CCNA Sec 01 • • • • • • • • • • • • • • • • • • • • • • The basics of IT security: CIA (Confidentiality, Integrity, Availability) Confidentiality Measures that prevent disclosure of information or data to unauthorized individuals or systems Integrity Protecting the data from unauthorized alteration or revision Often ensured through the use of a hash Availability Making systems and data ready for use when legitimate users need them at any time Guaranteed by network hardening mechanisms and backup systems Attacks against availability all fall into the “denial of service” realm Asset It is anything that is valuable to an organization Vulnerability An exploitable weakness in a system or its design Threat Any potential danger to an asset Countermeasure A safeguard that somehow mitigates a potential risk Risk The potential for unauthorized access to, compromise, destruction, or damage to an asset Classifying Assets One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class • Classifying Vulnerabilities • Policy flaws • Design errors CCNA Sec Page • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Design errors Protocol weaknesses Misconfiguration Software vulnerabilities Human factors Malicious software Hardware vulnerabilities Physical access to network resources Classifying Countermeasures Administrative controls Consist of written policies, procedures, guidelines, and standards Physical controls Are exactly what they sound like, physical security for the network servers, equipment, and infrastructure Logical controls (technical controls) Logical controls include passwords, firewalls, IPS, access lists, VPN tunnels, …… Potential Attackers Terrorists Criminals Government agencies Nation states Hackers Disgruntled employees Competitors Attack Methods Reconnaissance This is the discovery process used to find information about the network Social engineering Leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks): the user Could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information Phishing Presents a link that looks like a valid trusted resource to a user Pharming Used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user Privilege escalation The process of taking some level of access and achieving an even greater level of access Backdoor Application can be installed to allow access Code execution When attackers can gain access to a device, they might be able to take several actions Man-in-the-Middle Attacks Results when attackers place themselves in line between two devices that are communicating To mitigate this risk, you could use techniques such as DAI (Dynamic ARP Inspection) Additional Attack Methods Covert channel Uses programs or communications in unintended ways For ex If web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-toCCNA Sec Page • For ex If web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-topeer traffic inside of HTTP traffic • Also a backdoor application collecting keystroke information from the workstation and then sending it out as ICMP or http packet • Trust exploitation • Ex an attacker could leverage his gaining access to a DMZ host, and using that location to launch his attacks from there to the inside network • Brute-force (password-guessing) attacks • Performed when an attacker’s system attempts thousands of possible passwords looking for the right match • Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time • DoS (Denial of Service) • An attack is launched from a single device with the intent to cause damage to an asset • DDoS (Distributed Denial-of-Service) • An attack is launched from multiple devices as from botnet network • Botnet • A collection of infected computers that are ready to take instructions from the attacker • RDoS (Reflected DDoS) • When the source of the initial (query) packets is actually spoofed by the attacker • The response packets are then “reflected” back from the unknowing participant to the victim of the attack • Guidelines for Secure Network Architecture • Rule of least privilege • Minimal access should only provided to the required network resources • Defense in depth • You should have security implemented on an early every point of your network • Ex filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers, as well • Separation of duties • Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place • Auditing • Accounting and keeping records about what is occurring on the network • Common forms of social engineering • Phishing • Elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution • The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number • Malvertising • This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware • Phone scams • An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack • Defenses Against Social Engineering • Password management • The number and type of characters that each password must include, how often a password must be changed • Two-factor authentication • Use two-factor authentication rather than fixed passwords • Antivirus/antiphishing defenses CCNA Sec Page • Antivirus/antiphishing defenses • Document handling and destruction • Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash • Physical security • Malware Identification Tools • Packet captures • Snort IDS - An open source IDS/IPS developed by the founder of Sourcefire • NetFlow • IPS events • Advanced Malware Protection (AMP) • Designed for Cisco FirePOWER network security appliances • Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats • NGIPS (Next-Generation Intrusion Prevention System) • The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high inspection throughput rates Implementing AAA in Cisco IOS • Administrative access methods • Password only • Local database • AAA Local Authentication (self-contained AAA) • AAA Server-based • AAA provides: • Authentication • Who is permitted to access a network • Authorization • What they can while they are there • Accounting • Records in details what they did • Methods of implementing AAA services • Local AAA Authentication - Uses a local database stored in the router for authentication • Server-Based AAA Authentication - Uses an external database server that leverages RADIUS or TACACS+ protocols - Preferred in large environment • Server-Based Authentication • The user establishes a connection with the router • The router prompts the user for a username and password • The router passes the username and password to the Cisco Secure ACS • The ACS authenticates and authorizes the user based on its database • ACS (Access Control Server) • Can create a central user and administrative access DB that all network devices can access • Can work with many external databases, such as Active Directory • Supports both TACACS+ and RADIUS protocols • Both protocols can be used to communicate between AAA client (Router) and AAA servers (ACS) • Provides user and device group profiles CCNA Sec Page • • • • • • • • • • • • Restrictions to network access based on a specific time Can be software installed on windows server or a physical appliance can be purchased from Cisco RADIUS (Remote Authentication Dial-In User Service) Open standard, RFCs 2865, 2866, 2867, and 2868 Combines authentication & authorization, but separates accounting Supports detailed accounting required for billing users, so preferred by ISPs Encrypts only the password Does not encrypt user name, or any other data in the message Used UDP port 1645 & now 1812 for authentication & authorization Used UDP port 1646 & now 1813 for accounting Supports remote-access technologies, 802.1X, and SIP • • • • • • • • • TACACS+ (Terminal Access Control Access Control Server) Cisco proprietary Separates authentication and authorization Provides limited detailed accounting Encrypts all packet not only the password Utilizes TCP port 49 Multiprotocol support, such as IP and AppleTalk Incompatible with any previous version of TACACS • • • • • AAA clients must run Cisco IOS Release 11.2 or later ISE (Identity Services Engine) An identity and access control policy platform Can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels, and so on before allowing the device on the network • Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent replacement for ACS • ACS should be used mainly for AAA, and ISE for the posturing & policy compliance checking for hosts • Login method types: CCNA Sec Page • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Login method types: Enable Uses the enable password for authentication Line Uses the line password for authentication Local Uses the local username database for authentication Local-case Uses case-sensitive local username authentication Group radius Uses the list of all RADIUS servers for authentication Group tacacs+ Uses the list of all TACACS+ servers for authentication Group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command None To ensure that the authentication succeeds even if all methods return an error AAA lists When AAA is enabled, the default list is automatically applied to all interfaces and lines but with no methods defined unless a predefined list is assigned If the default method list is not set and there is no other list, only the local user database is checked Authorization What a user can and cannot on the network after that user is authenticated Implemented using a AAA server-based solution When a user has been authenticated, a session is established with the AAA server The router requests authorization for the requested service from the AAA server The AAA server returns a PASS/FAIL for authorization TACACS+ establishes a new TCP session for every authorization request When AAA authorization is not enabled, all users are allowed full access To enable AAA R(config)# aaa new-model To Configure Authentication to Use the AAA Server R(config)# aaa authentication login list-name|default method method method [maximum methods] R(config)# aaa authentication login default group radius group tacacs+ local … R(config)# aaa authentication enable list-name|default group tacacs+ enable Methods are used in order, if no response from one, the next is used To specify the number of unsuccessful login attempts (then the user will be locked out) R(config)# aaa local authentication attempts max-fail n The account (non priv 15) will stay locked until it is cleared by an administrator To display a list of all locked-out users R# show aaa local user lockout To unlock a specific user or to unlock all locked users R# clear aaa local user lockout all | username name To display the attributes that are collected for a AAA session R# show aaa user all | unique-id To show the unique ID of a session R# show aaa sessions CCNA Sec Page • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • R# show aaa sessions For vty lines R(config)# line vty R(config-line)# login authentication name|default R(config-line)# authorization exec name|default To debug aaa authentication R# debug aaa authentication|authorization Look specifically for GETUSER and GETPASS status messages To configure AAA with CCP CCP, Configure, Router, AAA,… To create a local user account CCP > Router > Router Access > User Accounts/View > Add To configure the AAA client (router) with the TACACS+ server R(config)# tacacs-server host ip key the-key To configure the AAA client (router) with the RADIUS server R(config)# radius-server host ip key the-key AAA Authorization (Router) To get the priviege level that should be given to user from the local user database R(config)# aaa authorization exec default local To get the priviege level that should be given to user from the tacacs server R(config)# aaa authorization exec default group tacacs+ To enable command authorization on the console R(config)# aaa authorization console To assign level 15 automatically to any user just authenticated R(config)# aaa authorization exec default if-authenticated To authorize each command, you enter at config and it's submode R(config)# aaa authorization config-commands To authorize level x (1-15) users R(config)# aaa authorization commands x default group tacacs+ if-authenticated R(config)# no aaa authorization config-commands AAA debugging To debug aaa R# debug aaa authentication To debug RADIUS or TACACS+ R# debug radius|tacacs events AAA Accounting Each session established through the ACS can be fully accounted for and stored on the server To configure AAA accounting R(config)# aaa accounting exec default|list-name start-stop|stop-only method1 method2 ACS server configurations Network device groups Groups of network devices, normally based on routers or switches with similar functions/devices managed by the same administrators Network devices (ACS clients/routers/switches) The individual network devices that go into the device groups Identity groups (user/admin groups) Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices CCNA Sec Page • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • of network devices User accounts Individual administrator/user accounts that are placed in identity groups Authorization profiles These profiles control what rights are permitted The profile is associated with a network device group and a user/administrator identity group To manage ACS server https://ip Default username and password: acsadmin pass: default For trial license https://www.cisco.com/go/license username: adelmohammad , pass: P@ssw0rd get other licenses , demo and , search for access control , To create a device group ACS > Network Resources > Network Device Groups > Device Type > Create To add a device to the group Network Resources > Network Devices and AAA Clients > Create Click the Select button to the right of the device type and select the device group Select tacacs+ and type the password In the ip address select range and type the range (ex 10.0.0.100-200) , Add V To create a user group Users and Identity Stores > Identity Groups > Create To create individual user Users and Identity Stores > Internal Identity Stores > Users and click > Create To create a shell profile Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create Custom tasks tab, Default Privilege:static, type a privilige level To configure authorization policies (To assign permisions to identity group to access device group) Access Policies > Access Services > Default Device Admin > Authorization > Create Then select a shell profile or create one (shell profile has a name and defines a privilige level) Verifying and Troubleshooting Router-to-ACS Server Interactions Ping the ACS server from the router R# test aaa group tacacs+ username password legacy Using debug Commands to Verify Functionality To look at the reports on the ACS server Monitoring & Reports > Reports > Catalog > AAA Protocol Bring Your Own Device (BYOD) Allowing users bringing their own network-connected devices while also maintaining an appropriate security posture The organization’s security policy must be lever-aged to govern the level of access for BYOD devices CCNA Sec Page • • BYOD Solution Components • BYOD devices • The corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location • Wireless access points (AP) • Provide wireless network connectivity to the corporate network for both local & BYOD devices • Wireless LAN (WLAN) controllers • Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution • Used to implement and enforce the security requirements for the BYOD solution • Works with the ISE to enforce both authentication and authorization policies on each BYOD endpoint • Identity Services Engine (ISE) • The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies put forth by the organization • Cisco AnyConnect Secure Mobility Client • Provides connectivity for end users who need access to the corporate network • Inside network users leverages 802.1X to provide secure access to the corporate network • Outside users uses AnyConnect Client to provide secure VPN connectivity, including posture checking • Integrated Services Routers (ISR) • Will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments • Can provide VPN connectivity for mobile devices that are part of the BYOD solution • Adaptive Security Appliance (ASA) • Provides all the standard security functions for the BYOD solution at the Internet edge • Can provide IPS and VPN for end devices • Cloud Web Security (CWS) • Provides enhanced security for all the BYOD solution endpoints while they access Internet • RSA SecurID • The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication CCNA Sec Page • • • • • • • • • • • • • • • • • • • • • • network devices and other applications which require OTP authentication Active Directory Restricts access to those users with valid authentication credentials Certificate authority The CA server ensures that only devices with corporate certificates can access the corporate network Mobile Device Management (MDM) Deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution Specific functions provided by MDM include: Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached) Enforcement of strong passwords for all BYOD devices Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting to use these compromised devices on the corporate network Enforcement of data encryption requirements based on an organization’s security policies Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed MDM Deployment Options On-Premise MDM Deployment MDM application software is installed and maintained on servers within the corporate data center Consists of the following topology and network components: Data center The data center consists of the servers and ISE to enforce posture assessment and access control Internet edge Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices Services Contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate Core Serves as the main distribution and routing point for all network traffic traversing the corporate network environment Campus building A distribution switch provides the main ingress/egress point for all network traffic entering and exiting from the campus environment • Cloud-Based MDM Deployment • MDM application software is hosted, managed and maintained by a service provider who is solely CCNA Sec Page 10 • MDM application software is hosted, managed and maintained by a service provider who is solely responsible for the BYOD solution • Consists of the following topology and network components: • Data Center • The data center consists of the servers and ISE to enforce posture assessment and access control • Internet edge • Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices • WAN • Provides MPLS VPN connectivity for the branch office back to corporate network • Internet access for the branch office • Access to the cloud-based MDM functionality • The cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all of the BYOD devices • WAN edge • Serve as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office environment • Services • Contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate • Core • Serves as the main distribution and routing point for all network traffic travers ing the corporate network environment • Branch office • All users requiring network connectivity within the branch office so through either hardwired connections to the access switches or via WLAN access to the corporate APs • CCNA Sec Page 11 ... while also maintaining an appropriate security posture The organization’s security policy must be lever-aged to govern the level of access for BYOD devices CCNA Sec Page • • BYOD Solution Components... • Antivirus/antiphishing defenses CCNA Sec Page • Antivirus/antiphishing defenses • Document handling and destruction • Sensitive documents and media must be securely disposed of and not simply... • Adaptive Security Appliance (ASA) • Provides all the standard security functions for the BYOD solution at the Internet edge • Can provide IPS and VPN for end devices • Cloud Web Security (CWS)