Friday, January 2, 2015

CCNP Security: SENSS Part 1-3

1.3 Configure device hardening per best practices


1.3.a Routers
Source: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Management Plane

  • Passwords
    • Enable MD5 hashing (secret option) for enable and local user passwords
    • Configure the password retry lockout
    • Disable password recovery (consider risk)
  • Disable unused services
  • Configure TCP keepalives for management sessions
  • Set memory and CPU threshold notifications
  • Configure
    • Memory and CPU threshold notifications
    • Reserve memory for console access
    • Memory leak detector
    • Buffer overflow detection
    • Enhanced crashinfo collection
  • Use iACLs to restrict management access
  • Filter (consider risk)
    • ICMP packets
    • IP fragments
    • IP options
    • TTL value in packets
  • Control Plane Protection
    • Configure port filtering
    • Configure queue thresholds
  • Management access
    • Use Management Plane Protection to restrict management interfaces
    • Set exec timeout
    • Use an encrypted transport protocol (such as SSH) for CLI access
    • Control transport for vty and tty lines (access class option)
    • Warn using banners
  • AAA
    • Use AAA for authentication and fallback
    • Use AAA (TACACS+) for command authorization
    • Use AAA for accounting
    • Use redundant AAA servers
  • SNMP
    • Configure SNMPv2 communities and apply ACLs
    • Configure SNMPv3
  • Logging
    • Configure centralized logging
    • Set logging levels for all relevant components
    • Set logging source-interface
    • Configure logging timestamp granularity
  • Configuration Management
    • Replace and rollback
    • Exclusive Configuration Change Access
    • Software resilience configuration
    • Configuration change notifications

Control Plane

  • Disable (consider risk)
    • ICMP redirects
    • ICMP unreachables
    • Proxy ARP
  • Configure NTP authentication if NTP is being used
  • Configure Control Plane Policing/Protection (port filtering, queue thresholds)
  • Secure routing protocols
    • BGP (TTL, MD5, maximum prefixes, prefix lists, autonomous system path ACLs)
    • IGP (MD5, passive interface, route filtering, resource consumption)
  • Configure hardware rate limiters
  • Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)

Data Plane

  • Configure IP Options Selective Drop
  • Disable (consider risk)
    • IP source routing
    • IP Directed Broadcasts
    • ICMP redirects
  • Limit IP Directed Broadcasts
  • Configure tACLs (consider risk)
    • Filter ICMP
    • Filter IP fragments
    • Filter IP options
    • Filter TTL values
  • Configure required anti-spoofing protections
    • ACLs
    • IP Source Guard
    • Dynamic ARP Inspection
    • Unicast RPF
    • Port security
  • Control Plane Protection (control-plane cef-exception)
  • Configure NetFlow and classification ACLs for traffic identification
  • Configure required access control ACLs (VLAN maps, PACLs, MAC)
  • Configure Private VLANs

1.3.b Switches
See above, where applicable.

1.3.c Firewalls
Source: http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html

Best Practices Checklist

Management Plane Checks

Disable Console Logging - Firewall

Disable Console Logging (severity: Low)
Best practice: Ensure console logging is disabled or set to critical. Although useful for troubleshooting from the console port, excessive log messages on the console can make it impossible to manage the device, even from the console.
Command:
no logging console
- or -
logging console critical

Enable Logging - Firewall

Enable Logging (severity: Info)
Best practice: Check that event logging on the firewall is enabled. Logging a firewall's activities and status offers several benefits. Using the information in a log, the administrator can tell whether the firewall is working properly or whether it has been compromised. In some cases, it can show what types of probes or attacks are being attempted against the firewall or the protected network. If logging is disabled, the events that happen on the firewall are not logged anywhere. This makes it harder to troubleshoot network issues, may cause problems, including attempted attacks, to go unnoticed, and prevents collection of evidence about unauthorized activity. If logging is enabled, ensure the log messages are sent only to trusted hosts on a protected network so the logs cannot be compromised or viewed by anyone who is not authorized to view them.
Command:
logging on | logging enable

Enable Logging Timestamp (severity: Low)
Best practice: Timestamps should be enabled for log messages; they facilitate interpretation of the messages when troubleshooting and investigating network attacks. Ensure that the date/time is set correctly (if NTP is not configured) so that the timestamps give the proper day/time of the log messages. Without timestamps it may not be possible to establish the order of events in the network.
Command:
logging timestamp

Enable Logging to Buffer (severity: Low)
Best practice: Cisco devices can store log messages in memory. The buffered data is available only from an exec or enabled exec session, and it is cleared when the device reboots. This form of logging is useful, even though it does not offer enough long-term protection for the logs. Buffered logging keeps the log messages in RAM on the device. A logging buffer must be configured on the device; the buffer is circular, meaning that when it fills up, the oldest log message is deleted to make room for the new message. If buffered logging is not enabled, it will not be possible to view the most recent log messages on the device for troubleshooting or monitoring purposes.
Command:
logging buffered <level>

Log Messages to a Syslog Server (severity: Info)
Best practice: Cisco devices can be configured to forward log messages to an external syslog service. It is highly recommended that networks implement a logging structure based on a syslog infrastructure. Proactive monitoring of firewall logs is an integral part of a security administrator's duties. Firewall syslogs are useful for forensics, network troubleshooting, security evaluation, worm and virus attack mitigation, and so on. This is a scalable solution that provides long-term storage and a central location for all device messages.
Command:
logging host <interface-name> <ipAddress>
Secure Device Access - Firewall

Restrict HTTP Access to Certain Addresses (severity: Info)
Best practice: Specifies the hosts that can access the HTTP server internal to the FWSM. The addresses allowed to access the firewall using HTTP can be restricted; any undefined IP address will not see the prompt at all.
Command:
http <ip-address> <net-mask> <interface name>

Restrict SSH Access to Certain Addresses (severity: Medium)
Best practice: The addresses allowed to access the firewall using SSH can be restricted. Any undefined IP address will not see the prompt at all.
Command:
ssh <ip-address> <net-mask> <interface name>

Restrict Telnet Access to Certain Addresses (severity: Medium)
Best practice: The addresses allowed to access the firewall using Telnet can be restricted. Any undefined IP address will not see the prompt at all.
Command:
telnet <ip-address> <net-mask> <interface name>

Set Enable Password (severity: Info)
Best practice: Set the enable password to secure access to the privileged level. Access to privileged EXEC mode (enable mode) should be protected by requiring a password; otherwise a user logged in to user mode can access enable mode.
Command:
enable password <password>

Set Password (severity: Info)
Best practice: To set the login password, use the passwd command in global configuration mode. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.
Command:
passwd <password>

Set Suitable Console Timeout (severity: Low)
Best practice: For console connections the idle timeout must be configured to avoid undesirable open and unattended console connections to the firewall.
Command:
console timeout <timeout value in minutes>

Set Suitable SSH Timeout (severity: Low)
Best practice: For SSH connections the idle timeout must be configured to avoid undesirable open and unattended SSH connections to the firewall.
Command:
ssh timeout <timeout in minutes>

Set Suitable Telnet Timeout (severity: Low)
Best practice: For Telnet connections the idle timeout must be configured to avoid undesirable open and unattended Telnet connections to the firewall.
Command:
telnet timeout <timeout in minutes>

Use Warning Banner Messages (severity: Low)
Best practice: Use of configurable, personalized login and failed-login banners is recommended. This feature lets you change the default message for login and failed login. You can configure message banners that are displayed when a user logs in to the system.
Command:
banner <banner-message>
Secure Interactive Access Using AAA - Firewall

Define AAA Server with Key (severity: Medium)
Best practice: An Authentication, Authorization and Accounting (AAA) server is recommended to store all usernames, passwords and privilege levels in one repository. The AAA server should be configured with a key for authentication and encryption.
Command:
aaa-server TACACS+ <interface> host <ipAddress> <key>

Use AAA Accounting (severity: Low)
Best practice: When you configure the aaa accounting command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers.
Command:
aaa accounting command EXAUTH LOCAL

Use AAA Authentication for Enable Mode (severity: Medium)
Best practice: Authenticates users who access privileged EXEC mode with the enable command. An external server may be used for authentication, with fallback to the local database if the external authentication server is down.
Command:
aaa authentication enable console RADIUS LOCAL

Use AAA Authentication for HTTP (severity: Medium)
Best practice: If the aaa authentication http console command is not defined, you can gain access to the FWSM (via ASDM) with no username and the FWSM enable password (set with the enable password command).
Command:
aaa authentication http console RADIUS LOCAL

Use AAA Authentication for SSH (severity: Info)
Best practice: Before the firewall can authenticate a Telnet or SSH user, access to the firewall must first be configured using the telnet or ssh commands. These commands identify the IP addresses that are allowed to communicate with the firewall.
Command:
aaa authentication ssh console RADIUS LOCAL

Use AAA Authentication for Telnet (severity: Medium)
Best practice: Before the firewall can authenticate a Telnet or SSH user, access to the firewall must first be configured using the telnet or ssh commands. These commands identify the IP addresses that are allowed to communicate with the firewall.
Command:
aaa authentication telnet console RADIUS LOCAL

Use AAA Authorization (severity: Low)
Best practice: The aaa authorization command specifies whether command execution at the CLI is subject to authorization. If you enable TACACS+ command authorization and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine whether the command is authorized. When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the FWSM.
Command:
aaa authorization command TACACS LOCAL

Use Local Login as Backup to AAA (severity: Info)
Best practice: While configuring external authentication it is advisable to keep the local database check as a fallback option.
Command:
aaa authentication http console RADIUS LOCAL
Secure Management Protocols - Firewall

Authenticate NTP Updates (severity: Medium)
Best practice: Network Time Protocol (NTP) is a UDP-based protocol used to synchronize clocks among network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network. It is recommended to authenticate NTP updates so that time is synchronized with approved servers only.
Command:
ntp authentication-key <key-id> md5 <key>

Change Default Community String (severity: High)
Best practice: The default community strings "public" and "private" are well known. These should always be changed to more secure strings.
Command:
snmp-server community <non-default-string>

Define SNMP Server Host (severity: Low)
Best practice: SNMP is an application-layer communication protocol that allows ONS 15454 network devices to exchange management information among these systems and with other devices outside the network. SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
Command:
snmp-server host

Disable SNMP if not used (severity: Low)
Best practice: SNMP should be disabled if it is not used in the network. If used, access to the SNMP service should be protected using appropriate mechanisms such as ACLs.
Command:
no snmp-server

Enable SNMP Trap Logging (severity: Low)
Best practice: SNMP traps are used to report an alert or other asynchronous event about a managed firewall.
Command:
snmp-server enable traps

Use NTP to Sync Network Clocks (severity: Medium)
Best practice: Network Time Protocol (NTP) is a UDP-based protocol used to synchronize clocks among network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network.
Command:
ntp server <ntp server name> source <interface>

Control Plane Checks

Disable Unneeded Services - Firewall

Check if Failover is used (severity: Info)
Best practice: This rule checks whether failover is configured on the firewall devices.
Command:
failover

Disable HTTP session replication (severity: Info)
Best practice: Replication of HTTP session data to the failover firewall should be disabled unless the firewall is not expected to be under extreme load and the HTTP session data is highly critical. Given the short duration of HTTP sessions, the low probability of firewall failure and the design of most applications, this is not likely to be needed. This rule checks only firewalls with failover configured.
Command:
no failover replication http

Disable Proxy ARP (severity: Low)
Best practice: Proxy ARP allows a firewall to extend the network at layer 2 across multiple interfaces (i.e. LAN segments). Proxy ARP therefore allows hosts on different segments to function as if they were on the same subnet, and is only safe when used between trusted LAN segments. Attackers can exploit the trusting nature of proxy ARP by spoofing a trusted host and intercepting packets. Because of this inherent security weakness, proxy ARP should be disabled on interfaces that do not require it, especially interfaces that connect to untrusted networks.
Command:
sysopt noproxyarp <interface>

Limit ICMP responses on interfaces (severity: Low)
Best practice: It is preferable to disable ICMP on outside interfaces at a minimum. The default (i.e. no ICMP control list is configured) is for the PIX/ASA/FWSM to accept all ICMP traffic that terminates at any interface (including the outside interface). This will depend on the customer policy.
Command:
icmp permit <acl> <interface>


Data Plane Checks

Data Plane - Firewall

Enable uRPF anti-spoofing (severity: Info)
Best practice: Anti-spoofing should be configured on all outside interfaces. This rule checks whether uRPF is enabled on any one interface.
Command:
ip verify reverse-path interface <interface-name>
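An added example (my own Python, not from the Cisco page or these notes) that audits an ASA/FWSM running-config against the management-plane items above. Each check is a regular-expression predicate over the config lines and carries the checklist severity; the sample config is constructed, with a few deliberate weaknesses so the output is not empty.

```python
import re

# Constructed ASA-style running-config excerpt (not a real device) with a few
# deliberate weaknesses: console logging at debugging level, no timestamps,
# Telnet open to any address, default SNMP community, unauthenticated NTP.
SAMPLE_CONFIG = """\
hostname fw1
enable password EXAMPLEHASH encrypted
logging enable
logging console debugging
logging buffered informational
logging host inside 10.10.10.5
snmp-server community public
snmp-server host inside 10.10.10.6
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
aaa-server TACACS protocol tacacs+
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS
ntp server 10.10.10.7 source inside
"""

def config_lines(config):
    """Split a running-config into non-empty, non-comment lines."""
    return [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]

def has(lines, pattern):
    """True if any config line starts with a match for the regex."""
    rx = re.compile(pattern)
    return any(rx.match(l) for l in lines)

# (requirement, severity, passes(lines) -> bool, remediation command)
CHECKS = [
    ("Disable console logging", "Low",
     lambda c: not has(c, r"logging console") or has(c, r"logging console critical"),
     "no logging console | logging console critical"),
    ("Enable logging", "Info", lambda c: has(c, r"logging (on|enable)$"), "logging enable"),
    ("Enable logging timestamp", "Low", lambda c: has(c, r"logging timestamp"), "logging timestamp"),
    ("Enable logging to buffer", "Low", lambda c: has(c, r"logging buffered"), "logging buffered <level>"),
    ("Log messages to a syslog server", "Info", lambda c: has(c, r"logging host"),
     "logging host <interface-name> <ipAddress>"),
    ("Restrict SSH access to certain addresses", "Medium",
     lambda c: has(c, r"ssh \d") and not has(c, r"ssh 0\.0\.0\.0 0\.0\.0\.0"),
     "ssh <ip-address> <net-mask> <interface name>"),
    ("Restrict Telnet access to certain addresses", "Medium",
     lambda c: not has(c, r"telnet \d") or not has(c, r"telnet 0\.0\.0\.0 0\.0\.0\.0"),
     "telnet <ip-address> <net-mask> <interface name>"),
    ("Set enable password", "Info", lambda c: has(c, r"enable password \S"), "enable password <password>"),
    ("Set suitable SSH timeout", "Low", lambda c: has(c, r"ssh timeout"), "ssh timeout <timeout in minutes>"),
    ("Use warning banner messages", "Low", lambda c: has(c, r"banner"), "banner <banner-message>"),
    ("Use AAA authentication for enable mode with local fallback", "Medium",
     lambda c: has(c, r"aaa authentication enable console \S+ LOCAL"),
     "aaa authentication enable console <server-group> LOCAL"),
    ("Change default community string", "High",
     lambda c: not has(c, r"snmp-server community (public|private)$"),
     "snmp-server community <non-default-string>"),
    ("Authenticate NTP updates", "Medium",
     lambda c: not has(c, r"ntp server") or has(c, r"ntp authentication-key"),
     "ntp authentication-key <key-id> md5 <key>"),
]

def audit(config):
    """Return the failed checks as (requirement, severity, remediation) tuples."""
    lines = config_lines(config)
    return [(req, sev, fix) for req, sev, passes, fix in CHECKS if not passes(lines)]

def worst_severity(findings):
    """Highest severity among the findings, or None when everything passed."""
    rank = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}
    return max((sev for _, sev, _ in findings), key=rank.get, default=None)

if __name__ == "__main__":
    for req, sev, fix in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] FAIL {req}: {fix}")
```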



CCNP Security: SENSS Part 1-2

1.2 Implement Layer 2 Security

1.2.a Configure DHCP snooping
DHCP snooping protects the LAN from rogue DHCP servers, which could be used to mount a MitM or DoS attack. DHCP snooping drops DHCP server messages that arrive on untrusted ports. It maintains a DHCP snooping binding table containing the MAC address, IP address, lease time, binding type, VLAN number, and interface information for hosts on the switch's untrusted interfaces; the table is stored as a flat configuration file in flash. Untrusted interfaces are used for hosts; trusted interfaces are used for upstream switches, other networking devices, and DHCP servers.

Enable DHCP snooping globally on the switch
Switch(config)# ip dhcp snooping

Enable DHCP snooping per vlan
Switch(config)# ip dhcp snooping vlan number | vlan range

Configure errdisable recovery timer
Switch(config)# errdisable recovery cause dhcp-rate-limit interval interval

Per-VLAN errdisable detection; by default a violation results in shutdown
Switch(config)# errdisable detect cause dhcp-rate-limit action shutdown vlan

Configure the interface as trusted or untrusted.  By default, interfaces are untrusted
Switch(config-if)# ip dhcp snooping trust

Verification
Switch# show ip dhcp snooping

Rate limiting function can be used to prevent a DoS attack.  When the threshold is breached, the port is placed in an errdisabled state.
Switch(config-if)# ip dhcp snooping limit rate 100

It is recommended to store the binding database file off the switch, on a remote server.
Switch(config)# ip dhcp snooping database tftp://x.x.x.x/directory/file
Switch# show ip dhcp snooping database detail

It may be necessary to manually read database entries in from a TFTP file. To do so, and to verify:
switch# show ip dhcp snooping database
switch# renew ip dhcp snoop data url
switch# show ip dhcp snoop data
switch# show ip dhcp snoop bind


1.2.b Describe dynamic ARP inspection
DAI is used to help prevent MitM attacks conducted via ARP poisoning. It inspects ARP packets passing through the switch in real time. The source information used to verify legitimate ARP traffic is pulled from the DHCP snooping binding table; if DHCP snooping is not configured, all ARP traffic will be dropped. By default, ports are placed in the untrusted state for DAI. After configuring DHCP snooping, configure the trusted ports with ip arp inspection trust at the interface level, then enable DAI on the desired VLAN(s) with ip arp inspection vlan number.

Devices assigned static IPs will need either to be added to an ARP ACL entry or to have their port placed in the trusted state, as their MAC and IP will never be seen by DHCP snooping.

DAI has two blocking mechanisms: rate limiting of ARP packets (default 15 per second), and dropping ARP messages that do not match the DHCP snooping table (for example, ARP poisoning attacks directed at the gateway and a host on the network by abusing the gratuitous ARP reply function).


1.2.c Describe storm control
The storm control feature is used to prevent traffic disruption on ports experiencing a broadcast, multicast, or unicast traffic storm. It monitors traffic levels over a one-second interval and compares the traffic rate with the configured storm control level, a percentage of the total bandwidth of the port. If the threshold is exceeded during the one-second interval, broadcast suppression is engaged. Whether this feature operates in hardware or software depends on the switch model.
switch(config-if)# storm-control broadcast level level
switch(config-if)# storm-control action shutdown | trap 
switch# show storm-control


1.2.d Configure port security
Port security is used to control traffic from both static and dynamically learned MAC addresses on a switch's access ports. It can also be used to limit the number of hosts allowed to send traffic across an access port.

Violation modes
Protect - drops packets from unknown source addresses (e.g. hosts over the limit)
Restrict - drops packets and increments the SecurityViolation counter
Shutdown - interface is placed into the err-disabled state and an SNMP trap is sent

switch(config-if)# switchport port-security
switch(config-if)# switchport port-security max number
switch(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
OR
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security aging time minutes
switch(config-if)# switchport port-security aging type interval | inactivity
switch(config)# errdisable recovery cause psecure-violation
switch(config)# errdisable recovery interval seconds


1.2.e Describe common Layer 2 threats and attacks and mitigation

VLAN Hopping
1.  Attacker crafts packets to negotiate a trunk on an access port across ISL or 802.1Q
2.  Attacker crafts packets that are twice encapsulated with a VLAN ID

Mitigation:
Disable DTP on user facing ports (switchport mode access, switchport nonegotiate).
Do not use VLAN 1.
Use a dedicated VLAN for trunk ports.
Explicitly configure trunking on trusted ports.
Use tagged mode for the native VLAN on trunks.
Disable unused ports.

CAM table overflow
Attacker sends thousands of packets per second using bogus source MAC addresses, causing the switch's CAM table to overflow. Traffic must then be flooded across all ports, effectively turning the switch into a hub.

Mitigation:
Use port security to limit the number of learned MAC addresses per interface.

DHCP starvation attack
Attacker tries to lease all of the available DHCP addresses within a DHCP scope.

Mitigation:
Use port security to limit the number of MAC addresses that can transit a port.

Rogue DHCP server attack
Attacker stands up a DHCP server and can then control users' default gateway, IP addressing, and DNS server. Commonly used for DoS and MitM attacks.

Mitigation: Use DHCP snooping

ARP Poisoning
Attacker abuses the gratuitous ARP feature to claim to be the owner of a target host's IP address. Commonly used to poison the gateway and target host(s) and perform a MitM attack. The attack can furthermore be refined to use tools such as SSLstrip to decrypt SSH/SSL traffic.

Mitigation: Use DAI

MAC Spoofing attack
Attacker spoofs a MAC address to impersonate other hosts on the LAN.

Mitigation
DHCP snooping, DAI, IPSG

STP Attacks
Attacker can impersonate the root bridge and force an STP election to occur, then execute a MitM or DoS attack.

Mitigation
BPDU filter and Root Guard

CDP Attacks
Attacker can crash IOS devices by flooding CDP advertisements and consuming too much memory.

Mitigation
Disable CDP unless it is required.

1.2.f Describe MACSec
MACsec is the IEEE 802.1AE standard. It is used in conjunction with 802.1X, which provides the authentication mechanism.
Ensures data confidentiality by providing symmetric encryption at layer 2.
Provides integrity by ensuring data cannot be modified in transit.
MACsec encrypts packets hop by hop at layer 2.
AnyConnect can be used as a supplicant.


1.2.g Configure IP source verification
IP Source Guard requires DHCP snooping to be configured. It is used to prevent hosts from spoofing the IP addresses of other hosts in the network, and is enabled per interface. The switch blocks all IP traffic received on the interface except packets permitted by the DHCP snooping binding table. It can also filter on source MAC addresses.

switch(config-if)# ip verify source
switch(config-if)# ip verify source port-security
switch# show ip verify source
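An added example (my own Python, not from these notes or Cisco) that models how the DHCP snooping binding table from 1.2.a feeds both DAI (1.2.b) and IP Source Guard (1.2.g): server replies are learned only from trusted ports, ARP on untrusted ports must match a binding or an ARP ACL entry and is rate-limited at 15 pps, and IPSG checks the source IP (and optionally the MAC) of IP packets against the same bindings. All interface names, MACs and addresses are constructed.

```python
from collections import defaultdict, namedtuple

Binding = namedtuple("Binding", "mac ip vlan interface")  # one DHCP snooping binding entry

class Switch:
    """Minimal model of DHCP snooping + DAI + IPSG decisions (constructed, not IOS)."""

    def __init__(self, dai_rate_limit=15):
        self.bindings = {}                    # (vlan, mac) -> Binding, built by DHCP snooping
        self.trusted = set()                  # ports with 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.arp_acl = set()                  # (ip, mac) pairs permitted for statically addressed hosts
        self.ipsg_ports = {}                  # port -> True when 'ip verify source port-security' (check MAC too)
        self.dai_rate_limit = dai_rate_limit  # ARP packets per second allowed on an untrusted port
        self.arp_counter = defaultdict(int)   # (port, second) -> ARP packets seen
        self.errdisabled = set()

    # DHCP snooping: bindings come only from DHCPACKs that arrive on a trusted port
    def dhcp_ack(self, vlan, mac, ip, client_port, server_port):
        if server_port not in self.trusted:
            return "drop: DHCP server reply on untrusted port"
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, client_port)
        return "bind"

    # DAI: ARP on untrusted ports is rate-limited and checked against bindings / ARP ACL
    def arp(self, vlan, port, sender_mac, sender_ip, second):
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            return "forward"
        self.arp_counter[(port, second)] += 1
        if self.arp_counter[(port, second)] > self.dai_rate_limit:
            self.errdisabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if (sender_ip, sender_mac) in self.arp_acl:
            return "forward"
        b = self.bindings.get((vlan, sender_mac))
        if b and b.ip == sender_ip and b.interface == port:
            return "forward"
        return "drop: no matching DHCP snooping binding"

    # IPSG: IP packets on 'ip verify source' ports must match a binding for that port
    def ip_packet(self, vlan, port, src_mac, src_ip):
        if port not in self.ipsg_ports:
            return "forward"
        for b in self.bindings.values():
            if b.interface == port and b.vlan == vlan and b.ip == src_ip:
                if self.ipsg_ports[port] and b.mac != src_mac:
                    return "drop: source MAC does not match binding"
                return "forward"
        return "drop: source IP not in DHCP snooping binding table"

def demo():
    """Walk the scenarios from the notes; returns a dict of decisions."""
    sw = Switch()
    sw.trusted.add("Gi0/24")          # uplink toward the DHCP server
    sw.ipsg_ports["Gi0/1"] = True     # ip verify source port-security
    sw.ipsg_ports["Gi0/2"] = False    # ip verify source
    r = {}
    # a DHCPACK arriving from a host port is a rogue server reply and is dropped
    r["rogue_server"] = sw.dhcp_ack(10, "aaaa.aaaa.0001", "10.0.0.11", "Gi0/1", "Gi0/3")
    sw.dhcp_ack(10, "aaaa.aaaa.0001", "10.0.0.11", "Gi0/1", "Gi0/24")
    sw.dhcp_ack(10, "aaaa.aaaa.0002", "10.0.0.12", "Gi0/2", "Gi0/24")
    r["arp_ok"] = sw.arp(10, "Gi0/1", "aaaa.aaaa.0001", "10.0.0.11", 0)
    # host on Gi0/2 claims the gateway address 10.0.0.1: DAI drops it
    r["arp_poison"] = sw.arp(10, "Gi0/2", "aaaa.aaaa.0002", "10.0.0.1", 0)
    r["ipsg_ok"] = sw.ip_packet(10, "Gi0/1", "aaaa.aaaa.0001", "10.0.0.11")
    r["ipsg_spoofed_ip"] = sw.ip_packet(10, "Gi0/2", "aaaa.aaaa.0002", "10.0.0.11")
    r["ipsg_spoofed_mac"] = sw.ip_packet(10, "Gi0/1", "bbbb.bbbb.0001", "10.0.0.11")
    # statically addressed host: no binding exists, so it needs an ARP ACL entry
    r["static_no_acl"] = sw.arp(10, "Gi0/2", "cccc.cccc.0003", "10.0.0.50", 1)
    sw.arp_acl.add(("10.0.0.50", "cccc.cccc.0003"))
    r["static_with_acl"] = sw.arp(10, "Gi0/2", "cccc.cccc.0003", "10.0.0.50", 1)
    # 16 ARPs within one second on Gi0/2 exceed the default 15 pps limit
    for _ in range(16):
        last = sw.arp(10, "Gi0/2", "aaaa.aaaa.0002", "10.0.0.12", 5)
    r["rate_limited"] = last
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```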

Wednesday, December 31, 2014

CCNP Security: SENSS Part 1-1

Notes for the SENSS exam, mapped against Cisco's blueprint for the 300-206. As there are no books for this exam, my sources for this primarily came from various manuals and documentation available on Cisco's site. Whether a blueprint item is listed as "implement" or "describe" determined how far in depth I studied the particular topic. Notes focus on the CLI.

Threat Defense: 1.1 Implement firewall (ASA or IOS depending on which supports the implementation)



1.1.a Implement ACLs


ACL Types
Extended ACLs - the main type used; used for access rules, traffic matching for service policies, AAA rules, WCCP, botnet traffic filter, VPN group, and DAP policies

EtherType ACLs - apply to non-IP layer 2 traffic in transparent mode

WebType ACLs - Used for filtering clientless SSL VPN traffic

Standard ACLs - identify traffic based on destination address only.  Used by route maps and VPN filters.

ACLs and NAT
It is important to note the distinction between when real IP addresses (the untranslated addresses) and mapped IP addresses (the NAT-translated addresses) are used. The major distinction is between 8.2 code and 8.3+ code on the ASA.

Use Real IP Addresses
-Access rules (referenced by the access-group command)
-Service Policy Rules (referenced by the match access-list command)
-Botnet Traffic Filter classification (referenced by dynamic-filter enable classify-list command)
-AAA rules (aaa match command)
-WCCP (wccp redirect-list group-list command)

Use Translated IP Addresses
-IPSec ACLs
-capture command ACLs
-Per-user ACLs
-Routing protocol ACLs
-All other feature ACLs

The network mask differs from the IOS access-list command: the ASA uses a network mask, whereas IOS uses wildcard bits.

Configuration and Management
Show ACL contents, line numbers, and hit counts
asa# show access-list outside_access_in

Add an ACE: access-list [name] [line line-num] type
If no line number is specified, the ACE is appended to the end of the ACL.

Add a comment to an ACL (does not apply to webtype): access-list [name] [line line-num] remark
Best practice is to insert the remark before the ACE. A remark is limited to 100 characters. If a line number is not specified, the remark is added to the end of the ACL.

ACEs and remarks cannot be edited or moved. Instead a new one must be created at the right location via line number, and the old ACE or remark then deleted. ASDM is easier to use for this purpose.

Delete an ACE or remark: no access-list parameters
The parameters must match the ACE or remark exactly to remove it.

Delete an entire ACL including remarks: clear configure access-list name
If no name is specified, all ACLs are deleted. There is no confirmation with this command.

Rename an ACL: access-list name rename new_name

Apply an ACL to a policy: the access-group command must be used to apply an extended ACL to an interface. ACLs must be applied to a policy to have any effect on traffic.

Configure Extended ACLs
Syntax:

access-list access_list_name [line line_number] extended {deny | permit}
protocol_argument source_address_argument dest_address_argument
[log [[level] [interval secs] | disable | default]]
[time-range time_range_name]
[inactive]
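An added example (my own Python, not from these notes or Cisco) that parses ACEs written in the extended-ACL syntax above and converts IOS wildcard-mask ACEs to ASA network-mask form, which is the distinction noted earlier. It handles the any / host / network+mask / object-group address forms and the eq and range port operators; the ACL text is constructed.

```python
import ipaddress

def wildcard_to_mask(wildcard):
    """IOS wildcard bits -> ASA network mask (bitwise inverse of the wildcard)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))

def _parse_address(tokens):
    """Consume one address argument (any | host A | A MASK | object-group NAME)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/32", tokens[2:]
    if tokens[0] == "object-group":
        return "object-group " + tokens[1], tokens[2:]
    net = ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False)  # ASA: address + netmask
    return str(net), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq PORT' or 'range LO HI' operator."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    if tokens and tokens[0] == "range":
        return f"{tokens[1]}-{tokens[2]}", tokens[3:]
    return None, tokens

def parse_ace(line):
    """Parse one 'access-list NAME [line N] extended|remark ...' line into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    ace = {"name": t[1]}
    t = t[2:]
    if t[0] == "line":
        ace["line"] = int(t[1])
        t = t[2:]
    if t[0] == "remark":
        ace["remark"] = " ".join(t[1:])
        return ace
    if t[0] != "extended":
        raise ValueError("only extended ACEs and remarks are handled: " + line)
    ace["action"], ace["protocol"] = t[1], t[2]
    t = t[3:]
    ace["src"], t = _parse_address(t)
    ace["src_port"], t = _parse_port(t)
    ace["dst"], t = _parse_address(t)
    ace["dst_port"], t = _parse_port(t)
    ace["log"] = "log" in t                    # [log [[level] [interval secs] | disable | default]]
    ace["inactive"] = "inactive" in t
    if "time-range" in t:
        ace["time_range"] = t[t.index("time-range") + 1]
    return ace

def parse_acl(text):
    """Parse every non-blank line of an ACL listing."""
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def ios_to_asa(name, ios_ace):
    """Rewrite an IOS extended ACE body (wildcard masks) as an ASA ACE (network masks)."""
    t = ios_ace.split()
    out = ["access-list", name, "extended", t[0], t[1]]    # action, protocol
    t = t[2:]
    for _ in range(2):                                      # source, then destination
        if t[0] == "any":
            out.append("any")
            t = t[1:]
        elif t[0] == "host":
            out += t[:2]
            t = t[2:]
        else:
            out += [t[0], wildcard_to_mask(t[1])]
            t = t[2:]
        port, t = _parse_port(t)
        if port:
            out += (["range"] + port.split("-")) if "-" in port else ["eq", port]
    return " ".join(out + t)                                # trailing keywords (log, ...) unchanged

# Constructed ACL text in the syntax shown above.
ACL = """\
access-list outside_access_in line 1 remark Allow HTTPS to the DMZ web server
access-list outside_access_in line 2 extended permit tcp any host 192.0.2.10 eq 443 log
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any inactive
"""

if __name__ == "__main__":
    for ace in parse_acl(ACL):
        print(ace)
    print(ios_to_asa("in", "permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.1 eq 443"))
```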


1.1.b Implement static/dynamic NAT/PAT


NAT Types
Dynamic NAT - a group of real IP addresses mapped to a group of mapped IP addresses
Dynamic PAT - a group of real IP addresses mapped to a single IP address using unique source ports
Static NAT - a consistent mapping between a real and a mapped IP address; allows bidirectional traffic
Identity NAT - a real address statically translated to itself; used to bypass NAT

The ASA can implement NAT as network object NAT or twice NAT. It is recommended to use network object NAT unless the extra twice NAT features are required.

Network Object NAT
Defines all NAT rules configured as a parameter of a network object.  

Twice NAT
Identifies the source and destination address in a single rule. Allows both source and destination to be translated.

Identity NAT
Map an IP to itself, used for bypassing NAT

Configure Dynamic Network Object NAT
-Create a host or range network object for the mapped addresses
-Define target real addresses to be translated
-Configure dynamic NAT for object IP addresses.  

NAT config to translate the inside subnet 192.168.1.0/24 dynamically to the 10.1.1.1-100 pool
ciscoasa(config)# object network in-out-nat
ciscoasa(config-network-object)# range 10.1.1.1 10.1.1.100
ciscoasa(config)# object network inside-network
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic in-out-nat

Configure Dynamic Twice NAT
-Create host or range network objects  for the source real, source mapped, destination real, and destination mapped addresses
-Create service objects for destination real and destination mapped ports

Configure Dynamic PAT
ciscoasa(config)# nat (inside,outside) source dynamic inside-subnet interface 

Configure Static NAT
ciscoasa(config)# nat (inside,dmz) source static inside-net inside-net-mapped destination static Server1 Server1 service real-service mapped-service

Configure Identity NAT
ciscoasa(config)# nat (inside,outside) source static host-obj host-obj-identity
-the mapped IP should match the real IP: host-obj IP = host-obj-identity IP
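An added example (my own Python, not from these notes or Cisco) that simulates the four NAT types above on a small translation table: dynamic NAT from a pool, dynamic PAT to one address with unique source ports once the pool is exhausted (the fallback that adding the interface keyword to a dynamic rule gives; an assumption about the configuration, not shown in the notes), static NAT that also admits unsolicited inbound traffic, and identity NAT. The inside subnet is the 192.168.1.0/24 from the notes; the pool is shortened to three addresses so that exhaustion is visible.

```python
import ipaddress

def _expand(start, end):
    """Expand a 'range start end' network object into a list of addresses."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

class NatTable:
    """Translation table modelling the four NAT types (constructed, not ASA code)."""

    def __init__(self, pool_start, pool_end, pat_address):
        self.pool = _expand(pool_start, pool_end)  # dynamic NAT mapped addresses
        self.pat_address = pat_address             # address used once the pool is exhausted
        self.next_pat_port = 1024
        self.static = {}        # real -> mapped (bidirectional)
        self.identity = set()   # real addresses translated to themselves (bypass NAT)
        self.dynamic = {}       # real -> mapped address taken from the pool
        self.pat = {}           # (real_ip, real_port) -> mapped port on pat_address

    def add_static(self, real, mapped):
        self.static[real] = mapped

    def add_identity(self, real):
        self.identity.add(real)

    def outbound(self, src_ip, src_port):
        """Inside -> outside: returns the (mapped_ip, mapped_port) the outside sees."""
        if src_ip in self.identity:
            return src_ip, src_port
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if src_ip not in self.dynamic:
            free = [a for a in self.pool if a not in self.dynamic.values()]
            if free:
                self.dynamic[src_ip] = free[0]         # dynamic NAT: one pool address per host
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        key = (src_ip, src_port)                       # pool exhausted: dynamic PAT fallback
        if key not in self.pat:
            self.pat[key] = self.next_pat_port
            self.next_pat_port += 1
        return self.pat_address, self.pat[key]

    def inbound(self, dst_ip, dst_port):
        """Outside -> inside: the real (ip, port) a packet to a mapped address reaches, or None."""
        if dst_ip in self.identity:
            return dst_ip, dst_port
        for real, mapped in self.static.items():       # static NAT allows unsolicited inbound
            if mapped == dst_ip:
                return real, dst_port
        for real, mapped in self.dynamic.items():      # dynamic NAT: only while an xlate exists
            if mapped == dst_ip:
                return real, dst_port
        if dst_ip == self.pat_address:                 # PAT: only an existing port mapping
            for (real, port), mapped_port in self.pat.items():
                if mapped_port == dst_port:
                    return real, port
        return None

def demo():
    """Inside 192.168.1.0/24 behind a three-address pool so exhaustion is visible."""
    nat = NatTable("10.1.1.1", "10.1.1.3", "10.1.1.254")
    nat.add_static("192.168.1.10", "10.1.1.200")   # server published at a fixed address
    nat.add_identity("192.168.1.20")               # e.g. traffic that must bypass NAT
    hosts = ("192.168.1.10", "192.168.1.20", "192.168.1.30",
             "192.168.1.31", "192.168.1.32", "192.168.1.33")
    out = [nat.outbound(ip, 40000) for ip in hosts]
    out.append(nat.outbound("192.168.1.33", 40001))   # second flow from the PAT'd host
    inbound = [nat.inbound("10.1.1.200", 80), nat.inbound("10.1.1.1", 80),
               nat.inbound("10.1.1.254", 1025), nat.inbound("10.1.1.99", 80)]
    return out, inbound

if __name__ == "__main__":
    out, inbound = demo()
    print("outbound:", out)
    print("inbound: ", inbound)
```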

1.1.c Implement object groups


Object groups allow the reuse and grouping of IP addresses, which can greatly shorten the ACEs in an ACL. The syntax is object-group network [name].

Example

ciscoasa(config)# object-group network malicious
ciscoasa(config-network-object-group)# network-object host 10.1.1.101
ciscoasa(config-network-object-group)# network-object host 10.1.1.102
ciscoasa(config-network-object-group)# network-object host 10.1.1.103
ciscoasa(config-network-object-group)# object-group network inside-hosts
ciscoasa(config-network-object-group)# network-object host 192.168.1.4
ciscoasa(config-network-object-group)# network-object host 192.168.1.5
ciscoasa(config)# access-list ACL_IN extended deny ip object-group inside-hosts object-group malicious
ciscoasa(config)# access-list ACL_IN extended permit ip any any
ciscoasa(config)# access-group ACL_IN in interface inside

1.1.d Describe threat detection features


Threat detection works at layers 3 and 4 to develop a baseline for traffic on the device, checking packet drop statistics and accumulating reports based on traffic patterns. There are three main types: basic, advanced, and scanning. Only scanning threat detection can be configured to be reactive, via shunning of hosts.

Basic Threat Detection
Monitors rate of dropped packets and security events due to:
-ACL drops
-Bad packet format
-Connection limits exceeded
-DoS attack
-Basic firewall checks failed
-Suspicious ICMP packets detected
-Packets failed application inspection
-Interface overload
-Scanning attack detected
-Incomplete session detection

When a threat is detected, the ASA generates system log message 733100. Basic threat detection measures the rate at which drops occur over a period of time called the average rate interval (ARI); the range is 600 seconds to 30 days. If the number of events within the ARI exceeds the thresholds, the events are considered a threat. Basic threat detection does not take action and is informational only. The burst rate interval (BRI) is always smaller than the ARI and looks at shorter snapshots of data; the BRI is 1/30th of the ARI.

Advanced Threat Detection
More granular, such as tracking statistics for host IPs, ports, protocols, individual ACLs, etc. By default it is enabled only for ACL statistics. Time periods are 20 minutes, 1 hour, 8 hours, and 24 hours. Advanced threat detection is purely informational.

Scanning Threat Detection
Used to keep track of suspected attackers that create connections to too many hosts in a subnet, or to too many ports on a host/subnet. Disabled by default.

The ARI and BRI settings are shared between Basic and Scanning Threat detection.  Scanning Threat Detection maintains a database of attacker and target IP addresses.  Traffic is only considered if it passes an ACL, whereas basic threat detection will consider traffic valid even if it is dropped by an ACL.

It can be reactive by shunning an attacker's IP address. If an attack is detected, syslog message 733101 is logged. If configured to react, syslog message 733102 is logged. When the shun expires, syslog message 733103 is logged.
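An added example (my own Python, not from these notes or Cisco) that models the ARI/BRI rate logic of basic threat detection: given drop-event timestamps for one event category, it computes the average rate over the ARI and the burst rate over the BRI (ARI/30) and reports which threshold was crossed, the condition under which the ASA logs 733100. Only the ARI range (600 s to 30 days) and the BRI = ARI/30 relationship come from the notes; the thresholds and the drop timeline are constructed.

```python
from bisect import bisect_right

MIN_ARI, MAX_ARI = 600, 30 * 24 * 3600      # ARI range from the notes: 600 s to 30 days

def burst_interval(ari):
    """BRI is fixed at 1/30th of the ARI."""
    if not MIN_ARI <= ari <= MAX_ARI:
        raise ValueError("ARI must be between 600 seconds and 30 days")
    return ari / 30

def rate_in_window(times, end, length):
    """Events per second in the window (end - length, end]; times must be sorted."""
    start = bisect_right(times, end - length)
    stop = bisect_right(times, end)
    return (stop - start) / length

def evaluate(drop_times, now, ari, avg_threshold, burst_threshold):
    """Return the threat findings (syslog-style strings) for one drop category at time 'now'."""
    times = sorted(drop_times)
    bri = burst_interval(ari)
    avg = rate_in_window(times, now, ari)
    burst = rate_in_window(times, now, bri)
    findings = []
    if avg > avg_threshold:
        findings.append(f"733100 average rate {avg:.3f}/s over ARI {ari}s exceeds {avg_threshold}/s")
    if burst > burst_threshold:
        findings.append(f"733100 burst rate {burst:.3f}/s over BRI {bri:.0f}s exceeds {burst_threshold}/s")
    return findings

def demo(ari=600):
    """Constructed drop timeline: a low steady rate plus a sharp burst in the last 10 s.

    With ari=600 the 20 s BRI catches the burst; with ari=3600 the 120 s BRI
    averages it away, which is why the ARI choice matters.
    """
    now = 600
    steady = [6 * i for i in range(1, 101)]           # 100 ACL drops spread over 600 s
    burst = [now - 10 + 0.2 * i for i in range(50)]   # 50 drops between t=590 and t=600
    return evaluate(steady + burst, now, ari, avg_threshold=0.5, burst_threshold=2.0)

if __name__ == "__main__":
    print("ARI 600 :", demo(600))
    print("ARI 3600:", demo(3600))
```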

1.1.e Implement botnet traffic filtering


Workflow
-Enable use of the dynamic database
ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# dynamic-filter use-database
-Add static entries to the database (optional)
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name malicious.site.example.com
ciscoasa(config)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.site.example.com
-Enable DNS snooping
The default configuration inspects all UDP DNS traffic on all interfaces, but DNS snooping is disabled.
Recommendation: enable DNS snooping only on interfaces where external DNS requests travel (typically the outside interface).

ciscoasa(config)# class-map dynamic-filter_snoop_class
ciscoasa(config-cmap)# match port udp eq domain
ciscoasa(config)# policy-map dynamic-filter_snoop_policy
ciscoasa(config-pmap)# class dynamic-filter_snoop_class
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config)# service-policy dynamic-filter_snoop_policy interface outside

-Enable traffic classification and actions
The ACL is optional; if it is created, it must be referenced with classify-list, otherwise the filter classifies all traffic on the interface.
ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside

-Block traffic manually based on syslog msg info, optional

1.1.f Configure application filtering and protocol inspection


Inspection engines are required for services that embed IP addresses in the user data (so NAT has to rewrite the payload) or that open secondary connections on dynamically negotiated ports (so the ASA has to open pinholes for them).  This requires the ASA to perform deep packet inspection (DPI).

Configured via service policies, using the Modular Policy Framework (MPF).

-(optional) Create an ACL to identify the traffic to which inspection is applied and reference it from an L3/L4 class map.  The default class map (inspection_default) matches the default inspection traffic for each protocol.
-Specify any additional optional parameters for applying inspection to the traffic (for example a protocol-specific inspect policy map).
-Add or edit an L3/L4 policy map that sets the actions to take on the class map traffic, then apply it with a service policy.

ciscoasa(config)# policy-map [name]
ciscoasa(config-pmap)# class [name]
ciscoasa(config-pmap-c)# inspect [protocol]
ciscoasa(config)# service-policy policymap_name [global | interface int-name]

default config:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect ip-options _default_ip_options_map
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

1.1.g Describe ASA security contexts


The ASA can be partitioned into multiple contexts, each of which acts independently with separately defined administrators, security policies, and interfaces.  This is similar to running multiple ASAs within a single box, with some limitations.

Features not supported in multiple context mode:
-RIP
-OSPFv3 (OSPFv2 supported)
-Multicast Routing
-Threat Detection
-Unified Communications
-QoS
-Remote Access VPN (site to site supported)

Config files
Context configurations: a separate file for each context that holds its security policy and interface configuration.  Context configs are stored in flash memory or downloaded from an external source (for example a TFTP server).

System configuration: the system administrator defines context configuration locations, interface allocation, and other context operating parameters in the system configuration.  It acts similar to a startup configuration.  The system config does not define any network interfaces for its own use; it uses the admin context's interfaces for that purpose.  It does include the failover interface used for failover traffic.

Admin context configuration: the admin context can access both the system and all other contexts.  It lives on internal flash memory and cannot be stored remotely.  The admin context is created automatically when the ASA is converted from single mode; it is stored in flash memory and named admin.cfg.

Packet Classification
To determine which context receives a packet that arrives on a shared or dedicated interface, the ASA uses one of the following classification methods:

Unique interfaces: this method is always used in transparent mode, since unique interfaces are required for each context.  In routed mode, if only one context is associated with the ingress interface, traffic is classified to that context.

Unique MAC addresses: when an interface is shared by multiple contexts, the ASA classifies packets by the destination MAC address of the context interface.  Auto-generation of unique MAC addresses for context interfaces is enabled by default, or they can be configured manually.  Context interface MACs must be unique if multiple contexts share an interface.

NAT configuration: if unique MAC addresses are disabled, the ASA uses the mapped addresses in each context's NAT configuration to classify packets to the appropriate context.  Cisco recommends unique MAC addresses over NAT-based classification.

If the destination MAC is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context that shares the interface.
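The three classification rules above fall out naturally as a small decision procedure.  The model below is an added example, not code from this post or from Cisco; the context names, interface names, MAC addresses and mapped addresses are constructed, and the per-context MAC is assumed to be stored per shared interface (which is how the classifier needs it, regardless of how the ASA generates it).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Context:
    name: str
    interfaces: Set[str]                    # interfaces allocated to this context
    mac_by_interface: Dict[str, str]        # context MAC on each (shared) interface
    mapped_addresses: Set[str] = field(default_factory=set)   # NAT mapped IPs


@dataclass
class Frame:
    ingress: str
    dst_mac: str     # dotted Cisco notation, e.g. "a2cc.0001.0001"
    dst_ip: str


def is_group_address(mac: str) -> bool:
    """Multicast/broadcast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(".")[0][:2], 16) & 1 == 1


def classify(frame: Frame, contexts: List[Context], unique_macs: bool = True) -> List[str]:
    """Return the names of the contexts that should receive the frame."""
    candidates = [c for c in contexts if frame.ingress in c.interfaces]
    if not candidates:
        return []                               # unallocated interface: nothing to deliver to
    if len(candidates) == 1:
        return [candidates[0].name]             # unique interface: always decisive
    if is_group_address(frame.dst_mac):
        return [c.name for c in candidates]     # duplicated to every sharing context
    if unique_macs:
        return [c.name for c in candidates
                if c.mac_by_interface.get(frame.ingress) == frame.dst_mac]
    # unique MACs disabled: fall back to the mapped addresses in each NAT config
    return [c.name for c in candidates if frame.dst_ip in c.mapped_addresses]


# Constructed topology: admin owns Gi0/0; ctxA and ctxB share Gi0/1 as their
# outside interface and each has one dedicated inside interface.
CONTEXTS = [
    Context("admin", {"Gi0/0"}, {}),
    Context("ctxA", {"Gi0/1", "Gi0/2"}, {"Gi0/1": "a2cc.0001.0001"}, {"203.0.113.10"}),
    Context("ctxB", {"Gi0/1", "Gi0/3"}, {"Gi0/1": "a2cc.0002.0001"}, {"203.0.113.20"}),
]

if __name__ == "__main__":
    print(classify(Frame("Gi0/1", "a2cc.0002.0001", "203.0.113.20"), CONTEXTS))
    print(classify(Frame("Gi0/1", "ffff.ffff.ffff", "255.255.255.255"), CONTEXTS))
```

The unique_macs=False branch is the case the page warns about: a packet whose destination IP is not a mapped address of any context is simply dropped, which is why Cisco prefers MAC-based classification on shared interfaces.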

Cascading Contexts
Contexts can be placed in front of other contexts.  The outside interface of one context is the same interface as the inside interface of a different context.

Context User Management

System Administrator-accessed via the console port, or via the admin context via remote management.  System administrators can access all contexts.  

Context Administrator-these admins can only manage the context the user account is assigned to.  Accessible via telnet, ssh, ASDM.


Resource Management
Default setting-all security contexts have unlimited access to ASA resources.  VPN resources are disabled by default.  Resource management can be configured to limit use per context.  

Resource classes-contexts are assigned to resource classes that determine their limits.  A context belongs to the default class unless it is assigned to another class, and a context can be a member of only one class.

Resource Limits-can be defined as a percentage or an absolute value.  Resources (except VPN resources) can be oversubscribed; if one context then consumes too much of a resource, other contexts may drop connections as a result.

Default Class-if a context belongs to a class other than the default, that class's settings override the default class settings.  For any limit the custom class does not define, the context uses the default class value for that limit (this is the only way a context is ever subject to two classes' settings).  The default class gives all contexts unlimited access to resources, except the following:

Telnet, SSH, IPSec- 5 sessions each max per context
MAC addresses- 65,535 entries
VPN site-to-site tunnels - 0 sessions.  Class must be configured manually to allow VPN sessions

Licensing
5506-X - not supported
5512-X - Requires Security Plus license, 2 contexts.  Additional context license-5 contexts
5515-X - Base license 2 contexts, additional context license, 5 contexts
5525-X - Base license 2 contexts, additional context license, 5, 10, 20 contexts
5545-X - Base license 2 contexts, additional context license, 5,10,20,50 contexts
5555-X - Base license 2 contexts, additional context license, 5,10,20,50,100
5585-X SSP-10- Base 2 contexts, additional 5,10,20,50,100 contexts
SSP-20, 40, 60 - Base 2 contexts, additional 5,10,20,50,100,250 contexts
ASAv - Not supported





Sunday, July 6, 2014

High Availability-HSRP, VRRP, GLBP

For this post, I'm going to provide a brief overview of each of the first hop redundancy protocols covered in CCNP Switch.

Hot Standby Router Protocol (HSRP)- Cisco proprietary.  Active/Standby design.  There is 1 active router, 1 standby router, and any other routers in the group are "other routers" in the listening state.  The set of routers forms the Virtual Router, which represents a shared IP and MAC address that endpoints use as their default gateway.  HSRPv1 virtual MAC format: 0000.0c07.acxx, where xx is the HSRP group number in hex.  HSRP requires layer 2 connectivity between routers.

HSRPv1 group numbers are 0-255 (the xx octet of the virtual MAC); the number of groups supported per interface is platform dependent (16 on the platforms this material assumes).

HSRP Packet Flow: The workstation uses ARP to resolve the MAC of its default gateway.  The active router answers the ARP request with the virtual MAC.  In the event of failure, hosts do not need to update their ARP cache: when the standby router transitions to active it sends a gratuitous ARP for the virtual IP, sourced from the virtual MAC and addressed to the broadcast MAC, which forces a CAM table update on the L2 switches so that L2 forwarding points to the new active HSRP router.

HSRP States

Initial-Starting state, entered when an interface comes up or a configuration change occurs
Listen-Router is aware of the virtual IP, but is not active or standby.  Listens for hello messages
Speak-Sends hello messages and participates in election of active and standby routers.
Standby-Ready to become the active router should active router fail.  Sends hello messages.  Max 1 standby router per group.
Active-Actively forwards packets sent to the HSRP virtual mac address.  Sends hello messages. Max 1 active router per group.

HSRP Timers

Hello time- 3 seconds
Hold time - 10 seconds
Both timers are configurable.  The active HSRP router advertises its timers, and timers learned from the active router take precedence over locally configured values on the other group members.
HSRPv1 hello packets are sent to multicast destination IP 224.0.0.2 (UDP port 1985); HSRPv2 uses 224.0.0.102.

HSRP Priority
Ranges from 0-255, default value 100
Router with the highest priority becomes the active router during an election.  In the event of a tie, the router with the highest IP address wins the election.

HSRP Preemption
Enabling preemption allows a standby router with a higher priority to take over an active router's role as the active router for the HSRP group.  Preemption is disabled by default

HSRP Tracking
Allows the priority of an HSRP router to be adjusted automatically based on the availability of a tracked interface or object.  If a tracked interface goes down, the priority is decremented by a configured value so that it falls below the current standby router's priority, allowing the standby to take over.  Note that preemption must be enabled on the standby for this to work.  Tracking can be coupled with IP SLA.

HSRP Caveats- Ensure HSRP active router is also the root STP bridge for the associated VLAN.  Ensure HSRP timers match across all routers in an associated HSRP group.  Ensure a L2 connection exists amongst HSRP routers. Timers configured on the active HSRP router are advertised to other members of the group and override manually configured timer values.
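The election, tracking and preemption rules above are easy to get wrong in the lab (a decremented priority changes nothing unless the other router preempts), so here they are as a small model.  This is an added example and not part of the original post; router names, addresses and priorities are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC: 0000.0c07.acXX, XX = group number (0-255) in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class HsrpRouter:
    name: str
    ip: str                     # real interface address, used as the tie-breaker
    priority: int = 100         # default HSRP priority
    preempt: bool = False       # preemption is off by default
    track_decrement: int = 0    # applied while the tracked interface/object is down
    tracked_up: bool = True

    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        return max(self.priority - self.track_decrement, 0)


def elect_active(routers: List[HsrpRouter]) -> HsrpRouter:
    """Initial election: highest priority wins; ties go to the highest IP address."""
    return max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))


def next_active(current: HsrpRouter, routers: List[HsrpRouter]) -> HsrpRouter:
    """Active router after a priority or tracking change while `current` is
    still up. A router with a better election result only takes over if it
    has preemption enabled; otherwise the current active keeps the role."""
    best = elect_active(routers)
    if best is current:
        return current
    return best if best.preempt else current


if __name__ == "__main__":
    r1 = HsrpRouter("R1", "10.0.0.2", priority=110, preempt=True, track_decrement=20)
    r2 = HsrpRouter("R2", "10.0.0.3", priority=100, preempt=True)
    print("group 10 vMAC:", hsrp_v1_virtual_mac(10))
    print("initial active:", elect_active([r1, r2]).name)
    r1.tracked_up = False        # R1's uplink fails: 110 - 20 = 90 < 100
    print("after track failure:", next_active(r1, [r1, r2]).name)
```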

Virtual Router Redundancy Protocol (VRRP)
Essentially the IETF standard (RFC 3768 for VRRPv2) counterpart of HSRP, with some different features.  One router is active and handles all traffic forwarding directed to the virtual IP address; this router is called the master router.  Any other routers in the VRRP group are called backup routers.  Unlike HSRP, a real router's interface IP address can be used as the virtual IP address for the VRRP group.  If a real address is used, the router that owns that IP (the IP address owner) becomes the master.  If a separate virtual IP is used, the master is elected based on highest priority.

255 max VRRP groups

VRRP Packet Flow: Same as HSRP.

VRRP States:
Initialize
Backup-Unlike HSRP standby routers, backup VRRP routers do not send advertisements.  Instead, they listen for master advertisements.  If the master advertisements stop and the master down interval is exceeded, the transition to the master state begins.
Master-While in the master state, the router actively forwards frames sent to the virtual IP and sends advertisements once every second, by default.

VRRP Timers:
Three timers are used:
The advertisement timer-default 1 second
The master down interval.  This is calculated as 3 * advertisement interval + skew time.
The skew time.  Calculated as (256 - priority) / 256 seconds.  Because a higher priority gives a shorter skew time, the backup with the highest priority times out first and becomes the next VRRP master.
Only the VRRP group master sends advertisements, and it sends it by default every second to multicast address 224.0.0.18.

VRRP Priority:
Priority is configurable from 1-254, with 100 as the default.  0 is a special value sent by a master that is shutting down in a controlled manner, to inform the backup routers immediately; 255 is reserved for the IP address owner.  In the event of a tie, the router with the highest IP address becomes the master.

VRRP Preemption
Unlike HSRP, preemption is enabled by default.

VRRP Tracking:
VRRP cannot track interfaces like HSRP, but can track objects

VRRP Caveats:
L2 link amongst VRRP members required for operation
Master router should be the STP root for the corresponding VLAN in a switched environment to ensure optimal pathing
VRRP group timers must match-unlike HSRP, timers are not advertised from the master router.
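The skew time is the part of VRRP that people misread: a lower-priority backup waits longer, not shorter, which is how the protocol avoids two backups claiming master at once.  The functions below compute the timers from the formulas above and model the master choice, including the IP address owner rule.  This is an added example, not code from the post; the virtual MAC format 0000.5e00.01xx comes from RFC 3768 rather than from this page, and the router addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRPv2 virtual MAC (RFC 3768): 0000.5e00.01XX, XX = VRID 1-255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def skew_time(priority: int) -> float:
    """Skew_Time = (256 - Priority) / 256 seconds."""
    return (256 - priority) / 256


def master_down_interval(priority: int, advertisement_interval: float = 1.0) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * advertisement_interval + skew_time(priority)


@dataclass
class VrrpRouter:
    name: str
    ip: str
    priority: int = 100


def elect_master(routers: List[VrrpRouter], virtual_ip: str) -> VrrpRouter:
    """The IP address owner (priority 255) always wins; otherwise highest
    priority, ties broken by highest IP address."""
    owners = [r for r in routers if r.ip == virtual_ip]
    if owners:
        return owners[0]
    return max(routers, key=lambda r: (r.priority, IPv4Address(r.ip)))


def takeover_order(routers: List[VrrpRouter], advertisement_interval: float = 1.0) -> List[str]:
    """Backups sorted by how soon their master-down timer fires after the
    master goes silent: the best backup has the shortest interval."""
    return [r.name for r in sorted(routers,
                                   key=lambda r: master_down_interval(r.priority, advertisement_interval))]


if __name__ == "__main__":
    backups = [VrrpRouter("R1", "10.0.0.2", 200), VrrpRouter("R2", "10.0.0.3", 100)]
    for r in backups:
        print(r.name, "master down interval:", master_down_interval(r.priority))
    print("takeover order:", takeover_order(backups))
```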

Gateway Load Balancing Protocol (GLBP)
Cisco proprietary protocol that allows an active/active design with multiple routers forwarding traffic at the same time, compared to HSRP and VRRP which have only one active or master router per group.  Traffic is shared across multiple gateways.  Routers in a GLBP group take one of two roles.  Active virtual gateway (AVG): the router elected as AVG for the group; it answers ARP for the virtual IP and assigns a virtual MAC address to each member of the GLBP group.  Active virtual forwarder (AVF): a gateway that forwards traffic sent to the virtual MAC assigned to it by the AVG.  The AVG normally acts as an AVF as well.  Unlike the standby/backup routers in HSRP and VRRP, every AVF forwards traffic.

There can be a max of 1024 virtual routers, or GLBP groups, per physical interface of a router.
There can be a max of 4 virtual forwarders per group.

GLBP Packet Flow
AVG replies to ARP requests from hosts, and depending on the selected load balancing mode, replies with the virtual mac address for GLBP group members.

GLBP States: (still looking for more detailed information on the exact GLBP states)

GLBP Load Balancing Modes
Round-robin load balancing algorithm (default)- each client ARP request is answered with the virtual MAC address of the next GLBP group member, in round-robin fashion.
Weighted load-balancing algorithm- the share of traffic directed to a router is proportional to the weight value assigned to that router.
Host-dependent load-balancing algorithm- a given host is always answered with the same virtual MAC address, as long as that virtual MAC is still held by a member of the GLBP group.

GLBP Timers
Hello- default 3 seconds
Hold time- default 10 seconds
Redirect - how long the AVG keeps answering ARP with the virtual MAC of a failed AVF (default 600 seconds); after it expires, new hosts are no longer pointed at that MAC.
Secondary Hold (timeout) - how long the backup AVF keeps forwarding for the virtual MAC it assumed from the failed AVF before that MAC is retired (default 14400 seconds).
The AVG sends hello messages by default every 3 seconds to GLBP members via multicast 224.0.0.102.
The AVG will advertise timer values to GLBP group members

GLBP Priority
Priority determines the AVG for a group.  Priority is 1-255,with 100 as the default.  If preemption is enabled (it is off by default), as with HSRP and VRRP, a router can take over the role of AVG if it has a higher priority.

GLBP Weighting 
Weighting is used to determine AVF redundancy priority in the event of an AVF failure.  Additionally, thresholds can be set on the weight to determine when a router may or may not act as an AVF.  The default weight value is 100.  All AVFs back up one another: if an AVF fails, the remaining AVF with the highest weighting value wins this secondary election and accepts packets sent to two virtual MACs, its own and the one it assumed via the election.  This is where the redirect and secondary hold timers come into play.

GLBP Preemption:
Disabled by default but supported

GLBP Tracking:
Tracks objects and interfaces

GLBP Caveats:
L2 link necessary between GLBP group members
Active gateways should be configured as STP root for corresponding VLANs
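The ARP-reply behaviour of the AVG is what makes GLBP active/active, and the three load-balancing modes differ only in which AVF's virtual MAC the AVG hands out.  The model below is an added example and not part of the post; the virtual MAC values are constructed (the real GLBP virtual MAC layout is not modelled), and the host-dependent mode uses a CRC of the host MAC as an assumed stand-in for whatever hash the AVG actually uses.  It also shows the failure case from the text: a host that was pinned to a failed AVF is moved to a surviving one.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Forwarder:
    """One AVF: a group member holding a virtual MAC assigned by the AVG."""
    name: str
    vmac: str           # constructed value, not the real GLBP format
    weight: int = 100   # GLBP weighting; default 100
    up: bool = True


class ActiveVirtualGateway:
    """Answers ARP for the GLBP virtual IP with one AVF's virtual MAC."""

    def __init__(self, forwarders: List[Forwarder], mode: str = "round-robin"):
        if mode not in ("round-robin", "weighted", "host-dependent"):
            raise ValueError(mode)
        self.forwarders = forwarders
        self.mode = mode
        self._counter = 0                      # rotates replies (round-robin, weighted)
        self._host_map: Dict[str, str] = {}    # host MAC -> virtual MAC it was given

    def _live(self) -> List[Forwarder]:
        return [f for f in self.forwarders if f.up]

    def arp_reply(self, host_mac: str) -> str:
        live = self._live()
        if not live:
            raise RuntimeError("no active virtual forwarder to answer ARP")
        if self.mode == "round-robin":
            f = live[self._counter % len(live)]
            self._counter += 1
            return f.vmac
        if self.mode == "weighted":
            # replies in proportion to weight: walk the cumulative weights
            slot = self._counter % sum(f.weight for f in live)
            self._counter += 1
            for f in live:
                if slot < f.weight:
                    return f.vmac
                slot -= f.weight
        # host-dependent: a host keeps the virtual MAC it was first given,
        # for as long as that virtual MAC is still held by a live AVF
        vmac = self._host_map.get(host_mac)
        if vmac is not None and any(f.vmac == vmac for f in live):
            return vmac
        f = live[zlib.crc32(host_mac.encode()) % len(live)]   # assumed hash
        self._host_map[host_mac] = f.vmac
        return f.vmac


def make_group() -> List[Forwarder]:
    """Constructed three-member GLBP group."""
    return [Forwarder("R1", "0007.b400.0101"),
            Forwarder("R2", "0007.b400.0102"),
            Forwarder("R3", "0007.b400.0103")]


if __name__ == "__main__":
    avg = ActiveVirtualGateway(make_group())
    print([avg.arp_reply(f"00aa.0000.000{i}") for i in range(4)])
```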

Saturday, February 1, 2014

Catalyst Switching Tables

General notes/review material for basic L2 switching with Catalyst switches, along with notes about the CAM and TCAM tables.

L2 Switching Review

L2 switches learn mac addresses via incoming frames, and stores the MAC address, switchport, and VLAN on which the frame arrives in the CAM table.  Frames are forwarded by destination MAC address, and frames with errors are not sent out of the switch.  Frames are received, inspected, and regenerated-this is store-and-forward switching.

CAM Tables

All Catalyst switches use a content-addressable memory (CAM) table for L2 switching.  MAC addresses are the keys; the switch looks up the destination MAC to determine the egress port and VLAN ID.  If the destination MAC is not present, the frame is flooded out all other ports in the VLAN, and the reply lets the switch learn the MAC.  If a MAC address learned on one port shows up on another port, the MAC address and time-stamp are saved for the new port and the prior entry is deleted.

MAC addresses are learned dynamically by default but may be set statically.  The default aging period for the CAM table is 300 seconds.   If a MAC address keeps alternating between learned switch ports, a syslog error for MAC address flapping between interfaces is generated.

Change mac address table aging:
switch(config)# mac address-table aging-time [seconds]

Clear CAM table entries manually:
switch#clear mac address-table dynamic address [mac] | interface [type] | vlan [id]

Set static CAM entries
switch(config)#mac address-table static [mac] vlan [id] interface [type]

Show CAM table contents:
switch#show mac address-table dynamic [address [mac] | interface [type] | vlan [id]]
Show CAM table size:
switch#show mac address-table count
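To make the learning, aging and flapping behaviour above concrete, here is a small CAM table model with those rules.  This is an added example, not code from the post or from IOS; the flap threshold (5 port moves within 15 seconds) is a constructed number, and the syslog text is modelled on the IOS MACFLAP_NOTIF message rather than copied from a real switch.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CamEntry:
    port: str
    vlan: int
    last_seen: float
    static: bool = False


class CamTable:
    FLAP_WINDOW = 15.0   # seconds; constructed threshold
    FLAP_COUNT = 5       # port moves within the window that count as flapping

    def __init__(self, aging_time: float = 300.0):   # IOS default aging: 300 s
        self.aging_time = aging_time
        self.entries: Dict[Tuple[int, str], CamEntry] = {}
        self._moves: Dict[Tuple[int, str], List[float]] = {}
        self.syslog: List[str] = []

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """mac address-table static: never aged, never overwritten by learning."""
        self.entries[(vlan, mac)] = CamEntry(port, vlan, 0.0, static=True)

    def learn(self, src_mac: str, vlan: int, port: str, now: float) -> None:
        key = (vlan, src_mac)
        e = self.entries.get(key)
        if e and e.static:
            return
        if e and e.port != port:
            # the MAC moved: note the move and check for flapping
            moves = self._moves.setdefault(key, [])
            moves.append(now)
            moves[:] = [t for t in moves if now - t <= self.FLAP_WINDOW]
            if len(moves) >= self.FLAP_COUNT:
                self.syslog.append(
                    f"%SW_MATM-4-MACFLAP_NOTIF: Host {src_mac} in vlan {vlan} "
                    f"is flapping between port {e.port} and port {port}")
                moves.clear()
        self.entries[key] = CamEntry(port, vlan, now)   # new port replaces old

    def age(self, now: float) -> int:
        """Remove dynamic entries not refreshed within the aging time."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, dst_mac: str, vlan: int, ingress: str, now: float,
                vlan_ports: List[str]) -> List[str]:
        """Egress ports: the known port, nothing if that is the ingress port,
        or a flood to every other port in the VLAN for an unknown unicast."""
        e = self.entries.get((vlan, dst_mac))
        if e and (e.static or now - e.last_seen <= self.aging_time):
            return [] if e.port == ingress else [e.port]
        return [p for p in vlan_ports if p != ingress]


if __name__ == "__main__":
    cam = CamTable()
    ports = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"]
    cam.learn("0011.2233.4455", 10, "Gi1/0/1", now=0.0)
    print(cam.forward("0011.2233.4455", 10, "Gi1/0/2", 5.0, ports))
    print(cam.forward("00de.adbe.ef00", 10, "Gi1/0/2", 5.0, ports))
```

The flapping branch is also the one that matters for security: a host that keeps moving between an access port and an uplink is the signature of a loop or of someone spoofing a neighbour's MAC, and it is worth alerting on that syslog.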

TCAM Tables

Switches capable of processing QoS and security ACLs use a Ternary Content-Addressable Memory Table (TCAM).  This processing is implemented in hardware.  Multi-layer switches and some L2 switches are equipped with TCAM table(s).  TCAM evaluates inbound packets against an entire access list using one table lookup.  Most switches have multiple TCAM tables for both in/out QoS and Security ACLs, allowing these lookups to be performed simultaneously or in parallel with L2 and L3 forwarding decisions.

The structure of the TCAM table is essentially an extension of the CAM table.  Like the CAM table, a lookup operation is performed, but TCAM entries consist of three input values for keys-Value, Mask, and Result (VMR) combinations.  Values and Masks are 134 bits.  The Value consists of source and destination addresses and protocol information.  The Masks choose value bits of interest.  Results are numeric values which show what action to take after the TCAM table lookup operation.  Frame or packet headers are compared against the value and mask pairs to yield a desired result.  Compared to a traditional permit/deny/log response, TCAM results can translate into QoS policing, pointing to a next hop routing table, etc.

Two software components manage the TCAM: the Feature Manager (FM) and the Switching Database Manager (SDM).

FM-This compiles ACE entries into the TCAM table, allowing TCAM to be consulted at full frame forwarding speed.
SDM-This can partition the TCAM on some switches (excluding 4500 and 6500) to tune the TCAM partitions.


TCAM Value Patterns
Ethernet-Source MAC 48, Destination MAC 48, Ethertype 16
ICMP- Source IP 32, Destination IP 32, Protocol 16, ICMP code 8, ICMP type 4, ToS 8
Extended IP TCP/UDP- Source IP 32, Dest IP 32, Protocol 16, IP ToS 8, src port 16, src operator 4, dest port 16, dest operator 4
Other IP- source IP 32, dest IP 32, protocol 16, ToS 8
IGMP- Source IP 32, Dest IP 32, protocol 16, ToS 8, IGMP message type 8
IPX- Source IPX network 32, Dest IPX network 32, dest node 48, IPX packet type 16

Port Operators
If an ACE uses a port operator such as range, neq, gt, or lt, the FM software uses a logical operation unit (LOU) register when it compiles the TCAM entry, because a single value/mask pair can only express an exact match or a don't-care on each bit.  LOUs are a limited resource, so only so many such ACEs can be in use at once.
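The value/mask/result idea, and why port operators need a LOU, is clearer in code.  The model below is an added example and not part of the post or of any Cisco implementation: it packs a simplified key (source IP, destination IP, protocol, source port, destination port) rather than the full 134-bit pattern, compiles ACEs into VMR entries, performs a first-match lookup, and shows how a port range has to be broken into several aligned value/mask blocks when no LOU is available.  The ACL entries are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Simplified key layout (bit offsets): src IP 72, dst IP 40, protocol 32,
# src port 16, dst port 0. The real TCAM key is 134 bits wide.
SRC_SHIFT, DST_SHIFT, PROTO_SHIFT, SPORT_SHIFT = 72, 40, 32, 16


@dataclass(frozen=True)
class VMR:
    value: int    # key bits the ACE wants to see
    mask: int     # "care" bits; a zero mask bit is don't-care
    result: str   # permit, deny, or another action such as a QoS marking


def pack_key(src: str, dst: str, proto: int, sport: int, dport: int) -> int:
    """Build the lookup key from packet header fields."""
    return ((int(ip_address(src)) << SRC_SHIFT) | (int(ip_address(dst)) << DST_SHIFT)
            | (proto << PROTO_SHIFT) | (sport << SPORT_SHIFT) | dport)


def ace_to_vmr(src_net: str, dst_net: str, proto: Optional[int] = None,
               dport: Optional[int] = None, result: str = "permit") -> VMR:
    """Compile one ACE (exact-match or 'any' fields only) into a VMR."""
    s, d = ip_network(src_net), ip_network(dst_net)
    value = (int(s.network_address) << SRC_SHIFT) | (int(d.network_address) << DST_SHIFT)
    mask = (int(s.netmask) << SRC_SHIFT) | (int(d.netmask) << DST_SHIFT)
    if proto is not None:
        value |= proto << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    if dport is not None:
        value |= dport
        mask |= 0xFFFF
    return VMR(value, mask, result)


def tcam_lookup(key: int, entries: List[VMR]) -> str:
    """All entries are compared in parallel in hardware; the highest-priority
    match wins. Here list order is priority, with the ACL's implicit deny."""
    for e in entries:
        if key & e.mask == e.value & e.mask:
            return e.result
    return "deny"


def port_range_to_vmrs(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Without a LOU, a 'range lo hi' operator must be expanded into aligned
    power-of-two blocks, each one (value, mask) pair on the 16-bit port."""
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return blocks


# Constructed ACL: block SSH from 10/8, permit everything else from 10/8.
ACL = [
    ace_to_vmr("10.0.0.0/8", "0.0.0.0/0", proto=6, dport=22, result="deny"),
    ace_to_vmr("10.0.0.0/8", "0.0.0.0/0", result="permit"),
]

if __name__ == "__main__":
    print(tcam_lookup(pack_key("10.1.2.3", "203.0.113.5", 6, 40000, 22), ACL))
    print(len(port_range_to_vmrs(1024, 65535)), "entries for range 1024-65535")
```

The last line is the practical point behind LOUs: "range 1024 65535" compiles to six aligned blocks here, but an odd range such as 80-82 already needs two, and ranges like 1000-2999 fan out much further, which is why heavy use of gt/lt/range is a TCAM and LOU capacity concern.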