: Securing Networks Group Exam
This exam will cover material from Modules 1-4 of the Network Security 1.0
curriculum.
Copyright 2021, Cisco Systems, Inc.
Question 1
Which security feature or device would more likely be used within a CAN than a
SOHO or data center?
ESA/WSA
Virtual security gateway
Exit sensors
Security trap
Wireless router
Question 2
A company has several sales offices distributed within a city. Each sales office has a
SOHO network. What are two security features that are commonly found in such a
network configuration? (Choose two.)
Port security on user facing ports
Virtual Security Gateway within Cisco Nexus switches
Cisco ASA firewall
WPA2
Biometric verifications
Question 3
Which condition describes the potential threat created by Instant On in a data
center?
when a VM that may have outdated security policies is brought online after a long
period of inactivity
when the primary IPS appliance is malfunctioning
when the primary firewall in the data center crashes
when an attacker hijacks a VM hypervisor and then launches attacks against other
devices in the data center
Question 4
What are two data protection functions provided by MDM? (Choose two.)
quarantine
physical security
inoculation
remote wiping
PIN locking
Question 5
A user is curious about how someone might know a computer has been infected with
malware. What are two common malware behaviors? (Choose two.)
The computer freezes and requires reboots.
The computer gets increasingly slower to respond.
The computer beeps once during the boot process.
The computer emits a hissing sound every time the pencil sharpener is used.
No sound emits when an audio CD is played.
Question 6
What is the motivation of a white hat attacker?
discovering weaknesses of networks and systems to improve the security level of
these systems
taking advantage of any vulnerability for illegal personal gain
fine tuning network devices to improve their performance and efficiency
studying operating systems of various platforms to develop a new system
Question 7
Match the security concept to the description.
Question 8
Which attack involves threat actors positioning themselves between a source and
destination with the intent of transparently monitoring, capturing, and controlling
the communication?
ICMP attack
DoS attack
Man-in-the-middle attack
SYN flood attack
Question 9
What is the purpose of a reconnaissance attack on a computer network?
to prevent users from accessing network resources
to redirect data traffic so that it can be monitored
to gather information about the target network and system
to steal data from the network servers
Question 10
What are two evasion methods used by hackers? (Choose two.)
phishing
resource exhaustion
scanning
encryption
access attack
Question 11
What is the purpose of mobile device management (MDM) software?
It is used to identify potential mobile device vulnerabilities.
It is used by threat actors to penetrate the system.
It is used to create a security policy.
It is used to implement security policies, setting, and software configurations on
mobile devices.
Question 12
Which security implementation will provide management plane protection for a
network device?
access control lists
routing protocol authentication
antispoofing
role-based access control
Question 13
Which security measure is best used to limit the success of a reconnaissance attack
from within a campus area network?
Implement access lists on the border router.
Implement encryption for sensitive traffic.
Implement a firewall at the edge of the network.
Implement restrictions on the use of ICMP echo-reply messages.
Question 14
What functional area of the Cisco Network Foundation Protection framework is
responsible for device-generated packets required for network operation, such as
ARP message exchanges and routing advertisements?
forwarding plane
control plane
management plane
data plane
Question 15
On which two interfaces or ports can security be improved by configuring exec
timeouts (the exec-timeout command)? (Choose two.)
serial interfaces
vty ports
fast Ethernet interfaces
loopback interfaces
console ports
Question 16
A network administrator enters the service password-encryption command into the
configuration mode of a router. What does this command accomplish?
This command prevents someone from viewing the running configuration
passwords.
This command enables a strong encryption algorithm for the enable secret
password command.
This command automatically encrypts passwords in configuration files that are
currently stored in NVRAM.
This command provides an exclusive encrypted password for external service
personnel who are required to do router maintenance.
This command encrypts passwords as they are transmitted across serial WAN links.
Question 17
Which command will block login attempts on RouterA for a period of 30 seconds if
there are 2 failed login attempts within 10 seconds?
RouterA(config)# login block-for 30 attempts 2 within 10
RouterA(config)# login block-for 30 attempts 10 within 2
RouterA(config)# login block-for 2 attempts 30 within 10
RouterA(config)# login block-for 10 attempts 2 within 30
Question 18
An administrator defined a local user account with a secret password on router R1
for use with SSH. Which three additional steps are required to configure R1 to accept
only encrypted SSH connections? (Choose three.)
Configure DNS on the router.
Configure a host name other than "Router".
Generate two-way pre-shared keys.
Configure the IP domain name on the router.
Enable inbound vty Telnet sessions.
Generate crypto keys.
Question 19
Passwords can be used to restrict access to all or parts of the Cisco IOS. Select the
modes and interfaces that can be protected with passwords. (Choose three.)
VTY interface
Ethernet interface
Boot IOS mode
Privileged EXEC mode
Console interface
Router configuration mode
Question 20
Which two practices are associated with securing the features and performance of
router operating systems? (Choose two.)
Configure the router with the maximum amount of memory possible.
Keep a secure copy of router operating system images.
Reduce the number of ports that can be used to access the router.
Install a UPS.
Disable default router services that are not necessary.
Question 21
A security service company is conducting an audit in several risk areas within a major
corporation. What statement describes an attack vector?
the unauthorized transfer of data containing valuable corporate information to a USB
drive
intercepted emails that reveal confidential corporate or personal information
data loss through access to personal or corporate instant messaging and social media
sites
the path by which a threat actor can gain access to a server, host, or network
role-based CLI. Both methods help determine who should be allowed to connect to the
device and what that person should be able to do with it. Role-based CLI access
provides more granularity and control.
By default, the Cisco IOS software CLI has two levels of access to commands:
User EXEC mode (privilege level 1) - This provides the lowest EXEC mode user
privileges and allows only user-level commands available at the Router> prompt.
Privileged EXEC mode (privilege level 15) - This includes all enable-level commands
at the Router# prompt.
There are 16 privilege levels in total, as listed below. The higher the privilege level, the
more router access a user has. Commands that are available at lower privilege levels
are also executable at higher levels.
Level 0: Predefined for user-level access privileges. Seldom used, but includes five
commands: disable, enable, exit, help, and logout.
Level 1: The default level for login with the router prompt Router>. A user cannot
make any changes or view the running configuration file.
Levels 2 -14: May be customized for user-level privileges. Commands from lower
levels may be moved up to another higher level, or commands from higher levels
may be moved down to a lower level.
Level 15: Reserved for the enable mode privileges (enable command). Users can
change configurations and view configuration files.
To assign commands to a custom privilege level, use the privilege global configuration
mode command shown below.
Router(config)# privilege mode {level level | reset} command
Parameter: Description
mode: Specifies the configuration mode. Use the privilege ? command to see a complete
list of router configuration modes available on your router.
level: (Optional) Enables setting a privilege level for the specified command.
level: (Optional) The privilege level that is associated with the command. You can
specify up to 16 privilege levels, using numbers 0 to 15.
reset: (Optional) Resets the privilege level of the command to its default.
command: The command whose privilege level is being set or reset.
5.1.2 Configuring and Assigning Privilege Levels
To configure a privilege level with specific commands, use the privilege exec
level level [command] global configuration command. The example below configures
three different privilege levels.
Privilege level 5 has access to all the commands available for the predefined level 1
and the ping command.
Privilege level 10 has access to all the commands available for level 5 as well as
the reload command.
Privilege level 15 is predefined and does not need to be explicitly configured. This
privilege level has access to all commands including viewing and changing the
configuration.
R1# conf t
R1(config)# !Level 5 and SUPPORT user configuration
R1(config)# privilege exec level 5 ping
R1(config)# enable algorithm-type scrypt secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 algorithm-type scrypt secret cisco5
R1(config)# !Level 10 and JR-ADMIN user configuration
R1(config)# privilege exec level 10 reload
R1(config)# enable algorithm-type scrypt secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 algorithm-type scrypt secret cisco10
R1(config)# !Level 15 and ADMIN user configuration
R1(config)# enable algorithm-type scrypt secret level 15 cisco123
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret cisco123
There are two methods for assigning passwords to the different privilege levels:
To a user that is granted a specific privilege level, use
the username name privilege level secret password global configuration mode
command
To the privilege level, use the enable secret level level password global
configuration mode command
Note: With algorithm-type scrypt, both the username secret and the enable secret
commands store a type 9 (scrypt) hash of the password rather than a reversible
encryption.
Use the username command to assign a privilege level to a specific user. Use
the enable secret command to assign a privilege level to a specific EXEC mode
password. For example, the SUPPORT user is assigned privilege level 5 with the
password cisco5. However, as shown in the example below, any user can access
privilege level 5 if that user knows that the enable secret password is cisco5. The
example also demonstrates that privilege level 5 cannot reload the router.
R1> enable 5
Password: <cisco5>
R1# show privilege
Current privilege level is 5
R1# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1# reload
Translating "reload"
% Bad IP address or host name
Translating "reload"
% Unknown command or computer name, or unable to find computer address
R1#
In the example below, the user enables privilege level 10 which has access to
the reload command. However, users at privilege level 10 cannot view the running
configuration.
R1# enable 10
Password: <cisco10>
R1# show privilege
Current privilege level is 10
R1# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1# reload
System configuration has been modified. Save? [yes/no]: ^C
R1# show running-config
^
% Invalid input detected at '^' marker.
R1#
In the next example, the user enables privilege level 15 which has full access to view
and change the configuration, including viewing the running configuration.
R1# enable 15
Password:
R1# show privilege
Current privilege level is 15
R1# show running-config
Building configuration...
Current configuration : 1979 bytes
!
! Last configuration change at 15:30:07 UTC Tue Feb 17 2015
!
version 15.4
R1#
5.1.3 Limitations of Privilege Levels
The use of privilege levels has its limitations:
There is no access control to specific interfaces, ports, logical interfaces, and slots
on a router.
Commands available at lower privilege levels are always executable at higher
levels.
Commands specifically set at a higher privilege level are not available for lower
privileged users.
Assigning a command with multiple keywords allows access to all commands that
use those keywords. For example, allowing access to show ip route allows the user
access to all show and show ip commands.
Note: If an administrator must create a user account that has access to most but not
all commands, privilege exec statements need to be configured for every command
that must be executed at a privilege level lower than 15.
5.1.4 Syntax Checker - Configure Privilege Levels on R2
Use this Syntax Checker to configure privilege levels on R2.
Configure privilege level 5:
Use the privilege exec level command to provide access to the ping command.
Enable a level 5 secret password of cisco5 that is encrypted with the algorithm-
type scrypt hashing.
Create a local database entry for a user named Support with a privilege level of 5,
encrypt the password with type 9 (algorithm-type scrypt) hashing, and set the
password to cisco5.
R2(config)#privilege exec level 5 ping
R2(config)#enable algorithm-type scrypt secret level 5 cisco5
R2(config)#username Support privilege 5 algorithm-type scrypt secret cisco5
Configure privilege level 10:
Use the privilege exec level command to provide access to the reload command.
Enable a level 10 secret password of cisco10 that is encrypted with the algorithm-
type scrypt hashing.
Create a local database entry for a user named Jr-Admin with a privilege level of
10, encrypt the password with a type 9 (algorithm-type scrypt) hashing, and set the
password to cisco10.
R2(config)#privilege exec level 10 reload
R2(config)#enable algorithm-type scrypt secret level 10 cisco10
R2(config)#username Jr-Admin privilege 10 algorithm-type scrypt secret cisco10
Configure privilege level 15:
Enable a level 15 secret password of cisco123 that is encrypted with the algorithm-
type scrypt hashing.
Create a local database entry for a user named Admin with a privilege level of 15,
encrypt the password with a type 9 (algorithm-type scrypt) hashing, and set the
password to cisco123.
Exit configuration mode.
R2(config)#enable algorithm-type scrypt secret level 15 cisco123
R2(config)#username Admin privilege 15 algorithm-type scrypt secret cisco123
R2(config)#exit
R2#
You successfully configured privilege levels on R2.
5.2 Configure Role-Based CLI
5.2.1 Role-Based CLI Access
In an effort to provide more flexibility than privilege levels allow, Cisco introduced the
role-based CLI access feature in Cisco IOS Release 12.3(11)T. This feature provides
finer, more granular access by controlling which commands are available to specific
roles. Role-based CLI access enables the network administrator to create different
views of router configurations for different users. Each view defines the CLI commands
that each user can access.
Security
Role-based CLI access enhances the security of the device by defining the set of CLI
commands that are accessible by a specific user. Additionally, administrators can
control user access to specific ports, logical interfaces, and slots on a router. This
prevents a user from accidentally or purposely changing a configuration or collecting
information to which they should not have access.
Availability
Role-based CLI access prevents unintentional execution of CLI commands by
unauthorized personnel and minimizes downtime.
Operational Efficiency
Users only see the CLI commands and interfaces to which they have access.
Therefore, the router appears to be less complex, and commands are easier to
identify when using the help feature on the device.
5.2.2 Role-Based Views
Role-based CLI provides three types of views that dictate which commands are
available:
Root View
To configure any view for the system, the administrator must be in root view. Root
view has the same access privileges as a user who has level 15 privileges. However, a
root view is not the same as a level 15 user. Only a root view user can configure a new
view and add or remove commands from the existing views.
CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI
view has no command hierarchy and no higher or lower views. Each view must be
assigned all commands associated with that view. A view does not inherit commands
from any other view. Additionally, the same commands can be used in multiple views.
Superview
A superview consists of one or more CLI views. Administrators can define which
commands are accepted and which configuration information is visible. Superviews
allow a network administrator to assign users and groups of users multiple CLI views at
once, instead of having to assign a single CLI view per user with all commands
associated with that one CLI view.
Superviews have several specific characteristics:
A single CLI view can be shared within multiple superviews.
Commands cannot be configured for a superview. An administrator must add
commands to the CLI view and add that CLI view to the superview.
Users who are logged into a superview can access all the commands that are
configured for any of the CLI views that are part of the superview.
Each superview has a password that is used to switch between superviews or from
a CLI view to a superview.
Deleting a superview does not delete the associated CLI views. The CLI views
remain available to be assigned to another superview.
Demonstrating Role-Based Views
Step 1. With AAA enabled (aaa new-model), enter the root view using the enable
view privileged EXEC command (enable view root can also be used). When prompted,
enter the enable secret password.
Router# enable [view [view-name]]
Parameter: Description
view: Enters root view if no view-name is specified, which enables an administrator
to configure CLI views. The view parameter is required to configure a CLI view.
view-name: (Optional) Enters or exits a specified CLI view. This parameter can be
used to switch from one CLI view to another CLI view.
Step 2. Create a view using the parser view view-name global configuration mode
command. This enables the view configuration mode. Excluding the root view, there is
a maximum limit of 15 views in total.
Router(config)# parser view view-name
Step 3. Assign a secret password to the view using the secret password view
configuration mode command.
This sets a password to protect access to the view. The password must be created
immediately after creating a view, otherwise, an error message will appear.
Router(config-view)# secret password
Step 4. Assign commands to the selected view using the commands parser-
mode command in view configuration mode.
Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Parameter: Description
commands: Adds commands or interfaces to a view.
parser-mode: The mode in which the specified command exists; for example, EXEC mode.
include: Adds a command or an interface to the view and allows the same command or
interface to be added to other views.
include-exclusive: Adds a command or an interface to the view and excludes the same
command or interface from being added to all other views.
exclude: Excludes a command or an interface from the view.
all: A "wildcard" that allows every command in a specified configuration mode that
begins with the same keyword, or every subinterface for a specified interface, to be
part of the view.
interface interface-name: Interface that is added to the view.
command: Command that is added to the view.
Step 5. Exit view configuration mode by typing the exit command.
The example below shows the configuration of three views. Notice in the example
that the view secret command only supports a type 5 (MD5) hash. Also notice that
when a command was added to a view before the password was assigned, an error
occurred.
R1(config)# aaa new-model
R1(config)# parser view SHOWVIEW
R1(config-view)# secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) view secret string
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# exit
R1(config)# parser view VERIFYVIEW
R1(config-view)# commands exec include ping
% Password not set for the view VERIFYVIEW
R1(config-view)# secret cisco5
R1(config-view)# commands exec include ping
R1(config-view)# exit
R1(config)# parser view REBOOTVIEW
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# exit
R1(config)#
Verify the view configuration using the show running-config command.
R1# show running-config
<output omitted>
parser view SHOWVIEW
secret 5 $1$GL2J$8njLecwTaLAc0UuWo1/Fv0
commands exec include show
!
parser view VERIFYVIEW
secret 5 $1$d08J$1zOYSI4WainGxkn0Hu7lP1
commands exec include ping
!
parser view REBOOTVIEW
secret 5 $1$L7lZ$1Jtn5IhP43fVE7SVoF1pt.
commands exec include reload
!
5.2.4 Syntax Checker - Configure Views on R2
Use this Syntax Checker to configure three views with different privileges on R2.
Enable AAA.
R2(config)#aaa new-model
Configure the first view:
Create a view called SHOWVIEW.
Assign the view the password cisco.
Allow the view to use all EXEC commands that begin with show.
After configuration, return to global configuration mode.
R2(config)#parser view SHOWVIEW
R2(config-view)#secret cisco
R2(config-view)#commands exec include show
R2(config-view)#exit
Configure the second view.
Create a view called VERIFYVIEW.
Assign the view the password cisco5.
Allow the view to use the ping command.
After configuration, return to global configuration mode.
R2(config)#
R2(config)#parser view VERIFYVIEW
R2(config-view)#secret cisco5
R2(config-view)#commands exec include ping
R2(config-view)#exit
Configure the third view.
Create a view called REBOOTVIEW.
Assign the view the password cisco10.
Allow the view to use the reload command.
After configuration, return directly to privileged EXEC mode.
R2(config)#parser view REBOOTVIEW
R2(config-view)#secret cisco10
R2(config-view)#commands exec include reload
R2(config-view)#end
Verify the configured views using the show running-config | section
parser command.
R2#show running-config | section parser
parser view SHOWVIEW
secret 5 $1$4c8S$8ayWlp1brumavcCek7OUz.
commands exec include show
parser view VERIFYVIEW
secret 5 $1$mV.n$Wl99F.nQQQvuP7QiEzE.40
commands exec include ping
parser view REBOOTVIEW
secret 5 $1$BBYq$L6prAiM.wrcuGbst/9JY51
commands exec include reload
R2#
You successfully configured three views with different privileges on R2.
5.2.5 Lab - Configure Administrative Roles
In this lab, you will complete the following objectives:
Part 1: Configure basic device settings.
Part 2: Configure administrative roles.
Step 2
Assign a secret password to the view using the secret password command. This sets a
password to protect access to the superview. The password must be created
immediately after creating a view; otherwise an error message will appear.
Router(config-view)# secret password
Step 3
Assign an existing view using the view view-name command in view configuration
mode. This adds a CLI view to the superview. Multiple views can be added, and views
may be shared between superviews.
Router(config-view)# view view-name
Step 4
Exit superview configuration mode by typing the exit command.
More than one view can be assigned to a superview, and views can be shared between
superviews. The example shows the configuration of three superviews: USER, SUPPORT,
and JR-ADMIN. Notice that assigning a view name that does not exist produces an
error.
R1(config)# parser view USER superview
R1(config-view)# secret cisco
R1(config-view)# view SHOWVIEW
R1(config-view)# exit
R1(config)#
R1(config)# parser view SUPPORT superview
R1(config-view)# secret cisco1
R1(config-view)# view SHOWVIE
% Invalid view name SHOWVIE
R1(config-view)# view SHOWVIEW
R1(config-view)# view VERIFYVIEW
R1(config-view)# exit
R1(config)#
R1(config)# parser view JR-ADMIN superview
R1(config-view)# secret cisco2
R1(config-view)# view SHOWVIEW
R1(config-view)# view VERIFYVIEW
R1(config-view)# view REBOOTVIEW
R1(config-view)# exit
R1(config)#
The example below displays the configured superviews in the running configuration.
To access existing views, enter the enable view view-name command in user mode
and enter the password that was assigned to the custom view. Use the same
command to switch from one view to another.
R1# show running-config
<output omitted>
!
parser view SUPPORT superview
secret 5 $1$Vp1O$BBB1N68Z2ekr/aLHledts.
view SHOWVIEW
view VERIFYVIEW
!
parser view USER superview
secret 5 $1$E4k5$ukHyfYP7dHOC48N8pxm4s/
view SHOWVIEW
!
parser view JR-ADMIN superview
secret 5 $1$8kx2$rbAe/ji220OmQ1yw.568g0
view SHOWVIEW
view VERIFYVIEW
view REBOOTVIEW
!
5.2.7 Syntax Checker - Configure Superviews on R2
Use this Syntax Checker to configure three superviews on R2.
Configure the first superview.
Create a superview called USER.
Assign the superview the password cisco.
Assign it the SHOWVIEW view.
After configuration, return to global configuration mode.
R2(config)#parser view USER superview
R2(config-view)#secret cisco
R2(config-view)#view SHOWVIEW
R2(config-view)#exit
Configure the second superview.
Create a superview called SUPPORT.
Assign the superview the password cisco1.
Assign it the SHOWVIEW view.
Assign it the VERIFYVIEW view.
After configuration, return to global configuration mode.
R2(config)#parser view SUPPORT superview
R2(config-view)#secret cisco1
R2(config-view)#view SHOWVIEW
R2(config-view)#view VERIFYVIEW
R2(config-view)#exit
Configure the third superview.
Create a superview called JR-ADMIN.
Assign the superview the password cisco2.
Assign it the SHOWVIEW view.
Assign it the VERIFYVIEW view.
Assign it the REBOOTVIEW view.
After configuration, return to privileged EXEC mode.
R2(config)#parser view JR-ADMIN superview
R2(config-view)#secret cisco2
R2(config-view)#view SHOWVIEW
R2(config-view)#view VERIFYVIEW
R2(config-view)#view REBOOTVIEW
R2(config-view)#end
Verify the configured superviews using the show running-config | section
superview command.
R2#show running-config | section superview
parser view USER superview
secret 5 $1$PkVE$fWQNcCofjNnSNO5T5fR9b0
view SHOWVIEW
parser view SUPPORT superview
secret 5 $1$AJdD$KXsrFpyr8nsoZaoyJcZGz.
view SHOWVIEW
view VERIFYVIEW
parser view JR-ADMIN superview
secret 5 $1$jDUK$v1DodSqackdof/Dbg11eJ1
view SHOWVIEW
view VERIFYVIEW
view REBOOTVIEW
R2#
You successfully configured superviews on R2.
5.2.8 Verify Role-Based CLI Views
To verify a view, use the enable view command. Enter the name of the view to verify,
and provide the password to log into the view. Use the question mark (?) command to
verify that the commands available in the view are correct.
The example enables the USER superview and lists the commands available in the
view.
R1# enable view USER
Password: <cisco>
R1# ?
Exec commands:
<0-0>/<0-4> Enter card slot/sublot number
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1# show ?
banner Display banner information
flash0: display information about flash0: file system
flash1: display information about flash1: file system
flash: display information about flash: file system
parser Display parser information
usbflash0: display information about usbflash0: file system
The example below enables the SUPPORT superview and lists the commands
available in the view.
R1# enable view SUPPORT
Password: <cisco1>
R1# ?
Exec commands:
<0-0>/<0-4> Enter card slot/sublot number
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information
R1#
This example enables the JR-ADMIN view and lists the commands available in the
view.
R1# enable view JR-ADMIN
Password:
R1# ?
Exec commands:
<0-0>/<0-4> Enter card slot/sublot number
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
reload Halt and perform a cold restart
show Show running system information
R1#
By not specifying a view for the enable view command, as shown here, you can log in
as root. From the root view, use the show parser view all command to see a
summary of all views. Notice how the asterisk identifies superviews.
R1# show parser view
Current view is 'JR-ADMIN'
R1# enable view
Password:
R1# show parser view
Current view is 'root'
R1# show parser view all
Views/SuperViews Present in System:
SHOWVIEW
VERIFYVIEW
REBOOTVIEW
USER *
SUPPORT *
JR-ADMIN *
-------(*) represent superview-------
R1#
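The following Python script is an added example for this module; it is not Cisco code and is not part of the course material. It parses a constructed running-config assembled from the R1 commands in sections 5.1.2, 5.2.3 and 5.2.6 (plus two deliberately weak lines, marked as constructed in the config), resolves what each privilege level and each superview can run using the rules stated in those sections (commands at lower privilege levels are inherited by higher levels; a superview is the union of its CLI views), and flags the weaknesses the text warns about: a view with no secret, type 5 (MD5) view secrets, level secrets that anyone who knows them can use with enable N, and multi-keyword privilege commands that also expose their keyword prefixes. The function and finding names are the author's own, not IOS output.

```python
import re

# Constructed sample configuration: the R1 lines shown in this module, plus two
# constructed weak lines (marked with "! constructed") so the audit has findings.
SAMPLE_CONFIG = """\
aaa new-model
privilege exec level 5 ping
privilege exec level 10 reload
! constructed: the multi-keyword case from the limitations paragraph
privilege exec level 10 show ip route
enable algorithm-type scrypt secret level 5 cisco5
enable algorithm-type scrypt secret level 10 cisco10
enable algorithm-type scrypt secret level 15 cisco123
username SUPPORT privilege 5 algorithm-type scrypt secret cisco5
username JR-ADMIN privilege 10 algorithm-type scrypt secret cisco10
username ADMIN privilege 15 algorithm-type scrypt secret cisco123
!
parser view SHOWVIEW
 secret 5 $1$GL2J$8njLecwTaLAc0UuWo1/Fv0
 commands exec include show
!
parser view VERIFYVIEW
 secret 5 $1$d08J$1zOYSI4WainGxkn0Hu7lP1
 commands exec include ping
!
parser view REBOOTVIEW
 secret 5 $1$L7lZ$1Jtn5IhP43fVE7SVoF1pt.
 commands exec include reload
!
! constructed: a view that was never given a secret
parser view NOSECRETVIEW
 commands exec include show clock
!
parser view JR-ADMIN superview
 secret 5 $1$8kx2$rbAe/ji220OmQ1yw.568g0
 view SHOWVIEW
 view VERIFYVIEW
 view REBOOTVIEW
!
"""


def parse_config(text):
    """Extract privilege levels, level secrets, users, CLI views and superviews."""
    cfg = {"aaa_new_model": False, "privilege": {}, "enable_levels": set(),
           "users": {}, "views": {}, "superviews": {}}
    block = None  # the parser view currently being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            block = None
            continue
        if line == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif (m := re.match(r"privilege (\S+) level (\d+) (.+)$", line)):
            cfg["privilege"].setdefault(int(m.group(2)), set()).add(m.group(3))
        elif (m := re.match(r"enable .*secret level (\d+) ", line)):
            cfg["enable_levels"].add(int(m.group(1)))
        elif (m := re.match(r"username (\S+) privilege (\d+) ", line)):
            cfg["users"][m.group(1)] = int(m.group(2))
        elif (m := re.match(r"parser view (\S+)( superview)?$", line)):
            kind = "superviews" if m.group(2) else "views"
            block = cfg[kind].setdefault(
                m.group(1), {"secret_type": None, "commands": set(), "views": []})
        elif block is not None and line.startswith(" "):
            body = line.strip()
            if (m := re.match(r"secret (\d) ", body)):
                block["secret_type"] = int(m.group(1))   # 5 = MD5, 9 = scrypt
            elif body.startswith("commands "):
                block["commands"].add(body.split(" ", 1)[1])
            elif body.startswith("view "):
                block["views"].append(body.split(" ", 1)[1])
    return cfg


def effective_commands(cfg, level):
    """Commands moved with `privilege` that a user at `level` may run.
    Commands at lower privilege levels are always executable at higher levels."""
    return set().union(*(c for lvl, c in cfg["privilege"].items() if lvl <= level))


def superview_commands(cfg, name):
    """Union of the member CLI views; unknown members raise like IOS does."""
    allowed = set()
    for view in cfg["superviews"][name]["views"]:
        if view not in cfg["views"]:
            raise ValueError(f"% Invalid view name {view}")
        allowed |= cfg["views"][view]["commands"]
    return allowed


def audit(cfg):
    """Return human-readable findings for the weaknesses discussed in this module."""
    findings = []
    if (cfg["views"] or cfg["superviews"]) and not cfg["aaa_new_model"]:
        findings.append("parser views present but 'aaa new-model' is not configured")
    for lvl, cmds in sorted(cfg["privilege"].items()):
        for cmd in sorted(cmds):
            words = cmd.split()
            if len(words) > 1:
                prefixes = [" ".join(words[:i]) for i in range(1, len(words))]
                findings.append(f"level {lvl}: '{cmd}' also exposes its prefixes {prefixes}")
    for lvl in sorted(cfg["enable_levels"]):
        if lvl < 15:
            findings.append(f"level {lvl}: shared enable secret; anyone who knows it "
                            f"can reach level {lvl} with 'enable {lvl}'")
    for kind in ("views", "superviews"):
        for name, v in cfg[kind].items():
            if v["secret_type"] is None:
                findings.append(f"{kind[:-1]} {name}: no secret configured")
            elif v["secret_type"] == 5:
                findings.append(f"{kind[:-1]} {name}: secret is type 5 (MD5); use a long, "
                                f"unique password since the view command offers no stronger hash")
    return findings


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for level in (5, 10):
        print(f"level {level} can run: {sorted(effective_commands(config, level))}")
    print("JR-ADMIN superview can run:", sorted(superview_commands(config, "JR-ADMIN")))
    for finding in audit(config):
        print("FINDING:", finding)
```

In practice, feed the script the output of show running-config | section parser together with the privilege and username lines; the regular expressions only cover the command forms shown on this page, so extend them before relying on the audit for other IOS features.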
5.3 Assigning Administrative Roles Summary
5.3.1 What Did I Learn in this Module?
Configure Privilege Levels
Cisco IOS software has two methods of providing infrastructure access: privilege level
and role-based CLI. By default, the Cisco IOS software CLI has two levels of access to
commands: User EXEC mode (privilege level 1) and Privileged EXEC mode (privilege
level 15). There are 16 privilege levels in total. The higher the privilege level, the more
router access a user has. To configure a privilege level with specific commands, use
the privilege exec level level [command]. Use the username command to assign a
privilege level to a specific user. Use the enable secret command to assign a privilege
level to a specific EXEC mode password. The use of privilege levels has its limitations:
There is no access control to specific interfaces, ports, logical interfaces, and slots
on a router.
Commands available at lower privilege levels are always executable at higher
levels.
Commands specifically set at a higher privilege level are not available for lower
privileged users.
Assigning a command with multiple keywords allows access to all commands that
use those keywords. For example, allowing access to show ip route allows the user
access to all show and show ip commands.
Configure Role-Based CLI
In an effort to provide more flexibility than privilege levels allow, Cisco introduced the
role-based CLI access feature in Cisco IOS Release 12.3(11)T. Role-based CLI access
enables the network administrator to create different views of router configurations
for different users. Role-based CLI provides three types of views that dictate which
commands are available. Root view has the same access privileges as a user who has
level 15 privileges. However, a root view is not the same as a level 15 user. Only a root
view user can configure a new view and add or remove commands from the existing
views. A specific set of commands can be bundled into a CLI view. Unlike privilege
levels, a CLI view has no command hierarchy and no higher or lower views. A view does
not inherit commands from any other view. A superview consists of one or more CLI
views. Administrators can define which commands are accepted and which
configuration information is visible. Superviews allow a network administrator to
assign users and groups of users multiple CLI views at once, instead of having to assign
a single CLI view per user with all commands associated with that one CLI view. Before
an administrator can create a view, AAA must be enabled using the aaa new-
model command. To configure and edit views, an administrator must log in as the root
view using the enable view privileged EXEC command. The enable view root command
can also be used. When prompted, enter the enable secret password. There are five
steps to create and manage a specific view. The steps to configure a superview are
essentially the same as configuring a CLI view, except that the view view-
name command is used to assign commands to the superview.
5.3.2 Module 5 - Assign Administrative Roles Quiz
Question 1
What must be done before any role-based CLI views can be created?
Issue the aaa new-model command.
Assign multiple privilege levels.
Create the secret password for the root user.
Configure usernames and passwords.
Question 2
Which three statements describe limitations in using privilege levels for assigning
command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level that is defined.
Commands set on a higher privilege level are not available for lower privilege users.
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a
tedious process.
It is required that all 16 privilege levels be defined, whether they are used or not.
Question 3
Which two router commands can a user issue when granted privilege level 0?
(Choose two.)
help
ping
configure
disable
show
Question 4
What does level 5 in the following enable secret global configuration mode
command indicate?
Router(config)# enable secret level 5 csc5io
The enable secret password is hashed using MD5.
The enable secret password is hashed using SHA.
The enable secret password grants access to privileged EXEC level 5.
The enable secret password can only be set by individuals with privileges for EXEC level
5.
Question 5
What are three network enhancements achieved by implementing the Cisco IOS
software role-based CLI access feature? (Choose three.)
Security
Scalability
Availability
Cost reduction
Fault tolerance
Operational efficiency
Question 6
A network administrator wants to create a new view so that a user only has access to
certain configuration commands. In role-based CLI, which view should the
administrator use to create the new view?
Root view
CLI view
Superview
Admin view
Question 7
A network administrator enters the command R1# enable view adminview. What is
the purpose of this command?
To enter the root view
To enter a CLI view named adminview
To enter a superview named adminview
To create a CLI view named adminview
Question 8
Which range of custom privilege levels can be configured on Cisco routers?
1 through 15
1 through 16
2 through 14
2 through 15
0 through 15
Question 9
Which command will move the show interface command to privilege level 10?
Router(config)# privilege level 10 show interface
Router(config)# show interface level 10
Router(config)# privilege exec level 10 show interface
Router(config-if)# privilege level 10 show interface
Router(config-if)# show interface level 10
Router(config-if)# privilege exec level 10 show interface
Question 10
What is the default privilege level of user accounts created on Cisco routers?
0
1
15
16
Question 11
An administrator assigned a level of router access to the user ADMIN using the
commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-
level-10
Which two actions are permitted to the user ADMIN? (Choose two.)
The user can execute all subcommands under the show ip interfaces command.
The user can issue the ip route command.
The user can issue all commands because this privilege level can execute all Cisco IOS
commands.
The user can issue the show version command.
The user can only execute the subcommands under the show ip route command.
Module Title: Device Monitoring and Management
Module Objective: Implement the secure management and monitoring of network devices.

Topic Title: Topic Objective
Secure Cisco IOS Image and Configuration Files: Explain how the Cisco IOS resilient configuration feature and Secure Copy are used to secure the Cisco IOS image and configuration files.
Lock Down a Router Using AutoSecure: Use the correct commands for AutoSecure to enable security on IOS-based routers.
Routing Protocol Authentication: Use the correct command to configure routing protocol authentication.
Secure Management and Reporting: Compare in-band and out-of-band management access.
Network Security Using Syslog: Explain how to configure syslog to log system events.
NTP Configuration: Configure NTP to enable accurate timestamping between all devices.
SNMP Configuration: Configure SNMP to monitor system status.
6.1 Secure Cisco IOS Image and Configuration Files
6.1.1 Cisco IOS Resilient Configuration Feature
The Cisco IOS resilient configuration feature allows for faster recovery if someone
maliciously or unintentionally reformats flash memory or erases the startup
configuration file in nonvolatile random-access memory (NVRAM). The feature
maintains a secure working copy of the router IOS image file and a copy of the running
configuration file. These secure files cannot be removed by the user and are referred
to as the primary bootset.
Here are a few facts about the Cisco IOS resilient configuration:
The configuration file in the primary bootset is a copy of the running configuration
that was in the router when the feature was first enabled.
The feature secures the smallest working set of files to preserve persistent storage
space.
No extra space is required to secure the primary Cisco IOS image file. The feature
automatically detects image or configuration version mismatch.
Only local storage is used for securing files, eliminating scalability maintenance
challenges from storing multiple images and configurations on TFTP servers.
The feature can be disabled only through a console session.
Note: The feature is only available on older routers that support a PCMCIA Advanced
Technology Attachment (ATA) flash interface. Newer routers such as the ISR 4000 do
not support this feature.
6.1.2 Enable the IOS Image Resilience Feature
The commands to secure the IOS image and running configuration file are shown in the
example. To secure the IOS image and enable Cisco IOS image resilience, use
the secure boot-image global configuration mode command. When enabled for the
first time, the running Cisco IOS image is secured and a log entry is generated. The
Cisco IOS image resilience feature can only be disabled through a console session using
the no form of the command. This command functions properly only when the system
is configured to run an image from a flash drive with an ATA interface. Additionally, the
running image must be loaded from persistent storage to be secured as primary.
Images that are loaded from a remote location, such as a TFTP server, cannot be
secured.
To take a snapshot of the router running configuration and securely archive it in
persistent storage, use the secure boot-config global configuration mode command, as
shown in the figure. A log message is displayed on the console notifying the user that
configuration resilience is activated. The configuration archive is hidden and cannot be
viewed or removed directly from the CLI prompt. You can use the secure boot-
config command repeatedly to upgrade the configuration archive to a newer version
after new configuration commands have been issued.
Secured files do not appear in the output of a dir command that is issued from the CLI.
This is because the Cisco IOS file system prevents secure files from being listed. The
running image and running configuration archives are not visible in the dir command
output. Use the show secure bootset command to verify the existence of the archive,
as shown in the figure.
R1(config)# secure boot-image
R1(config)#
Sep 22 12:47:10.183: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured
running image
R1(config)#
R1(config)# secure boot-config
R1(config)#
Sep 22 12:47:18.259: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully
secured config archive [flash0:.runcfg-20200922-124717.ar]
R1(config)#
R1(config)# exit
R1#
Sep 22 12:47:22.783: %SYS-5-CONFIG_I: Configured from console by console
R1# show secure bootset
IOS resilience router id FTX1449AJBJ
IOS image resilience version 15.4 activated at 12:47:09 UTC Tue Sep 22 2020
Secure archive flash0:c2900-universalk9-mz.SPA.154-3.M.bin type is image (elf) []
file size is 103727964 bytes, run size is 103907016 bytes
Runnable image, entry point 0x81000000, run from ram
IOS configuration resilience version 15.4 activated at 12:47:18 UTC Tue Sep 22 2020
Secure archive flash0:.runcfg-20200922-124717.ar type is config
configuration archive size 1683 bytes
R1#
6.1.3 The Primary Bootset Image
Restore a primary bootset from a secure archive after the router has been tampered
with, as shown in the following steps and example:
Step 1. Reload the router using the reload command. If necessary, issue the break
sequence to enter ROM monitor (ROMmon) mode.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device
that contains the secure bootset file.
Step 3. Boot the router with the secure bootset image using the boot command
followed by the flash memory location (e.g. flash0), a colon, and the filename found in
Step 2.
Step 4. Enter global configuration mode and restore the secure configuration to a
filename of your choice using the secure boot-config restore command followed by
the flash memory location (e.g. flash0), a colon, and a filename of your choice. In the
figure, the filename rescue-cfg is used.
Step 5. Exit global configuration mode and issue the copy command to copy the
rescued configuration file to the running configuration.
Router# reload
<Issue Break sequence, if necessary>
rommon 1 > dir flash0:
program load complete, entry point: 0x80803000, size: 0x1b340
Directory of flash0:
4 103727964 -rw- c2900-universalk9-mz.SPA.154-3.M.bin
rommon 2 > boot flash0:c2900-universalk9-mz.SPA.154-3.M.bin
<Router reboots with specified image>
Router> enable
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# secure boot-config restore flash0:rescue-cfg
ios resilience:configuration successfully restored as flash0:rescue-cfg
Router(config)# end
Router# copy flash0:rescue-cfg running-config
Destination filename [running-config]?
%IOS image resilience is already active
%IOS configuration resilience is already active
2182 bytes copied in 0.248 secs (8798 bytes/sec)
R1#
6.1.4 Configure Secure Copy
The Cisco IOS Resilient feature provides a method for securing the IOS image and
configuration files locally on the device. The Secure Copy Protocol (SCP) feature is used
to remotely copy these files. SCP provides a secure and authenticated method for
copying router configuration or router image files to a remote location.
SCP relies on:
SSH to secure communication
AAA to provide authentication and authorization
Note: AAA configuration will be covered in greater detail in a later chapter.
Use the following steps to configure a router for server-side SCP with local AAA:
Step 1. Configure SSH, if not already configured.
Step 2. For local authentication, configure at least one local database user with
privilege level 15.
Step 3. Enable AAA with the aaa new-model global configuration mode command.
Step 4. Use the aaa authentication login default local command to specify that the
local database be used for authentication.
Step 5. Use the aaa authorization exec default local command to configure command
authorization. In this example, all local users will have access to EXEC commands.
Step 6. Enable SCP server-side functionality with the ip scp server enable command.
In the example, R1 is now an SCP server and will use SSH connections to accept secure
copy transfers from authenticated and authorized users. Transfers can originate from
any SCP client whether that client is another router, switch, or workstation.
R1(config)# ip domain-name span.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Bob privilege 15 algorithm-type scrypt secret cisco12345
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# ip scp server enable
Now assume that we want to securely copy the backup configuration of a router
named R2 to the SCP server, which is R1. As shown in the command output below, we
would use the copy command on R2, and specify the source file location first
(flash0:R2backup.cfg), and then the destination (scp:). After answering the series of
prompts to establish a connection to the SCP server on R1, the file will be copied.
R2# copy flash0:R2backup.cfg scp:
Address or name of remote host []? 10.1.1.1
Destination username [R2]? Bob
Destination filename [R2backup.cfg]?
Writing R2backup.cfg
Password: <cisco12345>
!
1381 bytes copied in 8.596 secs (161 bytes/sec)
R2#
On R1, you can enter the debug ip scp command to watch the transfer proceed, as
shown in the following example. The most common authentication issue is an incorrect
username/password combination. There is also an authentication failure if the
username/password combination was not configured with the privilege 15 keyword on
the SCP server.
R1# debug ip scp
Incoming SCP debugging is on
R1#
*Feb 18 20:37:15.363: SCP: [22 -> 10.1.1.2:61656] send
*Feb 18 20:37:15.367: SCP: [22 <- 10.1.1.2:61656] recv C0644 1381 R2backup.cfg
*Feb 18 20:37:15.367: SCP: [22 -> 10.1.1.2:61656] send
6.1.5 Recover a Router Password
If a router is compromised or needs to be recovered from a misconfigured password,
an administrator must use password recovery procedures, such as those shown in the
steps below. For security reasons, password recovery requires the administrator to
have physical access to the router through a console cable. Depending on the device,
the detailed procedure for password recovery varies.
Step 1. Connect to the console port.
Step 2. Use the show version command to display the configuration register setting
and document the value (e.g., 0x2102).
Step 3. Power cycle the router.
Step 4. Issue the break sequence (e.g., CTRL-BREAK) to enter ROMMON mode.
Step 5. Change the default configuration register with the confreg 0x2142 command.
Step 6. Reboot the router by using the reset command in ROMMON mode.
Step 7. Press Ctrl-C to skip the initial setup procedure.
Step 8. Enter privileged EXEC mode.
Step 9. Copy the startup configuration to the running configuration using the copy
startup-config running-config command.
Step 10. Verify the configuration.
Step 11. Change the enable secret password.
Step 12. Enable all interfaces using the no shutdown command.
Step 13. Return the configuration register setting to the original setting that was
documented in Step 2 with the config-register global configuration command. On the
next reboot, the router will use these settings and load the new startup configuration
file that contains the changed password.
Step 14. Save the configuration changes.
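The 14 steps above as a single console session, added by the editor and not taken from the course text. The hostname R1, the interface and the replacement secret are assumed; the exact break sequence and ROMmon prompt vary by platform.

```cisco
! Step 2. Record the current register before touching anything.
Router# show version | include register
Configuration register is 0x2102

! Steps 3-4. Power-cycle and send the break sequence during the first
! seconds of boot to stop in ROMmon.
! Step 5. 0x2142 differs from 0x2102 only in bit 6 (0x0040), which tells
! the boot process to ignore the configuration stored in NVRAM.
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
! Step 6.
rommon 2 > reset

! Step 7. The router boots with no startup-config and offers setup mode.
         --- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: <Ctrl-C>

! Steps 8-9. No password is needed now; merge the saved config back in.
Router> enable
Router# copy startup-config running-config
Destination filename [running-config]?
! The hostname from the restored config now appears in the prompt.

! Step 10. Confirm the configuration came back before changing it.
R1# show running-config | include ^hostname|^enable|^username

! Step 11. Replace every secret that was lost or that others may know.
R1# configure terminal
R1(config)# enable secret Repl@cedSecret-2024

! Step 12. After a boot with no configuration every interface is
! administratively down, and the merge only applies commands that are
! present in the saved file; an interface that was up has no 'shutdown'
! line, so nothing brings it back up. Re-enable each interface in use.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit

! Step 13. Put the register back to the value recorded in Step 2.
R1(config)# config-register 0x2102
R1(config)# end

! Step 14. Save, then check the register. The running value stays 0x2142
! until the next reload; the parenthetical is the confirmation to look for.
R1# copy running-config startup-config
R1# show version | include register
Configuration register is 0x2142 (will be 0x2102 at next reload)
```

Leaving the register at 0x2142 is the classic mistake: the next reload would silently boot without the startup configuration, and any unsaved change made after the recovery is lost in the same way.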
6.1.6 Password Recovery
If someone gained physical access to a router, they could potentially gain control of
that device through the password recovery procedure. This procedure, if performed
correctly, leaves the router configuration intact. If the attacker makes no major
changes, this type of attack is difficult to detect. An attacker can use this attack method
to discover the router configuration and other pertinent information about the
network, such as traffic flows and access control restrictions.
An administrator can mitigate this potential security breach by using the no service
password-recovery global configuration mode command. This command is a hidden
Cisco IOS command and has no arguments or keywords. If a router is configured with
the no service password-recovery command, all access to ROMmon mode is disabled.
When the no service password-recovery command is entered, a warning message
displays and must be acknowledged before the feature is enabled, as shown in the
example.
R1(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery
mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]: yes
R1(config)#
When it is configured, the show running-config command displays a no service
password-recovery statement, as shown here.
R1# show running-config
Building configuration...
Current configuration : 836 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service password-recovery
As shown below, when the router is booted, the initial boot sequence displays a
message stating PASSWORD RECOVERY FUNCTIONALITY IS DISABLED.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 131072 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x8000f000, size:0xcb80
To recover a device after the no service password-recovery command is entered,
initiate the break sequence within five seconds after the image decompresses during
the boot. You are prompted to confirm the break key action. After the action is
confirmed, the startup configuration is completely erased, the password recovery
procedure is enabled, and the router boots with the factory default configuration. If
you do not confirm the break action, the router boots normally with the no service
password-recovery command enabled.
CAUTION: If the router flash memory does not contain a valid Cisco IOS image because
of corruption or deletion, the ROMmon xmodem command cannot be used to load a
new flash image. To repair the router, an administrator must obtain a new Cisco IOS
image on a flash SIMM or on a PCMCIA card. However, if an administrator has access
to ROMmon they can restore an IOS file to flash memory using a TFTP server. Refer
to Cisco.com for more information regarding backup flash images.
6.2 Lock Down a Router Using AutoSecure
6.2.1 Discovery Protocols CDP and LLDP
Cisco routers are initially deployed with many services that are enabled by default. This
is done for convenience and to simplify the configuration process required to get the
device operational. However, some of these services can make the device vulnerable
to attack if security is not enabled. Administrators can also enable services on Cisco
routers that can expose the device to significant risk. Both of these scenarios must be
considered when securing the network.
The Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default
on Cisco routers. The Link Layer Discovery Protocol (LLDP) is an open standard that can
be enabled on Cisco devices, as well as other vendor devices that support LLDP.
LLDP configuration and verification is similar to CDP. In the figure, R1 and S1 are both
configured with LLDP, using the lldp run global configuration command. Both devices
are running CDP by default. The output for show cdp neighbors detail and show lldp
neighbors detail will reveal a device’s address, platform, and operating system details.
R1(config)# lldp run
R1(config)# end
R1# show cdp neighbors detail
-------------------------
Device ID: S1
Entry address(es):
IP address: 192.168.1.254
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): FastEthernet0/5
Holdtime : 164 sec
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7,
RELEASE SOFTWARE (fc1)
<output omitted>
R1# show lldp neighbors detail
------------------------------------------------
Local Intf: Gi0/1
Chassis id: 0022.9121.0380
Port id: Fa0/5
Port Description: FastEthernet0/5
System Name: S1
System Description:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7,
RELEASE SOFTWARE (fc1)
<output omitted>
Unfortunately, attackers do not need to have CDP-enabled or LLDP-enabled devices to
gather this sensitive information. Readily available software, such as Universal
Network CDP & LLDP Evaluator (UNCLE), enables any computer on the network to
capture and view CDP and LLDP information that is sent on a LAN. In addition, because
CDP frames are sent to a well-known multicast MAC address and carry no authentication,
CDP is vulnerable to CDP spoofing attacks. This is a form of denial of service attack in
which a flood of false CDP messages overwhelms the CDP neighbor table of a device.
6.2.2 Settings for Protocols and Services
Attackers target the services and protocols that leave a network most exposed to
malicious exploitation.
Many of these features should be disabled or restricted in their capabilities based on
the security needs of an organization. These features range from network discovery
protocols, such as CDP and LLDP, to globally available protocols such as ICMP and
other scanning tools.
Some of the default settings in Cisco IOS software are there for historical reasons. They
were logical default settings at the time the software was originally written. Other
default settings make sense for most systems, but can create security exposures if they
are used in devices that form part of a network perimeter defense. Still other defaults
are required by standards but are not always desirable from a security point of view.
The table summarizes the feature and default settings for protocols and services.

Feature: Default setting
Cisco Discovery Protocol (CDP): Enabled
Link Layer Discovery Protocol (LLDP): Disabled
Configuration autoloading: Disabled
FTP server: Disabled
TFTP server: Disabled
Network Time Protocol (NTP) service: Disabled
Packet assembler/disassembler (PAD) service: Enabled
TCP and User Datagram Protocol (UDP) minor services: Disabled in Cisco IOS Release 11.3 and later (enabled in earlier releases)
Maintenance Operation Protocol (MOP) service: Enabled on most Ethernet interfaces
Simple Network Management Protocol (SNMP): Enabled
HTTP or HTTPS configuration and monitoring: Setting is Cisco device dependent
Domain Name System (DNS): Enabled
Internet Control Message Protocol (ICMP) redirects: Enabled
IP source routing: Enabled
Finger service: Enabled
ICMP unreachable notifications: Enabled
ICMP mask reply: Disabled
IP identification service: Enabled
TCP keepalives: Disabled
Gratuitous ARP (GARP): Enabled
Proxy ARP: Enabled
The table below shows recommended security settings for protocols and services.
There are several important practices available to help ensure a device is secure:
Disable unnecessary services and interfaces.
Disable and restrict commonly configured management services, such as SNMP.
Disable probes and scans, such as ICMP.
Ensure terminal access security.
Disable gratuitous and proxy Address Resolution Protocols (ARPs).
Disable IP-directed broadcasts.

Feature: Recommendation
Cisco Discovery Protocol (CDP): Should be disabled globally or on a per-interface basis if it is not required.
Link Layer Discovery Protocol (LLDP): Should be disabled globally or on a per-interface basis if it is not required.
Configuration autoloading: Should remain disabled when not in use by the router.
FTP server: Should be disabled when it is not required.
TFTP server: Should be disabled when it is not required.
Network Time Protocol (NTP) service: Should remain disabled when it is not required.
Packet assembler/disassembler (PAD) service: Should be explicitly disabled when not in use.
TCP and User Datagram Protocol (UDP) minor services: Disable this service explicitly.
Maintenance Operation Protocol (MOP) service: Should be explicitly disabled when it is not in use.
Simple Network Management Protocol (SNMP): Disable this service when it is not required.
HTTP or HTTPS configuration and monitoring: Disable the service if it is not required. If this service is required, restrict access to the router HTTP or HTTPS service using access control lists (ACLs).
Domain Name System (DNS): Disable when it is not required. If the DNS lookup service is required, ensure that you set the DNS server address explicitly.
Internet Control Message Protocol (ICMP) redirects: Disable when it is not required.
IP source routing: Disable this service when it is not required.
Finger service: Disable this service when it is not required.
ICMP unreachable notifications: Disable on interfaces to untrusted networks.
ICMP mask reply: Disable on interfaces to untrusted networks.
IP identification service: Service should be explicitly disabled.
TCP keepalives: Should be enabled globally to manage TCP connections and prevent certain denial of service (DoS) attacks.
IP directed broadcasts: Enabled in Cisco IOS Software releases before Cisco IOS Release 12.0 and disabled in Cisco IOS Release 12.0 and later. Disable this service when it is not required.
Gratuitous ARP (GARP): Disable gratuitous ARPs on each router interface unless this service is needed.
Proxy ARP: Disable this service on each interface unless the router is being used as a LAN bridge.
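The recommendations above turned into commands, as an editor's example rather than course text, for a router with one interface facing an untrusted network. The interface name and the management subnet in ACL 10 are assumed. FTP, TFTP, NTP and configuration autoloading are disabled by default and need no command unless someone turned them on.

```cisco
! Discovery protocols: off globally. Use 'no cdp enable' on single
! interfaces instead if CDP is needed elsewhere (IP phones, for example).
R1(config)# no cdp run
R1(config)# no lldp run

! Legacy services that are on by default.
R1(config)# no service pad
R1(config)# no service tcp-small-servers
R1(config)# no service udp-small-servers
R1(config)# no ip finger
R1(config)# no ip bootp server
R1(config)# no ip identd
R1(config)# no ip source-route
R1(config)# no ip gratuitous-arps

! DNS: either turn lookups off, or name the resolver explicitly with
! 'ip name-server' so the router never broadcasts for one.
R1(config)# no ip domain-lookup

! Management services: remove SNMP if unused; keep only HTTPS and
! restrict it to the management subnet (ACL 10 is assumed).
R1(config)# no snmp-server
R1(config)# access-list 10 permit 10.10.99.0 0.0.0.255
R1(config)# no ip http server
R1(config)# ip http secure-server
R1(config)# ip http access-class 10

! Keepalives so half-open management sessions are torn down, both directions.
R1(config)# service tcp-keepalives-in
R1(config)# service tcp-keepalives-out

! Per-interface settings on the interface facing the untrusted network.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip redirects
R1(config-if)# no ip unreachables
R1(config-if)# no ip mask-reply
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip directed-broadcast
R1(config-if)# no mop enabled
R1(config-if)# end

! Verification: the interface output states each ICMP and ARP behaviour.
R1# show ip interface GigabitEthernet0/0 | include redirects|unreachables|mask|Proxy|Directed
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  Proxy ARP is disabled
  Directed broadcast forwarding is disabled
! Global services disabled this way appear as explicit 'no' lines.
R1# show running-config | include ^no (cdp|lldp|service|ip)
```

Two side effects to weigh before copying this onto a production router: no ip unreachables also suppresses the fragmentation-needed message that path MTU discovery depends on, so hosts behind the router may see large transfers stall; and no ip domain-lookup stops the router itself from resolving names, which matters for commands such as ping or ntp server given a hostname.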
6.2.3 Cisco AutoSecure
Released in IOS version 12.3, Cisco AutoSecure is a feature that is initiated from the CLI
and executes a script. AutoSecure first makes recommendations for fixing security
vulnerabilities and then modifies the security configuration of the router, as shown in
the figure.
AutoSecure can lock down the management plane functions and the forwarding plane
services and functions of a router. There are several management plane services and
functions:
Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP, ICMP
(redirects, mask-replies), IP source routing, Finger, password encryption, TCP
keepalives, gratuitous ARP, proxy ARP, and directed broadcast
Legal notification using a banner
Secure password and login functions
Secure NTP
Secure SSH access
TCP intercept services
There are three forwarding plane services and functions that AutoSecure enables:
Cisco Express Forwarding (CEF)
Traffic filtering with ACLs
Cisco IOS firewall inspection for common protocols
AutoSecure is often used in the field to provide a baseline security policy on a new
router. Features can then be altered to support the security policy of the organization.
R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security
of the router but it will not make router
absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure
will be shown here. For more details of why and
how this configuration is useful, and any possible
side effects, please refer to Cisco documentation of
AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for
AutoSecure
Is this router connected to internet? [no]:yes
6.2.4 Cisco AutoSecure Command Syntax
Use the auto secure command to enable the Cisco AutoSecure feature setup. This
setup can be interactive or non-interactive. The figure shows the command syntax for
the auto secure command.
Router# auto secure {no-interact | full} [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]
Here are the command parameters.
R1# auto secure ?
forwarding Secure Forwarding Plane
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
<cr>
R1#
Note: Options may vary by platform.
In interactive mode, the router prompts with options to enable and disable services
and other security features. This is the default mode, but it can also be configured
using the auto secure full command.
The non-interactive mode is configured with the auto secure no-interact command.
This will automatically execute the Cisco AutoSecure feature with the recommended
Cisco default settings. The auto secure command can also be entered with keywords to
configure specific components, such as the management plane
(management keyword) and forwarding plane (forwarding keyword).
Optional parameter: Description
no-interact: The user will not be prompted for any interactive configurations. No interactive dialogue parameters will be configured, including usernames or passwords.
full: The user will be prompted for all interactive questions. This is the default setting.
forwarding: Only the forwarding plane will be secured.
management: Only the management plane will be secured.
ntp: Specifies the configuration of the NTP feature in the AutoSecure CLI.
login: Specifies the configuration of the login feature in the AutoSecure CLI.
ssh: Specifies the configuration of the SSH feature in the AutoSecure CLI.
firewall: Specifies the configuration of the firewall feature in the AutoSecure CLI.
tcp-intercept: Specifies the configuration of the TCP intercept feature in the AutoSecure CLI.
6.2.5 Cisco AutoSecure Configuration Example
When the auto secure command is initiated, a CLI wizard steps the administrator
through the configuration of the device. User input is required.
The CLI wizard steps are as follows.
Step 1. The auto secure command is entered. The router displays the AutoSecure
configuration wizard welcome message, as shown.
R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not
make it
absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device. All configuration changes
will be
shown. For a detailed explanation of how the configuration changes enhance
security and any
possible side effects, please refer to Cisco.com for Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
<continued>
Step 2. The wizard gathers information about the outside interfaces, as shown.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]:
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up
FastEthernet0/1 192.168.11.1 YES manual up up
FastEthernet0/1/0 unassigned YES unset up down
FastEthernet0/1/1 unassigned YES unset up down
FastEthernet0/1/2 unassigned YES unset up down
FastEthernet0/1/3 unassigned YES unset up down
Serial0/0/0 192.168.2.101 YES manual up up
Serial0/0/1 unassigned YES manual administratively down down
Vlan1 unassigned YES manual up down
Enter the interface name that is facing the internet: Serial 0/0/0
Invalid interface name
Enter the interface name that is facing the internet: Serial0/0/0
<continued>
Step 3. AutoSecure secures the management plane by disabling unnecessary services, as
shown.
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
<continued>
Step 4. AutoSecure prompts for a banner, as shown.
Here is a sample Security Banner to be shown at every access to device. Modify it
to suit your enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between k and k, where k is any character}:
#
********* AUTHORIZED ACCESS ONLY ***********
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. Any violations of access policy will result
in disciplinary action.
#
<continued>
Step 5. AutoSecure prompts for passwords and enables password and login features, as
shown.
Enable secret is either not configured or is the same as enable password
Enter the new enable secret: cisco123
Confirm the enable secret : cisco123
Enter the new enable password: cisco1
% Password too short - must be at least 6 characters. Password configuration failed
Enter the new enable password: cisco321
Confirm the enable password: cisco321
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for local authentication, exec-timeout,
and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 120
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 60
Configure SSH server? [yes]: y
<continued>
Step 6. Interfaces are secured, as shown.
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Step 7.
The forwarding plane is secured, as shown.
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes
When the wizard is complete, a running configuration displays all configuration
settings and changes.
Note: AutoSecure should be used when a router is initially being configured. It is not
recommended on production routers.
6.2.6 Syntax Checker - Using the auto secure Command
In this Syntax Checker, you will use AutoSecure to secure R1.
Configure Serial0/0/0 as the interface facing the internet. Note: The interface
name is case-specific.
Create a motd banner using #Unauthorized Access is Prohibited!#.
Create a local username Admin01 and password Admin01pa55 to access the
router.
Configure a 60 second login shutdown if 2 failed login attempts are made
within 30 seconds.
Use example.com as the domain name for the SSH server.
Do not configure CBAC firewall.
Apply the configuration from AutoSecure to the running-config.
Use AutoSecure to lock down the router.
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
AutoSecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to Internet? [no]#yes
Enter the number of interfaces facing the internet [1]#1
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/1 192.168.1.1 YES manual up up
Serial0/0/0 10.1.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
Enter the interface name that is facing the internet#Serial0/0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
#Unauthorized Access is Prohibited!#
Configuration of local user database
Enter the username#Admin01
Enter the password#Admin01pa55
Confirm the password#Admin01pa55
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected#60
Maximum Login failures with the device#2
Maximum time period for crossing the failed login attempts#30
Configure SSH server? [yes]#yes
Enter the domain-name#example.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]#no
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^CUnauthorized Access is PROHIBITED^C
security passwords min-length 6
security authentication failure rate 10 log
username Admin01 password 7 15330F010D247B7538326077
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1 2
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface Embedded-Service-Engine0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
ip verify unicast source reachable-via rx allow-default 100
!
end
Apply this configuration to running-config? [yes]#yes
Applying the config generated to running-config
The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
R1#
000046: *Dec 30 22:44:35.503 UTC: %AUTOSEC-1-MODIFIED: AutoSecure
configuration has been Modified on this device
You successfully secured R1 using AutoSecure.
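The generated configuration above is a one-time snapshot; a later change can quietly undo it. As an added example (not part of the course or of Cisco IOS), this Python audit parses a saved running-config and reports which AutoSecure management-plane, login-block and per-interface settings are missing; the sample configuration is constructed, and the login-block thresholds are an assumed example policy.

```python
import re
from typing import Dict, List, Tuple

# Added example, not part of the course or of Cisco IOS: audit a saved running-config
# for the settings AutoSecure applies, so the hardening can be re-checked later without
# rerunning the wizard. The sample configuration at the bottom is constructed.

# Global commands from the generated configuration above (present means hardened)
EXPECTED_GLOBAL = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route", "no ip gratuitous-arps",
]
# Services AutoSecure disables on every interface
EXPECTED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                      "no ip directed-broadcast", "no ip mask-reply"]
LOGIN_BLOCK_RE = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)$")
# Example policy (an assumption, not an IOS rule): block for at least 60 s after at most 3 failures
MIN_BLOCK_SECONDS, MAX_ATTEMPTS = 60, 3


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and per-interface sub-commands.
    IOS indents sub-mode commands with one space; "interface X" opens a section."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces.setdefault(current, [])
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text: str) -> Dict[str, List[str]]:
    """Findings keyed by "global", "login" or interface name; an empty dict means all checks passed."""
    global_cmds, interfaces = parse_config(text)
    findings: Dict[str, List[str]] = {}
    missing = [cmd for cmd in EXPECTED_GLOBAL if cmd not in global_cmds]
    if missing:
        findings["global"] = missing
    blocks = [m for m in map(LOGIN_BLOCK_RE.match, global_cmds) if m]
    if not blocks:
        findings["login"] = ["login block-for not configured"]
    elif int(blocks[-1].group(1)) < MIN_BLOCK_SECONDS or int(blocks[-1].group(2)) > MAX_ATTEMPTS:
        findings["login"] = ["weak " + blocks[-1].group(0)]
    for name, cmds in interfaces.items():
        gaps = [cmd for cmd in EXPECTED_INTERFACE if cmd not in cmds]
        # MOP is disabled on Ethernet-type interfaces only, as in the output above
        if "Ethernet" in name and "no mop enabled" not in cmds:
            gaps.append("no mop enabled")
        if gaps:
            findings[name] = gaps
    return findings


# Constructed sample: the generated configuration above, except that the HTTP server
# was re-enabled later and GigabitEthernet0/1 lost its "no ip proxy-arp".
SAMPLE_CONFIG = """\
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
no cdp run
no ip bootp server
ip http server
no ip source-route
no ip gratuitous-arps
login block-for 60 attempts 2 within 30
!
interface GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface Serial0/0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
end
"""

if __name__ == "__main__":
    for area, items in audit(SAMPLE_CONFIG).items():
        print(f"{area}: missing {', '.join(items)}")
```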
6.2.7 Lab - Configure Automated Security Features
In this lab, you will complete the following objectives:
Part 1: Configure basic device settings.
Part 2: Configure automated security features.
best path to each, are added to the routing table of the router, and identified as a
network learned by a specific dynamic routing protocol.
The figure shows routers R1 and R2 using a common routing protocol to share network
information.
For more information about generic threats to routing protocols, search the internet
for RFC 4593. Mitigate against routing protocol attacks by configuring OSPF
authentication.
Attackers Can Manipulate Unauthenticated Routing Updates
passive-interface GigabitEthernet0/1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
<output omitted>
!--------------------------------
R2# show run | begin router ospf
router ospf 1
passive-interface GigabitEthernet0/1
network 10.1.1.0 0.0.0.3 area 0
network 192.168.2.0 0.0.0.255 area 0
!
<output omitted>
In the figure below, R1 and R2 are configured with OSPF MD5 authentication.
Authentication is configured on a per interface basis because both routers are using
only one interface to form OSPF adjacencies. Notice that when R1 is configured, OSPF
adjacency is lost with R2 until R2 is configured with the matching MD5 authentication.
OSPF Configured With MD5 Authentication
R1# conf t
R1(config)# interface s0/0/0
R1(config-if)# ip ospf message-digest-key 1 md5 cisco12345
R1(config-if)# ip ospf authentication message-digest
R1(config-if)#
000209: Feb 20 13:59:35.091 UTC: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.2 on
Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#
000210: Feb 20 14:01:09.975 UTC: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.2 on
Serial0/0/0 from LOADING to FULL, Loading Done
----------------------------
R2# conf t
000137: Feb 20 13:59:35.091 UTC: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on
Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R2(config)# interface s0/0/0
R2(config-if)# ip ospf message-digest-key 1 md5 cisco12345
R2(config-if)# ip ospf authentication message-digest
R2(config-if)#
000138: Feb 20 14:01:09.975 UTC: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on
Serial0/0/0 from LOADING to FULL, Loading Done
R2(config-if)#
6.3.4 OSPF SHA Routing Protocol Authentication
MD5 is now considered vulnerable to attacks and should only be used when stronger
authentication is not available. Cisco IOS release 15.4(1)T added support for OSPF SHA
authentication, as detailed in RFC 5709. Therefore, the administrator should use SHA
authentication as long as all of the router operating systems support OSPF SHA
authentication.
OSPF SHA authentication includes two major steps. The syntax for the commands is
shown in the figure:
Step 1. Specify an authentication key chain in global configuration mode:
Configure a key chain name with the key chain command.
Assign the key chain a number and a password with the key and key-string commands.
Specify SHA authentication with the cryptographic-algorithm command.
(Optional) Specify when this key will expire with the send-lifetime command.
The syntax for these commands is as follows:
Router(config)# key chain name
Router(config-keychain)# key key-id
Router(config-keychain-key)# key-string string
Router(config-keychain-key)# cryptographic-algorithm {hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5}
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
Step 2. Use the following syntax to assign the authentication key to the desired
interfaces with the ip ospf authentication key-chain command.
Router(config)# interface type number
Router(config-if)# ip ospf authentication key-chain name
In the example that follows the figure, R1 and R2 are configured with OSPF SHA
authentication using a key named SHA256 and the key string ospfSHA256. Notice that
when R1 is configured, OSPF adjacency is lost with R2 until R2 is configured with the
matching SHA authentication.
OSPF Configured with SHA Authentication
R2(config)# key chain SHA256
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string ospfSHA256
R2(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R2(config-keychain-key)# exit
R2(config-keychain)# exit
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication key-chain SHA256
R2(config-if)#
000142: Feb 20 15:07:22.631: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config-if)#
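What the key chain and cryptographic-algorithm hmac-sha-256 commands actually make the routers compute is the RFC 5709 authentication trailer. The following Python is an added example, not from the course or from Cisco IOS: it builds a constructed OSPFv2 Hello, signs it with the key string from the text, and shows why a neighbor with a different key, a modified packet, or a replayed sequence number fails verification; the packet field values are sample data.

```python
import hashlib
import hmac
import struct

# Added example, not from the course: the RFC 5709 cryptographic authentication that
# "cryptographic-algorithm hmac-sha-256" selects, applied to a constructed OSPFv2 Hello.
# Packet field values are sample data; the key string is the one used in the text.

HASHES = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256,
          "hmac-sha-384": hashlib.sha384, "hmac-sha-512": hashlib.sha512}


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def prepare_key(key_string: bytes, algorithm: str) -> bytes:
    """RFC 5709 section 3.3: Ko is exactly L octets (L = digest length).
    A longer key-string is hashed first; a shorter one is zero-padded."""
    h = HASHES[algorithm]
    length = h().digest_size
    if len(key_string) > length:
        key_string = h(key_string).digest()
    return key_string.ljust(length, b"\x00")


def apad(algorithm: str) -> bytes:
    """Apad is 0x878FE1F3 repeated L/4 times; it stands in for the authentication
    data field while the HMAC is computed."""
    return bytes.fromhex("878FE1F3") * (HASHES[algorithm]().digest_size // 4)


def build_hello(router_id: str, area_id: str, neighbor: str,
                key_id: int, seq: int, algorithm: str) -> bytes:
    """OSPFv2 Hello with AuType 2 (cryptographic). The 8-octet authentication field
    holds reserved(2), key ID(1), auth data length(1), cryptographic sequence number(4);
    the checksum is zero. The authentication data itself is appended after the packet."""
    digest_len = HASHES[algorithm]().digest_size
    body = struct.pack("!4sHBBI4s4s4s",
                       ip_bytes("255.255.255.252"),     # network mask of the /30 link
                       10, 0x12, 1, 40,                  # hello interval, options, priority, dead interval
                       ip_bytes("0.0.0.0"), ip_bytes("0.0.0.0"),  # DR, BDR: none on point-to-point
                       ip_bytes(neighbor))
    header = struct.pack("!BBH4s4sHHHBBI",
                         2, 1, 24 + len(body),           # version, type 1 = Hello, length (trailer excluded)
                         ip_bytes(router_id), ip_bytes(area_id),
                         0, 2,                           # checksum, AuType 2 = cryptographic
                         0, key_id, digest_len, seq)
    return header + body


def sign(packet: bytes, key_string: bytes, algorithm: str) -> bytes:
    """Authentication data = HMAC(Ko, packet || Apad) with the selected hash."""
    h = HASHES[algorithm]
    return hmac.new(prepare_key(key_string, algorithm), packet + apad(algorithm), h).digest()


def verify(frame: bytes, key_string: bytes, algorithm: str, last_seq: int = -1) -> bool:
    """Receiver side: the neighbor's key chain must match, the packet must be untouched,
    and the cryptographic sequence number must not go backwards (replay protection)."""
    length = HASHES[algorithm]().digest_size
    if len(frame) < 24 + length or frame[19] != length:
        return False  # auth data length field disagrees with the configured algorithm
    packet, received = frame[:-length], frame[-length:]
    if struct.unpack("!I", packet[20:24])[0] <= last_seq:
        return False
    return hmac.compare_digest(sign(packet, key_string, algorithm), received)


if __name__ == "__main__":
    key = b"ospfSHA256"
    hello = build_hello("192.168.1.1", "0.0.0.0", "10.1.1.2", key_id=1, seq=1000, algorithm="hmac-sha-256")
    frame = hello + sign(hello, key, "hmac-sha-256")
    print("R2 with the matching key chain:", verify(frame, key, "hmac-sha-256"))
    print("R2 still using the MD5 key:    ", verify(frame, b"cisco12345", "hmac-sha-256"))
    tampered = frame[:24] + bytes([frame[24] ^ 0xFF]) + frame[25:]
    print("modified packet:               ", verify(tampered, key, "hmac-sha-256"))
    print("replayed packet:               ", verify(frame, key, "hmac-sha-256", last_seq=1000))
```

The second and third checks are the adjacency loss the text describes: until R2 holds the same key chain, every Hello from R1 fails verification and the neighbor stays down.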
6.3.5 Syntax Checker - OSPF SHA Routing Protocol Authentication
Use this Syntax Checker to configure OSPF authentication using SHA 256.
To configure OSPF with SHA authentication, you must first configure a key chain:
Issue the key chain command to create a key chain named SHA256.
Assign key number 1 to the key chain.
Assign the key-string ospfSHA256.
Assign hmac-sha-256 as the cryptographic-algorithm.
Enter exit twice to exit key chain configuration.
R1(config)#key chain SHA256
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string ospfSHA256
R1(config-keychain-key)#cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)#exit
R1(config-keychain)#exit
Enter interface configuration mode and assign the key-chain SHA256 for OSPF
authentication on S0/0/0.
R1(config)#interface S0/0/0
R1(config-if)#ip ospf authentication key-chain SHA256
R1(config-if)#
*Mar 1 16:52:26.615: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.2 on Serial0/0/0 from LOADING to FULL, Loading Done
Issue the end command to exit configuration mode.
R1(config-if)#end
R1#
You successfully configured OSPF authentication on R1.
6.3.6 Lab - Basic Device Configuration and OSPF Authentication
In this lab, you will complete the following objectives:
Part 1: Configure basic device settings.
Part 2: Secure the control plane.
6.4 Secure Management and Reporting
6.4.1 Types of Management Access
In a small network, managing and monitoring a small number of network devices is a
straightforward operation. However, in a large enterprise with hundreds of devices,
monitoring, managing, and processing log messages can be challenging. From a
reporting standpoint, most networking devices can send log data that can be
invaluable when troubleshooting network problems or security threats. This data can
be viewed in real time, on demand, and in scheduled reports.
When logging and managing information, the information flow between management
hosts and the managed devices can take two paths:
In-band - Information flows across an enterprise production network, the internet,
or both, using regular data channels.
Out-of-band (OOB) - Information flows on a dedicated management network on
which no production traffic resides.
For example, the network in the figure has two network segments separated by a Cisco
IOS router that is providing firewall services to protect the management network. The
connection to the production network allows management hosts to access the internet
and provides limited in-band management traffic. In-band management occurs only
when OOB management is not possible or available. If in-band management is
required, then that traffic should be sent securely using a private encrypted tunnel or
VPN tunnel.
In-Band Management
The figure below shows more detail for the protected management network. This is
where the management hosts and terminal servers reside. When placed within the
management network, terminal servers offer OOB direct console connections over the
management network to any network device requiring management on the production
network. Most devices should be connected to this management segment and be
configured using OOB management.
Because the management network has administrative access to nearly every area of
the network, it can be a very attractive target for hackers. The management module on
the firewall incorporates several technologies designed to mitigate such risks. The
primary threat is a hacker attempting to gain access to the management network. This
can be accomplished through a compromised managed host that a management
device must access. To mitigate the threat of a compromised device, strong access
control should be implemented at the firewall and at every other device. Management
devices should be set up in a fashion that prevents direct communication with other
hosts on the same management subnet by using separate LAN segments or VLANs.
Out-of-Band Management
management functions are performed. This technique should be used cautiously, and
all holes should be closed immediately when management functions are completed.
In-band management guidelines are:
Apply only to devices that need to be managed or monitored.
Use IPsec, SSH, or SSL when possible.
Decide whether the management channel needs to be open at all times.
Finally, if using remote management tools with in-band management, be wary of the
underlying security vulnerabilities of the management tool itself. For example, SNMP
managers are often used to ease troubleshooting and configuration tasks on a
network. However, SNMP should be treated with the utmost care because the
underlying protocol has its own set of security vulnerabilities.
6.5 Network Security Using Syslog
6.5.1 Introduction to Syslog
Like a Check Engine light on your car dashboard, the components in your network can
tell you if there is something wrong. The syslog protocol was designed to ensure that
you can receive and understand these messages. When certain events occur on a
network, networking devices have trusted mechanisms to notify the administrator
with detailed system messages. These messages can be either non-critical or
significant. Network administrators have a variety of options for storing, interpreting,
and displaying these messages. They can also be alerted to those messages that could
have the greatest impact on the network infrastructure.
The most common method of accessing system messages is to use a protocol called
syslog.
Syslog is a term used to describe a standard. It is also used to describe the protocol
developed for that standard. The syslog protocol was developed for UNIX systems in
the 1980s but was first documented as RFC 3164 by IETF in 2001.
Many networking devices support syslog, including routers, switches, application
servers, firewalls, and other network appliances. The syslog protocol allows
networking devices to send their system messages across the network to syslog
servers.
Specifically, syslog uses UDP port 514 to send event notification messages across IP
networks to event message collectors. For example, the figure displays a router (R1)
and a switch (S1) sending system messages to a syslog server.
There are several syslog server software packages for Windows and UNIX available.
Many of them are freeware.
The syslog logging service provides three primary functions, as follows:
The ability to gather logging information for monitoring and troubleshooting
The ability to select the type of logging information that is captured
The ability to specify the destinations of captured syslog messages
6.5.2 Syslog Operation
On Cisco network devices, the syslog protocol starts by sending system messages
and debug output to a local logging process that is internal to the device. How the
logging process manages these messages and outputs is based on device
configurations. For example, syslog messages may be sent across the network to an
external syslog server. Messages on the syslog server can then be filtered without
needing to access the actual device. Log messages and outputs stored on the external
server can be pulled into various reports for easier reading.
Alternatively, syslog messages may be sent to an internal buffer. Messages sent to the
internal buffer are only viewable through the CLI of the device.
Finally, the network administrator may specify that only certain types of system
messages be sent to various destinations. For example, the device may be configured
to forward all system messages to an external syslog server. However, debug-level
messages are forwarded to the internal buffer and are only accessible by the
administrator from the CLI.
As shown in the figure, popular destinations for syslog messages include the:
Logging buffer (RAM inside a router or switch)
Console line
Terminal line
Syslog server
The figure illustrates popular destinations for syslog messages. A switch has arrows
pointing to a logging buffer, a PC labeled Console line, another PC labeled Terminal
Line, and a syslog server.
Severity Name   Severity Level   Explanation
Emergency       Level 0          System Unusable
Alert           Level 1          Immediate Action Needed
Critical        Level 2          Critical Condition
Error           Level 3          Error Condition
Warning         Level 4          Warning Condition
Notification    Level 5          Normal, but Significant Condition
Informational   Level 6          Informational Message
Debugging       Level 7          Debugging Message
Each syslog level has its own meaning:
Emergency Level 0 - Warning Level 4: These messages are error messages about
software or hardware malfunctions; these types of messages mean that the
functionality of the device is affected. The severity of the issue determines the
actual syslog level applied.
Notification Level 5: This notification level is for normal but significant events. For
example, interface up or down transitions and system restart messages are
displayed at the notification level.
Informational Level 6: This is a normal information message that does not affect
device functionality. For example, when a Cisco device is booting, you might see
the following informational message: %LICENSE-6-EULA_ACCEPT_ALL: The Right to
Use End User License Agreement is accepted.
Debugging Level 7: This level indicates that the messages are output generated
from issuing various debug commands.
The most common messages are link up and down messages, and messages that a
device produces when it exits from configuration mode. If ACL logging is configured,
the device generates syslog messages when packets match a parameter condition.
6.5.5 Configure Syslog Timestamps
By default, log messages are not timestamped. In the example, the R1 GigabitEthernet
0/0/0 interface is shut down. The message logged to the console does not identify
when the interface state changed. Log messages should be timestamped so that
when they are sent to another destination, such as a syslog server, there is a record of
when the message was generated.
Use the command service timestamps log datetime to force logged events to display
the date and time. As shown in the command output, when the R1 GigabitEthernet
0/0/0 interface is reactivated, the log messages now contain the date and time.
R1# configure terminal
R1(config)# interface g0/0/0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
R1(config-if)# exit
R1(config)# service timestamps log datetime
R1(config)# interface g0/0/0
R1(config-if)# no shutdown
*Mar 1 11:52:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Mar 1 11:52:45: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 11:52:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
R1(config-if)#
Note: When using the datetime keyword, the clock on the networking device must be
set, either manually or through NTP, as previously discussed.
6.5.6 Check Your Understanding - Syslog Operation
Refer to the following syslog output to answer the questions.
*Jun 12 17:46:01.619: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
Question 1
Refer to the syslog output. What severity level generated the message?
Error
Informational
Warning
Debugging
Question 2
Refer to the syslog output. What is the mnemonic for this syslog message?
IFMGR
Unable to open nvram
NO_IFINDEX_FILE
ifIndex-table
Question 3
Refer to the syslog output. What is the syslog reporting facility?
IFMGR
NO_IFINDEX_FILE
IFMGR-7
ifIndex-table
6.5.7 Syslog Systems
Syslog implementations always contain two types of systems:
Syslog servers - Also known as log hosts, these systems accept and process log
messages from syslog clients.
Syslog clients - Routers or other types of equipment that generate and forward log
messages to syslog servers.
The topology in the figure identifies the syslog server at IP address 10.2.2.6. The rest of
the servers and devices in the topology can be configured as syslog clients, which send
syslog messages to the syslog server.
Configure system logging:
Step 1. Set the destination logging host using the logging [host] command.
Step 2. (Optional) Set the log severity (trap) level using the logging trap command.
Step 3. (Optional) Set the source interface using the logging source-interface command.
Step 4. (Optional) Enable logging to all enabled destinations with the logging on command.
Click below to learn about the steps for configuring system logging.
Step 1
Identify the destination syslog server using the logging host command
Parameter    Description
hostname     Specifies the name of the host you want to use as a syslog server.
ip-address   Specifies the IP address of the host you want to use as a syslog server.
Router(config)# logging host [hostname | ip-address]
Step 2
(Optional) Set the log severity (trap) level using the logging trap command
Note: An ISR defaults to Level 7 (debugging).
Router(config)# logging trap level
Step 3
(Optional) Set the source interface using the logging source-interface command.
Router(config)# logging source-interface interface-type interface-number
Step 4
(Optional) Enable logging to all enabled destinations with the logging on command.
Note: Syslog logging is enabled by default.
Router(config)# logging on
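As an added example (not part of the course), the following Python parses Cisco IOS system messages in the %FACILITY-SEVERITY-MNEMONIC form described with the severity table above and applies the logging trap severity filter from Step 2, so you can see which messages a given trap level forwards to the syslog server; the sample lines are constructed from messages quoted in this chapter.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not part of the course: parse Cisco IOS system messages of the form
# %FACILITY-SEVERITY-MNEMONIC: text and apply the "logging trap" severity filter that
# decides which of them a router forwards to its syslog server.

# Severity keywords accepted by "logging trap", numbered as in the severity table
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Optional sequence number (service sequence-numbers), optional timestamp
# (service timestamps log datetime [msec] [show-timezone]), then the message itself.
MESSAGE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:\*?(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]{3,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str] = None
    sequence: Optional[int] = None


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for lines that are not system messages
    (prompts, echoed commands, show output)."""
    m = MESSAGE_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        timestamp=m["timestamp"],
        sequence=int(m["seq"]) if m["seq"] else None,
    )


def trap_filter(lines: List[str], trap_level: str) -> List[SyslogMessage]:
    """Keep the messages a router configured with "logging trap <trap_level>" sends to
    its syslog server: a message is forwarded when its severity number is at or below
    the trap level, so "informational" (6) forwards 0-6 and keeps debugging (7) local."""
    limit = TRAP_LEVELS[trap_level]
    forwarded = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg.severity <= limit:
            forwarded.append(msg)
    return forwarded


# Constructed sample console output, modelled on messages quoted in this chapter
SAMPLE_LINES = [
    "*Jun 12 17:46:01.619: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory",
    "*Mar 1 11:52:45: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down",
    "*Sep 25 12:58:29.591: %SYS-5-CONFIG_I: Configured from console by console",
    "000046: *Dec 30 22:44:35.503 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device",
    "R1(config-if)#",  # a prompt, not a system message
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_message(line)
        if msg:
            print(f"{msg.facility:<10} level {msg.severity} {msg.mnemonic:<18} ts={msg.timestamp}")
    # With "logging trap informational" the debugging-level IFMGR message stays on the device
    sent = trap_filter(SAMPLE_LINES, "informational")
    print(f"forwarded with 'logging trap informational': {len(sent)} of {len(SAMPLE_LINES) - 1} messages")
```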
The figure shows the syslog reference topology.
The figure below shows a sample syslog configuration for R1. Use the show
logging command to view logging configuration and buffered syslog messages.
Sample Syslog Configuration
R1(config)# logging 10.2.2.6
R1(config)#
*Sep 25 12:57:14.120: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.2.6
port 514 started - CLI initiated
R1(config)#
R1(config)# logging trap informational
R1(config)# logging source-interface lo0
R1(config)# logging on
R1(config)# exit
R1#
*Sep 25 12:58:29.591: %SYS-5-CONFIG_I: Configured from console by console
R1#
R1# show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
<Output omitted>
Trap logging: level informational, 83 message lines logged
Logging to 10.2.2.6 (udp port 514, audit disabled,
link up),
7 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
Loopback0
<Output omitted>
devices are operating with synchronized time. Even in a smaller network environment,
the manual method is not ideal. If a router reboots, how will it get an accurate date
and timestamp?
A better and more scalable solution is to implement Network Time Protocol (NTP)
which is documented in RFC 1305. NTP enables network devices (i.e., NTP clients) to
synchronize their time settings with an NTP authoritative time source such as an NTP
server. The NTP time source can be a device (e.g., a router) on the network that is
selected as the private primary clock or it can be a publicly available NTP server on the
internet.
NTP source and clients open UDP port 123 to send and receive timestamps.
6.6.2 NTP Operation
NTP networks use a hierarchical system of time sources. Each level in this hierarchical
system is called a stratum. The stratum level is defined as the number of hop counts
from the authoritative source.
The figure displays a sample NTP network.
The sample network consists of four stratum levels that acquire their time as follows:
Stratum 1 server gets its time from the stratum 0 time source.
Stratum 2 server gets its time from the stratum 1 server.
Stratum 3 server gets its time from the stratum 2 server.
Stratum 0
This identifies a device providing the most authoritative time source. Stratum 0 devices
including atomic and GPS clocks are the most accurate authoritative time sources.
Specifically, NTP stratum 0 devices are non-network high-precision timekeeping
devices assumed to be accurate and with little or no delay associated with them. In the
figure, they are represented by the clock icon.
Stratum 1
NTP stratum 1 devices are network devices that are directly connected to the
authoritative time sources. They function as the primary network time standard to
stratum 2 devices.
Stratum 2 and Lower
NTP stratum 2 servers are connected on a network to a stratum 1 device. Stratum 2
devices are NTP clients and synchronize their time by using the NTP packets from a
stratum 1 server such as a router. They in turn can be NTP servers for stratum 3
devices.
NTP stratum levels are based on a scale of 0 (highest stratum level) to 15 (lowest
stratum level). For example, an NTP server in a low number stratum level is closer to
the authorized time source than a server in a high number stratum level.
The maximum stratum hop count is 15 (i.e., 0 - 15). Note that an NTP client that is not
synchronized with a server is assigned a stratum 16 level.
NTP servers in the same stratum level can be configured as peers to provide redundant
time sources for clients or to synchronize each other.
6.6.3 Configure and Verify NTP
The figure shows the topology used to demonstrate NTP configuration and verification.
Before NTP is configured on the network, the show clock command displays the
current time on the software clock, as shown in the example. With the detail option,
notice that the time source is user configuration. That means the time was manually
configured with the clock command.
R1# show clock detail
20:55:10.207 UTC Fri Nov 15 2019
Time source is user configuration
In our topology, an internet NTP server is the authoritative time source. However, a
local network device could be selected as the NTP authoritative time source using
the ntp master [stratum] global configuration command.
In the topology, R1 is an NTP client of the NTP server. Use the ntp server ip-address global config command to configure 209.165.200.225 as the NTP server for R1.
To verify the time source is set to NTP, use the show clock detail command. Notice
that now the time source is NTP.
R1(config)# ntp server 209.165.200.225
R1(config)# end
R1# show clock detail
21:01:34.563 UTC Fri Nov 15 2019
Time source is NTP
In the next example, the show ntp associations and show ntp status commands are
used to verify that R1 is synchronized with the NTP server at 209.165.200.225. Notice
that R1 is synchronized with a stratum 1 NTP server at 209.165.200.225, which is
synchronized with a GPS clock. The show ntp status command displays that R1 is now
a stratum 2 device that is synchronized with the NTP server at 209.165.220.225.
Note: The highlighted st stands for stratum.
R1# show ntp associations
address ref clock st when poll reach delay offset disp
*~209.165.200.225 .GPS. 1 61 64 377 0.481 7.480 4.261
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1# show ntp status
Clock is synchronized, stratum 2, reference is 209.165.200.225
nominal freq is 250.0000 Hz, actual freq is 249.9995 Hz, precision is 2**19
ntp uptime is 589900 (1/100 of seconds), resolution is 4016
reference time is DA088DD3.C4E659D3 (13:21:23.769 PST Fri Nov 15 2019)
clock offset is 7.0883 msec, root delay is 99.77 msec
root dispersion is 13.43 msec, peer dispersion is 2.48 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000001803 s/s
system poll interval is 64, last update was 169 sec ago.
Next, the clock on S1 is configured to synchronize to R1 with the ntp
server command and then the configuration is verified with the show ntp
associations command, as displayed.
S1(config)# ntp server 192.168.1.1
S1(config)# end
S1# show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.1.1 209.165.200.225 2 12 64 377 1.066 13.616 3.840
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Output from the show ntp associations command verifies that the clock on S1 is now
synchronized with R1 at 192.168.1.1 via NTP. R1 is a stratum 2 device and NTP server
to S1. Now S1 is a stratum 3 device that can provide NTP service to other devices in
the network, such as end devices.
S1# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2088 Hz, precision is 2**17
reference time is DA08904B.3269C655 (13:31:55.196 PST Tue Nov 15 2019)
clock offset is 18.7764 msec, root delay is 102.42 msec
root dispersion is 38.03 msec, peer dispersion is 3.74 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000003925 s/s
system poll interval is 128, last update was 178 sec ago.
6.6.4 Packet Tracer - Configure and Verify NTP
NTP synchronizes the time of day among a set of distributed time servers and clients.
While there are a number of applications that require synchronized time, this lab will
focus on the need to correlate events when listed in the system logs and other time-
specific events from multiple network devices.
SNMP defines how management information is exchanged between network
management applications and management agents. It is an application layer protocol
that provides a message format for communication between managers and agents.
The SNMP system consists of three elements:
SNMP manager
SNMP agents (managed node)
Management Information Base (MIB)
To configure SNMP on a networking device, it is first necessary to define the
relationship between the manager and the agent.
The SNMP manager is part of a network management system (NMS). The SNMP
manager runs SNMP management software.
As shown in the figure, the SNMP manager can collect information from an SNMP
agent by using the “get” action. It can change configurations on an agent by using the
“set” action. In addition, SNMP agents can forward information directly to a network
manager by using “traps”.
The SNMP agent and MIB reside on SNMP client devices. Network devices that must
be managed, such as switches, routers, servers, firewalls, and workstations, are
equipped with an SNMP agent software module. The MIB stores data and operational
statistics about the device.
The SNMP Manager sends a get request to SNMP agent to access stored data in the
local MIB. Specifically, the SNMP manager polls the agents and queries the MIB for
SNMP agents on UDP port 161. SNMP agents send any SNMP traps to the SNMP
manager on UDP port 162.
6.7.2 SNMP Operation
SNMP agents that reside on managed devices collect and store information about the
device and its operation. This information is stored by the agent locally in the MIB. The
SNMP manager then uses the SNMP agent to access information within the MIB.
There are two primary SNMP manager requests:
get request - Used by the NMS to query the device for data.
set request - Used by the NMS to change configuration variables in the agent
device. A set request can also initiate actions within a device. For example, a set
request can cause a router to reboot, send a configuration file, or receive a
configuration file.
The SNMP manager uses the get and set actions to perform the operations described
in the table.
Operation - Description
get-request - Retrieves a value from a specific variable.
get-next-request - Retrieves a value from a variable within a table; the SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
get-bulk-request - Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. (Only works with SNMPv2 or later.)
get-response - Replies to a get-request, get-next-request, and set-request sent by an NMS.
set-request - Stores a value in a specific variable.
The SNMP agent responds to SNMP manager requests as follows:
Get an MIB variable - The SNMP agent performs this function in response to a
GetRequest-PDU from the network manager. The agent retrieves the value of the
requested MIB variable and responds to the network manager with that value.
Set an MIB variable - The SNMP agent performs this function in response to a
SetRequest-PDU from the network manager. The SNMP agent changes the value of
the MIB variable to the value specified by the network manager. An SNMP agent
reply to a set request includes the new settings in the device.
The figure illustrates the use of an SNMP GetRequest to determine if interface G0/0/0
is up/up.
The figure shows portions of the MIB structure defined by Cisco. Note how the OID can
be described in words or numbers to help locate a particular variable in the tree. OIDs
belonging to Cisco, are numbered as follows: .iso (1).org (3).dod (6).internet (1).private
(4).enterprises (1).cisco (9). Therefore, the OID is 1.3.6.1.4.1.9.
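To make the numbering concrete, the following Python (an added example, not from the course) converts named OID paths such as the one in the text into dotted numbers and checks whether an OID falls inside an SNMP view of the kind configured later with the snmp-server view command. The mgmt and mib-2 arcs, and the longest-matching-subtree rule used to evaluate a view, are assumptions of the example.

```python
import re

# Named arcs with their full numeric paths. iso through cisco follow the path in the text;
# mgmt and mib-2 are added as an assumption from the standard MIB tree.
OID_NAMES = {
    "iso": "1", "org": "1.3", "dod": "1.3.6", "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2", "mib-2": "1.3.6.1.2.1",
    "private": "1.3.6.1.4", "enterprises": "1.3.6.1.4.1", "cisco": "1.3.6.1.4.1.9",
}

# One component: a name, optionally annotated as 'name (n)' the way the text writes it.
TOKEN_RE = re.compile(r"^([A-Za-z][\w-]*)\s*(?:\((\d+)\))?$")


def oid_to_numeric(oid):
    """Convert 'iso.org.dod.internet.private.enterprises.cisco', '.iso (1).org (3)...',
    'cisco.1.1' or an already numeric OID into dotted numbers."""
    parts = []
    for token in (t.strip() for t in oid.split(".")):
        if not token:
            continue  # leading '.' in the text's notation
        if token.isdigit():
            parts.append(int(token))
            continue
        m = TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"unparseable OID component: {token!r}")
        name, number = m.groups()
        if name not in OID_NAMES:
            if number is None:
                raise ValueError(f"unknown arc name: {name!r}")
            parts.append(int(number))  # unknown name, but its number was written next to it
            continue
        full = [int(p) for p in OID_NAMES[name].split(".")]
        if number is not None and int(number) != full[-1]:
            raise ValueError(f"{name} is arc {full[-1]}, not {number}")
        if not parts:
            parts = full  # a bare name is an absolute subtree, as in 'snmp-server view NAME iso included'
        elif full[:-1] != parts:
            raise ValueError(f"{name!r} does not sit under {'.'.join(map(str, parts))}")
        else:
            parts.append(full[-1])
    return ".".join(map(str, parts))


def in_view(oid, view):
    """view: list of (subtree, 'included' | 'excluded') pairs, one per snmp-server view line.
    Visibility is decided by the longest matching subtree (an assumption of this example)."""
    target = [int(p) for p in oid_to_numeric(oid).split(".")]
    best_len, visible = -1, False
    for subtree, mode in view:
        prefix = [int(p) for p in oid_to_numeric(subtree).split(".")]
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, visible = len(prefix), (mode == "included")
    return visible


if __name__ == "__main__":
    print(oid_to_numeric("iso.org.dod.internet.private.enterprises.cisco"))
    ro_view = [("iso", "included")]                                   # the whole tree
    tight_view = [("internet", "included"), ("private", "excluded")]  # constructed narrower view
    print(in_view("cisco", ro_view), in_view("cisco", tight_view))
```

The tight_view list shows why a view that includes only the OIDs a manager needs is worth the effort: with it, a get against the Cisco private subtree is refused even though the rest of the internet subtree remains readable.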
SNMPv3 provides for both security models and security levels. A security model is an
authentication strategy set up for a user and the group within which the user resides.
A security level is the permitted level of security within a security model. A
combination of the security level and the security model determine which security
mechanism is used when handling an SNMP packet.
There are available security models for SNMPv1, SNMPv2c, and SNMPv3. The table
identifies the characteristics of the different combinations of security models and
levels.
SNMPv1
Level - noAuthNoPriv
Authentication - Community string
Encryption - No
Result - Uses a community string match for authentication.
SNMPv2c
Level - noAuthNoPriv
Authentication - Community string
Encryption - No
Result - Uses a community string match for authentication.
SNMPv3 noAuthNoPriv
Level - noAuthNoPriv
Authentication - Username
Encryption - No
Result - Uses a username match for authentication.
SNMPv3 authNoPriv
Level - authNoPriv
Authentication - MD5 or SHA
Encryption - No
Result - Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
SNMPv3 authPriv
Level - authPriv
Authentication - MD5 or SHA
Encryption - DES, 3DES, or AES
Result - Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms, and encrypts the message with DES, 3DES, or AES.
A network administrator must configure the SNMP agent to use the SNMP version
supported by the management station. Because an agent can communicate with
multiple SNMP managers, it is possible to configure the software to support
communications by using SNMPv1, SNMPv2c, or SNMPv3.
6.7.5 SNMP Vulnerabilities
In any network topology, at least one manager node should run SNMP management
software. Network devices that can be managed, such as switches, routers, servers,
and workstations, are equipped with the SNMP agent software module. These agents
are responsible for providing the SNMP manager access to a local MIB, which stores
data about device operation.
SNMP is vulnerable to attack precisely because SNMP agents can be polled with get
requests and accept configuration changes with set requests, as shown in the figure.
For example, a set request can cause a router to reboot, send a configuration file, or
receive a configuration file. An SNMP agent can also be configured to send out traps or
notifications. In SNMPv1 and SNMPv2c, these requests and notifications are not
authenticated or encrypted.
SNMP Operation
6.7.6 SNMPv3
SNMPv3 authenticates and encrypts packets over the network to provide secure
access to devices. This addressed the vulnerabilities of earlier versions of SNMP.
SNMPv3 provides three security features:
Message integrity and authentication - Ensures that a packet has not been
tampered with in transit, and is from a valid source.
Encryption - Scrambles the contents of a packet to prevent it from being seen by
an unauthorized source.
Access control - Restricts each principal to certain actions on specific portions of
data.
6.7.7 SNMPv3 Security Configuration
SNMPv3 can be secured with only a few commands, as shown in the following steps.
Note: A full discussion of the configuration options for SNMPv3 is beyond the scope of
this course.
Step 1. Configure an ACL that will permit access to authorized SNMP managers.
Router(config)# ip access-list acl-name
Router(config-std-nacl)# permit source_net
Step 2. Configure an SNMP view with the snmp-server view command to identify the
MIB OIDs that the SNMP manager will be able to read. Configuring a view is required
to limit SNMP messages to read-only access.
Router(config)# snmp-server view view-name oid-tree
Step 3. Configure SNMP group features with the snmp-server group command:
Configure a name for the group.
Set the SNMP version to 3 with the v3 keyword.
Require authentication and encryption with the priv keyword.
Associate a view to the group and give it read only access with the read command.
Specify the ACL configured in Step 1.
Router(config)# snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]
Step 4. Configure SNMP group user features with the snmp-server user command:
Configure a username and associate the user with the group name configured in
Step 3.
Set the SNMP version to 3 with the v3 keyword.
Set the authentication type to either md5 or sha and configure an authentication
password. SHA is preferred and should be supported by the SNMP management
software.
Require encryption with the priv keyword and configure an encryption password.
Router(config)# snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} priv-password
6.7.8 SNMPv3 Security Configuration Example
The figure shows an example configuration for securing SNMPv3.
Step 1. A standard ACL is named PERMIT-ADMIN and is configured to permit only the
192.168.1.0/24 network. All hosts attached to this network will be allowed to access
the SNMP agent running on R1.
Step 2. An SNMP view is named SNMP-RO and is configured to include the entire iso
tree from the MIB. On a production network, the network administrator would
probably configure this view to include only the MIB OIDs that were necessary for
monitoring and managing the network.
Step 3. An SNMP group is configured with the name ADMIN. SNMP is set to version 3
with authentication and encryption required. The group is allowed read-only access to
the view (SNMP-RO). Access for the group is limited by the PERMIT-ADMIN ACL.
Step 4. An SNMP user, BOB, is configured as a member of the group ADMIN. SNMP is
set to version 3. Authentication is set to use SHA, and an authentication password is
configured. Although R1 supports up to AES 256 encryption, the SNMP management
software only supports AES 128. So, the encryption is set to AES 128, and an
encryption password is configured.
Configure a standard access list named PERMIT-ADMIN on R1 to permit only the
192.168.1.0/24 network. Exit from ACL configuration to continue.
R1(config)#ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)#exit
Using the snmp-server view command, configure an SNMP view named SNMP-RO to
include the entire ISO tree from the MIB.
R1(config)#snmp-server view SNMP-RO iso included
Using the snmp-server group command, configure an SNMP group with the
name ADMIN. Set SNMP to version 3 with authentication and encryption required.
Allow read-only access to the view SNMP-RO, and limit access using the PERMIT-
ADMIN ACL.
R1(config)#snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
Using the snmp-server user command, add an snmp user named BOB as a member of
the ADMIN group. Set SNMP to version 3 and set authentication to use SHA with a
password of cisco12345. Set the encryption to AES 128 with a password of cisco54321.
After configuration is complete, use the end command to exit configuration mode.
R1(config)#snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco54321
R1(config)#end
R1#
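A practitioner also wants to confirm that every SNMP group and user on a device actually follows the four steps. The following Python, added here as an example and not part of the course, audits a constructed running-config excerpt: the PERMIT-ADMIN, SNMP-RO, ADMIN and BOB lines match the R1 example above (the snmp-server user line is included as typed, since show running-config hides it), while the LEGACY group, the OLDUSER user and the community string are constructed weak entries for the checker to flag. The checks and finding texts are the example's own.

```python
import re

# Constructed running-config excerpt. The ACL, view, ADMIN group and BOB user follow the R1
# example in the text; LEGACY, OLDUSER and the community string are constructed weak entries.
RUNNING_CONFIG = """\
ip access-list standard PERMIT-ADMIN
 permit 192.168.1.0 0.0.0.255
snmp-server view SNMP-RO iso included
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server group LEGACY v3 noauth
snmp-server community public RO
snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco54321
snmp-server user OLDUSER LEGACY v3 auth md5 cisco12345 priv des cisco54321
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?(.*)$")
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) (v1|v2c|v3)"
    r"(?: auth (md5|sha) \S+)?"
    r"(?: priv (des|3des|aes)(?: (128|192|256))? \S+)?")


def audit_snmp_config(config):
    """Return a list of findings; an empty list means the SNMP settings match the hardening steps."""
    acls, views, groups, findings = set(), set(), {}, []
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:  # first pass: collect the objects that groups and users may reference
        if m := re.match(r"^ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"^snmp-server view (\S+) ", line):
            views.add(m.group(1))
    for line in lines:
        if line.startswith("snmp-server community "):
            findings.append(f"community {line.split()[2]}: SNMPv1/v2c access is neither authenticated nor encrypted")
        elif m := GROUP_RE.match(line):
            name, version, level, rest = m.groups()
            groups[name] = version
            if version != "v3":
                findings.append(f"group {name}: {version} cannot authenticate or encrypt")
            elif level != "priv":
                findings.append(f"group {name}: level {level or 'noauth'} does not require authentication and encryption (use priv)")
            view = re.search(r"\bread (\S+)", rest)
            if not view:
                findings.append(f"group {name}: no read view bound, so access is not limited to chosen MIB OIDs")
            elif view.group(1) not in views:
                findings.append(f"group {name}: read view {view.group(1)} is not defined")
            if re.search(r"\bwrite \S+", rest):
                findings.append(f"group {name}: write view grants set access; the hardening steps use read-only")
            acl = re.search(r"\baccess (\S+)", rest)
            if not acl:
                findings.append(f"group {name}: no ACL restricts which managers may reach the agent")
            elif acl.group(1) not in acls:
                findings.append(f"group {name}: ACL {acl.group(1)} is referenced but not defined")
        elif m := USER_RE.match(line):
            user, group, version, auth, priv, _bits = m.groups()
            if group not in groups:
                findings.append(f"user {user}: group {group} is not defined")
            if version == "v3":
                if auth is None:
                    findings.append(f"user {user}: no authentication protocol configured")
                elif auth == "md5":
                    findings.append(f"user {user}: MD5 authentication; SHA is preferred")
                if priv is None:
                    findings.append(f"user {user}: no priv (encryption) password configured")
                elif priv != "aes":
                    findings.append(f"user {user}: {priv.upper()} encryption; AES is preferred")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(RUNNING_CONFIG):
        print(finding)
```

Run against the constructed excerpt, the ADMIN group and BOB produce no findings, while LEGACY is flagged three times (no priv, no read view, no ACL), the community string once, and OLDUSER twice (MD5, DES).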
You successfully configured SNMPv3 authentication using an ACL on R1.
6.7.10 SNMPv3 Verification
Verify most of the SNMPv3 security configuration by viewing the running
configuration, as shown in the figure. Notice that the snmp-server user configuration
is hidden. Use the show snmp user command to view the user information.
Verify that the SNMP manager can send get requests to R1 by using an SNMP
management tool, such as the ManageEngine’s free SNMP MIB Browser. Configure the
tool with the user details, as shown in the figure. When a user is configured, use the
SNMP management tool’s features to test that the configured user can access the
SNMP agent.
Configure SNMP Manager Access to SNMP Agent
In the figure below, the network administrator entered the OID for the IP addressing
table. The get request returned all the addressing information for R1. The network
administrator authenticated with the appropriate credentials.
Configure SNMP Manager Get Request Example
Verify that the data was encrypted by running a protocol analyzer, such as Wireshark,
and capture the SNMP packets.
Do an internet search to see Keith Barker’s demonstration of configuring and verifying
SNMPv3.
Wireshark Capture of Encrypted SNMPv3 Packets
Part 3: Configure a router as a synchronized time source for other devices using NTP.
Part 4: Configure syslog support on a router.
6.7.12 Packet Tracer - Configure Cisco Devices for Syslog, NTP, and SSH Operations
In this Packet Tracer activity, you will complete the following objectives:
Configure Syslog Service
Generate Logged Events
Manually Set Switch Clocks
Configure NTP Service
Verify Timestamped Logs
Layer Discovery Protocol (LLDP), can make the network vulnerable to attack. Both of
these protocols can allow attackers to learn detailed information about a router.
Guidelines are provided for how each service on the router should be configured for
maximum security. The Cisco AutoSecure feature executes a script that makes
recommendations for fixing security vulnerabilities and then modifies the security
configuration of the router. AutoSecure enables three forwarding plane services: Cisco
Express Forwarding (CEF), traffic filtering with ACLs, and Cisco IOS firewall inspection.
AutoSecure is often used in the field to provide a baseline security policy on a new
router. Features can then be altered to support the security policy of the organization.
When the auto secure command is entered, the device will display the AutoSecure
welcome message. AutoSecure will then gather information about the current device
configuration and enter a configuration dialog. It will then disable and enable services
and make other configuration changes to the device. When the wizard is complete, the
running configuration displays all configuration settings and changes. AutoSecure
should be used when a router is initially being configured. It is not recommended on
production routers.
Routing Protocol Authentication
Dynamic routing protocols are used by routers to automatically share information
about the reachability and status of remote networks. Dynamic routing protocols
perform several activities, including network discovery and maintaining routing tables.
Important advantages of dynamic routing protocols are the ability to select a best path
and the ability to automatically discover a best new path when there is a change in the
topology. Network discovery is the ability of a routing protocol to dynamically share
information about the networks that it knows about with other routers that are using
the same routing protocol. Routing systems can be attacked by disrupting peer
network routers, or by falsifying or spoofing the information carried within the routing
protocols. This may be used to cause systems to misinform (lie to) each other, cause a
DoS attack, or cause traffic to follow a path it would not normally follow. Routing
protocol updates can be configured to use MD5 or SHA authentication. This helps
ensure that routing protocol updates are coming from trusted sources. MD5
authentication is available for the OSPF routing protocol, however SHA is preferred for
greater security.
Secure Management and Reporting
Most network devices can gather and transmit log information that can be very
valuable for diagnosing network problems and detecting security incidents. In a small
network, managing and monitoring a small number of network devices is a
straightforward operation. However, in a large enterprise with hundreds of devices,
monitoring, managing, and processing log messages can be challenging. Information
flow between log file collecting hosts and managed network devices can take two
paths. In-band information paths use the production network, the internet or both.
Management traffic is sent on the same network as user traffic. Out-of-band (OOB)
management paths use dedicated management networks which do not transmit user
traffic. As a general rule, for security purposes, OOB management is appropriate for
large enterprise networks. However, it is not always desirable. It depends on the
management applications and protocols being monitored. In-band management is
recommended in smaller networks as a means of achieving a more cost-effective
security deployment. OOB management security guidelines are to provide the highest
level of security and mitigate the risk of passing insecure management protocols over
the production network. For in-band management, guidelines are to apply only to
devices that need to be managed or monitored, use IPSec, SSH, or SSL when possible,
and decide whether the management channel needs to be available at all times. If
using remote management tools with in-band management, be wary of the underlying
security vulnerabilities of the management tool itself.
Network Security Using Syslog
The most common method of accessing system messages is to use a protocol called
syslog. Many networking devices support the syslog standard. The syslog protocol
allows networking devices to send their system messages across the network to syslog
servers. The syslog logging service provides the ability to gather logging information,
select the type of information that is logged, and specify the destination devices that
will receive and store syslog messages. On Cisco network devices, the syslog protocol
can send system messages and debug command output to a local logging process that
is internal to the device or can send messages to an internal buffer. Messages sent to
the internal buffer can only be viewed through the CLI of the device. A device can be
configured to send syslog messages to a logging buffer, the console line, a terminal
line, or an external syslog server. Syslog messages contain a severity level that can
range from Level 0 to Level 7. The lower the level number, the higher the severity. For
example, messages at Level 0 to Level 4 are about software or hardware malfunctions.
Level 5 messages indicate normal operation but are significant. Level 6 regards normal
operating events, and Level 7 is for debugging messages. In addition, syslog messages
include a syslog facility code. Some facilities indicate the system, component, or
protocol that reported the message. The service timestamps log datetime command
configures the device to use system timestamps for all messages. The timestamps can
come from the local device clock, or can be synchronized between devices that are
using the Network Time Protocol (NTP) for system time. Syslog implementations
consist of syslog servers, known as log hosts, that receive and store syslog messages
from across the network, and syslog clients that generate and forward syslog messages
to the syslog servers. A Cisco device is configured to use syslog by specifying the
logging host with the logging command, optionally setting the severity level of the
messages to be logged with the logging trap command, optionally setting the interface
that should be a message source with the logging source-interface command, and
activating the logging process with the logging on command.
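To show how severity levels and facilities drive filtering, the following Python (an added example, not part of the course) parses constructed log lines in the Cisco %FACILITY-SEVERITY-MNEMONIC format, applies a threshold in the manner of the logging trap command, counts messages per facility, and assembles the four logging commands named above. The sample lines are constructed; the severity keywords follow the IOS names for levels 0 to 7.

```python
import re

# IOS keyword for each severity level (0 is the most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed log lines in the Cisco IOS message format; not captured from a real device.
SAMPLE_LOG = [
    "*Nov 15 13:31:55.196: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)",
    "*Nov 15 13:32:01.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down",
    "*Nov 15 13:32:02.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down",
    "*Nov 15 13:32:10.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.50] [localport: 22] [Reason: Login Authentication Failed]",
    "*Nov 15 13:32:15.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.100 port 514 started",
    "this line is not a syslog message",
]

# timestamp (from service timestamps log datetime), then %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^\*?(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


def parse_syslog(line):
    """Return the message fields, or None when the line is not an IOS syslog message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY_NAMES[msg["severity"]]
    return msg


def filter_for_trap(lines, trap_level):
    """Mimic 'logging trap <level>': keep messages at that level or more severe (lower number)."""
    return [m for m in map(parse_syslog, lines) if m is not None and m["severity"] <= trap_level]


def count_by_facility(lines):
    counts = {}
    for m in filter(None, map(parse_syslog, lines)):
        counts[m["facility"]] = counts.get(m["facility"], 0) + 1
    return counts


def logging_commands(host, trap_level, source_interface=None):
    """Build the IOS commands named in the text for sending messages to a syslog server."""
    cmds = [f"logging host {host}", f"logging trap {SEVERITY_NAMES[trap_level]}"]
    if source_interface:
        cmds.append(f"logging source-interface {source_interface}")
    cmds.append("logging on")
    return cmds


if __name__ == "__main__":
    for m in filter_for_trap(SAMPLE_LOG, 4):
        print(m["severity_name"], m["facility"], m["mnemonic"], m["text"])
    print(count_by_facility(SAMPLE_LOG))
    print("\n".join(logging_commands("192.168.1.100", 4, "GigabitEthernet0/0/0")))
```

With a trap level of 4 (warnings), only the link-down error and the failed login reach the server; the two level-5 and one level-6 messages stay in the local buffer, which is the trade-off an administrator makes when choosing the logging trap level.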
NTP Configuration
The software clock on a router or switch starts when the system boots. It is the
primary source of time for the system. It is important to synchronize the time across all
devices on the network because all aspects of managing, securing, troubleshooting,
and planning networks require accurate timestamping. When the time is not
synchronized between devices, it will be impossible to determine the order of the
events and the cause of an event. Although the system time can be manually set, it is
much more desirable to configure devices to use the Network Time protocol (NTP) to
synchronize time between all network devices. NTP enables network devices (i.e., NTP
clients) to synchronize their time settings with an NTP authoritative time source such
as an NTP server. The NTP time source can be a device (e.g., a router) on the network
that is selected as the private primary clock or it can be a publicly available NTP server
on the internet. NTP uses a hierarchical system of time sources that are arranged in
strata. Stratum 0 is the most authoritative time source and it may use atomic or GPS
clocks. Stratum 1 devices obtain their time information from Stratum 0 sources.
Stratum 1 devices are connected to the Stratum 0 time sources and are also accessible
to enterprise networks. Stratum 2 and lower devices function as network servers that
provide time information to network devices. They are connected to Stratum 1 devices
or other network devices that are acting as NTP servers. There are up to 16 NTP strata.
The lower the stratum number, the closer the source is to the Stratum 0 authoritative
source. NTP is configured on a device with the ntp server command.
SNMP Configuration
Simple Network Management Protocol (SNMP) was developed to allow administrators
to manage nodes such as servers, workstations, routers, switches, and security
appliances, on an IP network. SNMP defines how management information is
exchanged between network management applications and management agents. It is
an application layer protocol that provides a message format for communication
between managers and agents. The SNMP system requires three elements and
consists of an SNMP manager, SNMP agent, and the management information base
(MIB). The SNMP manager is part of a network management system (NMS) that runs
SNMP management software. SNMP agents reside on network devices and enable
network data collection and sharing. The MIB stores standardized variables that
contain network data. The network manager can send a get request to retrieve
information from an agent's local MIB, or it can send a set request to change the value
of a variable in the MIB. The MIB organizes variables hierarchically. MIB variables
enable the management software to monitor and control the network device. RFCs
define some common public variables that most devices support. In addition,
networking equipment vendors, like Cisco, can define their own private branches of
the tree to accommodate new variables specific to their devices. There are three
versions of SNMP. SNMPv1 is obsolete and is mentioned only for completeness; SNMPv2c and SNMPv3
are relevant to this course. SNMPv2c should be used at a minimum with SNMPv3
strongly recommended. SNMPv1 and SNMPv2c offer minimal security features.
Specifically, SNMPv1 and SNMPv2c can neither authenticate the source of a
management message nor provide encryption. SNMPv3 adds methods to ensure the
secure transmission of critical data between managed devices. SNMPv3 provides for
both security models and security levels. A security model is an authentication strategy
set up for a user and the group within which the user resides. A security level is the
permitted level of security within a security model. A combination of the security level
and the security model determine which security mechanism is used when handling an
SNMP packet. SNMPv3 authenticates and encrypts packets over the network to
provide secure access to devices. This addressed the vulnerabilities of earlier versions
of SNMP.
6.8.2 Module 6 - Device Monitoring and Management Quiz
Question 1
What service or protocol does the Secure Copy Protocol rely on to ensure that secure
copy transfers are from authorized users?
AAA
IPsec
SNMP
RADIUS
Question 2
When password recovery on a router is being performed and the settings in NVRAM
have been bypassed, which step should be taken next?
Reset the router.
Reload the router.
Copy the contents of NVRAM to the RAM.
Copy the contents of RAM to the NVRAM.
Question 3
Which protocol or service is used to automatically synchronize the software clocks on
Cisco routers?
NTP
DHCP
DNS
SNMP
Question 4
A network engineer wants to synchronize the time of a router with an NTP server at
the IPv4 address 209.165.200.225. The exit interface of the router is configured with
an IPv4 address of 192.168.212.11. Which global configuration command should be
used to configure the NTP server as the time source for this router?
ntp server 209.165.200.225
ntp peer 209.165.200.225
ntp server 192.168.212.11
ntp peer 192.168.212.11
Question 5
What are three functions provided by the syslog service? (Choose three.)
To gather logging information for monitoring and troubleshooting
To select the type of logging information that is captured
To specify the destinations of captured messages
To periodically poll agents for data
To provide statistics on packets that are flowing through a Cisco device
To provide traffic analysis
Question 6
Which service should be disabled on a router to prevent a malicious host from falsely
responding to ARP requests with the intent to redirect the Ethernet frames?
CDP
LLDP
Proxy ARP
Reverse ARP
Question 7
What is the purpose of issuing the ip ospf message-digest-
key key md5 password command and the area area-id authentication message-
digest command on a router?
To encrypt OSPF routing updates
To enable OSPF MD5 authentication on a per-interface basis
To configure OSPF MD5 authentication globally on the router
To facilitate the establishment of neighbor adjacencies
Question 8
Which service is enabled on a Cisco router by default that can reveal significant
information about the router and potentially make it more vulnerable to attack?
HTTP
CDP
FTP
LLDP
Question 9
Which statement describes SNMP operation?
An NMS periodically polls the SNMP agents that are residing on managed devices by
using traps to query the devices for data.
A get request is used by the SNMP agent to query the device for data.
An SNMP agent that resides on a managed device collects information about the
device and stores that information remotely in the MIB that is located on the NMS.
A set request is used by the NMS to change configuration variables in the agent
device.
Question 10
When SNMPv1 or SNMPv2 is being used, which feature provides secure access to
MIB objects?
Packet encryption
Message integrity
Community strings
Source validation
Question 11
What are two reasons to enable OSPF routing protocol authentication on a network?
(Choose two.)
To ensure more efficient routing
To ensure faster network convergence
To provide data security through encryption
To prevent data traffic from being redirected and then discarded
To prevent redirection of data traffic to an insecure link
Question 12
What are SNMP trap messages?
Messages that are used by the NMS to query the device for data
Unsolicited messages that are sent by the SNMP agent and alert the NMS to a
condition on the network
Messages that are used by the NMS to change configuration variables in the agent
device
Messages that are sent periodically by the NMS to the SNMP agents that reside on
managed devices to query the device for data
Question 13
Which technology allows syslog messages to be filtered to different devices based on
event importance?
Syslog service timestamps
Syslog severity levels
Syslog facilities
Syslog service identifiers
Question 14
What is a characteristic of the Cisco IOS Resilient Configuration feature?
It maintains a secure working copy of the bootstrap startup program.
The secure boot-image command works properly when the system is configured to
run an image from a TFTP server.
Once issued, the secure boot-config command automatically upgrades the
configuration archive to a newer version after new configuration commands have been
entered.
A snapshot of the router running configuration can be taken and securely archived in
persistent storage.
Module 7: Authentication, Authorization, and Accounting (AAA)
7.0 Introduction
7.0.1 Why Should I Take this Module?
AAA is a technology that allows authentication and authorization of users based on
user ID and password. AAA can be configured locally on networking devices or AAA
servers can be used. Accounting can log details of user sessions for the purposes of
billing or for visibility into user behavior. It is important that network security
personnel have a strong understanding of AAA and how to configure it.
7.0.2 What Will I Learn in this Module?
Module Title: Authentication, Authorization and Accounting (AAA)
Module Objective: Configure AAA to secure a network.
Topic Title - Topic Objective
AAA Characteristics - Describe AAA.
Configure Local AAA Authentication - Configure AAA authentication to validate users against a local database.
Server-Based AAA Characteristics and Protocols - Describe the server-based AAA protocols.
Configure Server-Based Authentication - Configure server-based AAA authentication on Cisco routers.
Configure Server-Based Authorization - Use correct commands to configure server-based AAA authorization and accounting.
7.1 AAA Characteristics
7.1.1 Authentication without AAA
Network hackers can potentially gain access to sensitive network equipment and
services. Access control limits who or what can use specific resources. It also limits the
services or options that are available after access is granted. Many types of
authentication can be performed on a Cisco device, and each method offers varying
levels of security.
The simplest method of remote access authentication is to configure a login and
password combination on console, vty lines, and aux ports, as shown in the figure.
R1(config-line)# login
This method is the easiest to implement, but it is also the weakest and least secure.
This method provides no accountability. Anyone with the password can gain entry to
the device and alter the configuration.
SSH is a more secure form of remote access. It requires both a username and a
password, both of which are encrypted during transmissions. The local database
method provides additional security because an attacker is required to know a
username and a password. It also provides more accountability because the username
is recorded when a user logs in. Although Telnet can be configured using a username
and password, both are sent in plaintext, which makes it vulnerable to being captured
and exploited. The local database method has some limitations. The user accounts
must be configured locally on each device, as shown for the configuration of SSH in the
figure.
example, what if the administrator forgets the username and password for that
device? With no backup method available for authentication, password recovery
becomes the only option.
A better solution is to have all devices refer to the same database of usernames and
passwords from a central server. This module explores the various methods of securing
network access using AAA to secure Cisco routers.
7.1.2 AAA Components
AAA network security services provide the primary framework to set up access control
on a network device. AAA is a way to control who is permitted to access a network
(authenticate) and what they can do while they are there (authorize). AAA also allows
auditing of the actions that users perform while accessing the network (accounting).
Network and administrative AAA security in the Cisco environment has three
functional components:
Authentication - Users and administrators must prove their identity before
accessing the network and network resources. Authentication can be established
using username and password combinations, challenge and response questions,
token cards, and other methods. For example: “I am user ‘student’ and I know the
password to prove it.”
Authorization - After the user is authenticated, authorization services determine
which resources the user can access and which operations the user is allowed to
perform. An example is “User ‘student’ can access host serverXYZ using SSH only.”
Accounting and auditing - Accounting records what the user does, including what
is accessed, the amount of time the resource is accessed, and any changes that
were made. Accounting keeps track of how network resources are used. An
example is "User 'student' accessed host serverXYZ using SSH for 15 minutes."
This concept is similar to using a credit card, as indicated by the figure. The credit card
identifies who can use it, how much that user can spend, and keeps account of what
items or services the user purchased.
7.1.3 Authentication Modes
AAA Authentication can be used to authenticate users for administrative access or it
can be used to authenticate users for remote network access. Cisco provides two
common methods of implementing AAA services:
Local AAA Authentication - Local AAA uses a local database for authentication. This
method is sometimes known as self-contained authentication. In this course, it will
be referred to as local AAA authentication. This method stores usernames and
passwords locally in the Cisco router, and users authenticate against the local
database, as shown in the figure. This database is the same one that is required for
establishing role-based CLI. Local AAA is ideal for small networks.
the usernames and passwords for all users. The router uses either the Remote
Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access
Control System (TACACS+) protocols to communicate with the AAA server. When
there are multiple routers and switches, server-based AAA is more appropriate
because accounts can be administered from a central location rather than on
individual devices.
Note: In this course, the focus is on implementing network security with IPv4 on Cisco
routers, switches, and Adaptive Security Appliances. On occasion, references are made
to IPv6-specific technologies and protocols.
7.1.4 Authorization
Server-Based AAA Authorization
1. When a user has been authenticated, a session is established between the router
and the server.
2. The router requests authorization from the AAA server for the client's requested
service.
3. The AAA server returns a PASS/FAIL for authorization.
Authorization controls what users can and cannot do on the network after they are
authenticated. This is similar to how privilege levels and role-based CLI give users
specific rights and privileges to certain commands on the router.
Authorization is typically implemented using a AAA server. Authorization uses a set of
attributes that describes the user’s access to the network. These attributes are
compared to the information contained within the AAA database, and a determination
of restrictions for that user is made and delivered to the local router where the user is
connected.
Authorization is automatic and does not require users to perform additional steps after
authentication. Authorization is implemented immediately after the user is
authenticated.
7.1.5 Accounting
AAA Accounting collects and reports usage data. This data can be used for such
purposes as auditing or billing. The collected data might include the start and stop
connection times, the commands executed, the number of packets, and the number of
bytes.
Accounting is implemented using a AAA server. The router reports usage records to the
AAA server (such as a Cisco Secure ACS or ISE server), where they can be extracted to
create detailed reports about how the network and its devices are being used.
One widely deployed use of accounting is to combine it with AAA authentication. This
helps with managing access to internetworking devices by network administrative
staff. Accounting adds accountability that authentication alone does not provide. The
AAA servers keep a detailed log of exactly what the authenticated user does on the
device, as shown in the figure. This includes all EXEC and configuration commands
issued by the user. The log contains numerous data fields, including the username, the
date and time, and the actual command that was entered by the user. This information
is useful when troubleshooting devices. It also provides leverage against individuals
who perform malicious actions.
AAA Accounting
1. When a user has been authenticated, the AAA accounting process generates a start
message to begin the accounting process.
2. When the user finishes, a stop message is recorded and the accounting process
ends.
The types of information collected by AAA accounting are described below.
Network Accounting
Network accounting collects usage records for network access over various remote
access connections.
Connection Accounting
Connection accounting captures information about all outbound connections made
from the AAA client, such as Telnet or SSH.
EXEC Accounting
EXEC accounting captures information about user EXEC terminal sessions (user shells)
on the network access server, including username, date, start and stop times, and the
access server IP address.
System Accounting
System accounting captures information about all system-level events (for example,
when the system reboots or when accounting is turned on or off).
Command Accounting
Command accounting captures information about the EXEC shell commands for a
specified privilege level that are being executed on a network access server. Each
command accounting record includes a list of the commands executed for that
privilege level, as well as the date and time each command was executed, and the user
who executed it.
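Command accounting is only useful if someone reads the records. The following Python
script is an added example written for this page, not part of the course: it parses
command-accounting records of the kind described above (user, date and time, privilege
level, command) and flags commands that disable AAA or logging or change credentials.
The record layout is constructed for the exercise, using a syslog-style prefix and
key=value pairs named after the TACACS+ shell attributes cmd and priv-lvl; exports from
Cisco Secure ACS or ISE use their own formats, so the regular expression RECORD_RE is
the part to adapt.

```python
"""Review AAA command-accounting records for risky administrative commands.

Added example, not from the course. The line layout is constructed for the
exercise (syslog-style prefix, then key=value pairs named after the TACACS+
shell attributes cmd and priv-lvl); adapt RECORD_RE for a real ACS/ISE export.
"""
import re
from collections import defaultdict

# Constructed sample records, not output from a real device or server.
SAMPLE_RECORDS = """\
Feb 16 04:20:01 R1 user=ADMIN addr=192.168.1.10 service=shell priv-lvl=15 cmd=show version <cr>
Feb 16 04:20:09 R1 user=ADMIN addr=192.168.1.10 service=shell priv-lvl=15 cmd=configure terminal <cr>
Feb 16 04:20:15 R1 user=ADMIN addr=192.168.1.10 service=shell priv-lvl=15 cmd=no aaa accounting exec default <cr>
Feb 16 04:20:22 R1 user=ADMIN addr=192.168.1.10 service=shell priv-lvl=15 cmd=username backdoor privilege 15 secret x <cr>
Feb 16 04:25:44 R1 user=JR-ADMIN addr=192.168.1.11 service=shell priv-lvl=1 cmd=show ip interface brief <cr>
Feb 16 04:25:50 R1 user=JR-ADMIN addr=192.168.1.11 service=shell priv-lvl=1 cmd=show running-config <cr>
"""

# Timestamp, host, key=value attributes, then the command up to the <cr> marker.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<attrs>(?:[\w-]+=\S+ )+)cmd=(?P<cmd>.*?) <cr>$"
)

# Commands that weaken AAA, logging or the local account set. Any hit is
# worth a second look even when the user was authorized to run it.
RISKY_COMMANDS = (
    re.compile(r"^no (aaa|logging)\b"),                     # disabling AAA or logging
    re.compile(r"^aaa authentication .*\bnone$"),           # 'none' method in production
    re.compile(r"^(username|enable (secret|password))\b"),  # credential changes
)


def parse_record(line):
    """Turn one accounting line into a dict; raise on anything unexpected."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable accounting record: {line!r}")
    attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "user": attrs["user"],
        "addr": attrs.get("addr"),
        "priv_lvl": int(attrs.get("priv-lvl", 0)),
        "cmd": m.group("cmd").strip(),
    }


def is_risky(cmd):
    return any(p.search(cmd) for p in RISKY_COMMANDS)


def summarize(records):
    """Per-user command count, highest privilege level seen, and flagged commands."""
    summary = defaultdict(lambda: {"commands": 0, "max_priv": 0, "flagged": []})
    for rec in records:
        entry = summary[rec["user"]]
        entry["commands"] += 1
        entry["max_priv"] = max(entry["max_priv"], rec["priv_lvl"])
        if is_risky(rec["cmd"]):
            entry["flagged"].append((rec["timestamp"], rec["cmd"]))
    return dict(summary)


def review(text=SAMPLE_RECORDS):
    return summarize(parse_record(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for user, entry in review().items():
        print(user, entry["commands"], "commands, highest priv-lvl", entry["max_priv"])
        for ts, cmd in entry["flagged"]:
            print("  FLAG", ts, cmd)
```

On the constructed records the script reports two flagged commands for ADMIN (the
accounting being switched off and a new privilege 15 account) and none for JR-ADMIN.
The point of keeping the timestamp with each flagged command is the one the text
makes: the record answers who, when and what, which is the evidence needed when an
action has to be attributed to a person.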
7.1.6 Check Your Understanding - Identify the Characteristics of AAA
Check your understanding of AAA characteristics by identifying whether the statement
describes Authentication, Authorization, or Accounting.
Question 1
Records what the user does, including what is accessed, the amount of time the
resource is accessed, and any changes that were made.
Authentication
Authorization
Accounting
Question 2
Uses a created set of attributes that describes the user’s access to the network.
Authentication
Authorization
Accounting
Question 3
Established using username and password combinations, challenge and response
questions, token cards, and other methods.
Authentication
Authorization
Accounting
Question 4
Collects and reports usage data so that it can be employed for purposes such as
auditing or billing.
Authentication
Authorization
Accounting
Question 5
Users and administrators must prove that they are who they say they are.
Authentication
Authorization
Accounting
Question 6
What a user can and cannot do on the network.
Authentication
Authorization
Accounting
Question 7
Specifies which resources the user can access and which operations the user is
allowed to perform.
Authentication
Authorization
Accounting
Question 8
Provides leverage against individuals who perform malicious actions.
Authentication
Authorization
Accounting
Question 9
A way to control who is permitted to access a network.
Authentication
Authorization
Accounting
7.2 Configure Local AAA Authentication
7.2.1 Authenticate Administrative Access
Local AAA Authentication should be configured for smaller networks. Smaller networks
are those networks that have one or two networking devices that provide access to a
limited number of users. This method uses the local usernames and passwords that
have been configured and stored on a device. The system administrator must populate
the local security database by specifying username and password profiles for each user
that might log in.
The Local AAA Authentication method is similar to using the login local command with
one exception. AAA also provides a way to configure backup methods of
authentication.
Configuring local AAA services to authenticate administrator access requires a few
basic steps:
Step 1. Add usernames and passwords to the local router database for users that need
administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
The aaa authentication login command in the figure allows the ADMIN and JR-ADMIN
users to log into the router via the console or vty terminal lines. The default keyword
means that the authentication method applies to all lines, except those for which a
specific line configuration overrides the default. The authentication is case-sensitive,
indicated by the local-case keyword. This means that both the password and the
username are case sensitive.
R1(config)# username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
R1(config)#
7.2.2 Authentication Methods
To enable AAA, the aaa new-model global configuration command must first be
configured. To disable AAA, use the no form of this command.
No other AAA commands are available until this command is entered.
Note: It is important to know that when the aaa new-model command is first entered,
an unseen "default" authentication using the local database is automatically applied
to all lines except the console. For this reason, always configure a local database
entry before enabling AAA; otherwise remote logins fail until a local user exists.
Use the aaa authentication login command, shown below, to enable authentication of
the console, aux, and vty lines. The default keyword applies authentication to all lines.
Alternatively, a custom authentication method can be configured using a list-name.
Router(config)# aaa authentication login {default | list-name} method1…[ method4 ]
Command Description
default - Uses the listed authentication methods that follow this keyword as the
default list of methods when a user logs in.
list-name - Instead of using the default list, the administrator can give the list a
name of up to 31 characters and apply it to specific lines with the login
authentication line configuration command.
method1...[method4] - Identifies the list of methods that the AAA authentication
process will query in the given sequence. At least one method must be specified. A
maximum of four methods may be specified.
The final portion of the command identifies the type of methods that will be queried to
authenticate the users. Up to four methods can be defined, providing fallback methods
should one method not be available. When a user attempts to log in, the first method
listed is used. Cisco IOS software moves on to the next listed method only when the
previous method returns an error or does not respond (for example, an unreachable
server). If a method denies the user access, the authentication process stops and no
other methods are tried. If every listed method returns an error, the login fails.
To enable local authentication using a preconfigured local database, use the
keyword local or local-case. The difference between the two options is
that local accepts a username regardless of case, whereas local-case is case-sensitive.
For example, if a local database entry with the username ADMIN was configured,
the local method would accept ADMIN, Admin, or even admin. If the local-
case method was configured, then only ADMIN would be acceptable.
To specify that a user can authenticate using the enable password, use
the enable keyword. To ensure that the authentication succeeds even if all methods
return an error, specify none as the final method.
Note: For security purposes, use the none keyword only when testing the AAA
configuration. It should never be applied on a live network.
The table displays common methods that can be specified.
Method Type Keywords - Description
enable - Uses the enable password for authentication.
local - Uses the local username database for authentication.
local-case - Uses case-sensitive local username authentication.
none - Uses no authentication.
group radius - Uses the list of all RADIUS servers for authentication.
group tacacs+ - Uses the list of all TACACS+ servers for authentication.
group group-name - Uses a subset of RADIUS or TACACS+ servers for authentication as
defined by the aaa group server radius or aaa group server tacacs+ command.
7.2.3 Default and Named Methods
For flexibility, different method lists can be applied to different interfaces and lines
using the aaa authentication login list-name command.
For example, an administrator could apply a special login for SSH and then have the
default login method for the line console, as shown in the example.
R1(config)# username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login SSH-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
In this example, the vty line would only use the local database for authentication. All
other lines (i.e., console and aux lines) would use the local database and use the
enable password as a fallback if there were no database entries on the device.
Notice that the named list has to be explicitly applied to the line using the login
authentication line configuration command. If a line has a custom authentication
method list applied to it, that method list overrides the default method list for that
line.
When a custom authentication method list is applied to a line, it is possible to return
to the default method list by using the no login authentication line configuration
command.
7.2.4 Fine-Tuning the Authentication Configuration
Additional security can be implemented using the aaa local authentication attempts
max-fail global configuration mode command, as shown in the example. This command
secures AAA user accounts by locking out accounts that have excessive failed attempts.
Router(config)# aaa local authentication attempts max-fail number-of-unsuccessful-attempts
Command Description
number-of-unsuccessful-attempts - Number of unsuccessful authentication attempts
before a connection is dropped and the user account is locked.
Unlike the login delay command which introduces a delay between failed login
attempts without locking the account, the aaa local authentication attempts max-
fail command locks the user account if the authentication fails. The locked out user
account remains locked until it is manually cleared by an administrator using the clear
aaa local user lockout privileged EXEC mode command.
To display a list of all locked-out users, use the show aaa local user lockout command
in privileged EXEC mode, as shown in the example.
R1# show aaa local user lockout
Local-user Lock time
JR-ADMIN 04:28:49 UTC Tue Feb 16 2021
When a user logs into a Cisco router that uses AAA, a unique ID is assigned to that
user's session. Throughout the life of the session, various attributes that are related to
the session are collected and stored internally within the AAA database. These
attributes can include the IP address of the user, the protocol that is used to access the
router (e.g., PPP), the speed of the connection, and the number of packets or bytes
that are received or transmitted.
To display the attributes that are collected for one AAA session, use the show aaa
user command in privileged EXEC mode. This command does not provide information
for all users who are logged into a device, but only for those who have been
authenticated or authorized using AAA, or whose sessions are being accounted for by
the AAA module.
The show aaa sessions command can be used to show the unique ID of a session, as
shown in the example.
R1# show aaa sessions
Total sessions since last reload: 4
Session Id: 1
Unique Id: 175
User Name: ADMIN
IP Address: 192.168.1.10
Idle Time: 0
CT Call Handle: 0
7.2.5 Lab - Configure Local AAA Authentication
In this lab, you will complete the following objectives:
Part 1: Configure Basic Device Settings.
Part 2: Configure Local Authentication.
Part 3: Configure Local Authentication using AAA.
7.2.6 Packet Tracer - Configure Local AAA for Console and VTY Access
In this PT activity, you will configure AAA local authentication on the console line and
VTY lines with SSH.
user account information and passwords, allowing for central administration of user
accounts. For increased redundancy, multiple servers can be implemented. The figure
shows the process of authenticating router administrator users.
Server-Based Authentication
Posture assessment - Determines if the device complies with device security
policies before it connects to the network. It can determine if a device is clean of
viruses and suspicious applications and can even make sure that a device’s
antivirus software is up to date.
Segmentation - Cisco ISE uses contextual data about network devices and
endpoints to facilitate network segmentation. Security group tags, access control
lists, network access protocols, and policy sets that define authorization, access,
and authentication, are some ways in which Cisco ISE enables secure network
segmentation.
Guest management and secure wireless - Enables providing secure network access
to visitors, contractors, consultants, and customers.
Threat Containment - If Cisco ISE detects threat or vulnerability attributes from an
endpoint, adaptive network control policies are sent to dynamically change the
access levels of the endpoint. After the threat or vulnerability is evaluated and
addressed, the endpoint can be given back its original access policy.
ISE provides context-aware identity management:
To determine whether users are accessing the network on an authorized, policy-
compliant device
To establish user identity, location, and access history, which can be used for
compliance and reporting
To assign services based on the assigned user role, group, and associated policy
(job role, location, device type, etc.)
To grant authenticated users access to specific segments of the network, or specific
applications and services, or both, based on authentication results
The figure shows a view of the Cisco ISE management console.
TACACS+ versus RADIUS
Functionality
TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the
security server implementation.
RADIUS: Combines authentication and authorization but separates accounting, allowing
less flexibility in implementation than TACACS+.
Standard
TACACS+: Mostly Cisco supported (the protocol is documented in RFC 8907, an
Informational RFC).
RADIUS: Open/RFC standard.
Transport Protocol
TACACS+: TCP
RADIUS: UDP
CHAP
TACACS+: Bidirectional challenge and response as used in Challenge Handshake
Authentication Protocol (CHAP).
RADIUS: Unidirectional challenge and response from the RADIUS security server to the
RADIUS client.
Confidentiality
TACACS+: Entire packet body encrypted (the header is cleartext).
RADIUS: Only the password is encrypted.
Customization
TACACS+: Provides authorization of router commands on a per-user or per-group basis.
RADIUS: Has no option to authorize router commands on a per-user or per-group basis.
Accounting
TACACS+: Limited
RADIUS: Extensive
Whether TACACS+ or RADIUS is selected depends on the needs of the organization. For
example, a large ISP might select RADIUS because it supports the detailed accounting
required for billing users. An organization with various user groups might select
TACACS+ because it requires authorization policies to be applied on a per-user or per-
group basis.
It is important to understand the many differences between the TACACS+ and RADIUS
protocols.
These are three critical factors for TACACS+:
Separates authentication and authorization
Encrypts the entire packet body
Utilizes TCP port 49
These are four critical factors for RADIUS:
Combines RADIUS authentication and authorization as one process
Encrypts only the password
Utilizes UDP
Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
While both protocols can be used to communicate between a router and AAA servers,
TACACS+ is considered the more secure protocol. This is because all TACACS+ protocol
exchanges are encrypted, while RADIUS only encrypts the user's password. RADIUS
does not encrypt user names, accounting information, or any other information carried
in the RADIUS message. Both protocols derive their protection from an MD5-based
keystream keyed by the shared secret, so neither is a substitute for keeping AAA
traffic on a protected management network.
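The difference in the Confidentiality row above is easiest to see in code. The following
Python script is an added example written for this page, not course material or Cisco
code: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the
TACACS+ body obfuscation of RFC 8907 section 4.5, builds one small packet of each, and
reports which fields are still readable. The usernames, passwords, shared secrets,
Request Authenticator and session ID are constructed values, and the TACACS+ body is a
plain byte string standing in for a real authentication START body.

```python
"""RADIUS password hiding versus TACACS+ body obfuscation (added example).

Not course material. Implements RFC 2865 5.2 (RADIUS User-Password) and
RFC 8907 4.5 (TACACS+ body obfuscation) with constructed inputs.
"""
import hashlib
import struct


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block); the first 'previous block' is the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the ciphertext block
    return out


def radius_recover_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_attribute(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(username, password, secret, authenticator, identifier=1):
    """Minimal Access-Request (Code 1) with User-Name (1) and User-Password (2).
    Only the User-Password value is hidden; everything else is cleartext."""
    attrs = radius_attribute(1, username)
    attrs += radius_attribute(2, radius_hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version, seq_no):
    """XOR the whole body with the pad; the same call reverses it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_tacacs_packet(body, session_id, key, seq_no=1):
    """12-byte cleartext header (version 0xc0, type 1 = authentication,
    seq_no, flags 0, session_id, body length) followed by the obfuscated body."""
    version, pkt_type, flags = 0xC0, 1, 0
    header = struct.pack("!BBBB4sI", version, pkt_type, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


# Constructed values for the demonstration, not real credentials or captures.
USERNAME = b"ADMIN"
PASSWORD = b"Str0ng5rPa55w0rd"
RADIUS_SECRET = b"RADIUS-Pa55w0rd"
TACACS_KEY = b"TACACS-Pa55w0rd"
AUTHENTICATOR = bytes(range(16))  # a real client sends 16 random bytes
SESSION_ID = b"\x12\x34\x56\x78"   # a real client picks a random 32-bit value


def compare_on_the_wire():
    """Which of the two credentials survive in cleartext in each protocol's packet."""
    radius_pkt = build_access_request(USERNAME, PASSWORD, RADIUS_SECRET, AUTHENTICATOR)
    # Stand-in for an authentication START body: the whole body is hidden.
    tacacs_body = b"user=" + USERNAME + b" pass=" + PASSWORD
    tacacs_pkt = build_tacacs_packet(tacacs_body, SESSION_ID, TACACS_KEY)
    return {
        "radius_username_visible": USERNAME in radius_pkt,
        "radius_password_visible": PASSWORD in radius_pkt,
        "tacacs_username_visible": USERNAME in tacacs_pkt,
        "tacacs_password_visible": PASSWORD in tacacs_pkt,
    }


if __name__ == "__main__":
    for field, visible in compare_on_the_wire().items():
        print(f"{field}: {visible}")
```

Running it shows the RADIUS User-Name attribute readable in the Access-Request while
only the twelve header bytes (version, type, sequence number, flags, session ID, length)
are readable in the TACACS+ packet. Both keystreams are MD5 over the shared secret and
per-packet values, which is why a weak or reused key undermines either protocol and why
AAA traffic belongs on a protected management network (or inside RADIUS over TLS,
RFC 6614) rather than relying on this protection alone.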
7.3.4 TACACS+ Authentication
TACACS+ is a Cisco enhancement to the original TACACS protocol. Despite its name,
TACACS+ is an entirely new protocol that is incompatible with any previous version of
TACACS. TACACS+ is supported by the Cisco family of routers and access servers.
TACACS+ provides separate AAA services. Separating the AAA services provides
flexibility in implementation because it is possible to use TACACS+ for authorization
and accounting while using another method of authentication.
The extensions to the TACACS+ protocol provide more types of authentication
requests and response codes than were in the original TACACS specification. TACACS+
offers multiprotocol support, such as IP and legacy AppleTalk. Normal TACACS+
operation encrypts the entire body of the packet for more secure communications and
utilizes TCP port 49.
Click Play in the figure to view the TACACS+ authentication process.
Process for TACACS+ Authentication
7.3.6 Check Your Understanding - Identify the AAA Communication Protocol
Click the appropriate field next to each feature to indicate the communication
protocol.
7.4 Configure Server-Based Authentication
7.4.1 Steps to Configure Server-Based AAA Authentication
Unlike Local AAA Authentication, server-based AAA must identify various TACACS+ and
RADIUS servers that the AAA service should consult when authenticating and
authorizing users.
There are four basic steps to configure server-based authentication.
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a
prerequisite for all other AAA commands.
Step 2. Specify the server that will provide AAA services for the router. This can be a
TACACS+ or RADIUS server.
Step 3. Configure the encryption key needed to encrypt the data transfer between the
network device and AAA server.
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or
RADIUS server. For redundancy, it is possible to configure more than one server.
7.4.2 Configure TACACS+ Servers
TACACS+ and RADIUS protocols are used to communicate between clients and the AAA
security servers. The figure displays the AAA reference topology for this topic.
To configure a TACACS+ server, globally enable AAA using the aaa new-
model command. Next, use the tacacs server name command. In TACACS+ server
configuration mode, configure the IPv4 address of the TACACS+ server using
the address ipv4 command. The address ipv4 command allows the option to modify
the authentication port and the accounting port. You can also specify an IPv6 address
with the address ipv6 ipv6-address command.
Next, use the single-connection command to enhance TCP performance by
maintaining a single TCP connection for the life of the session. Otherwise, by default, a
TCP connection is opened and closed for each session. If required, multiple TACACS+
servers can be identified by entering their respective IPv4 addresses using the tacacs
server name command.
The key key command is used to configure the shared secret key to encrypt the data
transfer between the TACACS+ server and AAA-enabled router. This key must be
configured exactly the same way on both the router and the TACACS+ server.
The example displays a sample TACACS+ server configuration.
R1(config)# aaa new-model
R1(config)#
R1(config)# tacacs server Server-T
R1(config-server-tacacs)# address ipv4 192.168.1.101
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key TACACS-Pa55w0rd
R1(config-server-tacacs)# exit
R1(config)#
7.4.3 Configure RADIUS Servers
To configure a RADIUS server, use the radius server name command. This puts you
into radius server configuration mode.
Because RADIUS uses UDP, there is no equivalent single-connection keyword. If
required, multiple RADIUS servers can be identified by entering a radius
server name command for each server.
In RADIUS server configuration mode, configure the IPv4 address of the RADIUS server
using the address ipv4 ipv4-address command. You can also specify an IPv6 address
with the address ipv6 ipv6-address command.
By default, Cisco routers use port 1645 for the authentication and port 1646 for the
accounting. However, IANA has reserved ports 1812 for the RADIUS authentication
port and 1813 for the RADIUS accounting port. It is important to make sure these ports
match between the Cisco router and the RADIUS server.
To configure the shared secret key for encrypting the password, use the key command.
This key must be configured exactly the same way on the router and the RADIUS
server.
The example displays a sample RADIUS server configuration.
R1(config)# aaa new-model
R1(config)#
R1(config)# radius server SERVER-R
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RADIUS-Pa55w0rd
R1(config-radius-server)# exit
R1(config)#
7.4.4 Authenticate to the AAA Server Configuration Commands
When the AAA security servers have been identified, the servers must be included in
the method list of the aaa authentication login command. AAA servers are identified
using the group tacacs+ or group radius keywords. Refer to the example to see
command syntax options available with the aaa authentication login command.
R1(config)# aaa authentication login default ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support
R1(config)# aaa authentication login default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
To configure a method list for the default login to authenticate first using a TACACS+
server, second with a RADIUS server, and finally with a local username database,
specify the order with the aaa authentication login default command, as highlighted in
the example. It is important to realize that R1 will only attempt to authenticate using
RADIUS if the TACACS+ server is not reachable; a rejection from a reachable TACACS+
server ends the attempt. Likewise, R1 would only attempt to authenticate using the
local database if the TACACS+ and RADIUS servers are unavailable.
R1(config)# aaa new-model
R1(config)#
R1(config)# tacacs server Server-T
R1(config-server-tacacs)# address ipv4 192.168.1.100
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key TACACS-Pa55w0rd
R1(config-server-tacacs)# exit
R1(config)#
R1(config)# radius server SERVER-R
R1(config-radius-server)# address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RADIUS-Pa55w0rd
R1(config-radius-server)# exit
R1(config)#
R1(config)# aaa authentication login default group tacacs+ group radius local-case
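The fall-through rule stated in 7.2.2 (a method that returns an error hands off to the
next method; a method that denies access ends the attempt) and restated here for the
TACACS+, RADIUS, local-case list is easy to get wrong when designing fallbacks. The
following Python model is an added example, not course material or IOS code; it walks a
method list with stand-in server groups and a stand-in local database holding
constructed accounts. One assumption is labeled in the code: a local lookup that finds
no such username is treated as an error (so the next method runs), while a wrong
password for a known username is a failure; confirm this against your IOS release
before relying on it.

```python
"""Model of Cisco IOS AAA login method-list evaluation (added example).

Not IOS code and not course material. Methods are tried in order: ERROR
hands off to the next method, FAIL ends the attempt, PASS succeeds, and a
list that runs out of methods fails. Accounts below are constructed.
"""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def make_local(db, case_sensitive):
    """'local-case' when case_sensitive is True, 'local' otherwise. Passwords are
    compared exactly in both cases; only the username match differs."""
    def method(username, password):
        if not db:
            return ERROR  # no local database at all -> next method
        if case_sensitive:
            stored = db.get(username)
        else:
            stored = next((p for u, p in db.items() if u.lower() == username.lower()), None)
        if stored is None:
            return ERROR  # modeling assumption: unknown user -> next method
        return PASS if stored == password else FAIL
    return method


def make_enable(enable_secret):
    """'enable': the username is ignored; the enable secret is the password."""
    return lambda username, password: PASS if password == enable_secret else FAIL


def make_none():
    """'none': never asks, always succeeds. Only for testing a configuration."""
    return lambda username, password: PASS


def make_group(servers):
    """'group tacacs+' / 'group radius': the first reachable server answers.
    servers is a list of {"reachable": bool, "accounts": {user: password}}."""
    def method(username, password):
        for server in servers:
            if not server["reachable"]:
                continue
            return PASS if server["accounts"].get(username) == password else FAIL
        return ERROR  # no server answered -> next method
    return method


def authenticate(method_list, username, password):
    """Walk the list like IOS does. Returns (result, trace); trace lists the
    (method name, answer) pairs that were actually consulted."""
    trace = []
    for name, method in method_list:
        answer = method(username, password)
        trace.append((name, answer))
        if answer in (PASS, FAIL):
            return answer, trace  # a PASS or a denial stops here
    return FAIL, trace  # every method errored


# Constructed accounts for the walk-through.
PW = "Str0ng5rPa55w0rd"
LOCAL_DB = {"ADMIN": PW}
TACACS_DOWN = make_group([{"reachable": False, "accounts": {}}])
RADIUS_UP = make_group([{"reachable": True, "accounts": {"ADMIN": PW, "JR-ADMIN": PW}}])
RADIUS_DOWN = make_group([{"reachable": False, "accounts": {}}])

# aaa authentication login default group tacacs+ group radius local-case
DEFAULT_LIST = [("group tacacs+", TACACS_DOWN), ("group radius", RADIUS_UP),
                ("local-case", make_local(LOCAL_DB, True))]
# The same list with both servers unreachable.
SERVERS_DOWN = [("group tacacs+", TACACS_DOWN), ("group radius", RADIUS_DOWN),
                ("local-case", make_local(LOCAL_DB, True))]


def demo():
    return {
        "tacacs down, radius accepts": authenticate(DEFAULT_LIST, "ADMIN", PW),
        "radius rejects, local not consulted": authenticate(DEFAULT_LIST, "ADMIN", "wrong"),
        "all servers down, local-case accepts": authenticate(SERVERS_DOWN, "ADMIN", PW),
        "all servers down, unknown local user": authenticate(SERVERS_DOWN, "JR-ADMIN", PW),
        "local accepts 'admin'": make_local(LOCAL_DB, False)("admin", PW),
        "local-case does not": make_local(LOCAL_DB, True)("admin", PW),
        "empty db, enable fallback": authenticate(
            [("local-case", make_local({}, True)), ("enable", make_enable("En4bleS3cret"))],
            "anyone", "En4bleS3cret"),
        "none as last method": authenticate(
            [("local-case", make_local({}, True)), ("none", make_none())], "anyone", ""),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The second case is the one that surprises people: once the reachable RADIUS server
rejects the password, the local database is never consulted, even though it holds a
valid account. The last case shows why the course restricts none to testing: with an
empty local database the list falls straight through to a method that accepts anyone.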
7.4.5 Syntax Checker - Configure Server-Based AAA Authentication
Use the Syntax Checker to configure server-based AAA authentication on R1. The local
username database has been configured and TACACS+ and RADIUS servers have been
implemented on the network.
Configure TACACS+ server settings on router R1 using the following instructions:
Enable AAA.
Enter TACACS+ server configuration mode and name the server
configuration SERVER-T.
Configure the TACACS+ server address to 192.168.1.100.
Configure a single persistent TCP connection to the TACACS+ server.
Configure the shared secret key TACACS-Pa55w0rd.
Exit TACACS+ server configuration mode.
R1(config)#aaa new-model
R1(config)#tacacs server SERVER-T
R1(config-server-tacacs)#address ipv4 192.168.1.100
R1(config-server-tacacs)#single-connection
R1(config-server-tacacs)#key TACACS-Pa55w0rd
R1(config-server-tacacs)#exit
Enter RADIUS server configuration mode and name the configuration SERVER-R.
Configure the RADIUS server address to 192.168.1.101 with the authentication port
set to 1812 and the accounting port set to 1813.
Configure the shared secret key RADIUS-Pa55w0rd.
Exit RADIUS server configuration mode.
R1(config)#radius server SERVER-R
R1(config-radius-server)#address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
R1(config-radius-server)#key RADIUS-Pa55w0rd
R1(config-radius-server)#exit
Specify a default authentication method list with primary option TACACS+, secondary
option RADIUS, and tertiary option local username case-sensitive authentication. After
configuration, exit configuration mode.
R1(config)#aaa authentication login default group tacacs+ group radius local-case
R1(config)#exit
R1#
*Mar 3 17:02:15.123: %SYS-5-CONFIG_I: Configured from console by console
R1#
You successfully configured server-based AAA authentication.
7.4.6 Video Demonstration - Configure a Cisco Router to Access a AAA RADIUS Server
This video demonstrates how to configure a Cisco router to access a AAA RADIUS
server by completing the following:
Step 1. Create users on the RADIUS server.
Step 2. Set a secret key on the RADIUS server.
Step 3. Verify port 1812 for the RADIUS authentication port and 1813 for the RADIUS
accounting port.
Step 4. Set up SSH on the router for remote access.
Step 5. Set up a local user on the router in case of RADIUS server failure.
Step 6. Enable AAA authentication on the router.
Step 7. Set AAA authentication login method lists.
Step 8. Enable the router to use the RADIUS server for authentication by configuring
the following on the router:
1. RADIUS server name
2. RADIUS server IP address, authentication port 1812, and accounting port 1813
3. shared secret key
Step 9. Configure the console line and specify the AAA login authentication method list
to use
Step 10. Configure the VTY lines for SSH and specify the AAA login authentication
method list to use.
Step 11. Test and verify.
Configure Centralized Authentication Using AAA and RADIUS
In the animation, the JR-ADMIN is permitted to access the show version command, but
not the configure terminal command. The router queries the AAA server for
permission to execute the commands on behalf of the user. When the user issues
the show version command, the server sends an ACCEPT response. If the user issues
a configure terminal command, the server sends a REJECT response.
By default, TACACS+ establishes a new TCP session for every authorization request,
which can lead to delays when users enter commands. To improve performance, AAA
supports persistent TCP sessions that are configured with the single-connection tacacs
server configuration mode command.
7.5.2 AAA Authorization Configuration
To configure authorization, use the aaa authorization command, as shown in the
examples below . The authorization type can specify the types of commands or
services:
network - for network services such as PPP and SLIP
exec - for User EXEC terminal sessions
commands level - command authorization attempts authorization for all EXEC
mode commands, including global configuration commands, associated with a
specific privilege level
Router(config)# aaa authorization {network | exec | commands level} {default | list-name} method1… [method4]
R1(config)# aaa authorization exec ?
WORD Named authorization list.
default The default authorization list.
R1(config)# aaa authorization exec default ?
cache Use Cached-group
group Use server-group.
if-authenticated Succeed if user has authenticated.
krb5-instance Use Kerberos instance privilege maps.
local Use local database.
none No authorization (always succeeds).
R1(config)# aaa authorization exec default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
When AAA authorization is not enabled, all users are allowed full access. After
authorization is enabled, the default changes to allow no access. This means that the
administrator must create a user with full access rights before authorization is
enabled, as shown in the example. Failure to do so immediately locks the
administrator out of the system the moment the aaa authorization command is
entered. The only way to recover from this is to reboot the router. If this is a
production router, rebooting might be unacceptable. Be sure that at least one user
always has full rights. Note also that the method lists in the example consult only the
TACACS+ server group: if the server is unreachable, the method returns an error and,
with no further method listed, authorization fails. Ending the list with a fallback such
as local or if-authenticated keeps administrators from being locked out during a server
outage.
R1(config)# username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
7.5.3 Introduction to Server-Based AAA Accounting
Companies often need to keep track of which resources individuals or groups use. AAA
accounting enables usage tracking. An example of usage tracking is when one
department charges another department for access, or when one company provides
internal support to another company. The accounting function is similar to the
accounting information provided in a credit card billing statement as shown in the
figure.
applied to all interfaces, except those that have a user-defined, or custom, accounting
method list that has been explicitly defined.
7.5.4 AAA Accounting Configuration
To configure AAA accounting, use the aaa accounting command that is shown in the
example.
The following three parameters are commonly used aaa accounting keywords:
network - Runs accounting for all network-related service requests, including PPP.
exec - Runs accounting for the EXEC shell session.
connection - Runs accounting on all outbound connections such as SSH and Telnet.
Router(config)# aaa accounting {network | exec | connection} {default | list-name}
{start-stop | stop-only | none } [broadcast] method1...[method4]
R1(config)# aaa accounting exec ?
WORD Named Accounting list.
default The default accounting list
As with AAA authentication, either the keyword default or a list-name can be used.
Next, the record type, or trigger, is configured. The trigger specifies what actions cause
accounting records to be updated. Possible triggers include:
start-stop - Sends a "start" accounting notice at the beginning of a process and a
"stop" accounting notice at the end of a process.
stop-only - Sends a "stop" accounting record for all cases including authentication
failures.
none - Disables accounting services on a line or interface.
The examples show the command syntax and method list options available.
R1(config)# aaa accounting exec default start-stop ?
broadcast Use Broadcast for Accounting
group Use Server-group
R1(config)# aaa accounting exec default start-stop group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
The example shows an accounting configuration that logs the use of EXEC commands
and network connections.
R1(config)# username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa5w0rd
R1(config)# username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
7.5.5 Syntax Checker - Configure AAA Accounting
Use the Syntax Checker to configure server-based AAA authorization and accounting
on R1. A local username database has been configured, AAA has been enabled, AAA
authentication has been configured, and TACACS+ and RADIUS servers have been
implemented on the network.
On router R1, a local username database has been configured, AAA has been enabled,
and AAA authentication has been configured. TACACS+ and RADIUS servers have been
implemented on the network. Configure R1 using the following instructions:
Configure default AAA authorization method list for EXEC shells and network
services using TACACS+.
Configure default AAA accounting method list for EXEC shells and network services
using TACACS+, with start and stop notices sent at the beginning and end of a
process.
After configuration, exit configuration mode.
R1(config)#aaa authorization exec default group tacacs+
R1(config)#aaa authorization network default group tacacs+
R1(config)#aaa accounting exec default start-stop group tacacs+
R1(config)#aaa accounting network default start-stop group tacacs+
R1(config)#exit
R1#
*Mar 3 18:22:23.443: %SYS-5-CONFIG_I: Configured from console by console
R1#
You successfully configured AAA accounting.
7.6 Authentication, Authorization, and Accounting (AAA) Summary
7.6.1 What Did I Learn in this Module?
AAA Characteristics
Local authentication can be configured on networking devices with usernames and
passwords that protect console, vty lines, and User EXEC mode. This is the easiest
authentication to implement, but also the weakest and least secure. SSH should be
used for remote access to vty lines because telnet is not secure. AAA provides a means
by which users can be authenticated against a centralized database of users. AAA
authentication requires users and admins to prove their identity with usernames and
passwords or through other methods. AAA authorization can be used to limit the
access of users or groups of users to only the network resources that they need to
access. It also can control what the user can do with various resources. Authorization
can be configured to control what different users can do on network devices. AAA
accounting records user actions including when the user accessed the network or
device, the length of time for the session, and the resources or functions that were
accessed by the user. AAA can be configured to access a local user database that has
been configured on a router or switch, or centralized AAA server. After authentication
has successfully occurred, authorization for user access is determined. After successful
authentication, AAA accounting records the beginning of the session.
Configure Local AAA Authentication
Local AAA authentication should be configured for smaller networks. Usernames and
passwords are configured on the networking device, similar to when login local is
configured on the console and vty lines. AAA local authentication provides additional
options that are not available when AAA is not used. For example, different
authentication methods can be configured on different lines, including using local
authentication for some lines and server-based authentication for others. In addition,
local AAA authentication can be configured to lock users out after a specified number
of login attempts. The user will remain locked out until an administrator manually
clears the user from the list of locked-out local users.
Server-Based AAA Characteristics and Protocols
Local authentication does not scale well to large networks that have many networking
devices and users. The legacy Cisco Secure ACS AAA server has been replaced by Cisco
ISE. ISE provides many access-related security functions beyond AAA functionality. The
TACACS+ and RADIUS protocols provide communication between a network device
and a AAA server. The choice of protocol depends on the needs of the enterprise.
TACACS+ encrypts all communication while RADIUS only encrypts passwords. TACACS+
separates the authentication and authorization processes, while they are combined in
RADIUS. In addition, TACACS+ uses TCP while RADIUS uses UDP. It is important to note
that RADIUS supports remote access technologies such as 802.1X and SIP. There are
other important differences between the protocols.
TACACS+ is a Cisco enhancement of the original TACACS protocol and is not compatible
with the original version. RADIUS is an open standard IETF protocol. It is widely used
with VoIP because it supports SIP. The next generation protocol that is an alternative
to RADIUS is Diameter AAA.
Configure Server-Based Authentication
There are four basic steps to configuring AAA server-based authentication. First AAA
must be globally enabled on the device. Second, the AAA server IP address and
protocol are specified. Then, the matching encryption key that will be used by the
network device and AAA server is specified. The device must also be configured to use
the AAA server or servers for authentication by specifying the aaa
authentication method list that includes the login group as either RADIUS, TACACS+ or
both. Note that by default, Cisco routers use port 1645 for authentication and port
1646 for accounting. However, IANA has reserved ports 1812 for RADIUS
authentication and 1813 for RADIUS accounting. It is important to make sure these
ports match between the networking device and the RADIUS server.
Configure Server-Based Authorization and Accounting
AAA authorization is concerned with allowing authenticated users access to only the
resources that they need to access. For network administrators, the type of access that
is permitted to the device command line and network services can be controlled. The
type of authorization is configured with the aaa authorization command. Types can
be network, for network services, exec, for the User EXEC mode, and command for all
EXEC mode commands including configuration commands. When AAA authorization is
not enabled, all users are allowed full access. After authentication is started, the
default changes to allow no access. This means that the administrator must create a
user with full access rights before authorization is enabled. Failure to do so
immediately locks the administrator out of the system the moment the aaa
authorization command is entered. The only way to recover from this is to reboot the
router.
AAA accounting tracks the resources accessed by a user, or the device functions that
an administrator has accessed. One reason to implement accounting is to create a list
of changes that occurred on the network device, the user that made the changes, and
the exact nature of the changes. Knowing this information helps the troubleshooting
process if the changes cause unexpected results. The aaa accounting command options
track the following types of information:
network - all network-related service requests, including PPP
exec - accounting for the EXEC shell session
connection - accounting on all outbound connections such as SSH and Telnet
The record type or trigger specifies what actions cause accounting records to be
updated. Triggers include the beginning and end of a process or authentication
failures. Accounting can also be disabled on a device line or interface.
Compatibility with previous TACACS protocols
Password encryption without encrypting the packet
Question 7
Which term describes the ability of a web server to keep a log of the users who
access the server, as well as the length of time they use it?
Authentication
Authorization
Accounting
Assigning permissions
Question 8
What is the first required task when configuring server-based AAA authentication?
Configure the type of AAA authentication.
Enable AAA globally.
Specify the type of server providing the authentication.
Configure the IP address of the server.
Question 9
What is a characteristic of AAA accounting?
Accounting can only be enabled for network connections.
Users are not required to be authenticated before AAA accounting logs their activities
on the network.
Possible triggers for the aaa accounting exec default command include start-
stop and stop-only.
Accounting is concerned with allowing and disallowing authenticated users access to
certain areas and programs on the network.
Question 10
When a method list for AAA authentication is being configured, what is the effect of
the keyword local?
It accepts a locally configured username, regardless of case.
It defaults to the vty line password for authentication.
The login succeeds, even if all methods return an error.
It uses the enable password for authentication.
Question 11
Which statement describes a difference between RADIUS and TACACS+?
RADIUS uses TCP whereas TACACS+ uses UDP.
RADIUS is supported by the Cisco Secure ACS software whereas TACACS+ is not.
RADIUS encrypts only the password whereas TACACS+ encrypts all communication.
RADIUS separates authentication and authorization whereas TACACS+ combines them
as one process.
Question 12
A user complains about not being able to gain access to a network device configured
with AAA. How would the network administrator determine if login access for the
user account is disabled?
Use the show aaa user command.
Use the show aaa sessions command.
Use the show aaa local user lockout command.
Use the show running-configuration command.
Question 13
Which component of AAA is used to determine which resources a user can access
and which operations the user is allowed to perform?
Auditing
Accounting
Authorization
Authentication
Checkpoint Exam: Monitoring and Managing Devices Group Exam
This exam will cover material from Modules 5-7 of the Network Security 1.0
curriculum.
Copyright 2023, Cisco Systems, Inc.
Question 1
A student is learning about role-based views and role-based view configurations. The
student enters the Router(config)# parser view TECH-view command. What is the
purpose of this command?
to create a CLI view named TECH-view
to enter the CLI view named TECH-view
to check the current setup of the CLI view named TECH-view
to enter the superview named TECH-view
Question 2
Which command will move the show access-lists command to privilege level 14?
router(config)# privilege exec level 14 show access-lists
router(config)# privilege level 14 command show access-lists
router(config)# set privilege level 14 show access-lists
router(config)# show access-lists privilege level 14
Question 3
A student is learning role-based CLI access and CLI view configurations. The student
opens Packet Tracer and adds a router. Which command should be used first for
creating a CLI view named TECH-View?
Router(config)# parser view TECH-view
Router# enable view
Router(config)# aaa new-model
Router# enable view TECH-view
Question 4
Which privilege level is predefined for the privileged EXEC mode?
level 1
level 15
level 0
level 16
Question 5
Refer to the exhibit. Based on the output of the show running-config command,
which type of view is SUPPORT?
CLI view, containing SHOWVIEW and VERIFYVIEW commands
secret view, with a level 5 encrypted password
superview, containing SHOWVIEW and VERIFYVIEW views
root view, with a level 5 encrypted secret password
Question 6
What IOS privilege levels are available to assign for custom user-level privileges?
levels 1 through 15
levels 0 and 1
levels 2 through 14
levels 0, 1, and 15
Question 7
What are three characteristics of superviews in the Cisco role-based CLI access
feature? (Choose three.)
A user uses the command enable view to enter a superview.
A user uses a superview to configure commands inside associated CLI views.
A single CLI view can be shared within multiple superviews.
Deleting a superview does not delete the associated CLI views.
Commands cannot be configured for a superview.
Level 15 privilege access is used to configure a new superview.
Question 8
A network engineer is implementing security on all company routers. Which two
commands must be issued to force authentication via the password 1A2b3C for all
OSPF-enabled interfaces in the backbone area of the company network? (Choose
two.)
area 1 authentication message-digest
ip ospf message-digest-key 1 md5 1A2b3C
area 0 authentication message-digest
username OSPF password 1A2b3C
enable password 1A2b3C
Question 9
Refer to the exhibit. What information in the syslog message identifies the facility?
ADJCHG
Loading Done
level 5
OSPF
Question 10
A network administrator is analyzing the features supported by the multiple versions
of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1
or SNMPv2c? (Choose two.)
Message encryption
Community-based security
Bulk retrieval of MIB information
Message source validation
SNMP trap mechanism
Question 11
Refer to the exhibit. What two statements describe the NTP status of the router?
(Choose two.)
The router is serving as an authoritative time source.
The software clock for the router must be configured with the set clock command so
that NTP will function properly.
The IP address of the time source for the router is 192.168.1.1.
The router is attached to a stratum 2 device.
The router is serving as a time source for the device at 192.168.1.1.
Question 12
Which three items are prompted for a user response during interactive
AutoSecure setup? (Choose three.)
enable password
services to disable
IP addresses of interfaces
enable secret password
interfaces to enable
content of a security banner
Question 13
What are two characteristics of the Cisco IOS Resilient Configuration feature?
(Choose two.)
It sends a backup copy of the IOS image to a TFTP server.
It minimizes the downtime of a device that has had the image and configuration
deleted.
It maintains a mirror image of the configuration file in RAM.
It is a universal feature that can be activated on all Cisco devices.
It saves a secure copy of the primary image and device configuration that cannot be
removed by a user.
Question 14
What is a requirement to use the Secure Copy Protocol feature?
The Telnet protocol has to be configured on the SCP server side.
A transfer can only originate from SCP clients that are routers.
At least one user with privilege level 1 has to be configured for local authentication.
A command must be issued to enable the SCP server side functionality.
Question 15
A network administrator is configuring an AAA server to manage TACACS+
authentication. What are two attributes of TACACS+ authentication? (Choose two.)
UDP port 1645
TCP port 40
encryption for only the password of a user
single process for authentication and authorization
encryption for all communication
separate processes for authentication and authorization
Question 16
Which task is necessary to encrypt the transfer of data between the ACS server and
the AAA-enabled router?
Use identical reserved ports on the server and the router.
Create a VPN tunnel between the server and the router.
Specify the single-connection keyword.
Configure the key exactly the same way on the server and the router.
Question 17
What is the biggest issue with local implementation of AAA?
Local implementation supports only RADIUS servers.
Local implementation supports only TACACS+ servers.
Local implementation cannot provide secure authentication.
Local implementation does not scale well.
Question 18
Which AAA component can be established using token cards?
authentication
auditing
authorization
accounting
Question 19
Which authentication method stores usernames and passwords in the router and is
ideal for small networks?
server-based AAA over RADIUS
server-based AAA
server-based AAA over TACACS+
local AAA over TACACS+
local AAA
local AAA over RADIUS
Question 20
What is the one major difference between local AAA authentication and using
the login local command when configuring device access authentication?
The login local command requires the administrator to manually configure the
usernames and passwords, but local AAA authentication does not.
Local AAA authentication allows more than one user account to be configured,
but login local does not.
Local AAA authentication provides a way to configure backup methods of
authentication, but login local does not.
The login local command uses local usernames and passwords stored on the router,
but local AAA authentication does not.
Question 21
Which two UDP port numbers may be used for server-based AAA RADIUS
authentication? (Choose two.)
1812
1645
49
1646
1813
Note: ACEs are also commonly called ACL statements.
When network traffic passes through an interface configured with an ACL, the router
compares the information within the packet against each ACE, in sequential order, to
determine if the packet matches one of the ACEs. This process is called packet filtering.
Several tasks performed by routers require the use of ACLs to identify traffic. The table
lists some of these tasks with examples.
Task - Example
Limit network traffic to increase network performance - A corporate policy prohibits
video traffic on the network to reduce the network load. A policy can be enforced
using ACLs to block video traffic.
Provide traffic flow control - A corporate policy requires that routing protocol traffic
be limited to certain links only. A policy can be implemented using ACLs to restrict
the delivery of routing updates to only those that come from a known source.
Provide a basic level of security for network access - Corporate policy demands that
access to the Human Resources network be restricted to authorized users only. A
policy can be enforced using ACLs to limit access to specified networks.
Filter traffic based on traffic type - Corporate policy requires that email traffic be
permitted into a network, but that Telnet access be denied. A policy can be
implemented using ACLs to filter traffic by type.
Screen hosts to permit or deny access to network services - Corporate policy requires
that access to some file types (e.g., FTP or HTTP) be limited to user groups. A policy
can be implemented using ACLs to filter user access to services.
Provide priority to certain classes of network traffic - Corporate policy specifies that
voice traffic be forwarded as fast as possible to avoid any interruption. A policy can
be implemented using ACLs and QoS services to identify voice traffic and process it
immediately.
8.1.2 Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and/or
outgoing packets and forwarding them or discarding them based on given criteria.
Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure.
Cisco routers support two types of ACLs:
Standard ACLs - These ACLs filter at Layer 3 only, using the source IPv4 address only.
Extended ACLs - These ACLs filter at Layer 3 using the source and/or destination
IPv4 address. They can also filter at Layer 4 using TCP and UDP ports, and
optional protocol type information, for finer control.
8.1.3 Numbered and Named ACLs
Numbered ACLs
ACLs numbered 1 to 99, or 1300 to 1999, are standard ACLs, while ACLs numbered 100
to 199, or 2000 to 2699, are extended ACLs, as shown in the output.
R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
rate-limit Simple rate-limit specific access list
template Enable IP template acls
R1(config)# access-list
Named ACLs
Named ACLs are the preferred method to use when configuring ACLs. Specifically,
standard and extended ACLs can be named to provide information about the purpose
of the ACL. For example, naming an extended ACL FTP-FILTER is far better than having
a numbered ACL 100.
The ip access-list global configuration command is used to create a named ACL, as
shown in the following example.
R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
R1(config-ext-nacl)#
The following summarizes the rules to follow for named ACLs.
Assign a name to identify the purpose of the ACL.
Names can contain alphanumeric characters.
Names cannot contain spaces or punctuation.
It is suggested that the name be written in CAPITAL LETTERS.
Entries can be added or deleted within the ACL.
8.1.4 ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound
interfaces of the router.
ACLs can be configured to apply to inbound traffic and outbound traffic, as shown in
the figure.
Note: ACLs do not act on packets that originate from the router itself.
An inbound ACL filters packets before they are routed to the outbound interface. An
inbound ACL is efficient because it saves the overhead of routing lookups if the packet
is discarded. If the packet is permitted by the ACL, it is then processed for routing.
Inbound ACLs are best used to filter packets when the network attached to an inbound
interface is the only source of packets that need to be examined.
An outbound ACL filters packets after being routed, regardless of the inbound
interface. Incoming packets are routed to the outbound interface and then they are
processed through the outbound ACL. Outbound ACLs are best used when the same
filter will be applied to packets coming from multiple inbound interfaces before exiting
the same outbound interface.
When an ACL is applied to an interface, it follows a specific operating procedure. For
example, here are the operational steps used when traffic has entered a router
interface with an inbound standard IPv4 ACL configured.
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to
each ACE in a sequential order.
3. When a match is made, the router carries out the instruction, either permitting or
denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is
discarded because there is an implicit deny ACE automatically applied to all ACLs.
The last ACE statement of an ACL is always an implicit deny that blocks all traffic. By
default, this statement is automatically implied at the end of an ACL even though it is
hidden and not displayed in the configuration.
Note: An ACL must have at least one permit statement otherwise all traffic will be
denied due to the implicit deny ACE statement.
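The four operational steps above, worked as an added Python example (this is not code from the course or from Cisco IOS). It parses ACEs written in the dotted wildcard form, compares the packet's source address against each entry in order, stops at the first match, and falls through to the implicit deny when nothing matches. The ACL entries and packet addresses are constructed for illustration; the wildcard comparison it uses (a 0 bit in the mask means the address bit must match, a 1 bit means ignore) is the one explained in the Wildcard Masking topic.

```python
"""Sequential evaluation of an inbound standard IPv4 ACL.

Added example, not part of the Cisco course. Models the four operational
steps: extract the source address, compare it against each ACE top-down,
act on the first match, and apply the implicit deny when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry: action plus source address and wildcard mask."""
    action: str      # "permit" or "deny"
    source: int      # source IPv4 address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer (0 = must match, 1 = ignore)


def ip_to_int(dotted: str) -> int:
    """Convert dotted-decimal notation to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_ace(line: str) -> ACE:
    """Parse text of the form 'permit 192.168.1.0 0.0.0.255' (dotted wildcard only)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return ACE(parts[0], ip_to_int(parts[1]), ip_to_int(parts[2]))


def build_acl(lines: List[str]) -> List[ACE]:
    """Build an ordered ACL from ACE text lines; order is significant."""
    return [parse_ace(line) for line in lines]


def ace_matches(ace: ACE, src: int) -> bool:
    """Wildcard compare: only the bits where the wildcard mask is 0 must be equal."""
    care_bits = ~ace.wildcard & 0xFFFFFFFF
    return (src & care_bits) == (ace.source & care_bits)


def evaluate(acl: List[ACE], src_dotted: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE); index None means implicit deny."""
    src = ip_to_int(src_dotted)                    # step 1: extract the source address
    for index, ace in enumerate(acl, start=1):     # step 2: compare top-down, in order
        if ace_matches(ace, src):
            return ace.action, index               # step 3: first match wins, rest skipped
    return "deny", None                            # step 4: implicit deny at the end


if __name__ == "__main__":
    # Constructed ACL: permit one subnet, then explicitly deny the rest of 192.168.0.0/16.
    acl = build_acl([
        "permit 192.168.1.0 0.0.0.255",
        "deny 192.168.0.0 0.0.255.255",
    ])
    for src in ("192.168.1.25", "192.168.2.25", "10.1.1.1"):
        print(src, evaluate(acl, src))
```

Swapping the two entries makes 192.168.1.25 hit the deny first, which is why ACE order matters, and an ACL containing only deny entries denies every packet, exactly as the note above states.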
8.1.5 Packet Tracer - ACL Demonstration
In this activity, you will observe how an access control list (ACL) can be used to prevent
a ping from reaching hosts on remote networks. After removing the ACL from the
configuration, the pings will be successful.
8.2 Wildcard Masking
8.2.1 Wildcard Mask Overview
In the previous topic, you learned about the purpose of ACLs. This topic explains how
ACLs use wildcard masks. An IPv4 ACE uses a 32-bit wildcard mask to determine which
bits of the address to examine for a match. Wildcard masks are also used by the Open
Shortest Path First (OSPF) routing protocol.
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to
identify which bits in an IPv4 address to match. However, they differ in the way they
match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match
and binary 0 is not a match, in a wildcard mask, the reverse is true.
Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address
The table lists some examples of wildcard masks and what they would identify.
Wildcard Mask   Last Octet (in Binary)   Meaning (0 - match, 1 - ignore)
0.0.0.0         00000000                 Match all octets.
0.0.0.63        00111111                 Match the first three octets. Match the two left most bits of the last octet. Ignore the last 6 bits.
0.0.0.15        00001111                 Match the first three octets. Match the four left most bits of the last octet. Ignore the last 4 bits of the last octet.
0.0.0.252       11111100                 Match the first three octets. Ignore the six left most bits of the last octet. Match the last two bits.
0.0.0.255       11111111                 Match the first three octets. Ignore the last octet.
8.2.2 Wildcard Mask Types
Using wildcard masks will take some practice. Refer to the examples to learn how the
wildcard mask is used to filter traffic for one host, one subnet, and a range of IPv4
addresses.
Wildcard to Match a Host
In this example, the wildcard mask is used to match a specific host IPv4 address.
Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1.
Recall that “0” equals a match and “1” equals ignore. To match a specific host IPv4
address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
The table lists in binary, the host IPv4 address, the wildcard mask, and the permitted
IPv4 address.
The 0.0.0.0 wildcard mask stipulates that every bit must match exactly. Therefore,
when the ACE is processed, the wildcard mask will permit only the 192.168.1.1
address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1
0.0.0.0.
                        Decimal        Binary
IPv4 address            192.168.1.1    11000000.10101000.00000001.00000001
Wildcard Mask           0.0.0.0        00000000.00000000.00000000.00000000
Permitted IPv4 Address  192.168.1.1    11000000.10101000.00000001.00000001
Wildcard Mask to Match an IPv4 Subnet
In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24
network. The wildcard mask 0.0.0.255 stipulates that the very first three octets must
match exactly but the fourth octet does not.
The table lists in binary, the host IPv4 address, the wildcard mask, and the permitted
IPv4 addresses.
When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24
network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0
0.0.0.255.
                               Decimal         Binary
IPv4 address                   192.168.1.1     11000000.10101000.00000001.00000001
Wildcard Mask                  0.0.0.255       00000000.00000000.00000000.11111111
Permitted Host IPv4 Addresses  192.168.1.1     11000000.10101000.00000001.00000000
                               to
                               192.168.1.254   11000000.10101000.00000001.11111111
Wildcard Mask to Match an IPv4 Address Range
In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24,
192.168.17.0/24, …, 192.168.31.0/24 networks. The wildcard mask 0.0.15.255 would
correctly filter that range of addresses.
The table lists in binary the host IPv4 address, the wildcard mask, and the permitted
IPv4 addresses.
The wildcard mask bits set to 0 identify which bits of the IPv4 address must match.
When processed, the wildcard mask 0.0.15.255 permits all hosts in the
192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would
be access-list 10 permit 192.168.16.0 0.0.15.255.
                               Decimal          Binary
IPv4 address                   192.168.16.0     11000000.10101000.00010000.00000000
Wildcard Mask                  0.0.15.255       00000000.00000000.00001111.11111111
Permitted Host IPv4 Addresses  192.168.16.1     11000000.10101000.00010000.00000000
                               to
                               192.168.31.254   11000000.10101000.00011111.11111111
8.2.3 Wildcard Mask Calculation
Calculating wildcard masks can be challenging. One shortcut method is to subtract the
subnet mask from 255.255.255.255. Refer to the examples to learn how to calculate
the wildcard mask using the subnet mask.
Example 1
Assume you wanted an ACE in ACL 10 to permit access to all users in the
192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask
(i.e., 255.255.255.0) from 255.255.255.255, as shown in the table.
The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would
be access-list 10 permit 192.168.3.0 0.0.0.255.
Starting value             255.255.255.255
Subtract the subnet mask  -255.255.255.  0
Resulting wildcard mask      0.  0.  0.255
Example 2
In this example, assume you wanted an ACE in ACL 10 to permit network access for the
14 users in the subnet 192.168.3.32/28. Subtract the subnet mask (i.e., 255.255.255.240)
from 255.255.255.255, as shown in the table.
This solution produces the wildcard mask 0.0.0.15. Therefore, the ACE would
be access-list 10 permit 192.168.3.32 0.0.0.15.
Starting value             255.255.255.255
Subtract the subnet mask  -255.255.255.240
Resulting wildcard mask      0.  0.  0. 15
Example 3
In this example, assume you needed an ACE in ACL 10 to permit only networks
192.168.10.0 and 192.168.11.0. These two networks could be summarized as
192.168.10.0/23 which is a subnet mask of 255.255.254.0. Again, you subtract
255.255.254.0 subnet mask from 255.255.255.255, as shown in the table.
This solution produces the wildcard mask 0.0.1.255. Therefore, the ACE would
be access-list 10 permit 192.168.10.0 0.0.1.255.
Starting value             255.255.255.255
Subtract the subnet mask  -255.255.254.  0
Resulting wildcard mask      0.  0.  1.255
Example 4
Consider an example in which you need an ACL number 10 to match networks in the
range between 192.168.16.0/24 to 192.168.31.0/24. This network range could be
summarized as 192.168.16.0/20 which is a subnet mask of 255.255.240.0. Therefore,
subtract 255.255.240.0 subnet mask from 255.255.255.255, as shown in the table.
This solution produces the wildcard mask 0.0.15.255. Therefore, the ACE would
be access-list 10 permit 192.168.16.0 0.0.15.255.
Starting value             255.255.255.255
Subtract the subnet mask  -255.255.240.  0
Resulting wildcard mask      0.  0. 15.255
8.2.4 Wildcard Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious. To
simplify this task, the Cisco IOS provides two keywords to identify the most common
uses of wildcard masking. Keywords reduce ACL keystrokes but more importantly,
keywords make it easier to read the ACE.
The two keywords are:
host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4
address bits must match to filter just one host address.
any - This keyword substitutes for the 255.255.255.255 mask. This mask says to
ignore the entire IPv4 address or to accept any addresses.
For example, in the command output, two ACLs are configured. The ACL 10 ACE
permits only the 192.168.10.10 host and the ACL 11 ACE permits all hosts.
R1(config)# access-list 10 permit 192.168.10.10 0.0.0.0
R1(config)# access-list 11 permit 0.0.0.0 255.255.255.255
R1(config)#
Alternatively, the keywords host and any could have been used in place of the
0.0.0.0 wildcard mask in ACL 10 and the 0.0.0.0 255.255.255.255 source and mask in
ACL 11.
The following commands accomplish the same task as the previous commands.
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# access-list 11 permit any
R1(config)#
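As an added example (not part of the course material), the following Python reproduces the wildcard mask arithmetic of Examples 1 to 4, expands the host and any keywords, and then applies a standard ACL to sample source addresses the way the router does: top-down, first match wins, implicit deny at the end. All function and class names are mine, and the source addresses fed to the ACL are constructed.

```python
import ipaddress
from typing import NamedTuple


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet
    (the subtraction carried out in the tables for Examples 1 to 4)."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result derived from a prefix length, e.g. /28 -> 0.0.0.15.
    The ipaddress module calls the inverted mask the 'hostmask'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def summarize_networks(first_net: str, last_net: str) -> tuple:
    """Return (network, wildcard) for a contiguous run of networks, as in
    Example 3 (192.168.10.0-11.0 -> /23) and Example 4 (16.0-31.0 -> /20).
    Raises ValueError if the run does not collapse to one summary block."""
    first = ipaddress.IPv4Network(first_net)
    last = ipaddress.IPv4Network(last_net)
    blocks = list(ipaddress.summarize_address_range(first[0], last[-1]))
    if len(blocks) != 1:
        raise ValueError(f"{first_net}..{last_net} is not one summarizable block")
    return str(blocks[0].network_address), str(blocks[0].hostmask)


class StandardAce(NamedTuple):
    acl_number: int
    action: str      # "permit" or "deny"
    address: str
    wildcard: str


def parse_standard_ace(line: str) -> StandardAce:
    """Parse 'access-list N {permit|deny} source [wildcard]', expanding the
    host and any keywords (8.2.4) and the default 0.0.0.0 wildcard (8.3.2)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if rest[0] == "any":
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        if len(rest) < 2:
            raise ValueError(f"host keyword without an address: {line!r}")
        address, wildcard = rest[1], "0.0.0.0"
    else:
        address = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"  # omitted wildcard = one host
    return StandardAce(number, action, address, wildcard)


def ace_matches(packet_src: str, ace: StandardAce) -> bool:
    """Wildcard bit 0: the address bit must match; bit 1: the bit is ignored.
    The packet matches when no differing bit falls under a 0 wildcard bit."""
    src = int(ipaddress.IPv4Address(packet_src))
    addr = int(ipaddress.IPv4Address(ace.address))
    wild = int(ipaddress.IPv4Address(ace.wildcard))
    return ((src ^ addr) & ~wild) == 0


def evaluate_standard_acl(packet_src: str, acl_lines: list) -> str:
    """Walk the ACEs top-down and return the first matching action; fall
    through to the implicit deny that ends every IOS ACL."""
    for ace in map(parse_standard_ace, acl_lines):
        if ace_matches(packet_src, ace):
            return ace.action
    return "deny"  # implicit deny any


if __name__ == "__main__":
    # The corrected ACL 1 of section 8.4.2; the source addresses are constructed.
    acl = [
        "access-list 1 deny 192.168.10.10",
        "access-list 1 permit 192.168.10.0 0.0.0.255",
    ]
    for src in ("192.168.10.10", "192.168.10.55", "192.168.11.5"):
        print(src, "->", evaluate_standard_acl(src, acl))
```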
8.2.5 Check Your Understanding - Wildcard Masks in ACLs
Check your understanding of wildcard masks in ACLs by choosing the BEST answer to the
following questions.
Question 1
Which wildcard mask would permit only host 10.10.10.1?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
Question 2
Which wildcard mask would permit only hosts from the 10.10.0.0/16 network?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
Question 3
Which wildcard mask would permit all hosts?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
Question 4
Which wildcard mask would permit all hosts from the 192.168.10.0/24 network?
0.0.0.0
0.0.0.31
0.0.0.255
0.0.255.255
255.255.255.255
8.3 Configure ACLs
8.3.1 Create an ACL
In a previous topic, you learned about what an ACL does and why it is important. In
this topic, you will learn about creating ACLs.
All access control lists (ACLs) must be planned. However, this is especially true for ACLs
requiring multiple access control entries (ACEs).
When configuring a complex ACL, it is suggested that you:
Use a text editor and write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
These recommendations enable you to create the ACL thoughtfully without impacting
the traffic on the network.
8.3.2 Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
Use the no access-list access-list-number global configuration command to remove a
numbered standard ACL.
The table provides a detailed explanation of the syntax for a standard ACL.
Parameter    Description

access-list-number
    This is the decimal number of the ACL. Standard ACL number range is 1 to 99 or
    1300 to 1999.
deny
    This denies access if the condition is matched.
permit
    This permits access if the condition is matched.
remark text
    (Optional) This adds a text entry for documentation purposes. Remarks are
    extremely useful, especially in longer or more complex ACLs. Each remark is
    limited to 100 characters.
source
    This identifies the source network or host address to filter. Use the any
    keyword to specify all networks. Use the host ip-address keyword or simply enter
    an ip-address (without the host keyword) to identify a specific IP address.
source-wildcard
    (Optional) This is a 32-bit wildcard mask that is applied to the source. If
    omitted, a default 0.0.0.0 mask is assumed.
log
    (Optional) This keyword generates an informational message whenever the ACE is
    matched. The message includes ACL number, matched condition (i.e., permitted or
    denied), source address, and number of packets. This message is generated for
    the first matched packet. Unfortunately, ACL logging can be CPU intensive and
    can negatively affect other functions; therefore, it should only be implemented
    for troubleshooting or security reasons.
8.3.3 Named Standard IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named standard
ACL, use the following global configuration command:
Router(config)# ip access-list standard access-list-name
This command enters the named standard configuration mode where you configure
the ACL ACEs.
ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL
names is not required but makes them stand out when viewing the running-config
output. It also makes it less likely that you will accidentally create two different ACLs
with the same name but with different uses of capitalization.
Note: Use the no ip access-list standard access-list-name global configuration
command to remove a named standard IPv4 ACL.
In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that
the prompt changes to named standard ACL configuration mode. ACE statements are
entered in the named standard ACL subconfiguration mode. Use the help facility to
view all the named standard ACL ACE options.
The deny, permit, and remark options are configured in the same way as for a
numbered standard ACL. Unlike the numbered ACL method, there is no need to repeat
the initial ip access-list command for each ACE.
R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# ?
Standard Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
R1(config-std-nacl)#
8.3.4 Numbered Extended IPv4 ACL Syntax
The procedural steps for configuring extended ACLs are the same as for standard ACLs.
The extended ACL is first configured, and then it is activated on an interface. However,
the command syntax and parameters are more complex to support the additional
features provided by extended ACLs.
To create a numbered extended ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]
Use the no access-list access-list-number global configuration command to remove an
extended ACL.
Although there are many keywords and parameters for extended ACLs, it is not
necessary to use all of them when configuring an extended ACL. The table provides a
detailed explanation of the syntax for an extended ACL.
Parameter    Description

access-list-number
    This is the decimal number of the ACL. Extended ACL number range is 100 to 199
    and 2000 to 2699.
deny
    This denies access if the condition is matched.
permit
    This permits access if the condition is matched.
remark text
    (Optional) Adds a text entry for documentation purposes. Each remark is limited
    to 100 characters.
protocol
    Name or number of an internet protocol. Common keywords include ip, tcp, udp,
    and icmp. The ip keyword matches all IP protocols.
source
    This identifies the source network or host address to filter. Use the any
    keyword to specify all networks. Use the host ip-address keyword or simply enter
    an ip-address (without the host keyword) to identify a specific IP address.
source-wildcard
    (Optional) A 32-bit wildcard mask that is applied to the source.
destination
    This identifies the destination network or host address to filter. Use the any
    keyword to specify all networks. Use the host ip-address keyword or ip-address.
destination-wildcard
    (Optional) This is a 32-bit wildcard mask that is applied to the destination.
operator
    (Optional) This compares source or destination ports. Some operators include lt
    (less than), gt (greater than), eq (equal), and neq (not equal).
port
    (Optional) The decimal number or name of a TCP or UDP port.
established
    (Optional) For the TCP protocol only. This is a 1st generation firewall feature.
log
    (Optional) This keyword generates and sends an informational message whenever
    the ACE is matched. This message includes ACL number, matched condition (i.e.,
    permitted or denied), source address, and number of packets. This message is
    generated for the first matched packet. This keyword should only be implemented
    for troubleshooting or security reasons.
The command to apply an extended IPv4 ACL to an interface is the same as the
command used for standard IPv4 ACLs.
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
To remove an ACL from an interface, first enter the no ip access-group interface
configuration command. To remove the ACL from the router, use the no access-
list global configuration command.
Note: The internal logic applied to the ordering of standard ACL statements does not
apply to extended ACLs. The order in which the statements are entered during
configuration is the order they are displayed and processed.
8.3.5 Protocols and Port Numbers
Extended ACLs can filter on many different types of internet protocols and ports. The
protocol options and the port keyword options on which extended ACLs can filter are
described below.
Protocol Options
The most commonly used protocol keywords are ip, tcp, udp, and icmp.
Note: Use the ? to get help when entering a complex ACE.
Note: If an internet protocol is not listed, then its IP protocol number can be
specified instead. For instance, ICMP is protocol number 1, TCP is 6, and UDP is 17.
R1(config)# access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
dvmrp dvmrp
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config)# access-list 100 permit
Port Keyword Options
Selecting a protocol influences the port options that are offered. For instance,
selecting the:
tcp protocol provides TCP related port options
udp protocol provides UDP specific port options
icmp protocol provides ICMP related options (i.e., ICMP message types)
Notice how many TCP port options are available; only a few of them are commonly used
in ACEs.
Port names or numbers can be specified. However, port names make it easier to
understand the purpose of an ACE. Notice that some common port names (e.g., SSH
and HTTPS) are not listed. For these protocols, the port number must be specified.
R1(config)# access-list 100 permit tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name System (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
msrpc MS Remote Procedure Call (135)
nntp Network News Transport Protocol (119)
onep-plain Onep Cleartext (15001)
onep-tls Onep TLS (15002)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
8.3.6 Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options. This
example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses
the www port name. The second ACE uses the port number 80. Both ACEs achieve
exactly the same result.
R1(config)# access-list 100 permit tcp any any eq www
R1(config)# !or...
R1(config)# access-list 100 permit tcp any any eq 80
Configuring the port number is required when no port name is listed for the protocol,
such as for SSH (port number 22) or HTTPS (port number 443), as shown in the next
example.
R1(config)# access-list 100 permit tcp any any eq 22
R1(config)# access-list 100 permit tcp any any eq 443
R1(config)#
8.3.7 TCP Established Extended ACL
An extended ACL can also perform basic stateful firewall services for TCP using the
established keyword. The keyword enables inside traffic to exit the inside private
network and permits the returning reply traffic to enter the inside private network, as
shown in the figure.
In the example, ACL 120 is configured to only permit returning web traffic to the inside
hosts. The new ACL is then applied outbound on the R1 G0/0/0 interface. The show
access-lists command displays both ACLs. Notice from the match statistics that inside
hosts have been accessing the secure web resources from the internet.
R1(config)# access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 120 out
R1(config-if)# end
R1# show access-lists
Extended IP access list 110
10 permit tcp 192.168.10.0 0.0.0.255 any eq www
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (657 matches)
Extended IP access list 120
10 permit tcp any 192.168.10.0 0.0.0.255 established (1166 matches)
R1#
Notice that the permit secure HTTPS counters (i.e., eq 443) in ACL 110 and the return
established counters in ACL 120 have increased.
The established parameter allows only responses to traffic that originates from the
192.168.10.0/24 network to return to that network. Specifically, a match occurs if the
returning TCP segment has the ACK or reset (RST) flag bits set, which indicates that
the packet belongs to an existing connection. Without the established parameter in the
ACL statement, inside clients could still send traffic to a web server and receive the
traffic returning from it, but all other TCP traffic from the internet to the inside
network would be permitted as well.
8.3.8 Named Extended IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named extended
ACL, use the following global configuration command:
Router(config)# ip access-list extended access-list-name
This command enters the named extended configuration mode. Recall that ACL names
are alphanumeric, case sensitive, and must be unique.
In the example, a named extended ACL called NO-FTP-ACCESS is created and the
prompt changes to named extended ACL configuration mode. ACE statements are
entered in the named extended ACL subconfiguration mode.
R1(config)# ip access-list extended NO-FTP-ACCESS
R1(config-ext-nacl)#
8.3.9 Named Extended IPv4 ACL Example
Named extended ACLs are created in essentially the same way that named standard
ACLs are created.
The topology in the figure is used to demonstrate configuring and applying two named
extended IPv4 ACLs to an interface:
SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
BROWSING - This will only permit returning web traffic to the inside hosts while all
other traffic exiting the R1 G0/0/0 interface is implicitly denied.
The example shows the configuration for the inbound SURFING ACL and the outbound
BROWSING ACL.
The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1
interface connected to the internet. Web traffic returning from the internet is
permitted back into the inside private network by the BROWSING ACL.
The SURFING ACL is applied inbound and the BROWSING ACL applied outbound on the
R1 G0/0/0 interface, as shown in the output.
Inside hosts have been accessing the secure web resources from the internet. The
show access-lists command is used to verify the ACL statistics. Notice that the permit
secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return established
counters in the BROWSING ACL have increased.
R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# Remark Permits inside HTTP and HTTPS traffic
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# exit
R1(config)#
R1(config)# ip access-list extended BROWSING
R1(config-ext-nacl)# Remark Only permit returning HTTP and HTTPS traffic
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# exit
R1(config)# interface g0/0/0
R1(config-if)# ip access-group SURFING in
R1(config-if)# ip access-group BROWSING out
R1(config-if)# end
R1# show access-lists
Extended IP access list SURFING
10 permit tcp 192.168.10.0 0.0.0.255 any eq www
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (124 matches)
Extended IP access list BROWSING
10 permit tcp any 192.168.10.0 0.0.0.255 established (369 matches)
R1#
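As an added example (not course code), this Python models how the SURFING and BROWSING ACLs above are evaluated against constructed packets, including the established check of 8.3.7: an inside HTTPS request, the server's reply with ACK set, and an unsolicited connection attempt from the internet (SYN only, no ACK). Class and function names are mine, and the outside addresses 203.0.113.5 and 198.51.100.7 are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExtAce:
    """One extended ACE: sequence number, action, protocol, source and
    destination with wildcards, optional 'eq' destination port, the established
    flag, and the match counter that show access-lists displays."""
    seq: int
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None  # destination 'eq <port>'; None = any port
    established: bool = False       # TCP only: ACK or RST must be set
    matches: int = 0


@dataclass
class Packet:
    """The header fields an extended ACL inspects (constructed, not captured)."""
    protocol: str
    src: str
    dst: str
    dst_port: int
    ack: bool = False
    rst: bool = False


def addr_matches(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match, bit 1 = ignore (section 8.2)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    return ((a ^ b) & ~w) == 0


def ace_matches(pkt: Packet, ace: ExtAce) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not addr_matches(pkt.src, ace.src, ace.src_wild):
        return False
    if not addr_matches(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    # established accepts only segments with ACK or RST set, i.e. replies to a
    # connection opened from inside; a bare SYN arriving from outside fails here.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(pkt: Packet, acl: list) -> str:
    """Process ACEs in configured order, count the hit on the first match, and
    apply the implicit deny at the end of every ACL when nothing matches."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(pkt, ace):
            ace.matches += 1
            return ace.action
    return "deny"


INSIDE, INSIDE_WILD = "192.168.10.0", "0.0.0.255"
ANY, ANY_WILD = "0.0.0.0", "255.255.255.255"


def build_acls() -> tuple:
    """SURFING (applied inbound on G0/0/0) and BROWSING (applied outbound),
    as configured in the example above; fresh copies so counters start at 0."""
    surfing = [
        ExtAce(10, "permit", "tcp", INSIDE, INSIDE_WILD, ANY, ANY_WILD, dst_port=80),
        ExtAce(20, "permit", "tcp", INSIDE, INSIDE_WILD, ANY, ANY_WILD, dst_port=443),
    ]
    browsing = [
        ExtAce(10, "permit", "tcp", ANY, ANY_WILD, INSIDE, INSIDE_WILD, established=True),
    ]
    return surfing, browsing


def run_sample() -> dict:
    """Constructed traffic: an inside HTTPS request, the server's reply with ACK
    set, and an unsolicited connection attempt from the internet (SYN only).
    Returns the verdicts and the per-ACE counters, like show access-lists."""
    surfing, browsing = build_acls()
    request = Packet("tcp", "192.168.10.10", "203.0.113.5", 443)
    reply = Packet("tcp", "203.0.113.5", "192.168.10.10", 49152, ack=True)
    unsolicited = Packet("tcp", "198.51.100.7", "192.168.10.10", 80)
    return {
        "request": evaluate(request, surfing),
        "reply": evaluate(reply, browsing),
        "unsolicited": evaluate(unsolicited, browsing),
        "surfing_matches": {a.seq: a.matches for a in surfing},
        "browsing_matches": {a.seq: a.matches for a in browsing},
    }
```

Calling run_sample() shows the request hitting SURFING ACE 20, the ACK reply hitting BROWSING ACE 10, and the unsolicited SYN falling through to the implicit deny.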
8.4 Modify ACLs
8.4.1 Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be
complex to configure. Sometimes the configured ACE does not yield the expected
behaviors. For these reasons, ACLs may initially require a bit of trial and error to
achieve the desired filtering result.
This section will discuss two methods to use when modifying an ACL:
Use a Text Editor
Use Sequence Numbers
8.4.2 Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface. It also
simplifies editing and fixing an ACL.
For example, assume ACL 1 was entered incorrectly using 19 instead of 192 for the first
octet, as shown in the running configuration.
R1# show run | section access-list
access-list 1 deny 19.168.10.10
access-list 1 permit 192.168.10.0 0.0.0.255
R1#
In the example, the first ACE should have been to deny the host at 192.168.10.10.
However, the ACE was incorrectly entered.
To correct the error:
Copy the ACL from the running configuration and paste it into the text editor.
Make the necessary changes.
Remove the previously configured ACL on the router. Otherwise, pasting the edited
ACL commands will only append (i.e., add) to the existing ACL ACEs on the router.
Copy and paste the edited ACL back to the router.
Assume that ACL 1 has now been corrected. Therefore, the incorrect ACL must be
deleted, and the corrected ACL 1 statements must be pasted in global configuration
mode, as shown in the output.
R1(config)# no access-list 1
R1(config)#
R1(config)# access-list 1 deny 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#
8.4.3 Sequence Number Method
An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence
numbers are automatically assigned when an ACE is entered. These numbers are listed
in the show access-lists command. The show running-config command does not
display sequence numbers.
In the previous example, the incorrect ACE for ACL 1 is using sequence number 10, as
shown in the example.
R1# show access-lists
Standard IP access list 1
10 deny 19.168.10.10
20 permit 192.168.10.0, wildcard bits 0.0.0.255
R1#
Use the ip access-list standard command to edit an ACL. Statements cannot be
overwritten using the same sequence number as an existing statement. Therefore, the
current statement must first be deleted with the no 10 command. Then the correct
ACE can be added using sequence number 10. Verify the changes using
the show access-lists command, as shown in the example.
R1# conf t
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 10
R1(config-std-nacl)# 10 deny host 192.168.10.10
R1(config-std-nacl)# end
R1# show access-lists
Standard IP access list 1
10 deny 192.168.10.10
20 permit 192.168.10.0, wildcard bits 0.0.0.255
R1#
8.4.4 Syntax Checker - Modify IPv4 ACLs
Modify an ACL using sequence numbers.
Use the show access-lists command to verify the configured ACLs.
R1#show access-lists
Standard IP access list 1
10 deny 19.168.10.10
20 permit 192.168.10.0, wildcard bits 0.0.0.255
You notice that ACE 10 is incorrect and needs to be edited. Enter global configuration
mode and use the ip access-list standard command for ACL 1.
R1#configure terminal
R1(config)#ip access-list standard 1
An incorrect ACE must be deleted and then re-entered. Remove the ACE with
sequence number 10.
R1(config-std-nacl)#no 10
Next, re-enter the correct ACE using sequence number 10 to deny the host with the
IP address 192.168.10.10 access outside of LAN 1 and return to privileged EXEC mode
using the end command.
R1(config-std-nacl)#10 deny host 192.168.10.10
R1(config-std-nacl)#end
Verify the new entry using the show access-lists command.
R1#show access-lists
Standard IP access list 1
10 deny 192.168.10.10
20 permit 192.168.10.0, wildcard bits 0.0.0.255
You have successfully modified an IPv4 numbered ACL on R1.
Named Extended ACL Example (figure): the figure shows two named extended ACLs. The
SURFING ACL is applied to inbound traffic and the BROWSING ACL is applied to
outbound traffic.
Enabling the log parameter on a Cisco router or switch seriously affects the
performance of that device. The log parameter should only be used when the network
is under attack, and an administrator is trying to determine who the attacker is.
Applying ACLs to interfaces and lines is just one of their many possible uses. ACLs are
also an integral part of other security configurations, such as network address
translation (NAT), zone-based firewalls, and virtual private networks.
R1(config)# ip access-list standard VTY_ACCESS
R1(config-std-nacl)# permit 192.168.10.10 log
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# access-class VTY_ACCESS in
R1(config-line)# end
R1#
R1# !The administrator accesses the vty lines from 192.168.10.10
R1#
*Feb 26 18:58:30.579: %SEC-6-IPACCESSLOGNP: list VTY_ACCESS permitted 0 192.168.10.10 -> 0.0.0.0, 5 packets
R1# show access-lists
Standard IP access list VTY_ACCESS
10 permit 192.168.10.10 log (6 matches)
20 deny any
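As an added example (not course code), this Python parses %SEC-6-IPACCESSLOGNP and %SEC-6-IPACCESSLOGP messages like the one above and totals denied packets per ACL and source address, which is what an administrator reviews once the log keyword has been enabled for troubleshooting. The first sample line is the page's; the remaining lines are constructed and assume a deny ACE configured with the log keyword, and the meaning of the numeric field after the action (taken here as the protocol) is an assumption.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Shape of the IOS ACL log messages: IPACCESSLOGNP for protocols without ports
# (as in the VTY_ACCESS output above) and IPACCESSLOGP for TCP/UDP, where the
# addresses carry the port in parentheses. The field after the action is taken
# to be the protocol name or number (assumption; it reads 0 on the page).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)


class AclHit(NamedTuple):
    acl: str
    action: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int]
    packets: int


def parse_acl_log(line: str) -> Optional[AclHit]:
    """Return the parsed hit, or None for syslog lines that are not ACL logs."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return AclHit(m["acl"], m["action"], m["proto"], m["src"], m["dst"], dport, int(m["count"]))


def denied_packets_by_source(lines) -> dict:
    """Total denied packets per ACL and source address. IOS logs the first
    matched packet and later summaries carrying a packet count, so the counts
    are summed rather than the lines counted."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = parse_acl_log(line)
        if hit is not None and hit.action == "denied":
            totals[hit.acl][hit.src] += hit.packets
    return {acl: dict(sources) for acl, sources in totals.items()}


# Sample syslog: the first line is the one shown on the page; the rest are
# constructed and assume a 'deny ... log' ACE exists in each ACL named.
SAMPLE_LOG = [
    "*Feb 26 18:58:30.579: %SEC-6-IPACCESSLOGNP: list VTY_ACCESS permitted 0 192.168.10.10 -> 0.0.0.0, 5 packets",
    "*Feb 26 19:02:11.004: %SEC-6-IPACCESSLOGNP: list VTY_ACCESS denied 0 192.168.20.7 -> 0.0.0.0, 1 packet",
    "*Feb 26 19:07:11.210: %SEC-6-IPACCESSLOGNP: list VTY_ACCESS denied 0 192.168.20.7 -> 0.0.0.0, 4 packets",
    "*Feb 26 19:09:45.331: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.23(51000) -> 203.0.113.9(22), 1 packet",
    "*Feb 26 19:10:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for acl, sources in denied_packets_by_source(SAMPLE_LOG).items():
        for src, count in sources.items():
            print(f"{acl}: {count} packets denied from {src}")
```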
To remove an ACL from an interface, first enter the no ip access-group interface
configuration command. However, the ACL will still be configured on the router. To
remove the ACL from the router, use the no access-list global configuration command.
8.5.3 Where to Place ACLs
Every ACL should be placed where it is the most efficient.
The figure illustrates where standard and extended ACLs should be located in an
enterprise network. Assume the objective is to prevent traffic that originates in the
192.168.10.0/24 network from reaching the 192.168.30.0/24 network.
Extended ACLs should be located as close as possible to the source of the traffic to be
filtered. This way, undesirable traffic is denied close to the source network without
crossing the network infrastructure.
Standard ACLs should be located as close to the destination as possible. If a standard
ACL was placed at the source of the traffic, the "permit" or "deny" will occur based on
the given source address no matter where the traffic is destined.
Placement of the ACL and therefore, the type of ACL used, may also depend on a
variety of factors as listed in the table.
Factors Influencing ACL Placement    Explanation

The extent of organizational control
    Placement of the ACL can depend on whether or not the organization has control
    of both the source and destination networks.
Bandwidth of the networks involved
    It may be desirable to filter unwanted traffic at the source to prevent
    transmission of bandwidth-consuming traffic. It may be easier to implement an
    ACL at the destination, but traffic will use bandwidth unnecessarily.
Ease of configuration
    An extended ACL could be used on each router where the traffic originated. This
    would save bandwidth by filtering the traffic at the source, but it would
    require creating extended ACLs on multiple routers.
8.5.4 Standard ACL Placement Example
Following the guidelines for ACL placement, standard ACLs should be located as close
to the destination as possible.
In the figure, the administrator wants to prevent traffic originating in the
192.168.10.0/24 network from reaching the 192.168.30.0/24 network.
Following the basic placement guidelines, the administrator would place a standard
ACL on router R3. There are two possible interfaces on R3 to apply the standard ACL:
R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the
R3 S0/1/1 interface to deny traffic from the .10 network. However, it would also
filter .10 traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore,
the standard ACL should not be applied to this interface.
R3 G0/0/0 interface (outbound) - The standard ACL can be applied outbound on
the R3 G0/0/0 interface. This will not affect other networks that are reachable by
R3. Packets from the .10 network will still be able to reach the .31 network. This is
the best interface on which to place the standard ACL to meet the traffic requirements.
8.5.5 Packet Tracer - Configure Named Standard IPv4 ACLs
The senior network administrator has asked you to create a named standard ACL to
prevent access to a file server. All clients from one network and one specific
workstation from a different network should be denied access.
There are several ways to accomplish these goals. An extended ACL on R3 would
accomplish the task, but the administrator does not control R3. In addition, this
solution allows unwanted traffic to cross the entire network, only to be blocked at the
destination. This affects overall network efficiency.
The solution is to place an extended ACL on R1 that specifies both source and
destination addresses.
There are two possible interfaces on R1 to apply the extended ACL:
R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on
the S0/1/0 interface. However, this solution will process all packets leaving R1
including packets from 192.168.10.0/24.
R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on the
G0/0/1 so that only packets from the 192.168.11.0/24 network are subject to ACL
processing on R1. Because the filter is to be limited to only those packets leaving
the 192.168.11.0/24 network, applying the extended ACL to G0/0/1 is the best
solution.
8.5.8 Check Your Understanding - Guidelines for ACL Placement
Check your understanding of the types of IPv4 ACLs by choosing the BEST answer to
the following questions.
Question 1
Which ACL is capable of filtering based on TCP port number?
Extended ACL
Standard ACL
Question 2
Which statement about ACLs is true?
Extended ACLs are numbered 1300 - 2699.
Named ACLs can be standard or extended.
Numbered ACLs are the preferred method to use when configuring ACLs.
Standard ACLs are numbered 1 - 199.
Question 3
Where should a standard ACL be placed?
Standard ACL location is not important.
Standard ACLs should be placed as close to the destination as possible.
Standard ACLs should be placed as close to the source as possible.
Standard ACLs should be placed on serial interfaces.
Question 4
Where should an extended ACL be placed?
Extended ACL location is not important.
Extended ACLs should be located as close to the destination as possible.
Extended ACLs should be located as close to the source as possible.
Extended ACLs should be located on serial interfaces.
8.5.9 Check Your Understanding - Configure Standard ACLs
Use this network topology diagram to answer the three scenarios.
Scenario 1
Refer to the network topology diagram as needed to complete this scenario. Select the
commands in the drop-down lists that are provided. Configure the router to achieve
the ACL goal by putting the commands in the correct order to control entry into the
192.168.1.0 LAN. The 192.168.3.77 host should not be able to access this LAN, but all
other hosts on the 192.168.3.0 network, and then the 192.168.4.0 network, should be
permitted access. Click the Scenario 2 button to continue this activity.
Scenario 2
Refer to the network topology diagram as needed to complete this scenario. Select the
commands in the drop-down lists that are provided. Configure the router to achieve
the ACL goal by putting the commands in the correct order to control access to host
192.168.4.12. Both the 192.168.1.66 host and all hosts in the 192.168.2.0 LAN should
be permitted access to this host. All other networks should not be able to access the
192.168.4.12 host. Click the Scenario 3 button to continue this activity.
Scenario 3
Refer to the network topology diagram as needed to complete this scenario. Select the
commands in the drop-down lists that are provided. Configure the router to achieve
the ACL goal by putting the commands in the correct order to control access to both
the 192.168.3.0 and 192.168.4.0 LANs. All hosts in the 192.168.1.0 LAN should be
permitted access to these two networks. The 192.168.2.0 network should not have
access to these networks.
Create a numbered ACL statement that will allow only host 10.1.3.8 on the 10.1.3.0/24
network to reach destinations beyond that network. The ACL is applied to R1 G0/0
inbound.
Create an extended ACL based on the requirements and the topology shown. Select
the ACL statement components from the drop-down lists so that, when read from left
to right, you have created a valid ACL for the scenario. Some components will not be
used.
8.5.11 Check Your Understanding - Evaluate Extended ACLs
Click the Scenario 1, Scenario 2, and Scenario 3 buttons to complete the activity.
Refer to the image below to review the topology at any time.
Scenario 1
Refer to the topology in the above figure. This scenario provides the extended ACL 103
and the source and destination combinations in the table. Based on this information,
determine whether packets will be permitted or denied. Select Permit or Deny in the
dropdown next to each source and destination combination. Click Scenario 2 to
continue.
Scenario 2
Refer to the topology in the above figure. This scenario provides the extended ACL 104
and the source and destination combinations in the table. Based on this information,
determine whether packets will be permitted or denied. Drag Permit or Deny to the
field next to each source and destination combination. Click Scenario 3 to continue.
Part 1: Configure, Apply, and Verify an Extended Numbered IPv4 ACL
Part 2: Configure, Apply, and Verify an Extended Named IPv4 ACL
Refer to the topology in the above figure. This scenario provides the extended ACL 105
and the source and destination combinations in the table. Based on this information,
determine whether packets will be permitted or denied. Drag Permit or Deny to the
field next to each source and destination combination.
with a different source IP address. Attackers can hide their identity by spoofing the
source IP address.
There are many well-known classes of IP addresses that should never be seen as
source IP addresses for traffic entering an organization’s network. For example, in the
figure the S0/0/0 interface is attached to the internet and should never accept inbound
packets from the following addresses:
All zeros addresses
Broadcast addresses
Local host addresses (127.0.0.0/8)
Automatic Private IP Addressing (APIPA) addresses (169.254.0.0/16)
Reserved private addresses (RFC 1918)
IP multicast address range (224.0.0.0/4)
The 192.168.1.0/24 network is attached to the R1 G0/0 interface. This interface should
only allow inbound packets with a source address from that network. The ACL for G0/0
shown in the figure will only permit inbound packets from the 192.168.1.0/24
network. All others will be discarded.
Inbound on S0/0/0:
R1(config)# access-list 150 deny ip host 0.0.0.0 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any
Inbound on G0/0:
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
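As an added example (not course code), the Python below models how the router walks an IPv4 ACL top-down and matches source addresses with wildcard masks, then runs the ACL 150 lines above against constructed sample source addresses; it also implements the wildcard-from-subnet-mask shortcut. The sample addresses and the appended permit statement are assumptions for illustration.

```python
# Added example (not Cisco course code): first-match ACL evaluation with wildcard
# masks, applied to the anti-spoofing ACL 150 shown for S0/0/0 inbound.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ACL 150 exactly as listed on the page. Note it contains only deny ACEs: with the
# implicit deny at the end, every packet would be dropped, so a final
# "permit ip any any" is appended below (an assumption) to make it a usable filter.
ACL_150_TEXT = """\
access-list 150 deny ip host 0.0.0.0 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
"""


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Shortcut from the text: wildcard mask = 255.255.255.255 minus the subnet mask."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - subnet_mask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore (the reverse of a subnet mask)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class ACE:
    action: str    # "permit" or "deny"
    base: str      # source address to compare against
    wildcard: str  # source wildcard mask


def parse_ace(line: str) -> ACE:
    """Parse the subset used on this page: 'access-list N <action> ip <source> any'."""
    tokens = line.split()
    action, source = tokens[2], tokens[4:]
    if source[0] == "host":   # host X is shorthand for X 0.0.0.0
        return ACE(action, source[1], "0.0.0.0")
    if source[0] == "any":    # any is shorthand for 0.0.0.0 255.255.255.255
        return ACE(action, "0.0.0.0", "255.255.255.255")
    return ACE(action, source[0], source[1])


def build_acl(text: str) -> List[ACE]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[ACE], src: str) -> str:
    """The first matching ACE wins; if nothing matches, the implicit deny applies."""
    for ace in acl:
        if wildcard_match(src, ace.base, ace.wildcard):
            return ace.action
    return "deny"


# Constructed sample sources arriving inbound on the internet-facing interface.
SAMPLE_SOURCES = ["203.0.113.5", "10.1.1.1", "192.168.1.5", "224.0.0.1", "169.254.1.1"]


def anti_spoofing_results(acl_text: str = ACL_150_TEXT) -> Dict[str, Tuple[str, str]]:
    """Evaluate the ACL as listed and with 'permit ip any any' appended."""
    as_listed = build_acl(acl_text)
    with_permit = build_acl(acl_text + "access-list 150 permit ip any any\n")
    return {src: (evaluate(as_listed, src), evaluate(with_permit, src)) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for src, (listed, fixed) in anti_spoofing_results().items():
        print(f"{src:15} as listed: {listed:6} with final permit: {fixed}")
    # APIPA (169.254.0.0/16) is in the prose list above but has no ACE in ACL 150,
    # so it slips through once a final permit exists; its wildcard mask would be:
    print("169.254.0.0", wildcard_from_prefix(16))
```

Running it shows that the listed ACEs alone deny every source, while with the final permit the legitimate 203.0.113.5 passes and the RFC 1918, loopback and multicast samples are dropped.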
8.6.2 Permit Necessary Traffic through a Firewall
An effective strategy for mitigating attacks is to explicitly permit only certain types of
traffic through a firewall. For example, Domain Name System (DNS), Simple Mail
Transfer Protocol (SMTP), and File Transfer Protocol (FTP) are services that often must
be allowed through a firewall. It is also common to configure a firewall so that it
permits administrators remote access through the firewall. Secure Shell (SSH), syslog,
and Simple Network Management Protocol (SNMP) are examples of services that a
router may need to include. While many of these services are useful, they should be
controlled and monitored. Exploitation of these services leads to security
vulnerabilities.
Inbound on Serial 0/0/0
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap
8.6.3 Mitigate ICMP Attacks
Hackers can use Internet Control Message Protocol (ICMP) echo packets (pings) to
discover subnets and hosts on a protected network and to generate DoS flood attacks.
Hackers can use ICMP redirect messages to alter host routing tables. Both ICMP echo
and redirect messages should be blocked inbound by the router.
Several ICMP messages are recommended for proper network operation and should
be allowed into the internal network:
Echo reply - Allows users to ping external hosts.
Source quench - Requests that the sender decrease the traffic rate of messages.
Unreachable - Generated for packets that are administratively denied by an ACL.
Several ICMP messages are required for proper network operation and should be
allowed to exit the network:
Echo - Allows users to ping external hosts.
Parameter problem - Informs the host of packet header problems.
Packet too big - Enables packet maximum transmission unit (MTU) discovery.
Source quench - Throttles down traffic when necessary.
As a rule, block all other ICMP message types outbound.
ACLs are used to block IP address spoofing, selectively permit specific services through
a firewall, and to allow only required ICMP messages. The figure shows a sample
topology and possible ACL configurations to permit specific ICMP services on the G0/0
and S0/0/0 interfaces.
Inbound on S0/0/0:
R1(config)# access-list 112 permit icmp any any echo-reply
R1(config)# access-list 112 permit icmp any any source-quench
R1(config)# access-list 112 permit icmp any any unreachable
R1(config)# access-list 112 deny icmp any any
R1(config)# access-list 112 permit ip any any
Inbound on G0/0:
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)# access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
R1(config)# access-list 114 deny icmp any any
R1(config)# access-list 114 permit ip any any
8.6.4 Mitigate SNMP Attacks
Management protocols, such as SNMP, are useful for remote monitoring and
management of networked devices. However, they can still be exploited. If SNMP is
necessary, exploitation of SNMP vulnerabilities can be mitigated by applying interface
ACLs to filter SNMP packets from non-authorized systems. An exploit may still be
possible if the SNMP packet is sourced from an address that has been spoofed and is
permitted by the ACL.
These security measures are helpful, but the most effective means of exploitation
prevention is to disable the SNMP server on IOS devices for which it is not required. As
shown in the figure, use the command no snmp-server to disable SNMP services on
Cisco IOS devices.
Router(config)# no snmp-server
8.6.5 Packet Tracer - Configure IP ACLs to Mitigate Attacks
In this Packet Tracer, you will complete the following objectives:
Verify connectivity among devices before firewall configuration.
Use ACLs to ensure remote access to the routers is available from only
management station PC-C.
Configure ACLs on R1 and R3 to mitigate attacks.
Verify ACL functionality.
In recent years, many networks have begun the transition to an IPv6 environment. Part
of the need for the transition to IPv6 is because of the inherent weaknesses in IPv4.
Unfortunately, as the migration to IPv6 continues, IPv6 attacks are becoming more
pervasive. IPv4 will not disappear overnight. IPv4 will coexist with IPv6 and then
gradually be replaced by IPv6. This creates potential security holes. An example of a
security concern is threat actors leveraging IPv4 to exploit IPv6 in dual stack
environments. Dual stack is an integration method in which a device has connectivity
to both IPv4 and IPv6 networks. In a dual stack environment devices operate with two
IP protocol stacks.
Threat actors can accomplish stealth attacks that result in trust exploitation by using
dual-stacked hosts, rogue Neighbor Discovery Protocol (NDP) messages, and tunneling
techniques. Teredo tunneling, for example, is an IPv6 transition technology that
provides automatic IPv6 address assignment when IPv4/IPv6 hosts are located behind
IPv4 network address translation (NAT) devices. It accomplishes this by embedding the
IPv6 packets inside IPv4 UDP packets. The threat actor gains a foothold in the IPv4
network. The compromised host sends rogue router advertisements (RAs), which
triggers dual stacked hosts to obtain an IPv6 address. The threat actor can then use
this foothold to move around, or pivot, inside the network. The threat actor can
compromise additional hosts before sending traffic back out of the network, as shown
in the figure.
Sample IPv6 Exploit
list entry to specifically permit or deny traffic. The syntax shown is a simplified version
of the IPv6 ACE syntax. There are additional options. It should be clear from the
provided syntax that IPv6 ACLs are considerably more flexible than IPv4 ACLs.
Apply an IPv6 ACL to an interface with the ipv6 traffic-filter command.
Router(config)# ipv6 access-list access-list-name
Router(config-ipv6-acl)# {deny | permit} protocol
    {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
    {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]]
    [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
Parameter - Description
deny | permit - Specifies whether to deny or permit the packet.
protocol - Enter the name or number of an Internet protocol, or an integer representing an IPv6 protocol number.
source-ipv6-prefix/prefix-length, destination-ipv6-prefix/prefix-length - The source or destination IPv6 network or class of networks for which to set deny or permit conditions.
any - Enter any as an abbreviation for the IPv6 prefix ::/0. This matches all addresses.
host - For host source-ipv6-address or host destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions.
operator - (Optional) An operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.
port-number - (Optional) A decimal number or the name of a TCP or UDP port for filtering TCP or UDP, respectively.
dscp value - (Optional) Matches a differentiated services codepoint value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
fragments - (Optional) Matches non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the operator [port-number] arguments are not specified. When this keyword is used, it also matches when the first fragment does not have Layer 4 information.
log - (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
log-input - (Optional) Provides the same function as the log keyword, except that the logging message also includes the input interface.
sequence value - (Optional) Specifies the sequence number value for the access list statement. The acceptable range is from 1 to 4294967295.
time-range name - (Optional) Specifies the time range that applies to the permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
8.7.3 Configure IPv6 ACLs
An IPv6 ACL contains an implicit deny ipv6 any any. Each IPv6 ACL also contains implicit
permit rules to enable IPv6 neighbor discovery. The IPv6 Neighbor Discovery Protocol
(NDP) requires the use of the IPv6 network layer to send neighbor advertisements
(NAs) and neighbor solicitations (NSs). If an administrator configures the deny ipv6 any
any command without explicitly permitting neighbor discovery, then the NDP will be
disabled.
In the figure, R1 is permitting inbound traffic on G0/0 from the 2001:DB8:1:1::/64
network. NA and NS packets are explicitly permitted. Traffic sourced from any other
IPv6 address is explicitly denied. If the administrator only configured the first permit
statement, the ACL would have the same effect. However, it is a good practice to
document the implicit statements by explicitly configuring them.
Introduction to Access Control Lists
An ACL is a series of IOS commands that are used to filter packets based on
information found in the packet header. By default, a router does not have any ACLs
configured. An ACL uses a sequential list of permit or deny statements, known as ACEs.
The packet filtering process occurs when network traffic passes through an interface
configured with an ACL, and the router compares the information within the packet
against each ACE, in sequential order, to determine if the packet matches one of the
ACEs. Packet filtering can occur at Layer 3 or Layer 4. Cisco routers support Standard
ACLs and Extended ACLs. ACLs number 1 to 99, or 1300 to 1999 are standard ACLs
while ACLs number 100 to 199, or 2000 to 2699 are extended ACLs. Named ACLs are
the preferred method to use when configuring ACLs. The name provides information
about the purpose of the ACL. ACLs define the set of rules that give added control for
packets that enter inbound interfaces, packets that relay through the router, and
packets that exit outbound interfaces of the router.
Wildcard masking
An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to
examine for a match. Wildcard masks are also used by the OSPF routing protocol. A
wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify
which bits in an IPv4 address to match. However, they differ in the way they match
binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and
binary 0 is not a match, in a wildcard mask, the reverse is true. One shortcut method to
calculate wildcard masks is to subtract the subnet mask from 255.255.255.255. The
Cisco IOS provides two keywords, host and any, to simplify the most common uses of
wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE.
Configuring ACLs
When configuring a complex ACL, it is suggested that you use a text editor and write
out the specifics of the policy to be implemented, add the IOS configuration
commands to accomplish those tasks, include remarks to document the ACL, and copy
and paste the commands onto the device. Always thoroughly test an ACL to ensure
that it correctly applies the desired policy. To create a numbered standard ACL, use the
command access-list access-list-number {deny | permit | remark text} source [source-
wildcard] [log]. To create a named standard ACL, use the command ip access-list
standard access-list-name. ACL names are alphanumeric, case sensitive, and must be
unique. The procedural steps for configuring extended ACLs are the same as for
standard ACLs. The command to apply an extended IPv4 ACL to an interface is the
same as the command used for standard IPv4 ACLs: ip access-group {access-list-number |
access-list-name} {in | out}. Extended ACLs can filter on many different types of
internet protocols and ports. An extended ACL can also perform basic stateful firewall
services for TCP using the established keyword. The keyword enables inside traffic to exit the
inside private network and permits the returning reply traffic to enter the inside
private network.
Modifying ACLs
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface, and makes
editing the ACL simpler. An ACL ACE can also be deleted or added using the ACL
sequence numbers. Sequence numbers are automatically assigned when an ACE is
entered. These numbers are listed in the show access-lists command.
Implementing ACLs
When configuring and applying an ACL, be aware of the guidelines summarized in this
list:
Create an ACL globally and then apply it.
Ensure the last statement is an implicit deny any or deny ip any any.
Remember that statement order is important because ACLs are processed top-
down.
As soon as a statement is matched the ACL is exited.
Always filter from the most specific to the most generic. For example, deny a
specific host and then permit all other hosts.
Remember that only one ACL is allowed per interface, per protocol, per direction.
Remember that new statements for an existing ACL are added to the bottom of the
ACL by default.
Remember that router-generated packets are not filtered by outbound ACLs.
Place standard ACLs as close to the destination as possible.
Place extended ACLs as close to the source as possible.
Every ACL should be placed where it is the most efficient. Extended ACLs should be
located as close as possible to the source of the traffic to be filtered. Standard ACLs
should be located as close to the destination as possible. Factors influencing ACL
placement include the extent of organizational control, bandwidth of the networks
involved, and ease of configuration.
Mitigate Attacks with ACLs
ACLs can be used to mitigate many network threats, such as IP address spoofing and
DoS attacks. An effective strategy for mitigating attacks is to explicitly permit only
certain types of traffic through a firewall. Both ICMP echo and redirect messages
should be blocked inbound by the router. If SNMP is necessary, exploitation of SNMP
vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets from
non-authorized systems. Several ICMP messages are recommended for proper
network operation and should be allowed into the internal network including echo
reply, source quench, and unreachable. Several ICMP messages should be allowed to
exit the network including echo, parameter problem, packet too big, and source
quench. As a rule, block all other ICMP message types outbound.
IPv6 ACLs
IPv6 has several features that meet modern-day network requirements: IPsec, Mobile
IP, RSVP, and address scalability. Dual stack is an integration method in which a device
has connectivity to both IPv4 and IPv6 networks. In a dual stack environment devices
operate with two IP protocol stacks. Attackers can accomplish stealth attacks that
result in trust exploitation by using dual-stacked hosts, rogue NDP messages, and
tunneling techniques. To mitigate attacks against IPv6 infrastructures and protocols,
the strategy should include filtering at the edge using various techniques, such as IPv6
ACLs. The ACL functionality in IPv6 is similar to ACLs in IPv4. However, there is no
equivalent to IPv4 standard ACLs. In addition, all IPv6 ACLs must be configured with a
name. IPv6 ACLs allow filtering based on source and destination addresses that are
traveling inbound and outbound to a specific interface. They also support traffic
filtering based on IPv6 option headers and optional, upper-layer protocol type
information for finer granularity of control, similar to extended ACLs in IPv4.
8.8.2 Module - Access Control Lists Quiz
Question 1
In applying an ACL to a router interface, which traffic is designated as outbound?
Traffic that is coming from the source IP address into the router
Traffic that is leaving the router and going toward the destination host
Traffic that is going from the destination IP address into the router
Traffic for which the router can find no routing table entry
Question 2
What is the quickest way to remove a single ACE from a named ACL?
Use the no keyword and the sequence number of the ACE to be removed.
Use the no access-list command to remove the entire ACL, then recreate it without the
ACE.
Copy the ACL into a text editor, remove the ACE, then copy the ACL back into the
router.
Create a new ACL with a different number and apply the new ACL to the router
interface.
Question 3
Which ICMP message type should be stopped inbound?
Echo
Echo-reply
Unreachable
Source quench
Question 4
Which scenario would cause an ACL misconfiguration and deny all traffic?
Apply a standard ACL in the inbound direction.
Apply a named ACL to a VTY line.
Apply an ACL that has all deny ACE statements.
Apply a standard ACL using the ip access-group out command.
Question 5
Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow
hosts on the 2001:DB8:CAFE:10::/64 network to access remote web servers, except
for PC1. However, a user on PC1 can successfully access the web server PC2. Why is
this possible?
The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.
The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1.
The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1.
The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is
blocked.
Question 6
Multiple ACLs per protocol and per direction can be applied to an interface.
If an ACL contains no permit statements, all traffic is denied by default.
The most specific ACL statements should be entered first because of the top-down
sequential nature of ACLs.
Standard ACLs are placed closest to the source, whereas extended ACLs are placed
closest to the destination.
If a single ACL is to be applied to multiple interfaces, it must be configured with a
unique number for each interface.
Question 8
Refer to the exhibit. Which statement describes the function of the ACEs?
These ACEs allow for IPv6 neighbor discovery traffic.
These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing
to occur.
These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to
occur.
These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP
messages that are defined in object groups named nd-na and nd-ns.
Question 9
What wild card mask will match networks 172.16.0.0 through 172.19.0.0?
0.0.3.255
0.0.255.255
0.252.255.255
0.3.255.255
Question 10
What method is used to apply an IPv6 ACL to a router interface?
The use of the access-class command
The use of the ip access-group command
The use of the ipv6 traffic-filter command
The use of the ipv6 access-list command
Question 11
What type of ACL offers greater flexibility and control over network access?
Flexible
Named standard
Extended
Numbered standard
Question 12
Which operator is used in an ACL statement to match packets of a specific
application?
eq
lt
gt
established
Question 13
Which two keywords can be used in an access control list to replace a wildcard mask
or address and wildcard mask pair? (Choose two.)
most
host
all
any
some
gt
Question 14
Consider the following access list.
access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any
Which two actions are taken if the access list is placed inbound on a router Gigabit
Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.)
A Telnet or SSH session is allowed from any device on the 192.168.10.0 into the
router with this access list assigned.
Devices on the 192.168.10.0/24 network are allowed to reply to any ping requests.
Only Layer 3 connections are allowed to be made from the router to any other
network device.
Only the network device assigned the IP address 192.168.10.1 is allowed to access the
router.
Devices on the 192.168.10.0/24 network can successfully ping devices on the
192.168.11.0 network.
Module 9: Firewall Technologies
9.0 Introduction
9.0.1 Why Should I Take this Module?
With the many threats to network security, how can networks be designed to protect
data resources and ensure that network services are provided as required? The
network security infrastructure defines the way in which devices are connected
together to achieve end-to-end secure communications. Just as there are many sizes of
networks, there are also many ways to build a secure network infrastructure.
However, there are standard designs that the network industry recommends for
achieving networks that are available and secure. This chapter covers the basic ways
that firewalls can be used to create a network security architecture.
9.0.2 What Will I Learn in this Module?
Module Title: Firewall Technologies
Module Objective: Explain how firewalls are implemented to provide network security.
Topic Title - Topic Objective
Secure Networks with Firewalls - Explain how firewalls are used to help secure networks.
Firewalls in Network Design - Explain design considerations for implementing firewall technologies.
9.1 Secure Networks with Firewalls
9.1.1 Firewalls
A firewall is a system, or group of systems, that enforces an access control policy
between networks.
Play the animation in the figure to view a firewall in operation.
Firewall Operation
All firewalls share some common properties:
Firewalls are resistant to network attacks.
Firewalls are the only transit point between internal corporate networks and
external networks because all traffic flows through the firewall.
Firewalls enforce the access control policy.
Firewall Benefits
There are several benefits of using a firewall in a network:
They prevent the exposure of sensitive hosts, resources, and applications to
untrusted users.
They sanitize protocol flow, which prevents the exploitation of protocol flaws.
They block malicious data from servers and clients.
They reduce security management complexity by off-loading most of the network
access control to a few firewalls in the network.
Firewall Limitations
Firewalls also have some limitations:
A misconfigured firewall can have serious consequences for the network, such as
becoming a single point of failure.
The data from many applications cannot be passed over firewalls securely.
Users might proactively search for ways around the firewall to receive blocked
material, which exposes the network to potential attack.
Network performance can slow down.
Unauthorized traffic can be tunneled or hidden as legitimate traffic through the
firewall.
9.1.2 Types of Firewalls
It is important to understand the different types of firewalls and their specific
capabilities so that the right firewall is used for each situation.
Packet Filtering (Stateless) Firewall
Packet filtering firewalls are usually part of a router firewall, which permits or denies
traffic based on Layer 3 and Layer 4 information. They are stateless firewalls that use a
simple policy table look-up that filters traffic based on specific criteria.
For example, SMTP servers listen to port 25 by default. An administrator can configure
the packet filtering firewall to block port 25 from a specific workstation to prevent it
from broadcasting an email virus.
Stateful Firewall
Stateful firewalls are the most versatile and the most common firewall technologies in
use. Stateful firewalls provide stateful packet filtering by using connection information
maintained in a state table. Stateful filtering is a firewall architecture that is classified
at the network layer. It also analyzes traffic at OSI Layer 4 and Layer 5.
Next Generation Firewall
Next-generation firewalls (NGFW) go beyond stateful firewalls by providing:
Integrated intrusion prevention
Application awareness and control to see and block risky apps
Upgrade paths to include future information feeds
Techniques to address evolving security threats
Which type of firewall filters information at Layers 3, 4, 5, and 7 of the OSI reference
model?
Host-based
Hybrid
Application gateway
Stateful
Question 2
Which type of firewall is a combination of various firewall types?
Host-based
Hybrid
Packet filtering
Proxy
Stateful
Transparent
Question 3
Which type of firewall is part of a router firewall, permitting or denying traffic based
on Layer 3 and Layer 4 information?
Host-based
Hybrid
Next generation
Packet filtering
Proxy
Stateful
Transparent
Question 4
Which type of firewall is a PC or server with firewall software running on it?
Host-based
Hybrid
Next generation
Packet filtering
Proxy
Stateful
Transparent
Question 5
Which type of firewall filters IP traffic between a pair of bridged interfaces?
Host-based
Hybrid
Next generation
Packet filtering
Proxy
Stateful
Transparent
9.1.4 Packet Filtering Firewall Benefits and Limitations
Packet filtering firewalls are usually part of a router firewall, which permits or denies
traffic based on Layer 3 and Layer 4 information. They are stateless firewalls that use a
simple policy table look-up that filters traffic based on specific criteria, as shown in the
figure. For example, SMTP servers listen to port 25 by default. An administrator can
configure the packet filtering firewall to block port 25 from a specific workstation to
prevent it from broadcasting an email virus.
There are several advantages of using a packet filtering firewall:
Packet filters implement simple permit or deny rule sets.
Packet filters have a low impact on network performance.
Packet filters are easy to implement, and are supported by most routers.
Packet filters provide an initial degree of security at the network layer.
Packet filters perform almost all the tasks of a high-end firewall at a much lower
cost.
Packet filters do not represent a complete firewall solution, but they are an important
element of a firewall security policy. There are several disadvantages of using a packet
filtering firewall:
Packet filters are susceptible to IP spoofing. Threat actors can send arbitrary
packets that meet ACL criteria and pass through the filter.
Packet filters do not reliably filter fragmented packets. Because fragmented IP
packets carry the TCP header in the first fragment and packet filters filter on TCP
header information, all fragments after the first fragment are passed
unconditionally. Decisions to use packet filters assume that the filter of the first
fragment accurately enforces the policy.
Packet filters use complex ACLs, which can be difficult to implement and maintain.
Packet filters cannot dynamically filter certain services. For example, sessions that
use dynamic port negotiations are difficult to filter without opening access to a
whole range of ports.
Packet filters are stateless. They examine each packet individually rather than in the
context of the state of a connection.
Stateful firewalls defend against spoofing and DoS attacks by determining whether
packets belong to an existing connection or are from an unauthorized source.
Stateful firewalls provide more log information than a packet filtering firewall.
Stateful firewalls also present some limitations:
Stateful firewalls cannot prevent application layer attacks because they do not
examine the actual contents of the HTTP connection.
Not all protocols are stateful. For example, UDP and ICMP do not generate
connection information for a state table, and, therefore, do not garner as much
support for filtering.
It is difficult to track connections that use dynamic port negotiation. Some
applications open multiple connections. This requires a whole new range of ports
that must be opened to allow this second connection.
Stateful firewalls do not support user authentication.
Benefits:
Primary means of defense
Strong packet filtering
Improved performance over packet filters
Defends against spoofing and DoS attacks
Richer data log
Limitations:
No Application Layer inspection
Limited tracking of stateless protocols
Difficult to defend against dynamic port negotiation
No authentication support
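As an added example (not course code), the Python below simulates the two firewall types compared in 9.1.4 and 9.1.5 on the same constructed packets: the stateless filter judges each packet alone against a Layer 3/4 rule table, so a reply-only rule (like the IOS established keyword) admits any inbound segment with the ACK bit set, while the stateful device consults a state table built from connections the inside network opened. Addresses, ports and rules are assumptions for illustration.

```python
# Added example (not Cisco course code): stateless packet filter vs stateful firewall.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str     # "out" = from the inside network, "in" = from the outside
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit set; this is what the IOS 'established' keyword tests


# (direction, proto, destination port or None for any, required ACK bit or None, action)
Rule = Tuple[str, str, Optional[int], Optional[bool], str]

# Constructed stateless policy: inside clients may reach the internet and, because the
# filter keeps no connection state, inbound TCP is admitted whenever ACK is set,
# the way 'permit tcp any any established' does.
STATELESS_RULES: List[Rule] = [
    ("out", "tcp", None, None, "permit"),
    ("in", "tcp", None, True, "permit"),
]


class StatelessFilter:
    """Each packet is judged alone against a Layer 3/4 rule table, top-down."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for direction, proto, dport, ack, action in self.rules:
            if direction != pkt.direction or proto != pkt.proto:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if ack is not None and ack != pkt.ack:
                continue
            return action
        return "deny"  # implicit deny at the end of the table


class StatefulFirewall:
    """Inbound TCP is permitted only if it belongs to a connection the inside network
    opened; the state table holds (inside addr, inside port, outside addr, outside port)."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            # UDP and ICMP carry no connection information for the state table (the
            # limitation noted in the text), so they would need explicit static rules.
            return "deny"
        if pkt.direction == "out":
            if not pkt.ack:  # a new outbound connection (SYN) creates a state entry
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.state else "deny"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Feed the same constructed packets to both devices; returns (label, stateless, stateful)."""
    stateless, stateful = StatelessFilter(STATELESS_RULES), StatefulFirewall()
    packets = [
        ("inside client opens an HTTP session",
         Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.7", 80)),
        ("web server's reply to that session",
         Packet("in", "tcp", "203.0.113.7", 80, "192.168.1.10", 40000, ack=True)),
        ("unsolicited inbound segment with ACK set, no matching connection",
         Packet("in", "tcp", "198.51.100.9", 80, "192.168.1.20", 445, ack=True)),
        ("unsolicited inbound SYN to an inside host",
         Packet("in", "tcp", "198.51.100.9", 51000, "192.168.1.20", 22)),
    ]
    return [(label, stateless.decide(p), stateful.decide(p)) for label, p in packets]


if __name__ == "__main__":
    for label, stateless_verdict, stateful_verdict in run_scenario():
        print(f"{label:66} stateless={stateless_verdict:6} stateful={stateful_verdict}")
```

The third packet is the one that separates the two designs: the stateless table permits it on the ACK bit alone, whereas the stateful firewall drops it because no inside host ever opened that connection.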
9.2 Firewalls in Network Design
9.2.1 Common Security Architectures
Firewall design is primarily about device interfaces permitting or denying traffic based
on the source, the destination, and the type of traffic. Some designs are as simple as
designating an outside network and inside network, which are determined by two
interfaces on a firewall.
Here are three common firewall designs.
Private and Public
Demilitarized Zone
Zone-Based Policy Firewalls
Private and Public
As shown in the figure, the public network (or outside network) is untrusted, and the
private network (or inside network) is trusted.
Typically, a firewall with two interfaces is configured as follows:
Traffic originating from the private network is permitted and inspected as it travels
toward the public network. Inspected traffic returning from the public network and
associated with traffic that originated from the private network is permitted.
Traffic originating from the public network and traveling to the private network is
generally blocked.
Demilitarized Zone
A demilitarized zone (DMZ) is a firewall design where there is typically one inside
interface connected to the private network, one outside interface connected to the
public network, and one DMZ interface, as shown in the figure.
Traffic originating from the private network is inspected as it travels toward the
public or DMZ network. This traffic is permitted with little or no restriction.
Inspected traffic returning from the DMZ or public network to the private network
is permitted.
Traffic originating from the DMZ network and traveling to the private network is
usually blocked.
Traffic originating from the DMZ network and traveling to the public network is
selectively permitted based on service requirements.
Traffic originating from the public network and traveling toward the DMZ is
selectively permitted and inspected. This type of traffic is typically email, DNS,
HTTP, or HTTPS traffic. Return traffic from the DMZ to the public network is
dynamically permitted.
Traffic originating from the public network and traveling to the private network is
blocked.
Zone-based policy firewalls
Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional
flexibility. A zone is a group of one or more interfaces that have similar functions or
features. Zones help you specify where a Cisco IOS firewall rule or policy should be
applied. In the figure, security policies for LAN 1 and LAN 2 are similar and can be
grouped into a zone for firewall configurations. By default, the traffic between
interfaces in the same zone is not subject to any policy and passes freely. However, all
zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy
allowing or inspecting traffic must be configured.
The only exception to this default deny any policy is the router self zone. The self zone
is the router itself and includes all the router interface IP addresses. Policy
configurations that include the self zone would apply to traffic destined to and sourced
from the router. By default, there is no policy for this type of traffic. Traffic that should
be considered when designing a policy for the self zone includes management plane
and control plane traffic, such as SSH, SNMP, and routing protocols.
9.2.2 Layered Defense
A layered defense uses different types of firewalls that are combined in layers to add
depth to the security of an organization. Policies can be enforced between the layers
and inside the layers. These policy enforcement points determine whether traffic is
forwarded or discarded. For example, traffic that comes in from the untrusted network
first encounters a packet filter on the edge router. If allowed by the policy, the traffic
goes to the screened firewall or bastion host system that applies more rules to the
traffic and discards suspect packets. A bastion host is a hardened computer that is
typically located in the DMZ. Then the traffic goes to an interior screening router. The
traffic moves to the internal destination host only after successfully passing through all
policy enforcement points between the outside router and the inside network. This
type of DMZ setup is called a screened subnet configuration.
A layered defense approach is not all that is needed to ensure a safe internal network.
A network administrator must consider many factors when building a complete in-
depth defense:
Firewalls typically do not stop intrusions that come from hosts within a network or
zone.
Firewalls do not protect against rogue access point installations.
Firewalls do not replace backup and disaster recovery mechanisms resulting from
attack or hardware failure.
Firewalls are no substitute for informed administrators and users.
Considerations for Layered Network Defense
1. Network Core security - Protects against malicious software and traffic anomalies,
enforces network policies, and ensures survivability
2. Perimeter security - Secures boundaries between zones
3. Communications security - Provides information assurance
4. Endpoint security - Provides identity and device security policy compliance
This partial list of best practices can serve as a starting point for a firewall security
policy.
Position firewalls at security boundaries. Firewalls are a critical part of network
security, but it is unwise to rely exclusively on a firewall for security.
Deny all traffic by default.
Permit only services that are needed.
Ensure that physical access to the firewall is controlled.
Regularly monitor firewall logs.
Practice change management for firewall configuration changes.
Remember that firewalls primarily protect from technical attacks originating from
the outside.
9.2.3 Check Your Understanding - Network Security Design Concepts
Check your understanding of firewalls in network design by answering the
following questions.
Question 1
Which network security design typically uses one inside interface, one
outside interface, and one DMZ interface?
Layered defense
Public
Demilitarized
Two-interface firewall
ZPF
Question 2
Which security design uses different types of firewalls and security
measures that are combined at different areas of the network to add depth
to the security of an organization?
ZPF
Private-public
Demilitarized
Layered defense
Stateful firewall
Question 3
Which three statements describe trusted and untrusted areas of the
network? (Choose three.)
The public internet is generally considered untrusted.
A DMZ is considered a trusted area of the network.
Each network security layer is considered trusted and requires no security
measures.
Internal networks, except the DMZ, are considered trusted.
In a ZPF network, traffic that moves within zones is generally considered
trusted.
Question 4
Which network design groups interfaces into zones with similar functions
or features?
Layered
Private
Demilitarized
Self-zone
ZPF
Question 5
What are two best practices when implementing firewall security policies?
Permit all traffic and then implement rules to block specific traffic.
Disable unnecessary network services.
Strictly control physical access to firewall devices.
Firewall logging is not required due to the complexity of log entries.
Firewalls should only be used at the network edge.
9.2.4 Packet Tracer - Identify Packet Flow
In this Packet Tracer activity, you will observe packet flow in a LAN and WAN
topology. You will also observe how the packet flow path may change when
there is a change in the network topology.
Firewalls in Network Designs
Common security architectures define the boundaries of traffic entering and
leaving the network. When looking at a topology that has access to outside or
public networks, you should be able to determine the security architecture.
Some designs are as simple as designating an outside network and inside
network which are determined by two interfaces on a firewall. Networks that
require public access to services will often include a DMZ that the public can
access, while strictly blocking access to the inside network. ZPFs use the
concept of zones to provide additional flexibility. A zone is a group of one or
more interfaces that have similar functions, features, and security requirements.
A layered security approach uses firewalls and other security measures to
provide security at different functional layers of the network.
9.3.2 Module 9 - Firewall Technologies Quiz
Question 1
What is one benefit of using a next-generation firewall rather than a
stateful firewall?
Integrated use of an intrusion prevention system (IPS)
Support of TCP-based packet filtering
Reactive protection against Internet threats
Support of logging
Question 2
Which three layers of the OSI model include information that is commonly
inspected by a stateful firewall? (Choose three.)
Layer 1
Layer 2
Layer 3
Layer 4
Layer 5
Layer 7
Question 3
Which statement is a characteristic of a packet filtering firewall?
They are susceptible to IP spoofing.
They have a high impact on network performance.
They filter fragmented packets.
They examine each packet in the context of the state of a connection.
Question 4
Which type of firewall is supported by most routers and is the easiest to
implement?
Packet filtering firewall
Next generation firewall
Stateful firewall
Application gateway firewall
Question 5
Which type of traffic is usually blocked when implementing a demilitarized
zone?
Traffic that is returning from the DMZ network and traveling to the private
network
Traffic that is returning from the public network and traveling to the DMZ
network
Traffic originating from the private network and traveling to the DMZ network
Traffic originating from the DMZ network and traveling to the private
network
Question 6
What are two characteristics of an application gateway firewall? (Choose
two.)
Uses a simple policy table look-up to filter traffic based on Layer 3 and Layer 4
information.
Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model.
Performs most filtering and firewall control in software.
Uses connection information maintained in a state table and analyzes traffic at
OSI Layers 3, 4, and 5.
Provides an integrated intrusion prevention and detection feature.
Question 7
Which type of firewall generally has a low impact on network
performance?
Application gateway firewall
Stateful firewall
Next generation firewall
Stateless firewall
Question 8
Which type of firewall is commonly part of a router firewall and allows or
blocks traffic based on Layer 3 or 4 information?
Stateful firewall
Packet filtering firewall
Next generation firewall
Proxy firewall
Question 9
How does a firewall handle traffic that is originating from the DMZ network
and traveling to a private network?
Traffic is usually blocked when it is originating from the DMZ network and
traveling to a private network.
Traffic is usually allowed when it is originating from the DMZ network and
traveling to a private network.
Traffic is usually not filtered using firewall rules when it is originating from the
DMZ network and traveling to a private network.
Traffic is allowed when it is originating from the private network, but the
response traffic from the DMZ network will be blocked.
Question 10
Which two protocols are stateless and do not generate connection
information needed to build a state table? (Choose two.)
ICMP
HTTP
UDP
FTP
TCP
Question 11
What are two benefits of implementing a firewall in a network? (Choose
two.)
A firewall will inspect network traffic and forward traffic based solely on the
Layer 2 Ethernet MAC address.
A firewall will reduce security management complexity.
A firewall will provide accessibility of applications and sensitive resources to
external untrusted users.
A firewall will sanitize protocol flow.
A firewall will prevent unauthorized traffic from being tunneled or hidden as
legitimate traffic through an enterprise network.
Question 12
When implementing a ZPF, which statement describes a zone?
A zone is a group of hardened computers known as bastion hosts.
A zone is a group of one or more interfaces that have similar functions or
features.
A zone is a group of one or more devices that provide backup and disaster
recovery mechanisms.
A zone is a group of administrative devices that protect against rogue access
point installations.
Module 10: Zone-Based Policy Firewalls
10.0 Introduction
10.0.1 Why Should I Take this Module?
Zone-based policy firewalls (ZPFs) are an evolutionary step beyond classic
firewalls. While classic firewalls based security configuration on router
interfaces, a ZPF allows interfaces to be assigned to zones. Security policies
are defined based on the zone, and the security relationships between zones.
Multiple interfaces can be made members of a zone and zone policies will be
applied to those interfaces. Security requirements can be defined by the nature
of the zones, not the IP networks that are communicating through a given
interface.
In this module you will learn about ZPFs and learn how to implement a basic
ZPF design.
10.0.2 What Will I Learn in this Module?
Module Title: Zone-Based Policy Firewalls
Module Objective: Implement Zone-Based Policy Firewall using CLI.
Topic Title       Topic Objective
ZPF Overview      Explain how Zone-Based Policy Firewalls are used to help secure a network.
ZPF Operation     Explain the operation of a Zone-Based Policy Firewall.
Configure a ZPF   Configure a Zone-Based Policy Firewall with CLI.
10.1 ZPF Overview
10.1.1 Benefits of a ZPF
There are two configuration models for Cisco IOS Firewall:
Classic Firewall - The traditional configuration model in which firewall policy
is applied on interfaces.
Zone-based Policy Firewall (ZPF) - The configuration model in which
interfaces are assigned to security zones, and firewall policy is applied to
traffic moving between the zones.
If an additional interface is added to the private zone, the hosts connected to
the new interface in the private zone can pass traffic to all hosts on the existing
interface in the same zone. A simple three-zone network is shown in the figure.
Basic Security Zone Topology
The primary motivations for network security professionals to migrate to the
ZPF model are structure and ease of use. The structured approach is useful for
documentation and communication. The ease of use makes network security
implementations more accessible to a larger community of security
professionals.
There are several benefits of a ZPF:
It is not dependent on ACLs.
The router security posture is to block unless explicitly allowed.
Policies are easy to read and troubleshoot with the Cisco Common
Classification Policy Language (C3PL). C3PL is a structured method to
create traffic policies based on events, conditions, and actions. This
provides scalability because one policy affects any given traffic, instead of
needing multiple ACLs and inspection actions for different types of traffic.
Virtual and physical interfaces can be grouped into zones.
Policies are applied to unidirectional traffic between zones.
When deciding whether to implement IOS Classic Firewall or a ZPF, it is
important to note that both configuration models can be enabled concurrently on
a router. However, the models cannot be combined on a single interface. For
example, an interface cannot be simultaneously configured as a security zone
member and for IP inspection.
10.1.2 ZPF Design
Designing ZPFs involves several steps:
Step 1. Determine the zones - The administrator focuses on the separation of
the network into zones. Zones establish the security borders of a network. A
zone defines a boundary where traffic is subjected to policy restrictions as it
crosses to another region of the network. For example, the public network
would be one zone and the internal network would be another zone.
Step 2. Establish policies between zones - For each pair of "source-
destination" zones (for example, from the inside network to the outside internet),
define the sessions that clients in the source zones can request from servers in
destination zones. These sessions are most often TCP and UDP sessions, but
may also be ICMP sessions, such as ICMP echo. For traffic that is not based on
the concept of sessions, the administrator must define unidirectional traffic flows
from source to destination and vice versa. Policies are unidirectional and are
defined based on source and destination zones, which are known as zone
pairs.
Step 3. Design the physical infrastructure - After the zones have been
identified, and the traffic requirements between them documented, the
administrator must design the physical infrastructure. The administrator must
take into account security and availability requirements when designing the
physical infrastructure. This includes dictating the number of devices between
most-secure and least-secure zones and determining redundant devices.
Step 4. Identify subsets within zones and merge traffic requirements - For
each firewall device in the design, the administrator must identify zone subsets
that are connected to its interfaces and merge the traffic requirements for those
zones. For example, multiple zones might be indirectly attached to a single
interface of a firewall. This would result in a device-specific interzone policy.
Although an important consideration, implementing zone subsets is beyond the
scope of this curriculum.
Click each button to see examples of ZPF designs.
LAN-to-Internet
Firewall with public servers – 2
Redundant Firewalls
Complex Firewall
Drop - This is analogous to a deny statement in an ACL. A log option is
available to log the rejected packets.
Pass - This is analogous to a permit statement in an ACL. The pass action
does not track the state of connections or sessions within the traffic.
10.2.2 Rules for Transit Traffic
Traffic transiting through router interfaces is subject to several rules governing
interface behavior. For the transit traffic example, refer to the topology shown in
the figure.
Basic Security Zone Topology
The rules depend on whether or not the ingress and egress interfaces are
members of the same zone:
If neither interface is a zone member, then the resulting action is to pass the
traffic.
If both interfaces are members of the same zone, then the resulting action is
to pass the traffic.
If one interface is a zone member, but the other is not, then the resulting
action is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the
resulting action is inspect, allow, or drop as defined by the policy.
The table summarizes these rules.
Source Interface   Destination Interface   Zone-Pair   Policy    Result
Member of Zone?    Member of Zone?         Exists?     Exists?
NO                 NO                      N/A         N/A       PASS
YES                NO                      N/A         N/A       DROP
NO                 YES                     N/A         N/A       DROP
YES (private)      YES (private)           N/A         N/A       PASS
YES (private)      YES (public)            NO          N/A       DROP
YES (private)      YES (public)            YES         NO        PASS
YES (private)      YES (public)            YES         YES       INSPECT
10.2.3 Rules for Traffic to the Self Zone
The self zone is the router itself and includes all of the IP addresses assigned to
the router interfaces. This is traffic that originates at the router or is addressed
to a router interface. Specifically, the traffic is either for device management, for
example SSH, or traffic forwarding control, such as routing protocol traffic. The
rules for a ZPF are different for the self zone. For the self zone traffic example,
refer to the topology shown in the previous figure.
The rules depend on whether the router is the source or the destination of the
traffic, as shown in the table. If the router is the source or the destination, then
all traffic is permitted. The only exception is if the source and destination are a
zone-pair with a specific service-policy. In that case, the policy is applied to all
traffic.
Source Interface   Destination Interface   Zone-Pair   Policy    Result
Member of Zone?    Member of Zone?         Exists?     Exists?
YES (self zone)    YES                     NO          N/A       PASS
YES (self zone)    YES                     YES         NO        PASS
YES (self zone)    YES                     YES         YES       INSPECT
YES                YES (self zone)         NO          N/A       PASS
YES                YES (self zone)         YES         NO        PASS
YES                YES (self zone)         YES         YES       INSPECT
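The two rule tables above can be checked mechanically. The following Python model is an added example, not Cisco IOS code: it implements the transit rules of 10.2.2 and the self-zone rules of 10.2.3 as a single evaluator. It uses the interface and zone names of the section 10.3 topology; the non-member interface GigabitEthernet0/1, the PRIVATE-to-self zone-pair and its policy name MGMT-POLICY are constructed, and treating self-zone traffic on an interface that is not a zone member as PASS is an assumption the tables do not state.

```python
"""Model of the ZPF transit and self-zone rules from sections 10.2.2 and 10.2.3.

Added example (not Cisco IOS code). Interface and zone names are taken from the
section 10.3 topology; the non-member interface and the self-zone pair are
constructed for illustration. The decision logic follows the two tables.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SELF = "self"  # system-defined zone: traffic sourced by or destined to the router


@dataclass
class ZpfRouter:
    # interface name -> zone name; an interface absent here (or mapped to None)
    # is not a zone member
    interface_zone: Dict[str, Optional[str]] = field(default_factory=dict)
    # (source zone, destination zone) -> attached policy-map name, or None when
    # the zone-pair exists but carries no service-policy
    zone_pairs: Dict[Tuple[str, str], Optional[str]] = field(default_factory=dict)

    def add_interface(self, name: str, zone: Optional[str]) -> None:
        self.interface_zone[name] = zone

    def add_zone_pair(self, source: str, destination: str,
                      policy: Optional[str] = None) -> None:
        self.zone_pairs[(source, destination)] = policy

    def _pair_result(self, src_zone: str, dst_zone: str, default: str) -> str:
        """Shared tail of both tables: a zone-pair with a policy is inspected,
        a zone-pair without a policy passes, and no zone-pair yields `default`
        (DROP for transit traffic, PASS for self-zone traffic)."""
        if (src_zone, dst_zone) not in self.zone_pairs:
            return default
        if self.zone_pairs[(src_zone, dst_zone)] is None:
            return "PASS"
        return "INSPECT"

    def transit_result(self, ingress: str, egress: str) -> str:
        """Rules for traffic forwarded from `ingress` to `egress` (10.2.2)."""
        src = self.interface_zone.get(ingress)
        dst = self.interface_zone.get(egress)
        if src is None and dst is None:
            return "PASS"   # neither interface is a zone member
        if src is None or dst is None:
            return "DROP"   # one member and one non-member: dropped regardless of zone-pairs
        if src == dst:
            return "PASS"   # intra-zone traffic is not subject to policy
        return self._pair_result(src, dst, default="DROP")

    def self_zone_result(self, interface: str, router_is_source: bool) -> str:
        """Rules for traffic sourced by or destined to the router (10.2.3):
        permitted unless a zone-pair involving `self` carries a policy."""
        zone = self.interface_zone.get(interface)
        if zone is None:
            return "PASS"   # assumption: no zone on the far side, so no zone-pair can apply
        pair = (SELF, zone) if router_is_source else (zone, SELF)
        return self._pair_result(*pair, default="PASS")


def build_example_router() -> ZpfRouter:
    """The two-zone topology of section 10.3, plus one constructed interface
    that is not a zone member and a constructed self-zone pair for management."""
    r = ZpfRouter()
    r.add_interface("GigabitEthernet0/0", "PRIVATE")
    r.add_interface("Serial0/0/0", "PUBLIC")
    r.add_interface("GigabitEthernet0/1", None)        # constructed: not a zone member
    r.add_zone_pair("PRIVATE", "PUBLIC", "PRIV-TO-PUB-POLICY")
    r.add_zone_pair("PRIVATE", SELF, "MGMT-POLICY")   # constructed policy name
    return r


if __name__ == "__main__":
    r = build_example_router()
    for ingress, egress in [("GigabitEthernet0/0", "Serial0/0/0"),
                            ("Serial0/0/0", "GigabitEthernet0/0"),
                            ("GigabitEthernet0/0", "GigabitEthernet0/1")]:
        print(f"{ingress} -> {egress}: {r.transit_result(ingress, egress)}")
    print("PRIVATE host -> router:", r.self_zone_result("GigabitEthernet0/0", False))
    print("PUBLIC host -> router:", r.self_zone_result("Serial0/0/0", False))
```

The last line of the demonstration is the point to watch: because no PUBLIC-to-self zone-pair exists, traffic addressed to the router from the PUBLIC interface passes, which is why section 9.2.1 lists management and control plane traffic (SSH, SNMP, routing protocols) as traffic that needs a deliberate self-zone policy.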
10.2.4 Check Your Understanding - Rules for Transit Traffic
Activity Part 1 - Rules for Transit Traffic
Identify the correct rules for transit traffic by selecting your answers from the 7
drop down menus.
10.3 Configure a ZPF
10.3.1 Configure a ZPF
The topology shown in the figure will be used throughout the remainder of this
topic to demonstrate ZPF configuration. The sequence of steps is not required.
However, some configurations must be completed in order. For instance, you
must configure a class-map before you assign a class-map to a policy-map.
Similarly, you cannot assign a policy-map to a zone-pair until you have
configured the policy. If you try to configure a section that relies on another
portion of the configuration that you have not yet configured, the router
responds with an error message.
Zone-Based Policy Firewall Configuration Steps
What will be the name for each zone?
What traffic is necessary between the zones and in which direction?
In the example topology, we have two interfaces, two zones, and traffic flowing
in one direction. Traffic sourced from the public zone will not be allowed. Create
the private and public zones for the firewall with the zone security command, as
shown here.
Router(config)# zone security zone-name
R1(config)# zone security PRIVATE
R1(config-sec-zone)# exit
R1(config)# zone security PUBLIC
R1(config-sec-zone)# exit
R1(config)#
10.3.3 Step 2. Identify Traffic
The second step is to use a class-map to identify the traffic to which a policy will
be applied. A class is a way of identifying a set of packets based on its contents
using “match” conditions. Typically, you define a class so that you can apply an
action to the identified traffic that reflects a policy. A class is defined with class-
maps.
The example below shows the syntax for the class-map command. There are
several types of class-maps. For a ZPF configuration, use the inspect keyword
to define a class-map. Determine how packets are evaluated when multiple
match criteria exist. Packets must meet one of the match criteria (match-any) or
all of the match criteria (match-all) to be considered a member of the class.
Router(config)# class-map type inspect [match-any | match-all] class-map-name
Parameter        Description
match-any        Packets must meet one of the match criteria to be considered a member of the class.
match-all        Packets must meet all of the match criteria to be considered a member of the class.
class-map-name   Name of the class-map that will be used to configure the policy for the class in the policy-map.
The example below shows the syntax for the match statements in class-
map sub-configuration mode. Match traffic to an ACL, a specific protocol, or
even another class-map.
Router(config-cmap)# match access-group {acl-# | acl-name }
Router(config-cmap)# match protocol protocol-name
Router(config-cmap)# match class-map class-map-name
Parameter            Description
match access-group   Configures the match criteria for a class-map based on the specified ACL number or name.
match protocol       Configures the match criteria for a class-map based on the specified protocol.
match class-map      Uses another class-map to identify traffic.
In the topology, HTTP traffic is being allowed to cross R1 from the PRIVATE to
the PUBLIC zone. When allowing HTTP traffic, it is recommended to specifically
include HTTPS and DNS protocols, as shown in the example below. Traffic can
match any of the statements to become a member of the HTTP-TRAFFIC class.
R1(config)# class-map type inspect match-any HTTP-TRAFFIC
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol https
R1(config-cmap)# match protocol dns
10.3.4 Step 3. Define an Action
The third step is to use a policy-map to define what action should be taken for
traffic that is a member of a class. The example below shows the command
syntax to configure a policy-map. An action is a specific functionality. It is
typically associated with a traffic class. For example, inspect, drop,
and pass are actions.
R1(config)# policy-map type inspect policy-map-name
R1(config-pmap)# class type inspect class-map-name
R1(config-pmap-c)# {inspect | drop | pass}
Parameter   Description
inspect     An action that offers state-based traffic control. The router maintains session information for TCP and UDP and permits return traffic.
drop        Discards unwanted traffic.
pass        A stateless action that allows the router to forward traffic from one zone to another.
The example below shows a policy-map configuration. The class HTTP-TRAFFIC that
was configured in the previous step is associated with a new policy-map named
PRIV-TO-PUB-POLICY. The inspect command on the third line configures R1 to
maintain state information for all traffic that is a member of the class
HTTP-TRAFFIC.
R1(config)# policy-map type inspect PRIV-TO-PUB-POLICY
R1(config-pmap)# class type inspect HTTP-TRAFFIC
R1(config-pmap-c)# inspect
inspect - This action offers state-based traffic control. For example, if traffic
traveling from the PRIVATE zone to the PUBLIC zone is inspected, the
router maintains connection or session information for TCP and UDP traffic.
The router would then permit return traffic sent from PUBLIC zone hosts in
reply to PRIVATE zone connection requests.
drop - This is the default action for all traffic. Similar to the implicit deny
any at the end of every ACL, there is an explicit drop applied by the IOS to
the end of every policy-map. It is listed as class class-default in the last
section of any policy-map configuration. Other class-maps within a
policy-map can also be configured to drop unwanted traffic. Unlike ACLs,
traffic is silently dropped, and no ICMP unreachable messages are sent to
the source of the traffic.
pass - This action allows the router to forward traffic from one zone to
another. The pass action does not track the state of connections. Pass only
allows the traffic in one direction. A corresponding policy must be applied to
allow return traffic to pass in the opposite direction. The pass action is ideal
for secure protocols with predictable behavior, such as IPsec. However,
most application traffic is better handled in the ZPF with the inspect action.
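The difference between the three actions is easiest to see with a state table in front of you. The following Python model is an added example, not Cisco IOS code: it replays the PRIVATE-to-PUBLIC policy of this topic against a toy connection table, with the client and server addresses taken from the verification output in 10.3.7. The IPsec pass rule, the second pair of addresses and the "app" field (which stands in for what match protocol would classify) are constructed.

```python
"""Toy model of the three ZPF actions (inspect, pass, drop) on a zone-pair.

Added example, not Cisco IOS code. Zone names follow section 10.3; the IPsec
pass rule, the extra addresses and the packets themselves are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str       # "address:port", or just an address for port-less protocols
    dst: str
    proto: str     # transport: "tcp", "udp", "icmp", "esp"
    app: str       # what the class-map would classify: "https", "dns", ...


class ZonePairFirewall:
    def __init__(self) -> None:
        # (source zone, destination zone) -> {app: action}; traffic that matches
        # no class falls into class-default, whose action is drop
        self.policies: Dict[Tuple[str, str], Dict[str, str]] = {}
        # state table: initiator (src, dst, proto) -> app, filled only by inspect
        self.sessions: Dict[Tuple[str, str, str], str] = {}

    def add_class(self, src_zone: str, dst_zone: str, app: str, action: str) -> None:
        assert action in ("inspect", "pass", "drop")
        self.policies.setdefault((src_zone, dst_zone), {})[app] = action

    def handle(self, p: Packet) -> str:
        """Return "return", "inspect", "pass" or "drop" for the packet."""
        # A reply to an inspected session is permitted without consulting the
        # reverse zone-pair: inspect tracks state, pass does not.
        if (p.dst, p.src, p.proto) in self.sessions:
            return "return"
        action = self.policies.get((p.src_zone, p.dst_zone), {}).get(p.app, "drop")
        if action == "inspect":
            self.sessions[(p.src, p.dst, p.proto)] = p.app
            return "inspect"
        if action == "pass":
            return "pass"     # forwarded one way only; nothing recorded
        return "drop"         # silently discarded, no ICMP unreachable sent


def run_scenario() -> Dict[str, str]:
    """Replay the PRIVATE->PUBLIC policy of section 10.3 plus a constructed
    pass rule for IPsec, and return the action taken for each packet."""
    fw = ZonePairFirewall()
    for app in ("http", "https", "dns"):
        fw.add_class("PRIVATE", "PUBLIC", app, "inspect")   # the HTTP-TRAFFIC class
    fw.add_class("PRIVATE", "PUBLIC", "ipsec", "pass")       # constructed pass rule

    client, server = "192.168.1.3:1049", "10.1.1.2:443"     # addresses from 10.3.7
    vpn_peer_in, vpn_peer_out = "192.168.1.10", "10.1.1.9"  # constructed
    results = {}
    results["https request"] = fw.handle(Packet("PRIVATE", "PUBLIC", client, server, "tcp", "https"))
    results["https reply"] = fw.handle(Packet("PUBLIC", "PRIVATE", server, client, "tcp", "https"))
    # ping is not in the class, so it lands in class-default, as in 10.3.7
    results["ping"] = fw.handle(Packet("PRIVATE", "PUBLIC", "192.168.1.3", "10.1.1.2", "icmp", "icmp"))
    results["ipsec out"] = fw.handle(Packet("PRIVATE", "PUBLIC", vpn_peer_in, vpn_peer_out, "esp", "ipsec"))
    # pass is stateless: the reverse direction needs its own zone-pair policy
    results["ipsec back"] = fw.handle(Packet("PUBLIC", "PRIVATE", vpn_peer_out, vpn_peer_in, "esp", "ipsec"))
    results["unsolicited"] = fw.handle(Packet("PUBLIC", "PRIVATE", "10.1.1.2:80", "192.168.1.3:2000", "tcp", "http"))
    return results


if __name__ == "__main__":
    for name, action in run_scenario().items():
        print(f"{name:15s} {action}")
```

Two outcomes carry the lesson: the HTTPS reply is returned because inspect recorded the session, while the IPsec reply is dropped because pass recorded nothing and no PUBLIC-to-PRIVATE policy exists.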
10.3.5 Step 4. Identify a Zone-Pair and Match to a Policy
The fourth step is to identify a zone pair and associate that zone pair to a policy-
map. The example below shows the command syntax. Create a zone-pair with
the zone-pair security command. Then use the service-policy type
inspect command to attach a policy-map and its associated action to the zone-
pair.
Router(config)# zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}
Router(config-sec-zone-pair)# service-policy type inspect policy-map-name
Parameter                           Description
source source-zone-name             Specifies the name of the zone from which traffic is originating.
destination destination-zone-name   Specifies the name of the zone to which traffic is destined.
self                                Specifies the system-defined zone. Indicates whether traffic will be going to or from the router itself.
The example below shows a zone-pair configuration. A zone-pair
named PRIV-PUB is created with PRIVATE assigned as the source zone and
PUBLIC assigned as the destination zone. Then the policy-map created in the
previous step is associated to the zone-pair.
After the firewall policy has been configured, the administrator applies it to traffic
between a pair of zones using the zone-pair security command. To apply a
policy, it is assigned to a zone pair. The zone pair needs to specify the source
zone, the destination zone, and the policy for handling the traffic between the
source and destination zones.
R1(config)# zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
R1(config-sec-zone-pair)# service-policy type inspect PRIV-TO-PUB-POLICY
10.3.6 Step 5. Assign Zones to Interfaces
The fifth step is to assign zones to the appropriate interfaces. Associating a
zone to an interface will immediately apply the service-policy that has been
associated with the zone. If no service-policy is yet configured for the zone, all
transit traffic will be dropped. Use the zone-member security command to
assign a zone to an interface, as shown in the example below.
Router(config-if)# zone-member security zone-name
In the following example, GigabitEthernet 0/0 is assigned the PRIVATE zone,
and Serial 0/0/0 is assigned the PUBLIC zone.
R1(config)# interface GigabitEthernet 0/0
R1(config-if)# zone-member security PRIVATE
R1(config-if)# interface Serial 0/0/0
R1(config-if)# zone-member security PUBLIC
The service-policy is now active. HTTP, HTTPS, and DNS traffic sourced from
the PRIVATE zone and destined for the PUBLIC zone will be inspected. Traffic
sourced from the PUBLIC zone and destined for the PRIVATE zone will only be
allowed if it is part of sessions originally initiated by PRIVATE zone hosts.
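The five steps above are repeated for every zone-pair, and they must be entered in dependency order (class-map before policy-map, policy-map before zone-pair, zone before interface). The following Python script is an added example, not Cisco code: it renders that sequence as IOS CLI text from a short policy description and refuses to emit a reference to an object that has not been defined. It goes beyond the two-zone example by realizing the three-zone DMZ design of 9.2.1. PRIVATE, PUBLIC, HTTP-TRAFFIC, PRIV-PUB and PRIV-TO-PUB-POLICY are the page's names; the DMZ zone, GigabitEthernet0/1 and the other class-map, policy-map and zone-pair names are constructed.

```python
"""Emit a ZPF configuration for the three-zone DMZ design of section 9.2.1
using the five steps of section 10.3.

Added example, not Cisco code. It renders IOS CLI text from a small policy
description and raises ValueError on a dangling reference, which mirrors the
ordering constraint noted in 10.3.1. DMZ, GigabitEthernet0/1 and every name
other than PRIVATE, PUBLIC, HTTP-TRAFFIC, PRIV-PUB and PRIV-TO-PUB-POLICY are
constructed.
"""
from typing import Dict, List, Tuple

ZONES = ["PRIVATE", "DMZ", "PUBLIC"]                        # step 1

CLASS_MAPS: Dict[str, List[str]] = {                        # step 2 (all match-any)
    "HTTP-TRAFFIC": ["http", "https", "dns"],
    "PUBLIC-SERVICES": ["smtp", "dns", "http", "https"],    # what the public may reach in the DMZ
    "DMZ-EGRESS": ["dns", "smtp"],                          # what DMZ servers may initiate outward
}

POLICY_MAPS: Dict[str, List[Tuple[str, str]]] = {           # step 3: (class-map, action)
    "PRIV-TO-PUB-POLICY": [("HTTP-TRAFFIC", "inspect")],
    "PRIV-TO-DMZ-POLICY": [("HTTP-TRAFFIC", "inspect")],
    "PUB-TO-DMZ-POLICY": [("PUBLIC-SERVICES", "inspect")],
    "DMZ-TO-PUB-POLICY": [("DMZ-EGRESS", "inspect")],
}

# step 4: zone-pairs are unidirectional. DMZ->PRIVATE and PUBLIC->PRIVATE get no
# pair, so they stay under the default inter-zone drop; replies to inspected
# sessions are admitted by the state table, not by a reverse pair.
ZONE_PAIRS: List[Tuple[str, str, str, str]] = [
    ("PRIV-PUB", "PRIVATE", "PUBLIC", "PRIV-TO-PUB-POLICY"),
    ("PRIV-DMZ", "PRIVATE", "DMZ", "PRIV-TO-DMZ-POLICY"),
    ("PUB-DMZ", "PUBLIC", "DMZ", "PUB-TO-DMZ-POLICY"),
    ("DMZ-PUB", "DMZ", "PUBLIC", "DMZ-TO-PUB-POLICY"),
]

INTERFACES: Dict[str, str] = {                              # step 5
    "GigabitEthernet0/0": "PRIVATE",
    "GigabitEthernet0/1": "DMZ",                            # constructed
    "Serial0/0/0": "PUBLIC",
}

ACTIONS = ("inspect", "drop", "pass")


def render_zpf_config(zones, class_maps, policy_maps, zone_pairs, interfaces) -> List[str]:
    """Return the CLI lines in dependency order; raise ValueError on a dangling reference."""
    lines: List[str] = [f"zone security {z}" for z in zones]
    for name, protocols in class_maps.items():
        lines.append(f"class-map type inspect match-any {name}")
        lines.extend(f" match protocol {p}" for p in protocols)
    for name, entries in policy_maps.items():
        lines.append(f"policy-map type inspect {name}")
        for cmap, action in entries:
            if cmap not in class_maps:
                raise ValueError(f"policy-map {name}: class-map {cmap} is not defined")
            if action not in ACTIONS:
                raise ValueError(f"policy-map {name}: unknown action {action}")
            lines += [f" class type inspect {cmap}", f"  {action}"]
        lines += [" class class-default", "  drop"]      # the default the IOS applies anyway
    for pair, src, dst, policy in zone_pairs:
        for z in (src, dst):
            if z not in zones and z != "self":
                raise ValueError(f"zone-pair {pair}: zone {z} is not defined")
        if policy not in policy_maps:
            raise ValueError(f"zone-pair {pair}: policy-map {policy} is not defined")
        lines += [f"zone-pair security {pair} source {src} destination {dst}",
                  f" service-policy type inspect {policy}"]
    for intf, zone in interfaces.items():
        if zone not in zones:
            raise ValueError(f"interface {intf}: zone {zone} is not defined")
        lines += [f"interface {intf}", f" zone-member security {zone}"]
    return lines


if __name__ == "__main__":
    print("\n".join(render_zpf_config(ZONES, CLASS_MAPS, POLICY_MAPS, ZONE_PAIRS, INTERFACES)))
```

Reading the generated text back against 9.2.1 is the useful check: every permitted direction corresponds to one zone-pair, and the two directions the design says are blocked (DMZ to private, public to private) appear nowhere in the output.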
10.3.7 Verify a ZPF Configuration
Verify a ZPF configuration by viewing the running configuration. Notice that the
class-map is listed first. Then the policy-map makes use of the class-map. Also,
notice the highlighted class class-default that will drop all other traffic that is not
a member of the HTTP-TRAFFIC class.
The zone configurations follow the policy-map configurations with zone naming,
zone pairing, and associating a service-policy to the zone pair. Finally, the
interfaces are assigned zones.
R1# show run | begin class-map
!
<some output omitted>
!
class-map type inspect match-any HTTP-TRAFFIC
match protocol http
match protocol https
match protocol dns
!
policy-map type inspect PRIV-TO-PUB-POLICY
class type inspect HTTP-TRAFFIC
inspect
class class-default
drop
!
zone security PRIVATE
zone security PUBLIC
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
service-policy type inspect PRIV-TO-PUB-POLICY
!
interface GigabitEthernet0/0
zone-member security PRIVATE
!
interface Serial0/0/0
zone-member security PUBLIC
!
The example below shows verification information after a test of the ZPF
configuration. A PRIVATE zone host 192.168.1.3 established an HTTPS
session with a web server at 10.1.1.2. Notice further down in the command
output that four packets matched the class class-default. This verification
information was generated by having host 192.168.1.3 ping the web server at
10.1.1.2.
R1# show policy-map type inspect zone-pair sessions
policy exists on zp PRIV-PUB
Zone-pair: PRIV-PUB
Service-policy inspect : PRIV-TO-PUB-POLICY
Class-map: HTTP-TRAFFIC (match-any)
Match: protocol http
12 packets, 384 bytes
30 second rate 0 bps
Match: protocol https
5 packets, 160 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 2204E220 (192.168.1.3:1049)=>(10.1.1.2:443) https:tcp
SIS_OPEN/TCP_CLOSEWAIT
Created 00:00:14, Last heard 00:00:11
Bytes sent (initiator:responder) [821:1431]
Class-map: class-default (match-any)
Match: any
Drop
4 packets, 160 bytes
R1#
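Operators rarely read this output by hand for long; the counters are what a monitoring job should watch, in particular packets hitting class-default, which are traffic the policy did not anticipate. The following Python parser is an added example, not Cisco code: it reads the output shown above (reproduced as the sample input) into per-class counters and session records, and flags the class-default drops. The output line layout it expects is exactly the one printed above.

```python
"""Parse `show policy-map type inspect zone-pair sessions` output into counters.

Added example, not Cisco code. SAMPLE_OUTPUT is the output shown in section
10.3.7; the parser assumes the line layout seen there.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
policy exists on zp PRIV-PUB
Zone-pair: PRIV-PUB
Service-policy inspect : PRIV-TO-PUB-POLICY
Class-map: HTTP-TRAFFIC (match-any)
Match: protocol http
12 packets, 384 bytes
30 second rate 0 bps
Match: protocol https
5 packets, 160 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 2204E220 (192.168.1.3:1049)=>(10.1.1.2:443) https:tcp
SIS_OPEN/TCP_CLOSEWAIT
Created 00:00:14, Last heard 00:00:11
Bytes sent (initiator:responder) [821:1431]
Class-map: class-default (match-any)
Match: any
Drop
4 packets, 160 bytes
"""

COUNTER_RE = re.compile(r"^(\d+) packets, (\d+) bytes$")
SESSION_RE = re.compile(r"^Session (\w+) \((\S+?):(\d+)\)=>\((\S+?):(\d+)\) (\S+)")


def parse_zone_pair_sessions(text: str) -> Dict:
    report: Dict = {"zone_pair": None, "policy": None, "classes": {}, "sessions": []}
    cls: Optional[Dict] = None    # class-map currently being read
    match: Optional[str] = None   # "Match:" line the next counter belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            report["zone_pair"] = line.split(":", 1)[1].strip()
        elif line.startswith("Service-policy inspect"):
            report["policy"] = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            name = line.split(":", 1)[1].split()[0]
            cls = {"matches": {}, "action": None, "action_packets": 0, "action_bytes": 0}
            report["classes"][name] = cls
            match = None
        elif line.startswith("Match:") and cls is not None:
            match = line.split(":", 1)[1].strip()
            cls["matches"][match] = (0, 0)
        elif line in ("Inspect", "Drop", "Pass") and cls is not None:
            cls["action"] = line.lower()
            match = None              # counters after the action line belong to it
        elif (m := COUNTER_RE.match(line)) and cls is not None:
            pkts, nbytes = int(m.group(1)), int(m.group(2))
            if match is not None:
                cls["matches"][match] = (pkts, nbytes)
            else:
                cls["action_packets"], cls["action_bytes"] = pkts, nbytes
        elif m := SESSION_RE.match(line):
            report["sessions"].append({
                "id": m.group(1),
                "initiator": f"{m.group(2)}:{m.group(3)}",
                "responder": f"{m.group(4)}:{m.group(5)}",
                "app": m.group(6),
            })
    return report


def findings(report: Dict) -> List[str]:
    """What an operator would want flagged: class-default drops (traffic the
    policy did not anticipate) and an explicit class that never matched."""
    out: List[str] = []
    default = report["classes"].get("class-default")
    if default and default["action_packets"] > 0:
        out.append(f"class-default dropped {default['action_packets']} packets on {report['zone_pair']}")
    for name, cls in report["classes"].items():
        if name != "class-default" and all(p == 0 for p, _ in cls["matches"].values()):
            out.append(f"class {name} never matched")
    return out


if __name__ == "__main__":
    r = parse_zone_pair_sessions(SAMPLE_OUTPUT)
    for s in r["sessions"]:
        print(f"session {s['id']}: {s['initiator']} -> {s['responder']} ({s['app']})")
    for f in findings(r):
        print("finding:", f)
```

On the sample the parser attributes the 4 dropped packets to class-default and recovers the single HTTPS session, which is the same reading the paragraph above gives of the ping test.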
The example below shows four other ZPF verification commands that
allow a view of specific portions of the ZPF configuration.
R1# show class-map type inspect
Class Map type inspect match-any HTTP-TRAFFIC (id 1)
Match protocol http
Match protocol https
Match protocol dns
R1# show zone security
zone self
Description: System Defined Zone
zone PRIVATE
Member Interfaces:
GigabitEthernet0/0
zone PUBLIC
Member Interfaces:
Serial0/0/0
R1# show zone-pair security
Zone-pair name PRIV-PUB
Source-Zone PRIVATE Destination-Zone PUBLIC
service-policy PRIV-TO-PUB-POLICY
R1# show policy-map type inspect
Policy Map type inspect PRIV-TO-PUB-POLICY
Class HTTP-TRAFFIC
Inspect
Class class-default
Drop
10.3.8 Syntax Checker-Configure a ZPF
Step 1: Create the zones.
Use the zone security command to create a zone called PRIVATE.
Exit the config-sec-zone configuration mode.
Use the zone security command to create a zone called PUBLIC.
Exit the config-sec-zone configuration mode.
R1(config)#zone security PRIVATE
R1(config-sec-zone)#exit
R1(config)#zone security PUBLIC
R1(config-sec-zone)#exit
R1(config)#
Step 2: Identify traffic with a class-map.
Create an inspect type class-map called HTTP-TRAFFIC. The class-map should use the match-any inspection criteria.
Use the match protocol command to match the HTTP, HTTPS, and DNS protocols.
Exit config-cmap configuration mode.
R1(config)#class-map type inspect match-any HTTP-TRAFFIC
R1(config-cmap)#match protocol http
R1(config-cmap)#match protocol https
R1(config-cmap)#match protocol dns
R1(config-cmap)#exit
Step 3: Define an action with a policy-map.
Create an inspect type policy-map called PRIV-TO-PUB-POLICY.
Associate the HTTP-TRAFFIC class-map that you created in Step 2
to the policy-map using the class type inspect command.
Assign the action to inspect.
Exit policy-map-c configuration mode.
Exit policy-map configuration mode.
R1(config)#policy-map type inspect PRIV-TO-PUB-POLICY
R1(config-pmap)#class type inspect HTTP-TRAFFIC
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#
Step 4: Identify a zone pair and match it to a policy-map.
Create a zone-pair called PRIV-PUB. The source should be
the PRIVATE zone, and the destination should be the PUBLIC zone.
Use the service-policy command to assign the PRIV-TO-PUB-POLICY policy-map that you created in Step 3.
Exit config-sec-zone-pair mode.
R1(config)#zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
R1(config-sec-zone-pair)#service-policy type inspect PRIV-TO-PUB-POLICY
R1(config-sec-zone-pair)#exit
Step 5: Assign zones to the appropriate interfaces.
Assign the zone PRIVATE to interface G0/0.
Assign the zone PUBLIC to interface S0/0/0.
End configuration mode.
R1(config)#interface g0/0
R1(config-if)#zone-member security PRIVATE
R1(config-if)#interface s0/0/0
R1(config-if)#zone-member security PUBLIC
R1(config-if)#end
R1#
Enter the show run | begin class-map command to verify your
configuration.
R1#show run | begin class-map
!
<some output omitted>
!
class-map type inspect match-any HTTP-TRAFFIC
match protocol http
match protocol https
match protocol dns
!
policy-map type inspect PRIV-TO-PUB-POLICY
class type inspect HTTP-TRAFFIC
inspect
class class-default
drop
!
zone security PRIVATE
zone security PUBLIC
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
service-policy type inspect PRIV-TO-PUB-POLICY
!
interface GigabitEthernet0/0
zone-member security PRIVATE
!
interface Serial0/0/0
zone-member security PUBLIC
!
R1#
You successfully configured a Zone-Based Policy Firewall on R1.
10.3.9 ZPF Configuration Considerations
When configuring a ZPF with the CLI, there are several factors to consider:
The router never filters the traffic between interfaces in the same zone.
An interface cannot belong to multiple zones. To create a union of security
zones, specify a new zone and appropriate policy map and zone pairs.
ZPF can coexist with Classic Firewall although they cannot be used on the
same interface. Remove the ip inspect interface configuration command
before applying the zone-member security command.
Traffic can never flow between an interface assigned to a zone and an
interface without a zone assignment. Applying the zone-member configuration
command always results in a temporary interruption of service until the other
zone-member is configured.
The default inter-zone policy is to drop all traffic unless otherwise specifically
allowed by the service-policy configured for the zone-pair.
The zone-member command does not protect the router itself (traffic to and
from the router is not affected) unless the zone-pairs are configured using
the predefined self zone.
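The five configuration steps of the syntax checker and the considerations above can be checked mechanically against a saved running-config. The following is an added example, not part of the course material: a Python lint for the show run | begin class-map output format. Regex parsing of IOS text is an assumption of this example (a real tool would use the device's structured APIs), and the sample configuration is constructed from the page's working ZPF with two extra interfaces that break these rules.

```python
# Added example (not course code): lint a Cisco IOS ZPF running-config against the
# configuration considerations of section 10.3.9. Regex parsing is an assumption.
import re

# Constructed sample: the page's working ZPF configuration plus Gi0/1, which still
# carries classic `ip inspect` and names an undefined zone, and Gi0/2 with no zone.
SAMPLE_CONFIG = """\
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PRIV-TO-PUB-POLICY
 class type inspect HTTP-TRAFFIC
  inspect
 class class-default
  drop
!
zone security PRIVATE
zone security PUBLIC
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
 service-policy type inspect PRIV-TO-PUB-POLICY
!
interface GigabitEthernet0/0
 zone-member security PRIVATE
!
interface GigabitEthernet0/1
 ip inspect CLASSIC-FW in
 zone-member security DMZ
!
interface GigabitEthernet0/2
!
interface Serial0/0/0
 zone-member security PUBLIC
!
"""

# One regex per top-level ZPF command; the named groups become record fields.
TOP = {
    "zones": re.compile(r"zone security (?P<name>\S+)$"),
    "class_maps": re.compile(r"class-map type inspect match-\w+ (?P<name>\S+)$"),
    "policy_maps": re.compile(r"policy-map type inspect (?P<name>\S+)$"),
    "zone_pairs": re.compile(r"zone-pair security (?P<name>\S+) source (?P<src>\S+) "
                             r"destination (?P<dst>\S+)$"),
    "interfaces": re.compile(r"interface (?P<name>\S+)$"),
}


def parse_zpf(config_text):
    """Collect the ZPF objects of a running-config into one dict of records."""
    cfg = {kind: {} for kind in TOP}
    cfg["zones"]["self"] = {}              # the predefined self zone always exists
    obj = None                             # record of the current top-level section
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):       # a top-level command opens a new section
            obj = None
            for kind, rx in TOP.items():
                if m := rx.match(line.rstrip()):
                    obj = cfg[kind][m.group("name")] = dict(m.groupdict(), matches=[], classes=[],
                                                            zones=[], policy=None, ip_inspect=False)
            continue
        sub = line.strip()
        if obj is None:
            continue                       # sub-command of a section we do not track
        if sub.startswith("match "):
            obj["matches"].append(sub[6:])
        elif m := re.match(r"class (?:type inspect )?(\S+)$", sub):
            obj["classes"].append(m.group(1))
        elif m := re.match(r"service-policy type inspect (\S+)$", sub):
            obj["policy"] = m.group(1)
        elif m := re.match(r"zone-member security (\S+)$", sub):
            obj["zones"].append(m.group(1))
        elif sub.startswith("ip inspect "):
            obj["ip_inspect"] = True
    return cfg


def lint_zpf(cfg):
    """Return findings; an empty list means the ZPF objects are consistent."""
    findings = []
    for pm, d in cfg["policy_maps"].items():
        for cm in d["classes"]:
            if cm != "class-default" and cm not in cfg["class_maps"]:
                findings.append(f"policy-map {pm}: class-map {cm} is not defined")
    for zp, d in cfg["zone_pairs"].items():
        for zone in (d["src"], d["dst"]):
            if zone not in cfg["zones"]:
                findings.append(f"zone-pair {zp}: zone {zone} is not defined")
        if d["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp}: policy-map {d['policy']} is not defined (default is drop)")
    any_zoned = any(d["zones"] for d in cfg["interfaces"].values())
    for intf, d in cfg["interfaces"].items():
        for zone in d["zones"]:
            if zone not in cfg["zones"]:
                findings.append(f"interface {intf}: zone {zone} is not defined")
        if d["zones"] and d["ip_inspect"]:
            findings.append(f"interface {intf}: remove ip inspect before zone-member security")
        if not d["zones"] and any_zoned:
            findings.append(f"interface {intf}: no zone; traffic to and from zone members is dropped")
    return findings
```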
10.3.10 Video Demonstration – ZPFs
10.3.11 Packet Tracer - Configure a ZPF
In this Packet Tracer, you will complete the following objectives:
Verify connectivity among devices before firewall configuration.
Configure a ZPF on router R3.
Verify ZPF functionality using ping, Telnet, and a web browser.
interface is defined as a member of a zone, traffic is permitted to exit the egress
interface. Similarly, if both interfaces are members of the same zone, then traffic is
allowed to pass. However, if one interface is a member of a zone and the other is not,
traffic will be dropped. It is important to understand these and the other rules covered
in the module.
A special zone exists that is known as the self zone. The self zone is the router itself. In
the self zone, the router interfaces serve as either the source or destination of the
traffic. Self zone traffic is either for management of the device, or for traffic forwarding
control. Similar to the rules for transit traffic, rules exist for how traffic in the self zone
will be handled.
Configure a ZPF
There are five steps in the process of configuring a ZPF. First, the zones are created.
Next, one or more class maps are created to specify the traffic that should be
associated with a policy. Then, policies are created that associate the class-map traffic
with the pass, drop, or inspect actions. It is then necessary to create zone pairs that
will be associated with policy maps. Finally, interfaces are associated with zones. At this
point, the ZPF policy is active.
10.4.2 Module 10 - Zone-Based Firewalls Quiz
Question 1
Which statement accurately describes Cisco IOS zone-based policy firewall
operation?
The pass action works in only one direction.
A router interface can belong to multiple zones.
Service policies are applied in interface configuration mode.
Router management interfaces must be manually assigned to the self zone.
Question 2
How does ZPF handle traffic between an interface that is a zone member and
another interface that does not belong to any zone?
Pass
Drop
Allow
Inspect
Question 3
Which statement describes a factor to be considered when configuring a zone-based
policy firewall?
An interface can belong to multiple zones.
The router always filters the traffic between interfaces in the same zone.
The classic firewall ip inspect command can coexist with ZPF as long as it is used on
interfaces that are in the same security zones.
A zone must be configured with the zone security global command before it can be
used in the zone-member security command.
Question 4
Which statement describes one of the rules that govern interface behavior in the
context of implementing a zone-based policy firewall configuration?
An administrator can assign an interface to multiple security zones.
An administrator can assign interfaces to zones, regardless of whether the zone has
been configured.
By default, traffic is allowed to flow among interfaces that are members of the same
zone.
By default, traffic is allowed to flow between a zone member interface and any
interface that is not a zone member.
Question 5
Designing a ZPF requires several steps. Which step involves defining boundaries
where traffic is subjected to policy restrictions as it crosses to another region of the
network?
Determine the zones
Establish policies between zones
Design the physical infrastructure
Identify subsets within zones and merge traffic requirements
Question 6
When a Cisco IOS zone-based policy firewall is being configured, which two actions
can be applied to a traffic class? (Choose two.)
Log
Hold
Drop
Inspect
Copy
Forward
Question 7
Which three statements describe zone-based policy firewall rules that govern
interface behavior and the traffic moving between zone member interfaces? (Choose
three.)
An interface can be assigned to multiple security zones.
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect, and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in a router, each interface must be a
member of a zone.
Traffic is implicitly prevented from flowing by default among interfaces that are
members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or
inspecting traffic must be configured between that zone and any other zone.
Question 8
Which statement describes a feature of a zone-based policy firewall?
It does not depend on ACLs.
All traffic through a given interface is subject to the same inspection.
The router security posture is to allow traffic unless explicitly blocked.
It uses a flat, non-hierarchical data structure making it easier to configure and
troubleshoot.
Question 9
In what step of zone-based policy firewall configuration is traffic identified for policy
application?
Assigning policy maps to zones
Creating policy maps
Configuring class maps
Defining zones
Question 10
When configuring a class map for a zone-based policy firewall, how is the match
criteria applied when using the match-all parameter?
Traffic must match all of the match criteria specified in the statement.
Traffic must match the first criteria in the statement.
Traffic must match at least one of the match criteria statements.
Traffic must match all of the criteria solely defined by ACLs.
Question 11
In ZPF design, what is described as the self zone?
A predefined cluster of servers with configured interfaces
A predefined cluster of routers with configured interfaces
The outward facing interface on the edge router
The router itself, including all interfaces with assigned IP addresses
Question 12
Which statement describes a zone when implementing ZPF on a Cisco router?
A zone establishes a security border of a network.
Only one zone can be attached to a single interface.
A zone is used to implement traffic filtering for either TCP or UDP.
A zone is used to define security policies for a unique interface on the router.
Checkpoint Exam: ACLs and Firewalls Group Exam
This exam will cover material from Modules 8-10 of the Network Security 1.0
curriculum.
Copyright 2021, Cisco Systems, Inc.
Question 1
Which two pieces of information are required when creating a standard access
control list? (Choose two.)
subnet mask and wildcard mask
access list number between 100 and 199
destination address and wildcard mask
source address and wildcard mask
access list number between 1 and 99
Question 2
When creating an ACL, which keyword should be used to document and interpret the
purpose of the ACL statement on a Cisco device?
established
description
eq
done
remark
Question 3
What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0
access-list 10 permit 192.168.16.0 0.0.15.255
access-list 10 permit 192.168.0.0 0.0.15.255
access-list 10 permit 192.168.16.0 0.0.0.255
access-list 10 permit 192.168.16.0 0.0.3.255
Question 4
If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL
according to best practice?
permit udp any any range 10000 20000
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
deny udp any host 172.16.1.5 eq snmptrap
permit ip any any
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
Question 5
What two steps provide the quickest way to completely remove an ACL from a
router? (Choose two.)
Use the no access-list command to remove the entire ACL.
Use the no keyword and the sequence number of every ACE within the named ACL to
be removed.
Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into
the router.
Removal of the ACEs is the only step required.
Remove the inbound/outbound reference to the ACL from the interface.
Modify the number of the ACL so that it doesn't match the ACL associated with the
interface.
Question 6
To facilitate the troubleshooting process, which inbound ICMP message should be
permitted on an outside interface?
time-stamp request
echo reply
router advertisement
time-stamp reply
echo request
Question 7
A network administrator configures an ACL with the command R1(config)# access-list
1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL
statement? (Choose two.)
172.16.65.21
172.16.0.255
172.16.16.12
172.16.31.24
172.16.15.36
Question 8
What are two characteristics of a stateful firewall? (Choose two.)
uses connection information maintained in a state table
prevents Layer 7 attacks
analyzes traffic at Layers 3, 4 and 5 of the OSI model
uses complex ACLs which can be difficult to configure
uses static packet filtering techniques
Question 9
What are two differences between stateful and stateless firewalls? (Choose two.)
A stateless firewall is able to filter sessions that use dynamic port negotiations while a
stateful firewall cannot.
A stateless firewall will examine each packet individually while a stateful firewall
observes the state of a connection.
A stateless firewall provides more stringent control over security than a stateful
firewall.
A stateless firewall will provide more logging information than a stateful firewall.
A stateful firewall will prevent spoofing by determining whether packets belong to
an existing connection while a stateless firewall follows pre-configured rule sets.
Question 10
Which type of firewall makes use of a proxy server to connect to remote servers on
behalf of clients?
application gateway firewall
stateless firewall
stateful firewall
packet filtering firewall
Question 11
What is one benefit of using a stateful firewall instead of a proxy server?
better performance
prevention of Layer 7 attacks
ability to perform packet filtering
ability to perform user authentication
Question 12
When implementing components into an enterprise network, what is the purpose of
a firewall?
A firewall is a system that inspects network traffic and makes forwarding decisions
based solely on Layer 2 Ethernet MAC addresses.
A firewall is a system that enforces an access control policy between internal
corporate networks and external networks.
A firewall is a system that stores vast quantities of sensitive and business-critical
information.
A firewall is a system that is designed to secure, monitor, and manage mobile devices,
including corporate-owned devices and employee-owned devices.
Question 13
What are two possible limitations of using a firewall in a network? (Choose two.)
A misconfigured firewall can create a single point of failure.
It cannot sanitize protocol flows.
It increases security management complexity by requiring off-loading network access
control to the device.
Network performance can slow down.
It provides accessibility of applications and sensitive resources to external untrusted
users.
Question 14
What is one limitation of a stateful firewall?
cannot filter unnecessary traffic
poor log information
not as effective with UDP- or ICMP-based traffic
weak user authentication
Question 15
Which two statements describe the two configuration models for Cisco IOS firewalls?
(Choose two.)
IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.
ZPF must be enabled in the router configuration before enabling an IOS Classic
Firewall.
IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
The IOS Classic Firewall and ZPF cannot be combined on a single interface.
Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies.
Question 16
What is the result in the self zone if a router is the source or destination of traffic?
Only traffic that is destined for the router is permitted.
Only traffic that originates in the router is permitted.
No traffic is permitted.
All traffic is permitted.
Question 17
What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI?
Assign policy maps to zone pairs.
Define firewall policies.
Define traffic classes.
Assign router interfaces to zones.
Create zones.
Question 18
When using Cisco IOS zone-based policy firewall, where is the inspection policy
applied?
to an interface
to a global service policy
to a zone pair
to a zone
Question 19
Designing a ZPF requires several steps. Which step involves dictating the number of
devices between most-secure and least-secure zones and determining redundant
devices?
design the physical infrastructure
establish policies between zones
determine the zones
identify subsets within zones and merge traffic requirements
Question 20
Which two rules about interfaces are valid when implementing a Zone-Based Policy
Firewall? (Choose two.)
If both interfaces are members of the same zone, all traffic will be passed.
If neither interface is a zone member, then the action is to pass traffic.
If one interface is a zone member and a zone-pair exists, all traffic will be passed.
If one interface is a zone member, but the other is not, all traffic will be passed.
If both interfaces belong to the same zone-pair and a policy exists, all traffic will be
passed.
Question 21
When a Cisco IOS zone-based policy firewall is being configured, which three actions
can be applied to a traffic class? (Choose three.)
reroute
shape
drop
inspect
queue
pass
software vendor, as shown in the figure. The term zero-day describes the moment
when a previously unknown threat is identified.
Zero-Day Exploit Attack
During the time it takes the software vendor to develop and release a patch, the
network is vulnerable to these exploits, as shown in the figure. Defending against
these fast-moving attacks requires network security professionals to adopt a more
sophisticated view of the network architecture. It is no longer possible to contain
intrusions at a few points in the network.
Microsoft Internet Explorer Zero-Day Vulnerability
The information gathered in logfiles will also help to inform measures taken in
response to the exploit, such as containment and mitigation.
Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic
on a network. The figure shows that an IDS-enabled device copies the traffic stream
and analyzes the copied traffic rather than the actual forwarded packets.
Intrusion Detection System Operation
Working offline, the IDS compares the captured traffic stream with known malicious
signatures, similar to software that checks for viruses. Working offline means several
things:
The IDS works passively.
The IDS device is physically positioned in the network so that traffic must be
mirrored in order to reach it.
Network traffic does not pass through the IDS unless it is mirrored.
Very little latency is added to network traffic flow.
Although the traffic is monitored, logged, and perhaps reported, no action is taken on
packets by the IDS. This offline IDS implementation is referred to as promiscuous
mode.
The advantage of operating with a copy of the traffic is that the IDS does not negatively
affect the packet flow of the forwarded traffic. The disadvantage of operating on a
copy of the traffic is that the IDS cannot stop malicious single-packet attacks from
reaching the target. An IDS often requires assistance from other networking devices,
such as routers and firewalls, to respond to an attack.
A better solution is to use a device that can immediately detect and stop an attack. An
Intrusion Prevention System (IPS) performs this function.
11.1.3 Intrusion Prevention and Detection Devices
A networking architecture paradigm shift is required to defend against fast-moving and
evolving attacks. This must include cost-effective detection and prevention systems,
such as intrusion detection systems (IDS) or the more scalable intrusion prevention
systems (IPS). The network architecture integrates these solutions into the entry and
exit points of the network.
When implementing IDS or IPS, it is important to be familiar with the types of systems
available, host-based and network-based approaches, the placement of these systems,
the role of signature categories, and possible actions that a Cisco IOS router can take
when an attack is detected.
The figure shows how an IPS device handles malicious traffic.
IDS and IPS Characteristics
1. Malicious traffic is sent to the target host that is inside the network.
2. The traffic is routed into the network and received by an IPS-enabled sensor where
it is blocked.
3. The IPS-enabled sensor sends logging information regarding the traffic to the
network security management console.
4. The IPS-enabled sensor kills the traffic. (It is sent to the “Bit Bucket.”)
IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in
the form of several different devices:
A router configured with IPS software
A device specifically designed to provide dedicated IDS or IPS services
A hardware module installed in an adaptive security appliance (ASA), switch, or
router
IDS and IPS technologies use signatures to detect patterns in network traffic. A
signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures
can be used to detect severe breaches of security, to detect common network attacks,
and to gather information. IDS and IPS technologies can detect atomic signature
patterns (single-packet) or composite signature patterns (multi-packet).
11.1.4 Advantages and Disadvantages of IDS and IPS
IDS Advantages and Disadvantages
The table summarizes the advantages and disadvantages of IDS and IPS.
Solution: IDS
Advantages: No impact on network (latency, jitter); No network impact if there is a sensor failure; No network impact if there is sensor overload
Disadvantages: Response action cannot stop trigger packets; Correct tuning required for response actions; More vulnerable to network security evasion techniques
Solution: IPS
Advantages: Stops trigger packets; Can use stream normalization techniques
Disadvantages: Sensor issues might affect network traffic; Sensor overloading impacts the network; Some impact on network (latency, jitter)
IDS Advantages and Disadvantages
IDS Advantages
An IDS is deployed in offline mode and therefore:
The IDS does not impact network performance. Specifically, it does not introduce
latency, jitter, or other traffic flow issues.
The IDS does not affect network functionality if the sensor fails. It only affects the
ability of the IDS to analyze the data.
IDS Disadvantages
Disadvantages of an IDS include:
An IDS sensor cannot stop the packets that have triggered an alert and is less
helpful in detecting email viruses and automated attacks, such as worms.
Tuning IDS sensors to achieve expected levels of intrusion detection can be very
time-consuming. Users deploying IDS sensor response actions must have a well-
designed security policy and a good operational understanding of their IDS
deployments.
An IDS implementation is more vulnerable to network security evasion techniques
because it is not inline.
IPS Advantages and Disadvantages
IPS Advantages
Advantages of an IPS include:
An IPS sensor can be configured to drop the trigger packets, the packets associated
with a connection, or packets from a source IP address.
Because IPS sensors are inline, they can use stream normalization. Stream
normalization is a technique used to reconstruct the data stream when the attack
occurs over multiple data segments.
IPS Disadvantages
Disadvantages of an IPS include:
Because it is deployed inline, errors, failure, and overwhelming the IPS sensor with
too much traffic can have a negative effect on network performance.
An IPS sensor can affect network performance by introducing latency and jitter.
An IPS sensor must be appropriately sized and implemented so that time-sensitive
applications, such as VoIP, are not adversely affected.
Deployment Considerations
You can deploy both an IPS and an IDS. Using one of these technologies does not negate the
use of the other. In fact, IDS and IPS technologies can complement each other.
For example, an IDS can be implemented to validate IPS operation because the IDS can be
configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more
critical traffic patterns inline.
Deciding which implementation to use is based on the security goals of the organization as
stated in their network security policy.
11.1.5 Check Your Understanding - Compare IDS and IPS Characteristics
Select the corresponding delivery method for each characteristic.
Host-based IPS
Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious
activity. A significant advantage of HIPS is that it can monitor and protect operating
system and critical system processes that are specific to that host. With detailed
knowledge of the operating system, HIPS can monitor abnormal activity and prevent
the host from executing commands that do not match typical behavior. This suspicious
or malicious behavior might include unauthorized registry updates, changes to the
system directory, executing installation programs, and activities that cause buffer
overflows. Network traffic can also be monitored to prevent the host from
participating in a denial-of-service (DoS) attack or being part of an illicit FTP session.
HIPS can be thought of as a combination of antivirus software, antimalware software,
and a firewall. An example of a HIPS is Windows Defender. It provides a range of
protection measures for Windows hosts. Combined with a network-based IPS, HIPS is
an effective tool in providing additional protection for the host.
A disadvantage of HIPS is that it operates only at a local level. It does not have a
complete view of the network, or coordinated events that might be happening across
the network. To be effective in a network, HIPS must be installed on every host and
have support for every operating system. The table lists the advantages and
disadvantages of HIPS.
Advantages: Provides protection specific to a host operating system; Provides operating system and application level protection; Protects the host after the message is decrypted
Disadvantages: Operating system dependent; Must be installed on all hosts
Network-based IPS
A network-based IPS can be implemented using a dedicated or non-dedicated IPS
device such as a router. Network-based IPS implementations are a critical component
of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a
network-based IPS implementation to ensure a robust security architecture.
Sensors detect malicious and unauthorized activity in real time and can take action
when required. As shown in the figure, sensors are deployed at designated network
points. This enables security managers to monitor network activity while it is occurring,
regardless of the location of the attack target.
Sample IPS Sensor Deployment
11.2.2 Network-Based IPS
Network-based IPS Sensors can be implemented in several ways:
On a Cisco Firepower appliance
On an ASA firewall device
On an ISR router
As a virtual Next-Generation IPS (NGIPSv) for VMware
An example of a network-based IPS is the Cisco Firepower NGIPS. It is tuned for
intrusion prevention analysis. The underlying operating system of the platform is
stripped of unnecessary network services, and essential services are secured. This is
known as hardening.
The hardware of all network-based sensors includes three components:
NIC - The network-based IPS must be able to connect to any network, such as
Ethernet, Fast Ethernet, and Gigabit Ethernet.
Processor - Intrusion prevention requires CPU power to perform intrusion
detection analysis and pattern matching.
Memory - Intrusion detection analysis is memory-intensive. Memory directly
affects the ability of a network-based IPS to efficiently and accurately detect an
attack.
Network-based IPS gives security managers real-time security insight into their
networks regardless of growth. Additional hosts can be added to protected networks
without requiring more sensors. Additional sensors are only required when their rated
traffic capacity is exceeded, when their performance does not meet current needs, or
when a revision in security policy or network design requires additional sensors to help
enforce security boundaries. When new networks are added, additional sensors are
easy to deploy.
11.2.3 Modes of Deployment
IDS and IPS sensors can operate in inline mode (also known as inline interface pair
mode) or promiscuous mode (also known as passive mode).
As shown in the figure, packets do not flow through the sensor in promiscuous mode.
The sensor analyzes a copy of the monitored traffic, not the actual forwarded packet.
The advantage of operating in promiscuous mode is that the sensor does not affect the
packet flow with the forwarded traffic. The disadvantage of operating in promiscuous
mode is that the sensor cannot stop malicious traffic from reaching its intended target
for certain types of attacks, such as atomic attacks (single-packet attacks). The
response actions implemented by promiscuous sensor devices are post-event
responses and often require assistance from other networking devices (for example,
routers and firewalls) to respond to an attack. Such response actions can prevent some
classes of attacks. However, in atomic attacks the single packet has the chance of
reaching the target system before the promiscuous-based sensor can apply an ACL
modification on a managed device (such as a firewall, switch, or router). In the figure,
Switched Port Analyzer (SPAN) is used to mirror the traffic entering, going to, and
coming from the host.
Promiscuous Mode
As shown in the figure below, operating in inline mode puts the IPS directly into the
traffic flow and makes packet-forwarding rates slower by adding latency. Inline mode
allows the sensor to stop attacks by dropping malicious traffic before it reaches the
intended target, thus providing a protective service. Not only is the inline device
processing information on Layers 3 and 4, but it is also analyzing the contents and
payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This
deeper analysis lets the system identify and stop or block attacks that would pass
through a traditional firewall device. An IDS sensor could also be deployed inline. The
IDS would be configured so that it only sends alerts and does not drop any packets.
Inline Mode
11.2.4 Check Your Understanding - Compare IDS and IPS Deployment
Check your understanding of IDS and IPS by choosing the correct answer to the
following questions.
Question 1
True or False? A HIPS can be configured in either promiscuous or inline mode.
True
False
Question 2
What is true of a NIPS that is running in inline mode?
It can not stop malicious traffic from reaching its destination.
NIPS post-event responses require assistance from other networking devices.
It can add latency to the network.
It requires SPAN to perform traffic mirroring in order to operate.
Question 3
What is true of a HIPS?
HIPS software combines anti-virus, anti-malware, and firewall functionality.
HIPS software makes a network-based IPS unnecessary.
HIPS software is aware of conditions throughout the network.
HIPS can not prevent hosts from participating in DDoS attacks.
Question 4
What is an example of a HIPS?
A Cisco Firepower appliance
Windows Defender
A router with IPS software
An ASA firewall device
11.3 IPS on Cisco ISRs
11.3.1 IPS Components
An IPS sensor has two components:
IPS detection and enforcement engine - To validate traffic, the detection engine
compares incoming traffic with known attack signatures that are included in the IPS
attack signature package.
IPS attack signatures package - This is a list of known attack signatures that are
contained in one file. The signature pack is updated frequently as new attacks are
discovered. Network traffic is analyzed for matches to these signatures.
As shown in the figure, the IPS detection and enforcement engine that can be
implemented depends on the router platform:
Cisco IOS Intrusion Prevention System (IPS) - This is available on older Cisco 800,
1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported and should not be
used.
Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco Cloud
Services Routers in the 1000v Series.
The Cisco Snort IPS delivers traditional intrusion detection and prevention by
comparing network traffic to continually updated databases of known malware and
threat signatures. The Cisco IOS IPS signatures are no longer updated.
Cisco IPS Options
11.3.3 Snort IPS
Many of the devices that supported Cisco IOS IPS are no longer available, or no longer
supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) no longer
support IOS IPS. Instead, they provide IPS services using the Snort IPS feature. Snort IPS
complements existing network security features of the 4000 Series without the need
to deploy a second appliance at branch locations.
Snort is the most widely deployed IPS solution in the world. It is an open source
network IPS that performs real-time traffic analysis and generates alerts when threats
are detected on IP networks. It can also perform protocol analysis, content searching
or matching, and detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, and so on.
The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual
service container is a virtual machine that runs on the ISR router operating system.
Service containers are applications that can be hosted directly on Cisco IOS XE routing
platforms. These apps use the Linux aspects of the IOS XE operating system to host
both Linux Virtual Containers (LXC) and Kernel virtual machines (KVM). The Snort
container is distributed as an Open Virtualization Appliance (OVA) file that is installed
on the router.
Unlike IOS IPS, Snort IPS can use the computing power of the service container to scale
security with the platform without affecting routing capabilities or other data plane
functionality. The virtual service supports three resource profiles that indicate how the
Snort container uses system CPU, RAM, and Flash or disk resources.
Snort IPS
11.3.4 Snort Operation
Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are
currently more than 30,000 signatures in the Snort rule set. It also supports the ability
to customize rule sets and provides centralized deployment and management
capabilities for 4000 Series ISRs.
Snort can be enabled in either of the following modes:
IDS mode - Snort inspects the traffic and reports alerts, but does not take any
action to prevent attacks.
IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.
In the network intrusion detection and prevention mode, Snort performs the following
actions:
Monitors network traffic and analyzes against a defined rule set.
Performs attack classification.
Invokes actions against matched rules.
The Snort IPS monitors the traffic and reports events to an external log server or the
IOS syslog. Enabling logging to the IOS syslog may impact performance due to the
potential volume of log messages. External third-party monitoring tools that support
Snort logs can be used for log collection and analysis.
11.3.5 Snort Features
The table lists the features and benefits of Snort IPS.
Feature - Benefit
Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) -
Snort open-source IPS, capable of performing real-time traffic analysis and packet
logging on IP networks, runs on the 4000 Series ISR service container without the need
to deploy an additional device at the branch.
Snort rule set updates - Snort rule set updates for 4000 Series ISRs are generated by
Cisco Talos, a group of leading-edge network security experts who work around the
clock to proactively discover, assess, and respond to the latest trends in hacking
activities, intrusion attempts, malware, and vulnerabilities.
Snort rule set pull - The router will be able to download rule sets directly from
cisco.com or snort.org to a local server, using one-time commands or periodic
automated updates.
Snort rule set push - A centralized management tool can push the rule sets based on
preconfigured policy, instead of the router directly downloading on its own.
Signature allowed listing - Allowed listing allows the disabling of certain signatures
from the rule set. Disabled signatures can be reenabled at any time.
11.3.6 Snort System Requirements
To run the service container infrastructure with IDS/IPS functionality, Snort IPS
requires an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory (DRAM)
and 8 GB of flash.
Note: The Cisco 4200 series ISR does not support the default Snort IPS
implementation.
A security K9 license (SEC) is required to activate Snort IPS functionality. Customers
also need to purchase a yearly subscription for the signature package distributed
on cisco.com. To keep current with the latest threat protection, Snort rule sets are
term-based subscriptions, available for one or three years.
There are two types of term-based subscriptions:
Community Rule Set - This set offers limited coverage against threats, focusing on
reactive response to security threats versus proactive research work. There is 30-
day delayed access to updated signatures in the Community Rule Set, and this
subscription does not entitle the customer to Cisco support.
Subscriber Rule Set - This set offers the best protection against threats. It includes
coverage in advance of exploits by using the research work of the Cisco Talos
security experts. The Subscriber Rule Set also provides the fastest access to
updated signatures in response to a security incident or the proactive discovery of
a new threat. This subscription is fully supported by Cisco.
PulledPork is a rule management application that can be used to automatically
download Snort rule updates. In order to use PulledPork, you must obtain an
authorization code, called an oinkcode, from your snort.org account. The oinkcode is
free with registration.
11.3.7 Check Your Understanding - IPS on Cisco ISRs
Check your understanding of Snort on Cisco ISRs by answering the following questions.
Question 1
Snort IPS is available on which router platform?
Cisco 800
Cisco 1800
Cisco 2900
Cisco 4000
Question 2
Where does the Snort engine run?
DRAM
NVRAM
Service container
Question 3
In which operating mode does Snort IDS inspect traffic and report alerts, but does
not take any action to prevent attacks?
IDS mode
IPS mode
Inline mode
Offline mode
11.4 Cisco Switched Port Analyzer
11.4.1 Network Monitoring Methods
The day-to-day operation of a network consists of common patterns of traffic flow,
bandwidth usage, and resource access. Together, these patterns identify normal
network behavior. Security analysts must be intimately familiar with normal network
behavior because abnormal network behavior typically indicates a problem.
To determine normal network behavior, network monitoring must be implemented.
Various tools are used to help discover normal network behavior including IDS, packet
analyzers, SNMP, NetFlow, and others.
Some of these tools require captured network data. There are two common methods
used to capture traffic and send it to network monitoring devices:
Network taps, sometimes known as test access points (TAPs)
Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring
approaches
11.4.2 Network Taps
A network tap is typically a passive splitting device implemented inline between a
device of interest and the network. A tap forwards all traffic, including physical layer
errors, to an analysis device while also allowing the traffic to reach its intended
destination.
The figure displays a sample topology displaying a tap installed between a network
firewall and the internal router.
Notice how the tap simultaneously sends both the transmit (TX) data stream from the
internal router and the receive (RX) data stream to the internal router on separate,
dedicated channels. This ensures that all data arrives at the monitoring device in real
time. Therefore, network performance is not affected or degraded by monitoring the
connection.
Taps are also typically fail-safe, which means if a tap fails or loses power, traffic
between the firewall and internal router is not affected.
Search the internet for information on NetScout Taps for copper UTP Ethernet, fiber
Ethernet, and serial links.
11.4.3 Traffic Mirroring and SPAN
Network switches segment the network by design. This limits the amount of traffic that
is visible to network monitoring devices. Because capturing data for network
monitoring requires all traffic to be captured, special techniques must be employed to
bypass the network segmentation imposed by network switches. Port mirroring is one
of these techniques. Supported by many enterprise switches, port mirroring enables
the switch to copy frames that are received on one or more ports to a Switch Port
Analyzer (SPAN) port that is connected to an analysis device.
The table identifies and describes terms used by the SPAN feature.
SPAN Term - Description
Ingress traffic - Traffic that enters the switch.
Egress traffic - Traffic that leaves the switch.
Source (SPAN) port - Source ports are monitored as traffic entering them is replicated
(mirrored) to the destination ports.
Destination (SPAN) port - A port that mirrors source ports. Destination SPAN ports often
connect to analysis devices such as a packet analyzer or an IDS.
The figure shows a switch that interconnects two hosts and mirrors traffic to an
intrusion detection device (IDS) and network management server.
SPAN
The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the
destination SPAN port G0/1 that connects to an IDS.
The association between source ports and a destination port is called a SPAN session.
In a single session, one or multiple ports can be monitored. On some Cisco switches,
session traffic can be copied to more than one destination port. Alternatively, a source
VLAN can be specified in which all ports in the source VLAN become sources of SPAN
traffic. Each SPAN session can have ports or VLANs as sources, but not both.
Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network
administrator to use the flexibility of VLANs to monitor traffic on remote switches.
11.4.4 Configure Cisco SPAN
The SPAN feature on Cisco switches sends a copy of each frame entering the source
port out the destination port and toward the packet analyzer or IDS.
A session number is used to identify a SPAN session. The examples show the monitor
session command, which is used to associate a source port and a destination port with
a SPAN session. A separate monitor session command is used for each session. A VLAN
can be specified instead of a physical port.
Switch(config)# monitor session number source [interface interface | vlan vlan]
Switch(config)# monitor session number destination [interface interface | vlan vlan]
In the figure below, PCA is connected to F0/1 and an IDS is connected to F0/2. The
objective is to capture all the traffic that is sent or received by PCA on port F0/1 and
send a copy of those frames to the IDS (or a packet analyzer) on port F0/2. The SPAN
session on the switch will copy all the traffic that it sends and receives on source port
F0/1 to the destination port F0/2.
Cisco SPAN Configuration
Note: Remote SPAN (RSPAN) can be used when the packet analyzer or IDS is on a
different switch than the traffic being monitored. RSPAN extends SPAN by enabling
remote monitoring of multiple switches across the network. The traffic for each RSPAN
session is carried over a user-specified RSPAN VLAN that is dedicated (for that RSPAN
session) in all participating switches.
11.4.5 Syntax Checker - Configure and Verify SPAN
Use this Syntax Checker to configure and verify SPAN.
Complete the following steps to configure SPAN on S1:
Enter global configuration mode.
Issue the SPAN command to monitor the traffic on source port fastethernet 0/1.
Use 1 for the session number.
Capture the session 1 monitored traffic on destination port fastethernet 0/2.
Exit global configuration mode.
S1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#monitor session 1 source interface fastethernet 0/1
S1(config)#monitor session 1 destination interface fastethernet 0/2
S1(config)#exit
*Mar 1 00:19:53.908: %SYS-5-CONFIG_I: Configured from console by console
S1#
Verify that SPAN has been configured to monitor source port F0/1 with captured traffic
being sent to F0/2.
S1#show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled
S1#
You have successfully configured and verified SPAN.
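The following Python script is an added example, not part of the course or of Cisco IOS. It parses the show monitor output shown above and checks that the session mirrors the intended source port in both directions to the intended destination port, which is the verification step a sensor operator wants to automate across many switches. The expected port names, the session number, and the second, deliberately misconfigured output are constructed for the example; the parser tolerates the lost indentation of the output as printed here.

```python
"""Parse Cisco IOS 'show monitor' output and verify a local SPAN session.

Added example, not code from the course or from Cisco.  The two outputs below
are constructed: the first reproduces the verified session from the text, the
second is a made-up misconfiguration used to exercise the checks.
"""
import re
from typing import Dict, List

SHOW_MONITOR_OK = """\
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled
"""

# Constructed: only one direction mirrored, wrong destination, ingress enabled.
SHOW_MONITOR_MISCONFIGURED = """\
Session 1
---------
Type : Local Session
Source Ports :
RX Only : Fa0/1
Destination Ports : Fa0/3
Encapsulation : Native
Ingress : Enabled
"""


def parse_show_monitor(output: str) -> Dict[int, dict]:
    """Return {session_number: {type, sources, source_vlans, destinations, ingress}}.

    'sources' maps each source port to its direction ('Both', 'RX Only', 'TX Only').
    """
    sessions: Dict[int, dict] = {}
    current = None
    section = None  # which source list the direction rows belong to
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = re.match(r"^Session\s+(\d+)$", line)
        if m:
            current = {"type": None, "sources": {}, "source_vlans": {},
                       "destinations": [], "ingress": None}
            sessions[int(m.group(1))] = current
            section = None
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Type":
            current["type"] = value
        elif key == "Source Ports":
            section = "sources"
        elif key == "Source VLANs":
            section = "source_vlans"
        elif key in ("Both", "RX Only", "TX Only") and section:
            for item in value.split(","):
                current[section][item.strip()] = key
        elif key == "Destination Ports":
            current["destinations"] = [v.strip() for v in value.split(",") if v.strip()]
        elif key == "Ingress":
            current["ingress"] = value
    return sessions


def check_span(sessions: Dict[int, dict], session_id: int,
               source: str, destination: str) -> List[str]:
    """Return a list of findings; an empty list means the session is as intended."""
    s = sessions.get(session_id)
    if s is None:
        return [f"session {session_id} is not configured"]
    findings = []
    direction = s["sources"].get(source)
    if direction is None:
        findings.append(f"{source} is not a source port of session {session_id}")
    elif direction != "Both":
        # An IDS fed only one direction never sees the other half of each flow.
        findings.append(f"{source} is mirrored {direction}; the IDS misses the other direction")
    if destination not in s["destinations"]:
        findings.append(f"{destination} is not a destination port of session {session_id}")
    if s["ingress"] == "Enabled":
        # With ingress enabled, frames sent by the analyzer are forwarded into the network.
        findings.append("ingress is enabled on the destination port; the analyzer should be passive")
    return findings


if __name__ == "__main__":
    for name, text in (("verified", SHOW_MONITOR_OK), ("misconfigured", SHOW_MONITOR_MISCONFIGURED)):
        print(name, check_span(parse_show_monitor(text), 1, "Fa0/1", "Fa0/2") or "OK")
```

Run it as is to compare the two outputs; in practice the text would come from the switch over SSH, one call per device, and any non-empty finding list is a session that no longer delivers the traffic the IDS is assumed to see.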
11.4.6 Packet Tracer - Implement a Local SPAN
In this lab, you will complete the following objectives:
Part 1: Build the Network and Verify Connectivity
Part 2: Configure Local SPAN and Capture Copied Traffic with Wireshark
malicious traffic through traffic mirroring. IDS can alert security personnel about a
potential attack. While the IDS does nothing to stop network attacks, it has no effect
on network performance. IPS devices work inline to prevent network attacks, however
they can add latency and slow network performance. IDS and IPS devices can be
routers equipped with IPS software, dedicated devices, or hardware modules installed
in adaptive security appliances, switches or routers.
IPS Implementations
Intrusion prevention systems can be host-based or network-based. HIPS are installed
on network hosts. They monitor activity on the host and can prevent attacks and log
suspicious activity. HIPS are like a combination of antimalware and firewall software.
HIPS have mostly a local view of the network and are only an effective solution if they
are used on all hosts. In addition, they should not be the only security measure taken
in a network, but instead are just one layer of security.
NIPS can be implemented using a dedicated device or a router with IPS software.
Network-based IPS act in real time to block malicious software and network attacks.
Network-based IPS can be deployed in two modes. In promiscuous mode, they
function as IDS by monitoring mirrored traffic. While they can’t stop network attacks,
they can alert personnel and log information when attacks occur. An inline mode IPS
processes all traffic that enters a network and checks that traffic at Layers 3 to 7. IPS
can also check the contents of payloads that are carried in network traffic, such as
email attachments. Because inline mode puts the IPS directly into the traffic flow it
makes packet-forwarding rates slower by adding latency. Inline mode allows the
sensor to stop attacks by dropping malicious traffic before it reaches the intended
target.
IPS on Cisco ISRs
Enabling IPS functionality on routers at the branch level is a cost-effective way to
protect networks with a single device. The IPS detection and enforcement engine that
ran on legacy router platforms was the Cisco IOS IPS. However, the Cisco IOS IPS is no
longer supported. For the 4000 Series ISR, the Cisco Snort IPS has replaced the IOS IPS.
Snort runs in a virtual container on the router hardware. The IPS function does not
affect the traffic forwarding functions of the router. When running as an IPS, Snort
monitors network traffic and analyzes it against a defined rule set. Snort can classify
attacks by type, and can perform actions against the traffic such as sending alerts,
logging events, and acting against traffic when attack signatures are matched. Snort
can be configured to automatically update its rules from an internet source such as
Cisco or snort.org. Problematic signatures can be disabled, and custom rules created.
Snort is intended to be run on 4300 ISR and above. It requires 8 GB of DRAM and 8 GB
of Flash to run. Resource profiles can be configured to control how Snort uses ISR
system resources.
Cisco Switched Port Analyzer
SPAN is a technology that enables network monitoring and IDS to function in
segmented networks. Network traffic is mirrored from source ports or VLANs to a
destination port or VLAN that is connected to the monitoring device or IDS. Traffic
from the source ports is copied and sent to the destination port. Traffic that enters the
switch is called ingress traffic, and traffic that exits the switch is called egress traffic. Source
ports carry the traffic that is to be monitored, and destination ports are connected to
the monitoring devices. The monitored traffic is copied and sent out of the destination
port. The configuration of SPAN entails defining the source and destination
switchports.
11.5.2 Module 11 - IPS Technologies Quiz
Question 1
What is an IPS signature?
It is the timestamp that is applied to logged security events and alarms.
It is the authorization that is required to implement a security policy.
It is a set of rules used to detect typical intrusive activity.
It is a security script that is used to detect unknown threats.
Question 2
Which network technology uses a passive splitting device that forwards all traffic,
including Layer 1 errors, to an analysis device?
NetFlow
Network tap
SNMP
IDS
Question 3
What is a characteristic of an IPS operating in inline-mode?
It does not affect the flow of packets in forwarded traffic.
It can stop malicious traffic from reaching the intended target.
It requires the assistance of another network device to respond to an attack.
It can only send alerts and does not drop any packets.
Question 4
What is a zero-day attack?
It is a computer attack that occurs on the first day of the month.
It is an attack that results in no hosts able to connect to a network.
It is a computer attack that exploits unreported software vulnerabilities.
It is an attack that has no impact on the network because the software vendor has
mitigated the vulnerability.
Question 5
What is a feature of an IPS?
It can stop malicious packets.
It has no impact on latency.
It is deployed in offline mode.
It is primarily focused on identifying possible incidents.
Question 6
Which network monitoring technology passively monitors network traffic to detect
attacks?
IDS
TAP
RSPAN
IPS
Question 7
Which open source network monitoring technology performs real-time traffic
analysis and generates alerts when threats are detected on IP networks?
Snort IPS
IOS IPS
SPAN
RSPAN
Question 8
Which Cisco platform supports Cisco Snort IPS?
800 series ISR
2900 series ISR
3900 series ISR
4000 series ISR
Question 9
Which device supports the use of SPAN to enable monitoring of malicious activity?
Cisco NAC
Cisco IronPort
Cisco Security Agent
Cisco Catalyst switch
Question 10
What is a host-based intrusion detection system (HIDS)?
It is an agentless system that scans files on a host for potential malware.
It identifies potential attacks and sends alerts but does not stop the traffic.
It detects and stops potential direct attacks but does not scan for malware.
It combines the functionalities of antimalware applications with firewall protection.
Question 11
Which network monitoring capability is provided by using SPAN?
Network analysts are able to access network device log files and to monitor network
behavior.
Real-time reporting and long-term analysis of security events are enabled.
Statistics on packets flowing through Cisco routers and multilayer switches can be
captured.
Traffic exiting and entering a switch is copied to a network monitoring device.
Question 12
What network monitoring tool can be used to copy packets moving through one
port, and send those copies to another port for analysis?
NAC
SNMP
SPAN
Syslog
Module 12: IPS Operation and Implementation
12.0 Introduction
12.0.1 Why Should I Take this Module?
A networking architecture paradigm shift is required to defend against fast-moving and
evolving attacks. This must include cost-effective detection and prevention systems,
such as intrusion detection systems (IDS) or the more scalable intrusion prevention
systems (IPS). The network architecture integrates these solutions into the entry and
exit points of the network.
When implementing IDS or IPS, it is important to be familiar with the types of IPS
systems available, the role of signature categories, and possible actions that a Cisco
IOS router can take when an attack is detected.
The first part of the module examines conventional IPS signatures and alerts. The
remainder of the module discusses the Snort IPS which can run on 4000 series ISR
devices.
12.0.2 What Will I Learn in this Module?
Module Title: IPS Operation and Implementation
Module Objective: Explain how signatures are used to detect malicious network
traffic.
Topic Title Topic Objective
IPS Signatures Describe IPS signatures.
Cisco Snort IPS Explain how the Cisco Snort IPS provides network security services.
Configure Snort IPS Explain how to configure Snort IPS on a Cisco ISR G2.
12.1 IPS Signatures
12.1.1 IPS Signature Attributes
The network must be able to identify incoming malicious traffic in order to stop it.
Fortunately, malicious traffic displays distinct characteristics or “signatures”.
Conceptually similar to the virus.dat file used by virus scanners, a signature is a set of
rules that an IDS and an IPS use to detect typical intrusion activity. Signatures uniquely
identify specific viruses, worms, protocol anomalies, and malicious traffic (e.g., a DoS
attack).
A malicious packet flow has a specific type of activity and signature. IPS sensors must
be tuned to look for matching signatures or abnormal traffic patterns. As sensors scan
network packets, they use signatures to detect known attacks and respond with
predefined actions. An IDS or IPS sensor examines the data flow using many different
signatures. A sensor takes action when it matches a signature with a data flow, such as
logging the event or sending an alarm to the IDS or IPS management software.
Signatures also have three distinctive attributes:
Type - Atomic or Composite
Trigger - Also called the alarm
Action - What the IPS will do
12.1.2 Types of Signatures
Some threats can be identified in one packet while other threats may require many
packets and their state information (i.e., IP addresses, port numbers, and more) to
identify a threat.
There are two types of signatures:
Atomic Signature - This is the simplest type of signature because a single packet,
activity, or event identifies an attack. The IPS does not need to maintain state
information and traffic analysis can usually be performed very quickly and
efficiently.
Composite Signature - Also called a stateful signature because the IPS requires
several pieces of data to match an attack signature. The IPS must also maintain
state information, which is referred to as the event horizon. The length of an event
horizon varies from one signature to the next.
12.1.3 IPS Signature Alarms
The heart of any IPS signature is the signature alarm, which is often referred to as the
signature trigger. The signature alarm (i.e., trigger) for an IPS sensor could be anything
that can reliably signal an intrusion or security policy violation. A network-based IPS
might trigger a signature action if it detects a packet with a payload containing a
specific string that is going to a specific TCP port, for example.
The IPS signature alarm is analogous to the alarm in a home security system. The
triggering mechanism for a burglar alarm could be a motion detector. When the
burglar alarm is enabled, the movement of an individual entering a room is detected.
This triggers the alarm.
These triggering mechanisms can be applied to atomic and composite signatures. The
triggering mechanisms can be simple or complex. Every IPS incorporates signatures
that use one or more of these basic triggering mechanisms to trigger signature actions.
There are four general IPS signature trigger categories as listed in the table.
Detection Type - Advantages
Pattern-Based Detection - Also known as signature-based detection. Simplest triggering
mechanism as it searches for a specific and pre-defined atomic or composite pattern. An
IPS sensor compares the network traffic to a database of known attacks, and triggers an
alarm or prevents communication if a match is found.
Anomaly-Based Detection - Also known as profile-based detection. Involves first
defining a profile of what is considered normal network or host activity. This normal
profile is usually defined by monitoring traffic and establishing a baseline. Once
defined, any activity beyond a specified threshold in the normal profile will generate a
signature trigger and action.
Policy-Based Detection - Also known as behavior-based detection. Although similar to
pattern-based detection, an administrator manually defines behaviors that are
suspicious based on historical analysis. The use of behaviors enables a single signature
to cover an entire class of activities without having to specify each individual situation.
Honey Pot-Based Detection - Honey pot-based detection uses a server as a decoy server
to attract attacks. The purpose of a decoy server is to lure attacks away from production
devices. Allows administrators time to analyze incoming attacks and malicious traffic
patterns to tune their sensor signatures.
12.1.4 IPS Signature Actions
When a signature detects the activity for which it is configured, the signature triggers
one or more actions.
Depending on the IPS sensor, various actions can be enabled. The table lists some
actions that an IPS sensor may provide.
Note: The available actions depend on the signature type and the platform.
Alert Category - Specific Action - Description
Generate an alert:
Produce alert - The IPS sends events as alerts.
Produce verbose alert - The IPS sends a detailed event alert.
Log the activity:
Log attacker packets - Logs packets from the attacker IP address and sends an alert.
Log pair packets - Logs packets from the victim and attacker IP addresses and sends an
alert.
Log victim packets - Logs packets from the victim IP address and sends an alert.
Deny the activity:
Deny packet inline - Terminates the packet.
Deny connection inline - Terminates the current packet and future packets on this TCP
flow.
Deny attacker inline - Terminates the current packet and future packets from this
attacker address for a specified period of time.
Reset the TCP connection:
Reset TCP connection - Sends TCP resets to hijack and terminate the TCP flow.
Block future activity:
Request block connection - Sends a request to a blocking device to block this
connection.
Request block host - Sends a request to a blocking device to block this attacker host.
Request SNMP trap - Sends a request to the notification application component of the
sensor to perform SNMP notification.
False negative - Attack traffic - No alarm generated - Tune alarm
Alerts can be classified as follows:
True positive - (Desirable) This is used when the IPS generates an alarm because it
detected known attack traffic. The alert has been verified to be an actual security
incident and also indicates that the IPS rule worked correctly.
True negative - (Desirable) This is used when the system is performing as expected.
No alerts are issued because the traffic that is passing through the system is clear
of threats.
False positive - (Undesirable) This is used when an IPS generates an alarm after
processing normal user traffic that should not have triggered an alarm. The IPS
must be tuned to change these alarm types to true negatives. The alert does not
indicate an actual security incident. Benign activity that results in a false positive is
sometimes referred to as a benign trigger. False positives are costly because they
must be investigated.
False negative - (Dangerous) This is used when an IPS fails to generate an alarm
and known attacks are not being detected. This means that exploits are not being
detected by the security systems that are in place. These incidents could go
undetected for a long time, and ongoing data loss and damage could result. The
goal is for these alarm types to generate true positive alarms.
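An added example, not code from the course or from any IPS product, that implements one atomic and one composite signature as described in 12.1.2, runs them as a small sensor over constructed traffic, and classifies the outcome per source into the four alert classes listed above. The addresses, payloads, the five-port/2-second scan threshold, the 'badbot-example' pattern and the ground-truth labels are all constructed for the demonstration and do not correspond to any real indicator.

```python
"""Atomic versus composite (stateful) IPS signatures, and alert classification.

Added example; not code from the Cisco course or from Snort.  Packets,
addresses, thresholds, the pattern string and the ground-truth labels are
constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    src: str        # source IP address (constructed)
    dport: int      # destination TCP port
    syn: bool       # new connection attempt (SYN without ACK)
    payload: bytes


class AtomicSignature:
    """Pattern-based trigger decided on the current packet alone: no state kept."""

    def __init__(self, sid: int, dport: int, pattern: bytes):
        self.sid, self.dport, self.pattern = sid, dport, pattern

    def check(self, pkt: Packet) -> Optional[int]:
        if pkt.dport == self.dport and self.pattern in pkt.payload:
            return self.sid
        return None


class PortScanSignature:
    """Composite trigger: one source sending SYNs to at least `threshold`
    distinct ports within `horizon` seconds.  The per-source history is the
    state the sensor must keep, and `horizon` is the event horizon."""

    def __init__(self, sid: int, threshold: int, horizon: float):
        self.sid, self.threshold, self.horizon = sid, threshold, horizon
        self.history = defaultdict(deque)  # src -> deque of (t, dport)

    def check(self, pkt: Packet) -> Optional[int]:
        if not pkt.syn:
            return None
        hist = self.history[pkt.src]
        hist.append((pkt.t, pkt.dport))
        while hist and pkt.t - hist[0][0] > self.horizon:  # expire events outside the horizon
            hist.popleft()
        if len({port for _, port in hist}) >= self.threshold:
            hist.clear()  # fire once per burst, then start counting again
            return self.sid
        return None


def build_signatures() -> list:
    """Fresh signature objects, so every run starts with empty state."""
    return [AtomicSignature(1001, 80, b"badbot-example"),
            PortScanSignature(2001, threshold=5, horizon=2.0)]


def run_sensor(packets: List[Packet], signatures: list) -> List[Tuple[str, int]]:
    """Feed packets in arrival order; return (src, sid) for every trigger."""
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.t):
        for sig in signatures:
            sid = sig.check(pkt)
            if sid is not None:
                alerts.append((pkt.src, sid))
    return alerts


def classify(alerts: List[Tuple[str, int]], labels: Dict[str, bool]) -> Dict[str, int]:
    """Per-source outcome; labels maps src -> True if its traffic really was malicious."""
    flagged = {src for src, _ in alerts}
    counts = {"true_positive": 0, "true_negative": 0, "false_positive": 0, "false_negative": 0}
    for src, malicious in labels.items():
        if src in flagged:
            counts["true_positive" if malicious else "false_positive"] += 1
        else:
            counts["false_negative" if malicious else "true_negative"] += 1
    return counts


PACKETS = (
    # 10.0.0.5: fast scan, five ports in under half a second -> composite trigger
    [Packet(0.1 * i, "10.0.0.5", port, True, b"") for i, port in enumerate((21, 22, 23, 25, 80))]
    # 10.0.0.6: ordinary HTTPS client, nothing to see
    + [Packet(1.0, "10.0.0.6", 443, True, b""),
       Packet(1.1, "10.0.0.6", 443, False, b"GET /index.html HTTP/1.1\r\n")]
    # 10.0.0.7: client announcing the constructed bad user agent -> atomic trigger
    + [Packet(2.0, "10.0.0.7", 80, False, b"GET / HTTP/1.1\r\nUser-Agent: badbot-example/1.0\r\n")]
    # 10.0.0.8: benign trigger, a legitimate URI happens to contain the pattern
    + [Packet(3.0, "10.0.0.8", 80, False, b"GET /blog/blocking-badbot-example HTTP/1.1\r\n")]
    # 10.0.0.9: slow scan, one port every three seconds, always outside the 2 s horizon
    + [Packet(20.0 + 3 * i, "10.0.0.9", port, True, b"") for i, port in enumerate((21, 22, 23, 25, 80))]
)
LABELS = {"10.0.0.5": True, "10.0.0.6": False, "10.0.0.7": True, "10.0.0.8": False, "10.0.0.9": True}


def demo() -> List[Tuple[str, int]]:
    return run_sensor(PACKETS, build_signatures())


if __name__ == "__main__":
    alerts = demo()
    print(alerts)
    print(classify(alerts, LABELS))
```

The two misclassified sources show the two tuning problems the text describes: the blog request is a benign trigger (false positive) caused by a content match that is too broad, and the slow scan is a false negative caused by an event horizon shorter than the attacker's pacing. Lengthening the horizon catches the slow scan but costs memory for every source the sensor tracks, which is the trade-off behind the "varies from one signature to the next" remark in 12.1.2.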
12.1.6 Check Your Understanding- IPS Signature Actions
Check your understanding of IPS signature actions by choosing the correct answer to
the following questions.
Question 1
Which action logs the IP address from a malicious source only and sends an alert?
Request block host
Drop or prevent the activity
Log attacker packets
Deny connection inline
Reset a TCP connection
Question 2
Which action terminates a malicious packet only?
Request drop host
Request block trap
Deny packet inline
Log attacker packets
Reset a TCP connection
Question 3
Which action makes the IPS device send TCP resets to hijack and terminate a TCP
flow?
Block future activity
Drop or prevent the activity
Deny packets inline
Log pair packets
Reset TCP connection
12.2 Cisco Snort IPS
12.2.1 IPS Service Options
Intrusion prevention services were available on the first-generation Integrated Services
Routers (ISR G1) using the Cisco IOS IPS. Cisco IOS IPS monitored and prevented
intrusions by comparing traffic against signatures of known threats and blocking the
traffic when a threat was detected.
Note: Support for Cisco IOS IPS was discontinued in 2018. Therefore, IOS IPS is no longer
recommended on branch routers.
Organizations now have three options available to provide intrusion prevention
services.
Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line threat
prevention appliances that provide industry leading effectiveness against both
known and unknown threats.
Cisco Snort IPS - This is an IPS service that can be enabled on a second generation
ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer support Cisco IOS
IPS.
External Snort IPS Server - This is similar to the Cisco Snort IPS solution but
requires a promiscuous port (i.e., a SPAN switch port) and an external Snort
IDS/IPS.
All three IPS services use Snort and receive rule updates from Cisco Talos.
12.2.2 NGIPS
NGIPSs are dedicated IPS appliances. They are built on Snort's core open technology
and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based
security intelligence provided by Cisco Talos.
NGIPS features include the following:
IPS rules that identify and block attack traffic targeted at network vulnerabilities.
Tightly integrated defense against advanced malware by incorporating advanced
analysis of network and endpoint activity.
Sandboxing technology that uses hundreds of behavioral indicators to identify
zero-day and evasive attacks.
Also includes Application Visibility and Control (AVC), Cisco Advanced Malware
Protection (AMP) for Networks, and URL Filtering.
Note: Further discussion of NGIPS appliances is out of scope for this course.
12.2.3 Snort IPS
Snort is an open source network IPS that performs real-time traffic analysis and
generates alerts when threats are detected on IP networks. It can also perform
protocol analysis, content searching or matching, and detect a variety of attacks and
probes (e.g., buffer overflows, stealth port scans, and more). Snort was inducted into
the InfoWorld Open Source Hall of Fame as one of the greatest pieces of open source
software ever.
The Snort engine can now run as a virtual container service on Cisco 4000 ISRs and
Cisco Cloud Services Router 1000v Series. It is ideal for smaller organizations looking
for a cost-effective routing and threat defense solution. For instance, an ISR G2 can
provide advanced routing capabilities and integrated threat defense security using
Snort IPS.
Snort IPS can be implemented with other security features integrated into the 4000
Series ISRs, such as VPN, zone-based Cisco IOS firewalls, and Cisco Cloud Web Security.
This enables the ISR to provide comprehensive threat protection in a small footprint.
This is crucial for small branch locations that need to address security for the local
internet connection. Snort IPS integrated in an ISR is a cost-effective alternative for
branch office locations because a separate firewall device is not required.
Snort IPS on the 4000 Series ISR provides the following functionalities:
IDS and IPS mode - Configure threat detection or prevention mode. In prevention
mode, attack traffic will be dropped.
Three signature levels - Snort provides three levels of signature protection:
connectivity (least secure), balanced (middle option), and security (most secure).
The security level is the most secure as it enables the highest number of signatures
to be verified.
An allowed list - This provides the ability to turn off certain signatures and helps to
avoid false positives such as legitimate traffic triggering an IPS action. Up to 1000
entries can be supported in the allowed list.
Snort health monitoring - Cisco IOS Software keeps track of the health of the Snort
engine that is running in the service container.
Fail open and close - In the event of IPS engine failure, the router can be
configured to block the traffic flow or to bypass IPS checking until the Snort engine
recovers.
Signature update - Automatic and manual updates are supported. Snort IPS can
download the signature package directly from cisco.com or a local resource
location over HTTP and HTTPS.
Event logging - IPS logs can be sent to an independent log collector or included
along with the router syslog stream. Sending IPS logs separately helps if the
security event management tool is different from the regular syslog server.
12.2.4 Snort Components and Rules
Snort IPS for 4000 Series ISRs consists of two components:
Snort engine - This is the IPS detection and enforcement engine that is included in
the Security (SEC) license for 4000 Series ISRs.
Snort rule software subscriptions for signature updates - Snort rule sets to keep
current with the latest threat protection are term-based subscriptions, available for
one or three years.
To address the rapidly evolving threat landscape, it is important to ensure that
signatures are as up-to-date as possible.
There are two types of term-based subscriptions:
Community Rule Set - Available for free, this subscription offers limited coverage
against threats. The community rule set focuses on reactive response to security
threats rather than proactive research work. Access to updated signatures is also
delayed by 30 days, meaning that the newest rule will be a minimum of 30 days old. In
addition, there is no Cisco customer support available.
Subscriber Rule Set - Available for a fee, this service provides the best protection
against threats. It includes coverage of advanced exploits by using the research work
of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest
access to updated signatures in response to a security incident or the proactive
discovery of a new threat. This subscription is fully supported by Cisco.
Note: Contact Cisco Support to obtain the subscriber rule set license.
12.2.5 ISR Container Applications
Routers were initially packet processing devices. However, over the years, they have
evolved to perform many computing functions. Routers have acquired so much
processing power that server applications can now be hosted inside the router using
virtual machines called service containers.
Applications such as Snort IPS can be uploaded and hosted on these routers. Service
containers are supported on most IOS XE platforms. IOS XE is based on the Linux
architecture and supports virtual machine hosting.
The Snort engine runs as a Linux Service Container application on the ISR 4000 as
shown in the figure. This provides it with dedicated computing resources that run
independently of the data plane CPU load. It also makes it easier for the Snort engine
to be regularly updated.
Specifically, the Snort engine on the 4000 Series ISR runs as a container application.
The 4000 Series ISR uses a multi-core CPU, and the Cisco IOS-XE has the ability to
allocate these cores for control-plane or data-plane functions. Computing resources
unused by control plane functions can be used for running other services. A Linux
container infrastructure hosts these applications. Applications running in this container
infrastructure can have a tighter integration with Cisco IOS Software.
12.2.6 Snort IPS Rule Alarms
In Snort IPS, signatures are written as "rules". A rule compares incoming traffic to a
rule header and a set of rule options; traffic that matches both triggers the rule's
action.
A rule header is conceptually similar to an access control list (ACL) statement. It is a
one-line statement that selects the traffic (protocol, addresses, ports, and direction)
to which the rule options are then applied in order to identify malicious traffic.
The basic rule header command syntax is:
[action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
Note: The Rule options contain additional rule information.
For example, the following sample header generates an alert whenever a TCP packet from
the hosts/ports identified by the source variables ($EXTERNAL_NET, $HTTP_PORTS) is going
to the hosts/ports identified by the destination variables ($HOME_NET, any), provided
the rule options also match:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
Refer to the figure for a detailed explanation of this example.
12.2.7 Snort IPS Rule Actions
Snort can be enabled in IDS mode or in IPS mode.
Snort IDS mode can perform the following three actions:
Alert - Generate an alert using the selected alert method.
Log - Log the packet.
Pass - Ignore the packet.
Snort IPS mode can perform all the IDS actions plus the following:
Drop - Block and log the packet.
Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or
an ICMP port unreachable message if the protocol is UDP.
Sdrop - Block the packet but do not log it.
12.2.8 Snort IPS Header Rule Options
A Snort rule also contains rule options (fields), enclosed in parentheses after the rule
header, that provide additional information for the rule. Options are separated by
semicolons (;) and rule option keywords are separated from their arguments using
colons (:).
The figure displays sample rule options for the alert tcp $EXTERNAL_NET
$HTTP_PORTS -> $HOME_NET any rule header.
The table describes the common general rule options and detection rule options in the
sample rule.
Note: These are just a few of the different types of rule options. For more examples,
search the internet for "snort rule options".
msg: - A simple text string that provides a meaningful message to output when the rule
matches.
flow: - Specifies the direction of the network traffic (for example, to_server) and the
required stream state (for example, established).
content: - A detection rule option that allows the rule creator to search for specific
content in the packet payload and trigger a response based on that data. The option
data can contain mixed text and binary data (binary bytes are written in hexadecimal
between pipe characters).
offset: / depth: - Detection modifiers for an absolute content match. offset specifies
how many bytes into the payload to start searching, and depth specifies how many bytes
from that starting point to search.
distance: / within: - Detection modifiers for a content match relative to the previous
content match. distance specifies how many bytes past the end of the previous match to
start searching, and within specifies the maximum number of bytes after the previous
match in which the new match must be found.
pcre: - A detection rule keyword that allows rules to be written using "Perl compatible
regular expressions", which allows for more complex matches.
byte_test: - A detection rule keyword that allows a rule to test a number of bytes
against a specific value in binary.
metadata: - Allows a rule creator to embed additional information about the rule.
reference: - Allows rules to include references to external sources of information.
classtype: - Identifies the potential effect of a successful attack.
sid: / rev: - The signature ID (sid) is a unique identifier for each rule, making rules
easy to identify. It should be used with the rev (revision) keyword to indicate the
current version of the rule.
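The rule syntax described in 12.2.6 through 12.2.8, as an added example that is not part of the original course material or of Snort itself: a small Python rule evaluator that parses the rule header form shown above and the msg, flow, content, offset, depth, distance, within, sid and rev options, resolves $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS from assumed bindings, and runs constructed rules against constructed packets. The rules, packets, variable bindings, the first-match behaviour and the flow-state handling are all assumptions of this example and simplify Snort's real semantics.

```python
"""Miniature Snort-style rule evaluator, added as an illustration (not Snort's own code). It parses the
header form shown in the text plus msg/flow/content/offset/depth/distance/within/sid/rev options."""
import ipaddress
import re
from collections import namedtuple

# Assumed variable bindings; real Snort reads these from its configuration (ipvar/portvar).
VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!192.168.0.0/24", "$HTTP_PORTS": "80,8080"}
HEADER_RE = re.compile(r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+"
                       r"(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
Packet = namedtuple("Packet", "proto src sport dst dport payload flow")  # flow: assumed stream state

def content_bytes(text):
    """Snort content mixes text with |hex| sections: 'a|0d 0a|b' -> b'a\\r\\nb'."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(text.split("|")))

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("unparseable rule: " + text)
    rule = dict(m.groupdict(), msg="", flow="", sid=0, rev=0, contents=[])  # contents: [(pattern, modifiers)]
    del rule["opts"]
    # Options are "keyword:argument;" pairs; a modifier applies to the content written just before it.
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key in ("msg", "flow"):
            rule[key] = val
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        elif key == "content":
            rule["contents"].append((content_bytes(val), {}))
        elif key in ("offset", "depth", "distance", "within"):
            rule["contents"][-1][1][key] = int(val)
    return rule

def addr_match(spec, addr):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negated

def port_match(spec, port):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negated = spec.startswith("!")
    for item in spec.lstrip("!").split(","):  # "80,8080", "1024:65535" or open-ended "1024:"
        lo, sep, hi = item.partition(":")
        low, high = (int(lo) if lo else 0), (int(hi) if hi else (65535 if sep else int(lo)))
        if low <= port <= high:
            return not negated
    return negated

def content_match(rule, payload):
    prev_end = 0  # end of the previous content match, the anchor for distance/within
    for pattern, mods in rule["contents"]:
        if "distance" in mods or "within" in mods:  # relative to the end of the previous match
            start = prev_end + mods.get("distance", 0)
            end = prev_end + mods["within"] if "within" in mods else len(payload)
        else:  # absolute: offset from the payload start, depth bytes from there
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        idx = payload.find(pattern, start, end)  # find() only reports a pattern lying wholly in [start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True

def evaluate(rules, pkt, suppressed_sids=frozenset()):
    """Return (action, msg, sid) of the first matching rule, else ("pass", "", 0). First-match simplifies
    Snort's action ordering; suppressed_sids plays the role of the UTD allowed list."""
    for r in rules:
        if r["sid"] in suppressed_sids or r["proto"] not in ("ip", pkt.proto):
            continue
        if not (addr_match(r["src"], pkt.src) and port_match(r["sport"], pkt.sport)
                and addr_match(r["dst"], pkt.dst) and port_match(r["dport"], pkt.dport)):
            continue
        if r["flow"] and not set(r["flow"].split(",")) <= set(pkt.flow.split(",")):
            continue
        if content_match(r, pkt.payload):
            return r["action"], r["msg"], r["sid"]
    return "pass", "", 0

# Constructed rules and packets; the first rule reuses the header quoted in the text.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE MZ header in HTTP response"; '
    'flow:to_client,established; content:"HTTP/1."; depth:7; content:"|0d 0a 0d 0a|MZ"; distance:0; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-ATTACK cmd.exe access"; flow:to_server,established; '
    'content:"GET "; depth:4; content:"cmd.exe"; distance:0; within:200; sid:1000002; rev:2;)')]
ATTACK = Packet("tcp", "203.0.113.9", 40123, "192.168.0.10", 80,
                b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n", "to_server,established")
BENIGN = Packet("tcp", "203.0.113.9", 40124, "192.168.0.10", 80, b"GET /index.html HTTP/1.0\r\n", "to_server,established")
EXE_DOWNLOAD = Packet("tcp", "203.0.113.9", 80, "192.168.0.10", 51000,
                      b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00", "to_client,established")
INTERNAL = Packet("tcp", "192.168.0.5", 40125, "192.168.0.10", 80,  # source is inside $HOME_NET
                  b"GET /cmd.exe HTTP/1.0\r\n", "to_server,established")
```

Calling evaluate(RULES, ATTACK) returns the drop action of sid 1000002, the same request from 192.168.0.5 (INTERNAL) passes because $EXTERNAL_NET excludes $HOME_NET, EXE_DOWNLOAD triggers the alert rule built on the header from the text, and evaluate(RULES, ATTACK, {1000002}) passes again: suppressing a signature, as the UTD allowed list does, turns it off for every flow, not just the one that produced the false positive.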
12.2.9 Snort IPS Operation
Packets arriving on Snort enabled interfaces are inspected as follows:
1. Cisco IOS Software forwards the packets to be inspected to the Snort IPS engine
using an internal virtual port group (VPG) interface.
2. Snort IPS inspects the traffic and takes necessary action.
3. In IPS mode, Snort drops the packets associated with bad flows. Packets of good
flows are returned to the router for further processing.
Packet exchange between the container applications and the IOS data plane is done
using VPG interfaces. These routed interfaces are connected through the router back
plane. The corresponding interface on the container side will appear as virtual
Ethernet ports.
Snort IPS requires two VPG interfaces:
Management interface - This is the interface that is used to source logs to the log
collector and for retrieving signature updates from Cisco.com. For this reason, this
interface requires a routable IP address.
Data interface - This is the interface that is used to send user traffic between the
Snort virtual container service and the router forwarding plane.
In the figure, VPG0 is used for Snort management traffic while VPG1 is used for user
traffic to be inspected. User traffic to be inspected is forwarded to the Snort engine
using VPG1 as shown. Traffic is then inspected and either rejected (dropped) or
forwarded back to the router as shown.
Note: The Snort IPS functionality is available only in the security K9-licensed IOS XE
version. The security license is required to enable the service. This feature is available
in Cisco IOS XE Release 3.16.1S, 3.17S, and later releases.
12.3.2 Step 1. Download the Snort OVA File
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable
version of a virtual machine. The Snort service OVA file is not bundled with the Cisco
IOS XE Release images installed on the router. However, an OVA file may be preinstalled
in the flash of the router. In either case, it is recommended that the latest OVA file be
downloaded from Cisco.com.
For example, in the figure, the user is downloading the OVA file for an ISR 4321 router
running IOS XE Fuji 16.9.6.
12.3.3 Step 2. Install the Snort OVA File
During the OVA file installation, the security license is checked and an error is reported
if the license is not present. Therefore, the Cisco IOS XE image must be enabled with
the security license. In the output, you can see that the OVA is Cisco signed.
Use the show virtual-service list command to display the status of the installation of
all applications installed on the virtual service container.
12.3.4 Step 3. Configure Virtual Port Group Interfaces
Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest
IP addresses.
In our example, the VPG interfaces will be configured as follows:
VPG0 - This is for management traffic to exchange information with IPS servers. The
guest IP address needs to be routable to reach the signature update server and the
external log server; the same interface is used to send logs to the log collector.
VPG1 - This is for user traffic marked for inspection. This interface should not be
reachable from outside the router and therefore uses a non-routable private IP address.
Note: Be sure to provide proper NAT and routing to enable the management VPG to
reach the log server as well as cisco.com to retrieve signature update files.
The following is a sample configuration of VPG0 and VPG1.
R1# configure terminal
R1(config)# interface VirtualPortGroup0
R1(config-if)# description Management interface
R1(config-if)# ip address 209.165.201.1 255.255.255.252
R1(config-if)# exit
R1(config)#
*Oct 5 08:13:10.970: %LINEPROTO-5-UPDOWN: Line protocol on Interface
VirtualPortGroup0, changed state to up
R1(config)# interface VirtualPortGroup1
R1(config-if)# description Data interface
R1(config-if)# ip address 192.168.0.1 255.255.255.252
R1(config-if)# exit
R1(config)#
*Oct 5 08:13:12.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface
VirtualPortGroup1, changed state to up
R1#
12.3.5 Step 4. Activate Virtual Services
The next step is to configure guest IPs on the same subnet for the container side and
activate the virtual service as shown in the output.
R1(config)# virtual-service MYIPS
R1(config-virt-serv)# vnic gateway VirtualPortGroup0
R1(config-virt-serv-vnic)# guest ip address 209.165.201.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# vnic gateway VirtualPortGroup1
R1(config-virt-serv-vnic)# guest ip address 192.168.0.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# activate
The virtual-service virtual-service-name command configures the logical
name, MYIPS in the example, that is used to identify the virtual container service.
The vnic gateway VirtualPortGroup interface-number command creates a virtual
network interface card (vNIC) gateway interface for the virtual container service. It also
maps the vNIC gateway interface to the virtual port group, and enters the virtual-
service vNIC configuration mode.
The guest ip address ip-address command configures a guest vNIC address for the vNIC
gateway interface.
Finally, the activate command activates the application installed in a virtual container
service.
12.3.6 Step 5. Configure Snort Specifics
Next is to configure how Snort is to be deployed (i.e. IPS or IDS mode), where the Snort
logs should be sent, the policy and profile to configure for Snort, and more.
Refer to the sample command output.
R1(config)# utd engine standard
R1(config-utd-eng-std)# logging host 10.10.10.254
R1(config-utd-eng-std)# logging syslog
R1(config-utd-eng-std)#
R1(config-utd-eng-std)# threat-inspection
R1(config-utd-engstd-insp)# threat protection
R1(config-utd-engstd-insp)# policy balanced
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# signature update occur-at daily 0 0
R1(config-utd-engstd-insp)# signature update server cisco username Bob password
class
R1(config-utd-engstd-insp)# logging level warning
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# exit
R1(config-utd-eng-std)# exit
R1(config)#
The utd engine standard command configures the UTD standard engine and enters
UTD standard engine configuration mode.
The logging host command sends Snort event logs to the external log collector at
10.10.10.254, and the logging syslog command also includes them in the router's own
syslog stream.
The threat-inspection command configures threat inspection for the Snort engine.
From here you can specify which mode Snort will be in:
threat protection - Snort will be in IPS mode.
threat detection - Snort will be in IDS mode.
The policy command specifies three security policies used by Snort and provided by
Cisco Talos, as shown in the following help facility example.
R1(config-utd-engstd-insp)# policy ?
balanced Set the policy to balanced (this is the default option)
connectivity Set the policy to connectivity (stresses on connectivity over security)
security Set the policy to security (provide mode exhaustive coverage)
R1(config-utd-engstd-insp)# policy
The three policy settings in order from least protection to most protection are:
connectivity - This provides the least protection as it prioritizes connectivity over
security. Approximately 1,000 rules are pre-loaded using this policy.
balanced - This is the default policy. It is recommended for initial deployments.
This policy attempts to balance security needs and performance characteristics of
the network. Approximately 8,000 rules are pre-loaded using this policy.
security - This provides the most protection. It is designed for organizations that
are exceptionally concerned about security. Customers deploy this policy in
protected networks, that have a lower bandwidth requirements, but much higher
security requirements. Approximately 12,000 rules are pre-loaded using this policy.
Note: IPS system performance is negatively affected as more rules are enabled.
The signature update command configures the signature update interval parameters.
In our sample output, Snort will update its signatures every night at midnight.
The signature update server command configures the signature update server
parameters. You must specify the signature update parameters with the server details.
If you use Cisco.com for signature updates, you must provide the username and
password. If you use local server for signature updates, based on the server settings
you can provide the username and password. In our sample output, Snort updates its
signature file from cisco.com using the username Bob and password class.
Finally, the logging level command specifies the severity of the syslog messages that
will be generated.
12.3.7 Step 6. Enable IPS Globally or on Desired Interfaces
Based on the organizational requirements, Snort can be enabled globally (i.e., on all
the interfaces) or on selected interfaces.
The example in the output enables UTD globally on all interfaces and defines what to
do if the Snort engine fails.
R1(config)# utd
R1(config-utd)# all-interfaces
R1(config-utd)#
R1(config-utd)# engine standard
R1(config-engine-std)# fail close
R1(config-engine-std)# exit
R1(config-utd)# exit
R1(config)#
The all-interfaces option configures unified threat defense (UTD) on all Layer 3
interfaces of the device.
The engine standard command configures the Snort-based UTD engine and enters
standard engine configuration mode. From this mode, we can specify how Snort will
behave if there is a UTD engine failure.
Specifically, Snort can be configured to:
fail-open (default) - When there is a UTD engine failure, this option allows all of the
IPS/IDS traffic through without being inspected.
fail-close - If enabled, this option drops all the IPS/IDS traffic when there is an UTD
engine failure. Therefore, no traffic will be allowed to leave.
Alternatively, Snort can be enabled only on selected interfaces, as shown.
Note: An error message is displayed if utd enable is entered on an interface after UTD
has already been enabled globally with all-interfaces; use one method or the other.
R1(config)# interface G0/0/0
R1(config-if)# utd enable
R1(config-if)# exit
R1(config)# interface G0/0/1
R1(config-if)# utd enable
R1(config-if)# exit
R1(config)#
You can also enable the UTD allowed list feature. This enables you to identify IPS
signature IDs to be suppressed (not used).
For example, when an IPS is incorrectly identifying normal user traffic as a threat (i.e., a
false positive), we can add those signatures to an allowed list. The IPS will not use
signatures in the allowlist.
To do so, enter UTD allowed list configuration mode and identify signature IDs to be
excluded from inspection. After the allowed list signature ID is configured, Snort will
allow the flow to pass through the device without any alerts and drops.
For example, assume that signature ID 21555 is incorrectly identifying legitimate user
traffic from Branch1 as malicious. This signature can be added to the allowed list, as
shown. Note that the allowed list turns the signature off for all traffic passing through
the router, not only for Branch1, so confirm that the signature is a genuine false
positive before suppressing it.
R1(config)# utd threat-inspection whitelist
R1(config-utd-whitelist)# signature id 21555 comment traffic from Branch 1
R1(config-utd-whitelist)#
12.3.8 Step 7. Verify Snort IPS
After Snort IPS is implemented, it is necessary to verify the configuration to ensure
correct operation.
There are several show commands that can be used to verify the Snort IPS
configuration and operation.
show virtual-service list - The command displays an overview of resources that are
utilized by the applications.
show virtual-service detail - The command displays a list of resources that are
committed to a specified application, including attached devices.
show utd engine standard config - The command displays the UTD configuration.
show utd engine standard status - The command displays the status of the UTD
engine.
show platform hardware qfp active feature utd stats - The command checks the
data plane. It verifies increments for encap, decap, redirect, and reinject and
displays a health of "Green".
12.3.9 Syntax Checker - Configure Snort IPS
In this Syntax Checker activity, you will complete Steps 2 - 6 to configure Snort IPS:
Step 2. Install the Snort OVA file.
Step 3. Configure Virtual Port Group interfaces.
Step 4. Activate the virtual services.
Step 5. Configure Snort specifics.
Step 6. Enable IPS globally or on desired interfaces.
Step 1 is to download the Snort OVA file from cisco.com.
Step 2: Install the OVA file iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova in flash.
Use the virtual service name MYIPS.
R1#virtual-service install name MYIPS package flash:iosxe-
utd.16.09.06.1.0.10_SV29130_XE_16_9.ova
Installing package 'bootflash:/iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova' for
virtual-service 'MYIPS'. Once the install has finished, the VM may be activated. Use
'show virtual-service list' for progress.
R1#
*Oct 5 08:07:45.953: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0:
vman: Package 'iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova' for service
container 'MYIPS' is 'Cisco signed', signing level cached on original install is 'Cisco
signed'
Step 3: Configure Virtual Port Group interfaces using the following specifications:
Enter global configuration mode and then interface configuration mode
for VirtualPortGroup0.
Describe the interface as Management interface.
Assign the IP address 209.165.201.1 255.255.255.252.
Exit interface configuration mode.
R1#configure terminal
R1(config)#interface VirtualPortGroup0
R1(config-if)#description Management interface
R1(config-if)#ip address 209.165.201.1 255.255.255.252
R1(config-if)#exit
R1(config)#
*Oct 5 08:13:10.970: %LINEPROTO-5-UPDOWN: Line protocol on Interface
VirtualPortGroup0, changed state to up
Enter interface configuration mode for VirtualPortGroup1.
Describe the interface as Data interface.
Assign the IP address 192.168.0.1 255.255.255.252.
Exit interface configuration mode.
R1(config)#interface VirtualPortGroup1
R1(config-if)#description Data interface
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#exit
R1(config)#
*Oct 5 08:13:12.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface
VirtualPortGroup1, changed state to up
Step 4: Activate the virtual services using the following specifications:
Name the virtual service MYIPS
Create a vNIC for VirtualPortGroup0.
Assign the vNIC the guest IP address 209.165.201.2.
Exit vNIC configuration mode.
Create a vNIC for VirtualPortGroup1.
Assign the vNIC the guest IP address 192.168.0.2.
Exit vNIC configuration mode.
Activate the virtual service.
Exit virtual service configuration mode.
R1(config)#virtual-service MYIPS
R1(config-virt-serv)#vnic gateway VirtualPortGroup0
R1(config-virt-serv-vnic)#guest ip address 209.165.201.2
R1(config-virt-serv-vnic)#exit
R1(config-virt-serv)#vnic gateway VirtualPortGroup1
R1(config-virt-serv-vnic)#guest ip address 192.168.0.2
R1(config-virt-serv-vnic)#exit
R1(config-virt-serv)#activate
R1(config-virt-serv)#exit
Step 5. Configure snort specifics using the following specifications:
Enter configuration mode for the UTD engine.
Send Snort logs to the host 10.10.10.254 and to the router syslog.
Enter threat inspection mode.
Set the inspection to protection with a balanced policy.
Configure the signature update for daily at 0 0.
Configure the username Bob and password class for the signature update server.
Enter exit twice to return to global configuration mode.
R1(config)#utd engine standard
R1(config-utd-eng-std)#logging host 10.10.10.254
R1(config-utd-eng-std)#logging syslog
R1(config-utd-eng-std)#threat-inspection
R1(config-utd-engstd-insp)#threat protection
R1(config-utd-engstd-insp)#policy balanced
R1(config-utd-engstd-insp)#signature update occur-at daily 0 0
R1(config-utd-engstd-insp)#signature update server cisco username Bob password
class
R1(config-utd-engstd-insp)#logging level warning
R1(config-utd-engstd-insp)#exit
R1(config-utd-eng-std)#exit
Step 6. Enable IPS globally or on desired interfaces using the following specifications:
Enter configuration mode for UTD interfaces.
Configure all interfaces as UTD interfaces.
Set the engine to standard.
If the UTD engine fails, all traffic should be dropped.
Enter exit twice to return to global configuration mode.
R1(config)#utd
R1(config-utd)#all-interfaces
R1(config-utd)#engine standard
R1(config-engine-std)#fail close
R1(config-engine-std)#exit
R1(config-utd)#exit
Alternatively, instead of all-interfaces, you can enable Snort on specific interfaces.
Enable Snort on the G0/0/0 and G0/0/1 interfaces. Exit interface configuration mode
after configuring each interface.
R1(config)#interface G0/0/0
R1(config-if)#utd enable
R1(config-if)#exit
R1(config)#interface G0/0/1
R1(config-if)#utd enable
R1(config-if)#exit
Step 7 is to verify your Snort configuration which is beyond the scope of this activity.
You successfully configured Snort IPS.
12.3.10 Check Your Understanding - Implementing Snort IPS
Check your understanding of implementing Snort IPS by choosing the correct answer
to the following questions.
Question 1
Which type of file contains a compressed, installable version of the Snort IPS virtual
machine?
BIN
EXE
OVA
VPG
Question 2
Which Snort IPS interface statement is true?
One loopback interface is required
Two ethernet interfaces are required
Two virtual port group interfaces are required
Two VLAN interfaces
12.4 IPS Operation and Implementation Summary
12.4.1 What Did I Learn in this Module?
IPS Signatures
IPS signatures have three attributes: type, trigger, and action. The signature type can
be atomic or composite. The signature alarms can use pattern-based detection,
anomaly-based detection, policy-based detection, or honey pot-based detection. The
IPS signature actions include generate an alert, log the activity, deny the activity, reset
the TCP connection, and block future activity. Triggering mechanisms can produce
results classified as true positives, true negatives, false positives, and false negatives.
Cisco Snort IPS
Intrusion prevention is provided in modern Cisco networks using dedicated
NGIPS Firepower-enabled devices, Snort IPS on ISR 4000 routers, or an external
Snort IPS server. Snort IPS on an ISR device can provide either IDS or IPS services. It has
predefined security levels (i.e., connectivity, balanced, and security). It can refer to an
allowed list, provide feedback on the health of the Snort engine, offer fail-open and
fail-close behavior, and support automated signature updates and logging. Snort IPS
consists of a Snort engine and a Snort rule set. There are community rules available for
free and subscriber rules available for a fee. Snort IPS runs in a Linux service container
VM supported by ISR 4000 routers. Snort IPS uses rules consisting of rule headers and
rule options to identify malicious traffic.
Configure Snort IPS
To configure Snort IPS on an ISR 4000 device, you must download the latest OVA file,
install it on the router, configure VPG interfaces, activate the virtual services, configure
Snort IPS specifics, and enable UTD. After Snort is configured and activated, show
commands allow verification of its operation.
Question 7
Which statement correctly describes the configuration of a Snort VPG interface?
The VPG0 interface must have a routable address with access to the internet.
The VPG1 interface must be configured with a public IP address.
The VPG1 interface must use a routable static IP address.
The VPG1 interface must receive an address from DHCP.
Question 8
What are three actions that can be performed by Snort in IDS mode? (Choose three.)
Log
Drop
Alert
Reject
Sdrop
Pass
Question 9
Which device is a dedicated inline threat prevention appliance that is effective
against both known and unknown threats?
Cisco FirePOWER NGIPS
Cisco Snort IPS
Cisco ASA
Cisco IOS IPS
Question 10
Which rule action will cause Snort IPS to block a packet without logging it?
Drop
Reject
Alert
Sdrop
Question 11
What is the source for IPS rule updates when using a Cisco intrusion prevention
service?
Cisco Talos
Cisco.com
Security Onion
SIEM
Checkpoint Exam: Intrusion Prevention Group Exam
This exam will cover material from Modules 11-12 of the Network Security 1.0
curriculum.
Copyright 2021, Cisco Systems, Inc.
Question 1
What is an advantage of HIPS that is not provided by IDS?
HIPS deploys sensors at network entry points and protects critical network segments.
HIPS provides quick analysis of events through detailed logging.
HIPS monitors network processes and protects critical files.
HIPS protects critical system resources and monitors operating system processes.
Question 2
What is a network tap?
a passive device that forwards all traffic and physical layer errors to an analysis
device
a Cisco technology that provides statistics on packets flowing through a router or
multilayer switch
a technology used to provide real-time reporting and long-term analysis of security
events
a feature supported on Cisco switches that enables the switch to copy frames and
forward them to an analysis device
Question 3
What is PulledPork?
a rule management application that can be used to automatically download Snort
rule updates
an open source network IPS that performs real-time traffic analysis and generates
alerts when threats are detected on IP networks
a virtual service container that runs on the Cisco ISR router operating system
a centralized management tool to push the rule sets based on preconfigured policy, to
Cisco routers
Question 4
Which tool can perform real-time traffic and port analysis, and can also detect port
scans, fingerprinting and buffer overflow attacks?
Netflow
Nmap
SIEM
Snort
Question 5
What are two characteristics of both IPS and IDS sensors? (Choose two.)
both can stop trigger packets
both are deployed inline in the data stream
both can detect atomic patterns
both use signatures to detect patterns
neither introduce latency or jitter
Question 6
What is an advantage of using an IPS?
It is installed outside of the data traffic flow.
It has no impact on network latency.
It does not impact network traffic if there is a sensor overload.
It can stop trigger packets.
Question 7
Which Snort IPS feature enables a router to download rule sets directly from
cisco.com or snort.org?
Signature allowed listing
Snort rule set updates
Snort rule set pull
Snort rule set push
Question 8
What are two characteristics of an IPS operating in promiscuous mode? (Choose
two.)
It requires the assistance of another network device to respond to an attack.
It sits directly in the path of the traffic flow.
It does not impact the flow of packets in forwarded traffic.
It can stop malicious traffic from reaching the intended target for all types of attacks.
It sends alerts and drops any malicious packets.
Question 9
What is a characteristic of an IDS?
It can affect network performance by introducing latency and jitter.
It is installed inline with the network traffic flow.
It can be configured to drop trigger packets that are associated with a connection.
It often requires assistance from other network devices to respond to an attack.
Question 10
What is a minimum system requirement to activate Snort IPS functionality on a Cisco
router?
at least 4 GB flash
K9 license
at least 4 GB RAM
ISR 2900 or higher
Question 11
A network administrator is trying to download a valid file from an internal server.
However, the process triggers an alert on a NMS tool. What condition describes this
alert?
false positive
true positive
false negative
true negative
Question 12
Match each intrusion protection service with the description.
Question 13
What information must an IPS track in order to detect attacks matching a composite
signature?
the total number of packets in the attack
the attacking period used by the attacker
the state of packets related to the attack
the network bandwidth consumed by all packets
Question 14
Match each Snort IPS rule action with the description.
Question 15
What is a characteristic of the connectivity policy setting when configuring Snort
threat protection?
it provides the lowest level of protection
it enables the highest number of signatures to be verified
it attempts to balance network security with network performance
it prioritizes security over connectivity
Question 16
What situation will generate a true negative IPS alarm type?
a known attack that is not detected
normal traffic that generates a false alarm
normal traffic that is correctly being ignored and forwarded
a verified security incident that is detected
Question 17
What is provided by the fail open and close functionality of Snort IPS?
provides the ability to automatically disable problematic signatures that routinely
cause false positives and pass traffic
keeps track of the health of the Snort engine that is running in the service container
blocks the traffic flow or bypasses IPS checking in the event of an IPS engine failure
keeps Snort current with the latest threat protection and term-based subscriptions
Question 18
What is contained in an OVA file?
a current compilation of known threats and prevention mechanisms
an installable version of a virtual machine
a set of rules for an IDS or IPS to detect intrusion activity
a list of atomic and composite signatures
Question 19
Which IPS signature trigger category uses a decoy server to divert attacks away from
production devices?
honey pot-based detection
policy-based detection
anomaly-based detection
pattern-based detection
Question 20
What are two actions that an IPS can perform whenever a signature detects the
activity for which it is configured? (Choose two.)
restart the infected device
reconverge the network
drop or prevent the activity
allow the activity
disable the link
Many attacks can, and do, originate from inside the network. Therefore, securing an
internal LAN is just as important as securing the outside network perimeter. Without a
secure LAN, users within an organization are still susceptible to network threats and
outages that can directly affect an organization’s productivity and profit margin. After
an internal host is infiltrated, it can become a starting point for an attacker to gain
access to critical system devices, such as servers and the sensitive information they
contain.
Specifically, there are two internal LAN elements to secure:
Endpoints - Hosts commonly consist of laptops, desktops, servers, and IP phones
which are susceptible to malware-related attacks. Endpoints also include video
cameras, point-of-sale devices, and devices on the Internet of Things.
Network infrastructure - LAN infrastructure devices interconnect endpoints and
typically include switches, wireless devices, and IP telephony devices. Most of
these devices are susceptible to LAN-related attacks including MAC address table
overflow attacks, spoofing attacks, DHCP related attacks, LAN storm attacks, STP
manipulation attacks, and VLAN attacks.
This module focuses on securing endpoints.
13.1.2 Traditional Endpoint Security
Historically, employee endpoints were company-issued computers which resided
within a clearly defined LAN perimeter. These hosts were protected by firewalls and
IPS devices which worked well with hosts that were connected to the LAN and behind
the firewall.
The endpoints also used traditional host-based security measures:
Antivirus/Antimalware Software - This is software installed on a host to detect and
mitigate viruses and malware. Companies that provide anti-virus software include
Norton, TotalAV, McAfee, MalwareBytes and many others.
Host-based IPS - This is software that is installed on the local host to monitor and
report on the system configuration and application activity, provide log analysis,
event correlation, integrity checking, policy enforcement, rootkit detection, and
alerting. Examples include Snort IPS, OSSEC, and Malware Defender, among others.
Host-based firewall - This is software that is installed on a host that restricts
incoming and outgoing connections to those initiated by that host only. Some
firewall software can also prevent a host from becoming infected and stop infected
hosts from spreading malware to other hosts. Included in some operating systems
such as Windows, or produced by companies such as NetDefender, Zonealarm,
Comodo Firewall, and many others.
13.1.3 The Borderless Network
The network has evolved to include traditional endpoints and new, lightweight,
portable, consumerized endpoints such as smartphones, tablets, wearables, and
others. The new bring-your-own-device (BYOD) needs of workers require a different
way of approaching endpoint security. These new endpoints have blurred the network
border because access to network resources can be initiated by users from many
locations using various connectivity methods at any time.
There are some problems with the traditional method of securing endpoints. In many
networks, the network-based devices are disparate and typically do not share
information among themselves. Additionally, new endpoint devices are not good
candidates for the traditional host-based endpoint security solutions because of the
variety of devices and the variety of operating systems available on those devices.
The challenge is allowing these heterogeneous devices to connect to enterprise
resources securely.
13.1.4 Security for Endpoints in the Borderless Network
Larger organizations now require protection before, during, and after an attack. IT
administrators must be able to answer the following questions:
Where did the attack come from?
What was the exploit method and point of entry?
What systems were affected?
What did the exploit do?
How do we recover from the exploit?
How can we mitigate the vulnerability and root cause?
Organizations must also protect their endpoints from new threats and provide the
protection measures that are outlined in the table below.
Measure - Purpose
antimalware software - Protect endpoints from malware.
spam filtering - Prevent spam emails from reaching endpoints.
blocklisting - Prevent endpoints from connecting to websites with bad reputations by
immediately blocking connections based on the latest reputation intelligence.
data loss prevention (DLP) - Prevent sensitive information from being lost or stolen.
13.1.5 Network-Based Malware Protection
New security architectures for the borderless network address security challenges by
having endpoints use network scanning elements. These devices provide many more
layers of scanning than a single endpoint possibly could. Network-based malware
prevention devices are also capable of sharing information among themselves to make
better informed decisions.
Protecting endpoints in a borderless network can be accomplished using network-
based, as well as host-based techniques, as shown in the figure.
The figure shows generic icons for the following sections: next generation firewalls,
intrusion prevention systems, network access control, gateway security, and endpoint
security.
The following are examples of devices and techniques that implement host protections
at the network level.
Advanced Malware Protection (AMP) - This provides endpoint protection from
viruses and malware.
Email Security Appliance (ESA) - This provides filtering of SPAM and potentially
malicious emails before they reach the endpoint. An example is the Cisco ESA.
Web Security Appliance (WSA) - This provides filtering and blocking of websites to
prevent hosts from reaching dangerous locations on the web. The Cisco WSA
provides control over how users access the internet and can enforce acceptable
use policies, control access to specific sites and services, and scan for malware.
Network Admission Control (NAC) - This permits only authorized and compliant
systems to connect to the network.
These technologies work in concert with each other to give more protection than host-
based suites can provide, as shown in the figure.
13.1.6 Hardware and Software Encryption of Local Data
Endpoints are also susceptible to data theft. For instance, if a corporate laptop is lost
or stolen, a thief could scour the hard drive for sensitive information, contact
information, personal information, and more.
The solution is to locally encrypt the disk drive with a strong encryption algorithm such
as 256-bit AES encryption. The encryption protects the confidential data from
unauthorized access. The encrypted disk volumes can only be mounted for normal
read/write access with the authorized password.
Operating systems such as Mac OS X natively provide encryption options. The
Microsoft Windows 10 operating system also provides encryption natively. Individual
files, folders, and drives can be configured to encrypt data. In Windows, BitLocker
provides drive encryption, as shown in the figure. Files can also be encrypted, but
because applications can create unencrypted back up files, the entire folder that the
file is stored in should be encrypted.
13.1.7 Network Access Control
The purpose of network access control (NAC) is to allow only authorized and compliant
systems, whether managed or unmanaged, to access the network. It unifies endpoint
security technologies with user or device authentication and network security policy
enforcement. A NAC system can deny network access to noncompliant devices, place
them in a quarantined area, or give them only restricted access to computing
resources, thus keeping insecure nodes from infecting the network.
NAC systems can have the following capabilities:
Profiling and visibility - This recognizes and profiles users and their devices before
malicious code can cause damage.
Guest network access - This manages guests through a customizable, self-service
portal that includes guest registration, guest authentication, guest sponsoring, and
a guest management portal.
Security posture checking - This evaluates security-policy compliance by user type,
device type, and operating system.
Incident response - This mitigates network threats by enforcing security policies
that block, isolate, and repair noncompliant machines without administrator
attention.
NAC systems should extend NAC to all network access methods, including access
through LANs, remote-access gateways, and wireless access points.
The Cisco Identity Services Engine (ISE) combines AAA and network device profiling
into a single system.
13.1.8 NAC Functions
The goal of NAC systems is to ensure that only hosts that are authenticated and have
had their security posture examined and approved are permitted onto the network.
For example, company laptops used offsite for a period of time might not have
received current security updates or could have become infected from other systems.
Those systems cannot connect to the network until they are examined, updated, and
approved.
Network access devices can function as the enforcement layer, as shown in the figure.
They force the clients to query a RADIUS server for authentication and authorization.
The RADIUS server can query other devices, such as an antivirus server, and reply to
the network enforcers.
Network Access Devices Enforce Security
What filters unwanted emails before they reach the endpoint?
Blocklisting
Spam filtering
Data loss prevention
Antimalware software
13.2 802.1X Authentication
13.2.1 Security Using 802.1X Port-Based Authentication
The IEEE 802.1X standard defines a port-based access control and authentication
protocol that restricts unauthorized workstations from connecting to a LAN through
publicly accessible switch ports. The authentication server authenticates each
workstation that is connected to a switch port before making available any services
offered by the switch or the LAN.
The figure shows that with 802.1X port-based authentication, the devices in the
network have specific roles.
802.1X Topology
the client. The RADIUS security system with EAP extensions is the only supported
authentication server.
Until the workstation is authenticated, 802.1X access control enables only Extensible
Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and
Spanning Tree Protocol (STP) traffic through the port to which the workstation is
connected. After authentication succeeds, normal traffic can pass through the port.
The switch port state determines whether the client is granted access to the network.
When configured for 802.1X port-based authentication, the port starts in the
unauthorized state. While in this state, the port disallows all ingress and egress traffic
except for 802.1X protocol, STP, and CDP packets. When a client is successfully
authenticated, the port transitions to the authorized state, allowing all traffic for the
client to flow normally. If the switch requests the client identity (authenticator
initiation) and the client does not support 802.1X, the port remains in the
unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1X-enabled client connects to a port and the client initiates
the authentication process (supplicant initiation) by sending the EAPOL-start frame to
a switch that is not running the 802.1X protocol, no response is received, and the client
begins sending frames as if the port is in the authorized state.
The figure shows the complete message exchange between the supplicant,
authenticator, and the authentication server. The encapsulation occurs as follows:
Between the supplicant and the authenticator - EAP data is encapsulated in EAPOL
frames.
Between the authenticator and the authentication server - EAP data is
encapsulated using RADIUS.
802.1X Message Exchange
If the client is successfully authenticated (the switch receives an “accept” frame from
the authentication server), the port state changes to authorized, and all frames from
the authenticated client are enabled through the port.
If the authentication fails, the port remains in the unauthorized state, but
authentication can be retried. If the authentication server cannot be reached, the
switch can retransmit the request. If no response is received from the server after the
specified number of attempts, authentication fails, and network access is not granted.
When a client logs out, it sends an EAPOL-logout message, causing the switch port to
transition to the unauthorized state.
13.2.2 Control the 802.1X Authorization State
It may be necessary to configure a switch port to override the 802.1X authentication
process. To do this, use the authentication port-control interface configuration
command to control the port authorization state. The parameters for this command
are shown below. The individual port on the authenticator switch is configured with
this command, in this case, port F0/1 of S1. By default, a port is in the
force-authorized state, meaning it can send and receive traffic without 802.1X
authentication.
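As an added example that is not part of the course, the following Python model walks the port authorization behaviour described in 13.2.1 and 13.2.2: the unauthorized-state filter (EAPOL, CDP and STP only), the transition on an accept or reject relayed from the RADIUS server, failure after the server stays silent for the configured number of attempts, EAPOL-logoff, and the three port-control modes. The class and function names, and the attempt limit of three, are assumptions made for the example.

```python
from enum import Enum


class PortControl(Enum):
    """Values of the authentication port-control command modelled here."""
    FORCE_AUTHORIZED = "force-authorized"      # default: traffic flows, no 802.1X
    FORCE_UNAUTHORIZED = "force-unauthorized"  # port never authorizes a client
    AUTO = "auto"                              # run the 802.1X exchange per client


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


# Only these protocols pass a port that is still unauthorized.
ALLOWED_WHILE_UNAUTHORIZED = {"EAPOL", "CDP", "STP"}


class AuthenticatorPort:
    """Constructed model of one switch port acting as the 802.1X authenticator."""

    def __init__(self, control=PortControl.FORCE_AUTHORIZED, max_server_attempts=3):
        self.control = control
        self.max_server_attempts = max_server_attempts  # assumed retransmit limit
        self.server_attempts = 0
        # force-authorized ports start authorized; auto and force-unauthorized do not
        self.state = (PortState.AUTHORIZED if control is PortControl.FORCE_AUTHORIZED
                      else PortState.UNAUTHORIZED)

    def allows(self, protocol):
        """Ingress/egress filter applied to a frame of the given protocol."""
        if self.state is PortState.AUTHORIZED:
            return True
        return protocol in ALLOWED_WHILE_UNAUTHORIZED

    def server_reply(self, reply):
        """Apply the authentication server's RADIUS reply relayed by the switch.
        reply is 'accept', 'reject', or None when no reply was received."""
        if self.control is not PortControl.AUTO:
            return self.state                   # forced modes ignore the exchange
        if reply == "accept":
            self.server_attempts = 0
            self.state = PortState.AUTHORIZED
        elif reply == "reject":
            self.server_attempts = 0            # stays unauthorized; client may retry
        elif self.server_attempts + 1 < self.max_server_attempts:
            self.server_attempts += 1           # switch retransmits the request
        else:
            self.server_attempts = 0            # attempts exhausted: authentication fails
            self.state = PortState.UNAUTHORIZED
        return self.state

    def eapol_logoff(self):
        """An EAPOL-logoff from the client returns an auto port to unauthorized."""
        if self.control is PortControl.AUTO:
            self.state = PortState.UNAUTHORIZED
        return self.state


def run_exchange(port, events):
    """Replay a scripted exchange and return the port state after each event.
    'server:<reply>' carries the RADIUS reply (accept, reject or none); other
    EAPOL/EAP messages pass the filter but do not change the port state."""
    trace = []
    for event in events:
        if event.startswith("server:"):
            reply = event.split(":", 1)[1]
            port.server_reply(None if reply == "none" else reply)
        elif event == "eapol-logoff":
            port.eapol_logoff()
        trace.append(port.state)
    return trace


if __name__ == "__main__":
    port = AuthenticatorPort(PortControl.AUTO)
    for ev, st in zip(["eapol-start", "eap-request-identity", "server:accept"],
                      run_exchange(port, ["eapol-start", "eap-request-identity",
                                          "server:accept"])):
        print(f"{ev:22s} -> {st.value}")
    print("IPv4 allowed after accept:", port.allows("IPv4"))
```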
13.2.3 802.1X Configuration
This scenario is implemented in the same topology as above. A PC is attached to F0/1 on
the switch and the device will be authenticated via 802.1X with a RADIUS server.
Unlike in previous AAA scenarios in which administrators were authenticated to the
router configuration lines, in this scenario, an endpoint is authenticated before access
is granted to the network.
Configuring 802.1X requires a few basic steps:
Step 1. Enable AAA using the aaa new-model command.
Step 2. Designate the RADIUS server and configure its address and ports.
Step 3. Create an 802.1X port-based authentication method list using the aaa
authentication dot1x command.
Step 4. Globally enable 802.1X port-based authentication using the dot1x system-
auth-control command.
Step 5. Enable port-based authentication on the interface using the authentication
port-control auto command.
Step 6. Enable 802.1X authentication on the interface using the dot1x pae command.
The authenticator option sets the Port Access Entity (PAE) type so the interface acts
only as an authenticator and will not respond to any messages meant for a supplicant.
An example configuration is shown below.
S1(config)# aaa new-model
S1(config)# radius server NETSEC
S1(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
S1(config-radius-server)# key RADIUS-Pa55w0rd
S1(config-radius-server)# exit
S1(config)#
S1(config)# aaa authentication dot1x default group radius
S1(config)# dot1x system-auth-control
S1(config)#
S1(config)# interface F0/1
S1(config-if)# description Access Port
S1(config-if)# switchport mode access
S1(config-if)# authentication port-control auto
S1(config-if)# dot1x pae authenticator
13.2.4 Syntax Checker - Configure 802.1x Port-Authentication
Use this Syntax Checker to practice configuring 802.1X port-authentication on a 2960
switch.
Configure a RADIUS server on S1 using the following instructions:
Enable AAA.
Enter RADIUS server configuration mode and name the configuration NETSEC.
Configure the RADIUS server address to 10.1.1.50 with the authentication port
of 1812 and the accounting port of 1813.
Configure the shared secret key RADIUS-Pa55w0rd.
Exit RADIUS configuration mode.
S1(config)#aaa new-model
S1(config)#radius server NETSEC
S1(config-radius-server)#address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
S1(config-radius-server)#key RADIUS-Pa55w0rd
S1(config-radius-server)#exit
Complete the following steps to configure 802.1x port-based authentication:
Specify an 802.1x port-based default authentication method list with the primary
option RADIUS.
Globally enable 802.1x port-based authentication.
S1(config)#aaa authentication dot1x default group radius
S1(config)#dot1x system-auth-control
Complete the following steps to enable 802.1X authentication on the interface:
Enter interface configuration mode for F0/1.
Configure the interface as an access switchport.
Enable port-based authentication on the interface with the auto parameter.
Enable 802.1x authentication with the Port Access Entity (PAE) type so the
interface acts only as an authenticator.
Use the end command to exit from configuration mode.
S1(config)#interface F0/1
S1(config-if)#switchport mode access
S1(config-if)#authentication port-control auto
S1(config-if)#dot1x pae authenticator
S1(config-if)#end
*Mar 3 18:22:23.443: %SYS-5-CONFIG_I: Configured from console by console
You successfully configured 802.1x port-authentication on a 2960 switch.
13.3 Endpoint Security Summary
13.3.1 What Did I Learn in this Module?
Introducing Endpoint Security
Traditionally endpoints included PCs, servers, and printers. However, in today’s
network, endpoints also include phones, tablets, laptops, Internet of Things devices,
network video cameras and many other things. Endpoint security used to depend on
host-based security measures such as antimalware software, host-based IPS, and host-
based firewall software. Many devices and technologies enhance host-based endpoint
protections. Some of them are email security appliances, web security appliances,
NAC, and the Cisco Identity Services Engine. Another way that endpoints can be
protected from data loss is through the use of encryption of local data at the file,
folder, or drive level. Software such as BitLocker is included with Microsoft Windows
10 for this purpose.
Network Access Control is a system that can check whether endpoints that attempt to
access the network comply with network security policies. It handles user
authentication and can take action against devices that violate security policies by
having out-of-date security software. It can even take action to bring devices up to the
compliance standard before allowing access. NAC can also provide easy-to-manage
methods of providing network access to guest computers that require connectivity to
the network. Cisco ISE combines AAA and NAC into a single system.
802.1X Authentication
802.1X provides a means by which an authenticator network access switch can act as an
intermediary between a client and an authentication server. The switch forwards
authentication information from the client to the server. If authentication is successful,
the client will be allowed to access the network through the connected switch port. If
authorization fails, the switch will not permit the client endpoint to connect to the
network. The system uses EAP and EAPOL to carry authentication traffic between the
client and the authenticator switch. The switch uses EAP and RADIUS to communicate
with the authentication server. The 802.1X authentication process can be controlled by
configuring the authenticator port with the authentication port-control command. The
port can be set to carry out the authentication process, to provide authorized access,
or to be in the unauthorized state. In this state, no device will be able to connect to
the network.
802.1X port-based authentication is configured by first globally activating AAA and by
specifying the RADIUS server name, address, and ports. After that the authenticator
interface is configured with 802.1X parameters.
13.3.2 Module 13 - Endpoint Security Quiz
Question 1
A switch has the following command issued as part of an 802.1X deployment.
address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
What is the purpose of this command?
It identifies the address of the RADIUS server and ports on the server used for
RADIUS traffic.
It identifies the address of the RADIUS server and the ports used for EAPOL messages.
It identifies the address of the default gateway and the ports used for traffic destined
for remote networks.
It identifies the address of the switch to which the client connects and the ports used
for the EAPOL messages.
Question 2
Which device is used as the authentication server in an 802.1X implementation?
Ethernet switch
Wireless router
Access point
RADIUS server
Question 3
What are two main capabilities of a NAC system? (Choose two.)
Route filtering
DMZ protection
Incident response
Security posture check
Administrative role assignment
Question 4
Which Cisco appliance can be used to filter network traffic contents to report and
deny traffic based on the web server reputation?
ASA
AVC
ESA
WSA
Question 5
Which command is used to enable AAA as part of the 802.1X configuration process
on a Cisco device?
aaa new-model
aaa authentication dot1x
dot1x pae authenticator
dot1x system-auth-control
Question 6
The switch port to which a client attaches is configured for the 802.1X protocol. The
client must authenticate before being allowed to pass data onto the network.
Between which two 802.1X roles is EAP data encapsulated using RADIUS? (Choose
two.)
Encrypter
Supplicant
Authenticator
Authentication server
Data nonrepudiation server
Question 7
Which host-based security measure is used to restrict incoming and outgoing
connections?
Rootkit
Host-based IPS
Host-based firewall
Antivirus/antimalware software
Question 8
Which security service is provided by 802.1x?
Port-based network access control
Malware analysis and protection across the full attack continuum
Malware analysis of files
Protection against emerging threats for Cisco products
Question 9
Why is it important to protect endpoints?
Endpoints are the starting point for VLAN attacks.
After an endpoint is breached, an attacker can gain access to other devices.
Endpoints are susceptible to STP manipulation attacks that can disrupt the rest of the
LAN.
A breached endpoint gives a threat actor access to system configuration that can
modify security policy.
Question 10
Websites are rated based on the latest website reputation intelligence. Which
endpoint security measure prevents endpoints from connecting to websites that
have a bad rating?
DLP
Denylisting
Spam filtering
Host-based IPS
Antimalware software
Question 11
When would the authentication port-control command be used during an 802.1X
implementation?
When a client has sent an EAPOL-logoff message
When the authentication server is located in the cloud
When an organization needs to control the port authorization state on a switch
When the authentication server is located at another location and cannot be reached
Question 12
When using 802.1X authentication, what device controls physical access to the
network, based on the authentication status of the client?
The switch that the client is connected to
The authentication server
The supplicant
The router that is serving as the default gateway
Question 13
A port has been configured for the 802.1X protocol and the client has successfully
authenticated. Which 802.1X state is associated with this PC?
Authorized
Enabled
Forwarding
Up
Module 14: Layer 2 Security Considerations
14.0 Introduction
14.0.1 Why Should I Take this Module?
Security is only as strong as the weakest link. Layer 2 provides access to users of the
network, and also makes up an essential part of the network infrastructure. Layer 2
devices provide redundancy by offering multiple high-speed paths to connect large
segments of the network. By providing access to all internal network users, it can also
provide access to threat actors who may attempt to bring down the network
infrastructure. Therefore, in your role as a network security administrator, you must be
diligent with mitigating threats to your Layer 2 infrastructure. Continue reading to
learn about the many potential threats to Layer 2 and the various means available to
alleviate these threats. Layer 2 is the weakest link!
14.0.2 What Will I Learn in this Module?
Module Title: Layer 2 Security Considerations
Module Objective: Implement security measures to mitigate Layer 2 attacks.
Network administrators routinely implement security solutions to protect the
elements in Layer 3 up through Layer 7 using VPNs, firewalls, and IPS devices.
However, as shown in the figure below, if Layer 2 is compromised, then all layers
above it are also affected. For example, if an employee or visitor with access to the
internal network could capture Layer 2 frames, then all of the security implemented on
the layers above would be useless. The employee could also wreak havoc on the Layer
2 LAN networking infrastructure.
Lower Levels Affect Higher Levels
control of a single organization. We inherently trusted all persons and devices
connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs
have become more vulnerable to penetration. Therefore, in addition to protecting
Layer 3 to Layer 7, network security professionals must also mitigate attacks to the
Layer 2 LAN infrastructure.
The first step in mitigating attacks on the Layer 2 infrastructure is to understand the
underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.
Attacks against the Layer 2 LAN infrastructure are highlighted in the table.
Note: The focus of this module is on common Layer 2 attacks.
Type - Description
MAC Table Attacks - Includes MAC table overflow (also called MAC address flooding)
attacks.
VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also includes
attacks between devices on a common VLAN.
DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.
STP Attacks - Includes Spanning Tree Protocol manipulation attacks.
The figure below provides an overview of Cisco solutions that help mitigate Layer 2
attacks.
Topic Title - Topic Objective
Port Security - Port security prevents many types of attacks including MAC table
overflow attacks and DHCP starvation attacks.
DHCP Snooping - DHCP Snooping prevents DHCP starvation and DHCP spoofing attacks by
rogue DHCP servers.
Dynamic ARP Inspection (DAI) - DAI prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG) - IP Source Guard prevents MAC and IP address spoofing attacks.
These Layer 2 solutions will not be effective if the management protocols are not
secured. An example would be if attackers can easily telnet into a switch. Syslog,
SNMP, TFTP, telnet, FTP and most other common network management protocols are
insecure. Therefore, the following strategies are recommended:
Always use secure variants of these protocols such as SSH, SCP, and SSL.
Consider using out-of-band (OOB) management.
Use a dedicated management VLAN where nothing but management traffic
resides.
Use ACLs to filter unwanted access.
14.1.3 Check Your Understanding - Identify Layer 2 Threats and Mitigation Measures
Layer 2 Attacks and Mitigation
Check your understanding of Layer 2 attacks and mitigation by choosing the correct
answer to the following questions.
Question 1
What type of attack occurs when a threat actor sends packets with false MAC or IP
addresses?
VLAN attacks
Address spoofing
DHCP attacks
ARP attacks
Question 2
What prevents many types of attacks including MAC table overflow attacks and
DHCP starvation attacks?
IP Source Guard (IPSG)
DHCP Snooping
Dynamic ARP inspection (DAI)
Port Security
Question 3
What type of attack sends false address requests to a server until all addresses are
used and none are available for legitimate users?
VLAN attack
Address spoofing
DHCP attack
ARP attack
Question 4
What prevents DHCP starvation and spoofing attacks?
IP Source Guard (IPSG)
Dynamic ARP Inspection (DAI)
Port Security
DHCP Snooping
Question 5
What prevents MAC and IP address spoofing attacks?
IP Source Guard (IPSG)
Dynamic ARP Inspection (DAI)
Port Security
DHCP Snooping
14.2 MAC Table Attacks
14.2.1 Switch Fundamentals
A switch uses MAC addresses to forward (or discard) frames to other devices on a
network. If a switch just forwarded every frame it received out all ports, your network
would be so congested that it would probably come to a complete halt.
A Layer 2 Ethernet switch uses Layer 2 MAC addresses to make forwarding decisions. It
is completely unaware of the data (protocol) being carried in the data portion of the
frame, such as an IPv4 packet, an ARP message, or an IPv6 ND packet. The switch
makes its forwarding decisions based solely on the Layer 2 Ethernet MAC addresses.
An Ethernet switch examines its MAC address table to make a forwarding decision for
each frame, unlike legacy Ethernet hubs that repeat bits out all ports except the
incoming port. In the figure, the four-port switch was just powered on. The table
shows the MAC Address Table which has not yet learned the MAC addresses for the
four attached PCs.
Note: MAC addresses are shortened throughout this topic for demonstration
purposes.
Examine the Source MAC Address
Every frame that enters a switch is checked for new information to learn. It does this
by examining the source MAC address of the frame and the port number where the
frame entered the switch. If the source MAC address does not exist, it is added to the
table along with the incoming port number. If the source MAC address does exist, the
switch updates the refresh timer for that entry in the table. By default, most Ethernet
switches keep an entry in the table for 5 minutes.
In the figure for example, PC-A is sending an Ethernet frame to PC-D. The table shows
the switch adds the MAC address for PC-A to the MAC Address Table.
Note: If the source MAC address does exist in the table but on a different port, the
switch treats this as a new entry. The entry is replaced using the same MAC address
but with the more current port number.
1. The destination MAC address is not in the table.
2. The switch forwards the frame out all other ports.
14.2.3 Filtering Frames
As a switch receives frames from different devices, it is able to populate its MAC
address table by examining the source MAC address of every frame. When the MAC
address table of the switch contains the destination MAC address, it is able to filter the
frame and forward out a single port.
PC-D to Switch
In the figure, PC-D is replying back to PC-A. The switch sees the MAC address of PC-D in
the incoming frame on port 4. The switch then puts the MAC address of PC-D into the
MAC Address Table associated with port 4.
The switch adds the port number and MAC address for PC-D to its MAC address table.
Switch to PC-A
Next, because the switch has destination MAC address for PC-A in the MAC Address
Table, it will send the frame only out port 1, as shown in the figure.
1. The switch receives another frame from PC-A and refreshes the timer for the MAC
address entry for port 1.
2. The switch has a recent entry for the destination MAC address and filters the
frame, forwarding it only out port 4.
1. The threat actor is connected to VLAN 10 and uses macof to rapidly generate many
random source and destination MAC and IP addresses.
2. Over a short period of time, the switch’s MAC table fills up.
3. When the MAC table is full, the switch begins to flood all frames that it receives. As
long as macof continues to run, the MAC table remains full and the switch
continues to flood all incoming frames out every port associated with VLAN 10.
4. The threat actor then uses packet sniffing software to capture frames from any and
all devices connected to VLAN 10.
If the threat actor stops macof from running or is discovered and stopped, the switch
eventually ages out the older MAC address entries from the table and begins to act like
a switch again.
14.2.5 MAC Address Table Attack Mitigation
What makes tools such as macof so dangerous is that an attacker can create a MAC
table overflow attack very quickly. For instance, a Catalyst 6500 switch can store
132,000 MAC addresses in its MAC address table. A tool such as macof can flood a
switch with up to 8,000 bogus frames per second, creating a MAC address table
overflow in a matter of seconds. The example shows sample output of the macof
command on a Linux host.
# macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
Another reason why these attack tools are dangerous is because they not only affect
the local switch, they can also affect other connected Layer 2 switches. When the MAC
address table of a switch is full, it starts flooding out all ports including those
connected to other Layer 2 switches.
To mitigate MAC address table overflow attacks, network administrators must
implement port security. Port security will only allow a specified number of source
MAC addresses to be learned on the port. Port security is further discussed later in this
module.
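The following Python simulation is an added illustration, not part of the course or of Cisco software. It models a switch MAC address table with a fixed capacity and a 300-second aging timer, then applies a per-port limit on learned source MACs, which is the mechanism port security uses. The port numbers, the 100-entry capacity and the host names PC-A and PC-D are assumptions chosen for the demonstration. Running overflow_demo() with and without the limit shows why a full table turns the switch into a hub for hosts whose entries have aged out, and why the per-port limit keeps the table intact.

```python
"""Constructed simulation of a switch MAC address table (not Cisco code).

Models learning, filtering, flooding, a bounded table with aging, and a
per-port maximum of secure source MACs (the port-security limit).
"""
import random


class Switch:
    def __init__(self, ports, capacity, aging=300):
        self.ports = ports            # ports are numbered 1..ports
        self.capacity = capacity      # how many entries the MAC table can hold
        self.aging = aging            # seconds an idle entry survives
        self.table = {}               # mac -> (port, last_seen)
        self.max_secure = {}          # port -> max source MACs allowed (port security)
        self.secure = {}              # port -> set of secure MACs learned on it
        self.violations = {}          # port -> frames dropped by port security

    def _age_out(self, now):
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.aging}

    def learn(self, port, src, now):
        """Record src on port; returns 'learned', 'table-full' or 'violation'."""
        self._age_out(now)
        if port in self.max_secure:
            allowed = self.secure.setdefault(port, set())
            if src not in allowed:
                if len(allowed) >= self.max_secure[port]:
                    self.violations[port] = self.violations.get(port, 0) + 1
                    return "violation"
                allowed.add(src)
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (port, now)   # new entry, or refresh/move an existing one
            return "learned"
        return "table-full"                 # frame is still forwarded, just not learned

    def forward(self, port, src, dst, now):
        """Return the list of egress ports for a frame received on `port`."""
        if self.learn(port, src, now) == "violation":
            return []                       # port security drops the offending frame
        entry = self.table.get(dst)
        if entry is None or entry[0] == port:
            return [p for p in range(1, self.ports + 1) if p != port]   # flood
        return [entry[0]]                   # filter: forward out the single known port


def overflow_demo(port_security_max=None, bogus_frames=500, seed=7):
    """PC-A on port 1, PC-D on port 4; a flood of random MACs also enters port 4.

    Returns (table size, violations on port 4, egress ports for a PC-A -> PC-D
    frame sent after PC-D has replied) so the effect of the limit is visible.
    """
    sw = Switch(ports=4, capacity=100)
    if port_security_max is not None:
        sw.max_secure[4] = port_security_max
    sw.forward(1, "PC-A", "PC-D", now=0)
    sw.forward(4, "PC-D", "PC-A", now=0)
    rng = random.Random(seed)
    for i in range(bogus_frames):           # one random-source frame per second
        bogus_src = "%012x" % rng.getrandbits(48)
        bogus_dst = "%012x" % rng.getrandbits(48)
        sw.forward(4, bogus_src, bogus_dst, now=1 + i)
    t = bogus_frames + 10                   # PC-A and PC-D have been idle past the aging time
    sw.forward(1, "PC-A", "PC-D", now=t)      # first frame floods either way (PC-D aged out)
    sw.forward(4, "PC-D", "PC-A", now=t + 1)  # PC-D replies: can the switch re-learn it?
    egress = sw.forward(1, "PC-A", "PC-D", now=t + 2)
    return len(sw.table), sw.violations.get(4, 0), egress
```

Without a limit the table ends up holding only bogus entries, PC-D cannot be re-learned, and PC-A's traffic is flooded to every port including the attacker's. With a maximum of one secure MAC on port 4 every bogus frame is a violation, the table holds just the two real hosts, and the frame to PC-D leaves only on port 4.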
14.3 Mitigate MAC Table Attacks
14.3.1 Secure Unused Ports
Layer 2 devices are considered to be the weakest link in a company’s security
infrastructure. Layer 2 attacks are some of the easiest for hackers to deploy but these
threats can also be mitigated with some common Layer 2 solutions.
All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. For example, if a
Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use,
it is good practice to disable the 21 unused ports. Navigate to each unused port and
issue the Cisco IOS shutdown command. If a port must be reactivated at a later time, it
can be enabled with the no shutdown command.
To configure a range of ports, use the interface range command.
Switch(config)# interface range type module/first-number - last-number
For example, to shutdown ports for Fa0/8 through Fa0/24 on S1, you would enter the
following command.
S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
S1(config-if-range)#
14.3.2 Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow
attacks is to enable port security.
Port security limits the number of valid MAC addresses allowed on a port. It allows an
administrator to manually configure MAC addresses for a port or to permit the switch
to dynamically learn a limited number of MAC addresses. When a port that is
configured with port security receives a frame, the source MAC address of the frame is
compared to the list of secure source MAC addresses that were manually configured or
dynamically learned on the port.
By limiting the number of permitted MAC addresses on a port to one, port security can
be used to control unauthorized access to the network, as shown in the figure.
Note: MAC addresses are shown as 24 bits for simplicity.
14.3.3 Enable Port Security
In the following example, the switchport port-security command is rejected. This is
because port security can only be configured on manually configured access ports or
manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic
auto (trunking on). Therefore, in the example, the port is first configured with
the switchport mode access interface configuration command.
Note: Trunk port security is beyond the scope of this course.
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#
Use the show port-security interface command to display the current port security
settings for FastEthernet 0/1, as shown in the example below. Notice that port security
is enabled, and the port status is Secure-down, which means there are no devices
attached and no violation has occurred. Also, the violation mode is Shutdown, and the
maximum number of MAC addresses allowed is 1. If a device is connected to the port,
the switch port status would display Secure-up and the switch will automatically add
the device’s MAC address as a secure MAC. In this example, no device is connected to
the port.
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1#
Note: If an active port is configured with the switchport port-security command and
more than one device is connected to that port, the port will transition to the
error-disabled state. This condition is discussed later in this topic.
After port security is enabled, other port security specifics can be configured, as shown
in the example.
S1(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
S1(config-if)# switchport port-security
14.3.4 Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the following
command:
Switch(config-if)# switchport port-security maximum value
The default port security value is 1. The maximum number of secure MAC addresses
that can be configured depends on the switch and the IOS. In this example, the
maximum is 8192.
S1(config)# interface f0/1
S1(config-if)# switchport port-security maximum ?
<1-8192> Maximum addresses
S1(config-if)# switchport port-security maximum
The switch can be configured to learn about MAC addresses on a secure port in one of
three ways:
1. Manually Configured
The administrator manually configures one or more static MAC addresses by using the
following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address
2. Dynamically Learned
When the switchport port-security command is entered, the current source MAC for
the device connected to the port is automatically secured but is not added to the
startup configuration. If the switch is rebooted, the port will have to re-learn the
device’s MAC address.
3. Dynamically Learned - Sticky
The administrator can enable the switch to dynamically learn the MAC address and
“stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky
Saving the running configuration will commit the dynamically learned MAC address to
NVRAM.
The following example demonstrates a complete port security configuration for
FastEthernet 0/1 with a host connected to the port. The administrator specifies a
maximum of 2 MAC addresses, manually configures one secure MAC address, and then
configures the port to dynamically learn additional secure MAC addresses up to the
maximum of 2. Use the show port-security interface and show port-security address
commands to verify the configuration.
*Mar 1 00:12:38.179: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:39.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age (mins)
---- ----------- ---- ----- -------------
1 a41f.7272.676a SecureSticky Fa0/1 -
1 aaaa.bbbb.1234 SecureConfigured Fa0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
The output of the show port-security interface command verifies that port security is
enabled, there is a host connected to the port (i.e., Secure-up), a total of 2 MAC
addresses will be allowed, and S1 has learned one MAC address statically and one MAC
address dynamically (i.e., sticky).
The output of the show port-security address command lists the two learned MAC
addresses.
14.3.5 Port Security Aging
Port security aging can be used to set the aging time for static and dynamic secure
addresses on a port. Two types of aging are supported per port:
Absolute - The secure addresses on the port are deleted after the specified aging
time.
Inactivity - The secure addresses on the port are deleted only if they are inactive
for the specified aging time.
Use aging to remove secure MAC addresses on a secure port without manually
deleting the existing secure MAC addresses. Aging time limits can also be increased to
ensure past secure MAC addresses remain, even while new MAC addresses are added.
Aging of statically configured secure addresses can be enabled or disabled on a
per-port basis.
Use the switchport port-security aging command to enable or disable static aging for
the secure port, or to set the aging time or type.
Switch(config-if)# switchport port-security aging { static | time time | type {absolute | inactivity}}
Parameter - Description
static - Enable aging for statically configured secure addresses on this port.
time time - Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute - Set the absolute aging time. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
type inactivity - Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Note: MAC addresses are shown as 24 bits for simplicity.
The example shows an administrator configuring the aging type to 10 minutes of
inactivity and then using the show port-security interface command to verify the
configuration.
S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#
14.3.6 Port Security Violation Modes
If the MAC address of a device that is attached to the port differs from the list of
secure addresses, then a port violation occurs. By default, the port enters the
error-disabled state.
To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation { protect | restrict | shutdown}
The following table describes the different switch modes.
Mode - Description
shutdown (default) - The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict - The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
protect - This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.
The following table shows how a switch reacts based on the configured violation
mode.
Violation Mode | Discards Offending Traffic | Sends Syslog Message | Increases Violation Counter | Shuts Down Port
Protect        | Yes                        | No                   | No                          | No
Restrict       | Yes                        | Yes                  | Yes                         | No
Shutdown       | Yes                        | Yes                  | Yes                         | Yes
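To make the aging types of the previous topic and the violation modes of this one concrete, here is an added Python model of a single port-security interface; it is not Cisco code and not part of the course. Times are in minutes, matching the IOS aging timer. Two simplifications are assumptions of the model: the violation counter increments once per offending frame, and statically configured addresses never age because aging static is not enabled.

```python
"""Constructed model of one port-security interface (not Cisco code).

Exercises the violation modes (protect / restrict / shutdown), absolute and
inactivity aging, and shutdown / no shutdown recovery from err-disabled.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    forwarded: bool        # did the frame pass?
    syslog: bool           # was a syslog message generated?
    err_disabled: bool     # is the port err-disabled after this frame?


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"      # protect | restrict | shutdown
    aging_time: int = 0              # minutes; 0 disables aging (IOS default)
    aging_type: str = "absolute"     # absolute | inactivity
    sticky: bool = False             # learned MACs are held in the running config
    configured: set = field(default_factory=set)    # static secure MACs
    learned: dict = field(default_factory=dict)     # mac -> (learned_at, last_seen)
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def _age_out(self, now):
        """Dynamic secure MACs expire per aging type; static ones never age here."""
        if self.aging_time == 0:
            return
        keep = {}
        for mac, (learned_at, last_seen) in self.learned.items():
            ref = learned_at if self.aging_type == "absolute" else last_seen
            if now - ref < self.aging_time:
                keep[mac] = (learned_at, last_seen)
        self.learned = keep

    def ingress(self, src, now):
        if self.err_disabled:
            return Event(False, False, True)        # nothing passes an err-disabled port
        self._age_out(now)
        if src in self.configured:
            return Event(True, False, False)
        if src in self.learned:
            self.learned[src] = (self.learned[src][0], now)   # refresh inactivity timer
            return Event(True, False, False)
        if len(self.configured) + len(self.learned) < self.maximum:
            self.learned[src] = (now, now)          # dynamically learned secure MAC
            return Event(True, False, False)
        # Unknown source beyond the maximum: a security violation.
        if self.violation == "protect":
            return Event(False, False, False)       # silent drop, counter untouched
        self.violation_count += 1                   # assumption: counted per offending frame
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src}")
        if self.violation == "shutdown":
            self.err_disabled = True
            return Event(False, True, True)
        return Event(False, True, False)            # restrict: drop, log, count, stay up

    def shutdown_no_shutdown(self):
        """Administrator recovery; non-sticky dynamic MACs must be re-learned."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()
```

The inactivity check mirrors the example above: with maximum 2, one configured address and aging time 10 of type inactivity, a third host is rejected in restrict mode, but once the sticky-learned host has been silent for ten minutes its slot is freed and the newcomer is accepted. In shutdown mode the same newcomer err-disables the port, and nothing passes until shutdown / no shutdown is entered.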
The following example shows an administrator changing the security violation to
“restrict”. The output of the show port-security interface command confirms that the
change has been made.
S1(config)# interface f0/1
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#
14.3.7 Ports in error-disabled State
What happens when the port security violation is shutdown and a port violation
occurs? The port is physically shutdown and placed in the error-disabled state, and no
traffic is sent or received on that port.
In the example, the port security violation is changed back to the default shutdown
setting. Then the host with MAC address a41f.7272.676a is disconnected and a new
host is plugged into Fa0/1.
Notice that a series of port security related messages are generated on the console.
S1(config)# int fa0/1
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end
S1#
*Mar 1 00:24:15.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:16.606: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:19.114: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:24:20.121: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1#
*Mar 1 00:24:32.829: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:24:32.838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a41f.7273.018c on port FastEthernet0/1.
*Mar 1 00:24:33.836: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:34.843: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
S1#
Note: The port protocol and link status are changed to down and the port LED is
turned off.
In the example, the show interface command identifies the port status as err-disabled.
The output of the show port-security interface command now shows the port status
as Secure-shutdown instead of Secure-up. The Security Violation counter increments
by 1.
S1# show interface fa0/1 | include down
FastEthernet0/18 is down, line protocol is down (err-disabled)
(output omitted)
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 1
S1#
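A defender watching a syslog collector wants these console messages turned into an alert that names the port, the cause of the err-disable, and the offending MAC. The following Python is an added example, not course material or Cisco code; its sample input is the console output shown above, reproduced here as constructed test data, and the regular expressions are written against that exact message format.

```python
"""Added example: extract port-security events from IOS console/syslog text
and correlate them per interface. Sample lines are constructed from the
messages shown in this topic.
"""
import re

SAMPLE_LOG = """\
*Mar 1 00:24:32.829: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:24:32.838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a41f.7273.018c on port FastEthernet0/1.
*Mar 1 00:24:33.836: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:34.843: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

TIMESTAMP_RE = re.compile(r"^\*?(\w{3}\s+\d+\s+[\d:.]+):\s*(%.*)$")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9A-Fa-f.]+) on port (\S+?)\.?$")
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+), putting \S+ in err-disable state")

# IOS abbreviates interface names in some messages and spells them out in others.
SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}


def canonical_interface(name):
    """Fa0/1 and FastEthernet0/1 name the same port; normalise to the long form."""
    for short, long_name in SHORT_NAMES.items():
        if name.startswith(short) and not name.startswith(long_name):
            return long_name + name[len(short):]
    return name


def parse_events(text):
    """Return dicts for the port-security related messages only; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        v = VIOLATION_RE.search(msg)
        if v:
            events.append({"time": stamp, "kind": "violation",
                           "interface": canonical_interface(v.group(2)),
                           "mac": v.group(1).lower()})
            continue
        e = ERR_DISABLE_RE.search(msg)
        if e:
            events.append({"time": stamp, "kind": "err-disable",
                           "interface": canonical_interface(e.group(2)),
                           "cause": e.group(1)})
    return events


def summarize(text):
    """Per interface: the err-disable cause (if any) and the MACs that violated."""
    summary = {}
    for ev in parse_events(text):
        entry = summary.setdefault(ev["interface"],
                                   {"cause": None, "macs": [], "first": ev["time"]})
        if ev["kind"] == "err-disable":
            entry["cause"] = ev["cause"]
        elif ev["mac"] not in entry["macs"]:
            entry["macs"].append(ev["mac"])
    return summary
```

The interface name is normalised because the two messages refer to the same port as Fa0/1 and FastEthernet0/1; without that step the err-disable and the violation would be filed under different keys and the alert would lack the offending MAC.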
The administrator should determine what caused the security violation. If an
unauthorized device is connected to a secure port, the security threat should be
eliminated before re-enabling the port.
In the next example, the first host is reconnected to Fa0/1. To re-enable the port, first
use the shutdown command, then use the no shutdown command to make the port
operational, as shown in the example.
S1(config)# interface fa0/1
S1(config-if)# shutdown
S1(config-if)#
*Mar 1 00:39:54.981: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
S1(config-if)# no shutdown
S1(config-if)#
*Mar 1 00:40:04.275: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:40:05.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1(config-if)#
Fa0/1 2 2 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
Port Security for a Specific Interface
Use the show port-security interface command to view details for a specific interface,
as shown previously and in this example.
S1# show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 0
S1#
Verify Learned MAC Addresses
To verify that MAC addresses are “sticking” to the configuration, use the show
run command as shown in the example for FastEthernet 0/1.
S1# show run interface fa0/1
Building configuration...
Current configuration : 365 bytes
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky a41f.7272.676a
switchport port-security mac-address aaaa.bbbb.1234
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
end
S1#
Verify Secure MAC Addresses
To display all secure MAC addresses that are manually configured or dynamically
learned on all switch interfaces, use the show port-security address command as
shown in the example.
S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age (mins)
---- ----------- ---- ----- -------------
1 a41f.7272.676a SecureSticky Fa0/1 -
1 aaaa.bbbb.1234 SecureConfigured Fa0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
14.3.9 Syntax Checker - Implement Port Security
Implement port security for a switch interface based on the specified requirements
You are currently logged into S1. Configure FastEthernet 0/5 for port security by using
the following requirements:
Use the interface name fa0/5 to enter interface configuration mode.
Enable the port for access mode.
Enable port security.
Set the maximum number of MAC address to 3.
Statically configure the MAC address aaaa.bbbb.1234.
Configure the port to dynamically learn additional MAC addresses and dynamically
add them to the running configuration.
Return to privileged EXEC mode.
S1(config)#interface fa0/5
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 3
S1(config-if)#switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#end
Enter the command to verify port security for all interfaces.
S1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/5 3 2 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
Enter the command to verify port security on FastEthernet 0/5. Use fa0/5 for the
interface name.
S1#show port-security interface fa0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0090.2135.6B8C:1
Security Violation Count : 0
Enter the command that will display all of the addresses to verify that the manually
configured and dynamically learned MAC addresses are in the running configuration.
S1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age (mins)
---- ----------- ---- ----- -------------
1 0090.2135.6b8c SecureSticky Fa0/5 -
1 aaaa.bbbb.1234 SecureConfigured Fa0/5 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
You have successfully configured and verified port security for the interface.
14.3.10 SNMP MAC Address Notification
Network managers need a way of monitoring who is using the network and what their
location is. For example, if port Fa0/1 is secure on a switch, an SNMP trap is generated
when a MAC address entry for that port disappears from the MAC table.
The MAC address notification feature sends SNMP traps to the network management
station (NMS) whenever a new MAC address is added to, or an old address is deleted
from, the forwarding tables. MAC address notifications are generated only for dynamic
and secure MAC addresses.
MAC address notification allows the network administrator to monitor MAC addresses
that are learned, as well as MAC addresses that age out and are removed from the
switch. For example, in the figure, the laptop with MAC C has disconnected from the
network. The switch will eventually timeout port Fa0/3 and send an SNMP trap
notification to the NMS Server.
Use the mac address-table notification global configuration command to enable the
MAC address notification feature on a switch.
The figure shows a laptop that has been disconnected from F0/3; as a result, the
switch will eventually time out port F0/3 and send an SNMP trap notification to the
NMS server.
14.3.11 Packet Tracer - Implement Port Security
In this Packet Tracer activity, you will configure and verify port security on a switch.
Port security allows you to restrict a port’s ingress traffic by limiting the MAC
addresses that are allowed to send traffic into the port.
14.4.2 VLAN Double-Tagging Attack
A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame
that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the
original 802.1Q tag did not specify.
Step 1
The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header
has the VLAN tag of the threat actor, which is the same as the native VLAN of the trunk
port. For the purposes of this example, assume that this is VLAN 10. The inner tag is
the victim VLAN, in this example, VLAN 20.
Step 2
The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The
switch sees that the frame is destined for VLAN 10, which is the native VLAN. The
switch forwards the packet out all VLAN 10 ports after stripping the VLAN 10 tag. The
frame is not retagged because it is part of the native VLAN. At this point, the VLAN 20
tag is still intact and has not been inspected by the first switch.
Step 3
The frame arrives at the second switch, which has no knowledge that it was supposed
to be for VLAN 10. Native VLAN traffic is not tagged by the sending switch, as specified
in the 802.1Q specification. The second switch looks only at the inner 802.1Q tag that
the threat actor inserted and sees that the frame is destined for VLAN 20, the target
VLAN. The second switch sends the frame on to the target or floods it, depending on
whether there is an existing MAC address table entry for the target.
A VLAN double-tagging attack is unidirectional and works only when the attacker is
connected to a port residing in the same VLAN as the native VLAN of the trunk port.
The idea is that double tagging allows the attacker to send data to hosts or servers on a
VLAN that otherwise would be blocked by some type of access control configuration.
Presumably the return traffic will also be permitted, thus giving the attacker the ability
to communicate with devices on the normally blocked VLAN.
VLAN Attack Mitigation
VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the
following trunk security guidelines, as discussed in a previous module:
Disable trunking on all access ports.
Disable auto trunking on trunk links so that trunks must be manually enabled.
Be sure that the native VLAN is only used for trunk links.
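The following Python is an added example, not course material or Cisco code. It parses stacked 802.1Q tags in an Ethernet frame and replays the native-VLAN decision from Steps 1 through 3, once for a trunk whose native VLAN is the same as the access VLAN of the sending port and once for a trunk whose native VLAN has been moved to an unused VLAN, which is what the third guideline above achieves. The MAC addresses, the payload and every VLAN number other than 10 and 20 are constructed placeholders.

```python
"""Added example: walk stacked 802.1Q tags and replay the two-switch
native-VLAN decision described in Steps 1-3. Frames are constructed in-line.
"""
import struct

TPID_8021Q = 0x8100


def parse_tags(frame):
    """Return (VLAN IDs outermost first, final EtherType, payload offset)."""
    off, vlans = 12, []                      # tags start after dst (6) + src (6)
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            return vlans, etype, off + 2
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VID
        off += 4


def build_frame(dst, src, vlans, ethertype, payload):
    """Constructed test frame: dst/src as hex strings, tags outermost first."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_outer_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def first_switch(frame, access_vlan, trunk_native_vlan):
    """Access-port ingress, then egress on the trunk toward the second switch.

    Returns the frame as it appears on the trunk wire, or None if dropped.
    """
    vlans, _, _ = parse_tags(frame)
    if vlans:
        if vlans[0] != access_vlan:
            return None                      # tagged for a VLAN this access port does not carry
        frame = strip_outer_tag(frame)       # the port's own tag is removed; anything below stays
    if access_vlan == trunk_native_vlan:
        return frame                         # native VLAN leaves the trunk untagged (802.1Q)
    return add_outer_tag(frame, access_vlan)


def second_switch_vlan(frame, trunk_native_vlan):
    """VLAN the second switch assigns to what arrives on its trunk."""
    vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else trunk_native_vlan


def double_tag_lands_in(native_vlan, access_vlan=10, inner_vlan=20):
    """VLAN in which a frame tagged [access_vlan, inner_vlan] ends up at switch 2."""
    frame = build_frame("ffffffffffff", "0200deadbeef",
                        [access_vlan, inner_vlan], 0x0800, b"x" * 46)   # constructed
    on_trunk = first_switch(frame, access_vlan, native_vlan)
    return None if on_trunk is None else second_switch_vlan(on_trunk, native_vlan)
```

With the native VLAN equal to the sender's VLAN 10, the first switch strips the outer tag and sends the frame untagged, so the second switch reads the inner tag and places the frame in VLAN 20. With the native VLAN set to 999 the frame crosses the trunk tagged 10, the second switch places it in VLAN 10, and the inner tag is never interpreted.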
14.4.3 Mitigating VLAN Hopping Attacks
Use the following steps to mitigate VLAN hopping attacks:
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using
the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN. In the example it is
VLAN 1000.
Step 3: Manually enable the trunk link on a trunking port by using the switchport
mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using
the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk
native vlan vlan_number command.
For example, assume the following:
FastEthernet ports 0/1 through 0/16 are active access ports.
FastEthernet ports 0/17 through 0/20 are not currently in use.
FastEthernet ports 0/21 through 0/24 are trunk ports.
VLAN hopping can be mitigated by implementing the following configuration.
S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#
FastEthernet ports 0/1 to 0/16 are access ports and therefore trunking is disabled
by explicitly making them access ports.
FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to
an unused VLAN.
FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks
with DTP disabled. The native VLAN is also changed from the default VLAN 1 to
VLAN 999.
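The following Python script is an added example, not part of the course or of Cisco software: it parses a running-config fragment into interface stanzas and reports which of the five steps above an interface is missing. The sample configuration is constructed to mirror the S1 configuration just shown, with two deliberately weak interfaces (FastEthernet0/22 and FastEthernet0/23) added so that the findings are visible.

```python
"""Added example: audit a switch running-config for the VLAN hopping
mitigation steps. The sample configuration is constructed.
"""

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 1000
 switchport mode access
 shutdown
!
interface FastEthernet0/21
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface FastEthernet0/22
 switchport mode trunk
!
interface FastEthernet0/23
!
"""


def interface_stanzas(config):
    """Return {interface name: [its indented configuration lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or a global line ends the stanza
    return stanzas


def audit_interface(lines):
    """Findings for one Layer 2 port against the mitigation steps."""
    findings = []
    mode = next((ln.split()[-1] for ln in lines if ln.startswith("switchport mode ")), None)
    if mode is None:
        # Step 1: no explicit mode means the IOS default, dynamic auto, which negotiates trunks.
        findings.append("no switchport mode: port is dynamic auto and will negotiate a trunk")
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:          # Step 4
            findings.append("trunk still runs DTP: add switchport nonegotiate")
        native = next((ln.split()[-1] for ln in lines
                       if ln.startswith("switchport trunk native vlan ")), "1")
        if native == "1":                                  # Step 5
            findings.append("native VLAN is the default VLAN 1")
    return findings


def audit(config):
    return {name: audit_interface(lines) for name, lines in interface_stanzas(config).items()}
```

Step 2 (shutting down unused ports) cannot be judged from the configuration alone, because the config does not say which ports are unused; that check needs an interface status or traffic report alongside it.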
14.4.4 Syntax Checker - Mitigate VLAN Hopping Attacks
Mitigate VLAN hopping attacks on the switch based on the specified requirements.
You are currently logged into S1. The status of the ports is as follows:
FastEthernet ports 0/1 through 0/4 are used for trunking with other switches.
FastEthernet ports 0/5 through 0/10 are unused.
FastEthernet ports 0/11 through 0/24 are active ports currently in use.
Use range fa0/1 - 4 to enter interface configuration mode for the trunks.
S1(config)#interface range fa0/1 - 4
Configure the interfaces as nonnegotiating trunks with native VLAN 99.
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)# exit
Use range fa0/5 - 10 to enter interface configuration mode for the unused ports.
S1(config)#interface range fa0/5 - 10
Configure the unused ports as access ports, assign them to VLAN 86, and shut down
the ports.
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 86
% Access VLAN does not exist. Creating vlan 86
S1(config-if-range)#shutdown
*Mar 1 00:28:48.883: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
*Mar 1 00:28:48.900: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
*Mar 1 00:28:48.908: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
*Mar 1 00:28:48.917: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
*Mar 1 00:28:48.942: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
*Mar 1 00:28:48.950: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
*Mar 1 00:28:49.890: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Mar 1 00:28:49.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
S1(config-if-range)# exit
Use range fa0/11 - 24 to enter interface configuration mode for the active ports and
then configure them to prevent trunking.
S1(config)#interface range fa0/11 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)# end
S1#
You have successfully mitigated VLAN hopping attacks on this switch.
14.4.5 Private VLANs
VLANs are broadcast domains. However, in some situations, it may be useful to break this
rule and allow only the minimum required Layer 2 connectivity within the VLAN.
Private VLANs (PVLAN) provide Layer 2 isolation between ports within the same
broadcast domain. There are three types of PVLAN ports:
Promiscuous - A promiscuous port can talk to everyone. It can communicate with
all interfaces, including the isolated and community ports within a PVLAN.
Isolated - An isolated port can only talk to promiscuous ports. An isolated port has
complete Layer 2 separation from the other ports within the same PVLAN, but not
from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic
from promiscuous ports. Traffic from an isolated port is forwarded only to
promiscuous ports.
Community - Community ports can talk to other community and promiscuous
ports. These interfaces are separated at Layer 2 from all other interfaces in other
communities or isolated ports within their PVLAN.
The example in the figure illustrates which ports can interconnect. The security
provided by a PVLAN can be bypassed by using the router as a proxy.
For example, in the figure below, PC-A and PC-B are isolated from each other.
However, PC-A can initiate an attack against PC-B by sending packets that have the
source IP address and MAC address of PC-A, the destination IP address of PC-B, but the
destination MAC address of R1. S1 will forward the frame to R1 because F0/5 is
configured as a promiscuous port. R1 rebuilds the frame with PC-B's MAC address and
forwards it to S1. S1 then forwards the frame to PC-B.
Note: PVLANs are used mainly in service provider co-location sites. Another typical
application can be found in hotels where each room would be connected on its own
isolated port.
PVLAN Proxy Attack
To mitigate this type of attack, configure an ACL that denies traffic whose source and
destination IP addresses belong to the same subnet, as shown in the configuration
below.
R1(config)# ip access-list extended PVLAN
R1(config-ext-nacl)# deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# interface g0/0
R1(config-if)# ip access-group PVLAN in
R1(config-if)#
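The PVLAN forwarding rules and the router ACL above can be checked with a small simulation. This is an added example, not course or Cisco code: the port table (which port is promiscuous, isolated, or in which community) is constructed for the demonstration; the ACL entries are the ones from the configuration above, evaluated with IOS-style wildcard masks and first-match semantics.

```python
"""PVLAN port-type forwarding rules plus the router ACL that closes the proxy path.

Added illustration, not course material. The port table is constructed; the ACL
is the 'PVLAN' extended ACL from the section.
"""
import ipaddress

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

# Constructed port table: port -> (PVLAN port type, community name or None)
PORTS = {
    "F0/5": (PROMISCUOUS, None),    # uplink to R1 (promiscuous, as in the section)
    "F0/1": (ISOLATED, None),       # PC-A
    "F0/2": (ISOLATED, None),       # PC-B
    "F0/3": (COMMUNITY, "sales"),
    "F0/4": (COMMUNITY, "sales"),
    "F0/6": (COMMUNITY, "eng"),
}


def pvlan_forwards(ingress, egress):
    """Return True if the switch forwards a frame from ingress port to egress port."""
    if ingress == egress:
        return False
    in_type, in_comm = PORTS[ingress]
    out_type, out_comm = PORTS[egress]
    if PROMISCUOUS in (in_type, out_type):
        return True                      # promiscuous ports talk to everyone
    if in_type == COMMUNITY and out_type == COMMUNITY:
        return in_comm == out_comm       # same community only
    return False                         # isolated ports reach only promiscuous ports


def acl_match(entry_addr, wildcard, address):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    entry = int(ipaddress.IPv4Address(entry_addr))
    addr = int(ipaddress.IPv4Address(address))
    return (entry & care) == (addr & care)


# ip access-list extended PVLAN (from the section):
#   deny   ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
#   permit ip any any
ACL_PVLAN = [
    ("deny", ("172.16.0.0", "0.0.0.255"), ("172.16.0.0", "0.0.0.255")),
    ("permit", ("0.0.0.0", "255.255.255.255"), ("0.0.0.0", "255.255.255.255")),
]


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, like IOS."""
    for action, (s_addr, s_wc), (d_addr, d_wc) in acl:
        if acl_match(s_addr, s_wc, src) and acl_match(d_addr, d_wc, dst):
            return action
    return "deny"


def router_relays(src, dst):
    """Does R1 forward a packet received on g0/0 with the PVLAN ACL applied inbound?"""
    return acl_action(ACL_PVLAN, src, dst) == "permit"


if __name__ == "__main__":
    print("PC-A -> PC-B at Layer 2:", pvlan_forwards("F0/1", "F0/2"))       # False
    print("PC-A -> R1 at Layer 2:", pvlan_forwards("F0/1", "F0/5"))         # True
    print("R1 relays 172.16.0.10 -> 172.16.0.20:",
          router_relays("172.16.0.10", "172.16.0.20"))                        # False
    print("R1 relays 172.16.0.10 -> 10.1.1.1:",
          router_relays("172.16.0.10", "10.1.1.1"))                           # True
```

The first two calls show why the proxy path exists (the isolated port cannot reach PC-B directly but can reach the promiscuous uplink); the ACL check shows that once the router refuses to forward same-subnet traffic, the detour is closed while traffic to other subnets still passes.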
14.4.6 PVLAN Edge Feature
Some applications require that no traffic be forwarded at Layer 2 between ports on the
same switch so that one neighbor does not see the traffic generated by another
neighbor.
In such an environment, the use of the PVLAN Edge feature ensures that there is no
exchange of unicast, broadcast, or multicast traffic between PVLAN edge ports on the
switch, as shown in the figure. The PVLAN Edge feature is also called Protected Ports.
The PVLAN Edge feature has the following characteristics:
A protected port does not forward any traffic, such as unicast, multicast, or
broadcast, to any other port that is also a protected port. Data traffic cannot be
forwarded between protected ports at Layer 2; only control traffic is forwarded
because these packets are processed by the CPU and forwarded in software. All
data traffic passing between protected ports must be forwarded through a Layer 3
device.
Forwarding behavior between a protected port and a non-protected port proceeds
as usual.
The default is to have no protected ports defined.
Restricting Layer 2 Traffic between Switch Ports
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network
and provides false IP configuration parameters to legitimate clients. A rogue server can
provide a variety of misleading information:
Wrong default gateway - The rogue server provides an invalid gateway, or its own
IP address, to create a man-in-the-middle attack. This may go entirely undetected
as the intruder intercepts the data flow through the network and then forwards it
on to the real default gateway.
Wrong DNS server - The rogue server provides an incorrect DNS server address
that points the user to a nefarious website.
Wrong IP address - The rogue server provides an invalid IP address which
effectively creates a DoS attack on the DHCP client.
The following steps give an example and explanation of a DHCP spoofing attack.
Step 1
Threat Actor Connects Rogue DHCP Server
A threat actor successfully connects a rogue DHCP server to a switch port on the same
subnet and VLANs as the target clients. The goal of the rogue server is to provide
clients with false IP configuration information.
Step 2
Client Broadcasts DHCP Discovery Messages
A legitimate client connects to the network and requires IP configuration parameters.
Therefore, the client broadcasts a DHCP Discovery request looking for a response from
a DHCP server. Both servers will receive the message and respond.
Step 3
Legitimate and Rogue DHCP Reply
The legitimate DHCP server responds with valid IP configuration parameters. However,
the rogue server also responds with a DHCP offer containing IP configuration
parameters defined by the threat actor. The client will reply to the first offer received.
Step 4
Client Accepts Rogue DHCP Offer
The rogue offer was received first, and therefore, the client broadcasts a DHCP request
accepting the IP parameters defined by the threat actor. The legitimate and rogue
server will receive the request.
14.5.2 DHCP Attacks Mitigation
It is easy to mitigate DHCP starvation attacks by using port security. However,
mitigating DHCP spoofing attacks requires more protection.
For instance, Gobbler uses a unique MAC address for each DHCP request, and port
security could be configured to mitigate this. However, Gobbler can also be configured
to use the same interface MAC address with a different hardware address (CHADDR) for
every request, which renders port security ineffective.
DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP
snooping also helps mitigate against DHCP starvation attacks by rate limiting the
number of DHCP discovery messages that an untrusted port can receive. DHCP
snooping builds and maintains a DHCP snooping binding database that the switch can
use to filter DHCP messages from untrusted sources. The DHCP snooping binding table
includes the client MAC address, IP address, DHCP lease time, binding type, VLAN
number, and interface information on each untrusted switchport or interface.
Devices under your administrative control, such as switches, routers, and servers, are
trusted sources. Any device beyond the firewall or outside your network is an
untrusted source. In addition, all access ports are generally treated as untrusted
sources. The figure shows an example of trusted and untrusted ports.
The figure shows a DHCP server at the upper right of the topology, connected to a
distribution switch below it. That distribution switch is connected to a second
distribution switch on the left and to an access switch below it. The second
distribution switch also has an access switch below it. Both access switches connect
to both distribution switches, but not to each other. The access switch on the right
has a PC below it; the other access switch has a PC with a rogue character under it. A
purple square marks a trusted port and a red circle marks an untrusted port. There are
purple squares between the DHCP server and the distribution switch and on every link
between switches, and a red circle between each PC and its access switch.
Note: In a large network, the DHCP binding table may take time to build after it is
enabled. For example, it could take 2 days for DHCP snooping to complete the table if
DHCP lease time is 4 days.
When DHCP snooping is enabled on an interface or VLAN, and a switch receives a
packet on an untrusted port, the switch compares the source packet information with
that held in the DHCP snooping binding table. The switch will deny packets containing
specific information:
Unauthorized DHCP server messages from an untrusted port
Unauthorized DHCP client messages not adhering to the snooping binding table or
rate limits
DHCP relay-agent packets that include option-82 information on an untrusted port
Note: To counter Gobbler using the same MAC address, DHCP snooping also makes the
switch check the Client Hardware Address (CHADDR) field in the DHCP request. This
ensures that it matches the hardware MAC address in the DHCP snooping binding table
and the MAC address in the MAC table. If there is no match, the request is dropped.
Note: Similar mitigation techniques are available for DHCPv6 and IPv6 clients. Because
IPv6 devices can also receive their addressing information from the router’s Router
Advertisement (RA) message, there are also mitigation solutions to prevent any rogue
RA messages.
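The drop rules listed above (server messages on untrusted ports, option-82 packets on untrusted ports, CHADDR not matching the frame's source MAC, and the per-port rate limit) can be written out as a small simulation of the switch's decision. This is an added example, not course or Cisco code; the port names, rate limit, MAC addresses and packet sequence are constructed to mirror the section's rules, and the binding-learning step is simplified (a binding is recorded when an ACK for a client is seen on a trusted port).

```python
"""DHCP snooping decision logic as a small simulation (added example, not Cisco code)."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpPacket:
    port: str
    src_mac: str            # Ethernet source address of the frame
    msg_type: str           # DISCOVER / OFFER / REQUEST / ACK / NAK ...
    chaddr: str             # client hardware address field in the DHCP payload
    yiaddr: str = ""        # address handed out in OFFER/ACK
    option82: bool = False  # relay-agent information present
    second: int = 0         # arrival time in whole seconds (for the rate limit)


@dataclass
class SnoopingSwitch:
    trusted: set                                    # trusted ports
    rate_limit: dict                                # port -> max client messages per second
    bindings: dict = field(default_factory=dict)    # client MAC -> (ip, port)
    mac_table: dict = field(default_factory=dict)   # MAC -> port
    errdisabled: set = field(default_factory=set)
    _counts: dict = field(default_factory=dict)     # (port, second) -> messages seen

    def process(self, pkt):
        """Return 'forward' or 'drop:<reason>' for one DHCP packet."""
        self.mac_table.setdefault(pkt.src_mac, pkt.port)
        if pkt.port in self.errdisabled:
            return "drop:port-errdisabled"
        if pkt.port in self.trusted:
            # Simplified learning: record the lease when the server ACKs it.
            if pkt.msg_type == "ACK":
                self.bindings[pkt.chaddr] = (pkt.yiaddr, self.mac_table.get(pkt.chaddr))
            return "forward"
        # Untrusted port: apply the checks the section lists.
        if pkt.msg_type in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"
        if pkt.option82:
            return "drop:option82-on-untrusted-port"
        if pkt.chaddr != pkt.src_mac:            # hwaddr verification (counters Gobbler)
            return "drop:chaddr-mismatch"
        key = (pkt.port, pkt.second)
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] > self.rate_limit.get(pkt.port, float("inf")):
            self.errdisabled.add(pkt.port)       # exceeding the limit err-disables the port
            return "drop:rate-limit-exceeded"
        return "forward"


def run_demo():
    """Constructed packet sequence: F0/1 is the trusted uplink, F0/5 and F0/6 are access ports."""
    sw = SnoopingSwitch(trusted={"F0/1"}, rate_limit={"F0/5": 2})
    client, server, rogue = "00:03:47:b5:9f:ad", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    pkts = [
        DhcpPacket("F0/5", client, "DISCOVER", client, second=0),
        DhcpPacket("F0/1", server, "OFFER", client, "192.168.10.11"),
        DhcpPacket("F0/5", client, "REQUEST", client, second=0),
        DhcpPacket("F0/1", server, "ACK", client, "192.168.10.11"),
        DhcpPacket("F0/6", rogue, "OFFER", client, "192.168.10.99"),       # rogue server
        DhcpPacket("F0/6", rogue, "DISCOVER", rogue, option82=True),        # relay info on access port
        DhcpPacket("F0/6", rogue, "DISCOVER", "00:aa:bb:cc:dd:01"),         # CHADDR != source MAC
        DhcpPacket("F0/5", client, "DISCOVER", client, second=1),
        DhcpPacket("F0/5", client, "DISCOVER", client, second=1),
        DhcpPacket("F0/5", client, "DISCOVER", client, second=1),           # third in one second
    ]
    return sw, [sw.process(p) for p in pkts]


if __name__ == "__main__":
    switch, decisions = run_demo()
    for d in decisions:
        print(d)
    print("bindings:", switch.bindings)
    print("err-disabled:", switch.errdisabled)
```

The sequence ends with the client's binding recorded (MAC, address, and the access port it sits on), the rogue server's offer dropped at the access port, and F0/5 err-disabled after its third DISCOVER in one second exceeds the limit of 2.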
14.5.3 Steps to Implement DHCP Snooping
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration
command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration
command.
Step 3. Limit the number of DHCP discovery messages that can be received per second
on untrusted ports by using the ip dhcp snooping limit rate interface configuration
command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp
snooping vlan global configuration command.
14.5.4 DHCP Snooping Configuration Example
The reference topology for this DHCP snooping example is shown in the figure. Notice
that F0/5 is an untrusted port because it connects to a PC. F0/1 is a trusted port
because it connects to the DHCP server.
The graphic has a legend below the topology diagram: a purple square for a trusted
port and a red circle for an untrusted port. The topology is a LAN with one switch,
with a PC connected on the left and a DHCP server on the right. The interface to the PC
is marked with the red circle (untrusted) and the interface to the DHCP server with the
purple square (trusted).
The following is an example of how to configure DHCP snooping on S1. Notice how
DHCP snooping is first enabled. Then the upstream interface to the DHCP server is
explicitly trusted. Next, the range of FastEthernet ports from F0/5 to F0/24 are
untrusted by default, so a rate limit is set to six packets per second. Finally, DHCP
snooping is enabled on VLANS 5, 10, 50, 51, and 52.
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#
Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping
and show ip dhcp snooping binding to view the clients that have received DHCP
information, as shown in the example.
Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI), which is the
next topic.
S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
5,10,50-52
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
FastEthernet0/1 yes yes unlimited
Custom circuit-ids:
FastEthernet0/5 no no 6
Custom circuit-ids:
FastEthernet0/6 no no 6
Custom circuit-ids:
S1# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 192.168.10.11 193185 dhcp-snooping 5 FastEthernet0/5
14.5.5 Syntax Checker - Mitigate DHCP Attacks
Implement DHCP snooping for a switch based on the following topology and specified
requirements.
You are currently logged into S1. Enable DHCP snooping globally for the switch.
S1(config)#ip dhcp snooping
Enter interface configuration mode for g0/1 - 2, trust the interfaces, and return to
global configuration mode.
S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#exit
Enter interface configuration mode for f0/1 - 24, limit the DHCP messages to no more
than 10 per second, and return to global configuration mode.
S1(config)#interface range f0/1 - 24
S1(config-if-range)#ip dhcp snooping limit rate 10
S1(config-if-range)#exit
Enable DHCP snooping for VLANs 10,20,30-49.
S1(config)#ip dhcp snooping vlan 10,20,30-49
S1(config)# exit
Enter the command to verify DHCP snooping.
S1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30-49
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet0/2 yes yes unlimited
Custom circuit-ids:
FastEthernet0/1 no no 10
Custom circuit-ids:
Enter the command to verify the current DHCP bindings logged by DHCP snooping.
S1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.0.0.10 193185 dhcp-snooping 5 FastEthernet0/1
S1#
You have successfully configured and verified DHCP snooping for the switch.
14.6 Mitigate ARP Attacks
14.6.1 ARP Attacks
Recall that hosts broadcast ARP Requests to determine the MAC address of a host with
a particular IPv4 address. This is typically done to discover the MAC address of the
default gateway. All hosts on the subnet receive and process the ARP Request. The
host with the matching IPv4 address in the ARP Request sends an ARP Reply.
According to the ARP RFC, a client is allowed to send an unsolicited ARP Request called
a “gratuitous ARP.” When a host sends a gratuitous ARP, other hosts on the subnet
store the MAC address and IPv4 address contained in the gratuitous ARP in their ARP
tables.
The problem is that an attacker can send a gratuitous ARP message containing a
spoofed MAC address to a switch, and the switch would update its MAC table
accordingly. Therefore, any host can claim to be the owner of any IP and MAC address
combination they choose. In a typical attack, a threat actor can send unsolicited ARP
Replies to other hosts on the subnet with the MAC Address of the threat actor and the
IPv4 address of the default gateway.
There are many tools available on the internet to create ARP man-in-the-middle
attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses ICMPv6
Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to
mitigate Neighbor Advertisement spoofing, similar to the way IPv6 prevents a spoofed
ARP Reply.
ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP
Inspection (DAI).
The following steps give an example and explanation of ARP spoofing and ARP poisoning.
Step 1
Normal State with Converged MAC Tables
Each device has an accurate MAC table with the correct IPv4 and MAC addresses for
the other devices on the LAN.
Step 2
ARP Spoofing Attack
The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1
as the default gateway:
1. The first one informs all devices on the LAN that the threat actor’s MAC address
(CC:CC:CC) maps to R1’s IPv4 address, 10.0.0.1.
2. The second one informs all devices on the LAN that the threat actor’s MAC address
(CC:CC:CC) maps to PC1’s IPv4 address, 10.0.0.11.
Step 3
ARP Poisoning Attack with Man-in-the-Middle Attack
R1 and PC1 remove the correct entry for each other’s MAC address and replace it with
PC2’s MAC address. The threat actor has now poisoned the ARP caches of all devices
on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a
serious security threat to the network.
14.6.2 Video - ARP Spoofing
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks
by:
Not relaying invalid or gratuitous ARP Requests out to other ports in the same
VLAN
Intercepting all ARP Requests and Replies on untrusted ports
Verifying each intercepted packet for a valid IP-to-MAC binding
Dropping and logging ARP Requests coming from invalid sources to prevent ARP
poisoning
Error-disabling the interface if the configured DAI number of ARP packets is
exceeded
14.6.4 DAI Implementation Guidelines
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI
implementation guidelines:
Enable DHCP snooping globally.
Enable DHCP snooping on selected VLANs.
Enable DAI on selected VLANs.
Configure trusted interfaces for DHCP snooping and ARP inspection.
It is generally advisable to configure all access switch ports as untrusted and to
configure all uplink ports that are connected to other switches as trusted.
The sample topology in the figure identifies trusted and untrusted ports.
enabled for the PCs on VLAN10. The uplink port to the router is trusted, and therefore,
is configured as trusted for DHCP snooping and ARP inspection.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
DAI can also be configured to check for both destination or source MAC and IP
addresses:
Destination MAC - Checks the destination MAC address in the Ethernet header
against the target MAC address in the ARP packet body
Source MAC - Checks the source MAC address in the Ethernet header against the
sender MAC address in the ARP packet body
IP address - Checks the ARP packet body for invalid and unexpected IP addresses
including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses
The ip arp inspection validate {src-mac [dst-mac] [ip]} global configuration command
is used to configure DAI to drop ARP packets when the IP addresses are invalid. It can
be used when the MAC addresses in the body of the ARP packets do not match the
addresses that are specified in the Ethernet header. Notice in the following example
how only one command can be configured. Therefore, entering multiple ip arp
inspection validate commands overwrites the previous command. To include more
than one validation method, enter them on the same command line as shown and
verified in the following output.
S1(config)# ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
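The checks DAI performs on an untrusted port (the optional src-mac, dst-mac and ip validations, then the IP-to-MAC binding lookup) can be traced with a small simulation. This is an added example, not course or Cisco code. The binding table, port names and ARP packets are constructed; the addresses reuse the section's ARP spoofing scenario (PC1 at 10.0.0.11, the gateway at 10.0.0.1, the threat actor's MAC CC:CC:CC padded to six bytes).

```python
"""Dynamic ARP Inspection checks as a small simulation (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ArpPacket:
    port: str
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address
    op: str           # "request" or "reply"


class DaiSwitch:
    def __init__(self, trusted, bindings, validate=()):
        self.trusted = set(trusted)
        self.bindings = dict(bindings)   # MAC -> IP, as learned by DHCP snooping
        self.validate = set(validate)    # subset of {"src-mac", "dst-mac", "ip"}
        self.log = []

    @staticmethod
    def invalid_ip(ip):
        """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255, multicast."""
        addr = ipaddress.IPv4Address(ip)
        return ip in ("0.0.0.0", "255.255.255.255") or addr.is_multicast

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one ARP packet, logging every drop."""
        if pkt.port in self.trusted:
            return "forward"                       # trusted ports are not inspected
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return self._drop(pkt, "src-mac mismatch")
        if "dst-mac" in self.validate and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
            return self._drop(pkt, "dst-mac mismatch")
        if "ip" in self.validate:
            # sender IP is checked in requests and replies, target IP only in replies
            if self.invalid_ip(pkt.sender_ip) or (pkt.op == "reply" and self.invalid_ip(pkt.target_ip)):
                return self._drop(pkt, "invalid ip")
        if self.bindings.get(pkt.sender_mac) != pkt.sender_ip:
            return self._drop(pkt, "no valid ip-to-mac binding")
        return "forward"

    def _drop(self, pkt, reason):
        self.log.append(f"DAI drop on {pkt.port}: {reason} ({pkt.sender_ip}/{pkt.sender_mac})")
        return "drop"


def run_demo():
    """Constructed traffic: fa0/24 is the trusted uplink; fa0/1 and fa0/2 are access ports."""
    pc1, pc2, bcast, zero = "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    sw = DaiSwitch(trusted={"fa0/24"}, bindings={pc1: "10.0.0.11"},
                   validate={"src-mac", "dst-mac", "ip"})
    good = ArpPacket("fa0/1", pc1, bcast, pc1, "10.0.0.11", zero, "10.0.0.1", "request")
    # gratuitous reply claiming the gateway's IP with PC2's MAC (the section's spoofing case)
    spoof = ArpPacket("fa0/2", pc2, bcast, pc2, "10.0.0.1", bcast, "10.0.0.1", "reply")
    # body/header disagreement caught by src-mac validation
    mism = ArpPacket("fa0/1", pc1, bcast, pc2, "10.0.0.11", zero, "10.0.0.1", "request")
    bad_ip = ArpPacket("fa0/1", pc1, bcast, pc1, "0.0.0.0", zero, "10.0.0.1", "request")
    # the same spoofed reply arriving on the trusted uplink is passed through uninspected
    uplink = ArpPacket("fa0/24", pc2, bcast, pc2, "10.0.0.1", bcast, "10.0.0.1", "reply")
    return sw, [sw.inspect(p) for p in (good, spoof, mism, bad_ip, uplink)]


if __name__ == "__main__":
    switch, decisions = run_demo()
    print(decisions)          # ['forward', 'drop', 'drop', 'drop', 'forward']
    print("\n".join(switch.log))
```

The last packet illustrates why the guideline above matters: DAI only protects ports marked untrusted, so an uplink to a switch that is itself not running DAI should not be trusted casually.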
14.6.6 Syntax Checker - Mitigate ARP Attacks
Implement DAI for a switch based on the following topology and specified
requirements.
You are currently logged into S1. Enable DHCP snooping globally for the switch.
S1(config)#ip dhcp snooping
Enter interface configuration mode for g0/1 - 2, trust the interfaces for both DHCP
snooping and DAI, and then return to global configuration mode.
S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#ip arp inspection trust
S1(config-if-range)#exit
Enable DHCP snooping and DAI for VLANs 10,20,30-49.
S1(config)#ip dhcp snooping vlan 10,20,30-49
S1(config)#ip arp inspection vlan 10,20,30-49
S1(config)#
You have successfully configured DAI for the switch.
14.7 Mitigate Address Spoofing Attacks
14.7.1 Address Spoofing Attacks
MAC addresses and IP addresses can be spoofed for a variety of reasons. Spoofing
attacks occur when one host poses as another to receive otherwise inaccessible data,
or to circumvent security configurations.
The method used by switches to populate the MAC address table leads to a
vulnerability known as MAC address spoofing. MAC address spoofing attacks occur
when attackers alter the MAC address of their host to match another known MAC
address of a target host, as shown in the figure. The attacking host then sends a frame
throughout the network with the newly-configured MAC address.
Attacker Spoofs a Server's MAC Address
When the switch receives the frame, it examines the source MAC address. The switch
overwrites the current MAC table entry and assigns the MAC address to the new port,
as shown in the figure below. It then inadvertently forwards frames destined for the
target host to the attacking host.
Switch Updates MAC Table with Spoofed Address
When the switch changes the MAC table, the target host does not receive any traffic
until it sends traffic. When the target host sends traffic, the switch receives and
examines the frame, resulting in the MAC table being rewritten once more, realigning
the MAC address to the original port. To stop the switch from returning the spoofed
MAC address port assignments to their correct state, the attacking host can create a
program or script that will constantly send frames to the switch so that the switch
maintains the incorrect or spoofed information. There is no security mechanism at
Layer 2 that allows a switch to verify the source of MAC addresses, which is what
makes it so vulnerable to spoofing.
IP address spoofing is when a rogue PC hijacks a valid IP address of a neighbor, or uses
a random IP address. IP address spoofing is difficult to mitigate, especially when it is
used inside the subnet to which the IP address belongs.
14.7.2 Address Spoofing Attack Mitigation
To protect against MAC and IP address spoofing, configure the IP Source Guard (IPSG)
security feature. IPSG operates just like DAI, but it looks at every packet, not just the
ARP packets. Like DAI, IPSG also requires that DHCP snooping be enabled.
Specifically, IPSG is deployed on untrusted Layer 2 access and trunk ports. IPSG
dynamically maintains per-port VLAN ACLs (PVACL) based on IP-to-MAC-to-switch-port
bindings. Initially, all IP traffic on the port is blocked, except for DHCP packets that are
captured by the DHCP snooping process. A PVACL is installed on the port when a client
receives a valid IP address from the DHCP server or when a static IP source binding is
configured by the user.
This process restricts the client IP traffic to those source IP addresses that are
configured in the binding. Any IP traffic with a source IP address other than that in the
IP source binding will be filtered out. This filtering limits the ability of a host to attack
the network by claiming the IP address of a neighbor host.
For each untrusted port, there are two possible levels of IP traffic security filtering:
Source IP address filter - IP traffic is filtered based on its source IP address and only
IP traffic with a source IP address that matches the IP source binding entry is
permitted. When a new IP source entry binding is created or deleted on the port,
the PVACL automatically adjusts itself to reflect the IP source binding change.
Source IP and MAC address filter - IP traffic is filtered based on its source IP
address in addition to its MAC address. Only IP traffic with source IP and MAC
addresses that match the IP source binding entry are permitted.
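The per-port PVACL behaviour described above (everything except DHCP blocked until a binding exists, the two filtering levels, and the PVACL adjusting when a binding is added or removed) can be traced with a small simulation. This is an added example, not course or Cisco code. The addresses follow the section's show ip verify source output (F0/1 with 192.168.10.10 and F0/2 with 192.168.10.11); the MAC addresses and the third port are constructed.

```python
"""IP Source Guard per-port filtering as a small simulation (added example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class IpPacket:
    port: str
    src_mac: str
    src_ip: str
    is_dhcp: bool = False


@dataclass
class IpsgPort:
    filter_type: str                              # "ip" or "ip-mac" (the section's two levels)
    bindings: set = field(default_factory=set)    # PVACL entries: (ip, mac) pairs


class IpsgSwitch:
    def __init__(self):
        self.ports = {}

    def enable(self, port, filter_type="ip"):
        self.ports[port] = IpsgPort(filter_type)

    def add_binding(self, port, ip, mac):
        """DHCP snooping learned a lease, or a static source binding was configured."""
        self.ports[port].bindings.add((ip, mac))

    def remove_binding(self, port, ip, mac):
        """Lease expired or binding deleted: the PVACL shrinks accordingly."""
        self.ports[port].bindings.discard((ip, mac))

    def filter(self, pkt):
        """Return 'forward' or 'drop' for one IP packet entering the switch."""
        cfg = self.ports.get(pkt.port)
        if cfg is None:
            return "forward"              # IPSG not enabled on this port
        if pkt.is_dhcp:
            return "forward"              # DHCP is always allowed so the client can obtain a lease
        for ip, mac in cfg.bindings:
            if pkt.src_ip == ip and (cfg.filter_type == "ip" or pkt.src_mac == mac):
                return "forward"
        return "drop"                     # no matching source binding on this port


def run_demo():
    sw = IpsgSwitch()
    sw.enable("F0/1", "ip")         # source IP address filter
    sw.enable("F0/2", "ip-mac")     # source IP and MAC address filter
    m1, m2, m3, other = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03", "00:00:00:00:00:99"
    results = [
        sw.filter(IpPacket("F0/1", m1, "192.168.10.10")),                  # no lease yet -> drop
        sw.filter(IpPacket("F0/1", m1, "0.0.0.0", is_dhcp=True)),          # DHCP passes -> forward
    ]
    sw.add_binding("F0/1", "192.168.10.10", m1)    # bindings from the section's show output
    sw.add_binding("F0/2", "192.168.10.11", m2)
    results += [
        sw.filter(IpPacket("F0/1", m1, "192.168.10.10")),      # matches binding -> forward
        sw.filter(IpPacket("F0/1", other, "192.168.10.10")),   # ip-only filter ignores MAC -> forward
        sw.filter(IpPacket("F0/1", m1, "192.168.10.11")),      # claims neighbour's address -> drop
        sw.filter(IpPacket("F0/2", m2, "192.168.10.11")),      # ip and mac match -> forward
        sw.filter(IpPacket("F0/2", other, "192.168.10.11")),   # right IP, wrong MAC -> drop
        sw.filter(IpPacket("F0/3", m3, "10.9.9.9")),           # IPSG not enabled -> forward
    ]
    sw.remove_binding("F0/1", "192.168.10.10", m1)             # lease expired
    results.append(sw.filter(IpPacket("F0/1", m1, "192.168.10.10")))   # PVACL shrank -> drop
    return sw, results


if __name__ == "__main__":
    _, decisions = run_demo()
    print(decisions)
```

Note the contrast between the fourth and seventh packets: with the source IP filter only, a host that keeps its leased address but changes its MAC still passes, while the source IP and MAC filter drops it.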
14.7.3 Configure IP Source Guard
Examine the IP Source Guard reference topology that is shown in the figure.
IP Source Guard is enabled on untrusted ports using the ip verify source command as
shown in the configuration below. Remember that the feature can only be configured
on a Layer 2 access or trunk port and that DHCP snooping is required to learn valid IP
address and MAC address pairs.
S1(config)# interface range fastethernet 0/1 - 2
S1(config-if-range)# ip verify source
S1(config-if-range)# end
S1#
Use the show ip verify source command to verify the IP Source Guard configuration, as
shown below. In the example, the F0/1 and F0/2 ports are configured with IP Source
Guard. Each interface has one valid DHCP binding.
S1# show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
F0/1 ip active 192.168.10.10 10
F0/2 ip active 192.168.10.11 10
S1#
14.7.4 Syntax Checker - Configure IP Source Guard
Use this Syntax Checker to configure IP Source Guard.
Enable IP source guard on untrusted interfaces F0/1 - 2.
S1(config)#interface range F0/1 - 2
S1(config-if-range)#ip verify source
Use the do command from inside global config mode to display the IP source guard
settings.
S1(config-if-range)#do show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
F0/1 ip active 192.168.10.10 10
F0/2 ip active 192.168.10.11 10
S1(config-if-range)#
You have successfully configured IP source guard.
14.8 Spanning Tree Protocol
14.8.1 Spanning Tree Protocol
Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for
redundancy while creating a loop-free Layer 2 topology. IEEE 802.1D is the original IEEE
MAC Bridging standard for STP.
The figure animates STP in normal operation.
STP Normal Operation
14.8.3 Layer 2 Loops
Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and
unknown unicast frames to loop endlessly. This can bring down a network within a
very short amount of time, sometimes in just a few seconds. For example, broadcast
frames, such as an ARP Request are forwarded out all of the switch ports, except the
original ingress port. This ensures that all devices in a broadcast domain are able to
receive the frame. If there is more than one path for the frame to be forwarded out of,
an endless loop can result. When a loop occurs, the MAC address table on a switch will
constantly change with the updates from the broadcast frames, which results in MAC
database instability. This can cause high CPU utilization, which makes the switch
unable to forward frames.
Broadcast frames are not the only type of frames that are affected by loops. Unknown
unicast frames sent onto a looped network can result in duplicate frames arriving at
the destination device. An unknown unicast frame is when the switch does not have
the destination MAC address in its MAC address table and must forward the frame out
all ports, except the ingress port.
The figure animates how a Layer 2 loop affects the network, pausing to describe each
action.
14.8.4 STP Port Roles
The spanning tree algorithm designates a single switch as the root bridge and uses it as
the reference point for all path calculations. In the figure, the root bridge (switch S1) is
chosen through an election process. All switches that participate in STP exchange
BPDU frames to determine which switch has the lowest bridge ID (BID) on the
network. The switch with the lowest BID automatically becomes the root bridge for the
spanning tree algorithm calculations.
Note: For simplicity, assume until otherwise indicated that all ports on all switches are
assigned to VLAN 1. The switches are configured with the default PVST+. Each switch
has a unique MAC address associated with VLAN 1.
STP Ports
A BPDU is a messaging frame that is exchanged by switches for STP. Each BPDU
contains a BID that identifies the switch that sent the BPDU. The BID contains a priority
value, the MAC address of the sending switch, and an optional extended system ID.
The lowest BID value is determined by the combination of these three fields.
After the root bridge has been determined, the spanning tree algorithm calculates the
shortest path to it. Each switch uses the spanning tree algorithm to determine which
ports to block. While the spanning tree algorithm determines the best paths to the
root bridge for all switch ports in the broadcast domain, traffic is prevented from being
forwarded through the network. The spanning tree algorithm considers both path and
port costs when determining which ports to block. The path costs are calculated using
port cost values associated with port speeds for each switch port along a given path.
The sum of the port cost values determines the overall path cost to the root bridge. If
there is more than one path to choose from, spanning tree algorithm chooses the path
with the lowest path cost.
When the spanning tree algorithm has determined which paths are most desirable
relative to each switch, it assigns port roles to the participating switch ports. The STP
port roles are:
Alternate - Alternate or backup ports are configured to be in a blocking state to
prevent loops. Alternate ports are selected only on trunk links where neither end is
a root port.
Root - Root ports are switch ports that are closest to the root bridge.
Designated - Designated ports are all non-root ports that STP permits to forward
traffic on the network. Designated ports are selected on a per-trunk basis. If one
end of a trunk is a root port, then the other end is a designated port. All ports on
the root bridge are designated ports.
The figure above shows the relationship of the port roles in the network to the root
bridge and whether they are allowed to forward traffic. In the figure, only one end of
Trunk2 is blocked. This allows for faster transition to a forwarding state when a change
in the network makes it necessary.
Note: A port that is administratively shut down is referred to as a disabled port.
14.8.5 STP Root Bridge
As shown in the figure, every spanning tree instance (switched LAN or broadcast
domain) has a switch designated as the root bridge. The root bridge serves as a
reference point for all spanning tree calculations to determine which redundant paths
to block.
An election process determines which switch becomes the root bridge.
The figure below shows the BID fields. The BID is made up of a priority value, an
extended system ID, and the MAC address of the switch.
Bridge ID (BID) Fields
All switches in the broadcast domain participate in the election process. After a switch
boots, it begins to send out BPDU frames every two seconds. These BPDU frames
contain the switch BID and the root ID.
As the switches forward their BPDU frames, switches in the broadcast domain read the
root ID information from the BPDU frames. If the root ID from a BPDU that has been
received is lower than the root ID on the receiving switch, then the receiving switch
updates its root ID, which identifies the adjacent switch as the root bridge. The switch
then forwards new BPDU frames with the lower root ID to the other switches.
Eventually, the switch with the lowest BID ends up being identified as the root bridge
for the spanning tree instance.
There is a root bridge elected for each spanning tree instance. It is possible to have
multiple distinct root bridges. If all ports on all switches are members of VLAN 1, then
there is only one spanning tree instance. The extended system ID plays a role in how
spanning tree instances are determined.
14.8.6 STP Path Cost
When the root bridge has been elected for the spanning tree instance, the spanning
tree algorithm starts the process of determining the best paths to the root bridge from
all destinations in the broadcast domain. The path information is determined by
summing up the individual port costs along the path from the destination to the root
bridge. Each “destination” is actually a switch port.
The default port costs are defined by the speed at which the port operates. As shown
in the table, 10 Gb/s Ethernet ports have a port cost of 2, 1 Gb/s Ethernet ports have a
port cost of 4, 100 Mb/s Fast Ethernet ports have a port cost of 19, and 10 Mb/s
Ethernet ports have a port cost of 100.
Link Speed and Name   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gb/s               2                                   1
1 Gb/s                4                                   1
100 Mb/s              19                                  10
10 Mb/s               100                                 100
Note: As newer, faster Ethernet technologies become available, the path cost values
may change to accommodate the new speeds. The non-linear numbers in the table
accommodate some improvements to the older Ethernet standard. The values have
changed to accommodate the 10 Gb/s Ethernet standard. To illustrate the continued
change associated with high-speed networking, Catalyst 4500 and 6500 switches
support a longer path cost method; for example, 10 Gb/s has a 2000 path cost, 100
Gb/s has a 200 path cost, and 1 Tb/s has a 20 path cost.
Although switch ports have a default port cost associated with them, the port cost is
configurable. The ability to configure individual port costs gives the administrator the
flexibility to manually control the spanning tree paths to the root bridge.
To configure the port cost of an interface enter the spanning-tree cost value command
in interface configuration mode. The value can be between 1 and 200,000,000.
In the example below, switch port F0/1 has been configured with a port cost of 25
using the spanning-tree cost 25 interface configuration mode command on the F0/1
interface.
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface f0/1
S2(config-if)# spanning-tree cost 25
S2(config-if)# end
S2#
To restore the port cost back to the default value of 19, enter the no spanning-tree
cost interface configuration mode command.
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface f0/1
S2(config-if)# no spanning-tree cost
S2(config-if)# end
S2#
The path cost is equal to the sum of all the port costs along the path to the root bridge.
Paths with the lowest cost become preferred, and all other redundant paths are
blocked. In the example below, the path cost from S2 to the root bridge S1, over Path 1
is 19 (based on the IEEE-specified individual port cost), while the path cost over Path 2
is two times 19, or 38. Because Path 1 has a lower overall path cost to the root bridge,
it is the preferred path. STP then configures the redundant path to be blocked,
preventing a loop from occurring.
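The path cost calculation above can be checked with a short script. The following is an added example, not code from the course or from Cisco IOS: it derives port costs from link speed for both the short and the long method, sums them hop by hop toward the root the way the spanning tree algorithm does, and shows how a manual spanning-tree cost on S2 F0/1 steers S2 onto the two-hop path. The three-switch topology, the port names and the override value are constructed for the example.

```python
"""STP port cost from link speed, and the root path cost each switch derives
by summing port costs along the path to the root.

Added example (not course or Cisco code). The three-switch topology, port
names and the manual cost override are constructed to match the S1/S2 path
discussion in the text.
"""
from __future__ import annotations

import heapq
from collections import defaultdict
from dataclasses import dataclass

# Revised IEEE "short" method (the default on Catalyst switches).
SHORT_COST = {10: 100, 100: 19, 1_000: 4, 10_000: 2}
# "Long" method (IEEE 802.1t values; used on Catalyst 4500/6500 for faster links).
LONG_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000,
             100_000: 200, 1_000_000: 20}
MAX_CONFIGURABLE_COST = 200_000_000   # upper bound of `spanning-tree cost`


def port_cost(speed_mbps: int, method: str = "short") -> int:
    """Default port cost for a link speed under the short or long method."""
    table = SHORT_COST if method == "short" else LONG_COST
    try:
        return table[speed_mbps]
    except KeyError:
        raise ValueError(f"no default cost for {speed_mbps} Mb/s with the {method} method") from None


@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    speed_mbps: int


def root_path_costs(links, root, overrides=None, method="short"):
    """Return {switch: (root path cost, root port)}.

    Each hop adds the cost of the port on which the downstream switch receives
    the root's BPDUs, i.e. that switch's own port facing the root. Dijkstra
    reproduces the "lowest total cost wins" rule; STP's further tie-breakers
    (sender BID, port priority, port ID) are not modelled here.
    """
    overrides = overrides or {}
    for (sw, port), cost in overrides.items():
        if not 1 <= cost <= MAX_CONFIGURABLE_COST:
            raise ValueError(f"{sw} {port}: cost must be 1..{MAX_CONFIGURABLE_COST}")
    adj = defaultdict(list)
    for link in links:
        adj[link.a].append((link.b, link.b_port, link.speed_mbps))
        adj[link.b].append((link.a, link.a_port, link.speed_mbps))

    best = {root: (0, None)}          # the root bridge has path cost 0 and no root port
    heap = [(0, root)]
    while heap:
        cost, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue
        for nbr, nbr_port, speed in adj[sw]:
            hop = overrides.get((nbr, nbr_port), port_cost(speed, method))
            new_cost = cost + hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, nbr_port)
                heapq.heappush(heap, (new_cost, nbr))
    return best


# Constructed topology: S1 is the root; S2 has a direct 100 Mb/s link (Path 1)
# and a two-hop 100 Mb/s path through S3 (Path 2).
EXAMPLE_LINKS = [
    Link("S2", "F0/1", "S1", "F0/1", 100),
    Link("S2", "F0/2", "S3", "F0/1", 100),
    Link("S3", "F0/2", "S1", "F0/2", 100),
]


def demo():
    """S2's root port and path cost before and after a manual cost on F0/1."""
    default = root_path_costs(EXAMPLE_LINKS, "S1")                       # 19 via F0/1
    # `spanning-tree cost 40` on S2 F0/1 makes Path 2 (19 + 19 = 38) cheaper.
    steered = root_path_costs(EXAMPLE_LINKS, "S1", overrides={("S2", "F0/1"): 40})
    return {"default": default["S2"], "steered": steered["S2"]}


if __name__ == "__main__":
    print(demo())
```

Running the script prints S2's default choice (cost 19 through F0/1) and the steered choice (cost 38 through F0/2). The override check mirrors the 1 to 200,000,000 range accepted by the spanning-tree cost command.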
To verify the port and path cost to the root bridge, enter the show spanning-
tree command. The Cost field is the total path cost to the root bridge. This value
changes depending on how many switch ports must be traversed to get to the root
bridge. In the output below, each interface is also identified with an individual port
cost of 19.
S2# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 27577
Address 000A.0033.3333
Cost 19
Port 1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000A.0011.1111
Hello time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
----------- ----- ---- ----- --------- -----------------
F0/1 Root FWD 19 128.1 Edge P2p
F0/2 Desg FWD 19 128.2 Edge P2p
14.8.7 Select the Root Bridge
When an administrator wants a specific switch to become a root bridge, the bridge
priority value must be adjusted to ensure it is lower than the bridge priority values of
all the other switches on the network. There are two different methods to configure
the bridge priority value on a Cisco Catalyst switch.
Refer to the topology above. The two methods of configuring bridge priority, and the
command used to verify that a bridge is acting as root, are shown below.
Method 1
To ensure that the switch has the lowest bridge priority value, use the spanning-tree
vlan vlan-id root primary command in global configuration mode. The priority for the
switch is set to the predefined value of 24,576 or to the highest multiple of 4,096, less
than the lowest bridge priority detected on the network.
If an alternate root bridge is desired, use the spanning-tree vlan vlan-id root
secondary global configuration mode command. This command sets the priority for
the switch to the predefined value of 28,672. This ensures that the alternate switch
becomes the root bridge if the primary root bridge fails. This assumes that the rest of
the switches in the network have the default 32,768 priority value defined.
In this example, S1 has been assigned as the primary root bridge using the spanning-
tree vlan 1 root primary command, and S2 has been configured as the secondary root
bridge using the spanning-tree vlan 1 root secondary command.
S1(config)# spanning-tree VLAN 1 root primary
S1(config)# end
-----------------------
S2(config)# spanning-tree vlan 1 root secondary
S2(config)# end
Method 2
Another method for configuring the bridge priority value is using the spanning-tree
vlan vlan-id priority value global configuration mode command. This command gives
more granular control over the bridge priority value. The priority value is configured in
increments of 4,096 between 0 and 61,440.
In the example, S3 has been assigned a bridge priority value of 24,576 for VLAN 1 using
the spanning-tree vlan 1 priority 24576 command. This is the equivalent value of the
root primary setting.
S3(config)# spanning-tree VLAN 1 priority 24576
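The election described in 14.8.5 and the priority rules of Method 1 and Method 2 can be modelled in a few lines. The following is an added example, not code from the course or from Cisco IOS: it builds the PVST+ bridge ID (priority plus extended system ID, then MAC address), elects the root for a VLAN, computes the priority that spanning-tree vlan root primary would choose given what is already on the network, and shows that a rogue bridge announcing priority 0 still wins against a switch set to 24,576. Switch names and MAC addresses are constructed.

```python
"""Bridge ID construction, root election and the priority that
`spanning-tree vlan N root primary` selects.

Added example (not part of the course or Cisco IOS): it models the PVST+
election from 14.8.5 and the priority rules from 14.8.7. Switch names and
MAC addresses are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_PRIORITY = 32768        # IEEE default bridge priority
PRIORITY_STEP = 4096            # the low 12 bits of the field carry the extended system ID (VLAN)
ROOT_PRIMARY_PRIORITY = 24576
ROOT_SECONDARY_PRIORITY = 28672


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                        # e.g. "000A.0033.3333" (constructed)
    priority: int = DEFAULT_PRIORITY


def bridge_id(sw: Switch, vlan: int) -> tuple[int, int]:
    """BID as (priority + extended system ID, MAC as an integer).

    Python compares tuples element by element, which is exactly the STP rule:
    the lower priority wins, and only on a tie does the lower MAC address decide.
    """
    if sw.priority % PRIORITY_STEP or not 0 <= sw.priority <= 61440:
        raise ValueError(f"{sw.name}: priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    mac_int = int(sw.mac.replace(".", "").replace(":", ""), 16)
    return (sw.priority + vlan, mac_int)


def elect_root(switches: list[Switch], vlan: int) -> Switch:
    """Every switch converges on the lowest BID it has heard in BPDUs for that VLAN."""
    return min(switches, key=lambda s: bridge_id(s, vlan))


def root_primary_priority(others: list[Switch]) -> int:
    """Priority chosen by `spanning-tree vlan N root primary`: 24576, or the next
    multiple of 4096 below the lowest priority already seen, whichever is lower."""
    lowest_seen = min(s.priority for s in others)
    if lowest_seen > ROOT_PRIMARY_PRIORITY:
        return ROOT_PRIMARY_PRIORITY
    candidate = lowest_seen - PRIORITY_STEP
    if candidate < 0:
        # Another bridge already uses priority 0; the macro cannot go lower.
        raise ValueError("cannot set a priority lower than an existing priority-0 bridge")
    return candidate


# Constructed topology: three switches with default priorities.
S1 = Switch("S1", "000A.0011.1111")
S2 = Switch("S2", "000A.0022.2222")
S3 = Switch("S3", "000A.0033.3333")


def demo() -> dict[str, str]:
    """Walk through the election before and after administrative changes."""
    results = {}
    results["default"] = elect_root([S1, S2, S3], vlan=1).name            # lowest MAC wins
    s3_root = Switch(S3.name, S3.mac, ROOT_PRIMARY_PRIORITY)             # Method 2 in 14.8.7
    results["s3_primary"] = elect_root([S1, S2, s3_root], vlan=1).name
    # A rogue host sending BPDUs with priority 0 still wins the election;
    # a low priority alone does not protect the root, Root Guard/BPDU Guard do.
    rogue = Switch("attacker", "0000.0000.0001", 0)
    results["with_rogue"] = elect_root([S1, S2, s3_root, rogue], vlan=1).name
    return results


if __name__ == "__main__":
    print(demo())
```

The demo returns S1 as the root with all defaults (equal priorities, lowest MAC), S3 once it is set to 24,576, and the rogue bridge once it announces priority 0, which is the point made in the Root Guard note later in this module.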
Verify Root Bridge
To verify the bridge priority of a switch, use the show spanning-tree command. In the
example from Method 2, the priority of the switch was set to 24,576. Also notice that the
switch is designated as the root bridge for the spanning tree instance.
S3# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 000A.0033.3333
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 000A.0033.3333
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------ ----- ---- ----- ---------- ------
Fa0/1 Desg FWD 4 128.1 p2p
Fa0/2 Desg FWD 4 128.2 p2p
S3#
14.8.8 Syntax Checker - Configure and Verify the Root Bridge
You are logged into S3:
Configure the priority for VLAN 1 on S3 to 24576.
Enter the end command to return to privileged EXEC mode.
S3(config)#spanning-tree vlan 1 priority 24576
S3(config)#end
------------------------
You are now logged into S2:
Configure S2 to be the secondary root for VLAN 1.
Enter the end command to return to privileged EXEC mode.
S2(config)#spanning-tree vlan 1 root secondary
S2(config)#end
------------------------
You are now logged into S1:
Configure S1 to be the primary root for VLAN 1.
Enter the end command to return to privileged EXEC mode.
S1(config)#spanning-tree vlan 1 root primary
S1(config)#end
Display the current spanning tree status on S1.
S1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 000A.0033.0033
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 000A.0033.0033
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------
Fa0/1 Desg FWD 4 128.1 P2p
Fa0/2 Desg FWD 4 128.2 P2p
S1#
You have successfully configured and verified the Root Bridge.
14.8.9 Video - Observe STP Operation
If successful, the attacking host becomes the root bridge, as shown in the figure below,
and can now capture a variety of frames that would otherwise not be accessible.
This STP attack is mitigated by implementing BPDU Guard on all access ports.
14.9.2 Mitigating STP Attacks
To mitigate STP manipulation attacks, use the Cisco STP stability mechanisms to
enhance the overall performance of the switches and to reduce the time that is lost
during topology changes.
These are the STP stability mechanisms:
PortFast - PortFast immediately brings an interface that is configured as an access
or trunk port to the forwarding state from a blocking state. This bypasses the
listening and learning states. It should be applied to all end-user ports. PortFast
should only be configured when there is a host attached to the port, and not
another switch.
BPDU Guard - BPDU guard immediately error disables a port that receives a BPDU.
It is typically used on PortFast enabled ports. Apply to all end-user ports.
Root Guard - Root guard prevents an inappropriate switch from becoming the root
bridge. Root guard limits the switch ports out of which the root bridge may be
negotiated. Apply to all ports which should not become root ports.
Loop Guard - Loop guard prevents alternate or root ports from becoming
designated ports because of a failure that leads to a unidirectional link. Apply to all
ports that are or can become non-designated.
These features enforce the placement of the root bridge in the network and enforce
the STP domain borders.
The figure highlights the ports on which these features should be implemented.
STP Stability Mechanisms
14.9.3 Configure PortFast
PortFast bypasses the STP listening and learning states to minimize the time that
access ports must wait for STP to converge. If PortFast is enabled on a port connecting
to another switch, there is a risk of creating a spanning-tree loop.
PortFast can be enabled on an interface by using the spanning-tree portfast interface
configuration command. Alternatively, Portfast can be configured globally on all access
ports by using the spanning-tree portfast default global configuration command.
To verify whether PortFast is enabled globally you can use either the show running-
config | begin span command or the show spanning-tree summary command. To
verify if PortFast is enabled on an interface, use the show running-config
interface type/number command, as shown in the following example.
The show spanning-tree interface type/number detail command can also be used for
verification.
Notice the warning messages that are displayed when PortFast is enabled.
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
S1(config-if)# exit
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
(output omitted)
S1#
14.9.4 Configure BPDU Guard
Even though PortFast is enabled, the interface will still listen for BPDUs. Unexpected
BPDUs might be accidental, or part of an unauthorized attempt to add a switch to the
network.
If any BPDUs are received on a BPDU Guard enabled port, that port is put into error-
disabled state. This means the port is shut down and must be manually re-enabled or
automatically recovered through the errdisable recovery cause bpduguard global
command.
BPDU Guard can be enabled on a port by using the spanning-tree bpduguard
enable interface configuration command. Alternatively, use the spanning-tree portfast
bpduguard default global configuration command to globally enable BPDU guard on all
PortFast-enabled ports.
To display information about the state of spanning tree, use the show spanning-tree
summary command. In the example, PortFast default and BPDU Guard are both
enabled as the default state for ports that are configured in access mode.
Note: Always enable BPDU Guard on all PortFast-enabled ports.
S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
S1# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#
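A practitioner usually wants to check PortFast and BPDU Guard coverage across every access port rather than read each stanza by hand. The following is an added example, not course or Cisco code: it parses running-config text of the kind shown in 14.9.3 and 14.9.4, applies the rule that spanning-tree portfast bpduguard default only covers PortFast-enabled ports, and reports access ports that would still accept a BPDU, trunk ports carrying an ineffective PortFast, and ports whose mode was never pinned (left to DTP). SAMPLE_CONFIG is constructed for the example.

```python
"""Audit a Catalyst running-config for PortFast and BPDU Guard coverage.

Added example (not Cisco or course code): it parses the `show running-config`
text shown in 14.9.3/14.9.4 and reports access ports that would still accept
a BPDU. SAMPLE_CONFIG is constructed for the example.
"""
from __future__ import annotations

import re

SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast disable
!
interface FastEthernet0/4
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_config(text: str):
    """Split the config into global STP defaults and per-interface command sets."""
    globals_ = {"portfast_default": False, "bpduguard_default": False}
    interfaces: dict[str, set[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' terminates a stanza
            continue
        if raw.startswith(" "):                 # indented line: sub-command of the open stanza
            if current is not None:
                interfaces[current].add(raw.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)$", raw)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        elif raw == "spanning-tree portfast default":
            globals_["portfast_default"] = True
        elif raw == "spanning-tree portfast bpduguard default":
            globals_["bpduguard_default"] = True
    return globals_, interfaces


def audit(text: str) -> list[tuple[str, str]]:
    """Return (interface, finding) pairs for ports that miss the expected protection."""
    g, interfaces = parse_config(text)
    findings = []
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            if "spanning-tree portfast" in cmds:
                findings.append((name, "PORTFAST_ON_TRUNK"))   # no effect on a trunk; remove it
            continue
        if "switchport mode access" not in cmds:
            # Default mode is DTP dynamic auto: the port can negotiate a trunk (VLAN hopping).
            findings.append((name, "DTP_MODE"))
            continue
        portfast = "spanning-tree portfast" in cmds or (
            g["portfast_default"] and "spanning-tree portfast disable" not in cmds)
        # The global BPDU Guard default only covers PortFast-enabled ports.
        bpduguard = "spanning-tree bpduguard enable" in cmds or (
            g["bpduguard_default"] and portfast and "spanning-tree bpduguard disable" not in cmds)
        if not portfast:
            findings.append((name, "NO_PORTFAST"))
        if not bpduguard:
            findings.append((name, "NO_BPDUGUARD"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

With the sample config, FastEthernet0/2 is flagged for missing BPDU Guard (PortFast comes from the global default, but no BPDU Guard default is set), FastEthernet0/3 for both (PortFast was explicitly disabled, so neither default applies), and FastEthernet0/4 for an unpinned mode. Adding spanning-tree portfast bpduguard default clears FastEthernet0/2 but not FastEthernet0/3, which is exactly why the course pairs the two global commands.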
14.9.5 Syntax Checker - Mitigate STP Attacks
Implement PortFast and BPDU Guard for a switch based on the following topology and
specified requirements
You are currently logged into S1. Complete the following steps to implement PortFast
and BPDU Guard on all access ports:
Enter interface configuration mode for fa0/1 - 24.
Configure the ports for access mode.
Return to global configuration mode.
Enable PortFast by default for all access ports.
Enable BPDU Guard by default for all access ports.
S1(config)#interface range fa0/1 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)#exit
S1(config)#spanning-tree portfast default
S1(config)#spanning-tree portfast bpduguard default
S1(config)# exit
Verify that PortFast and BPDU Guard are enabled by default by viewing the STP summary
information.
S1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#
You have successfully configured and verified PortFast and BPDU Guard for the switch.
14.9.6 Configure Root Guard
There are some switches in a network that should never, under any circumstances,
become the STP root bridge. Root Guard provides a way to enforce the placement of
root bridges in the network by limiting which switch can become the root bridge.
Root guard is best deployed on ports that connect to switches that should not be the
root bridge. If a root-guard-enabled port receives BPDUs that are superior to those
that the current root bridge is sending, that port is moved to a root-inconsistent state.
This is effectively equal to an STP listening state, and no data traffic is forwarded across
that port. Recovery occurs as soon as the offending device ceases to send superior
BPDUs.
Use the spanning-tree guard root interface configuration command to configure root
guard on an interface.
In the figure, D1 is the root bridge. If D1 fails, only D2 switch should become the root
bridge. To ensure that S1 never becomes a root bridge, the F0/1 interfaces of D1 and
D2 should be enabled for Root guard.
To view Root Guard ports that have received superior BPDUs and are in a root-
inconsistent state, use the show spanning-tree inconsistent ports command.
Note: Root guard may seem unnecessary because an administrator can manually set
the bridge priority of a switch to zero. However, this does not guarantee that this
switch will be elected as the root bridge. Another switch may still become the root if it
also has a priority of zero and a lower MAC address.
14.9.7 Configure Loop Guard
Traffic on bidirectional links flows in both directions. If for some reason one-direction
traffic flow fails, this creates a unidirectional link which can result in a Layer 2 loop. STP
relies on continuous reception or transmission of BPDUs based on the port role. The
designated port transmits BPDUs, and the non-designated port receives BPDUs. A
Layer 2 loop is usually created when an STP port in a redundant topology stops
receiving BPDUs and erroneously transitions to the forwarding state.
The STP Loop Guard feature provides additional protection against Layer 2 loops. If
BPDUs are not received on a non-designated Loop Guard-enabled port, the port
transitions to a loop-inconsistent blocking state, instead of the listening / learning /
forwarding state. Without the Loop Guard feature, the port would assume a
designated port role and create a loop.
As shown here, Loop Guard is enabled on all non-Root Guard ports using the spanning-
tree guard loop interface configuration command.
Note: Loop Guard can also be enabled globally using the spanning-tree loopguard
default global configuration command. This enables Loop Guard on all point-to-point
links.
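The three guards react to different events, and the distinction matters when reading a port's state during an incident. The following is an added example, not Cisco code: a small state model of the behaviour described in 14.9.2 through 14.9.7. BPDU Guard error-disables a port on any BPDU and needs manual or errdisable recovery; Root Guard moves a port to root-inconsistent only on a superior BPDU and recovers on its own when the superior BPDUs stop; Loop Guard holds a non-designated port in loop-inconsistent when BPDUs stop arriving, where plain STP would promote it to designated and forward. Bridge IDs are (priority plus system ID, MAC) tuples and the port names are constructed.

```python
"""How a port reacts to BPDUs (or their absence) under BPDU Guard, Root Guard
and Loop Guard.

Added example (not Cisco code): a small state model of the behaviour described
in 14.9.2 to 14.9.7. BIDs are (priority + system ID, MAC) tuples; lower wins.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    DESIGNATED = "Desg"
    ROOT = "Root"
    ALTERNATE = "Altn"


class State(Enum):
    FORWARDING = "FWD"
    BLOCKING = "BLK"
    ERR_DISABLED = "err-disabled"            # BPDU Guard; needs shut/no shut or errdisable recovery
    ROOT_INCONSISTENT = "root-inconsistent"  # Root Guard; clears when superior BPDUs stop
    LOOP_INCONSISTENT = "loop-inconsistent"  # Loop Guard; clears when BPDUs resume


@dataclass
class Port:
    name: str
    role: Role
    bpduguard: bool = False
    rootguard: bool = False
    loopguard: bool = False
    state: State = State.FORWARDING


def on_bpdu(port: Port, bpdu_root_bid: tuple[int, int], current_root_bid: tuple[int, int]) -> State:
    """A BPDU arrives on `port`; return the resulting port state."""
    if port.bpduguard:
        port.state = State.ERR_DISABLED           # any BPDU at all is a violation
        return port.state
    if port.rootguard and bpdu_root_bid < current_root_bid:
        port.state = State.ROOT_INCONSISTENT       # superior BPDU: refuse the new root
        return port.state
    if port.state == State.ROOT_INCONSISTENT:
        port.state = State.FORWARDING              # offender stopped: automatic recovery
    elif port.state == State.LOOP_INCONSISTENT:
        port.state = State.BLOCKING                # BPDUs resumed on a non-designated port
    return port.state


def on_bpdu_timeout(port: Port) -> State:
    """Max age expired without BPDUs on a non-designated port."""
    if port.role in (Role.ROOT, Role.ALTERNATE):
        if port.loopguard:
            port.state = State.LOOP_INCONSISTENT   # stay blocked rather than trust a silent link
        else:
            port.role = Role.DESIGNATED            # plain STP assumes the upstream is gone...
            port.state = State.FORWARDING          # ...and forwards: the unidirectional-link loop
    return port.state


def errdisable_recover(port: Port) -> State:
    """Manual `shutdown`/`no shutdown` or `errdisable recovery cause bpduguard`."""
    if port.state == State.ERR_DISABLED:
        port.state = State.FORWARDING
    return port.state


if __name__ == "__main__":
    root = (24577, 0x000A00333333)                 # D1-style root: priority 24576, VLAN 1
    guarded = Port("F0/1", Role.DESIGNATED, rootguard=True)
    print(on_bpdu(guarded, (1, 0x1), root))        # root-inconsistent
    print(on_bpdu(guarded, (32769, 0x1), root))    # FWD again once the superior BPDUs stop
```

Note that a BPDU from a legitimate neighbour still trips BPDU Guard; it is safe only on ports that should never see a switch, which is why the course applies it to PortFast access ports and uses Root Guard, not BPDU Guard, on the downlinks toward other switches.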
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
S1(config)#spanning-tree portfast bpduguard default
S1(config)#spanning-tree loopguard default
S1(config)#end
Verify that PortFast, BPDU guard, and Loop guard are enabled on switch S1.
S1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 1 0 0 5 6
---------------------- -------- --------- -------- ---------- ----------
1 vlan 1 0 0 5 6
S1#
You have successfully configured and verified PortFast, BPDU guard, and Loop guard.
14.9.9 Lab - Configure STP Security
In this lab, you will complete the following objectives:
Part 1: Configure basic switch settings.
Part 2: Configure secure trunks ports.
Part 3: Protect against STP attacks.
Part 4: Configure port security and disable unused ports.
Configure secure trunks and access ports by enabling features including port
security, root guard, BPDU guard, loop guard and PVLAN Edge.
Configure DHCP Snooping.
to match another known MAC address of a target host. A spoofed MAC address can
cause a switch to send packets that are intended for another host to the threat actor
PC. This can be especially problematic when the spoofed MAC address is that of the
default gateway. DAI can mitigate ARP spoofing by ensuring that only valid ARP
Requests and Replies are sent into the network. DAI requires that DHCP snooping is
globally configured. DAI can be configured on trusted interfaces and VLANs.
Mitigate Address Spoofing Attacks
Spoofing attacks occur when one host poses as another to receive otherwise
inaccessible data, or to circumvent security configurations. MAC address spoofing
attacks occur when attackers alter the MAC address of their host to match another
known MAC address of a target host. When a switch receives the spoofed frames, the
switch overwrites the current MAC table entry and assigns the MAC address to the
new port. A threat actor computer can now receive traffic that was intended for the
host with the spoofed address. IP address spoofing is when a rogue PC hijacks a valid IP
address of a neighbor, or uses a random IP address. IP address spoofing is difficult to
mitigate, especially when it is used inside a subnet in which the IP belongs. To protect
against MAC and IP address spoofing, configure IPSG. IPSG operates like DAI, but it
looks at every packet, not just the ARP packets. Like DAI, IPSG also requires that DHCP
snooping be enabled. For each untrusted port, a source IP address or source IP and
MAC address filter can be configured.
Spanning Tree Protocol
STP is a loop-prevention network protocol that allows for redundancy while creating a
loop-free Layer 2 topology. Without STP enabled, Layer 2 loops can form, causing
broadcast, multicast and unknown unicast frames to loop endlessly. This can bring
down a network within a very short amount of time, sometimes in just a few seconds.
The spanning tree algorithm designates a single switch as the root bridge and uses it as
the reference point for path calculations. Spanning tree algorithm calculates the
shortest path to the root bridge and enables forwarding on trunks that form the best
path. Alternate ports are blocked. Designated ports are all non-root ports that
spanning tree permits to forward traffic. If a path becomes unavailable, spanning tree
then enables the alternate ports to forward traffic. Spanning tree uses bridge protocol
data units to communicate between switches in a spanning tree topology.
Mitigating STP Attacks
Threat actors can manipulate the STP to conduct an attack by spoofing the root bridge
and changing the topology of a network. Attackers can make their hosts appear as root
bridges; and therefore, capture all traffic for the immediate switched domain. Cisco
switches have a number of STP stability mechanisms such as PortFast, BPDU Guard,
Root Guard, and Loop Guard. PortFast enables access ports to go to spanning-tree
forwarding state without going through the transitional spanning-tree states. BPDU guard
immediately error disables a port that receives a BPDU. This is configured on non-
trunking ports that typically have PortFast enabled. Root Guard prevents an
inappropriate switch from becoming the root bridge. Loop guard prevents alternate or
root ports from becoming designated ports because of a failure that leads to a
unidirectional link.
14.10.2 Module 14 - Layer 2 Security Considerations Quiz
Question 1
What is the only type of traffic that is forwarded by a PVLAN protected port to other
protected ports?
Control
Management
Broadcast
User
Question 2
A network administrator is configuring DAI on a switch with the command ip arp
inspection validate src-mac. What is the purpose of this configuration command?
It checks the source MAC address in the Ethernet header against the MAC address
table.
It checks the source MAC address in the Ethernet header against the user-configured
ARP ACLs.
It checks the source MAC address in the Ethernet header against the target MAC
address in the ARP body.
It checks the source MAC address in the Ethernet header against the sender MAC
address in the ARP body.
Question 3
What mitigation plan is best for thwarting a DoS attack that is creating a MAC
address table overflow?
Disable DTP.
Disable STP.
Enable port security.
Place unused ports in an unused VLAN.
Question 4
What network attack seeks to create a DoS for clients by preventing them from being
able to obtain a DHCP lease?
DHCP starvation
DHCP spoofing
IP address spoofing
CAM table attack
Question 5
When security is a concern, which OSI Layer is considered to be the weakest link in a
network system?
Layer 4
Layer 2
Layer 3
Layer 7
Question 6
If two switches are configured with the same priority and the same extended system
ID, what determines which switch becomes the root bridge?
The MAC address with the highest hexadecimal value
The highest BID
The lowest IP address
The Layer 2 address with the lowest hexadecimal value
Question 7
Which statement describes the behavior of a switch when the MAC address table is
full?
It treats frames as unknown unicast and floods all incoming frames to all ports on the
switch.
It treats frames as unknown unicast and floods all incoming frames to all ports within
the local VLAN.
It treats frames as unknown unicast and floods all incoming frames to all ports within
the collision domain.
It treats frames as unknown unicast and floods all incoming frames to all ports across
multiple switches.
Question 8
A cybersecurity analyst is using the macof tool to evaluate configurations of switches
deployed in the backbone network of an organization. Which type of LAN attack is
the analyst targeting during this evaluation?
VLAN hopping
DHCP spoofing
VLAN double-tagging
MAC address table overflow
Question 9
What determines which switch becomes the STP root bridge for a given VLAN?
The lowest bridge ID
The highest priority
The highest MAC address
The lowest IP address
Question 10
What action can a network administrator take to help mitigate the threat of VLAN
hopping attacks?
Disable VTP.
Configure all switch ports to be members of VLAN 1.
Disable automatic trunking negotiation.
Enable PortFast on all switch ports.
Question 11
Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)
Port Security
IP Source Guard
DHCP Snooping
Web Security Appliance
Dynamic ARP Inspection
Question 12
What is the only type of port that an isolated port can forward traffic to on a private
VLAN?
A promiscuous port
Another isolated port
Any access port in the same PVLAN
A community port
Question 13
What additional security measure must be enabled along with IP Source Guard to
protect against address spoofing?
DHCP snooping
BPDU Guard
Root guard
Port security
Checkpoint Exam: Layer 2 and Endpoint Security Group Exam
This exam will cover material from Modules 13-14 of the Network Security 1.0
curriculum.
Copyright 2021, Cisco Systems, Inc.
Question 1
What device is considered a supplicant during the 802.1X authentication process?
the router that is serving as the default gateway
the client that is requesting authentication
the switch that is controlling network access
the authentication server that is performing client authentication
Question 2
Which protocol defines port-based authentication to restrict unauthorized hosts
from connecting to the LAN through publicly accessible switch ports?
TACACS+
RADIUS
802.1x
SSH
Question 3
What is the goal of the Cisco NAC framework and the Cisco NAC appliance?
to ensure that only hosts that are authenticated and have had their security posture
examined and approved are permitted onto the network
to monitor data from the company to the ISP in order to build a real-time database of
current spam threats from both internal and external sources
to provide anti-malware scanning at the network perimeter for both authenticated and
non-authenticated devices
to provide protection against a wide variety of web-based threats, including adware,
phishing attacks, Trojan horses, and worms
Question 4
A company implements 802.1X security on the corporate network. A PC is attached
to the network but has not authenticated yet. Which 802.1X state is associated with
this PC?
disabled
err-disabled
forwarding
unauthorized
Question 5
What are two examples of traditional host-based security measures? (Choose two.)
NAS
Host-based NAC
Host-based IPS
802.1X
Antimalware software
Question 6
Why are traditional network security perimeters not suitable for the latest
consumer-based network endpoint devices?
These devices are not managed by the corporate IT department.
These devices pose no risk to security as they are not directly connected to the
corporate network.
These devices connect to the corporate network through public wireless networks.
These devices are more varied in type and are portable.
Question 7
In an 802.1x deployment, which device is a supplicant?
RADIUS server
Access point
End-user station
Switch
Question 8
Which term describes the role of a Cisco switch in the 802.1X port-based access
control?
supplicant
authenticator
agent
authentication server
Question 9
Which command is used as part of the 802.1X configuration to designate the
authentication method that will be used?
aaa new-model
aaa authentication dot1x
dot1x pae authenticator
dot1x system-auth-control
Question 10
What two internal LAN elements need to be secured? (Choose two.)
Cloud-based hosts
Switches
IP phones
Edge routers
Fiber connections
Question 11
Two devices that are connected to the same switch need to be totally isolated from
one another. Which Cisco switch security feature will provide this isolation?
BPDU guard
SPAN
DTP
PVLAN Edge
Question 12
How can DHCP spoofing attacks be mitigated?
by implementing DHCP snooping on trusted ports
by disabling DTP negotiations on nontrunking ports
by the application of the ip verify source command to untrusted ports
by implementing port security
Question 13
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
VLAN hopping
ARP spoofing
ARP poisoning
DHCP spoofing
Question 14
What is the result of a DHCP starvation attack?
Legitimate clients are unable to lease IP addresses.
The IP addresses assigned to legitimate clients are hijacked.
The attacker provides incorrect DNS and default gateway information to clients.
Clients receive IP address assignments from a rogue DHCP server.
Question 15
Which procedure is recommended to mitigate the chances of ARP spoofing?
Enable IP Source Guard on trusted ports.
Enable DHCP snooping on selected VLANs.
Enable port security globally.
Enable DAI on the management VLAN.
Question 16
A network administrator is configuring DAI on a switch with the command ip arp
inspection validate dst-mac. What is the purpose of this configuration command?
to check the destination MAC address in the Ethernet header against the target MAC
address in the ARP body
to check the destination MAC address in the Ethernet header against the user-
configured ARP ACLs
to check the destination MAC address in the Ethernet header against the MAC address
table
to check the destination MAC address in the Ethernet header against the source MAC
address in the ARP body
Question 17
Which Cisco solution helps prevent MAC and IP address spoofing attacks?
DHCP Snooping
IP Source Guard
Port Security
Dynamic ARP Inspection
Question 18
Which protocol should be used to mitigate the vulnerability of using Telnet to
remotely manage network devices?
TFTP
SSH
SCP
SNMP
Question 19
A network administrator uses the spanning-tree loopguard default global
configuration command to enable Loop Guard on switches. What components in a
LAN are protected with Loop Guard?
All Root Guard enabled ports.
All PortFast enabled ports.
All point-to-point links between switches.
All BPDU Guard enabled ports.
Question 20
Refer to the exhibit. The network administrator is configuring the port security
feature on switch SWC. The administrator issued the command show port-security
interface fa 0/2 to verify the configuration. What can be concluded from the output
that is shown? (Choose three.)
The switch port mode for this interface is access mode.
The port is configured as a trunk link.
There is no device currently connected to this port.
Three security violations have been detected on this interface.
This port is currently up.
Security violations will cause this port to shut down immediately.
Module 15: Cryptographic Services
15.0 Introduction
15.0.1 Why Should I Take this Module?
Cryptographic services are an essential element of network security. Much of the
communicating that we do on computer networks is encrypted at some level.
Frequently, network messages may be encrypted two or three times depending on how
the traffic is communicated. One principle of network communication is to always
assume that your messages will be intercepted. For this reason, always use encrypted
services when they are available. In many cases, you have no choice but to do so.
15.0.2 What Will I Learn in this Module?
Module Title: Cryptographic Services
Module Objective: Explain how the types of encryption, hashes, and digital signatures
work together to provide confidentiality, integrity, and authentication.
The next goal is to secure the data as it travels across various links. This may include
internal traffic, but of greater concern is protecting the data that travels outside of the
organization to branch sites, telecommuter sites, and partner sites.
There are three primary objectives of securing communications:
Authentication - This guarantees that the message is not a forgery and actually
comes from the authentic source. Modern networks ensure authentication using a
keyed-hash message authentication code (HMAC), which requires a secret shared by
the communicating parties.
Integrity - This guarantees that no one intercepted the message and altered it;
similar to a checksum function in a frame. This is provided by implementing the
SHA-2 or SHA-3 family of hash-generating algorithms.
Confidentiality - This guarantees that if the message is captured, it cannot be
deciphered. This is provided using symmetric or asymmetric encryption algorithms.
Note: These primary objectives are similar but not identical to the three primary issues
in securing and maintaining a computer network which are confidentiality, integrity,
and availability.
The most popular symmetric encryption algorithm is the Advanced Encryption
Standard (AES). Symmetric encryption algorithms are based on the premise that each
communicating party knows the pre-shared key.
Data confidentiality can also be ensured using asymmetric algorithms, including Rivest,
Shamir, and Adleman (RSA) and the public key infrastructure (PKI). Asymmetric
encryption algorithms are based on the assumption that the two communicating
parties have not previously shared a secret and must establish a secure method to do
so.
15.1.2 Authentication
There are two primary methods for validating a source in network communications:
authentication services and data nonrepudiation services.
Authentication guarantees that a message comes from the source that it claims to
come from. Authentication is similar to entering a secure personal identification
number (PIN) for banking at an ATM, as shown in the figure. The PIN should only be
known to the user and the financial institution. The PIN is a shared secret that helps
protect against forgeries.
Entering an ATM Authentication PIN
15.1.3 Data Integrity
Data integrity ensures that messages are not altered in transit. With data integrity, the
receiver can verify that the received message is identical to the sent message and that
no manipulation occurred.
European nobility ensured the data integrity of documents by creating a wax seal to
close an envelope, as shown in the figure. The seal was often created using a signet
ring. These bore the family crest, initials, a portrait, or a personal symbol or motto of
the owner of the signet ring. An unbroken seal on an envelope guaranteed the
integrity of its contents. It also guaranteed authenticity based on the unique signet ring
impression.
Wax Seal Ensuring Integrity
Encoded Caesar Cipher Message
Using a hash function is another way to ensure data confidentiality. A hash function
transforms a string of characters into a usually shorter, fixed-length value or key that
represents the original string. The difference between hashing and encryption is in
how the data is stored. With encrypted text, the data can be decrypted with a key.
With the hash function, after the data is entered and converted using the hash
function, the plaintext is gone. The hashed data is simply there for comparison. For
example, when a user enters a password, the password is hashed and then compared
to the stored hashed value. If the user forgets the password, it is impossible to decrypt
the stored value, and the password must be reset.
The purpose of encryption and hashing is to guarantee confidentiality so that only
authorized entities can read the message.
15.1.5 Check Your Understanding - Identify the Secure Communication Objective
Check your understanding of Confidentiality, Integrity, and Authentication by
identifying the characteristics of each.
Question 1
Ensures privacy so that only the receiver can read the message.
Confidentiality
Integrity
Authentication
Question 2
Ensures that messages are not altered in transit.
Confidentiality
Integrity
Authentication
Question 3
Guarantees that a message comes from the source that it claims to come from.
Confidentiality
Integrity
Authentication
Question 4
In banking, it can be achieved by requiring a secure personal identification number
(PIN) at an ATM.
Confidentiality
Integrity
Authentication
Question 5
Encryption and hashing are used to make certain that only authorized entities can
read the message.
Confidentiality
Integrity
Authentication
Question 6
A key is required to encrypt and decrypt a message.
Confidentiality
Integrity
Authentication
Question 7
The receiver can verify that the received message is identical to the sent message
and that no manipulation occurred.
Confidentiality
Integrity
Authentication
15.2 Cryptography
15.2.1 Creating Cipher Text
The history of cryptography starts in diplomatic circles thousands of years ago.
Messengers from a king’s court took encrypted messages to other courts. Occasionally,
other courts not involved in the communication, attempted to steal messages sent to a
kingdom they considered an adversary. Not long after, military commanders started
using encryption to secure messages.
Scytale
A scytale is a device used to generate a transposition cipher. A strip of paper or other
material is wrapped around a rod of a known diameter, as shown in the figure. The
message is written on the paper across rows. When the strip is removed, the message
is unreadable until it is wrapped around another rod of the same diameter.
Caesar Cipher
The Caesar Cipher is a type of substitution cipher in which each letter is replaced by
another letter that is a set number of places away in the alphabet. That number of
places is the key. In the figure, the key is 3.
Vigenère cipher
The Vigenère cipher is a type of polyalphabetic substitution cipher. It was considered
unbreakable until 1863. To use the cipher, a key text is generated that repeats for the
length of the message to be encrypted. The combination of a plaintext letter and the
corresponding key letter is used to locate the ciphertext letter in a table, shown in the
figure, or other device. In the table, the row is selected by the key letter and the
column by the plaintext letter. The letter where the row and column intersect is the
ciphertext letter to be used.
Enigma Machine
The Enigma machine was an electromechanical encryption device that was developed
and used by Nazi Germany during World War II. The device depended on the
distribution of pre-shared keys that were used to encrypt and decrypt messages. The
Enigma ciphers were broken by the Allies, and numerous Enigma-encoded messages
were decoded during the war. This provided a significant advantage to the Allies and is
estimated to have greatly shortened the war and saved many lives.
15.2.2 Transposition Ciphers
In transposition ciphers, no letters are replaced; they are simply rearranged. An
example of this type of cipher is taking the FLANK EAST ATTACK AT DAWN message
and transposing it to read NWAD TA KCATTA TSAE KNALF. In this example, the key is to
reverse the letters.
Another example of a transposition cipher is known as the rail fence cipher. In this
transposition, the words are spelled out as if they were a rail fence. They are
staggered, some in front, some in the middle and some in back, across several parallel
lines.
Modern encryption block cipher algorithms, such as AES and the legacy 3DES, still use
transposition as part of the algorithm.
Plaintext Message
The plaintext message will be encoded using a key of 3. This key value specifies that
three lines are required when creating the encrypted code.
Encryption Process
A rail fence cipher is used with the key of 3.
Encrypted Message
This is the encrypted text.
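The rail fence transposition with a key of 3, as an added example that is not the course's own code. The letters of FLANK EAST ATTACK AT DAWN are written in a zigzag across three rails and then read off rail by rail; decryption rebuilds the rails from their known lengths. The spaces are dropped before encryption, which is this example's assumption about the figure.

```python
from typing import Iterator, List


def rail_pattern(length: int, rails: int) -> Iterator[int]:
    """Yield the rail (row) index for each letter position in a zigzag.

    With 3 rails the sequence is 0,1,2,1,0,1,2,1,...: down the fence, then up.
    """
    if rails < 1:
        raise ValueError("need at least one rail")
    rail, step = 0, 1
    for _ in range(length):
        yield rail
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step


def normalise(text: str) -> str:
    """Keep letters only, upper-cased (assumption: spaces are not encrypted)."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the letters in a zigzag across `rails` rows, then read row by row."""
    text = normalise(plaintext)
    fence: List[List[str]] = [[] for _ in range(rails)]
    for ch, r in zip(text, rail_pattern(len(text), rails)):
        fence[r].append(ch)
    return "".join("".join(row) for row in fence)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the rows from their known lengths, then read along the zigzag."""
    pattern = list(rail_pattern(len(ciphertext), rails))
    row_lengths = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for n in row_lengths:
        rows.append(list(ciphertext[pos:pos + n]))
        pos += n
    cursor = [0] * rails
    out = []
    for r in pattern:
        out.append(rows[r][cursor[r]])
        cursor[r] += 1
    return "".join(out)


if __name__ == "__main__":
    ct = rail_fence_encrypt("FLANK EAST ATTACK AT DAWN", 3)
    print(ct)                          # FKTATNLNESATCADWAATKA
    print(rail_fence_decrypt(ct, 3))   # FLANKEASTATTACKATDAWN
```

Note that the ciphertext is a permutation of the plaintext letters: no letter is replaced, so letter frequencies are unchanged, which is the property the cryptanalysis topic later relies on.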
The plaintext message will be encoded with a key of 3.
Encryption Process
Shift the top scroll over by the three characters (a key of 3) and A becomes D, B
becomes E, and so on. If the key used was 8, then A becomes I, B becomes J, and so on.
15.2.4 A More Complex Substitution Cipher
The Vigenère cipher is based on the Caesar cipher, except that it encrypts text by using
a different polyalphabetic key shift for every plaintext letter. The different key shift is
identified using a shared key between sender and receiver. The plaintext message can
be encrypted and decrypted using the Vigenère Cipher Table that is shown in the
figure.
The figure shows a table called the Vigenère table.
a b c d e f g h i j k l m n o p q r s t u v w x y z
A a b c d e f g h i j k l m n o p q r s t u v w x y z
B b c d e f g h i j k l m n o p q r s t u v w x y z a
C c d e f g h i j k l m n o p q r s t u v w x y z a b
D d e f g h i j k l m n o p q r s t u v w x y z a b c
E e f g h i j k l m n o p q r s t u v w x y z a b c d
F f g h i j k l m n o p q r s t u v w x y z a b c d e
G g h i j k l m n o p q r s t u v w x y z a b c d e f
H h i j k l m n o p q r s t u v w x y z a b c d e f g
I i j k l m n o p q r s t u v w x y z a b c d e f g h
J j k l m n o p q r s t u v w x y z a b c d e f g h i
K k l m n o p q r s t u v w x y z a b c d e f g h i j
L l m n o p q r s t u v w x y z a b c d e f g h i j k
M m n o p q r s t u v w x y z a b c d e f g h i j k l
N n o p q r s t u v w x y z a b c d e f g h i j k l m
O o p q r s t u v w x y z a b c d e f g h i j k l m n
P p q r s t u v w x y z a b c d e f g h i j k l m n o
Q q r s t u v w x y z a b c d e f g h i j k l m n o p
R r s t u v w x y z a b c d e f g h i j k l m n o p q
S s t u v w x y z a b c d e f g h i j k l m n o p q r
T t u v w x y z a b c d e f g h i j k l m n o p q r s
U u v w x y z a b c d e f g h i j k l m n o p q r s t
V v w x y z a b c d e f g h i j k l m n o p q r s t u
W w x y z a b c d e f g h i j k l m n o p q r s t u v
X x y z a b c d e f g h i j k l m n o p q r s t u v w
Y y z a b c d e f g h i j k l m n o p q r s t u v w x
Z z a b c d e f g h i j k l m n o p q r s t u v w x y
To illustrate how the Vigenère Cipher Table works, suppose that a sender and receiver
have a shared secret key composed of these letters: SECRETKEY. The sender uses this
secret key to encode the plaintext FLANK EAST ATTACK AT DAWN:
The F (FLANK) is encoded by looking at the intersection of column F and the row
starting with S (SECRETKEY), resulting in the cipher letter X.
The L (FLANK) is encoded by looking at the intersection of column L and the row
starting with E (SECRETKEY), resulting in the cipher letter P.
The A (FLANK) is encoded by looking at the intersection of column A and the row
starting with C (SECRETKEY), resulting in the cipher letter C.
The N (FLANK) is encoded by looking at the intersection of column N and the row
starting with R (SECRETKEY), resulting in the cipher letter E.
The K (FLANK) is encoded by looking at the intersection of column K and the row
starting with E (SECRETKEY), resulting in the cipher letter O.
The process continues until the entire text message FLANK EAST ATTACK AT DAWN is
encrypted. The process can also be reversed. For instance, the F is still the cipher letter
X if encoded by looking at the intersection of row F (FLANK) and the column starting
with S (SECRETKEY).
When using the Vigenère cipher, if the message is longer than the key, the key is
repeated. For example, SECRETKEYSECRETKEYSEC is required to encode FLANK EAST
ATTACK AT DAWN:
Secret key: SECRETKEYSECRETKEYSEC
Plaintext: FLANKEASTATTACKATDAWN
Cipher text: XPCEOXKURSXVRGDKXBSAP
Although the Vigenère cipher uses a longer key, it can still be cracked. For this reason,
a better cipher method was required.
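The table lookup described above, as an added example that is not part of the course material. The code rebuilds the 26x26 table (row = key letter, column = plaintext letter), repeats the key SECRETKEY across the message, and encrypts and decrypts by table lookup. Checking the table by hand at row E, column S gives W, so the code produces XPCEOXKWRSXVRGDKXBSAP for the full message, differing from the ciphertext printed above in its eighth letter; the other twenty letters agree. The caesar_columns helper is this example's own addition: it shows why a repeated key is still breakable once its length is known.

```python
import string

ALPHABET = string.ascii_uppercase


def build_table() -> dict:
    """Rebuild the 26x26 Vigenère table: TABLE[key_letter][plain_letter].

    Row K is the alphabet rotated by K's position, exactly as printed above.
    """
    table = {}
    for k in ALPHABET:
        shift = ALPHABET.index(k)
        table[k] = {p: ALPHABET[(ALPHABET.index(p) + shift) % 26] for p in ALPHABET}
    return table


TABLE = build_table()


def normalise(text: str) -> str:
    """Letters only, upper-cased (assumption: spaces are not encrypted)."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def key_stream(key: str, length: int) -> str:
    """Repeat the key until it covers the message: SECRETKEY -> SECRETKEYSECRETKEYSEC."""
    key = normalise(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    return (key * (length // len(key) + 1))[:length]


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Cipher letter = table entry at row (key letter), column (plaintext letter)."""
    pt = normalise(plaintext)
    return "".join(TABLE[k][p] for p, k in zip(pt, key_stream(key, len(pt))))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Reverse the lookup: in row (key letter), find the column holding the cipher letter."""
    ct = normalise(ciphertext)
    out = []
    for c, k in zip(ct, key_stream(key, len(ct))):
        out.append(next(p for p, v in TABLE[k].items() if v == c))
    return "".join(out)


def caesar_columns(ciphertext: str, key_length: int) -> list:
    """Group cipher letters by key position (example's own helper).

    Every group was shifted by the same key letter, so each one is a plain
    Caesar cipher; a repeated key reduces to several Caesar ciphers."""
    ct = normalise(ciphertext)
    return [ct[i::key_length] for i in range(key_length)]


if __name__ == "__main__":
    ct = vigenere_encrypt("FLANK EAST ATTACK AT DAWN", "SECRETKEY")
    print(key_stream("SECRETKEY", 21))        # SECRETKEYSECRETKEYSEC
    print(ct)                                 # XPCEOXKWRSXVRGDKXBSAP
    print(vigenere_decrypt(ct, "SECRETKEY"))  # FLANKEASTATTACKATDAWN
```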
15.2.5 One-Time Pad Ciphers
Gilbert Vernam was an AT&T Bell Labs engineer who, in 1917, invented, and later
patented, the stream cipher. He also co-invented the one-time pad cipher. Vernam
proposed a teletype cipher in which a prepared key consisting of an arbitrarily long,
non-repeating sequence of numbers was kept on paper tape, shown in the figure. It
was then combined character by character with the plaintext message to produce the
ciphertext.
Example of One-Time Pad Device
To decipher the ciphertext, the same paper tape key was again combined character by
character, producing the plaintext. Each tape was used only once; hence, the name
one-time pad. As long as the key tape does not repeat or is not reused, this type of
cipher is immune to cryptanalytic attack. This is because the available ciphertext does
not display the pattern of the key.
Several difficulties are inherent in using one-time pads in the real world. One difficulty
is the challenge of creating random data. Computers, because they have a
mathematical foundation, are incapable of creating true random data. Additionally, if
the key is used more than once, it is easy to break. RC4 is an example of this type of
cipher that is widely used on the internet. Again, because the key is generated by a
computer, it is not truly random. In addition to these issues, key distribution is also
challenging with this type of cipher.
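The tape-based scheme described above, as an added example that is not part of the course material. Key bytes are combined with the plaintext by XOR, the same operation recovers the plaintext, and the tape object hands out each key byte only once so a second message cannot reuse it. The key source is secrets.token_bytes, the operating system's CSPRNG; that stand-in for a hand-prepared random tape is this example's assumption. The reuse_leak function shows the consequence the text warns about: with one key used twice, the key cancels out of the two ciphertexts.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length byte strings character by character (XOR)."""
    if len(a) != len(b):
        raise ValueError("key and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class PaperTape:
    """Key tape that hands out each key byte once and refuses to rewind.

    secrets.token_bytes is an operating-system CSPRNG, used here as a stand-in
    for the hand-prepared random tape; this is an assumption of the example.
    """

    def __init__(self, length: int) -> None:
        self._tape = secrets.token_bytes(length)
        self._pos = 0

    @property
    def remaining(self) -> int:
        return len(self._tape) - self._pos

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            raise RuntimeError("pad exhausted: key material must never be reused")
        chunk = self._tape[self._pos:self._pos + n]
        self._pos += n
        return chunk


def otp_encrypt(tape: PaperTape, plaintext: bytes) -> tuple:
    """Consume len(plaintext) key bytes; return (key_used, ciphertext)."""
    key = tape.take(len(plaintext))
    return key, xor_bytes(plaintext, key)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse: the same key bytes recover the plaintext."""
    return xor_bytes(ciphertext, key)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns when two messages share one key: the key cancels,
    so c1 XOR c2 equals p1 XOR p2 and the pad no longer hides either message fully."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    tape = PaperTape(64)
    key, ct = otp_encrypt(tape, b"FLANK EAST ATTACK AT DAWN")
    print(ct.hex())
    print(otp_decrypt(key, ct))   # b'FLANK EAST ATTACK AT DAWN'
    print(tape.remaining)         # 39
```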
15.3 Cryptanalysis
15.3.1 Cracking Code
For as long as there has been cryptography, there has been cryptanalysis. Cryptanalysis
is the practice and study of determining the meaning of encrypted information
(cracking the code), without access to the shared secret key. This is also known as
codebreaking.
Throughout history, there have been many instances of cryptanalysis:
The Vigenère cipher had been absolutely secure until it was broken in the 19th
century by English cryptographer Charles Babbage.
Mary, Queen of Scots, was plotting to overthrow Queen Elizabeth I from the throne
and sent encrypted messages to her co-conspirators. The cracking of the code used
in this plot led to the beheading of Mary in 1587.
The Enigma-encrypted communications were used by the Germans to navigate and
direct their U-boats in the Atlantic. Polish and British cryptanalysts broke the
German Enigma code. Winston Churchill was of the opinion that it was a turning
point in WWII.
15.3.2 Methods of Cracking Code
Several methods are used in cryptanalysis:
Brute-force method - The attacker tries every possible key knowing that eventually
one of them will work.
Ciphertext method - The attacker has the ciphertext of several encrypted
messages but no knowledge of the underlying plaintext.
Known-Plaintext method - The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
Chosen-Plaintext method - The attacker chooses which data the encryption device
encrypts and observes the ciphertext output.
Chosen-Ciphertext method - The attacker can choose different ciphertext to be
decrypted and has access to the decrypted plaintext.
Meet-in-the-Middle method - The attacker knows a portion of the plaintext and
the corresponding ciphertext.
Note: Details of how these methods are implemented are beyond the scope of this
course.
The simplest method to understand is the brute-force method. For example, if a thief
attempted to steal a bicycle secured with the combination lock displayed in the figure,
they would have to attempt a maximum of 10,000 different possibilities (0000 to
9999). All encryption algorithms are vulnerable to this attack. On average, a brute-
force attack succeeds about 50 percent of the way through the keyspace, which is the
set of all possible keys.
The objective of modern cryptographers is to have a keyspace large enough that it
takes too much time and money to accomplish a brute-force attack.
15.3.3 Cracking Code Example
When choosing a cryptanalysis method, consider the Caesar cipher encrypted code.
The best way to crack the code is to use brute force. Because there are only 25
possible rotations, the effort is relatively small to try all possible rotations and see
which one returns something that makes sense.
A more scientific approach is to use the fact that some characters in the English
alphabet are used more often than others. This method is called frequency analysis.
For example, the graph in the figure below shows the frequency of letters in the
English language. The letters E, T, and A are the most popular letters used in the
English language. The letters J, Q, X, and Z are the least popular. Understanding this
pattern can help discover which letters are probably included in the cipher message.
Frequency Analysis of the English Alphabet
The graph outlines the frequency of letters in the English language.
For example, the letters E, T, and A are the most popular.
In the Caesar ciphered message IODQN HDVW DWWDFN DW GDZQ, shown in the
figure, the cipher letter D appears six times while the cipher letter W appears four
times. There is a good possibility that the cipher letters D and W represent either the
plaintext E, T or A. In this case, the D represents the letter A, and the W represents the
letter T.
An attacker would only have to replace the cipher letter D first with popular plaintext
letters including E, T, and finally A. Trying A would reveal the shift pattern of 3, and the
attacker could then decipher the entire message.
Ciphered Text
In this ciphered message, there are 6 occurrences of the cipher letter D and 4
occurrences of the cipher letter W.
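The two approaches described above, as an added example that is not part of the course material: the Caesar shift itself, the brute-force pass over all 25 rotations, and the frequency heuristic that assumes the most common cipher letter stands for E, T or A in turn. Run on the course's own ciphertext IODQN HDVW DWWDFN DW GDZQ, the counts come out as D = 6 and W = 4, and the A assumption yields the shift of 3.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
CIPHERTEXT = "IODQN HDVW DWWDFN DW GDZQ"   # the course's Caesar example, key 3


def caesar_shift(text: str, key: int) -> str:
    """Shift every letter `key` places; non-letters (spaces) pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Undo a shift of `key` places."""
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Try all 25 non-trivial rotations; the reader picks the one that reads as English."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(1, 26)}


def letter_counts(ciphertext: str) -> Counter:
    """Frequency of each cipher letter (spaces ignored)."""
    return Counter(ch for ch in ciphertext.upper() if ch in ALPHABET)


def frequency_guesses(ciphertext: str, likely=("E", "T", "A")) -> list:
    """Frequency analysis as described above: assume the most common cipher letter
    stands for E, then T, then A, and return the shift each assumption implies."""
    most_common, _ = letter_counts(ciphertext).most_common(1)[0]
    return [(plain, (ALPHABET.index(most_common) - ALPHABET.index(plain)) % 26)
            for plain in likely]


if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(2))   # [('D', 6), ('W', 4)]
    print(frequency_guesses(CIPHERTEXT))              # [('E', 25), ('T', 10), ('A', 3)]
    for key, candidate in brute_force(CIPHERTEXT).items():
        print(key, candidate)                         # key 3 reads as English
```

The frequency guesses narrow 25 candidates to 3, which matters little for a Caesar cipher but is the same reasoning that scales to longer substitution ciphers where brute force over the whole keyspace does not.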
15.3.4 Check Your Understanding - Crack the Code
In this activity, you will use the tables below to find the encrypted values for different
words. In the last question, you will decode encrypted text to reveal the cleartext
word. The cleartext is in the top row and the encoded text values are in the bottom
row.
Chart 1
Chart 2
Chart 3
Cryptology is the science of making and breaking secret codes. As shown in the figure,
cryptology combines two separate disciplines:
Cryptography - the development and use of codes
Cryptanalysis - the breaking of those codes
There is a symbiotic relationship between the two disciplines because each makes the
other one stronger. National security organizations employ practitioners of both
disciplines and put them to work against each other.
There have been times when one of the disciplines has been ahead of the other. For
example, during the Hundred Years War between France and England, the
cryptanalysts were leading the cryptographers. France mistakenly believed that the
Vigenère cipher was unbreakable, and then the British cracked it. Some historians
believe that the successful cracking of encrypted codes and messages had a major
impact on the outcome of World War II. Currently, it is believed that cryptographers
are in the lead.
15.4.2 Cryptanalysts
Cryptanalysis is often used by governments in military and diplomatic surveillance, by
enterprises in testing the strength of security procedures, and by malicious hackers in
exploiting weaknesses in websites.
Cryptanalysts are individuals who perform cryptanalysis to crack secret codes. A
sample job description is displayed in the figure.
While cryptanalysis is often linked to mischievous purposes, it is actually a necessity. It
is an ironic fact of cryptography that it is impossible to prove that any algorithm is
secure. It can only be proven that it is not vulnerable to known cryptanalytic attacks.
Therefore, there is a need for mathematicians, scholars, and security forensic experts
to keep trying to break the encryption methods.
Figure: SHA; HMAC-SHA-256; AES; RSA and DSA
Old encryption algorithms, such as the Caesar cipher or the Enigma machine, were
based on the secrecy of the algorithm to achieve confidentiality. With modern
technology, where reverse engineering is often simple, public-domain algorithms are
frequently used. With most modern algorithms, successful decryption requires
knowledge of the appropriate cryptographic keys. This means that the security of
encryption lies in the secrecy of the keys, not the algorithm.
15.4.4 Check Your Understanding - Cryptology Terminology
Check your understanding of cryptography terminology by choosing the correct
answer to the following questions.
Question 1
What is a cipher that replaces one letter for another, possibly retaining the letter
frequency of the original message?
Brute-force
Cryptanalysis
Nonrepudiation
Substitution
Transposition
Vigenère
Question 2
What is a method of cryptanalysis in which an attacker tries every possible key
knowing that eventually one of them will work?
Brute-force
Cryptanalysis
Nonrepudiation
Substitution
Transposition
Vigenère
Question 3
What cipher method does 3DES use as part of the algorithm?
Brute-force
Cryptanalysis
Nonrepudiation
Substitution
Transposition
Vigenère
Question 4
What is the term for when a device cannot refute the validity of a message that it
has received?
Brute-force
Cryptanalysis
Nonrepudiation
Substitution
Transposition
Vigenère
Question 5
What is the practice and study of determining the meaning of encrypted information,
without access to the shared secret key?
Brute-force
Cryptanalysis
Nonrepudiation
Substitution
Transposition
Vigenère
15.4.5 Lab - Explore Encryption Methods
In this lab, you will complete the following objectives:
Part 1: Decipher a pre-encrypted message using the Vigenère cipher.
Part 2: Create a Vigenère cipher encrypted message and decrypt it.
Substitution - This is when different letters are substituted for the letters in the
cleartext.
One-time pad - This is a prepared key consisting of an arbitrarily long, non-repeating
sequence of numbers that was kept on paper tape. It was then combined
character by character with the plaintext message to produce the ciphertext. The
keys were only used once and were pre-shared.
Cryptanalysis
Cryptanalysis, or codebreaking, is the practice and study of determining the meaning
of encrypted information (cracking the code), without access to the shared secret key.
Several methods of cryptanalysis are:
Brute-force method - The attacker tries every possible key knowing that eventually
one of them will work.
Ciphertext method - The attacker has the ciphertext of several encrypted
messages but no knowledge of the underlying plaintext.
Known-Plaintext method - The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
Chosen-Plaintext method - The attacker chooses which data the encryption device
encrypts and observes the ciphertext output.
Chosen-Ciphertext method - The attacker can choose different ciphertext to be
decrypted and has access to the decrypted plaintext.
Meet-in-the-Middle method - The attacker knows a portion of the plaintext and
the corresponding ciphertext.
The objective of modern cryptographers is to have a keyspace large enough that it
takes too much time and money to accomplish a brute-force attack. Analysis of the
frequency of letters in a language can help with breaking simple substitution and
transposition ciphers.
Cryptology
Cryptology is the science of making and breaking secret codes. It combines
cryptography and cryptanalysis. In the world of communications and networking,
authentication, integrity, and data confidentiality are implemented in many ways using
various protocols and algorithms. The choice of algorithm varies depending on the
security requirements, the hardware resources that are available for encryption and
decryption, and the acceptance of the algorithm in the security community. Public-
domain algorithms are frequently used. With most modern algorithms, successful
decryption requires knowledge of the appropriate cryptographic keys. This means that
the security of encryption lies in the secrecy of the keys, not the algorithm.
Question 4
Which type of attack allows an attacker to use a brute force approach?
Social engineering
Packet sniffing
Denial of service
Password cracking
Question 5
Why would HMAC be used to help secure the data as it travels across various links?
It is an asymmetric encryption algorithm used when the two communicating parties
have not previously shared a secret key.
It is a hashing algorithm used to guarantee that the message is not a forgery and
actually comes from the authentic source.
It is a hashing algorithm used to encrypt the message and guarantee that no one
intercepted the message and altered it.
It is a popular symmetric encryption algorithm used when each communicating party
needs to know the pre-shared key.
Question 6
What is the focus of cryptanalysis?
Hiding secret codes
Developing secret codes
Breaking encrypted codes
Implementing encrypted codes
Question 7
What is cryptology?
The science of guaranteeing that a message is not a forgery and comes from the
authentic source
The science of creating transposition and substitution ciphers
The science of cracking the code without access to the shared secret key
The science of making and breaking secret codes
Question 8
Which objective of secure communications is achieved by encrypting data?
Authentication
Availability
Confidentiality
Integrity
Question 9
What is the purpose of a nonrepudiation service in secure communications?
To provide the highest encryption level possible
To ensure that the source of the communications is confirmed
To confirm the identity of the recipient of the communications
To ensure that encrypted secure communications cannot be decoded
Question 10
What is an example of the transposition cipher?
RC4
Rail fence
Caesar
Vigenère
Question 11
A web server administrator is configuring access settings to require users to
authenticate first before accessing certain web pages. Which requirement of
information security is addressed through the configuration?
Integrity
Scalability
Availability
Confidentiality
Question 12
As data is being stored on a local hard disk, which method would secure the data
from unauthorized access?
Data encryption
A duplicate hard drive copy
Deletion of sensitive files
Two factor authentication
16.0 Introduction
16.0.1 Why Should I Take this Module?
What do you know about cryptography? What is it and how can it be implemented? In
order to secure data as it travels across links, you need to have an understanding of
how to protect that data and maintain its integrity. In this module you will learn about
cryptography and its role in digital data communications. Let’s get started.
16.0.2 What Will I Learn in this Module?
Module Title: Basic Integrity and Authenticity
Module Objective: Explain how cryptography is used to ensure data integrity and
authenticity.
Topic Title - Topic Objective
Integrity and Authenticity - Explain the role of cryptography in ensuring the integrity
and authenticity of data.
Key Management - Describe the components of key management.
Confidentiality - Explain how cryptographic approaches enhance data confidentiality.
16.1 Integrity and Authenticity
16.1.1 Secure Communications
Organizations must provide support to secure data as it travels across links. This may
include internal traffic, but it is even more important to protect data that travels
outside of the organization to branch sites, telecommuter sites, and partner sites.
These are the four elements of secure communications:
Data Integrity - Guarantees that the message was not altered. Any changes to data
in transit will be detected. Integrity is ensured by implementing either of the
Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is
still widely in use. However, it is inherently insecure and creates vulnerabilities in a
network. Note that MD5 should be avoided.
Origin Authentication - Guarantees that the message is not a forgery and does
actually come from whom it states. Many modern networks ensure authentication
with algorithms such as hash-based message authentication code (HMAC).
Data Confidentiality - Guarantees that only authorized users can read the
message. If the message is intercepted, it cannot be deciphered within a
reasonable amount of time. Data confidentiality is implemented using symmetric
and asymmetric encryption algorithms.
Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute,
the validity of a message sent. Nonrepudiation relies on the fact that only the
sender has the unique characteristics or signature for how that message is treated.
Cryptography can be used almost anywhere that there is data communication. In fact,
the trend is toward all communication being encrypted.
16.1.2 Cryptographic Hash Functions
Hashes are used to verify and ensure data integrity. They are also used to verify
authentication. Hashing is based on a one-way mathematical function that is relatively
easy to compute, but significantly harder to reverse.
Grinding coffee is a good analogy of a one-way function. It is easy to grind coffee
beans, but it is almost impossible to put all of the tiny pieces back together to rebuild
the original beans.
As shown in the figure, a hash function takes a variable block of binary data, called the
message, and produces a fixed-length, condensed representation, called the hash. The
resulting hash is also sometimes called the message digest, digest, or digital
fingerprint.
With hash functions, it is computationally infeasible for two different sets of data to
come up with the same hash output. Furthermore, the hash value changes every time
the data is changed or altered. Because of this, cryptographic hash values are often
called “digital fingerprints”. These fingerprints can be used to detect duplicate data
files, file version changes, and similar applications. These values are used to guard
against an accidental or intentional change to the data, or accidental data corruption.
The cryptographic hash function is applied in many different situations for entity
authentication, data integrity, and data authenticity purposes.
16.1.3 Cryptographic Hash Operation
Mathematically, the equation h = H(x) is used to explain how a hash algorithm
operates. As shown in the figure, a hash function H takes an input x and returns a
fixed-size string hash value h.
The example in the figure summarizes the mathematical process. A cryptographic hash
function should have the following properties:
The input can be any length.
The output is always a fixed length.
H(x) is relatively easy to compute for any given x.
H(x) is one way and not reversible.
H(x) is collision free, meaning that two different input values will result in different
hash values.
If a hash function is hard to invert, it is considered a one-way hash. Hard to invert
means that given a hash value h, it is computationally infeasible to find an input x
such that h = H(x).
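The properties listed above, checked on a real hash function, as an added example that is not part of the course material. SHA-256 is used as H; the example shows a fixed 32-byte output for inputs of any length, the same digest for the same input, and the avalanche effect: flipping a single input bit changes a large fraction of the 256 output bits. The SHA-256 digest of "abc" used in the check is the standard published test vector.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """h = H(x): SHA-256 maps input of any length to a fixed 32-byte (256-bit) hash."""
    return hashlib.sha256(x).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (the smallest possible change)."""
    byte_i, bit_i = divmod(bit_index, 8)
    buf = bytearray(data)
    buf[byte_i] ^= 1 << bit_i
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(x: bytes, bit_index: int = 0) -> int:
    """How many of the 256 output bits change when one input bit changes.

    For a sound hash this is typically close to half of them; it is never zero."""
    return differing_bits(H(x), H(flip_bit(x, bit_index)))


def fingerprint_check(stored_digest: bytes, received: bytes) -> bool:
    """Integrity check against accidental change: recompute H and compare.

    compare_digest keeps the comparison constant-time, a habit worth keeping
    even where only accidental corruption is in scope."""
    return hmac.compare_digest(H(received), stored_digest)


if __name__ == "__main__":
    for sample in (b"", b"abc", b"Pay Terry Smith $100", b"x" * 100_000):
        print(len(sample), H(sample).hex())           # always 64 hex chars
    print(avalanche(b"Pay Terry Smith $100"))          # roughly 128 of 256 bits
```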
16.1.4 MD5 and SHA
Hash functions are used to ensure the integrity of a message. They help ensure data
has not accidentally changed and that what was sent is indeed what was received.
Note: Deliberate changes can be made by a threat actor.
In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to
ensure that the message is not accidentally altered on its way to the receiver.
SHA-2 - Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256 bit),
SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then the SHA-256,
SHA-384, and SHA-512 algorithms should be used whenever possible.
SHA-3 - SHA-3 is the newest hashing algorithm and was introduced by the National
Institute of Standards and Technology (NIST) as an alternative and eventual
replacement for the SHA-2 family of hashing algorithms. SHA-3 includes SHA3-224
(224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and SHA3-512 (512 bit). The SHA-
3 family are next-generation algorithms and should be used whenever possible.
While hashing can be used to detect accidental changes, it cannot be used to guard
against deliberate changes that are made by a threat actor. There is no unique
identifying information from the sender in the hashing procedure. This means that
anyone can compute a hash for any data, as long as they have the correct hash
function.
For example, when the message traverses the network, a potential threat actor could
intercept the message, change it, recalculate the hash, and append it to the message.
The receiving device will only validate against whatever hash is appended.
Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide
security to transmitted data. To provide integrity against man-in-the-middle attacks,
origin authentication is also required.
16.1.5 Origin Authentication
To add origin authentication and integrity assurance, use a keyed-hash message
authentication code (HMAC). HMAC uses an additional secret key as input to the hash
function.
Note: Other Message Authentication Code (MAC) methods are also used. However,
HMAC is used in many systems including SSL, IPsec, and SSH.
HMAC Hashing Algorithm
As shown in the figure, an HMAC is calculated using any cryptographic algorithm that
combines a cryptographic hash function with a secret key. Hash functions are the basis
of the protection mechanism of HMACs.
Only the sender and the receiver know the secret key, and the output of the hash
function now depends on the input data and the secret key. Only parties who have
access to that secret key can compute the digest of an HMAC function. This defeats
man-in-the-middle attacks and provides authentication of the data origin.
If two parties share a secret key and use HMAC functions for authentication, a properly
constructed HMAC digest of a message that a party has received indicates that the
other party was the originator of the message. This is because the other party
possesses the secret key.
Creating the HMAC Value
As shown in the figure, the sending device inputs data (such as Terry Smith’s pay of
$100 and the secret key) into the hashing algorithm and calculates the fixed-length
HMAC digest. This authenticated digest is then attached to the message and sent to
the receiver.
message has not been altered. Additionally, the origin of the message is authenticated
because only the sender possesses a copy of the shared secret key. The HMAC function
has ensured the authenticity of the message.
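The two behaviours described above (a plain hash that anyone can recompute, versus an HMAC whose tag depends on the shared secret) can be shown with Python's standard library. This is an added example, not code from the course; the key, message and altered message are constructed sample values. The receiver side recomputes the tag and compares with hmac.compare_digest, which is the check a practitioner should actually deploy.

```python
import hashlib
import hmac

# Constructed sample data (not from the course): the money-transfer message from
# the figure and a shared secret key known only to sender and receiver.
SHARED_KEY = b"constructed-shared-secret-for-demo"
MESSAGE = b"Transfer $100 to Alex"
ALTERED = b"Transfer $9100 to Alex"


def plain_digest(message: bytes) -> bytes:
    """Plain SHA-256 hash. No secret is involved, so anyone holding the message
    can compute a matching digest; this detects accidental change only."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the output depends on the secret key as well as the data."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_checks_hash(message: bytes, digest: bytes) -> bool:
    """Receiver that only validates against whatever hash is appended."""
    return hmac.compare_digest(plain_digest(message), digest)


def receiver_checks_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver that recomputes the HMAC with the shared key. compare_digest
    runs in constant time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def hash_only_is_defeated() -> bool:
    """Integrity by hash alone: the message is altered in transit and the hash
    is recomputed for the new content. Returns True when the receiver accepts it."""
    in_transit = (ALTERED, plain_digest(ALTERED))   # altered message, fresh hash
    return receiver_checks_hash(*in_transit)


def hmac_is_defeated() -> bool:
    """Same alteration against an HMAC. Without SHARED_KEY the only options are
    to reuse the original tag or compute one under a wrong key. Returns True
    when the receiver accepts either."""
    original_tag = hmac_tag(SHARED_KEY, MESSAGE)
    wrong_key_tag = hmac_tag(b"not-the-shared-key", ALTERED)
    return (receiver_checks_hmac(SHARED_KEY, ALTERED, original_tag)
            or receiver_checks_hmac(SHARED_KEY, ALTERED, wrong_key_tag))


def genuine_message_accepted() -> bool:
    """The unaltered message with its real tag passes verification."""
    return receiver_checks_hmac(SHARED_KEY, MESSAGE, hmac_tag(SHARED_KEY, MESSAGE))


if __name__ == "__main__":
    print("hash-only receiver fooled:", hash_only_is_defeated())     # True
    print("HMAC receiver fooled:", hmac_is_defeated())               # False
    print("genuine message accepted:", genuine_message_accepted())  # True
```

The HMAC tag is 32 bytes for SHA-256 and is transmitted alongside the message, exactly as the digest is in the figure; the difference is that only a holder of SHARED_KEY can produce a tag the receiver will accept.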
16.1.6 Lab - Hashing Things Out
In this lab, you will complete the following objectives:
Creating Hashes with OpenSSL
Verifying Hashes
As shown in the table, DES with its 56-bit keys has a keyspace of more than
72,000,000,000,000,000 (2^56) possible keys. By adding one bit to the key length, the
keyspace doubles, and an attacker needs twice the amount of time to search the
keyspace. Adding an additional bit to a 57-bit key size means that it would now take an
attacker four times the amount of time to search the keyspace. Adding 4 more bits to
56 bits would create a 60-bit key. A 60-bit key would take 16 times longer to crack
than a 56-bit key.
DES Key | Keyspace | Approximate Number of Possible Keys
56-bit | 2^56 (11111111 11111111 11111111 11111111 11111111 11111111 11111111) | ~72,000,000,000,000,000
57-bit | 2^57 (11111111 11111111 11111111 11111111 11111111 11111111 11111111 1) | ~144,000,000,000,000,000
58-bit | 2^58 (11111111 11111111 11111111 11111111 11111111 11111111 11111111 11) | ~288,000,000,000,000,000
59-bit | 2^59 (11111111 11111111 11111111 11111111 11111111 11111111 11111111 111) | ~576,000,000,000,000,000
60-bit | 2^60 (11111111 11111111 11111111 11111111 11111111 11111111 11111111 1111) | ~1,152,000,000,000,000,000
Note: Longer keys are more secure; however, they are also more resource intensive.
Caution should be exercised when choosing longer keys because handling them could
add a significant load to the processor in lower-end products.
Almost every algorithm has some weak keys in its keyspace that enable an attacker to
break the encryption via a shortcut. Weak keys show the regularities in encryption. For
instance, DES has four keys for which encryption is the same as decryption. This means
that if one of these weak keys is used to encrypt plaintext, an attacker can use the
weak key to decrypt the ciphertext and reveal the plaintext.
The DES weak keys are those that produce 16 identical subkeys. This occurs when the
key bits are:
Alternating ones and zeros (0101010101010101)
Alternating F and E (FEFEFEFEFEFEFEFE)
E0E0E0E0F1F1F1F1
1F1F1F1F0E0E0E0E
It is very unlikely that such keys would be chosen, but network administrators should
still verify all keys that are implemented and prevent weak keys from being used. With
manual key generation, take special care to avoid defining weak keys.
Note: DES is a legacy encryption algorithm and should not be used. It is used here to
illustrate the concept of keyspace only.
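A check that "prevents weak keys from being used" has to account for the DES key layout: the low bit of each key byte is a parity bit the cipher ignores, so a key such as all zeros is the same 56-bit key as 0101...01 even though it looks different. The following is an added example (not course code) that normalises the parity bits before comparing against the four weak keys listed above; the sample keys in it are constructed.

```python
# DES weak keys from the text, as 64-bit hex strings (8 bytes including parity bits).
DES_WEAK_KEYS_HEX = (
    "0101010101010101",
    "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1",
    "1F1F1F1F0E0E0E0E",
)


def with_odd_parity(key: bytes) -> bytes:
    """Rewrite the low bit of every byte so that each byte has odd parity.

    DES uses only 56 of the 64 key bits; the low bit of each byte is a parity
    bit that the cipher ignores. Two 8-byte keys that differ only in those bits
    are therefore the same DES key, so a weak-key check must compare after
    normalising them."""
    normalised = bytearray()
    for byte in key:
        key_bits = byte & 0xFE                      # the 7 bits DES actually uses
        ones = bin(key_bits).count("1")
        normalised.append(key_bits | (0 if ones % 2 else 1))
    return bytes(normalised)


def is_des_weak_key(key: bytes) -> bool:
    """True if key is one of the four DES weak keys, whatever its parity bits."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    weak = {with_odd_parity(bytes.fromhex(h)) for h in DES_WEAK_KEYS_HEX}
    return with_odd_parity(key) in weak


def reject_weak_keys(candidates) -> list:
    """Filter manually generated keys, returning only those that are not weak."""
    return [k for k in candidates if not is_des_weak_key(k)]


if __name__ == "__main__":
    # Constructed sample keys: the all-zero and all-one keys are parity-bit
    # variants of 0101...01 and FEFE...FE, so they are weak despite looking different.
    sample = [bytes(8), bytes([0xFF] * 8), bytes.fromhex("0123456789ABCDEF")]
    for k in sample:
        print(k.hex(), "weak" if is_des_weak_key(k) else "ok")
```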
16.2.4 Types of Cryptographic Keys
Several types of cryptographic keys can be generated:
Symmetric keys - Can be exchanged between two routers supporting a VPN
Asymmetric keys - Are used in secure HTTPS applications
Digital signatures - Are used when connecting to a secure website
Hash keys - Are used in symmetric and asymmetric key generation, digital
signatures, and other types of applications
Regardless of the key type, all keys share similar issues. Choosing a suitable key length
is one issue. If the cryptographic system is trustworthy, the only way to break it is with
a brute-force attack. If the keyspace is large enough, the search requires an enormous
amount of time, making such an exhaustive effort impractical. The table summarizes
the key length required to secure data for the indicated amount of time.
Length of Protection | Symmetric Key | Asymmetric Key | Digital Signature | Hash
3 years | 80 | 1248 | 160 | 160
10 years | 96 | 1776 | 192 | 192
20 years | 112 | 2432 | 224 | 224
30 years | 128 | 3248 | 256 | 256
Protection against quantum computers | 256 | 15424 | 512 | 512
On average, an attacker has to search through half of the keyspace before the correct
key is found. The time that is needed to accomplish this search depends on the
computer power that is available to the attacker.
Current key lengths can easily make any attempt insignificant because it takes millions
or billions of years to complete the search when a sufficiently long key is used.
With modern algorithms that are trusted, the strength of protection depends solely on
the size of the key. Choose the key length so that it protects data confidentiality or
integrity for an adequate period of time. Data that is more sensitive and needs to be
kept secret longer must use longer keys.
16.2.5 Choice of Cryptographic Keys
Performance is another issue that can influence the choice of a key length. An
administrator must find a good balance between the speed and protective strength of
an algorithm, because some algorithms, such as the Rivest, Shamir, and Adleman (RSA)
algorithm, run slowly due to large key lengths. Strive for adequate protection, while
enabling communication over untrusted networks.
The estimated funding of the attacker should also affect the choice of key length.
When assessing the risk of someone breaking the encryption algorithm, estimate the
resources of the attacker and how long the data must be protected. For example,
classic DES can be broken by a $1 million machine in a couple of minutes. If the data
that is being protected is worth significantly more than the $1 million dollars needed
to acquire a cracking device, then another algorithm should be used. In fact, DES is
now considered too weak to use for any application.
Because of the rapid advances in technology and cryptanalytic methods, the key length
that is needed for a particular application is constantly increasing. Part of the strength
of the RSA algorithm is the difficulty of factoring large numbers. For example, the
factors of 12 would be 1 x 12, 2 x 6, and 3 x 4. Therefore, a 1024-bit number is a very
large number with many factors. Increasing that number to a 2048-bit number creates
even more factors. Of course, this advantage is lost if an easy way to factor large
numbers is found, but cryptographers consider this possibility unlikely.
The rule “the longer the key, the better” is valid, except for possible performance
reasons. Shorter keys equal faster processing, but are less secure. Longer keys equal
slower processing, but are more secure.
16.2.6 Check Your Understanding - Characteristics of Key Management
Check your understanding of characteristics of key management by choosing the BEST
answer to the following questions.
Question 1
Which characteristic helps identify a weak key and regenerate a new replacement
key?
Key exchange
Key generation
Key revocation and destruction
Key verification
Question 2
Which characteristic creates new keys for cryptography?
Key storage
Key exchange
Key generation
Key lifetime
Question 3
Which characteristic is a mechanism that allows secure agreement on the keying
material with the other party over an untrusted medium?
Key storage
Key lifetime
Key generation
Key exchange
16.3 Confidentiality
16.3.1 Data Confidentiality
Asymmetric and symmetric encryption are the two classes of encryption used to
provide data confidentiality. These two classes differ in how they use keys.
Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES) are based on the premise that each
communicating party knows the pre-shared key. Data confidentiality can also be
ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and
the public key infrastructure (PKI).
Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if
possible.
The figure highlights some differences between symmetric and asymmetric encryption.
16.3.2 Symmetric Encryption
Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-
shared key, also called a secret key, is known by the sender and receiver before any
encrypted communications can take place.
To help illustrate how symmetric encryption works, consider an example where Alice
and Bob live in different locations and want to exchange secret messages with one
another through the mail system. In this example, Alice wants to send a secret
message to Bob.
In the figure, Alice and Bob have identical keys to a single padlock. These keys were
exchanged prior to sending any secret messages. Alice writes a secret message and
puts it in a small box that she locks using the padlock with her key. She mails the box to
Bob. The message is safely locked inside the box as the box makes its way through the
post office system. When Bob receives the box, he uses his key to unlock the padlock
and retrieve the message. Bob can use the same box and padlock to send a secret
reply back to Alice.
Symmetric Encryption Example
Today, symmetric encryption algorithms are commonly used with VPN traffic. This is
because symmetric algorithms use less CPU resources than asymmetric encryption
algorithms. This allows the encryption and decryption of data to be fast when using a
VPN. When using symmetric encryption algorithms, like any other type of encryption,
the longer the key, the longer it will take for someone to discover the key. Most
encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a
minimum key length of 128 bits should be used. Use a longer key for more secure
communications.
Symmetric encryption algorithms are sometimes classified as either a block cipher or a
stream cipher.
Block Ciphers
Block ciphers transform a fixed-length block of plaintext into a common block of
ciphertext of 64 or 128 bits. Common block ciphers include DES with a 64-bit block size
and AES with a 128-bit block size.
Stream ciphers
Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are
basically a block cipher with a block size of one byte or bit. Stream ciphers are typically
faster than block ciphers because data is continuously encrypted. Examples of stream
ciphers include RC4 and A5 which is used to encrypt GSM cell phone communications.
Rivest Cipher (RC) series algorithms
have been developed, but RC4 was the most prevalent in use. RC4 is a stream cipher
that was used to secure web traffic. It has been found to have multiple vulnerabilities
which have made it insecure. RC4 should not be used.
16.3.3 Asymmetric Encryption
Asymmetric algorithms, also called public-key algorithms, are designed so that the key
that is used for encryption is different from the key that is used for decryption, as
shown in the figure. The decryption key cannot, in any reasonable amount of time, be
calculated from the encryption key and vice versa.
Asymmetric Encryption Example
Asymmetric algorithms use a public key and a private key. Both keys are capable of the
encryption process, but the complementary paired key is required for decryption. The
process is also reversible. Data that is encrypted with the public key requires the
private key to decrypt. Asymmetric algorithms achieve confidentiality and authenticity
by using this process.
Because neither party has a shared secret, very long key lengths must be used.
Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths
greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter
are considered insufficient.
Examples of protocols that use asymmetric key algorithms include:
Internet Key Exchange (IKE) - This is a fundamental component of IPsec VPNs.
Secure Socket Layer (SSL) - This is now implemented as IETF standard Transport
Layer Security (TLS).
Secure Shell (SSH) - This protocol provides a secure remote access connection to
network devices.
Pretty Good Privacy (PGP) - This computer program provides cryptographic privacy
and authentication. It is often used to increase the security of email
communications.
Asymmetric algorithms are substantially slower than symmetric algorithms. Their
design is based on computational problems, such as factoring extremely large numbers
or computing discrete logarithms of extremely large numbers.
Because they are slow, asymmetric algorithms are typically used in low-volume
cryptographic mechanisms, such as digital signatures and key exchange. However, the
key management of asymmetric algorithms tends to be simpler than symmetric
algorithms, because usually one of the two encryption or decryption keys can be made
public.
Common examples of asymmetric encryption algorithms are described in the table.
Asymmetric Encryption Algorithm | Key Length | Description
Diffie-Hellman (DH) | 512, 1024, 2048, 3072, 4096 | The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.
Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) | 512 - 1024 | DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification.
Rivest, Shamir, and Adleman encryption algorithms (RSA) | 512 to 2048 | RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm known to be suitable for signing, as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
ElGamal | 512 - 1024 | An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message, and for this reason it is only used for small messages such as secret keys.
Elliptic curve techniques | 224 or higher | Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller.
16.3.4 Asymmetric Encryption - Confidentiality
Asymmetric algorithms are used to provide confidentiality without pre-sharing a
password. The confidentiality objective of asymmetric algorithms is initiated when the
encryption process is started with the public key.
The process can be summarized using the formula:
Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
When the public key is used to encrypt the data, the private key must be used to
decrypt the data. Only one host has the private key; therefore, confidentiality is
achieved.
If the private key is compromised, another key pair must be generated to replace the
compromised key.
Alice acquires Bob’s public key
Alice requests and obtains Bob’s public key.
16.3.5 Asymmetric Encryption - Authentication
The authentication objective of asymmetric algorithms is initiated when the encryption
process is started with the private key.
The process can be summarized using the formula:
Private Key (Encrypt) + Public Key (Decrypt) = Authentication
When the private key is used to encrypt the data, the corresponding public key must
be used to decrypt the data. Because only one host has the private key, only that host
could have encrypted the message, providing authentication of the sender. Typically,
no attempt is made to preserve the secrecy of the public key, so any number of hosts
can decrypt the message. When a host successfully decrypts a message using a public
key, it is trusted that the private key encrypted the message, which verifies who the
sender is. This is a form of authentication.
Alice uses her private key
Alice encrypts a message using her private key. Alice sends the encrypted message to
Bob. Bob needs to authenticate that the message did indeed come from Alice.
Bob requests the public key
In order to authenticate the message, Bob requests Alice’s public key.
16.3.6 Asymmetric Encryption - Integrity
Combining the two asymmetric encryption processes provides message confidentiality,
authentication, and integrity.
The following example will be used to illustrate this process. In this example, a
message will be ciphered using Bob’s public key and a ciphered hash will be encrypted
using Alice’s private key to provide confidentiality, authenticity, and integrity.
Alice encrypts a hash using her private key
Alice also wants to ensure message authentication and integrity. Authentication
ensures Bob that the document was sent by Alice, and integrity ensures that it was not
modified. Alice uses her private key to cipher a hash of the message. Alice sends the
encrypted message with its encrypted hash to Bob.
Bob uses his private key to decrypt the message
Bob uses his private key to decipher the message.
16.3.7 Diffie-Hellman
Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two
computers to generate an identical shared secret without having communicated
before. The new shared key is never actually exchanged between the sender and
receiver. However, because both parties know it, the key can be used by an encryption
algorithm to encrypt traffic between the two systems.
Here are two examples of instances when DH is commonly used:
Data is exchanged using an IPsec VPN
SSH data is exchanged
To help illustrate how DH operates, refer to the figure.
The colors in the figure will be used instead of complex long numbers to simplify the
DH key agreement process. The DH key exchange begins with Alice and Bob agreeing
on an arbitrary common color that does not need to be kept secret. The agreed-on
color in our example is yellow.
Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose
blue. These secret colors will never be shared with anyone. The secret color represents
the chosen secret private key of each party.
Alice and Bob now mix the shared common color (yellow) with their respective secret
color to produce a public color. Therefore, Alice will mix the yellow with her red color
to produce a public color of orange. Bob will mix the yellow and the blue to produce a
public color of green.
Alice sends her public color (orange) to Bob and Bob sends his public color (green) to
Alice.
Alice and Bob each mix the color they received with their own, original secret color
(Red for Alice and blue for Bob.). The result is a final brown color mixture that is
identical to the partner’s final color mixture. The brown color represents the resulting
shared secret key between Bob and Alice.
The security of DH is based on the fact that it uses very large numbers in its
calculations. For example, a DH 1024-bit number is roughly equal to a decimal number
of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can
easily imagine the complexity of working with not one, but multiple 309-digit decimal
numbers.
Diffie-Hellman uses different DH groups to determine the strength of the key that is
used in the key agreement process. The higher group numbers are more secure, but
require additional time to compute the key. The following identifies the DH groups
supported by Cisco IOS Software and their associated prime number value:
DH Group 1: 768 bits
DH Group 2: 1024 bits
DH Group 5: 1536 bits
DH Group 14: 2048 bits
DH Group 15: 3072 bits
DH Group 16: 4096 bits
Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups
19, 20, and 24, which are based on elliptic curve cryptography, are also supported by
Cisco IOS Software.
Unfortunately, asymmetric key systems are extremely slow for any sort of bulk
encryption. This is why it is common to encrypt the bulk of the traffic using a
symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys
that will be used by the encryption algorithm.
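The colour-mixing walkthrough above is, in numbers, modular exponentiation: the common colour is a public prime p and generator g, each secret colour is a private exponent, each public colour is g raised to that exponent mod p, and the final brown colour is the peer's public value raised to one's own exponent. The following is an added example (not course code). The 127-bit prime and generator are assumed toy parameters chosen so that the block runs instantly; a real exchange uses one of the DH groups listed above. It also adds the check a receiver should make, rejecting degenerate public values (0, 1, p-1), which would make the shared secret predictable, and derives a symmetric key from the agreed value as the last paragraph describes.

```python
import hashlib
import secrets

# Toy public parameters (assumed for this demonstration, not a standard group):
# the Mersenne prime 2^127 - 1 and generator 5. The prime plays the role of the
# shared "yellow" colour: everyone may know it. Production systems use one of
# the DH groups above, e.g. Group 14 with a 2048-bit prime.
P = (1 << 127) - 1
G = 5


def valid_public_value(p: int, value: int) -> bool:
    """Reject 0, 1 and p-1 (and anything out of range): those values force the
    shared secret to a value an observer can predict."""
    return 1 < value < p - 1


class Party:
    def __init__(self, name: str, p: int = P, g: int = G):
        self.name, self.p, self.g = name, p, g
        self.secret = 2 + secrets.randbelow(p - 3)   # private value: the secret colour
        self.public = pow(g, self.secret, p)         # public value: secret mixed with yellow
        self.shared = None

    def receive(self, peer_public: int) -> int:
        """Mix the peer's public value with our own secret: the final 'brown' colour."""
        if not valid_public_value(self.p, peer_public):
            raise ValueError(f"{self.name}: rejecting degenerate public value")
        self.shared = pow(peer_public, self.secret, self.p)
        return self.shared

    def session_key(self) -> bytes:
        """Hash the shared secret into a fixed-length key for a symmetric cipher,
        which is how the agreed value is normally used (e.g. to key AES)."""
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(self.shared.to_bytes(width, "big")).digest()


def exchange(p: int = P, g: int = G):
    alice, bob = Party("Alice", p, g), Party("Bob", p, g)
    alice.receive(bob.public)      # only bob.public crossed the network
    bob.receive(alice.public)      # only alice.public crossed the network
    return alice, bob


def on_the_wire(alice: Party, bob: Party) -> tuple:
    """Everything an observer of the exchange gets to see."""
    return alice.p, alice.g, alice.public, bob.public


if __name__ == "__main__":
    a, b = exchange()
    print("shared secrets match:", a.shared == b.shared)    # True
    print("session key:", a.session_key().hex())
```

Both parties arrive at the same value because (g^a)^b and (g^b)^a are both g^(ab) mod p; an observer sees only g^a and g^b, and recovering a or b from them is the discrete-logarithm problem the text refers to.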
16.3.8 Video - Cryptography
are also used. However, HMAC is used in many systems including SSL, IPsec,
and SSH.
Key Management
Key management is often considered the most difficult part of designing a
cryptosystem. Most attacks on cryptographic systems are aimed at the key
management level, rather than at the cryptographic algorithm itself. The
essential characteristics of key management are key generation, key
verification, key exchange, key storage, key lifetime, and key revocation and
destruction. Two terms that are used to describe keys are key length and
keyspace. As key length increases, the keyspace increases exponentially. The
keyspace of an algorithm is the set of all possible key values. A key that has n
bits produces a keyspace that has 2^n possible key values. By adding one bit to
the key, the keyspace is effectively doubled. Almost every algorithm has some
weak keys in its keyspace that enable an attacker to break the encryption via a
shortcut. Weak keys show the regularities in encryption. Several types of
cryptographic keys that can be generated include symmetric keys, asymmetric
keys, digital signatures, and hash keys. With modern algorithms that are
trusted, the strength of protection depends solely on the size of the key. Choose
the key length so that it protects data confidentiality or integrity for an adequate
period of time. Data that is more sensitive and needs to be kept secret longer
must use longer keys. Performance is another issue that can influence the
choice of a key length. An administrator must find a good balance between the
speed and protective strength of an algorithm, because some algorithms, such
as the Rivest, Shamir, and Adleman (RSA) algorithm, run slowly due to large
key lengths.
Confidentiality
There are two classes of encryption used to provide data confidentiality:
asymmetric and symmetric. These two classes differ in how they use keys.
Symmetric encryption algorithms such as Data Encryption Standard (DES),
3DES, and Advanced Encryption Standard (AES) are based on the premise that
each communicating party knows the pre-shared key. Data confidentiality can
also be ensured using asymmetric algorithms, including Rivest, Shamir, and
Adleman (RSA) and the public key infrastructure (PKI). Symmetric algorithms
use the same pre-shared key to encrypt and decrypt data. A pre-shared key,
also called a secret key, is known by the sender and receiver before any
encrypted communications can take place. Symmetric encryption algorithms are
commonly used with VPN traffic because symmetric algorithms use less CPU
resources than asymmetric encryption algorithms. To ensure that the encryption
is safe, a minimum key length of 128 bits should be used. Use a longer key for
more secure communications. Symmetric encryption algorithms are sometimes
classified as either a block cipher or a stream cipher. Block ciphers transform a
fixed-length block of plaintext into a common block of ciphertext of 64 or 128
bits. Stream ciphers encrypt plaintext one byte or one bit at a time. Stream
ciphers are basically a block cipher with a block size of one byte or bit. Stream
ciphers are typically faster than block ciphers because data is continuously
encrypted. Asymmetric algorithms, also called public-key algorithms, are
designed so that the key that is used for encryption is different from the key that
is used for decryption. Asymmetric encryption can use key lengths between 512
to 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted,
while key lengths of 1,024 or shorter are considered insufficient. Examples of
protocols that use asymmetric key algorithms include Internet Key Exchange
(IKE), Secure Socket Layer (SSL), Secure Shell (SSH), and Pretty Good
Privacy (PGP). The process can be summarized using the formula: Private Key
(Encrypt) + Public Key (Decrypt) = Authentication. Diffie-Hellman (DH) is an
asymmetric mathematical algorithm that allows two computers to generate an
identical shared secret without having communicated before. The new shared
key is never actually exchanged between the sender and receiver. DH is
commonly used when data is exchanged using an IPsec VPN and SSH data is
exchanged.
16.4.2 Module 16 - Basic Integrity and Authenticity Quiz
Question 1
Which security function is provided by encryption algorithms?
Key management
Authorization
Integrity
Confidentiality
Question 2
Which type of cryptographic key would be used when connecting to a
secure website?
DES key
Symmetric keys
Hash keys
Digital signatures
Question 3
What do most cryptographic system attacks seek to target?
Key management
The cryptographic algorithm
The actual data packet
User information
Question 4
Which type of attack does the use of HMACs protect against?
DoS
DDoS
Brute force
Man-in-the-middle
Question 5
What is a feature of asymmetrical encryption?
Different keys are used to encrypt and decrypt data.
Key lengths are short.
It encrypts bulk data quickly.
It requires fewer computations than symmetric encryption requires.
Question 6
What is the reason for HMAC to use an additional secret key as input to
the hash function?
To provide encryption
To provide authentication
To provide integrity verification
To prevent DoS attacks
Question 7
What is the purpose of the DH algorithm?
To provide nonrepudiation support
To support email data confidentiality
To encrypt data traffic after a VPN is established
To generate a shared secret between two hosts that have not
communicated before
Question 8
Which statement describes the Software-Optimized Encryption Algorithm
(SEAL)?
SEAL is a stream cipher.
It uses a 112-bit encryption key.
It is an example of an asymmetric algorithm.
It requires more CPU resources than software-based AES does.
Question 9
Which data security component is provided by hashing algorithms?
Key exchange
Confidentiality
Integrity
Authentication
Question 10
Which two algorithms use a hashing function to ensure message
integrity? (Choose two.)
SEAL
AES
3DES
MD5
SHA
Question 11
Which characteristic of security key management is responsible for
making certain that weak cryptographic keys are not used?
Verification
Exchange
Generation
Revocation and destruction
Question 12
What is the function of the Diffie-Hellman algorithm within the IPsec
framework?
Allows peers to exchange shared keys
Provides strong data encryption
Guarantees message integrity
Provides authentication
Module 17: Public Key Cryptography
17.0 Introduction
17.0.1 Why Should I Take this Module?
How can we secure communications between websites we have never
communicated with? How do we know the software we just downloaded is
legitimate and has not been manipulated by a 3rd party criminal organization?
The answer is with the use of digital signatures to provide digital certificates and
code signing. Digital signatures are managed and distributed using the public
key infrastructure (PKI).
In this module, you will learn about digital signatures and how the PKI is used to
ensure data confidentiality and provide authentication.
17.0.2 What Will I Learn in this Module?
Module Title: Public Key Cryptography
Module Objective: Explain how a public key infrastructure is used to ensure
data confidentiality and provide authentication.
Topic Title | Topic Objective
Public Key Cryptography with Digital Signatures | Explain public key cryptography.
Authorities and the PKI Trust System | Explain how the public key infrastructure functions.
Applications and Impacts of Cryptography | Explain how the use of cryptography affects cybersecurity operations.
17.1 Public Key Cryptography with Digital Signatures
17.1.1 Digital Signature Overview
Digital signatures are a mathematical technique used to provide authenticity,
integrity, and nonrepudiation. Digital signatures have specific properties that
enable entity authentication and data integrity. In addition, digital signatures
provide nonrepudiation of the transaction. In other words, the digital signature
serves as legal proof that the data exchange did take place. Digital signatures
use asymmetric cryptography.
Authentic
The signature cannot be forged and provides proof that the signer, and no one
else, signed the document.
Unalterable
After a document is signed, it cannot be altered.
Not Reusable
The document signature cannot be transferred to another document.
Non-repudiated
The signed document is considered to be the same as a physical document.
The signature is proof that the document has been signed by the actual person.
Digital signatures are commonly used in the following two situations:
1. Code signing - This is used for data integrity and authentication purposes.
Code signing is used to verify the integrity of executable files downloaded
from a vendor website. It also uses signed digital certificates to authenticate
and verify the identity of the site that is the source of the files.
2. Digital certificates - These are similar to a virtual ID card and used to
authenticate the identity of system with a vendor website and establish an
encrypted connection to exchange confidential data.
There are three Digital Signature Standard (DSS) algorithms that are used for
generating and verifying digital signatures:
Digital Signature Algorithm (DSA) - DSA is the original standard for
generating public and private key pairs, and for generating and verifying
digital signatures.
Rivest-Shamir-Adleman Algorithm (RSA) - RSA is an asymmetric
algorithm that is commonly used for generating and verifying digital
signatures.
Elliptic Curve Digital Signature Algorithm (ECDSA) - ECDSA is a newer
variant of DSA and provides digital signature authentication and
non-repudiation with the added benefits of computational efficiency, small
signature sizes, and minimal bandwidth.
In the 1990s, RSA Security Inc. started to publish public-key cryptography
standards (PKCS). There were 15 PKCS, although 1 has been withdrawn as of
the time of this writing. RSA published these standards because they had the
patents to the standards and wished to promote them. PKCS are not industry
standards, but are well recognized in the security industry and have recently
begun to become relevant to standards organizations such as the IETF and
PKIX working-group.
17.1.2 Digital Signatures for Code Signing
Digital signatures are commonly used to provide assurance of the authenticity
and integrity of software code. Executable files are wrapped in a digitally signed
envelope, which allows the end user to verify the signature before installing the
software.
Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation
of the act of publishing.
The US Government Federal Information Processing Standard (FIPS)
Publication 140-3 specifies that software available for download on the internet
is to be digitally signed and verified. The purpose of digitally signed software is
to ensure that the software has not been tampered with, and that it originated
from the trusted source as claimed. Digital signatures serve as verification that
the code has not been tampered with by threat actors and malicious code has
not been inserted into the file by a third party.
The following describes the properties of a file that has a digitally signed
certificate.
File Properties - This executable file was downloaded from the internet. The file
contains a software tool from Cisco Systems.
Digital Signatures - Clicking the Digital Signatures tab reveals that the file is from
a trusted organization, Cisco Systems Inc. The file digest was created with the sha256
algorithm. The date on which the file was signed is also provided. Clicking Details
opens the Digital Signatures Details window.
Certificate Information - The General tab provides the purposes of the certificate,
who the certificate was issued to, and who issued the certificate. It also displays the
period for which the certificate is valid. Invalid certificates can prevent the file
from running.
Certification Path - Click the Certification Path tab to see that the file was signed
by Cisco Systems, as verified by DigiCert. In some cases an additional entity may
independently verify the certificate.
Bob confirms the order and his computer creates a hash of the confirmation.
The computer encrypts the hash with Bob’s private key. The encrypted hash,
which is the digital signature, is appended to the document. The order
confirmation is then sent to Alice over the internet.
When Alice receives the digital signature, the following process occurs.
1. Alice’s receiving device accepts the order confirmation with the digital
signature and obtains Bob’s public key.
2. Alice’s computer then decrypts the signature using Bob’s public key. This
step reveals the assumed hash value of the sending device.
3. Alice’s computer creates a hash of the received document, without its
signature, and compares this hash to the decrypted signature hash. If the
hashes match, the document is authentic. This means the confirmation was
sent by Bob and that it has not changed since it was signed.
17.2 Authorities and the PKI Trust System
17.2.1 Public Key Management
Internet traffic consists of traffic between two parties. When establishing an
asymmetric connection between two hosts, the hosts will exchange their public
key information.
For example, an SSL certificate is a digital certificate that confirms the identity
of a website domain. To implement SSL on your website, you purchase an SSL
certificate for your domain from an SSL certificate provider. The trusted third
party does an in-depth investigation prior to the issuance of credentials. After
this in-depth investigation, the third party issues credentials (i.e., a digital
certificate) that are difficult to forge. From that point forward, all individuals who
trust the third party simply accept the credentials that the third party issues.
When computers attempt to connect to a website over HTTPS, the web
browser checks the website’s security certificate and verifies that it is valid and
originated from a reliable Certificate Authority (CA). This validates that the
website identity is true. The digital certificate is saved locally by the web
browser and is then used in subsequent transactions. The website’s public key
is included in the certificate and is used to verify future communications
between the website and the client.
The SSL Certificate provider and Certificate Authorities are trusted third parties
that provide services similar to governmental licensing bureaus.
The PKI consists of the hardware, software, people, policies, and procedures needed
to create, manage, store, distribute, and revoke digital certificates.
The figure shows the main elements of the PKI.
1. PKI certificates contain an entity’s or individual’s public key, its purpose, the
certificate authority (CA) that validated and issued the certificate, the date
range during which the certificate is valid, and the algorithm used to create
the signature.
2. The certificate store resides on a local computer and stores issued
certificates and private keys.
3. The PKI certificate authority (CA) is a trusted third party that issues PKI
certificates to entities and individuals after verifying their identity. It signs
these certificates using its private key.
4. The certificate database stores all certificates approved by the CA.
The next figure shows how the elements of the PKI interoperate:
In this example, Bob has received his digital certificate from the CA. This
certificate is used whenever Bob communicates with other parties.
Bob communicates with Alice.
When Alice receives Bob’s digital certificate, she communicates with the
trusted CA to validate Bob’s identity.
1. Issues PKI Certificate. Bob initially requests a certificate from the CA. The CA
authenticates Bob and stores Bob’s PKI certificate in the certificate database.
2. Exchanges PKI Certificate. Bob communicates with Alice using his PKI certificate.
3. Verifies PKI Certificate. Alice communicates with the trusted CA using the CA’s
public key. The CA refers to the certificate database to validate Bob’s PKI
certificate.
Note: Not all PKI certificates are directly received from a CA. A registration authority
(RA) is a subordinate CA and is certified by a root CA to issue certificates for specific
uses.
17.2.3 The PKI Authorities System
Many vendors provide CA servers as a managed service or as an end-user product.
Some of these vendors include Symantec Group (VeriSign), Comodo, Go Daddy Group,
GlobalSign, and DigiCert among others.
Organizations may also implement private PKIs using Microsoft Server or OpenSSL.
CAs, especially those that are outsourced, issue certificates based on classes which
determine how trusted a certificate is.
The table provides a description of the classes as defined by VeriSign. There is no
standard for digital certificate classes, so there are different classes depending on
the CA. Other CAs may use a three-class system. The class number is determined by how
rigorous the procedure was that verified the identity of the holder when the
certificate was issued. The higher the class number, the more trusted the certificate.
Therefore, a class 5 certificate is trusted much more than a lower-class certificate.
Class Description
0 Used for testing in situations in which no checks have been performed.
1 Used by individuals who require verification of email.
2 Used by organizations for which proof of identity is required.
3 Used for servers and software signing. Independent verification and checking of
identity and authority is done by the certificate authority.
4 Used for online business transactions between companies.
5 Used for private organizations or government security.
For example, a class 1 certificate might require an email reply from the holder to
confirm that they wish to enroll. This kind of confirmation is a weak authentication of
the holder. For a class 3 or 4 certificate, the future holder must prove identity and
authenticate the public key by showing up in person with at least two official ID
documents.
Some CA public keys are preloaded, such as those listed in web browsers. The figure
displays various VeriSign certificates contained in the certificate store on the host. Any
certificates signed by any of the CAs in the list will be seen by the browser as legitimate
and will be trusted automatically.
Note: An enterprise can also implement PKI for internal use. PKI can be used to
authenticate employees who are accessing the network. In this case, the enterprise is
its own CA.
17.2.4 The PKI Trust System
PKIs can form different topologies of trust. The simplest is the single-root PKI topology.
As shown in the figure below, a single CA, called the root CA, issues all the certificates
to the end users, which are usually within the same organization. The benefit to this
approach is its simplicity. However, it is difficult to scale to a large environment
because it requires a strictly centralized administration, which creates a single point of
failure.
On larger networks, PKI CAs may be linked using two basic architectures:
Cross-certified CA topologies - As shown in the figure below, this is a peer-to-peer
model in which individual CAs establish trust relationships with other CAs by
cross-certifying CA certificates. Users in either CA domain are also assured that they
can trust each other. This provides redundancy and eliminates the single point of failure.
Cross-Certified CA
each entity in the hierarchy conforms to a minimum set of practices. The benefits of
this topology include increased scalability and manageability. This topology works well
in most large organizations. However, it can be difficult to determine the chain of the
signing process.
A hierarchical and cross-certification topology can be combined to create a hybrid
infrastructure. An example would be when two hierarchical communities want to
cross-certify each other in order for members of each community to trust each other.
Hierarchical CA
1. SSL - Secure web servers use X.509v3 for website authentication in the SSL and TLS
protocols, while web browsers use X.509v3 to implement HTTPS client certificates.
SSL is the most widely used certificate-based authentication.
2. IPsec - IPsec VPNs use X.509 certificates when RSA-based authentication is used for
internet key exchange (IKE).
3. S/MIME - User mail agents that support mail protection with the
Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol use X.509
certificates.
4. EAP-TLS - Cisco switches can use certificates to authenticate end devices that
connect to LAN ports using 802.1x between the adjacent devices. The
authentication can be proxied to a central ACS via the Extensible Authentication
Protocol with TLS (EAP-TLS).
17.2.6 Certificate Enrollment, Authentication, and Revocation
The first step in the CA authentication procedure is to securely obtain a copy of the
CA’s public key. All systems that leverage the PKI must have the CA’s public key, which
is called the self-signed certificate. The CA public key verifies all the certificates issued
by the CA and is vital for the proper operation of the PKI.
Note: Only a root CA can issue a self-signed certificate that is recognized or verified by
other CAs within the PKI.
For many systems such as web browsers, the distribution of CA certificates is handled
automatically. The web browser comes pre-installed with a set of public CA root
certificates. Organizations and their website domains push their public certificates to
website visitors. CAs and certificate domain registrars create and distribute private and
public certificates to clients that purchase certificates.
The certificate enrollment process is used by a host system to enroll with a PKI. To do
so, CA certificates are retrieved in-band over a network, and the authentication is done
out-of-band (OOB) by telephone.
Once enrolled, authentication between two parties is no longer dependent on the
presence of the CA server as each user exchanges their certificates containing public
keys.
Certificates must sometimes be revoked. For example, a digital certificate can be
revoked if its key is compromised or if it is no longer needed.
Here are two of the most common methods of revocation:
Certificate Revocation List (CRL) - A list of revoked certificate serial numbers that
have been invalidated because they expired. PKI entities regularly poll the CRL
repository to receive the current CRL.
Online Certificate Status Protocol (OCSP) - An internet protocol used to query an
OCSP server for the revocation status of an X.509 digital certificate. Revocation
information is immediately pushed to an online database.
17.2.7 Lab - Certificate Authority Stores
In this lab, you will complete the following objectives:
Certificates Trusted by Your Browser
Checking for Man-in-the-Middle
Other SSL/TLS-related issues may be associated with validating the certificate of a web
server. When this occurs, web browsers will display a security warning. PKI-related
issues that are associated with security warnings include:
Validity date range - The X.509v3 certificates specify “not before” and “not after”
dates. If the current date is outside the range, the web browser displays a message.
Expired certificates may simply be the result of administrator oversight, but they
may also reflect more serious conditions.
Signature validation error - If a browser cannot validate the signature on the
certificate, there is no assurance that the public key in the certificate is authentic.
Signature validation will fail if the root certificate of the CA hierarchy is not
available in the browser’s certificate store.
The figure shows an example of a signature validation error with the Cisco AnyConnect
Mobility VPN Client.
Signature Validation Error
Some of these issues can be avoided because the SSL/TLS protocols are extensible and
modular: the algorithms in use are grouped into what is known as a cipher suite. The key
components of the cipher suite are the Message Authentication Code (MAC) algorithm, the
encryption algorithm, the key exchange algorithm, and the authentication algorithm. These
can be changed without replacing the entire protocol. This is very helpful because the
different algorithms continue to evolve. As cryptanalysis continues to reveal flaws in
these algorithms, the cipher suite can be updated to patch these flaws. When the
protocol versions within the cipher suite change, the version number of SSL/TLS
changes as well.
17.3.3 Encryption and Security Monitoring
Network monitoring becomes more challenging when packets are encrypted.
However, security analysts must be aware of those challenges and address them as
well as possible. For instance, when site-to-site VPNs are used, the IPS should be
positioned so it can monitor unencrypted traffic.
However, the increased use of HTTPS in the enterprise network introduces new
challenges. Since HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it
is not as easy to peek into user traffic.
Security analysts must know how to circumvent and solve these issues. Here is a list of
some of the things that a security analyst could do:
Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS
SSL traffic.
Enhance security through server certificate validation using CRLs and OCSP.
Implement antimalware protection and URL filtering of HTTPS content.
Cryptography is dynamic and always changing. A security analyst must maintain a good
understanding of cryptographic algorithms and operations to be able to investigate
cryptography-related security incidents.
There are two main ways in which cryptography impacts security investigations. First,
attacks can be directed to specifically target the encryption algorithms themselves.
After the algorithm has been cracked and the attacker has obtained the keys, any
encrypted data that has been captured can be decrypted by the attacker and read,
thus exposing private data. Secondly, the security investigation is also affected because
data can be hidden in plain sight by encrypting it. For example, command and control
traffic that is encrypted with TLS/SSL most likely cannot be seen by a firewall. The
command and control traffic between a command and control server and an infected
computer in a secure network cannot be stopped if it cannot be seen and understood.
The attacker would be able to continue using encrypted commands to infect more
computers and possibly create a botnet. This type of traffic can be detected by
decrypting the traffic and comparing it with known attack signatures, or by detecting
anomalous TLS/SSL traffic. This is either very difficult and time consuming, or a
hit-or-miss process.
17.4 Public Key Cryptography Summary
17.4.1 What Did I Learn in this Module?
Public Key Cryptography
Digital signatures are a mathematical technique used to provide three basic security
services: authenticity, integrity, and nonrepudiation. Properties of digital signatures are
that they are authentic, unalterable, not reusable, and non-repudiated. Digital
signatures are commonly used in the following two situations: code signing and digital
certificates. There are three DSS algorithms that are used for generating and verifying
digital signatures: DSA, RSA and ECDSA. Digitally signing code provides assurances
about the software code: the code is authentic and is actually sourced by the
publisher, the code has not been modified since it left the software publisher, and the
publisher undeniably published the code. A digital certificate is equivalent to an
electronic passport. It enables users, hosts, and organizations to securely exchange
information over the internet. Specifically, a digital certificate is used to authenticate
and verify that a user who is sending a message is who they claim to be.
Authorities and the PKI Trust System
When establishing a secure connection between two hosts, the hosts will exchange their
public key information. There are trusted third parties on the internet that validate the
authenticity of these public keys using digital certificates. The PKI consists of
specifications, systems, and tools that are used to create, manage, distribute, use,
store, and revoke digital certificates. PKI is needed to support large-scale distribution
of public encryption keys. The PKI framework facilitates a highly scalable trust
relationship. Many vendors provide CA servers as a managed service or as an end-user
product. Some of these vendors include Symantec Group (VeriSign), Comodo, Go
Daddy Group, GlobalSign, and DigiCert among others. The class number is determined
by how rigorous the procedure was that verified the identity of the holder when the
certificate was issued, with five being the highest. PKIs can form different topologies of
trust. The simplest is the single-root PKI topology. Interoperability between PKI and its
supporting services is a concern because many CA vendors have proposed and
implemented proprietary solutions instead of waiting for standards to develop. To
address the interoperability concern, the IETF published RFC 2527.
Applications and Impacts of Cryptography
There are many common uses of PKIs including a few listed here: SSL/TLS certificate-
based peer authentication, HTTPS Web traffic, secure instant messaging, and securing
USB storage devices. A security analyst must be able to recognize and solve potential
problems related to permitting PKI-related solutions on the enterprise network. For
example, threat actors can use SSL/TLS to introduce regulatory compliance violations,
viruses, malware, data loss, and intrusion attempts in the network. Other SSL/TLS
related issues may be associated with validating the certificate of the web server. PKI-
related issues that are associated with security warnings include validity date range
and signature validation. Some of these issues can be avoided due to the fact that the
SSL/TLS protocols are extensible and modular. This is known as the cipher suite. The
key components of the cipher suite are the MAC, the encryption algorithm, the key
exchange algorithm, and the authentication algorithm. Cryptography is dynamic and
always changing. You must maintain a good understanding of algorithms and
operations to be able to investigate cryptography-related security incidents. Encrypted
communications can make network security data payloads unreadable by
cybersecurity analysts. Encryption can be used to hide malware command and control
traffic between infected hosts and the command and control servers. In addition,
malware can be hidden by encryption and data can be encrypted during exfiltration,
making it hard to detect.
17.4.2 Module 17 - Configure Network and Device Security Quiz
Question 1
What are the two important components of a public key infrastructure (PKI) used in
network security? (Choose two.)
Intrusion prevention system
Certificate authority
Digital certificates
Pre-shared key generation
Symmetric encryption algorithms
Question 2
What is the purpose of code signing?
Data encryption
Reliable transfer of data
Source identity secrecy
Integrity of source .EXE files
Question 3
Which statement describes the use of certificate classes in the PKI?
The lower the class number, the more trusted the certificate.
A vendor must issue only one class of certificates when acting as a CA.
A class 5 certificate is more trustworthy than a class 4 certificate.
Email security is provided by the vendor, not by a certificate.
Question 4
What role does an RA play in PKI?
A root CA
A super CA
A subordinate CA
A backup root CA
Question 5
Which protocol uses X.509 certificates to support mail protection performed by mail
agents?
EAP-TLS
S/MIME
IPsec
SSL
Question 6
What protocol is used to query the revocation status of an X.509 certificate?
OCSP
SSL
EAP
LDAP
Question 7
In which way does the use of HTTPS increase the security monitoring challenges
within enterprise networks?
HTTPS traffic is much faster than HTTP traffic.
HTTPS traffic enables end-to-end encryption.
HTTPS traffic does not require authentication.
HTTPS traffic can carry a much larger data payload than HTTP can carry.
Question 8
Which technology is used to provide assurance of the authenticity and integrity of
software code?
Public key infrastructures
Certificate authorities
Block ciphers
Digital signatures
Question 9
Which CA class of digital certificates would be used by individuals to perform email
verification?
0
1
2
3
Question 10
What is a purpose of a digital certificate?
To authenticate and verify that a user who is sending a message is who they claim to
be
To query for the revocation status of an X.509 certificate
To support large-scale distribution and identification of public encryption keys
To assure the authenticity and integrity of software code
Question 11
What is an appropriate use for class 5 digital certificates?
Used for online business transactions between companies
Used by organizations for which proof of identity is required
Used for private organizations or government security
Used for testing in situations in which no checks have been performed
Checkpoint Exam: Cryptography Group Exam
This exam will cover material from Modules 15-17 of the Network Security 1.0
curriculum.
Copyright 2023, Cisco Systems, Inc.
Question 1
What is an example of the one-time pad cipher?
RC4
Vigenère
Rail fence
Caesar
Question 2
The following message was encrypted using a Caesar cipher with a key of 2:
fghgpf vjg ecuvng
What is the plaintext message?
defend the region
defend the castle
invade the region
invade the castle
Question 3
What popular encryption algorithm requires that both the sender and receiver know
a pre-shared key?
MD5
HMAC
AES
PKI
Question 4
As data is being stored on a local hard disk, which method would secure the data
from unauthorized access?
a duplicate hard drive copy
data encryption
two factor authentication
deletion of sensitive files
Question 5
What is another name for confidentiality of information?
consistency
trustworthiness
privacy
accuracy
Question 6
Which requirement of secure communications is ensured by the implementation of
MD5 or SHA hash generating algorithms?
confidentiality
integrity
authentication
nonrepudiation
Question 7
In which method used in cryptanalysis does the attacker know a portion of the
plaintext and the corresponding ciphertext?
chosen-plaintext
meet-in-the-middle
ciphertext
brute-force
Question 8
What is the keyspace of an encryption algorithm?
the set of procedures used to calculate asymmetric keys
the set of hash functions used to generate a key
the mathematical equation that is used to create a key
the set of all possible values used to generate a key
Question 9
What technology supports asymmetric key encryption used in IPsec VPNs?
3DES
SEAL
AES
IKE
Question 10
Which algorithm can ensure data integrity?
AES
MD5
PKI
RSA
Question 11
What are two properties of a cryptographic hash function? (Choose two.)
The hash function is one way and irreversible.
The output is a fixed length.
Complex inputs will produce complex hashes.
The input for a particular hash algorithm has to have a fixed size.
Hash functions can be duplicated for authentication purposes.
Question 12
A company is developing a security policy for secure communication. In the exchange
of critical messages between a headquarters office and a branch office, a hash value
should only be recalculated with a predetermined code, thus ensuring the validity of
data source. Which aspect of secure communications is addressed?
data confidentiality
non-repudiation
data integrity
origin authentication
Question 13
What are two symmetric encryption algorithms? (Choose two.)
SHA
3DES
AES
HMAC
MD5
Question 14
Which statement describes asymmetric encryption algorithms?
They include DES, 3DES, and AES.
They are relatively slow because they are based on difficult computational
algorithms.
They have key lengths ranging from 80 to 256 bits.
They are also called shared-secret key algorithms.
Question 15
Two users must authenticate each other using digital certificates and a CA. Which
option describes the CA authentication procedure?
The CA is always required, even after user verification is complete.
After user verification is complete, the CA is no longer required, even if one of the
involved certificates expires.
CA certificates are retrieved out-of-band using the PSTN, and the authentication is
done in-band over a network.
The users must obtain the certificate of the CA and then their own certificate.
Question 16
Alice and Bob are using a digital signature to sign a document. What key should Alice
use to sign the document so that Bob can make sure that the document came from
Alice?
public key from Bob
username and password from Alice
private key from Bob
private key from Alice
Question 17
What is the purpose for using digital signatures for code signing?
to generate a virtual ID
to establish an encrypted connection to exchange confidential data with a vendor
website
to authenticate the identity of the system with a vendor website
to verify the integrity of executable files downloaded from a vendor website
Question 18
An IT enterprise is recommending the use of PKI applications to securely exchange
information between the employees. In which two cases might an organization use
PKI applications to securely exchange information between users? (Choose two.)
File and directory access permission
HTTPS web service
FTP transfers
802.1x authentication
Local NTP server
Question 19
What technology has a function of using trusted third-party protocols to issue
credentials that are accepted as an authoritative identity?
Symmetric keys
Digital signatures
PKI certificates
Hashing algorithms
Question 20
In a hierarchical CA topology, where can a subordinate CA obtain a certificate for
itself?
from the root CA or from self-generation
from the root CA only
from the root CA or another subordinate CA anywhere in the tree
from the root CA or another subordinate CA at the same level
from the root CA or another subordinate CA at a higher level
Question 21
What is the purpose of a digital certificate?
It provides proof that data has a traditional signature attached.
It guarantees that a website has not been hacked.
It ensures that the person who is gaining access to a network device is authorized.
It authenticates a website and establishes a secure connection to exchange
confidential data.
Module 18: VPNs
18.0 Introduction
18.0.1 Why Should I Take this Module?
Welcome to VPNs!
Have you, or someone you know, ever been hacked while using public WiFi? It’s
surprisingly easy to do.
The solution to this problem is to use Virtual Private Networks (VPNs) and the
additional protection of IP Security (IPsec). VPNs are commonly used by remote
workers around the globe. There are also personal VPNs that you can use when you
are on public WiFi. In fact, there are many different kinds of VPNs using IPsec to
protect and authenticate IP packets between their source and destination.
18.0.2 What Will I Learn in this Module?
Module Title: VPNs
Module Objective: Explain the purpose of VPNs.
Topic Title Topic Objective
VPN Overview Describe VPNs and their benefits.
VPN Topologies Compare remote-access and site-to-site VPNs.
Introducing IPsec Describe the IPsec protocol and its basic functions.
IPsec Protocols Compare AH and ESP protocols.
Internet Key Exchange Describe the IKE protocol.
18.1 VPN Overview
18.1.1 Virtual Private Networks
To secure network traffic between sites and users, organizations use virtual private
networks (VPNs) to create end-to-end private network connections. A VPN is virtual in
that it carries information within a private network, but that information is actually
transported over a public network. A VPN is private in that the traffic is encrypted to
keep the data confidential while it is transported across the public network.
The figure shows a collection of various types of VPNs managed by an enterprise’s
main site. The tunnel enables remote sites and users to access the main site’s network
resources securely.
A Cisco Adaptive Security Appliance (ASA) firewall helps organizations provide
secure, high performance connectivity including VPNs and always-on access for
remote branches and mobile users.
SOHO stands for small office home office where a VPN-enabled router can provide
VPN connectivity back to the corporate main site.
Cisco AnyConnect is software that remote workers can use to establish a
client-based VPN connection with the main site.
The first types of VPNs were strictly IP tunnels that did not include authentication or
encryption of the data. For example, Generic Routing Encapsulation (GRE) is a
tunneling protocol developed by Cisco and which does not include encryption services.
It is used to encapsulate IPv4 and IPv6 traffic inside an IP tunnel to create a virtual
point-to-point link.
18.1.2 VPN Benefits
Modern VPNs now support encryption features, such as Internet Protocol Security
(IPsec) and Secure Sockets Layer (SSL) to secure network traffic between sites.
Major benefits of VPNs are shown in the table.
Benefit Description
Cost Savings With the advent of cost-effective, high-bandwidth technologies,
organizations can use VPNs to reduce their connectivity costs while simultaneously
increasing remote connection bandwidth.
Security VPNs provide the highest level of security available, by using advanced
encryption and authentication protocols that protect data from unauthorized access.
Scalability VPNs allow organizations to use the internet, making it easy to add new
users without adding significant infrastructure.
Compatibility VPNs can be implemented across a wide variety of WAN link options
including all the popular broadband technologies. Remote workers can take advantage
of these high-speed connections to gain secure access to their corporate networks.
18.2 VPN Topologies
18.2.1 Site-to-Site and Remote-Access VPNs
VPNs are commonly deployed in one of the following configurations: site-to-site or
remote-access.
Site-to-Site VPN
A site-to-site VPN is created when VPN terminating devices, also called VPN gateways,
are preconfigured with information to establish a secure tunnel. VPN traffic is only
encrypted between these devices. Internal hosts have no knowledge that a VPN is
being used.
Remote-Access VPN
A remote-access VPN is dynamically created to establish a secure connection between
a client and a VPN terminating device. For example, a remote access SSL VPN is used
when you check your banking information online.
securely replicate their enterprise security access including email and network
applications. Remote-access VPNs also allow contractors and partners to have limited
access to the specific servers, web pages, or files as required. This means that these
users can contribute to business productivity without compromising network security.
Remote-access VPNs are typically enabled dynamically by the user when required.
Remote access VPNs can be created using either IPsec or SSL. As shown in the figure, a
remote user must initiate a remote access VPN connection.
The figure displays two ways that a remote user can initiate a remote access VPN
connection: clientless VPN and client-based VPN.
Clientless VPN connection - The connection is secured using a web browser SSL
connection. SSL is mostly used to protect HTTP traffic (HTTPS) and email protocols
such as IMAP and POP3. For example, HTTPS is actually HTTP using an SSL tunnel.
The SSL connection is first established, and then HTTP data is exchanged over the
connection.
Client-based VPN connection - VPN client software such as Cisco AnyConnect
Secure Mobility Client must be installed on the remote user’s end device. Users
must initiate the VPN connection using the VPN client and then authenticate to the
destination VPN gateway. When remote users are authenticated, they have access
to corporate files and applications. The VPN client software encrypts the traffic
using IPsec or SSL and forwards it over the internet to the destination VPN
gateway.
18.2.3 SSL VPNs
When a client negotiates an SSL VPN connection with the VPN gateway, it actually
connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is
sometimes expressed as SSL/TLS. However, both terms are often used
interchangeably.
SSL uses the public key infrastructure and digital certificates to authenticate peers.
Both IPsec and SSL VPN technologies offer access to virtually any network application
or resource. However, when security is an issue, IPsec is the superior choice. If support
and ease of deployment are the primary issues, consider SSL. The type of VPN method
implemented is based on the access requirements of the users and the organization’s
IT processes. The table compares IPsec and SSL remote access deployments.
Feature: OSI layer
IPsec: Works at Layer 3, the Network layer of the OSI model, directly on top of IP.
SSL: Operates at Layer 7, the Application layer of the OSI model; it encrypts HTTP
traffic, not IP packets.
Feature: Connection complexity
IPsec: Medium - Because it requires a VPN client pre-installed on a host.
SSL: Low - It only requires a web browser on a host.
Feature: Connection option
IPsec: Limited - Only specific devices with specific configurations can connect.
SSL: Extensive - Any device with a web browser can connect.
It is important to understand that IPsec and SSL VPNs are not mutually exclusive.
Instead, they are complementary; both technologies solve different problems, and an
organization may implement IPsec, SSL, or both, depending on the needs of its
telecommuters.
18.2.4 Site-to-Site IPsec VPNs
Site-to-site VPNs are used to connect networks across another untrusted network such
as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted
TCP/IP traffic through a VPN-terminating device. The VPN-terminating device is
typically called a VPN gateway. A VPN gateway device could be a router or a firewall, as
shown in the figure. For example, the Cisco Adaptive Security Appliance (ASA) shown
on the right side of the figure is a standalone firewall device that combines firewall,
VPN concentrator, and intrusion prevention functionality into one software image.
The figure shows a site-to-site VPN connection using an IPsec tunnel. The client
laptop is connected to the network's VPN gateway, shown as a router. The VPN
gateway is connected across the internet, depicted as a cloud, to another VPN
gateway, shown as an ASA firewall. The connection between the two VPN gateways
uses IPsec to secure the VPN tunnel.
The VPN gateway encapsulates and encrypts outbound traffic. It then sends the traffic
through a VPN tunnel over the internet to a VPN gateway at the target site. Upon
receipt, the receiving VPN gateway strips the headers, decrypts the content, and relays
the packet toward the target host inside its private network.
Site-to-site VPNs are typically created and secured using IP security (IPsec).
18.2.5 Check Your Understanding - Compare Remote-Access and Site-to-Site VPNs
Check your understanding of VPN characteristics by choosing the correct answer to the
following questions.
Question 1
Which type of VPN supports dynamically changing connection information and can
be enabled when needed?
Remote
Site-to-site
Question 2
Which type of VPN is used when the host sends and receives normal TCP/IP traffic
through a VPN gateway?
Remote
Site-to-site
Question 3
Which type of VPN is used when both sides of the VPN connection are aware of the
VPN configuration in advance?
Remote
Site-to-site
Question 4
Which type of VPN is used when internal hosts have no knowledge that a VPN exists?
Remote
Site-to-site
Question 5
Which type of VPN is used when the telecommuter device is responsible for
establishing the VPN?
Remote
Site-to-site
18.3 IPsec Overview
18.3.1 Video - IPsec Concepts
In the previous topic you learned about types of VPNs. It is important to understand
how IPsec works with a VPN.
18.3.2 IPsec Technologies
IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be secured
across IP networks. IPsec protects and authenticates IP packets between source and
destination. IPsec can protect traffic from Layer 4 through Layer 7.
Using the IPsec framework, IPsec provides these essential security functions:
Confidentiality - IPsec uses encryption algorithms to prevent cybercriminals from
reading the packet contents.
Integrity - IPsec uses hashing algorithms to ensure that packets have not been
altered between source and destination.
Origin authentication - IPsec uses the Internet Key Exchange (IKE) protocol to
authenticate source and destination. Methods of authentication include the use of
pre-shared keys (passwords), digital certificates, or RSA certificates.
Diffie-Hellman - Secure key exchange typically using various groups of the DH
algorithm.
IPsec is not bound to any specific rules for secure communications. This flexibility of
the framework allows IPsec to easily integrate new security technologies without
updating the existing IPsec standards. The currently available technologies are aligned
to their specific security function. The open slots shown in the IPsec framework in the
figure can be filled with any of the choices that are available for that IPsec function to
create a unique security association (SA).
The security functions are listed in the table.
IPsec Function - Description
IPsec Protocol - The choices for IPsec Protocol include Authentication Header (AH) or
Encapsulation Security Protocol (ESP). AH authenticates the Layer 3 packet. ESP
encrypts the Layer 3 packet. Note: ESP+AH is rarely used as this combination will not
successfully traverse a NAT device.
Confidentiality - Encryption ensures confidentiality of the Layer 3 packet. Secure
choices include Advanced Encryption Standard (AES) or Software-Optimized Encryption
Algorithm (SEAL). Legacy algorithms that should be avoided include Data Encryption
Standard (DES) and Triple DES (3DES).
Integrity - Integrity ensures that data arrives unchanged at the destination by using a
hash algorithm. Examples include Secure Hash Algorithm (SHA) and message-digest 5
(MD5). MD5 is insecure and should be avoided. There are several versions of SHA.
SHA-1 is the original version and should be avoided. Instead, SHA-256 is recommended
to protect sensitive information. SHA-384 and SHA-512 are required to protect
classified information of higher importance.
Authentication - IPsec uses Internet Key Exchange (IKE) to authenticate users and
devices that can carry out communication independently. IKE uses several types of
authentication, including username and password, one-time password, biometrics,
pre-shared keys (PSKs), and digital certificates using the Rivest, Shamir, and Adleman
(RSA) algorithm.
Diffie-Hellman - IPsec uses the DH algorithm to provide a public key exchange method
for two peers to establish a shared secret key. There are several DH algorithm groups
to choose from. However, do not use DH groups 1, 2 and 5 as they are no longer
recommended. Instead, DH groups 14, 15, or 16 are considered secure and the Elliptic
Curve DH groups 19, 20, 21, and 24 are considered to be the most secure.
The figure shows examples of SAs for two different implementations. An SA is the basic
building block of IPsec. When establishing a VPN link, the peers must share the same
SA to negotiate key exchange parameters, establish a shared key, authenticate each
other, and negotiate the encryption parameters. Notice that SA Example 1 is using no
encryption.
IPsec Security Association Examples
data integrity. Although both encryption and authentication are optional in ESP, at
a minimum, one of them must be selected.
18.3.4 Confidentiality
Confidentiality is achieved by encrypting the data, as shown in the figure. The degree
of confidentiality depends on the encryption algorithm and the length of the key used
in the encryption algorithm. If someone tries to hack the key through a brute-force
attack, the number of possibilities to try is a function of the length of the key. The time
to process all the possibilities is a function of the computer power of the attacking
device. The shorter the key, the easier it is to break. A 64-bit key can take
approximately one year to break with a relatively sophisticated computer. A 128-bit
key with the same machine can take roughly 10^19 (10 quintillion) years to decrypt.
The encryption algorithms highlighted in the figure are all symmetric key
cryptosystems.
3DES is a variant of the 56-bit DES. It uses three independent 56-bit encryption
keys per 64-bit block, which provides significantly stronger encryption strength
over DES. DES is computationally taxing and is no longer considered to be secure.
AES is the most recommended symmetric encryption algorithm. It provides
stronger security than DES and is computationally more efficient than 3DES. AES
offers three different key lengths: 128 bits, 192 bits, and 256 bits.
SEAL is a stream cipher, which means it encrypts data continuously rather than
encrypting blocks of data. SEAL uses a 160-bit key and is considered to be very
secure.
18.3.5 Integrity
Data integrity means that the data that is received is exactly the same data that was
sent. Potentially, data could be intercepted and modified. For example, in the figure,
assume that a check for $100 is written to Alex. The check is then mailed to Alex, but it
is intercepted by a threat actor. The threat actor changes the name on the check to
Jeremy and the amount on the check to $1,000 and attempts to cash it. Depending on
the quality of the forgery in the altered check, the attacker could be successful.
Because VPN data is transported over the public internet, a method of proving data
integrity is required to guarantee that the content has not been altered. A hashing
algorithm guarantees the integrity of the message using a hash value. The figure
highlights the two most common hashing algorithms.
Note: Cisco now rates SHA-1 as legacy and recommends at least SHA-256 for integrity.
Message-Digest 5 (MD5) uses a 128-bit shared-secret key. The variable-length
message and 128-bit shared secret key are combined and run through the HMAC-MD5
hash algorithm. The output is a 128-bit hash. MD5 is no longer secure and should be
avoided.
The Secure Hash Algorithm (SHA) uses a 160-bit secret key. The variable-length
message and the 160-bit shared secret key are combined and run through the
HMAC-SHA-1 algorithm. The output is a 160-bit hash. SHA-256 or higher are
considered to be secure.
18.3.6 Authentication
When conducting business long distance, you must know who is at the other end of
the phone, email, or fax. The same is true of VPN networks. The device on the other
end of the VPN tunnel must be authenticated before the communication path is
considered secure. The figure highlights the two peer authentication methods.
A pre-shared secret key (PSK) value is entered into each peer manually. The PSK is
combined with other information to form the authentication key. PSKs are easy to
configure manually, but do not scale well, because each IPsec peer must be
configured with the PSK of every other peer with which it communicates.
Rivest, Shamir, and Adleman (RSA) authentication uses digital certificates to
authenticate the peers. The local device derives a hash and encrypts it with its
private key. The encrypted hash is attached to the message and is forwarded to the
remote end and acts like a signature. At the remote end, the encrypted hash is
decrypted using the public key of the local end. If the decrypted hash matches the
recomputed hash, the signature is genuine. Each peer must authenticate its
opposite peer before the tunnel is considered secure.
The figure shows an example of PSK authentication. At the local device, the
authentication key and the identity information are sent through a hash algorithm to
form the hash for the local peer (Hash_L). One-way authentication is established by
sending Hash_L to the remote device. If the remote device can independently create
the same hash, the local device is authenticated. After the remote device
authenticates the local device, the authentication process begins in the opposite
direction, and all steps are repeated from the remote device to the local device.
PSK Authentication
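The PSK exchange just described, as an added example that is not part of the course material. It assumes (this example's own choice) that the "other information" combined with the PSK is a pair of per-session nonces, uses HMAC-SHA-256 as the hash algorithm, and models each gateway as holding one configured PSK per remote peer, which is the scaling problem the text mentions; the identities, keys, class and function names are constructed.

```python
"""Added example (not from the course): IKE-style pre-shared key peer authentication."""
import hashlib
import hmac
import secrets


def derive_auth_key(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """The PSK is combined with per-session information to form the authentication key.
    Assumption of this example: that information is the initiator and responder
    nonces, mixed in with HMAC-SHA-256 (IKE's own derivation differs in detail)."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def peer_hash(auth_key: bytes, identity: str) -> bytes:
    """Hash_L (or Hash_R): authentication key and identity information through the hash."""
    return hmac.new(auth_key, b"ID:" + identity.encode(), hashlib.sha256).digest()


class Peer:
    """A VPN gateway holding one manually entered PSK per remote peer it talks to."""

    def __init__(self, identity: str, peer_psks: dict):
        self.identity = identity
        self.peer_psks = dict(peer_psks)     # remote identity -> PSK configured for it

    def make_hash(self, remote_identity: str, nonce_i: bytes, nonce_r: bytes) -> bytes:
        """Prove our identity to `remote_identity` using the PSK we share with it."""
        psk = self.peer_psks.get(remote_identity)
        if psk is None:
            raise KeyError(f"{self.identity} has no PSK configured for {remote_identity}")
        return peer_hash(derive_auth_key(psk, nonce_i, nonce_r), self.identity)

    def verify_hash(self, claimed_identity: str, received: bytes,
                    nonce_i: bytes, nonce_r: bytes) -> bool:
        """Independently recreate the hash from the claimed identity and the stored PSK."""
        psk = self.peer_psks.get(claimed_identity)
        if psk is None:                       # unknown peer: nothing to compare against
            return False
        expected = peer_hash(derive_auth_key(psk, nonce_i, nonce_r), claimed_identity)
        return hmac.compare_digest(expected, received)


def mutual_psk_auth(initiator: Peer, responder: Peer, nonce_i=None, nonce_r=None):
    """Both directions of the exchange; returns (initiator_authenticated, responder_authenticated)."""
    nonce_i = nonce_i if nonce_i is not None else secrets.token_bytes(16)
    nonce_r = nonce_r if nonce_r is not None else secrets.token_bytes(16)
    # Direction 1: the initiator sends Hash_L; the responder recomputes and compares it.
    hash_l = initiator.make_hash(responder.identity, nonce_i, nonce_r)
    if not responder.verify_hash(initiator.identity, hash_l, nonce_i, nonce_r):
        return False, False                   # stop here: no Hash_R for an unauthenticated peer
    # Direction 2: the same steps are repeated from the responder back to the initiator.
    hash_r = responder.make_hash(initiator.identity, nonce_i, nonce_r)
    return True, initiator.verify_hash(responder.identity, hash_r, nonce_i, nonce_r)


# Constructed identities and keys.
SHARED_PSK = b"constructed-psk-for-R1-and-R2"
R1 = Peer("R1", {"R2": SHARED_PSK})
R2 = Peer("R2", {"R1": SHARED_PSK})
R3 = Peer("R3", {"R2": b"constructed-psk-R3-thinks-it-shares"})   # R2 has no entry for R3

if __name__ == "__main__":
    print("R1 <-> R2:", mutual_psk_auth(R1, R2))    # (True, True)
    print("R3 -> R2:", mutual_psk_auth(R3, R2))     # (False, False)
```

Because the nonces change per session, a Hash_L captured from one exchange does not verify in a later one.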
The figure below shows an example of RSA authentication. At the local device, the
authentication key and identity information are sent through the hash algorithm to
form the hash for the local peer (Hash_L). Then the Hash_L is encrypted using the local
device’s private encryption key. This creates a digital signature. The digital signature
and a digital certificate are forwarded to the remote device. The public encryption key
for decrypting the signature is included in the digital certificate. The remote device
verifies the digital signature by decrypting it using the public encryption key. The result
is Hash_L. Next, the remote device independently creates Hash_L from stored
information. If the calculated Hash_L equals the decrypted Hash_L, the local device is
authenticated. After the remote device authenticates the local device, the
authentication process begins in the opposite direction and all steps are repeated from
the remote device to the local device.
RSA Authentication
DH provides a way for two peers to establish a shared secret key that only they know,
even though they are communicating over an insecure channel. Variations of the DH
key exchange are specified as DH groups:
DH groups 1, 2, and 5 should no longer be used. These groups support a key size of
768 bits, 1024 bits, and 1536 bits, respectively.
DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and 4096
bits, respectively, and are recommended for use until 2030.
DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521 bits,
and 2048 bits support Elliptic Curve Cryptography (ECC), which reduces the time
needed to generate keys. DH group 24 is the preferred next generation encryption.
The DH group you choose must be strong enough, or have enough bits, to protect the
IPsec keys during negotiation. For example, if you choose AES 128-bit key, use group
14, 19, 20 or 24. However, if you choose AES-256 or higher, use the DH group 21 or 24.
18.3.8 Video - IPsec Transport and Tunnel Modes
18.3.9 Check Your Understanding - IPsec
Check your understanding of IPsec by choosing the correct answer to the following
questions.
Question 1
IPsec can protect traffic in which OSI layers? (Choose four.)
Layer 1
Layer 2
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7
Question 2
Which IPsec function uses pre-shared passwords, digital certificates, or RSA
certificates?
IPsec protocol
Confidentiality
Integrity
Authentication
Diffie-Hellman
Question 3
True or False: The IPsec framework must be updated each time a new standard is
developed.
True
False
Question 4
Which choices are packet encapsulation options supported by IPsec? (Choose two.)
AES
AH
DH24
ESP
PSK
RSA
SHA
Question 5
Which choices provide for the Confidentiality function in the IPsec framework?
(Choose three.)
3DES
AES
AH
DH24
PSK
SEAL
SHA
Question 6
Which choices provide for the Integrity function in the IPsec framework? (Choose
two.)
AES
AH
DH24
MD5
PSK
SEAL
SHA
Question 7
Which choices are available for the Authentication function in the IPsec framework?
(Choose two.)
AES
AH
DH24
PSK
RSA
SEAL
SHA
Question 8
Which Diffie-Hellman group choices are no longer recommended?
DH groups 1, 2, and 5
DH groups 14, 15, and 16
DH groups 19, 20, 21 and 24
18.4 IPsec Protocols
18.4.1 IPsec Protocol Overview
The two main IPsec protocols are Authentication Header (AH) and Encapsulation
Security Protocol (ESP). The IPsec protocol is the first building block of the framework.
The choice of AH or ESP establishes which other building blocks are available.
AH uses IP protocol 51 and is appropriate only when confidentiality is not required or
permitted. It provides data authentication and integrity, but it does not provide data
confidentiality (encryption). All text is transported unencrypted.
ESP uses IP protocol 50 and provides both confidentiality and authentication. It
provides confidentiality by performing encryption on the IP packet. ESP provides
authentication for the inner IP packet and ESP header. Authentication provides data
origin authentication and data integrity. Although both encryption and authentication
are optional in ESP, at a minimum, one of them must be selected.
18.4.2 Authentication Header
AH achieves authenticity by applying a keyed one-way hash function to the packet to
create a hash or message digest. The hash is combined with the text and is transmitted
in plaintext, as shown in the figure. The receiver detects changes in any part of the
packet that occur during transit by performing the same one-way hash function on the
received packet and comparing the result to the value of the message digest that the
sender supplied. Authenticity is assured because the one-way hash also employs a
shared secret key between the two systems.
The AH function is applied to the entire packet, except for any IP header fields that
normally change in transit. Fields that normally change during transit are called
mutable fields. For example, the Time to Live (TTL) field is considered mutable because
routers modify this field.
The AH process occurs in this order:
1. The IP header and data payload are hashed using the shared secret key.
2. The hash builds a new AH header, which is inserted into the original packet, as
shown in the figure below.
The hashes must match exactly. If one bit is changed in the transmitted packet, the
hash output on the received packet changes and the AH header will not match.
AH supports MD5 and SHA algorithms. AH may not work if the environment uses NAT.
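The AH process described in this topic, as an added example that is not the course's code: it builds an IPv4 header, zeroes the mutable fields (TTL together with the TOS, flags/fragment offset and header checksum fields that RFC 4302 also lists as mutable), runs a keyed one-way hash over the header, the AH header and the payload, and shows that a router hop still verifies while a changed payload, a changed address or a wrong key does not. It uses HMAC-SHA-256 truncated to 128 bits; the addresses, key, payload and function names are constructed.

```python
"""Added example (not from the course): AH-style keyed hash over an IPv4 packet."""
import hashlib
import hmac
import struct

AH_PROTO = 51      # IPv4 protocol number for AH
ICV_LEN = 16       # HMAC-SHA-256-128: the 32-byte HMAC is truncated to 16 bytes


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) carrying AH, with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len,   # version/IHL, TOS, total length
                         0x1234, 0x4000,              # identification, DF flag + fragment offset
                         ttl, AH_PROTO, 0,            # TTL, protocol, checksum placeholder
                         src, dst)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def decrement_ttl(hdr: bytes) -> bytes:
    """Model one router hop: TTL minus one and the header checksum recomputed."""
    patched = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]


def zero_mutable_fields(hdr: bytes) -> bytes:
    """Zero the IPv4 fields that legitimately change in transit (RFC 4302, A1.1):
    TOS (byte 1), flags + fragment offset (bytes 6-7), TTL (byte 8) and the header
    checksum (bytes 10-11). Everything else, addresses included, stays covered."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_header(next_header: int, spi: int, seq: int) -> bytes:
    """AH header with an all-zero ICV field: next header, payload length
    (in 32-bit words minus 2), reserved, SPI, sequence number, ICV."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + bytes(ICV_LEN)


def compute_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """The keyed one-way hash: immutable IP fields + AH header (ICV zeroed) + payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_hdr[:12] + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def protect(key: bytes, src: bytes, dst: bytes, ttl: int, payload: bytes,
            spi: int, seq: int):
    """Sender: build the IP header and insert an AH header carrying the ICV."""
    ah_hdr = build_ah_header(6, spi, seq)                 # next header 6 = TCP
    ip_hdr = build_ipv4_header(src, dst, ttl, len(ah_hdr) + len(payload))
    return ip_hdr, ah_hdr[:12] + compute_icv(key, ip_hdr, ah_hdr, payload)


def verify(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bool:
    """Receiver: recompute the hash and compare it with the received ICV in constant time."""
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah_hdr, payload), ah_hdr[12:])


# Constructed sample data.
KEY = b"constructed-ah-shared-secret"
SRC, DST = bytes([10, 1, 1, 10]), bytes([192, 0, 2, 20])
PAYLOAD = b"normal TCP/IP traffic from an inside host"

if __name__ == "__main__":
    ip_hdr, ah_hdr = protect(KEY, SRC, DST, 64, PAYLOAD, spi=0x1000, seq=1)
    spoofed = ip_hdr[:12] + bytes([10, 9, 9, 9]) + ip_hdr[16:]
    print("unchanged packet   :", verify(KEY, ip_hdr, ah_hdr, PAYLOAD))                  # True
    print("after a router hop :", verify(KEY, decrement_ttl(ip_hdr), ah_hdr, PAYLOAD))   # True
    print("payload altered    :", verify(KEY, ip_hdr, ah_hdr, PAYLOAD[:-1] + b"!"))       # False
    print("source spoofed     :", verify(KEY, spoofed, ah_hdr, PAYLOAD))                 # False
```

The spoofed-source case is also why AH fails behind NAT: a translated address is a covered field, so the ICV no longer matches.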
18.4.3 Encapsulation Security Protocol
If ESP is selected as the IPsec protocol, an encryption algorithm must also be selected.
Cisco products support 3DES, AES, and SEAL. However, 3DES should be avoided. If
3DES must be implemented, then configure short key lifetimes.
ESP can also provide integrity and authentication. First, the payload is encrypted. Next,
the encrypted payload is sent through a hash algorithm, such as SHA-256 or higher.
The hash provides authentication and data integrity for the data payload. Note that
MD5 and SHA-1 should be avoided.
Optionally, ESP can also enforce anti-replay protection. Anti-replay protection verifies
that each packet is unique and is not duplicated. This protection ensures that a hacker
cannot intercept packets and insert changed packets into the data stream. Anti-replay
works by keeping track of packet sequence numbers and using a sliding window on the
destination end.
When a connection is established between a source and destination, their counters are
initialized at zero. Each time a packet is sent, a sequence number is appended to the
packet by the source. The destination uses the sliding window to determine which
sequence numbers are expected. The destination verifies that the sequence number of
the packet is not duplicated and is received in the correct order.
For example, if the sliding window on the destination is set to one, the destination is
expecting to receive the packet with the sequence number one. After it is received, the
sliding window moves to two. When detection of a replayed packet occurs, such as the
destination receiving a second packet with the sequence number of one, an error
message is sent, the replayed packet is discarded, and the event is logged.
Anti-replay is typically used in ESP, but it is also supported in AH.
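The sliding-window check described above, as an added example that is not part of the course: a receiver-side window that accepts each sequence number once, discards and logs repeats as replays, and discards packets that have fallen behind the window (which cannot be checked and so are dropped as well). The class and method names, the verdict strings and the default window size are this example's own choices.

```python
"""Added example (not from the course): ESP-style anti-replay sliding window."""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one unidirectional SA.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has been received.
    Sequence numbers start at 1: both counters start at zero and the
    sender increments before each packet is sent.
    """

    def __init__(self, window_size: int = 64):
        if window_size < 1:
            raise ValueError("window size must be at least 1")
        self.window_size = window_size
        self.highest = 0
        self.bitmap = 0
        self.log = []                          # events a device would log and report

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too_old'; state changes only on accept."""
        if seq <= 0:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap and mark seq.
            shift = seq - self.highest
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.window_size else 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window_size:
            self._report(seq, "too_old")       # behind the window: cannot be checked, dropped
            return "too_old"
        if self.bitmap & (1 << offset):
            self._report(seq, "replay")        # already seen: discard and log the event
            return "replay"
        self.bitmap |= 1 << offset             # late but first-time packet: accept
        return "accept"

    def _report(self, seq: int, reason: str) -> None:
        self.log.append(f"seq={seq} discarded ({reason}), window top={self.highest}")


def process_stream(seqs, window_size: int = 64):
    """Run received sequence numbers through one window; return (verdicts, log)."""
    window = AntiReplayWindow(window_size)
    return [window.check(s) for s in seqs], window.log


if __name__ == "__main__":
    # Constructed stream: the text's example, a packet 1 arriving a second time.
    verdicts, events = process_stream([1, 2, 1])
    print(verdicts)      # ['accept', 'accept', 'replay']
    print(events)
```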
In IPv4, AH and ESP are IP protocol headers. IPv6 uses the extension headers with a
next-header value of 50 for ESP and 51 for AH.
Transport Mode
In transport mode, security is provided only for the transport layer of the OSI model
and above. Transport mode protects the payload of the packet but leaves the original
IP address in plaintext. The original IP address is used to route the packet through the
internet. ESP transport mode is used between hosts.
Tunnel Mode
Tunnel mode provides security for the complete original IP packet. The original IP
packet is encrypted and then it is encapsulated in another IP packet. This is known as
IP-in-IP encryption. The IP address on the outside IP packet is used to route the packet
through the internet.
ESP tunnel mode is used between a host and a security gateway, or between two
security gateways, as shown in the figure.
For host-to-gateway applications, a home office might not have a router to perform
the IPsec encapsulation and encryption. In this case, an IPsec client running on the PC
performs the IPsec IP-in-IP encapsulation and encryption. For gateway-to-gateway
applications, rather than load IPsec on all of the computers at the remote and
corporate offices, it is easier to have the security gateways perform the IP-in-IP
encryption and encapsulation. At the corporate office, the router de-encapsulates and
decrypts the packet.
As shown in the figure, AH transport mode provides authentication and integrity for
the entire packet. It does not encrypt the data, but it is protected from modification.
AH tunnel mode encapsulates the IP packet with an AH and a new IP header, and signs
the entire packet for integrity and authentication.
18.4.6 Check Your Understanding - Compare AH and ESP
Check your understanding of the differences between AH and ESP by choosing
whether the following statements are true or false.
Question 1
ESP provides data authentication and integrity.
True
False
Question 2
ESP provides confidentiality and authentication.
True
False
Question 3
AH does not provide data confidentiality (encryption).
True
False
Question 4
AH provides confidentiality by performing encryption on the IP packet.
True
False
Question 5
ESP provides authentication for the inner IP packet and the ESP header.
True
False
18.5 Internet Key Exchange
18.5.1 The IKE Protocol
The Internet Key Exchange (IKE) protocol is a key management protocol standard. IKE
is used in conjunction with the IPsec standard. As shown in the figure, IKE
automatically negotiates IPsec security associations and enables IPsec secure
communications. IKE enhances IPsec by adding features and simplifies configuration
for the IPsec standard. Without IKE in place, IPsec configuration would be a complex,
manual configuration process that would not scale well.
IKE is a hybrid protocol that implements key exchange protocols inside the Internet
Security Association Key Management Protocol (ISAKMP) framework. ISAKMP
(pronounced “Ice-a-camp”) defines the message format, the mechanics of a key
exchange protocol, and the negotiation process to build an SA for IPsec.
Instead of transmitting keys directly across a network, IKE calculates shared keys based
on the exchange of a series of data packets. This prevents a third party from decrypting
the keys even if the third party captured all of the exchanged data that was used to
calculate the keys. IKE uses UDP port 500 to exchange IKE information between the
security gateways. UDP port 500 packets must be permitted on any IP interface that is
connecting a security gateway peer.
18.5.2 Phase 1 and 2 Key Negotiation
IKE uses ISAKMP for phase 1 and phase 2 of key negotiation. Phase 1 negotiates a
security association (a key) between two IKE peers. The key negotiated in phase 1
enables IKE peers to communicate securely in phase 2. During phase 2 negotiation, IKE
establishes keys (security associations) for other applications, such as IPsec.
In Phase 1, two IPsec peers perform the initial negotiation of SAs. The basic purpose of
Phase 1 is to negotiate ISAKMP policy, authenticate the peers, and set up a secure
tunnel between the peers. This tunnel will then be used in Phase 2 to negotiate the
IPsec policy, as shown in the figure.
Note: The phrases IKE policy and ISAKMP policy are equivalent. The phrase ISAKMP
policy is used in this course to better match the commands (crypto isakmp
policy, show isakmp policy, etc.) as well as to clarify that the ISAKMP policy applies to
the IKE Phase 1 tunnel.
Phase 1 can be implemented in main mode or aggressive mode. When main mode is
used, the identities of the two IKE peers are hidden. Aggressive mode takes less time
than main mode to negotiate keys between peers. However, since the authentication
hash is sent unencrypted before the tunnel is established, aggressive mode is
vulnerable to brute-force attacks.
Note: In Cisco IOS software, the default action for IKE authentication is to initiate main
mode. However, Cisco IOS software will respond in aggressive mode to an IKE peer
that initiates aggressive mode.
18.5.3 Phase 2 - Negotiating SAs
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be
used to secure the IPsec tunnel, as shown in the figure. IKE Phase 2 is called quick
mode and can only occur after IKE has established a secure tunnel in Phase 1. SAs are
negotiated by the IKE process ISAKMP on behalf of IPsec, which needs encryption keys
for operation. Quick mode negotiates the IKE Phase 2 SAs. In this phase, the SAs that
IPsec uses are unidirectional; therefore, a separate key exchange is required for each
data flow.
Quick mode also renegotiates a new IPsec SA when the IPsec SA lifetime expires.
Basically, quick mode refreshes the keying material that creates the shared secret key.
This is based on the keying material that is derived from the DH exchange in Phase 1.
Quick Mode
that the traffic is encrypted to keep the data confidential while it is transported across
the public network.
Modern VPNs now support encryption features, such as Internet Protocol Security
(IPsec) and Secure Sockets Layer (SSL) to secure network traffic between sites. Benefits
include:
Cost savings
Security
Scalability
Compatibility
VPN Topologies
There are two types of VPN topologies:
Site-to-site VPNs - Created when VPN gateways are preconfigured with
information to establish a secure tunnel. VPN traffic is only encrypted between
these devices. Internal hosts have no knowledge that a VPN is being used.
Remote access VPNs - These VPNs enable remote and mobile users to securely
connect to the enterprise by creating an encrypted tunnel.
Remote access connections can be:
Clientless - The connection is secured using a web browser SSL connection. SSL
uses the public key infrastructure and digital certificates to authenticate peers.
Client-based - The connection is secured using a client application such as the Cisco
AnyConnect Secure Mobility Client on the host.
IPsec Overview
IPsec is a framework used to define how a VPN connection will ensure confidentiality,
integrity, and origin authentication. It is not bound to any specific protocols enabling it
to integrate using new security technologies. When establishing a VPN link, the peers
must share the same SA to negotiate key exchange parameters, establish a shared key,
authenticate each other, and negotiate the encryption parameters.
IPsec provides:
Confidentiality - Using symmetric encryption protocols (i.e., AES, SEAL, 3DES, and
DES).
Integrity - Using Hashed Message Authentication Code (HMAC) hashing algorithms
(i.e., SHA or MD5).
Authentication - Using a pre-shared secret or RSA.
DH provides a way for two peers to establish a shared secret key that only they know,
even though they are communicating over an insecure channel.
IPsec Protocols
The two main IPsec protocols are:
Authentication Header (AH) - IP protocol 51 that only provides authentication.
Encapsulation Security Protocol (ESP) - IP protocol 50 that provides authentication
and encryption.
ESP and AH can be applied to IP packets using transport mode or tunnel mode.
Internet Key Exchange
The Internet Key Exchange (IKE) protocol is a key management protocol standard that
is used to automatically negotiate IPsec security associations and enable IPsec secure
communications. IKE uses UDP port 500 to exchange IKE information between the
security gateways.
IKE uses ISAKMP for phase 1 and phase 2 of key negotiation. Phase 1 negotiates a
security association (a key) between two IKE peers. The key negotiated in phase 1
enables IKE peers to communicate securely in phase 2. During phase 2 negotiation, IKE
establishes keys (security associations) for other applications, such as IPsec.
18.6.2 Module 18 - VPNs Quiz
Question 1
A network administrator is planning a VPN tunnel. Why would the engineer select
main mode for IKE Phase 1?
It is quicker.
It is more secure.
It requires less configuration.
It is the industry standard.
Question 2
What are the two types of VPN connections? (Choose two.)
PPPoE
Site-to-site
Leased line
Frame Relay
Remote access
Question 3
Which IPsec framework protocol provides data integrity and data authentication, but
does not provide data confidentiality?
AH
IP protocol 50
ESP
DH
Question 4
What can be used as a VPN gateway when setting up a site-to-site VPN?
Cisco Catalyst switch
Cisco router
Cisco Unified Communications Manager
Cisco AnyConnect
Question 5
Which two types of VPNs are examples of enterprise-managed remote access VPNs?
(Choose two.)
IPsec VPN
Clientless SSL VPN
GRE over IPsec VPN
Client-based IPsec VPN
IPsec Virtual Tunnel Interface VPN
Question 6
Which type of VPN may require the Cisco VPN Client software?
Remote access VPN
SSL VPN
Site-to-site VPN
MPLS VPN
Question 7
Which protocol provides authentication, integrity, and confidentiality services and is
a type of VPN?
AES
ESP
IPsec
MD5
Question 8
Which IPsec security function provides assurance that the data received via a VPN
has not been modified in transit?
Confidentiality
Integrity
Authentication
Secure key exchange
Question 9
Which statement describes a feature of site-to-site VPNs?
The VPN connection is not statically defined.
VPN client software is installed on each host.
Internal hosts send normal, unencapsulated packets.
Individual hosts can enable and disable the VPN connection.
Question 10
What is a type of VPN that is generally transparent to the end user?
Site-to-site
Remote access
Public
Private
Question 11
Which statement describes a VPN?
VPNs use dedicated physical connections to transfer data between remote users.
VPNs use logical connections to create public networks through the Internet.
VPNs use open source virtualization software to create the tunnel through the
Internet.
VPNs use virtual connections to create a private network through a public network.
Question 12
What is the purpose of IKE?
Key transmission
VPN key management
Firewall port management
Security appliance configuration
Module 19: Implement Site-to-Site IPsec VPN
19.0 Introduction
19.0.1 Why Should I Take this Module?
By now you have a basic understanding of VPNs. How do you configure a site-to-site
VPN? Once it has been configured, how do you test it? This module will cover these
topics.
19.0.2 What Will I Learn in this Module?
Module Title: Implement Site-to-Site IPsec VPNs
Module Objective: Configure a site-to-site IPsec VPN, with pre-shared key
authentication, using CLI.
Topic Title - Topic Objective
Configure a Site-to-Site IPsec VPN - Describe IPsec negotiation and the five steps of IPsec configuration.
ISAKMP Policy - Use the correct commands to configure an ISAKMP policy.
IPsec Policy - Use the correct commands to configure the IPsec policy.
Crypto Map - Use the correct command to configure and apply a crypto map.
IPsec VPN - Configure the IPsec VPN.
19.1 Configure a Site-to-Site IPsec VPN
19.1.1 IPsec Negotiation
In order for an IPsec VPN tunnel to become operational, IPsec negotiation must first
occur. The IPsec negotiation process to establish a VPN involves five steps, which
include IKE Phase 1 and Phase 2.
Step 1
An Internet Security Association Key Management Protocol (ISAKMP) tunnel is initiated
when host A sends “interesting” traffic to host B. Traffic is considered interesting when
it travels between the peers and meets the criteria that are defined in an ACL.
Step 2
IKE Phase 1 begins. The peers negotiate the ISAKMP SA policy. When the peers agree
on the policy and are authenticated, a secure tunnel is created.
Step 4
Information is exchanged through the IPsec tunnel.
Step 5
The IPsec tunnel terminates when the IPsec SAs are manually deleted, or when their
lifetime expires.
The interface and default routing configurations for R1 and R2 are shown in the
example.
R1# show run
<output omitted>
!
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
!
interface Serial0/0/0
ip address 172.30.2.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Serial0/0/0
!=========================================
R2# show run
<output omitted>
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/0
ip address 172.30.2.2 255.255.255.0
!
ip route 10.0.1.0 255.255.255.0 Serial0/0/0
!
An extended ping on R1 verifies that routing between the LANs is operational, as
shown in the example output.
R1# ping 192.168.1.1 source 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
19.1.3 IPsec VPN Configuration Tasks
Security Policy Requirements
All XYZCORP VPNs should be implemented using the following security policy:
Encrypt traffic with AES 256 and SHA.
Authenticate with PSK.
Exchange keys with DH group 14.
ISAKMP tunnel lifetime is 1 hour.
IPsec tunnel uses ESP with a 15-minute lifetime.
Configuration Tasks:
The configuration tasks required to meet this policy are:
Task 1: Configure the ISAKMP Policy for IKE Phase 1
Task 2: Configure the IPsec Policy for IPsec Phase 2
Task 3: Configure a Crypto Map for the IPsec Policy
Task 4: Apply the IPsec Policy
Task 5: Verify that the IPsec Tunnel is Operational
19.1.4 Existing ACL Configurations
Although XYZCORP does not have an existing ACL configuration, this would not be the
case in a production network. Perimeter routers typically implement a restrictive
security policy, blocking all traffic except for traffic specifically allowed. Prior to
implementing a site-to-site IPsec VPN, ensure that the existing ACLs do not block traffic
necessary for IPsec negotiations. The ACL command syntax to permit ISAKMP, ESP, and
AH traffic is shown here.
Router(config)# ip access-list extended name
Router(config-ext-nacl)# permit udp source wildcard destination wildcard eq isakmp
Router(config-ext-nacl)# permit esp source wildcard destination wildcard
Router(config-ext-nacl)# permit ahp source wildcard destination wildcard
The example below demonstrates an ACL configuration that allows the traffic
necessary for IPsec negotiations. R2 would have a similar configuration.
R1(config)# ip access-list extended INBOUND
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
R1(config-ext-nacl)# permit icmp host 172.30.2.2 host 172.30.2.1
R1(config-ext-nacl)# permit udp host 172.30.2.2 host 172.30.2.1 eq isakmp
R1(config-ext-nacl)# permit esp host 172.30.2.2 host 172.30.2.1
R1(config-ext-nacl)# permit ahp host 172.30.2.2 host 172.30.2.1
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface serial0/0/0
R1(config-if)# ip access-group INBOUND in
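The check a practitioner wants here is whether an existing perimeter ACL would actually let the three negotiation flows through before the VPN is turned on. The following is an added example (not code from the course or from Cisco IOS): a small first-match evaluator for IOS extended ACL entries, run against the INBOUND list above. The required flows are an assumption drawn from the text (ISAKMP on UDP 500, ESP as IP protocol 50, AH as IP protocol 51, each arriving from the peer 172.30.2.2 at the local serial address 172.30.2.1); only contiguous wildcard masks are handled.

```python
"""Check that a perimeter ACL admits the flows an IPsec peer needs to negotiate.

Added example for the XYZCORP scenario; not code from the course or from Cisco IOS.
INBOUND_ACL is the R1 access list from the text with the prompts removed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INBOUND_ACL = """\
permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
permit icmp host 172.30.2.2 host 172.30.2.1
permit udp host 172.30.2.2 host 172.30.2.1 eq isakmp
permit esp host 172.30.2.2 host 172.30.2.1
permit ahp host 172.30.2.2 host 172.30.2.1
deny ip any any
"""

# IOS protocol keywords -> IP protocol number (None = any protocol); IOS port names -> numbers.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORT_NAME = {"isakmp": 500}

# Assumed set of flows a perimeter ACL must admit for IPsec: (label, protocol, destination port).
IPSEC_FLOWS = [("isakmp", 17, 500), ("esp", 50, None), ("ahp", 51, None)]


@dataclass
class Ace:
    action: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask is the inverse of a netmask; the netmask's one bits give the prefix length.
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse extended-ACL entries of the form 'permit|deny PROTO SRC DST [eq PORT]'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], PROTO_NUM[tokens[1]]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAME[rest[1]] if rest[1] in PORT_NAME else int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None) -> str:
    """First-match evaluation; the implicit deny at the end of every IOS ACL is the fallthrough."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto is not None and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def blocked_ipsec_flows(acl_text, peer, local) -> List[str]:
    """Labels of the negotiation flows the ACL would drop; an empty list means IPsec can come up."""
    aces = parse_acl(acl_text)
    return [label for label, proto, port in IPSEC_FLOWS
            if evaluate(aces, proto, peer, local, port) != "permit"]


if __name__ == "__main__":
    print("blocked on R1:", blocked_ipsec_flows(INBOUND_ACL, "172.30.2.2", "172.30.2.1"))
```

Running the check against the INBOUND list returns an empty list; dropping the `permit udp ... eq isakmp` line makes the function report `isakmp`, which is the symptom (Phase 1 never starting) that a missing perimeter rule produces.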
19.1.5 Handling Broadcast and Multicast Traffic
The XYZCORP topology uses static routing, so there is no multicast or broadcast traffic
that needs to be routed through the tunnel. But what if XYZCORP decided to
implement EIGRP or OSPF? These routing protocols use multicast addresses to
exchange routing information with neighbors. IPsec only supports unicast traffic. To
enable routing protocol traffic, the peers in a site-to-site IPsec VPN implementation
would need to be configured with a Generic Routing Encapsulation (GRE) tunnel for
the multicast traffic.
GRE supports multiprotocol tunneling, as shown in the figure. It can encapsulate
multiple OSI Layer 3 protocol packet types inside an IP tunnel. Adding an additional
GRE header between the payload and the tunneling IP header provides the
multiprotocol functionality. GRE also supports IP multicast tunneling. Routing protocols
that are used across the tunnel enable dynamic exchange of routing information in the
virtual network. GRE does not provide encryption. GRE configuration is beyond the
scope of this course.
Generic Routing Encapsulation
19.1.6 Check Your Understanding - Identify the IPsec Negotiation Steps
R1# show crypto isakmp default policy
Default IKE policy
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
R1 has eight default ISAKMP policies ranging from the most secure (policy 65507) to
the least secure (policy 65514). If no other policy has been defined by the
administrator, R1 will attempt to use the most secure default policy. If R2 has a
matching policy, then R1 and R2 can successfully negotiate the IKE Phase 1 ISAKMP
tunnel without any configuration by the administrator. Eight default policies allow for
flexibility in the negotiations. If there is no agreement to use the most secure default
policy, R1 will attempt to use the next most secure policy.
In this example, none of the default policies match the security policy for XYZCORP. So
a new ISAKMP policy will have to be configured.
19.2.2 Syntax to Configure a New ISAKMP Policy
To configure a new ISAKMP policy, use the crypto isakmp policy command, as shown
in the figure. The only argument for the command is to set a priority for the policy
(from 1 to 10000). Peers will attempt to negotiate using the policy with the lowest
number (highest priority). Peers do not require matching priority numbers.
When in ISAKMP policy configuration mode, the SAs for the IKE Phase 1 tunnel can be
configured. Use the mnemonic HAGLE to remember the five SAs to configure:
Hash
Authentication
Group
Lifetime
Encryption
R1(config)# crypto isakmp policy ?
<1-10000> Priority of protection suite
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# ?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
19.2.3 ISAKMP Policy Configuration
To meet the security policy requirements for XYZCORP, configure the ISAKMP policy
with the following SAs:
Hash is SHA
Authentication is pre-shared key
Group is 14
Lifetime is 3600 seconds
Encryption is AES
The example shows the ISAKMP policy configuration. Use the show crypto isakmp
policy command to verify the configuration. R2 has an equivalent configuration.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 24
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# end
R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #24 (2048 bit, 256 bit subgroup)
lifetime: 3600 seconds, no volume limit
R1#
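Reading the `show crypto isakmp policy` output by eye works for one suite, but the question an auditor actually asks is whether any listed suite meets the written security policy. The following is an added example, not code from the course or from Cisco IOS: it parses the suite listings into the five HAGLE attributes and reports each attribute that differs from a requirement set. The R1 output and the first two default suites are taken from the text; XYZCORP_POLICY encodes the 19.1.3 requirements (DH group 14), so on the configured policy, which uses group 24, the check reports the group attribute. The phrase-to-keyword tables are an assumption that covers only the phrases appearing in this module.

```python
"""Parse 'show crypto isakmp policy' output and compare each protection suite with
a HAGLE requirement set. Added example for the XYZCORP scenario; not code from the
course or from Cisco IOS."""
import re

R1_POLICY_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #24 (2048 bit, 256 bit subgroup)
lifetime: 3600 seconds, no volume limit
"""

DEFAULT_OUTPUT = """\
Default IKE policy
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
"""

# XYZCORP requirements from 19.1.3, keyed in HAGLE order.
XYZCORP_POLICY = {"hash": "sha", "authentication": "pre-share",
                  "group": 14, "lifetime": 3600, "encryption": "aes 256"}

# Phrases IOS prints -> configuration keywords (assumed table). Order matters:
# "DES" is a substring of the triple-DES phrase, so it is tried last.
_ENCRYPTION = {"AES": "aes", "Three key triple DES": "3des", "DES": "des"}
_HASH = {"Secure Hash Standard": "sha", "Message Digest 5": "md5"}
_AUTH = {"Pre-Shared Key": "pre-share", "Rivest-Shamir-Adleman Signature": "rsa-sig"}


def parse_isakmp_policies(text):
    """Return one dict per 'Protection suite of priority N' block, in display order."""
    suites, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(?:Default p|P)rotection suite of priority (\d+)", line)
        if head:
            cur = {"priority": int(head.group(1))}
            suites.append(cur)
        elif cur is None:
            continue
        elif line.startswith("encryption algorithm:"):
            phrase = next(p for p in _ENCRYPTION if p in line)
            bits = re.search(r"\((\d+) bit keys\)", line)
            cur["encryption"] = _ENCRYPTION[phrase] + (f" {bits.group(1)}" if bits else "")
        elif line.startswith("hash algorithm:"):
            cur["hash"] = _HASH[line.split(":", 1)[1].strip()]
        elif line.startswith("authentication method:"):
            cur["authentication"] = _AUTH[line.split(":", 1)[1].strip()]
        elif line.startswith("Diffie-Hellman group:"):
            cur["group"] = int(re.search(r"#(\d+)", line).group(1))
        elif line.startswith("lifetime:"):
            cur["lifetime"] = int(re.search(r"(\d+) seconds", line).group(1))
    return suites


def policy_gaps(suite, required):
    """{attribute: (configured, required)} for every requirement the suite does not meet."""
    return {k: (suite.get(k), v) for k, v in required.items() if suite.get(k) != v}


def first_compliant_priority(text, required):
    """Priority of the first listed suite meeting every requirement, or None if none does."""
    for suite in parse_isakmp_policies(text):
        if not policy_gaps(suite, required):
            return suite["priority"]
    return None


if __name__ == "__main__":
    for suite in parse_isakmp_policies(R1_POLICY_OUTPUT):
        print(suite["priority"], policy_gaps(suite, XYZCORP_POLICY))
```

Run against the default suites, the function finds no compliant priority, which is the text's reason for configuring policy 1 in the first place; run against the configured policy it reports only the DH group.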
19.2.4 Pre-Shared Key Configuration
The XYZCORP security policy requires that a pre-shared key be used for authentication
between the peers. The administrator can either specify a host name or an IP address
for the peer. The command syntax is shown below.
Router(config)# crypto isakmp key keystring address peer-address
Router(config)# crypto isakmp key keystring hostname peer-hostname
XYZCORP uses the key phrase cisco12345 and the IP address of the peer as shown in
the examples after the figure.
R1# conf t
R1(config)# crypto isakmp key cisco12345 address 172.30.2.2
R1(config)#
R2# conf t
R2(config)# crypto isakmp key cisco12345 address 172.30.2.1
R2(config)#
19.2.5 Syntax Checker - Configuring a Pre-Shared Key
Use this Syntax Checker to configure the ISAKMP policy for R2.
Configure the ISAKMP policy with priority 1 using the following SA parameters:
Hash is SHA
Authentication is pre-shared
Diffie-Hellman Group is 24
Lifetime is 3600 seconds
Encryption is AES with a 256 bit key
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 24
R2(config-isakmp)#lifetime 3600
R2(config-isakmp)#encryption aes 256
Configure the pre-shared ISAKMP key using cisco12345 for the key and 172.30.2.1 as
the IP address of the peer.
R2(config-isakmp)#crypto isakmp key cisco12345 address 172.30.2.1
Use the do command within config mode to display the ISAKMP policy.
R2(config-isakmp)#do show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #24 (2048 bit, 256 bit subgroup)
lifetime: 3600 seconds, no volume limit
R2(config-isakmp)#
You have successfully configured the ISAKMP policy.
19.3 IPsec Policy
19.3.1 Define Interesting Traffic
Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does
not yet exist. This is verified with the show crypto isakmp sa command in the figure
below. Interesting traffic must be detected before IKE Phase 1 negotiations can begin.
For the XYZCORP site-to-site VPN, interesting traffic is any permitted communications
between the Site 1 and Site 2 LANs.
R1(config)#
R2# conf t
R2(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
R2(config)#
19.3.2 Configure IPsec Transform Set
The next step is to configure the set of encryption and hashing algorithms that will be
used to transform the data sent through the IPsec tunnel. This is called the transform
set. During IKE Phase 2 negotiations, the peers agree on the IPsec transform set to be
used for protecting interesting traffic.
Configure a transform set using the crypto ipsec transform-set command, as shown
here. First, specify a name for the transform set (R1-R2, in the example).
R1(config)# crypto ipsec transform-set ?
WORD Transform set tag
R1(config)# crypto ipsec transform-set R1-R2 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
After the transform set is named, the encryption and hashing algorithm can be
configured in either order. The examples show the transform set configuration for R1
and R2.
R1(config)# crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
R1(config)#
R2(config)# crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
R2(config)#
19.3.3 Syntax Checker - Configure IPsec Transform Set
Use this Syntax Checker to configure the IPsec policy for R2.
Configure the IPsec policy on R2. Create an extended access list 102 describing
interesting traffic from 192.168.1.0/24 to 10.0.1.0/24.
R2(config)#access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
Configure the IPsec transform set named R1-R2 using the following instructions:
Use esp-aes for encryption.
Use esp-sha-hmac for the hash.
R2(config)#crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
R2(config)#
You have successfully configured the IPsec policy.
19.4 Crypto Map
19.4.1 Syntax to Configure a Crypto Map
Now that the interesting traffic is defined, and an IPsec transform set is configured, it is
time to bind those configurations with the rest of the IPsec policy in a crypto map. The
syntax to start a crypto map set is shown below. The sequence number is important
when configuring multiple crypto map entries. XYZCORP will only need one crypto map
entry to match traffic and account for the remaining SAs. Although the ipsec-manual
option is shown, its use is beyond the scope of this course.
Router(config)# crypto map map-name seq-num { ipsec-isakmp | ipsec-manual }
The available configurations for a crypto map entry when you are in crypto map
configuration mode are shown below. The map name is R1-R2_MAP, and the
sequence number is 10.
R1(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# ?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
disable Disable this crypto-map-statement.
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
19.4.2 Crypto Map Configuration
To finish the configuration to meet the IPsec security policy for XYZCORP, complete the
following:
Step 1. Bind the ACL and the transform set to the map.
Step 2. Specify the peer’s IP address.
Step 3. Configure the DH group.
Step 4. Configure the IPsec tunnel lifetime.
The crypto map configurations for R1 and R2 are shown below.
R1(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set transform-set R1-R2
R1(config-crypto-map)# set peer 172.30.2.2
R1(config-crypto-map)# set pfs group24
R1(config-crypto-map)# set security-association lifetime seconds 900
R1(config-crypto-map)# exit
R1(config)#
R2(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)# match address 102
R2(config-crypto-map)# set transform-set R1-R2
R2(config-crypto-map)# set peer 172.30.2.1
R2(config-crypto-map)# set pfs group24
R2(config-crypto-map)# set security-association lifetime seconds 900
R2(config-crypto-map)# exit
R2(config)#
Use the show crypto map command to verify the crypto map configuration, as shown
below for R1. All the required SAs should be in place. Notice that the output shows
that no interfaces are currently using the crypto map.
R1# show crypto map
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:
R1#
19.4.3 Apply and Verify the Crypto Map
To apply the crypto map, enter interface configuration mode for the outbound
interface and configure the crypto map map-name command. Below is the
configuration for XYZCORP. Notice the show crypto map output now displays that the
Serial 0/0/0 interface is using the crypto map. R2 is configured with the same
command on its Serial 0/0/0 interface.
R1(config)# interface serial0/0/0
R1(config-if)# crypto map R1-R2_MAP
R1(config-if)#
*Mar 19 19:36:36.273: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)# end
R1# show crypto map
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:
Serial0/0/0
19.4.4 Syntax Checker - Configure, Apply, and Verify the Crypto Map
Use this Syntax Checker to configure, apply, and verify a crypto map on R2.
Configure the crypto map on R2 to bind the transform set and IPsec policy using the
following parameters:
Crypto map name is R1-R2_MAP.
Sequence number is 10.
Bind access list 102 and transform set R1-R2.
Peer IP address is 172.30.2.1.
Diffie-Hellman Group is group24.
SA lifetime is 900 seconds.
R2(config)#crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 102
R2(config-crypto-map)#set transform-set R1-R2
R2(config-crypto-map)#set peer 172.30.2.1
R2(config-crypto-map)#set pfs group24
R2(config-crypto-map)#set security-association lifetime seconds 900
Apply the R1-R2_MAP to the s0/0/0 interface.
R2(config-crypto-map)#interface s0/0/0
R2(config-if)#crypto map R1-R2_MAP
*Mar 19 19:36:36.273: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Use the do command in config mode to display the crypto map.
R2(config-if)#do show crypto map
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.1
Extended IP access list 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:
Serial0/0/0
R2(config-if)#
You have successfully configured and applied the crypto map.
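The two `show crypto map` outputs above have to agree with each other in specific ways for Phase 2 to succeed: each peer address must point at the other router, the crypto ACLs must be mirror images (R1 permits 10.0.1.0/24 to 192.168.1.0/24, R2 permits the reverse), and the transform set, SA lifetime and PFS group must match. The following is an added example, not code from the course or from Cisco IOS, that parses both outputs and cross-checks them; the local serial addresses passed to `crosscheck()` are taken from the topology, and the sample outputs are the ones printed in the text.

```python
"""Cross-check both ends of a site-to-site crypto map from 'show crypto map' output.
Added example for the XYZCORP scenario; not code from the course or from Cisco IOS.
Prompts such as 'R1#' are not part of the samples and are not expected by the parser."""
import re

R1_MAP = """\
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:
Serial0/0/0
"""

R2_MAP = """\
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.1
Extended IP access list 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:
Serial0/0/0
"""


def parse_crypto_map(text):
    """Pull peer, crypto ACL entries, lifetime, PFS group, transform sets and bound interfaces."""
    m = {"aces": [], "transform_sets": {}, "interfaces": []}
    mode = None  # "ts" inside the Transform sets={ ... } block, "if" after the interfaces header
    for raw in text.splitlines():
        line = raw.strip()
        if mode == "ts":
            if line == "}":
                mode = None
            else:
                name, body = line.split(":", 1)  # e.g. "R1-R2: { esp-aes esp-sha-hmac } ,"
                m["transform_sets"][name.strip()] = tuple(body.strip(" ,{}").split())
            continue
        if mode == "if":
            if line:
                m["interfaces"].append(line)
            continue
        head = re.match(r'Crypto Map IPv4 "([^"]+)" (\d+) (ipsec-isakmp|ipsec-manual)', line)
        if head:
            m["name"], m["seq"], m["type"] = head.group(1), int(head.group(2)), head.group(3)
        elif line.startswith("Peer = "):
            m["peer"] = line[len("Peer = "):]
        elif line.startswith("access-list ") and " permit ip " in line:
            m["aces"].append(tuple(line.split()[4:8]))  # (src, src-wildcard, dst, dst-wildcard)
        elif line.startswith("Security association lifetime:"):
            kb, sec = re.search(r"(\d+) kilobytes/(\d+) seconds", line).groups()
            m["lifetime_kb"], m["lifetime_sec"] = int(kb), int(sec)
        elif line.startswith("PFS (Y/N):"):
            m["pfs"] = line.endswith("Y")
        elif line.startswith("DH group:"):
            m["dh_group"] = line.split(":", 1)[1].strip()
        elif line.startswith("Transform sets={"):
            mode = "ts"
        elif line.startswith("Interfaces using crypto map"):
            mode = "if"
    return m


def crosscheck(a, a_local, b, b_local):
    """Return a list of problems between the two ends; an empty list means they agree."""
    problems = []
    if a.get("peer") != b_local or b.get("peer") != a_local:
        problems.append(f"peer addresses do not point at each other: {a.get('peer')} / {b.get('peer')}")
    # The ACL on one side must be the other side's ACL with source and destination swapped.
    mirrored = {(dst, dwc, src, swc) for src, swc, dst, dwc in b["aces"]}
    if set(a["aces"]) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    if set(a["transform_sets"].values()) != set(b["transform_sets"].values()):
        problems.append("transform sets differ")
    for key in ("lifetime_sec", "pfs", "dh_group", "type"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    for label, end in (("first", a), ("second", b)):
        if not end["interfaces"]:
            problems.append(f"{label} crypto map is not applied to any interface")
    return problems


if __name__ == "__main__":
    r1, r2 = parse_crypto_map(R1_MAP), parse_crypto_map(R2_MAP)
    print(crosscheck(r1, "172.30.2.1", r2, "172.30.2.2") or "both ends agree")
```

A mistyped subnet in one crypto ACL, or a map that was configured but never applied to the outbound interface, shows up here as a named problem before any interesting traffic is sent.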
19.5 IPsec VPN
19.5.1 Send Interesting Traffic
Now that both the ISAKMP and IPsec policies are configured, and the crypto map is
applied to the appropriate outbound interfaces, test the two tunnels by sending
interesting traffic across the link.
Traffic from the LAN interface on R1 that is destined for the LAN interface on R2 is
considered interesting traffic because it matches the ACLs configured on both routers.
An extended ping from R1 will effectively test the VPN configuration. The extended
ping command syntax and results are shown below. The first ping failed because it
takes a few milliseconds to establish the ISAKMP and IPsec tunnels.
R1# ping 192.168.1.1 source 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R1#
19.5.2 Verify the ISAKMP and IPsec Tunnels
Sending interesting traffic does not actually mean that the tunnels are established. R1
and R2 will route traffic between the two LANs even if the ISAKMP and IPsec policy
configurations are wrong. To verify that tunnels have been established, use the show
crypto isakmp sa and show crypto ipsec sa commands. In the output below, notice that
the tunnel is active between the two peers, 172.30.2.1 and 172.30.2.2, and that they
are using the R1-R2_MAP crypto map.
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.30.2.2 172.30.2.1 QM_IDLE 1005 ACTIVE
IPv6 Crypto ISAKMP SA
R1#
R1# show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: R1-R2_MAP, local addr 172.30.2.1
inbound ah sas:
conn id: 2020, flow_id: Onboard VPN:20, sibling_flags 80004040, crypto map: R1-R2_MAP
sa timing: remaining key lifetime (k/sec): (4155730/802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2019, flow_id: Onboard VPN:19, sibling_flags 80004040, crypto map: R1-R2_MAP
sa timing: remaining key lifetime (k/sec): (4155730/802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
<output omitted>
R2#
You have successfully verified the IPsec VPN.
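The point above, that a successful ping proves routing but not the tunnel, is easy to operationalise: read the two show commands and only call the VPN up when Phase 1 shows an ACTIVE QM_IDLE SA between the right peers and Phase 2 shows an ACTIVE inbound and outbound ESP SA with packet counters moving. The following is an added example, not code from the course or from Cisco IOS. The ISAKMP SA table is the one printed in the text; the `show crypto ipsec sa` sample is constructed from the fields the text shows (transform, conn id, remaining lifetime, status) plus the standard `#pkts encaps`/`#pkts decaps` counters, with made-up SPI values.

```python
"""Decide from 'show crypto isakmp sa' and 'show crypto ipsec sa' whether both tunnels are up.
Added example for the XYZCORP scenario; not code from the course or from Cisco IOS."""
import re

ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.30.2.2      172.30.2.1      QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: field layout follows the text, SPI values are made up.
IPSEC_SA_OUTPUT = """\
interface: Serial0/0/0
    Crypto map tag: R1-R2_MAP, local addr 172.30.2.1

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 172.30.2.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2020, flow_id: Onboard VPN:20, sibling_flags 80004040, crypto map: R1-R2_MAP
        sa timing: remaining key lifetime (k/sec): (4155730/802)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4D3C2B1A(1295788826)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2019, flow_id: Onboard VPN:19, sibling_flags 80004040, crypto map: R1-R2_MAP
        sa timing: remaining key lifetime (k/sec): (4155730/802)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
"""


def parse_isakmp_sa(text):
    """One dict per SA row (dst, src, state, conn-id, status); header and section lines are skipped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[3].isdigit():
            rows.append({"dst": t[0], "src": t[1], "state": t[2],
                         "conn_id": int(t[3]), "status": " ".join(t[4:])})
    return rows


def phase1_established(text, local, peer):
    """IKE Phase 1 is up when an SA between the two peers is in QM_IDLE and ACTIVE."""
    return any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               and {r["src"], r["dst"]} == {local, peer}
               for r in parse_isakmp_sa(text))


def parse_ipsec_sa(text):
    """Return packet counters and, per 'inbound/outbound esp|ah|pcp sas' section, the SAs listed."""
    result = {"counters": {}, "sas": {}}
    section, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        for key in ("encaps", "decaps"):
            hit = re.search(rf"#pkts {key}: (\d+)", line)
            if hit:
                result["counters"][key] = int(hit.group(1))
        head = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if head:
            section = f"{head.group(1)} {head.group(2)}"
            result["sas"].setdefault(section, [])
            sa = None
            continue
        if section is None:
            continue
        if line.startswith("spi:"):
            sa = {"spi": line.split()[1]}
            result["sas"][section].append(sa)
        elif sa is not None:
            if line.startswith("transform:"):
                sa["transform"] = tuple(line.split(":", 1)[1].strip(" ,").split())
            elif line.startswith("sa timing:"):
                kb, sec = re.search(r"\((\d+)/(\d+)\)", line).groups()
                sa["remaining_kb"], sa["remaining_sec"] = int(kb), int(sec)
            elif line.startswith("Status:"):
                sa["status"] = line.split(":", 1)[1].strip()
    return result


def phase2_established(text):
    """IKE Phase 2 is up when both an inbound and an outbound ESP SA report ACTIVE."""
    sas = parse_ipsec_sa(text)["sas"]
    def active(section):
        return any(sa.get("status", "").startswith("ACTIVE") for sa in sas.get(section, []))
    return active("inbound esp") and active("outbound esp")


def tunnel_report(isakmp_text, ipsec_text, local, peer):
    """Summarise both phases the way an operator reads the two show commands together."""
    parsed = parse_ipsec_sa(ipsec_text)
    active = [sa for sas in parsed["sas"].values() for sa in sas if sa.get("status", "").startswith("ACTIVE")]
    return {"phase1": phase1_established(isakmp_text, local, peer),
            "phase2": phase2_established(ipsec_text),
            "encaps": parsed["counters"].get("encaps", 0),
            "decaps": parsed["counters"].get("decaps", 0),
            "min_remaining_sec": min((sa["remaining_sec"] for sa in active), default=None)}


if __name__ == "__main__":
    print(tunnel_report(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, "172.30.2.1", "172.30.2.2"))
```

The remaining lifetime (802 seconds here) should never exceed the 900 seconds set in the crypto map, and encaps and decaps both rising after the extended ping is the evidence that the LAN-to-LAN traffic is really being carried inside ESP rather than routed in the clear.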
19.5.4 Video - Site-to-Site IPsec VPN Configuration
terminates when the IPsec SAs are manually deleted, or when their lifetime expires.
Implementing a site-to-site VPN requires configuring settings for both IKE Phase 1 and
Phase 2. In the Phase 1 configuration, the two sites are configured with the necessary
ISAKMP security associations to ensure that an ISAKMP tunnel can be created. In the
Phase 2 configuration, the two sites are configured with the IPsec security associations
to ensure that an IPsec tunnel is created within the ISAKMP tunnel. Both tunnels will
be created only when interesting traffic is detected. IPsec only supports unicast traffic.
To enable multicast routing protocol traffic, the peers in a site-to-site IPsec VPN
implementation would need to be configured with a Generic Routing Encapsulation
(GRE) tunnel for the multicast traffic. GRE supports multiprotocol tunneling. It can
encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel. The
addition of an additional GRE header between the payload and the tunneling IP header
provides the multiprotocol functionality. GRE also supports IP multicast tunneling.
Routing protocols that are used across the tunnel enable dynamic exchange of routing
information in the virtual network. GRE does not provide encryption.
ISAKMP Policy
The ISAKMP policy lists the SAs that the router is willing to use to establish the IKE
Phase 1 tunnel. The Cisco IOS comes with default ISAKMP policies already in place. To
view the default policies, enter the show crypto isakmp default policy command. The
router will attempt to use the most secure default policy if no other policy was defined
by the administrator. To configure a new ISAKMP policy, use the crypto isakmp policy
command. The five SAs to configure are hash, authentication, group, lifetime, and
encryption (HAGLE).
IPsec Policy
Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does
not yet exist. This is verified with the show crypto isakmp sa command. To define
interesting traffic, configure each router with an ACL to permit traffic from the local
LAN to the remote LAN. The ACL will be used in the crypto map configuration to
specify what traffic will trigger the start of IKE Phase 1. Configure the set of encryption
and hashing algorithms that will be used to transform the data that is sent through the
IPsec tunnel. Configure a transform set using the crypto ipsec transform-set command.
Crypto Map
Now that the interesting traffic is defined, and an IPsec transform set is configured, it is
time to bind those configurations with the rest of the IPsec policy in a crypto map. To
finish the configuration to meet the IPsec security policy you must bind the ACL and
the transform set to the map, specify the peer’s IP address, configure the DH group,
and configure the IPsec tunnel lifetime. Use the show crypto map command to verify
the crypto map configuration. To apply the crypto map, enter interface configuration
mode for the outbound interface and configure the crypto map map-name command.
IPsec VPN
After the ISAKMP and IPsec policies are configured, and the crypto map is applied to
the appropriate outbound interfaces, test the two tunnels by sending interesting traffic
across the link. An extended ping will effectively test the VPN configuration. To verify
that tunnels have been established, use the show crypto isakmp sa and show crypto
ipsec sa commands.
19.6.2 Module 19 - Implement Site-to-Site IPsec VPNs Quiz
Question 1
What is defined by an ISAKMP policy?
The security associations that IPsec peers are willing to use
The preshared keys that will be exchanged between IPsec peers
Access lists that identify interesting traffic
The IP addresses of IPsec peers
Question 2
Which are the five security associations to configure in ISAKMP policy configuration
mode?
Hash, Authentication, Group, Lifetime, Encryption
Hash, Authentication, GRE, Lifetime, ESP
Hash, Authorization, Group, Lifetime, Encryption
Hash, Accounting, Group, Lifetime, ESP
Question 3
What command or action will verify that a VPN tunnel has been established?
Issue a show crypto map command.
Issue a show crypto isakmp sa command.
Issue a show ip interface command.
Send interesting traffic from the VPN router interface.
Question 4
What three protocols must be permitted through the company firewall for
establishment of IPsec site-to-site VPNs? (Choose three.)
ESP
NTP
HTTPS
AH
ISAKMP
SSH
Question 5
Refer to the exhibit. The ISAKMP policy for the IKE Phase 1 tunnel was configured,
but the tunnel does not yet exist. Which action should be taken next before IKE
Phase 1 negotiations can begin?
Configure the set of encryption and hashing algorithms that will be used to transform
the data sent through the IPsec tunnel.
Configure an ACL to define interesting traffic.
Bind the transform set with the rest of the IPsec policy in a crypto map.
Configure the IPsec tunnel lifetime.
Question 6
What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts
during IKE Phase 1?
ISAKMP SA policy
Transform sets
Interesting traffic
DH groups
Question 7
A network analyst is configuring a crypto map and has just bound the ACL and the
transform set to the map, and set the IPsec tunnel lifetime. What other step
completes the configuration of the crypto map?
Define the interesting traffic.
Apply the map to an interface.
Configure the DH group.
Configure the SA policy.
Question 8
What is the first step in establishing an IPsec VPN?
Detection of interesting traffic
Negotiation of ISAKMP policies
Creation of a secure tunnel to negotiate a security association policy
Creation of an IPsec tunnel between two IPsec peers
Question 9
Refer to the exhibit. Given the partial output of the show version command on a
router, if a network engineer wants to begin to configure an IPsec VPN, what would
be the next step to take?
Configure an ACL to define interesting traffic.
Configure the ISAKMP policy for IKE phase 1.
Accept the EULA and activate the security technology package.
Configure a crypto map for the IPsec policy.
Question 10
Refer to the exhibit. How will traffic that does not match access list 101 be treated by
the router?
It will be sent encrypted.
It will be discarded.
It will be sent unencrypted.
It will be blocked.
Checkpoint Exam: VPNs Group Exam
This exam will cover material from Modules 18-19 of the Network Security 1.0
curriculum.
Copyright 2021, Cisco Systems, Inc.
Question 1
Which protocol creates a virtual point-to-point connection to tunnel unencrypted
traffic between Cisco routers from a variety of protocols?
GRE
IKE
OSPF
IPsec
Question 2
Which two statements describe the IPsec protocol framework? (Choose two.)
AH provides encryption and integrity.
AH uses IP protocol 51.
AH provides integrity and authentication.
ESP uses UDP protocol 51.
AH provides both authentication and encryption.
Question 3
What are the two modes used in IKE Phase 1? (Choose two.)
aggressive
passive
primary
main
secondary
Question 4
How is "tunneling" accomplished in a VPN?
All packets between two hosts are assigned to a single physical medium to ensure that
the packets are kept private.
Packets are disguised to look like other types of traffic so that they will be ignored by
potential attackers.
A dedicated circuit is established between the source and destination devices for the
duration of the connection.
New headers from one or more VPN protocols encapsulate the original packets.
Question 5
What technology is used to negotiate security associations and calculate shared keys
for an IPsec VPN tunnel?
3DES
IKE
SHA
PSK
Question 6
Which two scenarios are examples of remote access VPNs? (Choose two.)
A small branch office with three employees has a Cisco ASA that is used to create a
VPN connection to the HQ.
An employee who is working from home uses VPN client software on a laptop in
order to connect to the company network.
All users at a large branch office can access company resources through a single VPN
connection.
A toy manufacturer has a permanent VPN connection to one of its parts suppliers.
A mobile sales agent is connecting to the company network via the Internet
connection at a hotel.
Question 7
Which two statements describe a remote access VPN? (Choose two.)
It connects entire networks to each other.
It is used to connect individual hosts securely to a company network over the
Internet.
It requires hosts to send TCP/IP traffic through a VPN gateway.
It may require VPN client software on hosts.
It requires static configuration of the VPN tunnel.
Question 8
Two corporations have just completed a merger. The network engineer has been
asked to connect the two corporate networks without the expense of leased lines.
Which solution would be the most cost effective method of providing a proper and
secure connection between the two corporate networks?
Frame Relay
Cisco AnyConnect Secure Mobility Client with SSL
remote access VPN using IPsec
Cisco Secure Mobility Clientless SSL VPN
site-to-site VPN
Question 9
Which statement describes the effect of key length in deterring an attacker from
hacking through an encryption key?
The length of a key does not affect the degree of security.
The length of a key will not vary between encryption algorithms.
The shorter the key, the harder it is to break.
The longer the key, the more key possibilities exist.
Question 10
Which is a requirement of a site-to-site VPN?
It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic.
It requires a client/server architecture.
It requires the placement of a VPN server at the edge of the company network.
It requires hosts to use VPN client software to encapsulate traffic.
Question 11
What is a function of the GRE protocol?
to provide encryption through the IPsec tunnel
to configure the IPsec tunnel lifetime
to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel
to configure the set of encryption and hashing algorithms that will be used to
transform the data sent through the IPsec tunnel
Question 12
What takes place during IKE Phase 2 when establishing an IPsec VPN?
Interesting traffic is identified.
Traffic is exchanged between IPsec peers.
ISAKMP security associations are exchanged.
IPsec security associations are exchanged.
Question 13
Refer to the exhibit. What show command displays whether the securityk9 software
is installed on the router and whether the EULA license has been activated?
show crypto isakmp policy 1
show version
show interfaces s0/0/0
show running-config
Question 14
Refer to the exhibit. What HMAC algorithm is being used to provide data integrity?
DH
MD5
AES
SHA
Question 15
What is needed to define interesting traffic in the creation of an IPsec tunnel?
access list
transform set
security associations
hashing algorithm
Question 16
Router R1 has configured ISAKMP policies numbered 1, 5, 9, and 203. Router R2 only
has default policies. How will R1 attempt to negotiate the IKE Phase 1 ISAKMP tunnel
with R2?
R1 will try to match policy #203 with the most secure default policy on R2.
R1 will begin to try to match policy #1 with policy #65514 on R2.
R1 will attempt to match policy #1 with the most secure matching policy on R2.
R1 and R2 cannot match policies because the policy numbers are different.
Question 17
Refer to the exhibit. A VPN tunnel is configured on the WAN between R1 and R2. On
which R1 interface(s) would a crypto map be applied in order to create a VPN
between R1 and R2?
G0/0
G0/0 and G0/1
all R1 interfaces
S0/0/0
Question 18
What type of traffic is supported by IPsec?
IPsec supports all IPv4 traffic.
IPsec supports all traffic permitted through an ACL.
IPsec supports layer 2 multicast traffic.
IPsec only supports unicast traffic.
Question 19
A site-to-site IPsec VPN is to be configured. Place the configuration steps in order.
Question 20
When the CLI is used to configure an ISR for a site-to-site VPN connection, what is
the purpose of the crypto map command in interface configuration mode?
to bind the interface to the ISAKMP policy
to force IKE Phase 1 negotiations to begin
to negotiate the SA policy
to configure the transform set
Module 20: Introduction to ASA
20.0 Introduction
20.0.1 Why Should I Take this Module?
In this module, you will learn about the Cisco ASA Firewall models. Which model is the
best choice? It depends on your organization's requirements. Keep reading to learn
more!
20.0.2 What Will I Learn in this Module?
Module Title: Introduction to the ASA
Module Objective: Explain how the ASA operates as an advanced stateful firewall.
Topic Title: Topic Objective
ASA Solutions: Compare ASA solutions to other routing firewall technologies.
The ASA 5506-X with FirePOWER Services: Describe three ASA deployment scenarios.
20.1 ASA Solutions
20.1.1 ASA Firewall Models
An IOS router firewall solution is appropriate for small branch deployments and for
administrators who are experienced with Cisco IOS. However, an IOS firewall solution
does not scale well and typically cannot meet the needs of a large enterprise.
The Cisco ASA with FirePOWER Services family of products provides dedicated firewall
services in one device. These are next-generation firewall (NGFW) devices that deliver
integrated threat defense across the entire attack continuum.
There are several ASA models addressing the needs of various organizations. Cisco ASA
devices scale to meet a range of requirements and network sizes. The choice of ASA
model depends on an organization’s requirements, such as maximum throughput,
maximum connections per second, and budget.
The following figures display these models and their stateful inspection throughput.
All models provide advanced stateful firewall features and VPN functionality. The
biggest difference between the models is the maximum traffic throughput handled by
each model and the number and types of interfaces.
Cisco Firepower 1000
This model is suitable for small office and home office (SOHO) and small business.
Cisco Firepower 4100
This figure displays a 4100 series ASA that is intended for large campus and data center
use.
Cisco ASAv50 - This appliance requires 16 GB of memory and delivers up to 10
Gbps of stateful inspection throughput.
Cisco ASAv100 - This appliance requires 32 GB of memory and delivers up to 20
Gbps of stateful inspection throughput.
Note: The focus of this module will be on the ASA 5506-X which is designed for small
business, branch office, and enterprise teleworker implementations.
20.1.2 Video - Cisco ASA Next-Generation Firewall Appliances
High availability with failover
As shown here, two identical ASAs can be paired into an active/standby failover
configuration to provide device redundancy. Both platforms must be identical in
software, licensing, memory, and interfaces, including the Security Services Module
(SSM). In the example, ASA-1 is the primary/active forwarding device and traffic
leaving PC-1 takes the preferred path using ASA-1. ASA-1 and ASA-2 monitor each
other using the LAN failover link. If ASA-1 fails, then ASA-2 immediately assumes
the primary role and becomes active.
Identity Firewall
The ASA provides optional, granular access control based on an association of IP
addresses to Windows Active Directory login information. For example, in the figure,
when a client attempts to access the server resources, it must first be authenticated
using the Microsoft Active Directory Identity-based firewall services. These services
enhance the existing access control and security policy mechanisms by allowing users,
or groups, to be specified in place of source IP addresses. Identity-based security
policies can be interleaved without restriction between traditional IP address-based
rules.
20.1.4 Cisco Firepower Series
Traditionally, organizations used dedicated devices to protect their network. The Cisco
next-generation firewall (NGFW) combines proven firewall technology with advanced
threat and malware detection capabilities.
These NGFWs consolidate multiple security layers into a single platform, eliminating
the cost of buying and managing multiple solutions. This integrated approach
combines best-in-class security technology with multilayer protection that is integrated
into a single device.
The Cisco ASA 5500-X with FirePOWER Services devices are part of the new Cisco
NGFWs. Designed for small to medium branch offices, the ASA 5500-X with FirePOWER
Services merges the ASA 5500 stateful firewall features with some of the following
advanced threat and malware detection capabilities:
Next-generation IPS (NGIPS)
Advanced Malware Protection (AMP)
Application control and URL filtering
Note: “FirePOWER” refers to the Firepower services running on an ASA while
“Firepower” refers to Cisco Firepower series of NGFW devices.
20.1.5 Video - Cisco FTD - Threat Centric NGFW
The figure below illustrates how these zones interact for denied traffic:
Traffic originating from the outside network going to the inside network is denied.
Traffic originating from the DMZ network going to the inside network is denied.
Denied Traffic
Cisco ISRs can provide firewall features by using either the Zone-Based Policy Firewall
(ZPF) or by using the older context-based access control (CBAC) feature. An ASA
provides the same features, but the configuration differs considerably from the IOS
router configuration of the ZPF.
The ASA is a dedicated firewall appliance. By default, it treats a defined inside interface
as the trusted network and any defined outside interfaces as untrusted networks.
Each interface has an associated security level. These security levels enable the ASA to
implement security policies. For example, inside users can access outside networks
based on certain addresses, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
Note: Security levels are sometimes called trust levels. In this course, we will use the
term security levels.
Network resources that are needed by outside users, such as a web or FTP server, can
be located in a DMZ. The firewall allows limited access to the DMZ while protecting the
inside network from outside users.
20.1.7 ASA Firewall Modes of Operation
There are two firewall interface modes of operation available on ASA devices: routed
mode and transparent mode.
In routed mode, two or more interfaces separate Layer 3 networks (i.e., domains). In
the figure, the ASA is considered to be a router hop in the network and can perform
NAT between connected networks. Routed mode supports multiple interfaces. Each
interface is on a different subnet and requires an IP address on that subnet. The ASA
applies policies to flows as they transit the firewall.
Note: The focus of this module is on the routed mode.
Routed Mode
An ASA in transparent mode is often referred to as a “bump in the wire,” or a “stealth
firewall” because the ASA functions like a Layer 2 device and is not considered a router
hop. In the figure below, the ASA is only assigned an IP address on the local network
for management purposes. This mode is useful to simplify a network configuration, or
when the existing IP addressing cannot be altered. However, the drawbacks include no
support for dynamic routing protocols, VPNs, QoS, or DHCP Relay.
Transparent Mode
licensed features in a single key. A product activation key can be purchased from a
Cisco account representative.
Note: Only one permanent license key can be installed. After it is installed, it is
referred to as the running license.
To verify the license information on an ASA device, use the show activation-key
command, as shown below, or the show version command.
NETSEC-ASA# show activation-key
Serial Number: JAD242301E6
Running Permanent Activation Key: 0x1e14e468 0x7c715e6b 0xcc71d1f4 0x9de81084
0x4e143eb6
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs :5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers :2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions :2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
NETSEC-ASA#
20.2 The ASA 5506-X with FirePOWER Services
20.2.1 Overview of ASA 5506-X
The Cisco ASA 5506-X is a full-featured security appliance for small businesses, branch
offices, and enterprise teleworker environments. It delivers a high-performance
firewall, SSL VPN, IPsec VPN, and rich networking services in a modular, plug-and-play
appliance.
The figure illustrates the front panel of the ASA 5506-X.
ASA 5506-X Front Panel
The figure below illustrates the back panel of the Cisco ASA 5506-X. The default DRAM
memory is 4 GB and the default internal flash memory is 8 GB. In a failover
configuration, the two units must be identical models with the same hardware
configuration, the same number and types of interfaces, and the same amount of
RAM. Failover is available with the Security Plus license.
ASA 5506-X Backplane
1. 50GB mSATA solid state drive
2. Crypto accelerator CPU
3. Multicore 1.25 GHz CPU
4. 4GB DRAM
20.2.2 ASA Security Levels
The ASA assigns security levels to distinguish between inside and outside networks.
Security levels define the level of trustworthiness of an interface. The higher the level,
the more trusted the interface. The security level numbers range from 0
(untrustworthy) to 100 (very trustworthy). Each operational interface must have a
name and a security level from 0 (lowest) to 100 (highest) assigned.
As shown in the figure below, level 100 should be assigned to the most secure
network, such as the inside network. Level 0 can be assigned to the outside network,
which is connected to the Internet. DMZs and other networks can be assigned a
security level between 0 and 100. When traffic moves from an interface with a higher
security level to an interface with a lower security level, it is considered outbound
traffic. Conversely, traffic moving from an interface with a lower security level to an
interface with a higher security level is considered inbound traffic.
Security Level Settings
Security levels help to control many aspects of network traffic as shown in the table
below.
Aspect: Effect
Network Access: By default, there is an implicit permit from a higher security
interface to a lower security interface (outbound). Hosts on the higher security
interface can access hosts on a lower security interface. Multiple interfaces can be
assigned the same security level. If communication is enabled for interfaces with the
same security level, there is an implicit permit for traffic between the interfaces.
Inspection Engines: Some application inspection engines are dependent on the security
level. When interfaces have the same security level, the ASA inspects traffic in
either direction.
Application Filtering: HTTPS and FTP filtering applies only for outbound connections
that are from a higher level to a lower level. If communication is enabled for
interfaces with the same security level, traffic can be filtered in either direction.
Outbound traffic is allowed and inspected by default. Returning traffic is allowed
because of stateful packet inspection. For example, internal users on the inside
interface can easily access resources on the DMZ. They can also initiate connections to
the Internet with no restrictions and without the need for an additional policy or
additional commands. However, traffic that is coming from the outside network and
going into either the DMZ or the inside network, is denied by default. Return traffic,
originating on the inside network and returning via the outside interface, would be
allowed. Any exception to this default behavior requires configuration of an ACL to
explicitly permit traffic from an interface with a lower security level to an interface
with a higher security level, for example outside to inside.
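The security-level rules above (implicit outbound permit, inbound denied unless an ACL permits it, same-level traffic only when enabled, return traffic accepted by stateful inspection) as an added Python model written for this page; it is not Cisco code or ASA software. It assumes that an ACL applied to an interface is evaluated first-match with an implicit deny, and all interface names, addresses and ACL entries are constructed samples.

```python
"""Model of how ASA security levels decide whether a connection is accepted.

Added illustration for this page, not Cisco code or ASA software. Rules from the text:
higher -> lower level (outbound) is implicitly permitted; lower -> higher (inbound) is
denied unless an ACL on the ingress interface explicitly permits it; equal levels pass
only if same-security inter-interface traffic is enabled; return traffic of an established
connection passes by stateful inspection. Assumed: an applied ACL is first-match with an
implicit deny. Interface names, addresses and ACL entries are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Ace:
    """One access-list entry; ANY / None act as wildcards."""
    action: str                      # "permit" or "deny"
    src_ip: str = ANY
    dst_ip: str = ANY
    dst_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (self.src_ip in (ANY, flow.src_ip) and self.dst_ip in (ANY, flow.dst_ip)
                and self.dst_port in (None, flow.dst_port))

@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None = no ACL applied inbound

    def __post_init__(self) -> None:
        # Each operational interface needs a name and a level from 0 to 100.
        if not self.name or not 0 <= self.security_level <= 100:
            raise ValueError("interface needs a name and a security level of 0..100")

class Asa:
    def __init__(self, same_security_inter_interface: bool = False) -> None:
        self.interfaces: Dict[str, Interface] = {}
        self.same_security_inter_interface = same_security_inter_interface
        # Stateful connection table: (ingress, egress, flow) of accepted connections.
        self.conn_table: Set[Tuple[str, str, Flow]] = set()

    def add_interface(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface

    @staticmethod
    def _acl_decision(acl: List[Ace], flow: Flow) -> bool:
        for ace in acl:
            if ace.matches(flow):
                return ace.action == "permit"
        return False  # implicit deny at the end of the ACL

    def new_connection(self, ingress: str, egress: str, flow: Flow) -> bool:
        """Decide whether a connection initiated on `ingress` toward `egress` is accepted."""
        i, e = self.interfaces[ingress], self.interfaces[egress]
        if i.acl_in is not None:
            allowed = self._acl_decision(i.acl_in, flow)
        elif i.security_level > e.security_level:
            allowed = True                       # implicit outbound permit
        elif i.security_level == e.security_level:
            allowed = self.same_security_inter_interface
        else:
            allowed = False                      # inbound with no ACL exception
        if allowed:
            self.conn_table.add((ingress, egress, flow))
        return allowed

    def return_packet(self, ingress: str, egress: str, reply: Flow) -> bool:
        """Return traffic is accepted only if it reverses an established connection."""
        return any((orig_in, orig_out) == (egress, ingress)
                   and (reply.src_ip, reply.dst_ip) == (f.dst_ip, f.src_ip)
                   for orig_in, orig_out, f in self.conn_table)

def demo() -> Dict[str, bool]:
    """Walk the scenarios from the text on a constructed inside/DMZ/outside ASA."""
    asa = Asa()
    asa.add_interface(Interface("inside", 100))
    asa.add_interface(Interface("dmz", 50))
    # The one exception to the defaults: outside may reach the DMZ web server on port 80.
    asa.add_interface(Interface("outside", 0, acl_in=[Ace("permit", dst_ip="172.16.1.10", dst_port=80)]))
    inside_pc, dmz_web, remote = "10.0.0.5", "172.16.1.10", "203.0.113.9"
    return {
        "inside_to_internet": asa.new_connection("inside", "outside", Flow(inside_pc, remote, 443)),
        "reply_from_internet": asa.return_packet("outside", "inside", Flow(remote, inside_pc, 443)),
        "inside_to_dmz": asa.new_connection("inside", "dmz", Flow(inside_pc, dmz_web, 80)),
        "dmz_to_inside": asa.new_connection("dmz", "inside", Flow(dmz_web, inside_pc, 445)),
        "outside_to_dmz_web": asa.new_connection("outside", "dmz", Flow(remote, dmz_web, 80)),
        "outside_to_dmz_ssh": asa.new_connection("outside", "dmz", Flow(remote, dmz_web, 22)),
        "outside_to_inside": asa.new_connection("outside", "inside", Flow(remote, inside_pc, 443)),
    }
```

Calling demo() returns a verdict per scenario: only the outbound flows, the stateful reply and the ACL-permitted web connection are accepted; everything else from a lower to a higher level is denied.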
20.2.3 ASA 5506-X Deployment Scenarios
The ASA 5506-X is commonly used as an edge security device. It connects a small
business to an ISP device, such as a DSL or cable modem, for access to the internet. It
can be deployed to interconnect and protect several workstations, network printers,
and IP phones.
In a small branch, a common deployment would include an inside network with
security level 100 and an outside network with security level 0, as shown in the figure
below.
ASA Deployment in Small Branches
In the small business, as shown below, the ASA 5506-X can be deployed with two
different protected network segments. One segment is the inside network, which
connects workstations and IP phones. The other segment is the DMZ, which connects a
company web server. The outside interface is used to connect to the internet.
ASA Deployment in a Small Business
20.3 Introduction to the ASA Summary
20.3.1 What Did I Learn in this Module?
ASA Solutions
The Cisco ASA with FirePOWER Services family of products provides dedicated firewall
services in one device. These are NGFW devices that deliver integrated threat defense
across the entire attack continuum. The choice of ASA model depends on an
organization’s requirements, such as maximum throughput, maximum connections per
second, and budget. The Cisco ASAv brings the power of ASA appliances to the virtual
domain. When discussing networks connected to a firewall, there are some general
terms to consider: outside network, inside network, and the DMZ.
There are two firewall interface modes of operation available on ASA devices: routed
mode and transparent mode. In routed mode, two or more interfaces separate Layer 3
networks, i.e. domains. An ASA in transparent mode is often referred to as a “bump in
the wire,” or a “stealth firewall” because the ASA functions like a Layer 2 device and is
not considered a router hop. Advanced ASA firewall features include ASA virtualization,
high availability with failover, identity firewall, and threat control and containment
services. Most ASA appliances come pre-installed with either a Base license or a
Security Plus license.
The ASA 5506-X with FirePOWER Services
The Cisco ASA 5506-X is a full-featured security appliance for small businesses, branch
offices, and enterprise teleworker environments. It delivers a high-performance
firewall, SSL VPN, IPsec VPN, and rich networking services in a plug-and-play appliance.
The ASA assigns security levels to distinguish between inside and outside networks.
The security level numbers range from 0 (untrustworthy) to 100 (very trustworthy).
Outbound traffic is allowed and inspected by default. Returning traffic is allowed
because of stateful packet inspection. The ASA 5506-X is commonly used as an edge
security device. It connects a small business to an ISP device, such as a DSL or cable
modem, for access to the internet.
20.3.2 Module 20 - Introduction to the ASA Quiz
Question 1
What is a characteristic of ASA security levels?
The lower the security level on an interface, the more trusted the interface.
Each operational interface must have a name and be assigned a security level from 0 to
200.
Inbound traffic is identified as the traffic moving from an interface with a higher
security level to an interface with a lower security level.
An ACL needs to be configured to explicitly permit traffic from an interface with a
lower security level to an interface with a higher security level.
Question 2
What are the two biggest differences among various ASA firewall models? (Choose
two.)
In the maximum traffic throughput supported
In the operating system version support
In the configuration method using either CLI or ASDM
In the number and types of interfaces
In the VPN functionality
Question 3
Which statement describes the Cisco ASAv product?
It is a cloud-based Cisco ASA firewall product.
It is a Cisco ASA feature added on a Cisco router.
It is a virtual machine version of Cisco ASA product.
It is a Cisco FirePOWER service that can be added on a Cisco router.
Question 4
What two features must match between ASA devices to implement a failover
configuration? (Choose two.)
Source IP address
Device model
Amount of RAM
Next-hop destination
Software configuration
Question 5
Which feature is specific to the Security Plus upgrade license of an ASA and provides
increased availability?
Routed mode
Transparent mode
Stateful packet inspection
Redundant ISP connections
Question 6
What is the most trustworthy security level that can be configured on an ASA device
interface?
0
50
100
255
Question 7
Which two statements describe the 8 Gigabit Ethernet ports in the backplane of a
Cisco ASA 5506-X device? (Choose two.)
They are all routed ports.
Port 1 is a routed port and the rest are switch ports.
They all can be configured as routed ports or switch ports.
Three of them are routed ports and 5 of them are switch ports.
These ports all require IP addresses.
Question 8
Which advanced ASA Firewall feature provides granular access control based on an
association of IP addresses to Windows Active Directory login information?
Identity firewall
ASA virtualization
High availability with failover
Threat control and containment services
Question 9
What are two basic configuration requirements for each operational interface on an
ASA 5506-X device? (Choose two.)
A name
A security level
An encryption key
An ACL assignment
A VLAN assignment
Question 10
What is one of the drawbacks to using transparent mode operation on an ASA
device?
No support for IP addressing
No support for using an ASA as a Layer 2 switch
No support for management
No support for QoS
Question 11
Which service is added to the Cisco ASA 5500 by the ASA 5500-X?
ASA virtualization
FirePOWER service
High availability with failover
Threat control and containment services
Question 12
Which statement describes the default network access control on an ASA firewall
device?
Inbound traffic from the DMZ network to the inside network is allowed.
Inbound traffic from the outside network to the DMZ network is allowed.
Returning traffic from the outside network to the inside network is allowed.
Outbound traffic from the inside network to the outside network is allowed without
inspection.
Module 21: ASA Firewall Configuration
21.0 Introduction
21.0.1 Why Should I Take this Module?
The Cisco ASA 5506-X with FirePOWER Services is a feature-rich security appliance that
is suited for small to medium-sized business networks. The ASA 5506-X is a very
popular device that is used by many organizations, which makes knowledge of and skill
in working with this security appliance valuable in the job market. In this module
you will configure a broad range of features of the device, including ACLs, DHCP, NAT,
AAA, and service policies.
21.0.2 What Will I Learn in this Module?
Module Title: ASA Firewall Configuration
Module Objective: Implement an ASA firewall configuration.
Topic Title: Topic Objective
Basic ASA Firewall Configuration: Explain how to configure an ASA-5506-X with
FirePOWER Services.
Configure Management Settings and Services: Configure management settings and
services on an ASA 5506-X firewall.
Object Groups: Explain how to configure object groups on an ASA.
ASA ACLs: Use the correct commands to configure access lists with object groups on
an ASA.
NAT Services on an ASA: Use the correct commands to configure an ASA to provide NAT
services.
AAA: Use correct commands to configure access control using the local database and
AAA server.
Service Policies on an ASA: Configure service policies on an ASA.
Introduction to ASDM (Optional): Note: This is an optional topic that is not assessed.
21.1 Basic ASA Firewall Configuration
21.1.1 Basic ASA Settings
The ASA command-line interface (CLI) is provided by a proprietary OS that has a
similar look and feel to the router IOS. For example, the ASA CLI contains command
prompts similar to those of a Cisco IOS router, as shown in the figure. Like the IOS
CLI, the ASA CLI also recognizes the following:
Abbreviation of commands and keywords
Use of the Tab key to complete a partial command
Use of the help key (?) after a command to view additional syntax
However, the ASA CLI also has different commands. The table contrasts common IOS
router and ASA commands.
ASA CLI commands can be executed regardless of the current configuration mode
prompt. The IOS command do is neither required nor recognized. The following examples
display some features unique to the ASA.
Note: All ASA models can be configured and managed using either the CLI or the
Adaptive Security Device Manager (ASDM). The focus of this module is on ASA CLI.
ASDM is discussed in an optional topic at the end of this module.
21.1.2 ASA Default Configuration
The ASA 5506-X with FirePOWER Services ships with a default configuration that, in
most instances, is sufficient for a basic SOHO deployment.
Note: The ASA can be restored to its factory default configuration by using
the configure factory-default global configuration mode command.
The default hostname is ciscoasa. By default, the privileged EXEC and console line
passwords are not configured. All interfaces are shutdown and unnamed. The default
configuration is partially displayed in the example. These settings can be changed by:
Manually using the CLI
Interactively using the CLI Setup Initialization wizard
Using the ASDM Startup wizard
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
no mac-address auto
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
<output omitted>
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
<output omitted>
21.1.3 ASA Interactive Setup Initialization Wizard
The ASA provides an interactive setup initialization wizard to simplify the initial
configuration of the device. The wizard guides the administrator to configure basic
settings using interactive prompts.
The wizard is displayed when there is no startup configuration, or if the startup
configuration is erased and the ASA is rebooted using the write
erase and reload privileged EXEC commands.
When the device is rebooted, the ASA wizard displays the prompt “Pre-configure
Firewall now through interactive prompts [yes]?” To cancel and display the ASA
default user EXEC mode prompt, enter no. Otherwise, enter yes or simply
press Enter to accept the default [yes]. This initiates the wizard and the ASA
interactively guides an administrator to configure the default settings.
The following shows an example of an interactive configuration.
Note: The security appliance displays the default values in brackets ([ ]) before
prompting the user to accept or change them. To accept the default input, press Enter.
Pre-configure Firewall now through interactive prompts [yes]? <Enter>
Firewall Mode [Routed]: <Enter>
Enable password [<use current password>]: cisco
Allow password recovery [yes]? <Enter>
Clock (UTC):
Year [2021]:
Month [Feb]:
Day [9]:
Time [11:21:11]:
Management IP address: 192.168.1.1
Management network mask: 255.255.255.0
Host name: NETSEC-ASA
Domain name: netsec.com
IP address of host running Device Manager: 192.168.1.100
The following configuration will be used:
Enable password: cisco
Allow password recovery: yes
Clock (UTC): 11:21:11 Feb 9 2021
Firewall Mode: Routed
Management IP address: 192.168.1.1
Management network mask: 255.255.255.0
Host name: NETSEC-ASA
Domain name: netsec.com
IP address of host running Device Manager: 192.168.1.100
Use this configuration and save to flash? [yes]<Enter>
After the interactive portion of the wizard is completed, the security appliance displays
the summary of the new configuration and prompts the user to save or reject the
settings. Answering yes saves the configuration to flash and displays the configured
hostname prompt. Answering no restarts the Setup Initialization wizard from the
beginning with any changes that had been made as the new default settings. This
enables the administrator to correct a misconfigured setting.
Although the wizard provides the basic configuration settings, most administrators
prefer to manually configure the device using the CLI commands.
21.2 Configure Management Settings and Services
21.2.1 Enter Global Configuration Mode
The default ASA user prompt of ciscoasa> is displayed when an ASA configuration is
erased, the device is rebooted, and the user does not use the interactive setup wizard.
To enter privileged EXEC mode, use the enable user EXEC mode command. Initially, an
ASA does not have a password configured; therefore, when prompted, leave the
enable password prompt blank and press Enter.
The ASA date and time should be set either manually or by using Network Time
Protocol (NTP). To set the date and time, use the clock set privileged EXEC command.
Enter global configuration mode using the configure terminal privileged EXEC
command. The first time that global configuration mode is accessed, a message
pertaining to the Smart Call Home feature appears. This allows activation of
anonymous error reporting to Cisco regarding the status and health of the device.
Other Smart Call Home features are accessed in call-home configuration mode. These
features offer proactive diagnostics and real-time alerts on select Cisco devices,
which provides higher network availability and increased operational efficiency. To
participate, a cisco.com ID is required, and the ASA device must be registered under a
Cisco SMARTnet Service contract.
Search the internet to learn more about Cisco Smart Call Home.
An example of entering privileged EXEC and global configuration mode is shown below.
A simple configuration is entered, and the anonymous Smart Call Home prompt is
shown.
ciscoasa> enable
Password:
ciscoasa#
ciscoasa# clock set 12:00:00 1 April 2020
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: A
You will be reminded again in 7 days.
If you would like to enable this feature, issue the command
"call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)#
21.2.2 Configure Basic Settings
An ASA must be configured with basic management settings. The table displays the
commands to accomplish this task.
ASA Command - Description
hostname name - Specifies a hostname up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
domain-name name - Sets the default domain name.
enable password password - Sets the enable password for privileged EXEC mode. The password is a case-sensitive string of 3 to 32 alphanumeric and special characters (not including a question mark or a space).
banner motd message - Provides legal notification and configures the system to display a message-of-the-day banner when connecting to the ASA.
key config-key password-encryption [new-pass [old-pass]] - Sets the primary passphrase (8 to 128 characters long) that is used to generate the encryption key.
password encryption aes - Enables AES encryption of the shared keys and secrets that features such as VPN, AAA servers, and failover store in the configuration.
The example displays a basic configuration on an ASA 5506-X.
Like the IOS CLI, legal notification is provided using the banner motd command.
However, the command is configured somewhat differently than the IOS version. To
configure a banner with several lines, banner motd must be entered once per line. To
remove a single line, use the no banner motd message command; no banner motd with
no text removes the entire banner.
The enable password is never stored in clear text; the ASA stores a hash of it (MD5 on
the release shown here). Hashing the enable password is separate from the AES
password encryption feature, which protects the shared keys and secrets (for example,
VPN pre-shared keys and AAA server keys) that would otherwise sit in clear text in the
configuration. To enable it, a primary passphrase (the master key) must be configured,
and AES encryption must then be turned on.
ciscoasa(config)# hostname NETSEC-ASA
NETSEC-ASA(config)# domain-name netsec.com
NETSEC-ASA(config)# enable password Cisco#123
NETSEC-ASA(config)#
NETSEC-ASA(config)# banner motd -----------------------------------------------
NETSEC-ASA(config)# banner motd Authorized access only!
NETSEC-ASA(config)# banner motd You have logged into a secure device.
NETSEC-ASA(config)# banner motd -----------------------------------------------
NETSEC-ASA(config)# banner motd
NETSEC-ASA(config)# exit
NETSEC-ASA# exit
Logoff
---------------------------------------------------------
Authorized access only!
You have logged into a secure device.
---------------------------------------------------------
Type help or '?' for a list of available commands.
NETSEC-ASA>
The example displays a sample configuration for enabling AES password encryption.
To set or change the primary passphrase, use the key config-key password-encryption
command; to change an existing passphrase, supply the new passphrase followed by the
old one. To determine if password encryption is enabled, use the show password
encryption command. Note that the output marks the master key as not saved until the
configuration is written to flash, and that the passphrase itself is not displayed by any
show command, so it must be recorded securely outside the device. The passphrase
cisco123 used below is for illustration only; in production choose a long, unique
passphrase.
NETSEC-ASA> enable
Password: *********
NETSEC-ASA# show password encryption
Password Encryption: Disabled
Master key hash: Not set(saved)
NETSEC-ASA#
NETSEC-ASA# configure terminal
NETSEC-ASA(config)# key config-key password-encryption cisco123
NETSEC-ASA(config)# password encryption aes
NETSEC-ASA(config)# exit
NETSEC-ASA#
NETSEC-ASA# show password encryption
Password Encryption: Enabled
Master key hash: 0x45ebef8e 0x77a0f287 0x90247f80 0x2a184246 0xe85cbcc4(not saved)
NETSEC-ASA# write
Building configuration...
Cryptochecksum: c2cb4c42 66ed8038 c81a3d7f c5df996e
6781 bytes copied in 0.260 secs
[OK]
NETSEC-ASA#
21.2.3 Syntax Checker - Configure Basic Settings on an ASA 5506-X
Use the Syntax Checker to configure the basic settings on an ASA 5506-X.
Enter global configuration mode and configure the following basic settings:
Hostname is NETSEC-ASA
Domain is netsec.com
Enable password is Cisco#123
Note: The banner motd command will be entered for you.
ciscoasa#configure terminal
ciscoasa(config)#hostname NETSEC-ASA
NETSEC-ASA(config)#domain-name netsec.com
NETSEC-ASA(config)#enable password Cisco#123
NETSEC-ASA(config)# banner motd -----------------------------------------------
NETSEC-ASA(config)# banner motd Authorized access only!
NETSEC-ASA(config)# banner motd You have logged into a secure device.
NETSEC-ASA(config)# banner motd -----------------------------------------------
NETSEC-ASA(config)# banner motd
Change the passphrase to cisco123, encrypt the password with AES, and then exit
global configuration mode.
NETSEC-ASA(config)#key config-key password-encryption cisco123
NETSEC-ASA(config)#password encryption aes
NETSEC-ASA(config)#exit
Verify the passphrase is encrypted.
NETSEC-ASA#show password encryption
Password Encryption: Enabled
Master key hash: 0x45ebef8e 0x77a0f287 0x90247f80 0x2a184246 0xe85cbcc4(not saved)
Save the configuration.
NETSEC-ASA#write
Building configuration...
Cryptochecksum: c2cb4c42 66ed8038 c81a3d7f c5df996e
6781 bytes copied in 0.260 secs
[OK]
NETSEC-ASA#
You have successfully configured basic settings on the ASA 5506-X.
21.2.4 Configure Interfaces
The backplane of the ASA-5506-X is shown in the figure.
The ASA-5506-X has eight Gigabit Ethernet interfaces that can be configured to carry
traffic from different networks. The G1/1 interface is used by convention as the
outside interface to the internet or other outside network. It is set to receive its IP
address over DHCP by default, because it is assumed that the interface will be
configured to an ISP that uses DHCP to address attached interfaces.
The remaining interfaces, G1/2-G1/8, can be assigned to inside networks or DMZs. In
addition, a Gigabit Ethernet port (labeled GE MGMT in the figure) is dedicated to in-band
management of the ASA FirePOWER module. During configuration, it is designated as
Management1/1. Configuration of the ASA FirePOWER module is beyond the scope of
this course.
In software versions 9.7 and later, individual ports can be combined into bridge groups
that make them act like switch ports on the same logical network. In this way, multiple
devices can be connected directly to the ASA 5506-X in the DMZ and inside logical
networks. This is done by assigning the ports to a bridge virtual interface (BVI). The
BVI is then configured with a name, security level, IP address and mask, and other
settings. Because the member ports of a bridge group share the same security level, the
same-security-traffic permit inter-interface global configuration command must be
configured to permit traffic between devices on different member ports. A drawback to
using BVIs is that many commands, such as no shutdown, must still be configured on
the individual interfaces. In addition, if an access list is to be applied to the BVI, it must
be applied with access-group to each member interface individually.
The IP address of an interface can be configured using one of the following options:
Manually - Commonly used to assign an IP address and mask to the interface.
DHCP - Used when an interface is connecting to an upstream device providing
DHCP services. The interface can be a DHCP client and discover its IP address and
DHCP-related information from the upstream device.
PPPoE - Used when an interface is connecting to an upstream DSL device providing
point-to-point connectivity over Ethernet services. The interface can be a PPPoE
client and discover its IP address from an upstream PPPoE DSL device.
The table lists the commands to configure an IP address on an interface.
Each interface must have a security level from 0 (lowest) to 100 (highest). For example,
you should assign your most secure network, such as the inside host network, to level
100. While the outside network connected to the Internet can be level 0. Other
networks, such as DMZs can be in between. You can assign interfaces to the same
security level.
The example displays a sample configuration. Notice how default security level values
are assigned: the ASA gives level 100 to an interface named inside and level 0 to any
other name, so a DMZ interface would by default receive the same level as the outside,
untrusted network. The security-level command is therefore required whenever an
administrator wants a value other than those defaults, such as level 50 for a DMZ.
The security level default behavior is to implicitly permit traffic from a higher security
interface to a lower security interface (outbound). Traffic from a lower security
interface to a higher security interface is implicitly denied unless an ACL permits it.
Traffic between interfaces with the same security level is denied by default and is
permitted only if the ASA has been configured globally with the same-security-traffic
permit inter-interface command.
In the example, the outside interface is manually configured with an IP address.
However, many ISPs use DHCP to provide addresses to customer networks. In that
case, use the ip address dhcp command to configure the outside interface.
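The decision rule in the two paragraphs above, written out as a small policy model. This is an added example for this page, not ASA code: it parses nameif and security-level lines from a constructed configuration fragment (applying the default of 100 for inside and 0 for any other name), checks for same-security-traffic permit inter-interface, and returns the implicit permit or deny verdict for each ordered pair of interfaces. The function names and the sample fragment are the example's own.

```python
"""Model of the ASA interface security-level policy described above.
Added example for this page (not ASA code); the config fragment mirrors the
course's INSIDE/DMZ/OUTSIDE design and is constructed."""
from __future__ import annotations

import re

# Only the name "inside" (nameif is not case-sensitive) gets 100 by default;
# every other nameif defaults to 0 until security-level is configured.
DEFAULT_LEVEL = {"inside": 100}


def parse_security_levels(config: str) -> dict[str, int]:
    """Return {nameif: security-level} for every named interface in config.

    A security-level line overrides the default; an interface with nameif but
    no security-level keeps the ASA default for that name.
    """
    levels: dict[str, int] = {}
    current: str | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                       # new interface stanza
        elif line.startswith("nameif "):
            current = line.split(maxsplit=1)[1]
            levels[current] = DEFAULT_LEVEL.get(current.lower(), 0)
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
    return levels


def same_security_permitted(config: str) -> bool:
    """True if 'same-security-traffic permit inter-interface' is configured."""
    return bool(re.search(r"^\s*same-security-traffic permit inter-interface\s*$",
                          config, re.MULTILINE))


def implicit_policy(levels: dict[str, int], src: str, dst: str,
                    same_security: bool) -> str:
    """Default (no ACL applied) verdict for traffic entering src, leaving dst."""
    if levels[src] > levels[dst]:
        return "permit"            # higher to lower: implicitly permitted
    if levels[src] == levels[dst] and same_security:
        return "permit"            # equal levels need the global permit
    return "deny"                  # lower to higher, or equal without permit


def policy_matrix(config: str) -> dict[tuple[str, str], str]:
    """Verdict for every ordered pair of named interfaces in config."""
    levels = parse_security_levels(config)
    same = same_security_permitted(config)
    return {(s, d): implicit_policy(levels, s, d, same)
            for s in levels for d in levels if s != d}


# Constructed fragment: OUTSIDE has no security-level line, so it keeps 0.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif OUTSIDE
 ip address 209.165.200.225 255.255.255.248
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
"""

if __name__ == "__main__":
    for (s, d), verdict in sorted(policy_matrix(SAMPLE_CONFIG).items()):
        print(f"{s:>7} -> {d:<7} {verdict}")
```

Running it prints the six ordered pairs; only INSIDE to DMZ, INSIDE to OUTSIDE and DMZ to OUTSIDE come back as permit, which is exactly the traffic the course expects to flow without an ACL.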
The commands below are used to configure basic interface parameters.
ASA Command - Description
nameif if_name - Names the interface using a text string of up to 48 characters. The name is not case-sensitive. You can change the name by re-entering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
security-level value - Sets the security level, where value is an integer between 0 (lowest) and 100 (highest).
no shutdown - Activates the interface.
Enter interface configuration mode for g1/2.
Name the interface INSIDE.
Configure level 100 for security.
Configure the IP address 192.168.1.1 255.255.255.0.
Activate the interface.
Exit interface configuration mode.
NETSEC-ASA(config)#interface g1/2
NETSEC-ASA(config-if)#nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
NETSEC-ASA(config-if)#security-level 100
NETSEC-ASA(config-if)#ip address 192.168.1.1 255.255.255.0
NETSEC-ASA(config-if)#no shutdown
NETSEC-ASA(config-if)#exit
Configure the DMZ interface.
Enter interface configuration mode for g1/3.
Name the interface DMZ.
Configure level 50 for security.
Configure the IP address 192.168.2.1 255.255.255.0.
Activate the interface.
Exit interface configuration mode.
NETSEC-ASA(config)#interface g1/3
NETSEC-ASA(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
NETSEC-ASA(config-if)#security-level 50
NETSEC-ASA(config-if)#ip address 192.168.2.1 255.255.255.0
NETSEC-ASA(config-if)#no shutdown
NETSEC-ASA(config-if)#exit
Display brief output to verify the interfaces are up.
NETSEC-ASA(config)#show interface ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 209.165.200.225 YES manual up up
GigabitEthernet1/2 192.168.1.1 YES manual up up
GigabitEthernet1/3 192.168.2.1 YES manual up up
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 unassigned YES unset down down
Internal-Data1/1 unassigned YES unset down down
Internal-Data1/2 unassigned YES unset down down
Internal-Data1/3 unassigned YES unset up up
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset administratively down down
NETSEC-ASA(config)#
You have successfully configured inside, outside, and DMZ interfaces on the ASA 5506-X.
The configuration in the example enables Telnet on an ASA 5506-X. In the example,
only the inside host with IP address 192.168.1.3 would be permitted to access the ASA.
The ASA will close the Telnet session if it is left idle for three minutes.
NETSEC-ASA(config)# password cisco
NETSEC-ASA(config)# telnet 192.168.1.3 255.255.255.255 INSIDE
NETSEC-ASA(config)# telnet timeout 3
NETSEC-ASA(config)#
NETSEC-ASA(config)# show run telnet
telnet 192.168.1.3 255.255.255.255 INSIDE
telnet timeout 3
NETSEC-ASA(config)#
Telnet communications send everything in plaintext, including passwords. SSH traffic is
encrypted in a tunnel which helps protect passwords and other sensitive configuration
commands from interception. Therefore, for security reasons, remote access should
always be enabled using SSH. To enable SSH access, use the commands that are listed
in the table. To verify the SSH configuration, use the show ssh command.
In the example, SSH access is enabled on an ASA 5506-X. AAA authentication is enabled
and references the local user database. The RSA crypto key is generated using 2048
bits. Two inside hosts and an outside host are permitted to access the ASA, and SSH
version 2 is enabled. Note that permitting SSH on the OUTSIDE interface exposes the
management plane to the untrusted network; if it is required, restrict it to specific
host addresses with a 255.255.255.255 mask, as shown, rather than a subnet, and never
use 0.0.0.0 0.0.0.0.
NETSEC-ASA(config)# username ADMIN password class
NETSEC-ASA(config)# aaa authentication ssh console LOCAL
NETSEC-ASA(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
NETSEC-ASA(config)# ssh 192.168.1.3 255.255.255.255 INSIDE
NETSEC-ASA(config)# ssh 192.168.1.4 255.255.255.255 INSIDE
NETSEC-ASA(config)# ssh 172.16.1.3 255.255.255.255 OUTSIDE
NETSEC-ASA(config)# ssh version 2
NETSEC-ASA(config)# show ssh
Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc
Cipher integrity algorithms enabled: hmac-sha2-256
Hosts allowed to ssh into the system:
172.16.1.3 255.255.255.255 OUTSIDE
192.168.1.3 255.255.255.255 INSIDE
192.168.1.4 255.255.255.255 INSIDE
NETSEC-ASA(config)#
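A practitioner's check for the settings in 21.2.2 and the Telnet and SSH sections above: a script that audits an ASA running configuration for Telnet host entries, a missing aaa authentication ssh console statement, over-broad ssh permits (a 0.0.0.0 mask, or a whole subnet on a non-inside interface), a missing ssh version 2, a missing password encryption aes, and a missing banner motd. This is an added example for this page, not Cisco code; the configuration text, the hardened variant, and the finding strings are constructed for it.

```python
"""Audit of the management-plane settings covered in 21.2 (enable password
encryption, banner, Telnet, SSH). Added example for this page, not Cisco code.
The running-config text is constructed: it repeats the commands as typed in
the course, plus two deliberate weaknesses (Telnet left enabled and SSH open
from any address on OUTSIDE) for the audit to catch."""
import re

SAMPLE_RUNNING_CONFIG = """\
hostname NETSEC-ASA
domain-name netsec.com
enable password Cisco#123
banner motd Authorized access only!
telnet 192.168.1.3 255.255.255.255 INSIDE
telnet timeout 3
username ADMIN password class
aaa authentication ssh console LOCAL
ssh 192.168.1.3 255.255.255.255 INSIDE
ssh 192.168.1.4 255.255.255.255 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh version 2
"""

# The same config with the weaknesses removed: Telnet deleted, the OUTSIDE
# permit narrowed to one host, and AES encryption of stored keys enabled.
HARDENED_CONFIG = (
    SAMPLE_RUNNING_CONFIG
    .replace("telnet 192.168.1.3 255.255.255.255 INSIDE\ntelnet timeout 3\n", "")
    .replace("ssh 0.0.0.0 0.0.0.0 OUTSIDE", "ssh 172.16.1.3 255.255.255.255 OUTSIDE")
    + "password encryption aes\n"
)


def audit_management(config: str) -> list[str]:
    """Return the list of findings for a config; an empty list means it passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: list[str] = []

    # Telnet sends credentials in clear text: any permitted host is a finding.
    telnet_hosts = [ln for ln in lines if re.match(r"telnet \d", ln)]
    if telnet_hosts:
        findings.append(f"Telnet enabled for {len(telnet_hosts)} host entry(ies); "
                        "remove it and use SSH")

    # SSH logins must be checked against a user database (LOCAL or AAA server).
    if not any(ln.startswith("aaa authentication ssh console ") for ln in lines):
        findings.append("no 'aaa authentication ssh console' statement")

    # Each 'ssh host mask ifname' permit should name a host, not the whole world.
    for ln in lines:
        m = re.match(r"ssh (\d\S*) (\S+) (\S+)$", ln)
        if not m:
            continue
        host, mask, ifname = m.groups()
        if mask == "0.0.0.0":
            findings.append(f"SSH permitted from any address on {ifname}")
        elif ifname.lower() != "inside" and mask != "255.255.255.255":
            findings.append(f"SSH permitted from subnet {host} {mask} on {ifname}")

    if "ssh version 2" not in lines:
        findings.append("'ssh version 2' not set; SSHv1 may be negotiated")

    if "password encryption aes" not in lines:
        findings.append("'password encryption aes' not enabled; shared keys are "
                        "stored in clear text")

    if not any(ln.startswith("banner motd") for ln in lines):
        findings.append("no banner motd (legal notification) configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_management(cfg) or ['no findings']}")
```

Feed it the text of show running-config captured over SSH; the checks are string matches on the command forms shown in this section, so they are easy to extend with the ssh timeout and key-exchange settings an organization's baseline requires.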
21.2.9 Syntax Checker - Enable SSH Remote Access to Use the Local Database on an ASA 5506-X
Use the Syntax Checker to enable SSH remote access using the local database on an
ASA 5506-X.
Enable SSH using the following requirements:
Configure the user ADMIN to use the password class.
Configure SSH to refer to the local database for authentication.
Generate an RSA key with a modulus of 2048.
Reply y to the prompt "Do you really want to replace them?"
NETSEC-ASA(config)#username ADMIN password class
NETSEC-ASA(config)#aaa authentication ssh console LOCAL
NETSEC-ASA(config)#crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]:y
Keypair generation process begin. Please wait...
Allow the 192.168.1.3 and 192.168.1.4 hosts to SSH to the INSIDE interface.
Allow the 172.16.1.3 host to SSH to the OUTSIDE interface.
Configure SSH to use version 2
NETSEC-ASA(config)#ssh 192.168.1.3 255.255.255.255 INSIDE
NETSEC-ASA(config)#ssh 192.168.1.4 255.255.255.255 INSIDE
NETSEC-ASA(config)#ssh 172.16.1.3 255.255.255.255 OUTSIDE
NETSEC-ASA(config)#ssh version 2
Enter the show ssh command to verify your configuration.
NETSEC-ASA(config)#show ssh
Idle Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc
Cipher integrity algorithms enabled: hmac-sha2-256
Hosts allowed to ssh into the system:
172.16.1.3 255.255.255.255 OUTSIDE
192.168.1.3 255.255.255.255 INSIDE
192.168.1.4 255.255.255.255 INSIDE
NETSEC-ASA(config)#
You have successfully enabled SSH remote access to use the local database on an ASA 5506-X.
21.2.10 Optional Lab - Configure ASA Basic Settings Using the CLI
In this lab, you will complete the following objectives:
Part 1: Configure Basic Device Settings
Part 2: Access the ASA Console and Use CLI Setup Mode to Configure Basic Settings
Part 3: Configure Basic ASA Settings and Interface Security Levels
To verify the NTP configuration and status, use the show ntp status and show ntp
associations commands.
ASA Command - Description
ntp authenticate - Enables authentication with an NTP server.
ntp trusted-key key_id - Specifies an authentication key ID to be a trusted key, which is required for authentication with an NTP server.
ntp authentication-key key_id md5 key - Sets a key to authenticate with an NTP server.
ntp server ip_address [key key_id] - Identifies an NTP server.
The example shows how to enable NTP with authentication on an ASA 5506-X. The
configuration assumes that the NTP server has been configured with the same
authentication key. Note that the example identifies the server without the key
keyword; to bind key 1 to that server, use the table form ntp server ip_address key
key_id. After configuration, use show ntp status and show ntp associations to confirm
that the ASA has synchronized with the server.
NETSEC-ASA(config)# ntp authenticate
NETSEC-ASA(config)# ntp trusted-key 1
NETSEC-ASA(config)# ntp authentication-key 1 sha-256 cisco123
NETSEC-ASA(config)# ntp server 192.168.1.254
NETSEC-ASA(config)#
21.2.12 Syntax Checker - Enable NTP with Authentication on an ASA 5506-X
Use the Syntax Checker to enable NTP and configure authentication on an ASA 5506-X.
Implement the following requirements to enable NTP:
Enable authentication with an NTP server.
Set the authentication key to 1.
The key uses SHA-256 and the key cisco123.
Specify NTP to use the server at 192.168.1.254
NETSEC-ASA(config)#ntp authenticate
NETSEC-ASA(config)#ntp trusted-key 1
NETSEC-ASA(config)#ntp authentication-key 1 sha-256 cisco123
NETSEC-ASA(config)#ntp server 192.168.1.254
NETSEC-ASA(config)#
You have successfully enabled NTP with authentication on an ASA 5506-X.
21.2.13 Configure DHCP Services
An ASA can be configured to be a DHCP server to provide IP addresses and DHCP-
related information to hosts. To enable an ASA as a DHCP server and provide DHCP
services to hosts, use the commands listed in the table.
ASA Command - Description
dhcpd address IP_address1[-IP_address2] if_name - Creates a DHCP address pool in which IP_address1 is the start of the pool and IP_address2 is the end of the pool, separated by a hyphen. The address pool must be on the same subnet as the ASA interface.
dhcpd dns dns1 [dns2] - (Optional) Specifies the IP address(es) of the DNS server(s).
dhcpd lease lease_length - (Optional) Changes the lease length granted to the client, which is the amount of time in seconds that the client can use its allocated IP address before the lease expires. The lease_length defaults to 3600 seconds (1 hour) but can be a value from 0 to 1,048,575 seconds.
dhcpd domain domain_name - (Optional) Specifies the domain name assigned to the client.
dhcpd enable if_name - Enables the DHCP server service (daemon) on the interface (typically the inside interface) of the ASA.
The example enables the DHCP service for inside clients on an ASA 5506-X. Note that
the dhcpd address and dhcpd lease commands only define the pool; the ASA does not
hand out addresses until dhcpd enable INSIDE (from the table above) is also configured.
Note: If the ASA outside interface was configured as a DHCP client, then the dhcpd
auto_config OUTSIDE global configuration mode command can be used to pass the
DNS, WINS, and domain-name information obtained over DHCP to the inside DHCP
clients.
To verify DHCP settings, use the following commands:
show dhcpd state - Displays the current DHCP state for inside and outside
interfaces.
show dhcpd binding - Displays the current DHCP bindings of inside users.
show dhcpd statistics - Displays the current DHCP statistics.
To clear the DHCP bindings or statistics, use the clear dhcpd binding or clear dhcpd
statistics command.
NETSEC-ASA(config)# dhcpd address 10.0.0.1-10.0.1.255 INSIDE
Warning, DHCP pool range is limited to 256 addresses, set address range as: 10.0.0.1-10.0.1.0
Address range subnet 10.0.0.1 or 10.0.1.0 is not the same as INSIDE interface subnet 192.168.1.1
NETSEC-ASA(config)# dhcpd address 192.168.1.10-192.168.1.250 INSIDE
NETSEC-ASA(config)# dhcpd lease 1800
NETSEC-ASA(config)#
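The two warnings in the output above, as an added validation routine (example code written for this page, not ASA code). Given a proposed pool and the interface's address and mask, it reports an oversized pool together with the same truncated range the ASA suggests, a pool outside the interface subnet, and, beyond what the ASA output shows, a pool that contains the interface's own address or the network or broadcast address. All inputs are constructed.

```python
"""Validation of a 'dhcpd address' pool against the interface it is bound to.
Reproduces the two checks the ASA printed in the example above (the
256-address pool limit with its suggested truncated range, and the
same-subnet check) and adds two that a practitioner would also want.
Added example for this page, not ASA code; the inputs are constructed."""
import ipaddress

MAX_POOL_SIZE = 256  # per-pool limit the ASA reports in its warning


def validate_dhcpd_pool(start: str, end: str, if_ip: str, if_mask: str):
    """Return (ok, messages, suggested_end) for 'dhcpd address start-end if'.

    suggested_end is the last address of a pool truncated to MAX_POOL_SIZE
    when the requested range is too large, otherwise None.
    """
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    iface = ipaddress.IPv4Interface(f"{if_ip}/{if_mask}")
    subnet = iface.network
    messages, suggested_end = [], None

    if last < first:
        return False, ["end of pool precedes its start"], None

    # Check 1: pool size. The ASA keeps the start and trims the end.
    size = int(last) - int(first) + 1
    if size > MAX_POOL_SIZE:
        suggested_end = first + (MAX_POOL_SIZE - 1)
        messages.append(f"DHCP pool range is limited to {MAX_POOL_SIZE} addresses, "
                        f"set address range as: {first}-{suggested_end}")

    # Check 2: both ends must lie in the subnet of the named interface.
    if first not in subnet or last not in subnet:
        messages.append(f"address range subnet {first} or {last} is not the same "
                        f"as interface subnet {iface.ip}")
    else:
        # Extra checks the ASA output above does not show.
        if first <= iface.ip <= last:
            messages.append(f"pool includes the interface's own address {iface.ip}")
        if first == subnet.network_address or last == subnet.broadcast_address:
            messages.append("pool includes the network or broadcast address")

    return not messages, messages, (str(suggested_end) if suggested_end is not None else None)


if __name__ == "__main__":
    for args in (("10.0.0.1", "10.0.1.255", "192.168.1.1", "255.255.255.0"),
                 ("192.168.1.10", "192.168.1.250", "192.168.1.1", "255.255.255.0")):
        ok, msgs, suggested = validate_dhcpd_pool(*args)
        print(f"{args[0]}-{args[1]}:", "OK" if ok else msgs, suggested or "")
```

The first call reproduces both messages from the ASA transcript, including the suggested end of 10.0.1.0 (256 addresses counted from 10.0.0.1); the second, the course's working pool, passes cleanly.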
21.2.14 Syntax Checker - Configure DHCP Services
Use the Syntax Checker to enable DHCP services on an ASA 5506-X.
Implement the following requirements to configure DHCP services:
Create a pool of inside addresses from 192.168.1.10 to 192.168.1.250 on
the INSIDE interface.
Set the lease length to 30 minutes (1800).
NETSEC-ASA(config)#dhcpd address 192.168.1.10-192.168.1.250 INSIDE
NETSEC-ASA(config)#dhcpd lease 1800
NETSEC-ASA(config)#
You have successfully configured DHCP services on an ASA 5506-X.
21.3 Object Groups
21.3.1 Introduction to Objects and Object Groups
Objects are reusable components for use in configurations. Objects can be defined and
used in Cisco ASA configurations in the place of inline IP addresses, services, names,
and so on. Objects make it easy to maintain configurations because an object can be
modified in one place and the change will be reflected in all other places that are
referencing it. Without objects, the same parameter would have to be modified in every
feature that uses it instead of just once. For example, if a network object defines an IP
address and subnet mask, and you want to change the address, you only need to change
it in the object definition, not in every feature that refers to that IP address; the
change is automatically applied to all rules that use the object.
There are two types of objects that can be configured:
Network object - A network object can contain a host, a network IP address, a
range of IP addresses, or a fully qualified domain name (FQDN). A network object is
configured using the object network command.
Service object - Contains a protocol and optional source and/or destination port. A
service object is configured using the object service command.
Note: A network object is required to configure NAT in ASA image versions 8.3 and
higher.
Network object groups can contain multiple network objects as well as inline networks
or hosts. Network object groups can include a mix of both IPv4 and IPv6 addresses.
Objects can be attached or detached from one or more object groups when needed,
ensuring that the objects are not duplicated, but can be re-used wherever needed.
These objects can be used in NAT, access lists, and object groups. Network objects are
a vital part of configuring NAT and can greatly simplify ACLs.
The ASA supports objects and object groups, as shown in the output in the following
example.
NETSEC-ASA(config)# object ?
configure mode commands/options:
network Specifies a host, subnet or range IP addresses
service Specifies a protocol/port
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group ?
configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network Specifies a group of host or subnet IP addresses
protocol Specifies a group of protocols, such as TCP, etc
security Specifies identity attributes such as security-group
service Specifies a group of TCP/UDP ports/services
user Specifies single user, local or import user group
NETSEC-ASA(config)#
21.3.2 Configure Network Objects
To create a network object, use the object network object-name global configuration
mode command. The prompt changes to network object configuration mode.
Network objects can consist of the following:
host - a host address
fqdn - a fully-qualified domain name
range - a range of IP addresses
subnet - an entire IP network or subnet
Commands available in network object configuration mode are shown in the table.
Use the no form of any of these commands to remove a network object value. To
erase all network objects, use the clear config object network command. This
command clears all network objects.
ASA Command - Description
attribute attribute-agent attribute-type attribute-value - Defines an attribute used to filter traffic associated with one or more virtual machines.
description text - Enters a description of the object up to 200 characters in length.
fqdn [v4 | v6] name - A fully-qualified domain name, such as www.example.com. Specify v4 to limit the address to IPv4, and v6 for IPv6. If you do not specify an address type, IPv4 is assumed.
host ip-address - The IPv4 or IPv6 address of a single host.
range start_add end_add - A range of addresses. You can specify IPv4 or IPv6 ranges. Do not include masks or prefixes.
subnet {ipv4_add ipv4_mask | ipv6_add/ipv6_prefix} - Assigns a network subnet to the named object.
The example displays a sample network object configuration. To verify, use the show
running-config object command. Notice that the configuration of range overwrites the
previous configuration of host.
NetSec-ASA(config)# object network EXAMPLE-1
NetSec-ASA(config-network-object)# host 192.168.1.3
NetSec-ASA(config-network-object)# exit
NetSec-ASA(config)# show run object
object network EXAMPLE-1
host 192.168.1.3
NetSec-ASA(config)# object network EXAMPLE-1
NetSec-ASA(config-network-object)# range 192.168.1.10 192.168.1.20
NetSec-ASA(config-network-object)# exit
NetSec-ASA(config)# show run object
object network EXAMPLE-1
range 192.168.1.10 192.168.1.20
NetSec-ASA(config)#
21.3.3 Configure Service Objects
To create a service object, use the object service object-name global configuration
mode command. The prompt changes to service object configuration mode. The
service object can contain a protocol, ICMP, ICMPv6, TCP, or UDP port (or port ranges).
The example displays service options available.
NETSEC-ASA(config)# object service EXAMPLE-2
NETSEC-ASA(config-service-object)#
NETSEC-ASA(config-service-object)# service ?
service-object mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
ospf
pcp
pim
pptp
sctp
snp
tcp
udp
configure mode commands/options:
call-home Enable or disable Smart Call-Home
internal Advanced settings (use only under Cisco supervision)
password-recovery Password recovery configuration
resetinbound Send reset to a denied inbound TCP packet
resetoutbound Send reset to a denied outbound TCP packet
resetoutside Send reset to a denied TCP packet to outside interface
sw-reset-button Configure software reset button
NETSEC-ASA(config-service-object)#
The table provides an overview of common service options available. Optional
keywords are used to identify source port or destination port, or both. Operators such
as eq (equal), neq (not equal), lt (less than), gt (greater than), and range, support
configuring a port for a given protocol. If no operator is specified, the default operator
is eq.
Use the no form of the command to remove a service object. To erase all service
objects, use the clear config object service command.
ASA Command - Description
service protocol - Specifies an IP protocol name or number.
service tcp [source operator port] [destination operator port] - Specifies that the service object is for the TCP protocol.
service udp [source operator port] [destination operator port] - Specifies that the service object is for the UDP protocol.
service icmp [icmp-type [icmp_code]] - Specifies that the service object is for the ICMP protocol.
service icmp6 [icmp-type [icmp_code]] - Specifies that the service object is for the ICMPv6 protocol.
The example displays a sample service object configuration. A service object name can
only be associated with one protocol and port (or ports). If an existing service object is
configured with a different protocol and port, the new configuration replaces the
existing protocol and port with the new ones.
To verify, use the show running-config object service command.
NETSEC-ASA(config)# object service SERV-1
NETSEC-ASA(config-service-object)# service tcp destination eq ftp
NETSEC-ASA(config-service-object)# service tcp destination eq www
NETSEC-ASA(config-service-object)# exit
NETSEC-ASA(config)# show run object service
object service SERV-1
service tcp destination eq www
NETSEC-ASA(config)#
21.3.4 Object Groups
Objects can be grouped together to create an object group. By grouping like objects
together, an object group can be used in an access control entry (ACE) instead of
having to enter an ACE for each object separately.
Note: A protocol object group can also be created. However, it is not recommended; use
a service object group instead.
The following guidelines and limitations apply to object groups:
Objects and object groups share the same name space.
Object groups must have unique names.
An object group cannot be removed or emptied if it is used in a command.
The ASA does not support IPv6 nested object groups.
There are five types of object groups.
Network - A network-based object group specifies a list of IP host, subnet, or
network addresses.
User - Locally created, as well as imported Active Directory user groups can be
defined for use in features that support the identity firewall.
Service - A service-based object group is used to group TCP, UDP, or TCP and UDP
ports into an object. The ASA enables the creation of a service object group that
can contain a mix of TCP services, UDP services, ICMP-type services, and any
protocol, such as ESP, GRE, and TCP.
ICMP-Type - The ICMP protocol uses unique types to send control messages (RFC
792). The ICMP-type object group can group the necessary types required to meet
an organization’s security needs, such as to create an object group called ECHO to
group echo and echo-reply.
Security - A security group object group can be used in features that support Cisco
TrustSec by including the group in an extended ACL, which in turn can be used in
an access rule.
21.3.5 Configure Common Object Groups
To configure a network object group, use the object-group network grp-name global
configuration mode command. After entering the command, add network objects to
the network group using the network-object and group-object commands.
Note: A network object group cannot be used to implement NAT. A network object is
required to implement NAT.
To configure an ICMP object group, use the object-group icmp-type grp-name global
configuration mode command. After entering the command, add ICMP objects to the
ICMP object group using the icmp-object and group-object commands.
The example displays a sample network object group configuration.
NETSEC-ASA(config)# object-group network ADMIN-HOST
NETSEC-ASA(config-network-object-group)# description Administrative hosts
NETSEC-ASA(config-network-object-group)# network-object host 192.168.1.3
NETSEC-ASA(config-network-object-group)# network-object host 192.168.1.4
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)# object-group network ALL-HOSTS
NETSEC-ASA(config-network-object-group)# description All inside hosts
NETSEC-ASA(config-network-object-group)# network-object 192.168.1.32 255.255.255.240
NETSEC-ASA(config-network-object-group)# group-object ADMIN-HOST
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)# show run object-group
object-group network ADMIN-HOST
description Administrative hosts
network-object host 192.168.1.3
network-object host 192.168.1.4
object-group network ALL-HOSTS
description All inside hosts
network-object 192.168.1.32 255.255.255.240
group-object ADMIN-HOST
NETSEC-ASA(config)#
The example displays a sample ICMP-type object group configuration.
NETSEC-ASA(config)# object-group icmp-type ICMP-ALLOWED
NETSEC-ASA(config-icmp-object-group)# icmp-object echo
NETSEC-ASA(config-icmp-object-group)# icmp-object time-exceeded
NETSEC-ASA(config-icmp-object-group)# exit
NETSEC-ASA(config)# show running-config object-group id ICMP-ALLOWED
object-group icmp-type ICMP-ALLOWED
icmp-object echo
icmp-object time-exceeded
NETSEC-ASA(config)#
To configure a service object group, use the object-group service grp-name global
configuration mode command. The service object group can define a mix of TCP
services, UDP services, ICMP-type services, and any protocol. After entering the
object-group service command, add service objects to the service group using the
service-object and group-object commands.
To configure a service object group for TCP, UDP, or TCP and UDP, specify the option in
the object-group service grp-name [tcp | udp | tcp-udp] global configuration mode
command. When tcp, udp, or tcp-udp is specified on the command line, the group is a
standard service object group of TCP/UDP port specifications, such as "eq smtp" and
"range 2000 2010." After entering the command, add port objects to the service group
with the port-object and group-object commands.
To remove all the object groups from the configuration, use the clear configure
object-group global configuration mode command.
To verify object group configurations, use the show running-config object-group
command.
Practical examples of object groups will be presented when configuring ACLs and NAT.
The example displays a sample service object group configuration.
NETSEC-ASA(config)# object-group service SERVICES-1
NETSEC-ASA(config-service-object-group)# service-object tcp destination eq www
NETSEC-ASA(config-service-object-group)# service-object tcp destination eq https
NETSEC-ASA(config-service-object-group)# service-object tcp destination eq pop3
NETSEC-ASA(config-service-object-group)# service-object udp destination eq ntp
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group service SERVICES-2 tcp
NETSEC-ASA(config-service-object-group)# port-object eq www
NETSEC-ASA(config-service-object-group)# port-object eq smtp
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group service SERVICES-3 tcp
NETSEC-ASA(config-service-object-group)# group-object SERVICES-2
NETSEC-ASA(config-service-object-group)# port-object eq ftp
NETSEC-ASA(config-service-object-group)# port-object range 2000 2005
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
21.3.6 Check Your Understanding - Object Groups
Check your understanding of the types of object groups by choosing the correct
answer to the following questions.
Question 1
Which type of object group can contain a mix of services, such as TCP, and UDP, and
can contain any protocol, such as ESP or GRE?
Network
User
Service
Protocol
Security
Question 2
Which type of object group uses unique types to send control messages?
Network
User
Service
Protocol
Security
ICMP-type
Question 3
Which type of object group can be used to control access with the identity firewall?
Network
User
Service
Protocol
Security
ICMP-type
Question 4
Which type of object group is used in features that support Cisco TrustSec by
including the group in an extended ACL which in turn can be used in an access rule?
Network
User
Service
Protocol
Security
ICMP-type
Question 5
Which type of object group is no longer recommended and should be replaced with a
service object group?
Network
User
Service
Protocol
Security
ICMP-type
Question 6
Which type of object group specifies an FQDN, host, subnet, or range of IP
addresses?
Network
User
Service
Protocol
Security
ICMP-type
21.4 ASA ACLs
21.4.1 ASA ACLs
The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs. ACLs control
access in a network by preventing defined traffic from entering or exiting. In addition,
an ACL can be used to select traffic to which a feature will apply, thereby performing a
matching service rather than a control service.
There are many similarities between ASA ACLs and IOS ACLs. For example, both are
made up of ACEs, processed sequentially from the top down, and there is an
implicit deny any at the bottom. Additionally, the rule of only one ACL per interface,
per protocol, per direction, still applies.
ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0)
instead of a wildcard mask (e.g., 0.0.0.255). Also, most ASA ACLs are named instead of
numbered.
These are the similarities between ASA ACLs and IOS ACLs:
ACLs are made up of one or more ACEs. ACEs are applied to a protocol, a source
and destination IP address, a network, or the source and destination ports.
ACLs are processed sequentially from top down.
A criteria match will cause the ACL to be exited.
There is an implicit deny any at the bottom.
Remarks can be added per ACE or ACL.
Only one access list can be applied per interface, per protocol, per direction.
ACLs can be enabled/disabled based on time ranges.
These are the differences between ASA ACLs and IOS ACLs:
The ASA uses a network mask (e.g., 255.255.255.0) and not a wildcard mask (e.g.,
0.0.0.255).
ACLs are always named instead of numbered.
By default, interface security levels apply access control without an ACL configured.
21.4.2 Types of ASA ACL Filtering
ACLs on a security appliance can be used not only to filter packets that are passing
through the appliance but also to filter packets destined for the appliance.
Through-traffic filtering - Traffic that is passing through the security appliance from
one interface to another interface. The configuration is completed in two steps.
The first step is to set up an ACL. The second step is to apply that ACL to an
interface.
To-the-box-traffic filtering - Also known as a management access rule,
to-the-box-traffic filtering applies to traffic that terminates at the ASA. They are
created to filter traffic that is destined for the control plane of the ASA. They are
completed in one step but require an additional set of rules to implement access control.
ASA devices differ from their router counterparts because of interface security levels.
By default, security levels apply access control without an ACL configured. For instance,
traffic from a more secure interface, such as security level 100, is allowed to access less
secure interfaces, such as level 0. Traffic from a less secure interface is blocked from
accessing more secure interfaces.
For example, a host from the inside network with security level 100 can access the
outside interface with security level 0 as shown below.
However, a host from an outside interface with security level 0 cannot access the
inside higher-level interface, as shown below. Less secure interfaces are blocked from
accessing more secure interfaces. If required, an ACL would have to be explicitly
configured to permit traffic from a lower security level to a higher security level.
To allow connectivity between interfaces with the same security levels, the
same-security-traffic permit inter-interface global configuration mode command is required.
To enable traffic to enter and exit the same interface, such as when encrypted traffic
enters an interface and is then routed out the same interface unencrypted, use
the same-security-traffic permit intra-interface global configuration mode command.
21.4.3 Types of ASA ACLs
The ASA supports five types of access lists:
Extended access list - The most common type of ACL. Contains one or more ACEs
to specify source and destination addresses and protocol, ports (for TCP or UDP),
or the ICMP type (for ICMP). They are used to filter traffic and to identify traffic
that should be handled by various features.
Standard access list - Unlike IOS where a standard ACL identifies the source
host/network, ASA standard ACLs are used to identify the destination IP addresses.
They are typically only used for OSPF routes and can be used in a route map for
OSPF redistribution. Standard access lists cannot be applied to interfaces to control
traffic.
EtherType access list - An EtherType ACL can be configured only if the security
appliance is running in transparent mode.
Webtype access list - Used for filtering for clientless SSL VPN traffic. These ACLs
can deny access based on URLs or destination addresses.
IPv6 access list - Used to determine which IPv6 traffic to block and which traffic to
forward at router interfaces.
Use the help access-list privileged EXEC command to display the syntax for all of the
ACLs supported on an ASA platform.
Note: The focus of this module is on extended ACLs.
The tables below provide examples for the use of extended, standard, and IPv6 ACLs,
respectively.
The table provides examples of the uses of extended ACLs.
ACL Use - Description
Control network access for IP traffic - The ASA does not allow any traffic from a lower
security interface to a higher security interface unless it is explicitly permitted by an
extended access list.
Identify traffic for AAA rules - AAA rules use access lists to identify traffic.
Identify addresses for NAT - Policy NAT lets you identify local traffic for address
translation by specifying the source and destination addresses in an extended access list.
Establish VPN access - Extended access list can be used in VPN commands.
Identify traffic for Modular Policy Framework (MPF) - Access lists can be used to identify
traffic in a class map, which is used for features that support MPF. Features that support
MPF include TCP, general connection settings, and inspection.
The table provides examples of uses of standard ACLs.
ACL Use - Description
Identify OSPF destination network in route maps - Standard access lists include only the
destination address. It can be used to control the redistribution of OSPF routes.
VPN filters - Filter traffic for LAN-to-LAN (L2L), Cisco VPN Client, and the Cisco
AnyConnect Secure Mobility Client traffic.
The table provides an example for the use of IPv6 ACLs.
ACL Use - Description
Control network access for IPv6 networks - Can be used to add and apply access lists to
control traffic in IPv6 networks.
21.4.4 Syntax for Configuring an ASA ACL
The ACL configuration syntax options for the ASA can be a little overwhelming
considering the number of parameters supported, as shown in the partial output of
the help access-list command in the example. These parameters not only give an
administrator full control over what to inspect, but also provide full logging
capabilities in order to analyze traffic flows at a later time.
NETSEC-ASA(config)# help access-list
USAGE:
Extended access list:
Use this to configure policy for IP traffic through the firewall
[no] access-list <id> [line <line_num>] [extended] {deny | permit}
{<protocol> | object-group {<service_obj_grp_id> |
<protocol_obj_grp_id>} | object <service_object_name>}
[user-group [<domain_nickname>\\]<user_group_name> |
user [<domain_nickname>\]<user_name> |
object-group-user < object_group_user_name>]
[security-group {name <sgname> | tag <sgt>} |
object-group-security <security_obj_grp_id>]
{host <sip> | <sip> <smask> | <sip-prefix> |
interface <ifc> | any | any4 | any6
object-group <network_obj_grp_id> |
object <network_obj_name>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
[security-group {name <sgname> | tag <sgt>} |
object-group-security <security_obj_grp_id>]
{host <dip> | <dip> <dmask> | <dip-prefix> |
interface <ifc> | any | any4 |any6
object-group <network_obj_grp_id> |
object <network_obj_name>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
- More -
There are many options that can be used with ACLs. However, for most needs, a more
useful and condensed version of the syntax is shown below.
IOS and ASA ACLs have similar elements, but some options vary with the ASA. The
table describes elements of an ASA ACL.
Note: Explanation of all ACL syntax is beyond the scope of this module and is not
explored further.
Element - Description
ACL id - The name of the ACL. It can be any alphanumeric name up to 241 characters.
Action - Can be permit or deny.
Protocol - Can be IP for all traffic, or the name / IP protocol number (0-250) including
icmp (1), tcp (6), udp (17), or a protocol object-group.
Source - Identifies the source and can be any, a host, a network, or a network object
group. For to-the-box-traffic filtering, the interface keyword is used to specify the
source interface of the ASA.
Source port operator - (Optional) Operand is used in conjunction with the source port.
Valid operands include lt (less than), gt (greater than), eq (equal), neq (not equal),
and range for an inclusive range.
Source port - (Optional) Can be the actual TCP or UDP port number, select port names,
or service object group.
Destination - Identifies the destination and like the source, it can be any, a host, a
network, or a network object group. For to-the-box-traffic filtering, the interface
keyword is used to specify the destination interface of the ASA.
Destination port operator - (Optional) Operand is used in conjunction with the
destination port. Valid operands are the same as the source port operands.
Destination port - (Optional) Can be the actual TCP or UDP port number, select port
names, or service object group.
Log - Can set elements for syslog including severity level and log interval.
Time range - (Optional) Specify a time range for the ACE.
All other traffic is implicitly denied.
NETSEC-ASA(config)# access-list ACL-IN extended deny ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
NETSEC-ASA(config)# access-list ACL-IN extended permit ip any any
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE
ACL Example #3
ACL allows hosts on 192.168.1.0/24 to access the 209.165.201.0/27 network.
By default, all other traffic is denied unless explicitly permitted.
NETSEC-ASA(config)# access-list ACL-IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE
ACL Example #4
ACL prevents all inside hosts from accessing a web service at 209.165.201.29.
Internal hosts are permitted to access all other services at 209.165.201.29.
Internal hosts are permitted access to all other addresses.
All other traffic is implicitly denied.
NETSEC-ASA(config)# access-list ACL-IN extended deny tcp any host 209.165.201.29 eq www
NETSEC-ASA(config)# access-list ACL-IN extended permit ip any any
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE
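The evaluation rules stated earlier in this module (ACEs checked top-down, first match exits, implicit deny at the bottom, network masks rather than wildcard masks, and the security-level default that applies only when no ACL is bound to the ingress interface) can be made concrete with a small model. The following Python code is an added illustration written for this page, not Cisco ASA software: it parses only the ACE forms used in the examples here (any/any4, host, network mask, eq, range, log), the PORT_NAMES table and the ASA class are assumptions of the model, and demo() walks ACL Example #4 above plus two flows through the unfiltered DMZ and OUTSIDE interfaces.

```python
"""Model of how an ASA evaluates an extended ACL and applies the interface
security-level default.  Added illustration, not Cisco code; it parses only
the ACE forms used in this module (any/any4, host, network mask, eq, range, log)."""
import ipaddress

# Port names used in this module's examples (a stand-in for the ASA's own table).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ftp": 21, "ntp": 123}

def _parse_addr(tok, i):
    """Consume 'any' | 'any4' | 'host A' | 'A NETMASK' (a network mask, not a wildcard)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _parse_ports(tok, i):
    """Consume an optional 'eq P' or 'range A B' operator as an inclusive (low, high)."""
    if i < len(tok) and tok[i] == "eq":
        p = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """Parse 'access-list <id> [extended] {permit|deny} <proto> <src> [op] <dst> [op] [log]'.
    Returns (acl_id, ace) with the ACE as a dict, or (acl_id, None) for a remark line."""
    tok = line.split()
    acl_id = tok[1]
    if tok[2] == "remark":
        return acl_id, None
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    sports, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dports, i = _parse_ports(tok, i)
    return acl_id, {"action": action, "proto": proto, "src": src, "dst": dst,
                    "sports": sports, "dports": dports, "log": "log" in tok[i:]}

def _in_range(port, rng):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate_acl(aces, proto, src, dst, sport=None, dport=None):
    """Top-down, first match exits; the implicit 'deny ip any any' ends the list."""
    for ace in aces:
        if (ace["proto"] in ("ip", proto)
                and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]
                and _in_range(sport, ace["sports"])
                and _in_range(dport, ace["dports"])):
            return ace["action"]
    return "deny"

class ASA:
    """Interfaces with security levels, named ACLs and access-group bindings (assumed model)."""

    def __init__(self, levels):
        self.levels = levels          # interface name -> security level (0-100)
        self.acls = {}                # acl id -> list of ACE dicts, in configured order
        self.bindings = {}            # (interface, direction) -> acl id
        self.same_security_inter = False

    def configure(self, line):
        tok = line.split()
        if tok[0] == "access-list":
            acl_id, ace = parse_ace(line)
            if ace is not None:
                self.acls.setdefault(acl_id, []).append(ace)
        elif tok[0] == "access-group":    # access-group <id> in interface <ifc>
            self.bindings[(tok[4], tok[2])] = tok[1]
        elif line == "same-security-traffic permit inter-interface":
            self.same_security_inter = True

    def decide(self, in_if, out_if, proto, src, dst, dport=None):
        """Verdict for a new connection entering in_if and leaving out_if."""
        acl_id = self.bindings.get((in_if, "in"))
        if acl_id is not None:        # a bound ACL replaces the security-level default
            return evaluate_acl(self.acls[acl_id], proto, src, dst, dport=dport)
        a, b = self.levels[in_if], self.levels[out_if]
        if a > b or (a == b and self.same_security_inter):
            return "permit"           # higher -> lower is allowed without an ACL
        return "deny"                 # lower -> higher needs an explicit ACL

def demo():
    """ACL Example #4 above, plus the security-level default on the unfiltered DMZ."""
    asa = ASA({"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0})
    for line in ("access-list ACL-IN extended deny tcp any host 209.165.201.29 eq www",
                 "access-list ACL-IN extended permit ip any any",
                 "access-group ACL-IN in interface INSIDE"):
        asa.configure(line)
    return {
        "inside_web": asa.decide("INSIDE", "OUTSIDE", "tcp", "192.168.1.3", "209.165.201.29", 80),
        "inside_smtp": asa.decide("INSIDE", "OUTSIDE", "tcp", "192.168.1.3", "209.165.201.29", 25),
        "dmz_out": asa.decide("DMZ", "OUTSIDE", "tcp", "192.168.2.3", "209.165.201.29", 443),
        "outside_dmz": asa.decide("OUTSIDE", "DMZ", "tcp", "209.165.201.29", "192.168.2.3", 80),
    }
```

The model deliberately stops where the module does: it does not track connection state, ICMP inspection or the lt/gt/neq operators, and once an ACL is bound to an interface that ACL alone decides, which is exactly why an explicit permit is needed for anything a lower-security interface must reach.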
21.4.7 ACLs and Object Groups
Consider the sample topology in the figure in which access from two trusted, remote
hosts, PC1 and PC2, should be allowed to the two internal web and email servers.
The ACL displayed in the example below would require two ACEs for each PC to
accomplish the task. The implicit deny any drops and logs any packets that do not
match email or web services. As shown in the example, ACLs should always be
thoroughly documented using the remark command.
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-1 -> Server A for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq smtp
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-1 -> Server B for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq smtp
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-2 -> Server A for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-2 -> Server B for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq smtp
NETSEC-ASA(config)# access-list ACL-IN extended deny ip any any log
NETSEC-ASA(config)# access-group ACL-IN in interface OUTSIDE
To verify the ACL syntax, use the show running-config access-list and show access-
list commands, as shown in the example.
NETSEC-ASA(config)# show running-config access-list
access-list ACL-IN remark Permit PC-1 -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq www
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq smtp
access-list ACL-IN remark Permit PC-1 -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq www
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq smtp
access-list ACL-IN remark Permit PC-2 -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq www
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp
access-list ACL-IN remark Permit PC-2 -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq www
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq smtp
access-list ACL-IN extended deny ip any any log
NETSEC-ASA(config)#
NETSEC-ASA(config)# show access-list ACL-IN brief
access-list ACL-IN; 9 elements; name hash: 0x44d1c580
NETSEC-ASA(config)#
21.4.8 ACL Using Object Groups Examples
Object grouping is a way to group similar items together to reduce the number of
ACEs. By grouping like objects together, object groups can be used in an ACL instead of
having to enter an ACE for each object separately. Without object grouping, the
security appliance configuration may contain thousands of lines of ACEs, which can
become difficult to manage.
The example displays a condensed ACL syntax to use with the object groups example
on this page.
The security appliance follows the multiplication factor rule when ACEs are defined.
For example, if two outside hosts need to access two internal servers running HTTP
and SMTP services, the ASA will have eight host-based ACEs. They should be calculated
as follows:
Number of ACEs = (2 outside hosts) x (2 internal servers) x (2 services) = 8
Object grouping can cluster network objects into one group and outside hosts into
another, as shown in the following syntax. The security appliance can also combine
both TCP services into a service object group.
ciscoasa(config)# access-list id extended { deny | permit } protocol object-group source_net-obj-grp_id object-group dest_net-obj-grp_id object-group service-obj-grp_id
For example, consider the reference topology in the figure below. In the extended ACL
example on the previous page, this topology required a total of nine ACL ACEs, the
eight permit ACEs, and the implicit deny ACE. Creating the following objects can help
simplify the actual ACL to one ACE. For example, the following object groups are
created:
Network object group named NET-HOSTS - Identifies two external hosts.
Network object group named SERVERS - Identifies servers providing email and
web services.
Service object group HTTP-SMTP - Identifies SMTP and HTTP protocols.
The example displays the configuration that accomplishes the same result as the
extended ACL on the previous page using object groups.
Note: The previous ACL-IN ACE statements have been removed with the no access-list
command.
NETSEC-ASA(config)# object-group network NET-HOSTS
NETSEC-ASA(config-network-object-group)# description OG matches PC-A and PC-B
NETSEC-ASA(config-network-object-group)# network-object host 209.165.201.1
NETSEC-ASA(config-network-object-group)# network-object host 209.165.201.2
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group network SERVERS
NETSEC-ASA(config-network-object-group)# description OG matches Web / Email Servers
NETSEC-ASA(config-network-object-group)# network-object host 209.165.202.131
NETSEC-ASA(config-network-object-group)# network-object host 209.165.202.132
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group service HTTP-SMTP tcp
NETSEC-ASA(config-service-object-group)# description OG matches SMTP / WEB traffic
NETSEC-ASA(config-service-object-group)# port-object eq smtp
NETSEC-ASA(config-service-object-group)# port-object eq www
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# access-list ACL-IN remark Only permit PC-A / PC-B -> Internal Servers
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp object-group NET-HOSTS object-group SERVERS object-group HTTP-SMTP
After object groups have been configured, they can be used in any ACL and multiple
ACLs. A single ACE could be used to allow trusted hosts to make specific service
requests to a group of internal servers.
Although the configuration of object groups may seem tedious, the advantage is that
these objects can be reused in other ASA commands, and they can easily be altered.
For instance, if a new internal mail server needs to be added, then all that is required is
to edit the SERVERS object group.
Note: Object groups can also be nested in other object groups.
The example displays the final ACL configuration in the running configuration.
NETSEC-ASA(config)# show running-config access-list
access-list ACL-IN remark Only permit PC-A / PC-B -> Internal Servers
access-list ACL-IN extended permit tcp object-group NET-HOSTS object-group SERVERS object-group HTTP-SMTP
21.4.9 Syntax Checker - Configure an ASA ACL Using Object Groups
Use the Syntax Checker to configure an ASA ACL using object groups.
Configure a network object group named NET-HOSTS to match hosts 209.165.201.1
and 209.165.201.2. Then exit network object configuration mode.
NETSEC-ASA(config)#object-group network NET-HOSTS
NETSEC-ASA(config-network-object-group)# description OG matches PC-A and PC-B
NETSEC-ASA(config-network-object-group)#network-object host 209.165.201.1
NETSEC-ASA(config-network-object-group)#network-object host 209.165.201.2
NETSEC-ASA(config-network-object-group)#exit
Configure a network object group named SERVERS to match hosts 209.165.202.131
and 209.165.202.132. Then exit network object configuration mode.
NETSEC-ASA(config)#object-group network SERVERS
NETSEC-ASA(config-network-object-group)# description OG matches Web / Email Servers
NETSEC-ASA(config-network-object-group)#network-object host 209.165.202.131
NETSEC-ASA(config-network-object-group)#network-object host 209.165.202.132
NETSEC-ASA(config-network-object-group)#exit
Configure a tcp service object group named HTTP-SMTP to match the smtp port, and
then match the www port. Exit network object configuration mode.
NETSEC-ASA(config)#object-group service HTTP-SMTP tcp
NETSEC-ASA(config-service-object-group)# description OG matches SMTP / WEB traffic
NETSEC-ASA(config-service-object-group)#port-object eq smtp
NETSEC-ASA(config-service-object-group)#port-object eq www
NETSEC-ASA(config-service-object-group)#exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# access-list ACL-IN remark Only permit PC-A / PC-B -> Internal Servers
The remark for ACL-IN has already been configured for you. Now configure ACL-IN to
permit tcp from NET-HOSTS to SERVERS using the HTTP-SMTP service policy.
NETSEC-ASA(config)#access-list ACL-IN extended permit tcp object-group NET-HOSTS object-group SERVERS object-group HTTP-SMTP
Display ACL-IN in the running configuration.
NETSEC-ASA(config)#show running-config access-list
access-list ACL-IN remark Only permit PC-A / PC-B -> Internal Servers
access-list ACL-IN extended permit tcp object-group NET-HOSTS object-group SERVERS object-group HTTP-SMTP
You have successfully configured an ACL using object groups on an ASA 5506-X.
21.5 NAT Services on an ASA
21.5.1 ASA NAT Overview
Like IOS routers, the ASA supports Network Address Translation (NAT). NAT is typically
used to translate private IP network addresses into public IP addresses.
NAT can be deployed using one of the following methods:
Inside NAT - The typical NAT deployment method is when a host from a higher-security
interface has traffic destined for a lower-security interface and the ASA translates the
internal host address into a global address. The ASA then restores the original inside IP
address for return traffic.
Outside NAT - This method is used when traffic from a lower-security interface that is
destined for a host on the higher-security interface must be translated. This method
may be useful to make an enterprise host located on the outside of the internal
network appear as one from a known internal IP address.
Bidirectional NAT - Indicates that both inside NAT and outside NAT are used together.
The figure illustrates how inside NAT and outside NAT flow.
Specifically, the Cisco ASA supports the following common types of NAT:
Dynamic PAT - This is a many-to-one translation. This is also known as NAT with
overload. Usually an inside pool of private addresses overloading an outside
interface or outside address.
Static NAT - This is a one-to-one translation. Usually an outside address mapping to
an internal server.
Policy NAT - Policy-based NAT is based on a set of rules. These rules can specify
that only certain source addresses that are intended for specific destination
addresses and/or specific ports will be translated.
Identity NAT - A real address is statically translated to itself, essentially bypassing
NAT. You might want to configure NAT this way when you want to translate a large
group of addresses, but then want to exempt a smaller subset of addresses.
These types of NAT are referred to as network object NAT because the configuration
requires network objects to be configured.
Note: Another ASA NAT feature is called Twice-NAT. Twice-NAT identifies both the
source and destination address in a single rule (nat command). Twice-NAT is used
when configuring remote-access IPsec and SSL VPNs. Twice-NAT is beyond the scope of
the module and is not explored further.
21.5.2 Configure Dynamic NAT
To configure network object dynamic NAT, two network objects are required:
A network object identifying the pool of public IP addresses into which internal
addresses are translated. These are identified using range or subnet network
object commands.
The second network object identifies the internal addresses to be translated and
then binds the two objects together. These are identified using
the range or subnet network object commands.
The two network objects are then bound together
using nat [(real_if_name,mapped_if_name)] dynamic mapped_obj [interface [ipv6]]
[dns] network object command. The real_if_name is the prenat interface.
The mapped_if_name is the postnat interface. Notice that there is no space after the
comma in the command syntax.
For example, the figure displays the NAT reference topology that will be used to
configure dynamic NAT, dynamic PAT, and static NAT.
In this dynamic NAT example, the inside hosts on the 192.168.1.0/27 network will be
dynamically assigned a range of public IP addresses from 209.165.200.240 to
209.165.200.248.
The example displays a sample dynamic NAT configuration to accomplish this task.
The PUBLIC network object identifies the public IP addresses to be translated to while
the DYNAMIC-NAT object identifies the internal addresses to be translated and is
bound to the PUBLIC network object with the nat command.
NETSEC-ASA(config)# object network PUBLIC
NETSEC-ASA(config-network-object)# range 209.165.200.240 209.165.200.248
NETSEC-ASA(config-network-object)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object network DYNAMIC-NAT
NETSEC-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.224
NETSEC-ASA(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC
NETSEC-ASA(config-network-object)# end
NETSEC-ASA#
To allow inside hosts to ping outside hosts, you can use a policy map to permit ICMP
messages to return through the external interface. The example shows the
configuration to allow return ICMP traffic from outside hosts through
the OUTSIDE interface.
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# access-list ICMPACL extended permit icmp any any
NETSEC-ASA(config)# access-group ICMPACL in interface OUTSIDE
NETSEC-ASA(config)#
After the inside host pings the outside host, verify the network address translation
using the show xlate command, as shown in the example. Additional information can
be gathered using the show nat and show nat detail commands.
NETSEC-ASA(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, I - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic DYNAMIC-NAT PUBLIC
translate_hits = 1, ntranslated_hits = 1
NETSEC-ASA(config)#
NETSEC-ASA(config)# show nat detail
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic DYNAMIC-NAT PUBLIC
translate_hits = 1, ntranslated_hits = 1
Source - Origin: 192.168.1.0/27, Translated: 209.165.200.240-209.165.200.248
NETSEC-ASA(config)#
21.5.3 Syntax Checker - Configure Dynamic NAT on an ASA 5506-X
Use the Syntax Checker to configure dynamic NAT on an ASA 5506-X.
s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.3 to OUTSIDE:209.165.200.242 flags I idle 0:00:02 timeout 3:00:00
NETSEC-ASA(config)#
You have successfully configured dynamic NAT on an ASA 5506-X.
21.5.4 Configure Dynamic PAT
A variation of this configuration is called Dynamic PAT. This is when an actual external
IP address is configured and overloaded instead of the ASA interface IP address.
Only one network object is required when overloading the outside interface. To enable
inside hosts to overload the outside address,
use nat [(real_if_name,mapped_if_name)] dynamic interface command.
The example displays a dynamic PAT configuration for the same reference topology.
NETSEC-ASA(config)# object network INSIDE-NET
NETSEC-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.224
NETSEC-ASA(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
NETSEC-ASA(config-network-object)# end
NETSEC-ASA#
After the inside host pings the outside host, verify the network address translation
using the show xlate command. The example displays the resulting translation.
NETSEC-ASA# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, I - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from INSIDE:192.168.1.3/1 to OUTSIDE:209.165.200.226/1 flags ri idle 0:00:02 timeout 0:00:30
NETSEC-ASA#
21.5.5 Configure Static NAT
Static NAT is configured when an inside address is mapped to an outside address. For
instance, static NAT can be used when a server must be accessible from the outside.
To configure static NAT, use the nat [(real_if_name,mapped_if_name)] static mapped-
inline-host-ip network object command.
The figure displays the NAT reference topology that will be used to configure the DMZ
interface and static NAT.
The example below displays the configuration that is used to enable static NAT. In this
example, outside hosts can reach the internal server with the IP address 192.168.2.3
using the external IP address 209.165.200.227.
An ACL is required for the translation to be successful.
NETSEC-ASA(config)# object network DMZ-SERVER
NETSEC-ASA(config-network-object)# host 192.168.2.3
NETSEC-ASA(config-network-object)# nat (DMZ,OUTSIDE) static 209.165.200.227
NETSEC-ASA(config-network-object)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
NETSEC-ASA(config)# access-group OUTSIDE-DMZ in interface OUTSIDE
NETSEC-ASA(config)#
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# access-list ICMPACL extended permit icmp any any
NETSEC-ASA(config)# access-group ICMPACL in interface DMZ
NETSEC-ASA(config)#
Use the show xlate and show nat detail commands to verify translations, as shown in
the example. It may be necessary to use the clear nat counters command when
testing NAT.
NETSEC-ASA(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, I - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.2.3 to OUTSIDE:209.165.200.227
flags s idle 0:00:21 timeout 0:00:00
NAT from INSIDE:192.168.1.3 to OUTSIDE:209.165.200.242 flags I idle 0:09:06 timeout 3:00:00
NETSEC-ASA(config)#
NETSEC-ASA(config)# show nat detail
Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static DMZ-SERVER 209.165.200.227
translate_hits = 1, ntranslated_hits = 1
Source - Origin: 192.168.2.3/32, Translated: 209.165.200.227/32
2 (INSIDE) to (OUTSIDE) source dynamic DYNAMIC-NAT PUBLIC
translate_hits = 1, ntranslated_hits = 1
Source - Origin: 192.168.1.0/27, Translated: 209.165.200.240-209.165.200.248
NETSEC-ASA(config)#
21.5.6 Syntax Checker - Configure Static NAT on an ASA 5506-X
Use the Syntax Checker to configure static NAT on an ASA 5506-X.
To configure static NAT, you create a network object for the host you want to map to a
public IP address.
Create a network object DMZ-SERVER.
Assign 192.168.2.3 to the network object.
Use the nat command to statically assign 209.165.200.227 for packets coming in
the DMZ interface and exiting the OUTSIDE interface.
Exit network object configuration mode.
NETSEC-ASA(config)#object network DMZ-SERVER
NETSEC-ASA(config-network-object)#host 192.168.2.3
NETSEC-ASA(config-network-object)#nat (DMZ,OUTSIDE) static 209.165.200.227
NETSEC-ASA(config-network-object)#exit
Configure an ACL OUTSIDE-DMZ that will permit any traffic to destination
192.168.2.3.
Apply the ACL for inbound traffic on the OUTSIDE interface.
NETSEC-ASA(config)#access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
NETSEC-ASA(config)#access-group OUTSIDE-DMZ in interface OUTSIDE
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# access-list ICMPACL extended permit icmp any any
ACL ICMPACL is already configured. Assign the ACL to match inbound traffic entering
the DMZ interface.
NETSEC-ASA(config)#access-group ICMPACL in interface DMZ
Assume an external host at 209.165.200.242 has sent traffic to the DMZ server at
192.168.2.3. Use the show xlate command to verify that the internal private IP address
was translated to a public IP address. Notice that the flag s indicates that the
translation is static.
NETSEC-ASA(config)#show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, I - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.2.3 to OUTSIDE:209.165.200.227
flags s idle 0:00:21 timeout 0:00:00
NAT from INSIDE:192.168.1.3 to OUTSIDE:209.165.200.242 flags I idle 0:09:06 timeout 3:00:00
NETSEC-ASA(config)#
You have successfully configured static NAT on an ASA 5506-X.
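The show xlate output in 21.5.5 and 21.5.6 is what an operator reads to confirm a translation, and a static mapping is recognised only by the s flag in its entry. The following Python script is an added example, not part of the course: it parses a constructed show xlate capture assembled from the translation lines shown on this page (the static DMZ-SERVER entry, the dynamic INSIDE entry, and the ICMP PAT entry from the dynamic NAT example) and checks that a given real-to-mapped pair exists as a static translation. It interprets only the s (static) and r (portmap) flags; every other entry is reported as dynamic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the translation lines shown in the course output,
# pasted together as one "show xlate" capture (the count line is adjusted to match).
SAMPLE_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, I - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.2.3 to OUTSIDE:209.165.200.227 flags s idle 0:00:21 timeout 0:00:00
NAT from INSIDE:192.168.1.3 to OUTSIDE:209.165.200.242 flags I idle 0:09:06 timeout 3:00:00
ICMP PAT from INSIDE:192.168.1.3/1 to OUTSIDE:209.165.200.226/1 flags ri idle 0:00:02 timeout 0:00:30
NETSEC-ASA(config)#
"""

# One translation entry: "<kind> from IF:IP[/port] to IF:IP[/port] flags F idle T timeout T"
XLATE_RE = re.compile(
    r"^(?P<kind>(?:ICMP |TCP |UDP )?(?:NAT|PAT)) from "
    r"(?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)(?:/(?P<real_port>\d+))? to "
    r"(?P<mapped_if>[^:\s]+):(?P<mapped_ip>[\d.]+)(?:/(?P<mapped_port>\d+))? "
    r"flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)$"
)


@dataclass
class Xlate:
    kind: str
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    flags: frozenset
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
    idle: str = ""
    timeout: str = ""

    @property
    def mode(self) -> str:
        """'static' when the s flag is present, 'pat' when the r (portmap) flag
        is present, otherwise 'dynamic'. No other flag is interpreted."""
        if "s" in self.flags:
            return "static"
        if "r" in self.flags:
            return "pat"
        return "dynamic"


def parse_xlate(text: str) -> List[Xlate]:
    """Parse every translation line of a show xlate capture; the count line,
    the flag legend and the prompt do not match the pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = XLATE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(Xlate(
            kind=d["kind"], real_if=d["real_if"], real_ip=d["real_ip"],
            mapped_if=d["mapped_if"], mapped_ip=d["mapped_ip"],
            flags=frozenset(d["flags"]),
            real_port=int(d["real_port"]) if d["real_port"] else None,
            mapped_port=int(d["mapped_port"]) if d["mapped_port"] else None,
            idle=d["idle"], timeout=d["timeout"],
        ))
    return entries


def verify_static_nat(text: str, real_ip: str, mapped_ip: str) -> bool:
    """True only if real_ip is translated to mapped_ip AND the entry carries the
    s flag. A dynamic entry for the same pair would be pool assignment, not the
    configured static mapping, so it does not count."""
    return any(e.real_ip == real_ip and e.mapped_ip == mapped_ip and e.mode == "static"
               for e in parse_xlate(text))


def summarize(text: str) -> dict:
    """Count translations by mode, the quick view an operator wants while testing NAT."""
    counts = {"static": 0, "pat": 0, "dynamic": 0}
    for e in parse_xlate(text):
        counts[e.mode] += 1
    return counts


if __name__ == "__main__":
    for e in parse_xlate(SAMPLE_XLATE):
        print(f"{e.kind:8} {e.real_if}:{e.real_ip} -> {e.mapped_if}:{e.mapped_ip} [{e.mode}]")
    print("DMZ-SERVER static mapping present:",
          verify_static_nat(SAMPLE_XLATE, "192.168.2.3", "209.165.200.227"))
```

Paste a real capture in place of SAMPLE_XLATE to use it against a live device; wrapped continuation lines, as they appear in the course PDF, must be re-joined first because the parser works line by line.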
21.6 AAA
21.6.1 AAA Review
Authentication, authorization, and accounting (AAA) provides an extra level of
protection and user control. Using AAA only, authenticated and authorized users can
be permitted to connect through the ASA.
Authentication can be used alone or with authorization and accounting. Authorization
always requires a user to be authenticated first. Accounting can be used alone, or with
authentication and authorization.
AAA is conceptually similar to using a credit card, as shown in the figure.
Authentication controls access by requiring valid user credentials, which are usually a
username and password. The ASA can authenticate all administrative connections to
the ASA, including Telnet, SSH, console, ASDM using HTTPS, and privileged EXEC.
Authorization controls access, per user, after users are authenticated. Authorization
controls the services and commands that are available to each authenticated user.
Without authorization enabled, authentication alone would provide the same access
to services for all authenticated users. The ASA can authorize management commands,
network access, and VPN access.
Accounting tracks traffic that passes through the ASA, enabling administrators to have
a record of user activity. Accounting information includes session start and stop times,
usernames, the number of bytes that pass through the ASA for the session, the service
used, and the duration of each session.
ASA Command / Description
aaa-server server-tag protocol protocol
    Creates a TACACS+ or RADIUS AAA server group.
aaa-server server-tag [(if_name)] host {server-ip | name} [key]
    Configures a AAA server as part of a AAA server group. Also configures AAA server parameters that are host-specific.
To erase all AAA server configurations, use the clear config aaa-server command. To
view all configured AAA servers, use the show running-config aaa-server command.
The example shows configuration of a AAA TACACS+ server on an ASA 5506-X.
NETSEC-ASA(config)# username Admin password class privilege 15
NETSEC-ASA(config)# show run username
username Admin password ***** pbkdf2 privilege 15
NETSEC-ASA(config)# aaa-server TACACS-SVR protocol tacacs+
NETSEC-ASA(config-aaa-server-group)# aaa-server TACACS-SVR (DMZ) host 192.168.2.3
NETSEC-ASA(config-aaa-server-host)# exit
NETSEC-ASA(config)# show run aaa-server
aaa-server TACACS-SVR protocol tacacs+
aaa-server TACACS-SVR (DMZ) host 192.168.2.3
NETSEC-ASA(config)#
21.6.3 AAA Configuration
To authenticate users who access the ASA CLI over a console (serial), SSH, HTTPS
(ASDM), or Telnet connection, or to authenticate users who access privileged EXEC
mode using the enable command, use the aaa authentication enable
console command in global configuration mode. The command syntax is as follows:
ciscoasa(config)# aaa authentication { serial | enable | telnet | ssh | http } console { LOCAL | server-group [ LOCAL ]}
To erase all AAA parameters, use the clear config aaa command. To view all user
accounts, use the show running-config username command.
The example provides a sample AAA configuration that is then verified and tested.
NETSEC-ASA(config)# aaa authentication serial console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication ssh console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication http console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication telnet console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication enable console TACACS-SVR LOCAL
NETSEC-ASA(config)#
NETSEC-ASA(config)# show run aaa
aaa authentication serial console TACACS-SVR LOCAL
aaa authentication ssh console TACACS-SVR LOCAL
aaa authentication http console TACACS-SVR LOCAL
aaa authentication telnet console TACACS-SVR LOCAL
aaa authentication enable console TACACS-SVR LOCAL
aaa authentication login-history
NETSEC-ASA(config)# exit
NETSEC-ASA# exit
Logoff
Username: Admin
Password: *****
-----------------------------------------------
Authorized access only!
You have logged into a secure device.
-----------------------------------------------
User Admin logged in to NETSEC-ASA
Logins over the last 2 days: 4. Last login: 10:14:48 UTC Feb 11 2021 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
NETSEC-ASA>
21.6.4 Syntax Checker - Configure AAA on an ASA 5506-X
Use the Syntax Checker to configure and verify AAA services on an ASA 5506-X.
Configure privilege level 15 for the user Admin with the password class.
NETSEC-ASA(config)#username Admin password class privilege 15
NETSEC-ASA(config)# show run username
username Admin password ***** pbkdf2 privilege 15
Name the AAA server TACACS-SVR and configure it to use tacacs+.
Associate the server to the DMZ interface and specify the IP address 192.168.2.3.
Exit AAA server host configuration mode.
NETSEC-ASA(config)#aaa-server TACACS-SVR protocol tacacs+
NETSEC-ASA(config-aaa-server-group)#aaa-server TACACS-SVR (DMZ) host 192.168.2.3
NETSEC-ASA(config-aaa-server-host)#exit
NETSEC-ASA(config)# show run aaa-server
aaa-server TACACS-SVR protocol tacacs+
aaa-server TACACS-SVR (DMZ) host 192.168.2.3
NETSEC-ASA(config)#
Configure AAA to authenticate users over a console (serial) connection against
TACACS-SVR, with LOCAL as the fallback. SSH, HTTP, and Telnet will be configured for
you. Then configure AAA to authenticate users that attempt to access privileged EXEC
mode.
NETSEC-ASA(config)#aaa authentication serial console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication ssh console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication http console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication telnet console TACACS-SVR LOCAL
NETSEC-ASA(config)#aaa authentication enable console TACACS-SVR LOCAL
Use the show run aaa command to verify the AAA configuration.
NETSEC-ASA(config)#show run aaa
aaa authentication serial console TACACS-SVR LOCAL
aaa authentication ssh console TACACS-SVR LOCAL
aaa authentication http console TACACS-SVR LOCAL
aaa authentication telnet console TACACS-SVR LOCAL
aaa authentication enable console TACACS-SVR LOCAL
aaa authentication login-history
NETSEC-ASA(config)#
Enter exit twice to log out of NETSEC-ASA. Then log back in with the user Admin and
password class.
Note: The Syntax Checker will show the password instead of displaying *****.
NETSEC-ASA(config)#exit
NETSEC-ASA#exit
Logoff
Username:Admin
Password:class
-----------------------------------------------
Authorized access only!
You have logged into a secure device.
-----------------------------------------------
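The AAA configuration in 21.6.3 and 21.6.4 follows one pattern for every access path: a server group followed by LOCAL, so that administrators can still log in when the TACACS+ server is unreachable, and the group named must actually be defined with aaa-server. The following Python script is an added example, not part of the course: it reads aaa-server and aaa authentication lines from a running-config excerpt and reports access paths that break that pattern. SAMPLE_GOOD is built from the show run aaa output shown on this page; SAMPLE_WEAK is a constructed variant with deliberate gaps.

```python
import re
from typing import Dict, List, Tuple

CONSOLE_TYPES = ("serial", "ssh", "http", "telnet", "enable")

AUTH_RE = re.compile(
    r"^aaa authentication (?P<ctype>serial|ssh|http|telnet|enable) console (?P<methods>.+)$")
GROUP_RE = re.compile(r"^aaa-server (?P<tag>\S+) protocol (?P<proto>\S+)$")

# Constructed sample 1: the AAA lines from the course's show run output.
SAMPLE_GOOD = """\
aaa-server TACACS-SVR protocol tacacs+
aaa-server TACACS-SVR (DMZ) host 192.168.2.3
aaa authentication serial console TACACS-SVR LOCAL
aaa authentication ssh console TACACS-SVR LOCAL
aaa authentication http console TACACS-SVR LOCAL
aaa authentication telnet console TACACS-SVR LOCAL
aaa authentication enable console TACACS-SVR LOCAL
aaa authentication login-history
"""

# Constructed sample 2: the same device with deliberate gaps for the audit to find
# (serial without LOCAL fallback, ssh pointing at an undefined group, http and
# telnet with no aaa authentication line at all).
SAMPLE_WEAK = """\
aaa-server TACACS-SVR protocol tacacs+
aaa-server TACACS-SVR (DMZ) host 192.168.2.3
aaa authentication serial console TACACS-SVR
aaa authentication ssh console RADIUS-SVR LOCAL
aaa authentication enable console TACACS-SVR LOCAL
"""


def parse_aaa(config: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (server groups: tag -> protocol, authentication: console type -> method list)."""
    groups: Dict[str, str] = {}
    auth: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups[m["tag"]] = m["proto"]
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m["ctype"]] = m["methods"].split()
    return groups, auth


def audit_aaa(config: str) -> List[str]:
    """Findings against the course's pattern: every access path names a server
    group followed by LOCAL, and every group it names is defined."""
    groups, auth = parse_aaa(config)
    findings = []
    for ctype in CONSOLE_TYPES:
        methods = auth.get(ctype)
        if methods is None:
            findings.append(f"{ctype}: no 'aaa authentication {ctype} console' line configured")
            continue
        external = [m for m in methods if m != "LOCAL"]
        for tag in external:
            if tag not in groups:
                findings.append(f"{ctype}: server group {tag} is referenced but has no aaa-server definition")
        if external and "LOCAL" not in methods:
            findings.append(f"{ctype}: group {external[0]} has no LOCAL fallback; "
                            "an unreachable AAA server would lock administrators out")
    return findings


if __name__ == "__main__":
    print("course config:", audit_aaa(SAMPLE_GOOD) or "no findings")
    for finding in audit_aaa(SAMPLE_WEAK):
        print("weak config  :", finding)
```

The check is deliberately conservative: it does not decide whether a path such as Telnet should be enabled at all, only whether each configured path authenticates the way the course's example does.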
ciscoasa(config)# policy-map policy-name
Service Policy - Where do we do it? Activate the policy map on interfaces. Create a
service policy that applies a policy map to an interface or all interfaces.
ciscoasa(config)# service-policy serv-name [ global | interface if-name ]
Although the MPF syntax is similar to the ISR IOS Cisco Modular QoS CLI (MQC) syntax
or the Cisco Common Classification Policy Language (C3PL) syntax, the configurable
parameters differ. The ASA platform provides more configurable actions as compared
to an ISR for Cisco IOS ZPF. The ASA supports Layer 5 to Layer 7 inspections using a
richer set of criteria for application-specific parameters. For instance, the ASA MPF
feature can be used to match HTTP URLs and request methods, prevent users from
surfing to specific sites during specific times, or even prevent users from downloading
music (MP3) and video files via HTTP/FTP or HTTPS/SFTP.
There are four steps to configure MPF on an ASA:
Step 1. (Optional) Configure extended ACLs to identify granular traffic that can be
specifically referenced in the class map. For example, ACLs can be used to match TCP
traffic, UDP traffic, HTTP traffic, or all traffic to a specific server.
Step 2. Configure the class map to identify traffic.
Step 3. Configure a policy map to apply actions to those class maps.
Step 4. Configure a service policy to attach the policy map to an interface.
21.7.2 Configure Class Maps
Class maps are configured to identify Layer 3 and 4 traffic (also called layer 3/4). To
create a class map and enter class-map configuration mode, use the class-map
class-map-name global configuration mode command. The names “class-default” and
any name that begins with “_internal” or “_default” are reserved. The class map name
must be unique and can be up to 40 characters in length. The name should also be
descriptive.
Note: A variation of the class-map command is used for management traffic that is
destined for the ASA. In this case, use the class-map type management
class-map-name command.
When in class-map configuration mode, a description explaining the purpose of the
class map should be configured using the description command.
Next, traffic to match should be identified using the match any (matches all traffic)
or match access-list access-list-name commands to match traffic specified by an
extended access list.
Note: Unless otherwise specified, only include one match command in the class map.
The example provides a sample class map configuration.
NETSEC-ASA(config)# access-list UDP permit udp any any
NETSEC-ASA(config)# access-list TCP permit tcp any any
NETSEC-ASA(config)# access-list SERVER permit ip any host 10.1.1.1
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map ALL-TCP
NETSEC-ASA(config-cmap)# description This class-map matches all TCP traffic
NETSEC-ASA(config-cmap)# match access-list TCP
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map ALL-UDP
NETSEC-ASA(config-cmap)# description This class-map matches all UDP traffic
NETSEC-ASA(config-cmap)# match access-list UDP
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map ALL-HTTP
NETSEC-ASA(config-cmap)# description This class-map matches all HTTP traffic
NETSEC-ASA(config-cmap)# match port TCP eq http
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map TO-SERVER
NETSEC-ASA(config-cmap)# description Class map matches traffic 10.1.1.1
NETSEC-ASA(config-cmap)# match access-list SERVER
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
The ASA also automatically defines a default Layer 3/4 class map identified in the
configuration by class-map inspection_default. Identified in this class map is the match
default-inspection-traffic which matches the default ports for all inspections. When
used in a policy map, this class map ensures that the correct inspection is applied to
each packet, based on the destination port of the traffic. For example, when UDP
traffic for port 69 reaches the ASA, the ASA applies the TFTP inspection. In this case
only, multiple inspections can be configured for the same class map. Normally, the ASA
does not use the port number to determine which inspection to apply. This provides
flexibility to apply inspections to non-standard ports.
To display information about the class map configuration, use the show running-config
class-map command.
To remove all class maps, use the clear configure class-map command in global
configuration mode.
21.7.3 Define and Activate a Policy
Policy maps are used to bind class maps with actions. Use the policy-map
policy-map-name global configuration mode command to apply actions to the Layer 3
and 4 traffic. The policy map name must be unique and up to 40 characters in length.
The name should also be descriptive.
In policy-map configuration mode, config-pmap, use the following commands:
description - Add description text.
class class-map-name - Identify a specific class map on which to perform actions.
The maximum number of policy maps is 64. There can be multiple Layer 3/4 class maps
in one policy map, and multiple actions can be assigned from one or more feature
types to each class map.
Note: The configuration includes a default Layer 3/4 policy map that the ASA uses in the
default global policy. It is called global_policy and performs an inspection on the
default inspection traffic. There can only be one global policy. Therefore, to alter the
global policy, either edit it or replace it.
These are the three most common commands available in policy map configuration
mode:
set connection - Sets connection values.
inspect - Provides protocol inspection services.
police - Sets rate limits for traffic in this class.
Actions are applied to traffic bidirectionally or unidirectionally depending on the
feature.
To display information about the policy map configuration, use the show
running-config policy-map command.
Use the clear configure policy-map command in global configuration mode, to remove
all policy maps.
Configure the Service Policy
To activate a policy map globally on all interfaces or on a targeted interface, use
the service-policy policy-map-name [ global | interface intf ] global configuration mode
command to enable a set of policies on an interface.
The example configures the policy map. Its associated service policy is applied globally.
NETSEC-ASA(config)# access-list TFTP-TRAFFIC permit udp any any eq 69
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map CLASS-TFTP
NETSEC-ASA(config-cmap)# match access-list TFTP-TRAFFIC
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# policy-map POLICY-TFTP
NETSEC-ASA(config-pmap)# class CLASS-TFTP
NETSEC-ASA(config-pmap-c)# inspect tftp
NETSEC-ASA(config-pmap-c)# exit
NETSEC-ASA(config-pmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# service-policy POLICY-TFTP global
NETSEC-ASA(config)#
21.7.4 Syntax Checker - Define and Activate a Policy on an ASA 5506-X
Use the Syntax Checker to define and activate a policy on an ASA 5506-X.
Configure an ACL named TFTP-TRAFFIC to allow all inbound and outbound TFTP
traffic. Use the port number instead of the keyword.
NETSEC-ASA(config)#access-list TFTP-TRAFFIC permit udp any any eq 69
Configure a class named CLASS-TFTP to match the TFTP-TRAFFIC ACL. Then exit class
map configuration mode.
NETSEC-ASA(config)#class-map CLASS-TFTP
NETSEC-ASA(config-cmap)#match access-list TFTP-TRAFFIC
NETSEC-ASA(config-cmap)#exit
Configure a policy named POLICY-TFTP to use CLASS-TFTP to inspect TFTP traffic. Then
enter exit twice to return to global configuration mode.
NETSEC-ASA(config)#policy-map POLICY-TFTP
NETSEC-ASA(config-pmap)#class CLASS-TFTP
NETSEC-ASA(config-pmap-c)#inspect tftp
NETSEC-ASA(config-pmap-c)#exit
NETSEC-ASA(config-pmap)#exit
Configure the service policy to use POLICY-TFTP for all traffic (global).
NETSEC-ASA(config)#service-policy POLICY-TFTP global
You have successfully defined and activated a policy on an ASA 5506-X.
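The four MPF steps in 21.7.1 through 21.7.4 (ACL, class map, policy map, service policy) are easiest to see as one data flow: a packet is tested against a class map's match criterion, the policy map that references the class supplies the actions, and the service policy decides on which interfaces the policy map is consulted at all. The following Python model is an added example, not course or Cisco code. It rebuilds the course's TFTP-TRAFFIC / CLASS-TFTP / POLICY-TFTP configuration with the global service policy, and adds an assumed INSIDE-only policy map (INSIDE-POLICY, with the course's TO-SERVER and ALL-HTTP class maps) to show the difference between interface and global scope. ASA ACL addresses are written with a network mask, as the chapter summary notes, and that is how asa_network reads them. The precedence rule in actions_for (interface policy before global, first matching class per feature) is a simplifying assumption of the model, not a statement of every ASA rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ingress_if: str = "INSIDE"


@dataclass
class ACE:
    proto: str                   # "ip" matches every protocol, as on the ASA
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str
    dport: Optional[int] = None  # from "eq <port>"


def asa_network(spec: str) -> ipaddress.IPv4Network:
    """ASA ACL address notation: a network mask (255.255.255.0), not the IOS
    wildcard mask (0.0.0.255)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, rest = spec.split(maxsplit=1)
    if first == "host":
        return ipaddress.ip_network(rest + "/32")
    return ipaddress.ip_network(f"{first}/{rest}", strict=False)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in asa_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in asa_network(ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


class MPF:
    """Class maps identify traffic, policy maps bind actions to classes, and
    service policies attach one policy map globally or to one interface."""

    def __init__(self) -> None:
        self.acls: Dict[str, List[ACE]] = {}
        self.class_maps: Dict[str, tuple] = {}      # name -> match criterion
        self.policy_maps: Dict[str, List[Tuple[str, List[str]]]] = {}
        self.service_policies: Dict[str, str] = {}  # "global" or interface -> policy map

    def access_list(self, name: str, ace: ACE) -> None:
        self.acls.setdefault(name, []).append(ace)

    def class_map(self, name: str, *match) -> None:
        # ("any",) | ("access-list", acl_name) | ("port", proto, port)
        self.class_maps[name] = match

    def policy_map(self, name: str, classes: List[Tuple[str, List[str]]]) -> None:
        self.policy_maps[name] = classes

    def service_policy(self, pmap: str, scope: str = "global") -> None:
        self.service_policies[scope] = pmap

    def class_matches(self, cname: str, pkt: Packet) -> bool:
        match = self.class_maps[cname]
        if match[0] == "any":
            return True
        if match[0] == "access-list":
            return any(ace_matches(a, pkt) for a in self.acls.get(match[1], []))
        if match[0] == "port":
            return pkt.proto == match[1] and pkt.dport == match[2]
        raise ValueError(f"unknown match criterion {match}")

    def actions_for(self, pkt: Packet) -> Dict[str, Tuple[str, str, str]]:
        """Map feature -> (policy map, class map, action) for one packet.
        Assumed model: the ingress-interface policy is consulted before the
        global policy, and for one feature only the first matching class
        contributes an action."""
        applied: Dict[str, Tuple[str, str, str]] = {}
        for scope in (pkt.ingress_if, "global"):
            pmap = self.service_policies.get(scope)
            if pmap is None:
                continue
            for cname, actions in self.policy_maps[pmap]:
                if not self.class_matches(cname, pkt):
                    continue
                for action in actions:
                    # each protocol inspection is its own feature; other actions
                    # are keyed by their leading keyword (set, police)
                    feature = action if action.startswith("inspect") else action.split()[0]
                    applied.setdefault(feature, (pmap, cname, action))
        return applied


def build_course_example() -> MPF:
    """The course's TFTP policy applied globally, plus an assumed INSIDE-only
    policy map (not from the course) built from its TO-SERVER and ALL-HTTP classes."""
    mpf = MPF()
    mpf.access_list("TFTP-TRAFFIC", ACE("udp", "any", "any", 69))
    mpf.access_list("SERVER", ACE("ip", "any", "host 10.1.1.1"))
    mpf.class_map("CLASS-TFTP", "access-list", "TFTP-TRAFFIC")
    mpf.class_map("ALL-HTTP", "port", "tcp", 80)
    mpf.class_map("TO-SERVER", "access-list", "SERVER")
    mpf.policy_map("POLICY-TFTP", [("CLASS-TFTP", ["inspect tftp"])])
    mpf.policy_map("INSIDE-POLICY", [("TO-SERVER", ["set connection conn-max 100"]),
                                     ("ALL-HTTP", ["inspect http"])])
    mpf.service_policy("POLICY-TFTP", "global")
    mpf.service_policy("INSIDE-POLICY", "INSIDE")
    return mpf
```

Running build_course_example().actions_for(...) on a UDP/69 packet arriving on DMZ returns the TFTP inspection even though no policy is attached to DMZ, because POLICY-TFTP is global; the same HTTP packet to 10.1.1.1 collects actions from INSIDE-POLICY only when it enters on INSIDE.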
21.7.5 Packet Tracer - Configure ASA Basic Settings and Firewall Using the CLI
In this comprehensive Packet Tracer activity, you will complete the following
objectives:
Verify connectivity and explore the ASA.
Configure basic ASA settings and interface security levels using the CLI.
Configure routing, address translation, and inspection policy using the CLI.
Configure DHCP, AAA, and SSH.
Configure a DMZ, Static NAT, and ACLs.
21.7.6 Optional Lab - Configure ASA Network Services, Routing, and DMZ with ACLs Using CLI
In this comprehensive lab, you will complete the following objectives:
Part 1: Configure Basic Device Settings
Part 2: Configure Routing, Address Translation, and Inspection Policy Using the CLI
Part 3: Configure DHCP, AAA, and SSH
Part 4: Configure DMZ, Static NAT, and ACLs
The ASA 5506-X has eight Gigabit Ethernet interfaces that can be configured to carry
traffic on different Layer 3 networks. The G1/1 interface is frequently configured as the
outside interface to the ISP. Basic configuration of interfaces includes IP addressing,
naming, and setting the security level. Interfaces can be grouped together as bridged
virtual interfaces (BVI). A BVI can be configured with a single name and IP address
although other settings may need to be configured on the individual component
interfaces. Interfaces can be configured with addresses manually, by DHCP, or over
PPPoE. If the interface is configured with DHCP, a default route from an upstream
device can automatically be configured on the ASA. Otherwise, a default route must be
manually configured.
For remote management, the ASA can be configured to accept connections over Telnet
or SSH. SSH is strongly preferred. Authorization can be made from the local user
database.
Other network services such as NTP and DHCP can be configured on the ASA. The ASA
can be configured to receive NTP information from authenticated servers. DHCP
services can also be configured to provide addresses to internal hosts.
Object Groups
Objects are reusable components for use in configurations. Objects can be defined and
used in Cisco ASA configurations in the place of inline IP addresses, services, names,
and so on. Objects make it easy to maintain configurations because an object can be
modified in one place and the change will be reflected in all other places that are
referencing it. For example, a network object can be created to hold the IP address of a
syslog server. If the address of the server changes, the object can be changed, and that
change will be reflected in every configuration command that references the object.
There are two types of objects, network objects and service objects. Network objects
can include host addresses, subnets, ranges of addresses, and FQDNs. Service objects
can refer to different network services and protocols. Object groups are collections of
objects that are related. Network object groups can also be used in configurations
including ACLs and NAT. There are five types of object groups. Where objects can hold
only one value, object groups can hold multiple values including in-line values as well
as previously created objects.
ASA ACLs
The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs. ACLs control
access in a network by preventing defined traffic from entering or exiting. In addition,
an ACL can be used to select traffic to which a feature will apply, thereby performing a
matching service rather than a control service. ASA ACLs differ from IOS ACLs in that
they use a network mask (e.g., 255.255.255.0) instead of a wildcard mask (e.g.
0.0.0.255). There are five types of ASA ACLs including the familiar standard and
extended types. All ASA ACLs are named. ASA standard and extended ACL syntax is
similar to that used on ISRs. ASA ACLs must be grouped with an interface in order to go
into effect. Object groups can be used with ASA ACLs to limit the number of ACEs that
are required in a list.
NAT Services on an ASA
NAT can be configured on ASAs as is done with routers. For ASAs there are three
deployment methods. The first is inside NAT which is used for translating inside
addresses on secure networks to outside addresses on less secure networks. In outside
NAT, traffic from a lower security network is translated for a higher security network.
This is used to make internal enterprise hosts available to outside users. Bidirectional
NAT uses both inside and outside NAT together. The ASA supports four types of NAT,
dynamic NAT with overload, static NAT, policy NAT, and identity NAT. Network objects
must be used to configure NAT. They are used to represent pools of IP addresses to be
used in translation and the internal IP addresses that are permitted to be translated.
AAA
Cisco ASAs can be configured to authenticate access using a local user database or an
external server for authentication or both. Unlike the ISR, ASA devices do not support
local authentication without using AAA. Server-based AAA authentication uses an
external database server by leveraging the RADIUS or TACACS+ protocols.
To authenticate users who access the ASA CLI over a console, SSH, HTTPS (ASDM), or
Telnet connection, or to authenticate users who access privileged EXEC mode using
the enable command, use the aaa authentication enable console command in global
configuration mode.
Service Policies on an ASA
A Modular Policy Framework (MPF) configuration defines a set of rules for applying
firewall features, such as traffic inspection and QoS, to the traffic that traverses the
ASA. MPF allows granular classification of traffic flows, to apply different advanced
policies to different flows. Cisco MPF uses three configuration objects to define
modular, object-oriented, hierarchical policies. Class maps are used to identify the
traffic that will be processed by MPF. Policy maps define what will be done to the
identified traffic. Service policies identify which interfaces the policy map should be
applied to.
The ASA supports Layer 5 to Layer 7 inspections using a richer set of criteria for
application-specific parameters. For instance, the ASA MPF feature can be used to
match HTTP URLs and request methods, prevent users from surfing to specific sites
during specific times, or even prevent users from downloading music (MP3) and video
files via HTTP/FTP or HTTPS/SFTP.
21.8.2 Module 21 - ASA Firewall Configuration Quiz
Question 1
Which two statements are true about ASA standard ACLs? (Choose two.)
They are applied to interfaces to control traffic.
They identify only the destination IP address.
They are the most common type of ACL.
They specify both the source and destination MAC address.
They are typically only used for OSPF routes.
Question 2
When dynamic NAT on an ASA is being configured, what two parameters must be
specified by network objects? (Choose two.)
The inside NAT interface
The interface security level
A range of private addresses that will be translated
The outside NAT interface
The pool of public global addresses
Question 3
Which command is used on an ASA to enable password encryption and encrypt all
user passwords?
key config-key password-encryption [ new-pass [ old-pass ]]
password encryption aes
enable password password
service password-encryption
Question 4
Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are
to be translated only if traffic from these addresses is destined for the
198.133.219.0/24 network?
Dynamic NAT
Dynamic PAT
Policy NAT
Static NAT
Question 5
A network administrator has deployed object groups in order to make ACLs easier to
implement and understand. Which two objects would be part of a service object
group? (Choose two.)
Hostname
Top-level protocol
IP address
ICMP type
Subnet
Question 6
What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?
ASA ACLs do not have an implicit deny any at the end, whereas IOS ACLs do.
ASA ACLs are always named, whereas IOS ACLs are always numbered.
ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.
ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the
wildcard mask.
Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only
one IOS ACL can be applied.
Question 7
Which object or object group is required to implement NAT on an ASA 5506-X
device?
Service object
Network object
Protocol object group
Network object group
Question 8
Which statement describes a feature of AAA in an ASA device?
Accounting can be used alone.
Authorization is enabled by default.
Both authorization and accounting require a user to be authenticated first.
If authorization is disabled, all authenticated users will have a very limited access to
the commands.
Question 9
What type of ACL is designed for use in the configuration of an ASA to support
filtering for clientless SSL VPNs?
EtherType
Extended
Standard
Webtype
Question 10
A network technician is attempting to resolve problems with the NAT configuration
on an ASA. The technician generates a ping from an inside host to an outside host.
Which command verifies that addresses are being translated on the ASA?
show ip address
show ip nat translation
show running-config
show xlate
Question 11
Which two types of objects can be configured on an ASA device? (Choose two.)
User
Service
Security
Protocol
Network
ICMP-type
Question 12
Which option lists the four steps to configure the Modular Policy Framework on an
ASA?
1) Configure a policy map to apply actions to the identified traffic.
2) Configure a service policy to identify which interface should be activated for the
service.
3) Configure extended ACLs to identify specific granular traffic. This step may be
optional.
4) Configure the class map to define interesting traffic.
1) Configure a service policy to identify which interface should be activated for the
service.
2) Configure extended ACLs to identify specific granular traffic. This step may be
optional.
3) Configure the class map to define interesting traffic.
4) Configure a policy map to apply actions to the identified traffic.
1) Configure extended ACLs to identify specific granular traffic. This step may be
optional.
2) Configure the class map to define interesting traffic.
3) Configure a policy map to apply actions to the identified traffic.
4) Configure a service policy to identify which interface should be activated for the
service.
1) Configure extended ACLs to identify specific granular traffic. This step may be
optional.
2) Configure the class map to define interesting traffic.
3) Configure a service policy to identify which interface should be activated for the
service.
4) Configure a policy map to apply actions to the identified traffic.
Question 13
Which statement is true about ASA CLI and IOS CLI commands?
The show ip interface brief command is valid for both CLIs.
The ASA CLI does not recognize the write erase command, but the IOS CLI does.
Only the ASA CLI requires the use of Ctrl-C to interrupt show commands.
Both CLIs recognize the Tab key to complete a partial command.
21.9 Introduction to ASDM (Optional)
21.9.1 Overview of ASDM
The Cisco ASA can be configured and managed using either the command line
interface (CLI) or by using the graphical user interface (GUI) Adaptive Security Device
Manager (ASDM). The CLI is fast, but requires more time to learn. ASDM is intuitive
and simplifies the ASA configuration.
Specifically, Cisco ASDM is a Java-based GUI tool that facilitates the setup,
configuration, monitoring, and troubleshooting of Cisco ASAs. The application hides
the complexity of commands from administrators and allows streamlined
configurations without requiring extensive knowledge of the ASA CLI. It works with SSL
to ensure secure communication with the ASA. It also provides quick-configuration
wizards and logging and monitoring functionality that is not available using the CLI.
In order to access the advanced features of the Cisco ASA FirePOWER module that is
included with the ASA 5506-X, Firepower Management Center (FMC) is recommended.
Note: Cisco Adaptive Security Device Manager (ASDM) requires Java to be installed on
the host that is used for ASDM configuration of the ASA. Because of changes to the
Oracle Java License, we can no longer require download and installation of a Java
runtime environment (JRE) in order to run the ASDM labs.
21.9.2 Prepare for ASDM
To enable access to the ASDM, the ASA requires some minimal configuration.
Specifically, ASDM is accessed using a Secure Socket Layer (SSL) web browser
connection to the ASA Web Server. SSL encrypts the traffic between the client and the
ASA Web Server.
At a minimum, the ASA requires that a management interface be configured in order
to run ASDM. The management interface depends on the model of ASA. On an ASA
5506-X, the management interface can be any inside interface (G1/2 - G1/8).
Specifically, to prepare for ASDM access on an ASA 5506-X, the following must be
configured, as shown in the example:
Selected inside physical port - complete a basic configuration on the port including
a management IP address and security level
Enable the ASA Web Server - Enable the ASA HTTP server.
Permit access to the ASA Web Server - By default, the ASA operates in a closed
policy; therefore, all connections to the HTTP server are denied. A network
statement that specifies the hosts that are permitted to access the HTTP server
must be configured.
The example configures the chosen management inside interface (G1/2) with IP
address 192.168.1.1. It enables the interface, enables the ASA HTTP server, and
permits access from any inside host on the 192.168.1.0/24 network.
After configuring the ASA, verify connectivity by pinging it from the authorized host.
ciscoasa# conf t
ciscoasa(config)# interface g1/2
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)#
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)#
21.9.3 Syntax Checker - Configure an ASA 5506-X for ASDM Access
Use the Syntax Checker to configure an ASA 5506-X for ASDM access.
Configure the INSIDE interface.
Enter interface configuration mode for g1/2.
Name the interface INSIDE.
Configure the IP address 192.168.1.1 255.255.255.0.
Activate the interface.
Exit interface configuration mode.
ciscoasa(config)#interface g1/2
ciscoasa(config-if)#ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)#nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
Enable the ASA as an HTTP server.
Configure any host on the 192.168.1.0/24 network to access the HTTP server on
the INSIDE interface.
ciscoasa(config)#http server enable
ciscoasa(config)#http 192.168.1.0 255.255.255.0 INSIDE
You have successfully configured an ASA 5506-X for ASDM access.
21.9.4 Start ASDM
To start ASDM, enter the management IP address of the ASA in a web browser from a
permitted host. The permitted host must establish a connection through a browser to
the inside interface IP address using the HTTPS protocol.
The browser shows a certificate warning because the ASA presents a self-signed
certificate by default. In a lab you can click through it to launch the ASDM window; in
production, verify the certificate fingerprint out of band or install a certificate issued
by a CA the browser trusts before entering credentials.
The initial ASDM window is displayed, as shown in the figure. It provides two options
for preparing your computer to access the ASDM GUI:
Run Cisco ASDM as a local application - This provides the Install ASDM
Launcher option to connect to the ASA from the host's desktop using SSL. The
advantage of doing so is that one application can be used to manage several ASA
devices, and a web browser is not required to start ASDM.
Run Cisco ASDM as a Java Web Start application - This provides the Install Java
Web Start option to launch ASDM from the browser. A web browser is
required to establish a connection. ASDM is not installed on the local host.
After selecting an option, the installation process will begin. Note: Your computer
requires a Java runtime for either of these options to work.
ASDM Initial Launch Window
In this example, Install ASDM Launcher is selected. The application installer will
download to your computer. Run the installer and follow the prompts to install the
software. When installation is complete, the Cisco ASDM-IDM Launcher window will
appear as shown in the figure. Provide the enable password and click OK. With no
AAA configured for HTTP access, ASDM accepts a blank username and the enable
password; configuring aaa authentication http console LOCAL (or a RADIUS/TACACS+
server group) makes the launcher require an individual user account instead, which is
what an audit trail of management actions needs.
Authenticate to Use ASDM
21.9.5 Lab - Configure ASA Basic Settings and Firewall Using ASDM
In this lab, you will complete the following objectives:
Some security testing techniques are predominantly manual, and others are highly
automated. Regardless of the type of testing, the staff that sets up and conducts the
security testing should have significant security and networking knowledge in these
areas:
Operating systems
Basic programming
Networking protocols, such as TCP/IP
Network vulnerabilities and risk mitigation
Device hardening
Firewalls
IPSs
22.1.2 Testing and Evaluating Network Security
The effectiveness of an operations security solution can be tested without waiting for a
real threat to take place. Network security testing makes this possible. Network
security testing is performed on a network to ensure all security implementations are
operating as expected. Typically, network security testing is conducted during the
implementation and operational stages, after the system has been developed,
installed, and integrated.
Security testing provides insight into various administrative tasks, such as risk analysis
and contingency planning. It is important to document the results of security testing
and make them available for staff involved in other IT areas.
During the implementation stage, security testing is conducted on specific parts of the
network. After a network is fully integrated and operational, a Security Test and
Evaluation (ST&E) is performed. An ST&E is an examination of the protective measures
that are placed on an operational network.
Objectives of ST&E include the following:
Uncover design, implementation, and operational flaws that could lead to the
violation of the security policy.
Determine the adequacy of security mechanisms, assurances, and device
properties to enforce the security policy.
Assess the degree of consistency between the system documentation and its
implementation.
Tests should be repeated periodically and whenever a change is made to the system.
For security systems that protect critical information or protect hosts that are exposed
to constant threat, security testing should be conducted more frequently.
22.1.3 Types of Network Tests
After a network is operational, you must assess its security status. Many security tests
can be conducted to assess the operational status of the network:
Penetration testing - Network penetration tests, or pen testing, simulate attacks
from malicious sources. The goal is to determine the feasibility of an attack and
possible consequences if one were to occur. Some pen testing may involve
accessing a client’s premises and using social engineering skills to test their overall
security posture.
Network scanning - Includes software that can ping computers, scan for listening
TCP ports, and display which types of resources are available on the network. Some
scanning software can also detect usernames, groups, and shared resources.
Network administrators can use this information to strengthen their networks.
Vulnerability scanning - This includes software that can detect potential
weaknesses in the tested systems. These weaknesses can include misconfiguration,
blank or default passwords, or potential targets for DoS attacks. Some software
allows administrators to attempt to crash the system through the identified
vulnerability.
Password cracking - This includes software that is used to test and detect weak
passwords that should be changed. Password policies must include guidelines to
prevent weak passwords.
Log review - System administrators should review security logs to identify potential
security threats. Filtering software to scan lengthy log files should be used to help
discover abnormal activity to investigate.
Integrity checkers - An integrity checking system detects and reports on changes in
the system. Most of the monitoring is focused on the file system. However, some
checking systems can report on login and logout activities.
Virus detection - Virus or antimalware detection software should be used to
identify and remove computer viruses and other malware.
Note: Other tests, including Wardialing and Wardriving, are considered to be legacy,
but should still be accounted for in network testing.
22.1.4 Applying Network Test Results
Network security testing results can be used in several ways:
To define mitigation activities to address identified vulnerabilities
As a benchmark to trace the progress of an organization in meeting security
requirements
To assess the implementation status of system security requirements
To conduct cost and benefit analysis for improvements to network security
To enhance other activities, such as risk assessments, certification and
authorization (C&A), and performance improvement efforts
As a reference point for corrective action
22.2 Network Security Testing Tools
22.2.1 Network Testing Tools
There are many tools available to test the security of systems and networks. Some of
these tools are open source while others are commercial tools that require licensing.
Software tools that can be used to perform network testing include:
Nmap/Zenmap - This is used to discover computers and their services on a
network, therefore creating a map of the network.
SuperScan - This port scanning software is designed to detect open TCP and UDP
ports, determine what services are running on those ports, and to run queries,
such as whois, ping, traceroute, and hostname lookups.
SIEM (Security Information and Event Management) - This is a technology used in
enterprise organizations to provide real-time reporting and long-term analysis of
security events.
GFI LANguard - This is a network and security scanner which detects vulnerabilities.
Tripwire - This tool assesses and validates IT configurations against internal
policies, compliance standards, and security best practices.
Nessus - This is a vulnerability scanning software, focusing on remote access,
misconfigurations, and DoS against the TCP/IP stack.
L0phtCrack - This is a password auditing and recovery application.
Metasploit - This tool provides information about vulnerabilities and aids in
penetration testing and IDS signature development.
Note: Network testing tools evolve at a rapid pace. The preceding list includes legacy
tools, and its intent is to provide an awareness of the different types of tools available.
22.2.2 Nmap and Zenmap
Nmap is a commonly used, low-level scanner that is available to the public. It has an
array of excellent features which can be used for network mapping and
reconnaissance.
The basic functionality of Nmap allows the user to accomplish several tasks, as follows:
Classic TCP and UDP port scanning -This searches for different services on one
host.
Classic TCP and UDP port sweeping - This searches for the same service on
multiple hosts.
Stealth TCP and UDP port scans and sweeps - This is similar to classic scans and
sweeps, but harder to detect by the target host or IPS.
Remote operating system identification - This is also known as OS fingerprinting.
Advanced features of Nmap include protocol scanning (the -sO IP protocol scan),
sometimes described as Layer 3 port scanning. This feature identifies which Layer 3
protocols a host supports. Examples of protocols that can be identified include GRE
and OSPF.
While Nmap can be used for security testing, it can also be used for malicious
purposes. Nmap has an additional feature that lets a scan be launched alongside
decoy source addresses, so the target sees the probes arriving from several hosts at
once and the true source of the scan is harder to identify.
Nmap's core is a transport-layer scanner (its version detection and scripting engine
add application-layer probes), and it runs on UNIX, Linux, Windows, and macOS.
Both console and graphical versions are available. The Nmap program and Zenmap GUI
can be downloaded from the internet.
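The difference between a port scan (many ports on one host) and a port sweep (one port across many hosts) is easiest to see in the scan output itself. Nmap can write its results as XML with -oX, and the Python script below, an added example that is not part of the course or of Nmap, parses that format into both views and then picks out open cleartext management services. NMAP_XML is a hand-written sample in the shape of Nmap's XML output, not a real scan, and the WATCHLIST of service names is an assumption for illustration.

```python
"""Parse Nmap -oX output into per-host (scan) and per-port (sweep) views.

Added example for the course text. NMAP_XML is a constructed sample that
follows the structure of Nmap's XML output; it is not real scan output.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -O -oX scan.xml 192.0.2.0/30">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 15.X" accuracy="92"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Cleartext or commonly misconfigured management services (assumed list).
WATCHLIST = ("telnet", "snmp", "http")


def parse_nmap(xml_text: str) -> Dict[str, dict]:
    """Port-scan view: address -> open (proto, port, service) triples and OS guess."""
    hosts: Dict[str, dict] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data
        addr = host.find("address").get("addr")
        open_ports: List[Tuple[str, int, str]] = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            open_ports.append((port.get("protocol"), int(port.get("portid")),
                               svc.get("name") if svc is not None else "unknown"))
        osmatch = host.find("os/osmatch")
        hosts[addr] = {"open": open_ports,
                       "os": osmatch.get("name") if osmatch is not None else None}
    return hosts


def port_sweep(hosts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Port-sweep view: 'tcp/22' -> list of hosts where that port is open."""
    sweep = defaultdict(list)
    for addr, info in hosts.items():
        for proto, portid, _ in info["open"]:
            sweep[f"{proto}/{portid}"].append(addr)
    return dict(sweep)


def exposed_services(hosts: Dict[str, dict], watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Open services whose name is on the watch list, for follow-up hardening."""
    return [(addr, f"{proto}/{portid}", name)
            for addr, info in hosts.items()
            for proto, portid, name in info["open"] if name in watchlist]


if __name__ == "__main__":
    found = parse_nmap(NMAP_XML)
    for addr, info in found.items():
        print(addr, info["os"], info["open"])
    print(port_sweep(found))
    print(exposed_services(found))
```

Running a real scan as `nmap -sS -sU -O -oX scan.xml <targets>` and feeding scan.xml to parse_nmap gives the same two views; note that the filtered telnet port on the first host is reported by Nmap but is not counted as open, so it does not appear in the watch-list output.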
22.2.3 SuperScan
SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of
Windows and requires administrator privileges.
SuperScan version 4 has a number of useful features:
Adjustable scanning speed
Support for unlimited IP ranges
Improved host detection using multiple ICMP methods
TCP SYN scanning
UDP scanning (two methods)
Simple HTML report generation
Source port scanning
Fast hostname resolution
Extensive banner grabbing capabilities
Massive built-in port list description database
IP and port scan order randomization
A selection of useful tools, such as ping, traceroute, and whois
Extensive Windows host enumeration capability
Tools such as Nmap and SuperScan support penetration testing by mapping which
hosts, ports, and services a network exposes, which helps to anticipate possible
attack paths. However, network testing cannot prepare a network administrator
for every security problem.
22.2.4 SIEM
Security Information and Event Management (SIEM) is a technology used in enterprise
organizations to provide real-time reporting and long-term analysis of security events.
SIEM evolved from two previously separate products: Security Information
Management (SIM) and Security Event Management (SEM). SIEM can be implemented
as software, integrated with Cisco Identity Services Engine (ISE) or as a managed
service.
SIEM combines the essential functions of SIM and SEM to provide:
Correlation - Examines logs and events from disparate systems or applications,
speeding detection of and reaction to security threats.
Aggregation - Aggregation reduces the volume of event data by consolidating
duplicate event records.
Forensic analysis - The ability to search logs and event records from sources
throughout the organization provides more complete information for forensic
analysis.
Retention - Stores the correlated and aggregated event data so that it can feed real-
time monitoring, long-term summaries and reports, and log-retention requirements.
SIEM provides details on the source of suspicious activity, including:
User information (name, authentication status, location, authorization group,
quarantine status)
Device information (manufacturer, model, OS version, MAC address, network
connection method, location)
Posture information (device compliance with corporate security policy, antivirus
version, OS patches, compliance with mobile device management policy)
Using this information, network security engineers can quickly and accurately assess
the significance of any security event and answer the critical questions:
Who is associated with this event?
Is it an important user with access to intellectual property or sensitive information?
Is the user authorized to access that resource?
Does the user have access to other sensitive resources?
What kind of device is being used?
Does this event represent a potential compliance issue?
22.2.5 Check Your Understanding - Identify Network Security Testing Tools
Check your understanding of network security testing tools by choosing the correct
answer to the following questions.
Question 1
Which tool provides information about vulnerabilities and aids in penetration testing
and IDS signature development?
SuperScan
Metasploit
SIEM
Tripwire
Question 2
Which tool discovers computers and services on a computer network, therefore
creating a map of the network?
Nessus
GFI LANguard
SuperScan
Nmap/Zenmap
Question 3
Which tool is a vulnerability scanning software, focusing on remote access,
misconfigurations, and DoS against the TCP/IP stack?
Nessus
GFI LANguard
SuperScan
SIEM
22.3 Network Security Testing Summary
22.3.1 What Did I Learn in this Module?
Network Security Testing Techniques
Operations security starts with the planning and implementation process of a network.
During these phases, the operations team analyzes designs, identifies risks and
vulnerabilities, and makes the necessary adaptations. The actual operational tasks
begin after the network is set up and include the continual maintenance of the
environment. The staff that sets up and conducts the security testing should have
significant security and networking knowledge in these areas: device hardening,
firewalls, IPSs, operating systems, basic programming, networking protocols, such as
TCP/IP, and network vulnerabilities and risk mitigation. An ST&E is an examination of
the protective measures that are placed on an operational network. Many security
tests can be conducted to assess the operational status of the network and include:
penetration testing, network scanning, vulnerability scanning, password cracking, log
review, integrity checkers, and virus detection.
Network Security Testing Tools
There are many tools available to test the security of systems and networks including:
Nmap/Zenmap, SuperScan, SIEM, GFI LANguard, Tripwire, Nessus, L0phtCrack, and
Metasploit. Nmap and Zenmap (its graphical frontend) are commonly used and free
low-level scanners. SuperScan is also a free Microsoft Windows port scanning tool.
Security Information and Event Management (SIEM) is a technology used in enterprise
organizations to provide real-time reporting and long-term analysis of security events.
SIEMs provide correlation, aggregation, forensic analysis, and retention.
22.3.2 Module 22 - Network Security Testing Quiz
Question 1
Each day, a security analyst spends time examining logs and events from different
systems and applications to quickly detect security threats. What function of the
Security Information Event Management (SIEM) technology does this action
represent?
Aggregation
Retention
Forensic analysis
Correlation
Question 2
Which network security tool can detect open TCP and UDP ports on most versions of
Microsoft Windows?
SuperScan
Nmap
Zenmap
L0phtcrack
Question 3
A security technician is evaluating a new operations security proposal designed to
limit access to all servers. What is an advantage of using network security testing to
evaluate the new proposal?
Network security testing is simple because it requires just one test to evaluate the new
proposal.
Network security testing proactively evaluates the effectiveness of the proposal
before any real threat occurs.
Network security testing is specifically designed to evaluate administrative tasks
involving server and workstation access.
Network security testing is most effective when deploying new security proposals.
Question 4
What information does the SIEM network security management tool provide to
network administrators?
Real time reporting and analysis of security events
Detection of open TCP and UDP ports
Assessment of system security configurations
A map of network systems and services
Question 5
What network scanning tool has advanced features that allows it to use decoy hosts
to mask the source of the scan?
Nmap
Tripwire
Nessus
Metasploit
Question 6
A new person has joined the security operations team for a manufacturing plant.
What is a common scope of responsibility for this person?
Data security on host devices
Day-to-day maintenance of network security
Managing redundancy operations for all systems
Physical and logical security of all business personnel
Question 7
Which security test is appropriate for detecting system weaknesses such as
misconfiguration, default passwords, and potential DoS targets?
Penetration testing
Vulnerability scanning
Network scanning
Integrity checkers
Question 8
What type of network security test would be used by network administrators for
detection and reporting of changes to network systems?
Integrity checking
Penetration testing
Vulnerability scanning
Network scanning
Question 9
Which network security tool allows an administrator to test and detect weak
passwords?
L0phtcrack
Nessus
Tripwire
Metasploit
Question 10
What are two tasks that can be accomplished with the Nmap and Zenmap network
tools? (Choose two.)
TCP and UDP port scanning
Identification of Layer 3 protocol support on hosts
Password auditing
Password recovery
Validation of IT system configuration
Question 11
What type of security test uses simulated attacks to determine possible
consequences of a real threat?
Penetration testing
Integrity checking
Vulnerability scanning
Network scanning
Question 12
What function is provided by the Tripwire network security tool?
Security policy compliance
Logging of security events
IDS signature development
Password recovery
Checkpoint Exam: ASA Group Exam
This exam will cover material from Modules 20-22 of the Network Security 1.0
curriculum.
Copyright 2021, Cisco Systems, Inc.
Question 1
In which two instances will traffic be denied as it crosses the ASA 5506-X device?
(Choose two.)
traffic originating from the outside network going to the inside network
traffic originating from the DMZ network going to the inside network
traffic originating from the outside network going to the DMZ network
traffic originating from the inside network going to the outside network
traffic originating from the inside network going to the DMZ network
Question 2
What mechanism is used by an ASA device to allow inspected outbound traffic to
return to the originating sender who is on an inside network?
Network Address Translation
stateful packet inspection
access control lists
security zones
Question 3
Which license provides up to 50 IPsec VPN users on an ASA 5506-X device?
a purchased AnyConnect Premium license
a purchased Base license
a purchased Security Plus upgrade license
the most commonly pre-installed Base license
Question 4
What is the purpose of configuring an IP address on an ASA device in transparent
mode?
VPN connectivity
Management
NAT
Routing
Question 5
When configuring interfaces on an ASA, which two pieces of information must be
included? (Choose two.)
FirePower version
group association
name
service level
access list
security level
Question 6
What are three characteristics of the ASA routed mode? (Choose three.)
NAT can be implemented between connected networks.
In this mode, the ASA is invisible to an attacker.
This mode is referred to as a "bump in the wire."
This mode does not support VPNs, QoS, or DHCP Relay.
It is the traditional firewall deployment mode.
The interfaces of the ASA separate Layer 3 networks and require different IP
addresses in different subnets.
Question 7
Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what
statement correctly describes the flow of traffic allowed on the interfaces?
Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the LAN to the Internet is considered
outbound.
Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.
Traffic that is sent from the LAN to the DMZ is considered inbound.
Question 8
Refer to the exhibit. What kind of NAT is configured on the ASA device?
twice NAT
dynamic NAT
static NAT
dynamic PAT
Question 10
Refer to the exhibit. A network administrator is configuring the security level for the
ASA. Which statement describes the default result if the administrator tries to assign
the Inside interface with the same security level as the DMZ interface?
The ASA console will display an error message.
The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the
DMZ to the Inside interface.
The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the
Inside interface.
The ASA will not allow traffic in either direction between the Inside interface and the
DMZ.
Question 11
What interface configuration command is used on an ASA to request an IP address
from an upstream DSL device?
ip address pppoe
ip address
ip address dhcp setroute
dhcpd address[]
Question 12
What can be configured as part of a network object?
IP address and mask
Source and destination MAC address
Upper layer protocol
Interface type
Question 13
What is the function of a policy map configuration when an ASA firewall is being
configured?
identifying interesting traffic
using ACLs to match traffic
binding a service policy to an interface
binding class maps with actions
Question 14
A network analyst is testing the security of the systems and networks of a
corporation. What tool could be used to audit and recover passwords?
Metasploit
L0phtCrack
Nessus
SuperScan
Question 15
What testing tool is available for network administrators who need a GUI version of
Nmap?
SIEM
SuperScan
Zenmap
Nessus
Question 16
A network analyst wants to monitor the activity of all new interns. Which type of
security testing would track when the interns sign on and sign off the network?
password cracking
integrity checker
network scanning
vulnerability scanning
Question 17
What is the goal of network penetration testing?
detecting potential weaknesses in systems
detecting configuration changes on network systems
determining the feasibility and the potential consequences of a successful attack
detecting weak passwords
Question 18
How does network scanning help assess operations security?
It can log abnormal activity.
It can simulate attacks from malicious sources.
It can detect open TCP ports on network systems.
It can detect weak or blank passwords.
Question 19
What are three characteristics of SIEM? (Choose three.)
consolidates duplicate event data to minimize the volume of gathered data
examines logs and events from systems and applications to detect security threats
Microsoft port scanning tool designed for Windows
can be implemented as software or as a service
provides real-time reporting for short-term security event analysis
uses penetration testing to determine most network vulnerabilities
Question 20
What is the purpose of the Tripwire network testing tool?
to provide information about vulnerabilities and aid in penetration testing and IDS
signature development
to provide password auditing and recovery
to detect unauthorized wired network access
to assess configuration against established policies, recommended best practices,
and compliance standards
to perform vulnerability scanning
Network Security 1.0 Practice Final
This practice final exam will cover material from the Network Security 1.0 curriculum
This exam can be used to practice for the final exam. This exam contains questions
similar in design to those on the final exam. However, your performance on this exam
does not predict your performance on the course final exam. Use the feedback
associated with this exam to target content areas for further study.
© 2021, Cisco Systems, Inc.
Question 1
Which benefit does SSH offer over Telnet for remotely managing a router?
Connections via multiple VTY lines
TCP usage
Encryption
Authorization
*SSH provides secure access to a network device for remote management. It uses
stronger authentication than Telnet does and encrypts all data that is transported
during the session.
Question 2
How does the service password-encryption command enhance password security on
Cisco routers and switches?
It requires that a user type encrypted passwords to gain console access to a router or
switch.
It encrypts passwords that are stored in router or switch configuration files.
It requires encrypted passwords to be used when connecting remotely to a router or
switch with Telnet.
It encrypts passwords as they are sent across the network.
*The service password-encryption command encrypts plaintext passwords in the
configuration file so that they cannot be viewed by unauthorized users.
Question 3
A network administrator is explaining to a junior colleague the use of
the lt and gt keywords when filtering packets using an extended ACL. Where would
the lt or gt keywords be used?
in an IPv4 extended ACL that allows packets from a range of TCP ports destined for a
specific network device
in an IPv4 named standard ACL that has specific UDP protocols that are allowed to be
used on a specific server
in an IPv6 named ACL that permits FTP traffic from one particular LAN getting to
another LAN
in an IPv6 extended ACL that stops packets going to one specific destination VLAN
*The lt and gt keywords are used for defining a range of port numbers that are less
than a particular port number or greater than a particular port number.
Question 4
Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?
the use of named ACL statements
an implicit deny any any statement
an implicit permit of neighbor discovery packets
the use of wildcard masks
*One of the major differences between IPv6 and IPv4 ACLs is the pair of implicit
permit statements at the end of every IPv6 ACL. These two permit statements allow
neighbor discovery operations to function on the router interface.
Question 5
Which two statements describe remote access VPNs? (Choose two.)
Client software is usually required to be able to access the network.
Remote access VPNs are used to connect entire networks, such as a branch office to
headquarters.
End users are not aware that VPNs exists.
Remote access VPNs support the needs of telecommuters and mobile users.
A leased line is required to implement remote access VPNs.
*Remote access VPNs are designed to provide for the needs of telecommuters and
mobile users through the use of software that is installed on the client to encrypt and
encapsulate the data. Remote access VPNs can be used across a variety of WAN
connections. Users must access the client software to initiate the VPN connection.
Question 6
Which two statements are characteristics of a virus? (Choose two.)
A virus replicates itself by independently exploiting vulnerabilities in networks.
A virus can be dormant and then activate at a specific time or date.
A virus typically requires end-user activation.
A virus has an enabling vulnerability, a propagation mechanism, and a payload.
A virus provides the attacker with sensitive data, such as passwords.
*The type of end user interaction required to launch a virus is typically opening an
application, opening a web page, or powering on the computer. Once activated, a virus
may infect other files located on the computer or other computers on the same
network.
Question 7
Refer to the exhibit. Which statement about the JR-Admin account is true?
JR-Admin can issue ping and reload commands.
JR-Admin cannot issue any command because the privilege level does not match one
of those defined.
JR-Admin can issue only ping commands.
JR-Admin can issue show, ping, and reload commands.
JR-Admin can issue debug and reload commands.
*When a user account is configured with the privilege 10 keyword, that user is
permitted to run commands with a privilege level of 10 or less (0-10).
Question 8
Which three types of views are available when configuring the role-based CLI access
feature? (Choose three.)
Superuser view
Admin view
CLI view
Superview
Config view
Root view
*There are three types of Role-based CLI views:
1) root view
2) CLI view
3) superview
Question 9
What command must be issued on a Cisco router that will serve as an authoritative
NTP server?
ntp broadcast client
ntp server 172.16.0.1
ntp master 1
clock set 11:00:00 DEC 20 2010
*Routers that will serve as NTP masters must be configured with the ntp
master command. A client is configured with the ntp server command so that the
client can locate the NTP master. The ntp broadcast client command allows the device
to receive NTP broadcast messages. The clock set command is used to set the time on
a router.
Question 10
Which statement describes the characteristics of packet-filtering and stateful
firewalls as they relate to the OSI model?
A packet-filtering firewall typically can filter up to the transport layer, whereas a
stateful firewall can filter up to the session layer.
A packet-filtering firewall uses session layer information to track the state of a
connection, whereas a stateful firewall uses application layer information to track the
state of a connection.
A stateful firewall can filter application layer information, whereas a packet-filtering
firewall cannot filter beyond the network layer.
Both stateful and packet-filtering firewalls can filter at the application layer.
*Packet-filtering firewalls can always filter Layer 3 content and sometimes TCP and
UDP-based content. Stateful firewalls monitor connections and thus have to be able to
support up to the session layer of the OSI model.
Question 11
A company is deploying a new network design in which the border router has three
interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to
the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which
type of traffic would receive the least amount of inspection (have the most freedom
of travel)?
traffic that originates from the public network and that is destined for the DMZ
traffic that is going from the private network to the DMZ
traffic that is returning from the public network after originating from the private
network
traffic that is returning from the DMZ after originating from the private network
*Most traffic within an organization originates from a private IP address. The amount
of inspection done to that traffic depends on its destination or whether traffic that is
going to that private IP address originated the connection. The demilitarized zone
typically holds servers. Traffic that is destined to those servers is filtered based on what
services are being provided by the server (HTTP, HTTPS, DNS, etc.).
Question 12
What is a difference between symmetric and asymmetric encryption algorithms?
Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption
algorithms use different keys to encrypt and decrypt data.
Symmetric encryption algorithms are used to authenticate secure communications.
Asymmetric encryption algorithms are used to repudiate messages.
Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption
algorithms are used to decrypt data.
Symmetric algorithms are typically hundreds to thousands of times slower than
asymmetric algorithms.
*Asymmetric algorithms can use very long key lengths in order to avoid being hacked.
This results in the use of significantly increased resources and time compared to
symmetric algorithms.
Question 13
Which two security features can cause a switch port to become error-disabled?
(Choose two.)
Root guard
Protected ports
PortFast with BPDU guard enabled
Port security with the shutdown violation mode
Storm control with the trap option
*Error-disabled mode is a way for a switch to automatically shut down a port that is
causing problems, and usually requires manual intervention from an administrator to
restore the port. When port security is configured to use the shutdown violation mode,
it will put the port into the error-disabled mode when the maximum number of MAC
addresses is exceeded. Likewise, BPDU guard will put the port into error-disabled
mode if a BPDU arrives on a PortFast enabled interface. Storm control will only put the
port into the error-disabled mode when configured with the shutdown option. The
trap option will simply create an SNMP log message.
Question 14
Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that
filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic
originating from Zone B going to Zone C is denied. What is a possible scenario for
Zones A, B, and C?
A – Inside, B – DMZ, C – Outside
A – DMZ, B – Outside, C – Inside
A – Outside, B – Inside, C – DMZ
A – DMZ, B – Inside, C – Outside
The ASA protects Network/Zone C (Inside) from unauthorized access by users on
Network/Zone B (Outside). It also denies traffic from Network/Zone A (DMZ) to
Network/Zone C (Inside), because by default the ASA only allows traffic to originate
from a higher security level toward a lower one.
Question 15
What is the purpose of configuring multiple crypto ACLs when building a VPN
connection between remote sites?
When multiple combinations of IPsec protection are being chosen,
multiple crypto ACLs can define different traffic types.
Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled
router across the Internet or network.
By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent
public users from connecting to the VPN-enabled router.
Multiple crypto ACLs can be configured to deny specific network traffic from crossing a
VPN.
A crypto ACL can define "interesting traffic" that is used to build a VPN, and forward
that "interesting traffic" across the VPN to another VPN-enabled router. Multiple
crypto ACLs are used to define multiple different types of traffic and utilize different
IPsec protection corresponding to the different types of traffic.
Question 16
Refer to the exhibit. A network administrator is configuring the security level for the
ASA. What is a best practice for assigning the security level on the three interfaces?
Outside 0, Inside 35, DMZ 90
Outside 40, Inside 100, DMZ 0
Outside 0, Inside 100, DMZ 50
Outside 100, Inside 10, DMZ 40
The Cisco ASA assigns security levels to distinguish among the different networks it
connects. Security levels define the trustworthiness of an interface: the higher the
level, the more trusted the interface. Security levels range from 0 (least trusted)
to 100 (most trusted). Therefore, the interface connecting to the Internet should be
assigned the lowest level, the interface connecting to the internal network the highest
level, and the interface connecting to the DMZ a level between them. By default, traffic
may flow from a higher-security interface to a lower-security one, but not the reverse
unless an ACL explicitly permits it.
Question 17
Refer to the exhibit. A network administrator is configuring an object group on an
ASA device. Which configuration keyword should be used after the object group
name SERVICE1?
icmp
ip
tcp
udp
Because this is a service object group, the keyword should indicate which protocol is
used. The options are tcp, udp, tcp-udp, icmp, and icmpv6. The subsequent commands
indicate that the services in the group are WWW, FTP, and SMTP. Because all of these
protocols use TCP, the keyword in the service object group should be tcp.
Question 19
Which two statements correctly describe certificate classes used in the PKI? (Choose
two.)
A class 5 certificate is for users with a focus on verification of email.
The lower the class number, the more trusted the certificate.
A class 0 certificate is for testing purposes.
A class 4 certificate is for online business transactions between companies.
A class 0 certificate is more trusted than a class 1 certificate.
*A digital certificate class is identified by a number. The higher the number, the more
trusted the certificate. The classes include the following:
Class 0 is for testing purposes in which no checks have been performed.
Class 1 is for individuals with a focus on verification of email.
Class 2 is for organizations for which proof of identity is required.
Class 3 is for servers and software signing for which independent verification and
checking of identity and authority is done by the issuing certificate authority.
Class 4 is for online business transactions between companies.
Class 5 is for private organizations or governmental security.
Question 20
What protocol is used by SCP for secure transport?
SSH
HTTPS
Telnet
IPSec
TFTP
*The Secure Copy (SCP) feature provides a secure and authenticated method for
copying and saving router configuration files by using SSH.
Question 21
What type of network security test uses simulated attacks to determine the
feasibility of an attack as well as the possible consequences if the attack occurs?
network scanning
integrity checking
vulnerability scanning
penetration testing
*There are many tests that are used by security specialists to assess the status of a
system. They include the following:
penetration testing to determine the feasibility of attacks
network scanning to scan for and identify open TCP ports
integrity checking to check for changes that have occurred in the system
vulnerability scanning to detect potential weaknesses in systems
Question 22
When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step
must be taken after zones have been created?
Identify subsets within zones.
Design the physical infrastructure.
Assign interfaces to zones.
Establish policies between zones.
*The steps for configuring zones in a Zone-Based Policy Firewall are as follows:
Step 1. Determine the zones.
Step 2. Establish policies between zones.
Step 3. Design the physical infrastructure.
Step 4. Identify subsets within zones and merge traffic requirements.
Question 26
What are two shared characteristics of the IDS and the IPS? (Choose two.)
Both analyze copies of network traffic.
Both rely on an additional network device to respond to malicious traffic.
Both are deployed as sensors.
Both have minimal impact on network performance.
Both use signatures to detect malicious traffic.
*Both the IDS and the IPS are deployed as sensors and use signatures to detect
malicious traffic. The IDS analyzes copies of network traffic, which results in minimal
impact on network performance. The IDS also relies on an IPS to stop malicious traffic.
Question 27
When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions
can be applied to a traffic class? (Choose two.)
copy
forward
inspect
drop
hold
log
*The three actions that can be applied are inspect, drop, and pass.
Inspect - This action offers state-based traffic control.
Drop - This is the default action for all traffic. Similar to the implicit deny any at the
end of every ACL, there is an explicit drop applied by the IOS to the end of every
policy map.
Pass - This action allows the router to forward traffic from one zone to another.
Question 28
What are two hashing algorithms used with IPsec AH to guarantee authenticity?
(Choose two.)
RSA
DH
MD5
SHA
AES
*The IPsec framework uses various protocols and algorithms to provide data
confidentiality, data integrity, authentication, and secure key exchange. Two popular
algorithms used to ensure that data is not intercepted and modified (data integrity and
authenticity) are MD5 and SHA.
Question 29
What is a benefit of having users or remote employees use a VPN to connect to the
existing network rather than growing the network infrastructure?
cost savings
scalability
compatibility
security
*A benefit of VPNs is scalability because organizations can use the Internet and easily
add new users without adding significant infrastructure. Security is provided by using
encryption and authentication protocols to protect data. Another benefit is
compatibility because VPNs can be implemented across a wide variety of WAN
connections. Organizations also benefit from cost savings because VPNs reduce
connectivity costs while simultaneously increasing remote connection bandwidth.
Question 30
Why are DES keys considered weak keys?
They produce identical subkeys.
DES weak keys use very long key sizes.
They are more resource intensive.
DES weak keys are difficult to manage.
*Weak keys, whether a property of the algorithm itself or of how a key was generated,
reveal regularities in encryption that give an attacker a shortcut for breaking it.
DES has four weak keys: after the key schedule's initial permutation (PC-1), each
28-bit half of the key is either all zeros or all ones, so the per-round rotations
change nothing and all 16 round subkeys are identical. With identical subkeys,
encryption is identical to decryption, so encrypting twice with such a key returns
the plaintext.
Question 31
What is an advantage in using a packet filtering firewall versus a high-end firewall
appliance?
Packet filters represent a complete firewall solution.
Packet filters provide an initial degree of security at the data-link and network layer.
Packet filters are not susceptible to IP spoofing.
Packet filters perform almost all the tasks of a high-end firewall at a fraction of the
cost.
*There are several advantages of using a packet filtering firewall:
- allows for implementing simple permit or deny rule sets.
- has a low impact on network performance
- is easy to implement, and is supported by most routers
- provides an initial degree of security at the network layer
- performs almost all the tasks of a high-end firewall at a much lower cost
Question 32
What three tasks can a network administrator accomplish with the Nmap and
Zenmap security testing tools? (Choose three.)
development of IDS signatures
security event analysis and reporting
password recovery
assessment of Layer 3 protocol support on hosts
open UDP and TCP port detection
operating system fingerprinting
*Nmap is a publicly available, low-level network scanner. It performs port scanning to
identify open TCP and UDP ports, operating system fingerprinting, and IP protocol
scanning to identify which Layer 3 protocols a host supports. Zenmap is the GUI
front end for Nmap.
Question 33
Match the network security testing tool with the correct function.
Question 34
What is indicated by the use of the local-case keyword in a local AAA authentication
configuration command sequence?
that AAA is enabled globally on the router
that user access is limited to vty terminal lines
that passwords and usernames are case-sensitive
that a default local database AAA authentication is applied to all lines
The use of the local-case keyword means that the authentication is case-sensitive. It
does not enable or apply the AAA configuration to router interfaces or lines.
Question 35
What technology allows users to verify the identity of a website and to trust code
that is downloaded from the Internet?
digital signature
encryption
asymmetric key algorithm
hash algorithm
*Digital signatures provide assurance of the authenticity and integrity of software
codes. They provide the ability to trust code that is downloaded from the Internet.
Question 36
In the implementation of network security, how does the deployment of a Cisco ASA
firewall differ from a Cisco IOS router?
ASA devices support interface security levels.
ASA devices use ACLs that are always numbered.
ASA devices do not support an implicit deny within ACLs.
ASA devices use ACLs configured with a wildcard mask.
*The differences between ASA devices and Cisco IOS routers include the following:
An ASA device configured with ACLs is configured with a subnet mask.
An ASA device supports interface security levels.
An ASA device configured with an ACL is always named.
ASA devices and Cisco IOS routers are similar in that they both support an implicit deny
within an ACL.
Question 37
A network administrator is configuring an AAA server to manage RADIUS
authentication. Which two features are included in RADIUS authentication? (Choose
two.)
encryption for only the data
encryption for all communication
single process for authentication and authorization
separate processes for authentication and authorization
hidden passwords during transmission
*RADIUS authentication supports the following features:
RADIUS authentication and authorization as one process
Encrypts only the password
Utilizes UDP
Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
Question 38
What is the standard for a public key infrastructure to manage digital certificates?
PKI
x.509
NIST-SP800
x.503
*X.509 is the standard for PKI digital certificates; X.500 is the related standard for
directory structures.
Question 39
Match the type of cyberattackers to the description.
Question 40
What are two monitoring tools that capture network traffic and forward it to
network monitoring devices? (Choose two.)
SPAN
Wireshark
network tap
SNMP
SIEM
*A network tap is used to capture traffic for monitoring the network. The tap is
typically a passive splitting device implemented inline on the network and forwards all
traffic including physical layer errors to an analysis device. SPAN is a port mirroring
technology supported on Cisco switches that enables the switch to copy frames and
forward them to an analysis device.
Question 41
Match the network security device type with the description.
Question 42
Match the information security component with the description.
Question 43
Refer to the exhibit. An extended access list has been created to prevent human
resource users from gaining access to the accounting server. All other network traffic
is to be permitted. When following the ACL configuration guidelines, on which
router, interface, and direction should the access list be applied?
router R1, interface Gi0/0/0, outbound
router R1, interface S0/1/0, outbound
router R2, interface Gi0/0/1, inbound
router R1, interface Gi0/0/0, inbound
router R2, interface S0/1/1, inbound
router R2, interface Gi0/0/1, outbound
The ACL configuration guidelines recommend placing extended access control lists as
close to the source of network traffic as possible and placing standard access control
lists as close to the destination of network traffic as possible.
Question 44
*DAI can be configured to check for destination MAC, source MAC, and IP addresses.
However, only one ip arp inspection validate command can be configured. Entering
multiple ip arp inspection validate commands overwrites the previous command.
Question 45
What protocol is used to encapsulate the EAP data between the authenticator and
authentication server performing 802.1X authentication?
SSH
MD5
TACACS+
RADIUS
*Encapsulation of EAP data between the authenticator and the authentication server is
performed using RADIUS.
Question 46
A server log includes this entry: User accessed host server ABC using Telnet yesterday
for 10 minutes. What type of log entry is this?
accessing
authentication
accounting
authorization
*Accounting records what users do and when they do it, including what is accessed,
the amount of time the resource is accessed, and any changes that were made.
Accounting keeps track of how network resources are used.
Question 47
Match the security policy with the description.
Question 48
What are two security features commonly found in a WAN design? (Choose two.)
VPNs used by mobile workers between sites
outside perimeter security including continuous video surveillance
port security on all user-facing ports
WPA2 for data encryption of all data between sites
firewalls protecting the main and remote sites
*WANs span a wide area and commonly have connections from a main site to remote
sites including a branch office, regional site, SOHO sites, and mobile workers. WANs
typically connect over a public internet connection. Each site commonly has a firewall
and VPNs used by remote workers between sites.
Question 49
Which two means can be used to try to bypass the management of mobile devices?
(Choose two.)
using a Trojan Horse
packet sniffing
rooting
using a fuzzer
jailbreaking
*Jailbreaking is a term used when breaking into an Apple iOS device, whereas rooting
is the term used for doing the same to an Android device. Both must be concerns in
the corporate environment where so many people bring their own devices and access
the corporate networks.
Question 50
During a recent pandemic, employees from ABC company were allowed to work
from home. What security technology should be implemented to ensure that data
communications between the employees and the ABC Head Office network remain
confidential?
a hashing algorithm such as MD5
a hash-generating algorithm such as SHA
a hash message authentication code such as HMAC
a symmetric or asymmetric encryption algorithm such as AES or PKI
*MD5 and SHA are hash algorithms: they let a receiver detect that a message was
altered, but they provide no confidentiality, and an attacker who can change the
message can simply recompute an unkeyed hash. Advanced Encryption Standard (AES) is a
popular symmetric encryption algorithm in which each communicating party must know the
same pre-shared key. Public key infrastructure (PKI) is a framework built on asymmetric
algorithms (such as RSA) and digital certificates; it lets two parties that have never
shared a secret establish one. HMAC is a hash-based message authentication code that
uses a shared secret key, so it guarantees that the message is not a forgery and
actually comes from the authentic source. Only encryption (AES, or a PKI-based key
exchange followed by symmetric encryption) keeps the data confidential.
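The difference between an unkeyed hash and an HMAC, which is also the point of Question 28 (AH uses MD5 and SHA in their keyed HMAC-MD5-96 and HMAC-SHA1-96 forms), shown as an added example that is not part of the course. The payload, the attacker's rewrite, and the pre-shared key below are constructed for the demonstration; the 96-bit truncation is what IPsec AH/ESP apply to the HMAC output.

```python
"""Added example: a bare hash detects accidental corruption but cannot stop
deliberate tampering, because anyone on the path can recompute it; a keyed
HMAC can, because the forger lacks the key. The integrity check value (ICV)
is truncated to 96 bits the way IPsec AH/ESP do for HMAC-MD5-96/HMAC-SHA1-96."""

import hashlib
import hmac

ICV_BYTES = 12  # HMAC-SHA1-96 / HMAC-MD5-96 keep only the first 96 bits


def unkeyed_digest(message: bytes, algo: str = "sha1") -> bytes:
    """Integrity 'tag' computed from the message alone (no secret involved)."""
    return hashlib.new(algo, message).digest()


def keyed_icv(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """ICV as AH/ESP compute it: HMAC under the shared key, then truncation."""
    return hmac.new(key, message, algo).digest()[:ICV_BYTES]


def receiver_accepts_unkeyed(message: bytes, tag: bytes, algo: str = "sha1") -> bool:
    return hmac.compare_digest(unkeyed_digest(message, algo), tag)


def receiver_accepts_keyed(key: bytes, message: bytes, tag: bytes,
                           algo: str = "sha1") -> bool:
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(keyed_icv(key, message, algo), tag)


def man_in_the_middle(message: bytes, algo: str = "sha1"):
    """Attacker on the path rewrites the payload and recomputes the unkeyed
    hash. Against HMAC the attacker has no key and can only replay the old tag."""
    forged = message.replace(b"to=alice", b"to=mallory")
    return forged, unkeyed_digest(forged, algo)


# Constructed sample payload and pre-shared integrity key (not real traffic).
SAMPLE_KEY = bytes.fromhex("0b" * 20)
SAMPLE_MSG = b"POST /transfer to=alice amount=100"


def demo() -> dict:
    """Run both schemes against the same tampering attempt."""
    results = {}
    # 1. Sender protects the message with a plain SHA-1 digest.
    forged_msg, forged_tag = man_in_the_middle(SAMPLE_MSG)
    results["unkeyed_accepts_forgery"] = receiver_accepts_unkeyed(forged_msg, forged_tag)
    # 2. Sender protects the message with HMAC-SHA1-96 under the shared key.
    icv = keyed_icv(SAMPLE_KEY, SAMPLE_MSG)
    results["keyed_accepts_original"] = receiver_accepts_keyed(SAMPLE_KEY, SAMPLE_MSG, icv)
    results["keyed_accepts_forgery"] = receiver_accepts_keyed(SAMPLE_KEY, forged_msg, icv)
    # 3. A peer holding the wrong key (mistyped pre-shared secret) is rejected too.
    results["wrong_key_accepted"] = receiver_accepts_keyed(b"wrong-key", SAMPLE_MSG, icv)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that neither scheme hides the payload: HMAC gives integrity and origin authentication, and confidentiality still needs encryption (ESP, or AES at the application layer).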
Question 51
Which cipher played a significant role in World War II?
Enigma
One-time pad
Caesar
RC4
*The Enigma machine was an electromechanical rotor cipher device developed in the
1920s and used extensively by Germany during World War II. Its security depended on
the distribution of pre-shared key settings (rotor order, ring settings, and plugboard
connections) that were used to encrypt and decrypt messages.
Question 52
One method used by Cryptanalysts to crack codes is based on the fact that some
letters of the English language are used more often than others. Which term is used
to describe this method?
meet-in-the-middle
known-plaintext
frequency analysis
cybertext
*Frequency analysis uses the fact that some letters of the English alphabet are used
more often than others. E, T, and A are the most frequent letters, and J, Q, X, and Z
are the least frequent.
Question 53
A company is concerned about data theft if any of the corporate laptops are stolen.
Which Windows tool would the company use to protect the data on the laptops?
RADIUS
BitLocker
802.1X
AMP
*Storage devices can be encrypted to protect data from unauthorized access.
Windows BitLocker provides drive encryption.
Question 54
A company requires the use of 802.1X security. What type of traffic can be sent if
the authentication port-control auto command is configured, but the client has not
yet been authenticated?
SNMP
Broadcasts such as ARP
EAPOL
Any data encrypted with 3DES or AES
*802.1X prevents unauthorized devices from gaining access to the network.
The authentication port-control auto command turns on 802.1X access control. Until
the client is authenticated, 802.1X only allows Extensible Authentication Protocol over
LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic
to pass through the port. EAPOL messages are sent between the client and the
authenticator such as a switch. If authentication is successful, normal traffic can be
sent and received through the port.
Question 55
Match each IPS signature trigger category with the description.
Question 56
Which type of firewall is commonly part of a router firewall and allows or blocks
traffic based on Layer 3 and Layer 4 information?
proxy firewall
application gateway firewall
stateless firewall
stateful firewall
*A stateless firewall uses a simple policy table look-up that filters traffic based on
specific criteria. These firewalls are usually part of a router firewall. They permit or
deny traffic based on Layer 3 and Layer 4 information.
Question 57
What are two benefits offered by a zone-based policy firewall on a Cisco router?
(Choose two.)
Any interface can be configured with both a ZPF and an IOS Classic Firewall.
Policies are defined exclusively with ACLs.
Policies provide scalability because they are easy to read and troubleshoot.
Virtual and physical interfaces are put in different zones to enhance security.
Policies are applied to unidirectional traffic between zones.
*There are several benefits of a ZPF:
It is not dependent on ACLs.
The router security posture is to block unless explicitly allowed.
Policies are easy to read and troubleshoot. This provides scalability because one
policy affects any given traffic, instead of needing multiple ACLs and inspection
actions for different types of traffic.
Virtual and physical interfaces can be grouped into zones.
Policies are applied to unidirectional traffic between zones.
Both IOS Classic Firewalls and ZPFs can be enabled concurrently on a Cisco router.
However, the models cannot be combined on a single interface.
Question 58
What is the IPS detection engine that is included in the SEC license for 4000 Series
ISRs?
Security Onion
Snort
ASDM
AMP
*Snort is the IPS detection and enforcement engine that is included in the SEC license
for 4000 Series ISRs.
Question 59
What is a characteristic of an IPS atomic signature?
it requires several pieces of data to match an attack
it is a stateful signature
it can be slow and inefficient to analyze traffic
it is the simplest type of signature
*There are two types of IPS signatures:
Atomic - This is the simplest type of signature because it does not require the IPS
to maintain state information and it can identify an attack with a single packet,
activity, or event.
Composite - This is a stateful type of signature. It requires that the IPS maintain
state information to match an attack signature.
Question 60
Which special hardware module, when integrated into ASA, provides advanced IPS
features?
Advanced Inspection and Prevention Security Services Module (AIP-SSM)
Content Security and Control (CSC)
Advanced Inspection and Prevention (AIP)
Advanced Inspection and Prevention Security Services Card (AIP-SSC)
*The advanced threat control and containment services of an ASA firewall are
provided by integrating special hardware modules with the ASA architecture. These
special modules include:
Advanced Inspection and Prevention (AIP) module – supports advanced IPS
capability.
Content Security and Control (CSC) module – supports antimalware capabilities.
Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and
Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) – support
protection against tens of thousands of known exploits.
Network Security 1.0 Final PT Skills Exam (PTSA)
Network Security – Practice PT Skills Assessment (PTSA) Answers
A few things to keep in mind while completing this activity:
Do not use the browser Back button or close or reload any Exam windows during
the exam.
Do not close Packet Tracer when you are done. It will close automatically.
Click the Submit Assessment button to submit your work.
Objectives
In this practice Packet Tracer Skills Based Assessment, you will:
Configure an ASA firewall to implement security policies.
Configure Layer 2 security on a LAN switch.
Configure a site-to-site IPsec VPN
Background / Scenario
Your company has been hired by a used car dealership that has a corporate
headquarters and multiple branch offices. The Car1 Company has become concerned
about network security and has contracted you to implement Layer 2 security, an ASA
device, and VPN services from HQ to the branches. Your job is to prototype the network in
the lab prior to your company installing the equipment at the Car1 sites. In this case, you will
only implement a VPN between headquarters and a single branch.
Note: Some values and approaches to configuring devices in this simulated assessment may
not conform to current security best practices. In some cases, values have been simplified to
streamline the assessment, and in other cases, values have been used by necessity in
order to facilitate the assessment of certain skills in Packet Tracer.
Instructions
Addressing Table
Device        Interface   IP Address         Subnet Mask        Gateway   DNS server
Internet      S0/0/1      192.31.7.1         255.255.255.252    n/a       n/a
Internet      G0/0        192.135.250.1      255.255.255.0      n/a       n/a
HQ            G0/0        209.165.200.254    255.255.255.240    n/a       n/a
HQ-ASA5506    G1/1        209.165.200.253    255.255.255.240    n/a       n/a
HQ-ASA5506    G1/2        192.168.10.1       255.255.255.0      n/a       n/a
HQ-ASA5506    G1/3        192.168.20.1       255.255.255.0      n/a       n/a
Branch        G0/0        198.133.219.62     255.255.255.224    n/a       n/a
(remaining addressing-table rows not recovered)
interface g1/2
nameif INSIDE
security-level 100
ip address 192.168.10.1 255.255.255.0
no shutdown
interface g1/3
nameif DMZ
security-level 70
ip address 192.168.20.1 255.255.255.0
no shutdown
exit
NOTE: After this step, check again to make sure that the interfaces G1/1, G1/2, G1/3 are
configured with IP addresses. If there is any interface that does not receive an IP address,
please reconfigure the IP address for that interface.
Step 2: Configure the DHCP service on the ASA device for the internal network.
a. The DHCP pool is 192.168.10.25 – 192.168.10.35.
b. The DHCP service should provide DNS server (AAA/NTP/syslog server) information.
c. PC0, PC1, and PC2 should receive their addresses over DHCP.
HQ-ASA5506
dhcpd address 192.168.10.25-192.168.10.35 INSIDE
dhcpd dns 192.168.10.10 interface INSIDE
dhcpd option 3 ip 192.168.10.1
dhcpd enable INSIDE
PC0, PC1, and PC2 received their addresses over DHCP.
Step 3: Configure routing on the ASA.
Configure a default route that will enable hosts on the HQ INTERNAL and DMZ
networks to communicate with outside hosts. Use the IP address of the HQ router
interface as the gateway interface.
HQ-ASA5506
route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.254
Step 4: Configure Secure Network Management for the ASA Device.
a. Configure the ASA with NTP and AAA:
1. The ASA is an NTP client of the AAA/NTP/Syslog server.
2. Enable NTP authentication on the ASA.
3. The authentication key is key 1 with the password corpkey.
HQ-ASA5506
ntp authenticate
ntp authentication-key 1 md5 corpkey
ntp server 192.168.10.10
ntp trusted-key 1
b. Configure AAA and SSH.
1. Configure the ASA device with AAA authentication using the username Car1Admin
and the password adminpass01.
2. Configure AAA to authenticate SSH (console) access against the local database.
3. Generate an RSA key pair with a modulus of 1024 bits. (1024 bits is what this
assessment grades; in practice use a modulus of at least 2048 bits.)
4. Configure HQ-ASA5506 to accept SSH connections only from the Net Admin
workstation.
5. Configure the SSH session timeout to be 20 minutes.
HQ-ASA5506
username Car1Admin password adminpass01
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
yes
ssh 192.168.10.250 255.255.255.255 INSIDE
ssh timeout 20
Step 5: Configure NAT Service for the ASA device for both INSIDE and DMZ networks.
a. Create a network object called INSIDE-nat with subnet 192.168.10.0/24 and
enable the IP addresses of the hosts in the internal network to be dynamically
translated to access the external network via the outside interface.
b. Create a network object DMZ-web-server to statically translate the DMZ web
server internal IP address to the outside public IP address 209.165.200.241.
c. Create a network object DMZ-dns-server to statically translate the DMZ DNS
server internal IP address to the outside public IP address 209.165.200.242.
HQ-ASA5506
object network INSIDE-nat
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface
exit
configure terminal
object network DMZ-web-server
host 192.168.20.2
nat (dmz,outside) static 209.165.200.241
exit
configure terminal
object network DMZ-dns-server
host 192.168.20.5
nat (dmz,outside) static 209.165.200.242
exit
Step 6: Configure ACLs on the ASA device to implement the security policy.
a. Configure a named extended ACL, NAT-IP-ALL, that permits inside hosts to be
translated to the pool of outside IP addresses.
b. Apply the NAT-IP-ALL ACL to the DMZ and OUTSIDE interfaces in the inbound direction.
(Note: as written below, NAT-IP-ALL is permit ip any any. Applied inbound on OUTSIDE it
replaces the security-level default and lets any Internet host initiate connections
toward the higher-security interfaces; this is acceptable only for the assessment. In
production, only the specific services in OUTSIDE-TO-DMZ should be permitted inbound.)
c. Configure an ACL to allow access to the DMZ servers from the Internet. Create an
extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the HQ ASA.
The ACL statements should be created in the order specified in the following guidelines:
(Note: The order of ACL statements is significant only because of the scoring
requirements for this assessment. On ASA 8.3 and later, ACLs normally reference the
real, untranslated server addresses; this assessment is written against the mapped
public addresses.)
1. The ACL should contain four access control entries (ACEs).
2. HTTP traffic is allowed to the DMZ web server.
3. DNS traffic (both TCP and UDP) is allowed to the DMZ DNS server (two separate ACEs).
4. FTP traffic from the Branch administrator workstation is allowed to the DMZ web server.
Note: For the purposes of this assessment, do NOT apply this ACL.
HQ-ASA5506
configure terminal
access-list NAT-IP-ALL extended permit ip any any
access-group NAT-IP-ALL in interface OUTSIDE
access-group NAT-IP-ALL in interface DMZ
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.241 eq 80
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit udp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq ftp
end
copy running-config startup-config
Part 2: Configure Layer 2 Security on a Switch
For this part of the assessment, you will be configuring Switch1 in the internal network with
Layer 2 attack mitigation measures.
Step 1: Disable Unused Switch Ports
a. Disable all unused switch ports on Switch1.
b. Configure all unused ports in static access mode so that they will not negotiate trunks.
Switch 1
enable
conf t
interface range f0/2-4, f0/6-9, f0/11-22, g0/2
shutdown
switchport mode access
switchport nonegotiate
Step 2: Implement Port Security
On Switch1, configure port security on all of the switch ports that are connected to hosts
according to the following requirements:
The ports should be configured as static access ports.
The ports should learn a maximum of two MAC addresses.
The ports should record the MAC addresses that have been learned in the device running
configuration.
If a violation occurs, the port should drop packets from host MAC addresses that have not
been learned, increment the violation counter, and generate a syslog message.
Switch 1
interface range f0/1, f0/5, f0/10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
switchport nonegotiate
Step 3: Implement STP Security
On Switch1, implement STP security measures on the active ports that are connected to hosts.
a. Configure the switch to disable host ports that receive a BPDU.
b. Configure the ports to quickly go into STP forwarding mode without going through the
STP transitional modes. Do this on a port-by-port basis, not on the entire switch.
Switch 1
interface range f0/1, f0/5, f0/10, g0/1
spanning-tree bpduguard enable
spanning-tree portfast
end
copy running-config startup-config
Part 3: Configure a Site-to-Site IPsec VPN between the HQ and the Branch Routers
Note: The Branch and HQ routers have already been configured with a username
of CORPADMIN and a password of NetSec-Admin1. The enable secret password is
RTR-AdminP@55.
Configure a site-to-site IPsec VPN between the HQ and Branch routers according to the
requirements below.
The following tables list the parameters for the ISAKMP phase 1 and phase 2 policies:
ISAKMP Phase 1 Policy Parameters
Encryption Algorithm     AES
Hash Algorithm           SHA-1
Authentication Method    Pre-share
Key Exchange             DH2
ISAKMP Key               Vpnpass101

Parameters           HQ Router               Branch Router
Encrypted Network    209.165.200.240/28      198.133.219.32/27
set security-association lifetime seconds 1800
exit
int s0/0/0
crypto map VPN-MAP
end
copy running-config startup-config
Branch Router
Username: CORPADMIN
Password: NetSec-Admin1
enable
Password: RTR-AdminP@55
conf ter
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 1800
exit
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
match address 120
set transform-set VPN-SET
set peer 209.165.200.226
set pfs group2
set security-association lifetime seconds 1800
exit
int s0/0/0
crypto map VPN-MAP
end
copy running-config startup-config
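A first-match ACL evaluator, added here as an example that is not part of the course, run on two ACLs that appear on this page exactly as written: crypto ACL 120 from the Branch router above (IOS syntax, wildcard masks) and OUTSIDE-TO-DMZ from Part 1 (ASA syntax, subnet masks and host keywords). It shows which flows the Branch router treats as interesting traffic and sends through the tunnel, how the same network is written with a wildcard mask on IOS and a subnet mask on the ASA (Question 36), and the implicit deny when no entry matches. The parser is deliberately small: it handles permit/deny, ip/tcp/udp/icmp, any, host, a network with its mask, and a single eq port, and nothing else (no established, ranges, or object groups). The test addresses are constructed.

```python
"""Added example: evaluate IOS-style (wildcard mask) and ASA-style (subnet mask)
access-list entries with first-match semantics and the implicit deny."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port names accepted after "eq" (subset of what IOS/ASA understand).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "smtp": 25, "domain": 53}


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]            # (network, netmask) as 32-bit integers
    dst: Tuple[int, int]
    dst_port: Optional[int] = None  # set only for "eq <port>"


def _network(addr: str, mask: str, wildcard: bool) -> Tuple[int, int]:
    """IOS wildcard masks are inverted netmasks: a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF
    return a & m, m


def parse_ace(line: str, wildcard: bool = True) -> ACE:
    """Parse one entry; wildcard=True for IOS, False for ASA subnet masks."""
    toks = line.split()
    if toks[0] == "access-list":            # drop 'access-list <id> [extended]'
        toks = toks[2:]
        if toks[0] == "extended":
            toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr(r):
        if r[0] == "any":
            return (0, 0), r[1:]
        if r[0] == "host":
            return _network(r[1], "255.255.255.255", False), r[2:]
        return _network(r[0], r[1], wildcard), r[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ACE(action, proto, src, dst, port)


def _in(net: Tuple[int, int], ip: str) -> bool:
    network, mask = net
    return (int(ipaddress.IPv4Address(ip)) & mask) == network


def evaluate(acl, proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_in(ace.src, src) and _in(ace.dst, dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# Crypto ACL 120 from the Branch router: matching traffic is "interesting"
# and is protected by the IPsec tunnel; everything else leaves in the clear.
CRYPTO_ACL = [parse_ace(
    "access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15")]

# OUTSIDE-TO-DMZ from Part 1, Step 6 (ASA syntax).
DMZ_ACL = [parse_ace(entry, wildcard=False) for entry in (
    "access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.241 eq 80",
    "access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.242 eq 53",
    "access-list OUTSIDE-TO-DMZ extended permit udp any host 209.165.200.242 eq 53",
    "access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 "
    "host 209.165.200.241 eq ftp",
)]


def is_interesting(src: str, dst: str) -> bool:
    """Would the Branch router encrypt an IP packet from src to dst?"""
    return evaluate(CRYPTO_ACL, "ip", src, dst) == "permit"


if __name__ == "__main__":
    print("Branch admin -> DMZ web (public):", is_interesting("198.133.219.35", "209.165.200.241"))
    print("Branch admin -> Internet host:  ", is_interesting("198.133.219.35", "192.135.250.1"))
    print("Internet -> DMZ web :80         ", evaluate(DMZ_ACL, "tcp", "203.0.113.9", "209.165.200.241", 80))
    print("Internet -> DMZ web :21         ", evaluate(DMZ_ACL, "tcp", "203.0.113.9", "209.165.200.241", 21))
```

Note that the crypto ACL on the HQ side must be the exact mirror of this one (source and destination swapped); an asymmetric pair is the most common reason a site-to-site tunnel never comes up.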