Pages

Thursday, December 31, 2015

Security Interview Questions

Interview questions on Firewall
1. Which feature on a firewall can be used for mitigating IP spoofing attacks
Access control list can be used for the purpose.

2. What type of firewall can be used to block a web security threat
A web application firewall or a layer 7 firewall can be used for the purpose.

3. Which fields in a packet does a network layer firewall look into for making decisions?
IP and transport layer headers for information related to source and destination IP addresses, port numbers etc.

4. Which feature on a Cisco firewall can be used for protection against TCP Syn flood attacks
TCP intercept feature.

5. Which feature on a firewall can be used to block a specific URL or a website.
URL Filtering.

6. Which is the main field in an IP header, which is modified by a NAT firewall.
The source IP address in the IP header.

7. What type of firewall can be configured for providing user-based authentication to users on the LAN network.
Proxy firewall.

Network Security Interview questions
1. How can a brute force attack on a router be prevented
A limit for the maximum number of login attempts can be setup on the router. On exceeding the limit, the account can be locked. Logs can be setup on the router to observe the IP address from which the login attempts is generated and an access list set up to block the IP.

2. Name two radius servers which are used in network environment
IAS Server and FreeRadius.

3. A switch is configured to authenticate users with a radius server. Which port on the server would be used for radius authentication
UDP port 1812 would be used for the same.

4. A user needs to access a Windows PC, which is behind a NAT router in office. What method can be used to access the desktop of the PC from home
To access the desktop of a remote PC, windows remote desktop protocol can be used.Since the PC is behind a NAT router, port forwarding can be setup on the router to forward packets to the internal PC. The user at home would initiate remote desktop connection to the internet IP address of the NAT router, which would forward
the request to the internal PC.

5. A VPN server is to be deployed in an organization. The VPN server would be used by remote users for gaining access to the organization network. The organization has a NAT router, which is used by users inside the organization for internet sharing and has one public IP address. Can the VPN server use the same IP address, which can then be used by remote users?
The VPN server can be setup behind the NAT router and port forwarding configured to allow incoming traffic to the VPN server. The remote users would connect to the public IP address of the NAT router, which would then forward the request to the VPN server.

6. Which feature on a wireless access point can be used for blocking unauthorized access based on the mac-address
Mac-filtering feature on an access point can be used. The list of allowed mac-addresses can be configured using the feature.

7. Which field in a STP packet is manipulated in a STP BPDU attack?
The priority value in the STP header is crafted lower than the actual root bridge value, which would make the STP topology change, as lower priority value packet would be elected as the root bridge.

8. Which is a common feature used by stateless firewalls
Access control lists

9. What is TKIP and why is it used.
TKIP stands for temporal key integrity protocol. It is used by WPA, wifi protected access to provide encryption services on a wireless network.

IPSEC Interview questions
1. In which IPSEC Phase is the keys used for data encryption derived.


The keys are derived in IPSEC phase 2. The derived keys are used by IPSEC
 protocol ESP for encrypting the data.

2. How the IPSEC do protocols, ESP and AH provide replay protection.
ESP and AH include the sequence number fields in the respective headers. The
 values are used by the IPSEC peers to track duplicate packets. If a packet with an
 already received sequence number arrives, it would be rejected, thus providing 
replay protection.

3. In IPSEC, If ESP provides both encryption and authentication, why is AH 
required.
ESP does not provide authentication to the outer IP header, which AH does.

4. Explain two methods by which two IPSEC routers can authenticate with each other.
IPSEC routers can be authenticated using pre-shared keys or using digital 
certificates.

5. Which UDP ports should be open on a firewall to allow traffic from a L2TP/IPSEC based VPN clients to a PPTP VPN server on the inside
UDP port 500 for IKE traffic, UDP port 1701 for L2TP communication between client and server and UDP port 4500 for NAT-T communication.



6. Which IP protocol does AH and ESP headers use in IPSEC.
ESP and AH use IP protocol 50 and 51 respectively.

6. Which type of VPN would you use if data has to be encrypted at the network 
layer
IPSEC VPN encrypts data at the network layer whereas SSL encrypts data at the 
application layer.

Interview questions on network address translation
1. Name one instance where static NAT is used in a real-world deployment
It is used for mapping a public IP address for a Server with a private IP address.

2. Why does Active FTP not work with NAT in an Internet environment?
In Active FTP, the data connection is established to a port on the FTP client by the FTP server. The port number along with the IP address to which the server needs to initiate the connection is provided by the FTP client after the control connection is successful. When the client is behind the NAT router, the FTP server cannot initiate the connection to the provided IP address, as typically it would be a private IP address not routable on the internet.

3. How does NAT work in situations where transport layer protocols are not used. For ex: Ping
Ping does not use transport layer protocols. It uses ICMP at the network layer. NAT uses the sequence number field in the ICMP header to identify packets on which NAT is applied.

4. Two computers are behind a NAT router. The computers use the routers public IP address for sharing internet connection.If a user on the internet pings the public IP address of the router, which device would respond
The router would respond as it is configured for the public ip address.

5. How many times can NAT be applied to a packet before it reaches the destination
Any number of times.

6. Give a good reason as to why a NAT router is preferred over a Proxy for sharing internet connection
NAT works at the network layer. This means that irrespective of the application, all packets can be sent out on the internet. Proxy is application specific. So if a HTTP proxy is deployed, it can send out only HTTP based traffic on to the internet. Other traffic like ping, FTP etc would be blocked.

7. Does TCP checksum change after NAT is applied
TCP checksums are calculated based on a pseudo header which also includes source IP address of the IP header. Since the source IP header address is modified when NAT is applied, the checksum would be affected.

Security Testing Interview Questions and Answers
What is Security Testing?
Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended.
Security testing is the most important type of testing for any application. In this type of testing, tester plays an important role of an attacker and play around the system to find security-related bugs.

Q#1. What is Security Testing?

Ans. Security testing can be considered most important in all type of software testing. Its main objective is to find vulnerabilities in any software (web or networking) based application and protect their data from possible attacks or intruders.
As many applications contain confidential data and needs to be protected being leaked. Software testing needs to be done periodically on such applications to identify threats and to take immediate action on them.

Q#2. What is “Vulnerability”?

Ans. The Vulnerability can be defined as a weakness of any system through which intruders or bugs can attack on the system.
If security testing has not been performed rigorously on the system then chances of vulnerabilities get an increase. Time to time patches or fixes requires preventing a system from the vulnerabilities.

Q#3. What is the Intrusion Detection?

Ans. Intrusion detection is a system which helps in determining possible attacks and deal with it. Intrusion detection includes collecting information from many systems and sources, analysis of the information and find out the possible ways of attack on the system.
Intrusion detection check following:
    1.    Possible attacks
    2.    Any abnormal activity
    3.    Auditing the system data
    4.    Analysis of different collected data etc.

Q#4. What is “SQL injection”?

Ans. SQL Injection is one of the common attacking techniques used by hackers to get the critical data.
Hackers check for any loophole in the system through which they can pass SQL queries which bypassed the security checks and return back the critical data. This is known as SQL injection. It can allow hackers to steal the critical data or even crash a system.
SQL injections are very critical and need to be avoided. Periodic security testing can prevent these kinds of attacks. SQL database security needs to be defined correctly and input boxes and special characters should be handled properly.

Q#5. List the attributes of Security Testing? 

Ans. There are following seven attributes of Security Testing:
    1.    Authentication
    2.    Authorization
    3.    Confidentiality
    4.    Availability
    5.    Integrity
    6.    Non-repudiation
    7.    Resilience

Q#6. What is XSS or Cross Site Scripting?

Ans. XSS or cross-site scripting is a type of vulnerability that hackers used to attack web applications.
It allows hackers to inject HTML or JAVASCRIPT code into a web page which can steal the confidential information from the cookies and returns to the hackers. It is one of the most critical and common techniques which needs to be prevented.

Q#7. What is SSL connection and an SSL session?

Ans. SSL or secured socket layer connection is a transient peer-to-peer communications link where each connection is associated with one SSL Session.
SSL session can be defined as an association between client and server generally created by handshake protocol. There are set of parameters are defined and it may be shared by multiple SSL connections.

Q#8. What is “Penetration Testing”?

Ans. Penetration testing is on the security testing which helps in identifying vulnerabilities in a system. A penetration test is an attempt to evaluate the security of a system by manual or automated techniques and if any vulnerability found testers use that vulnerability to get deeper access to the system and found more vulnerabilities. The main purpose of this testing to prevent a system from any possible attacks.
Penetration testing can be done in two ways –White Box testing and Black box testing.
In white box testing, all the information is available with the testers whereas in black box testing testers don’t have any information and they test the system in real-world scenario to find out the vulnerabilities.

Q#9. Why “Penetration Testing” is important?

Ans. Penetration testing is important because-
    1.    Security breaches and loopholes in the systems can be very costly as threat of attack is always possible and hackers can steal the important data or even crash the system.
    2.    It is impossible
    3.    Penetration testing identifies and protects a system by above mentioned attacks and helps organizations to keep their data safe.
Q#10.  Name the two common techniques used to protect a password file?
Ans. Two common techniques to protect a password file are- hashed passwords and a salt value or password file access control.

Q#11. List the full names of abbreviations related to Software security?

Ans. Abbreviations related to software security are:
    1.    IPsec – Internet Protocol Security is a suite of protocols for securing Internet
    2.    OSI – Open Systems Interconnection
    3.    ISDN Integrated Services Digital Network
    4.    GOSIP- Government Open Systems Interconnection Profile
    5.    FTP – File Transfer Protocol
    6.    DBA – Dynamic Bandwidth Allocation
    7.    DDS – Digital Data System
    8.    DES – Data -Encryption Standard
    9.    CHAP – Challenge Handshake Authentication Protocol
    10.    BONDING – Bandwidth On Demand Interoperability Group
    11.    SSH – The Secure Shell
    12.    COPS Common Open Policy Service
    13.    ISAKMP – Internet Security Association and Key Management Protocol
    14.    USM – User-based Security Model
    15.    TLS – The Transport Layer Security

Q#12. What is ISO 17799?

Ans. ISO/IEC 17799 is originally published in UK and defines best practices for Information Security Management. It has guidelines for all organizations small or big for Information security.

Q#13. List down some factors that can cause vulnerabilities?

Ans. Factors causing vulnerabilities are:
    1.    Design flaws – If there are loopholes in the system that can allow hackers to attack the system easily.
    2.    Passwords – If passwords are known to hackers they can get the information very easily. Password policy should be followed rigorously to minimize the risk of password steal.
    3.    Complexity – Complex software can open the doors on vulnerabilities.
    4.    Human Error – Human error is a significant source of security vulnerabilities.
    5.    Management – Poor management of the data can lead to the vulnerabilities in the system.

Q#14. List the various methodologies in Security testing?

Ans. Methodologies in Security testing are:
    1.    White Box- All the information are provided to the testers.
    2.    Black Box- No information is provided to the testers and they can test the system in real-world scenario.
    3.    Grey Box- Partial information is with the testers and rest they have to test on their own.

Q#15. List down the seven main types of security testing as per Open Source Security Testing methodology manual?

Ans. The seven main types of security testing as per Open Source Security Testing methodology manual are:
    1.    Vulnerability Scanning: Automated software scans a system against known vulnerabilities.
    2.    Security Scanning :Manual or automated technique to identify network and system weaknesses.
    3.    Penetration testing: Penetration testing is on the security testing which helps in identifying vulnerabilities in a system.
    4.    Risk Assessment: It involves analysis of possible risk in the system. Risks are classified as Low, Medium and High.
    5.    Security Auditing :Complete inspection of systems and applications to detect vulnerabilities.
    6.    Ethical hacking :Hacking done on a system to detect flaws in it rather than personal benefits.
    7.    Posture Assessment :This combines Security scanning, Ethical Hacking and Risk Assessments to show an overall security posture of an organization.

Q#16. What is SOAP and WSDL?
Ans. SOAP or Simple Object Access Protocol  is a XML-based protocol through which applications exchange information over HTTP. XML requests are send by web services in SOAP format then a SOAP client sends a SOAP message to the server. The server responds back again with a SOAP message along with the requested service.

Q#17. List the parameters that define an SSL session connection?

Ans. The parameters that define an SSL session connection are:
    1.    Server and client random
    2.    Server write MACsecret
    3.    Client write MACsecret
    4.    Server write key
    5.    Client write key
    6.    Initialization vectors
    7.    Sequence numbers

Q#18. What is file enumeration?

Ans. This kind of attack uses the forceful browsing with the URL manipulation attack. Hackers can manipulate the parameters in URL string and can get the critical data which generally not open for public such as achieved data, old version or data which in under development.

Q#19. List the benefits that can be provided by an intrusion detection system?

Ans. There are three benefits of an intrusion detection system.
    1.    NIDS or Network Intrusion Detection
    2.    NNIDS or Network Node Intrusion detection system
    3.    HIDS or Host Intrusion Detection System

Q#20. What is HIDS?

Ans. HIDS or Host Intrusion Detection system is a system in which snapshot of the existing system is taken and compares with the previous snap shot. It checks if critical files were modified or deleted then a alert is generated and send to the administrator.

Q#21. List down the principal categories of SET participants?

Ans. Following are the participants:
    1.    Cardholder
    2.    Merchant
    3.    Issuer
    4.    Acquirer
    5.    Payment gateway
    6.    Certification authority

Q#22. Explain “URL manipulation”?

Ans. URL manipulation is a type of attack in which hackers manipulate the website URL to get the critical information. The information is passed in the parameters in the query string via HTTP GET method between client and server. Hackers can alter the information between these parameters and get the authentication on the servers and steal the critical data.
In order to avoid this kind of attacks security testing of URL manipulation should be done. Testers themselves can try to manipulate the URL and check for possible attacks and if found they can prevent these kinds of attacks.

Q#23. What are the three classes of intruders?

Ans. Following are the three classes of intruders:
    1.    Masquerader: It can be defined as an individual who is not authorized on the computer but hack the system’s access control and get the access of authenticated user’s account.
    2.    Misfeasor: In this case user is authenticated to use the system resources but he miss uses his access on the system.
    3.    Clandestine user It can be defined as an individual who hacks the control system of the system and bypasses the system security system.

Q#24. List the component used in SSL?

Ans. Secure Sockets Layer protocol or SSL is used to make secure connection between client and computers. Below are the component used in SSL:
    1.    SSL Recorded protocol
    2.    Handshake protocol
    3.    Change Cipher Spec
    4.    Encryption algorithms

Q#25. What is port scanning?

Ans. Ports are the point from where information goes in and out of any system. Scanning of the ports to find out any loop holes in the system are known as Port Scanning. There can be some weak points in the system to which hackers can attack and get the critical information. These points should be identified and prevented from any misuse.
Following are the types of port scans:
    1.    Strobe: Scanning of known services.
    2.    UDP: Scanning of open UDP ports
    3.    Vanilla: In this scanning the scanner attempts to connect to all 65,535 ports.
    4.    Sweep: The scanner connects to the same port on more than one machine.
    5.    Fragmented packets: The scanner sends packet fragments that get through simple packet filters in a firewall
    6.    Stealth scan: The scanner blocks the scanned computer from recording the port scan activities.
    7.    FTP bounce: The scanner goes through an FTP server in order to disguise the source of the scan.

Q#26. What is a Cookie?

Ans. Cookie is a piece of information received from web server and stored in a web browser which can be read anytime later. Cookie can contain password information, some auto-fill information and if any hackers get these details it can be dangerous. Learn here how to test website cookies.

Q#27. What are the types of Cookies?

Ans. Types of Cookies are:
    •    Session Cookies – These cookies are temporary and last in that session only.
    •    Persistent cookies – These cookies stored on the hard disk drive and last till its expiry or manually removal of it.

Q#28. What is a honeypot?

Ans. Honeypot is fake computer system which behaves like a real system and attracts hackers to attack on it. Honeypot is used to find out loop holes in the system and to provide solution for these kinds of attacks.

Q#29. List the parameters that define an SSL session state?

Ans. The parameters that define an SSL session state are:
    1.    Session identifier
    2.    Peer certificate
    3.    Compression method
    4.    Cipher spec
    5.    Master secret
    6.    Is resumable

Q#30. Describe Network Intrusion Detection system?

Ans. Network Intrusion Detection system generally known as NIDS. It is used for analysis of the passing traffic on the entire sub-net and to match with the known attacks. If any loop hole identified then administrator receives an alert.


https://intellipaat.com/blog/interview-question/cyber-security-interview-questions/





Tuesday, December 22, 2015

Trunking troubleshooting commands

conf t

default int range fa 0/1-5
int range fa 0/1-5
shutdown
exit

! SW1-auto, SW2-auto
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic auto
no shutdown

do show int trunk

do show int fa 0/2 switchport | ex private|Unknown

shutdown
exit

! SW1-desirable, SW2-auto
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic desirable
no shutdown

do show int trunk

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

do show int fa 0/2 switchport | ex private|Unknown

shutdown
exit

! SW1-auto, SW2-ON
int fa0/4
switchport trunk encap dot1q
switchport mode dynamic auto
no shutdown

do show int trunk

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

do show int fa 0/4 switchport | ex private|Unknown

! Chaning native VLAN on 1 side:
switchport trunk native vlan 20

do show int trunk

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2 repeat 2

shutdown
exit
default int fa 0/4

! SW1 On/Nonegotiate, SW2-On
int fa 0/4
switchport trun encap dot1q
switchport mode trunk
switchport nonegotiate
no shutdown

do show int trunk

do show int fa 0/4 switchport | ex private|Unknown

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

shutdown
exit

! SW1-On/Nonegotiate, SW2-dynamic desirable
int fa 0/3
switchport trun encap dot1q
switchport mode trunk
switchport nonegotiate
no shut

do show int trunk

do show int fa 0/3 switchport | ex private|Unknown

shutdown
exit

! Flipside:

! SW1-dynamic des, SW2-On/Nonegotiate
int fa 0/5
switchport trun encap dot1q
switchport mode dynamic desirable
no shutdown

do show int trunk

do show int fa 0/5 switchport | ex private|Unknown

shutdown
exit

! SW1-On/Nonegotiate, SW2-On/Nonegotiate
int fa 0/5
switchport trun encap dot1q
switchport mode trunk
switchport nonegotiate
no shut

do show int trunk

do show int fa 0/5 switchport | ex private|Unknown

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

shutdown
exit






























IPv6 Security


Difference in Ipv4 and Ipv6 ACL
In IPv4 for access-list, we have implicit deny at the end

In Ipv6 ACL, there is implicit permit for 2 messages
Neighbor solicitation
Neighbor Advertisement
After that, we have implied deny for everything

To explicitly allow NS and NA in case if any router doesn’t support implicit permit
ipv6 access-list FILTERv6
permit icmp any any nd-na
permit icmp any any nd-ns
ipv6 deny any any

Monday, December 21, 2015

CPP commands IOS

A control plane policy, in the context of networking and security, refers to a set of rules and configurations that dictate how network devices handle control plane traffic. The control plane is responsible for managing and controlling the operation of network devices, including tasks such as routing, switching, and protocol operations.

Control plane policies are designed to ensure the security, availability, and reliability of the control plane by controlling access to management interfaces, filtering incoming control plane traffic, and prioritizing critical control plane functions. These policies help protect network devices from various threats, such as denial-of-service (DoS) attacks, unauthorized access, and protocol vulnerabilities.

Key components of control plane policies may include:

1. **Access Control Lists (ACLs)**: ACLs are used to filter control plane traffic based on source/destination IP addresses, protocols, ports, and other criteria. They help restrict access to management interfaces and control plane protocols to authorized users and devices.

2. **Rate Limiting and Traffic Policing**: Rate limiting and traffic policing mechanisms can be used to control the rate of incoming control plane traffic and prevent overload or disruption of critical control plane functions. They help mitigate the impact of DoS attacks and prevent resource exhaustion.

3. **Control Plane Protection (CoPP)**: Control Plane Protection (CoPP) is a feature available on some network devices that allows administrators to define policies to protect the control plane from excessive or malicious traffic. CoPP can prioritize critical control plane traffic and drop or rate-limit non-essential traffic.

4. **Management Plane Security**: Management plane security measures protect management interfaces and protocols used for device configuration, monitoring, and maintenance. This includes features such as authentication, encryption, role-based access control (RBAC), and secure management protocols (e.g., SSH, HTTPS).

5. **Protocol Hardening**: Protocol hardening involves configuring control plane protocols to enhance their security and resilience to attacks. This may include disabling unnecessary services, enabling authentication and encryption, and applying security best practices recommended by vendors and industry standards.

Overall, control plane policies are essential for maintaining the security and stability of network infrastructure by protecting the control plane from unauthorized access, malicious activity, and performance degradation. They help ensure that critical network functions continue to operate smoothly and securely, even in the face of potential threats and attacks.

configure terminal
access-list 100 permit icmp any any

! Create class map which calls
! on the ACL
class-map ICMP
match access-group 100
exit

! Create policy map which calls
! on the class map
policy-map ICMP-POLICY
class ICMP

! Tell the policy map that if
! ICMP traffic is seen, that this
! traffic should be rate limited
! down to 8Kbps, and anything over
! that should be dropped
police 8000 conform-action transmit exceed-action drop
exit
exit

! Apply the policy with to the
! logical "control-plane" with
! a service-policy command
! We need to go into control-plane
! configuration:

control-plane

! Apply the service policy, so that
! when any ICMP traffic is being
! sent TO the router (regardless
! of physical interface) it will
! be policed (rate limited).
service-policy input ICMP-POLICY
end

! To verify it is in place:
show policy-map control-plane

IOS Zone Based Firewall



So far we have two different methods to do firewall
ACL and Proxy

The third option is stateful filtering, also called as remembering. Remember session ie source ip dest ip, source port, dest port, tcp flag. All these are stored on tcp session table.  If returned traffic matches the session table then traffic is dynamically allowed.

Earlier we had :

1. Reflexive ACLs
config t

! Create an ACL that we will apply
! outbound on Fa 4/0.
! The "reflect REMEMBER" will create
! a reflexive ACL entry called "REMEMBER"
! that we can apply on a second ACL inbound.

ip access-list extended GOING-OUT
permit tcp any any reflect REMEMBER
permit udp any any reflect REMEMBER
permit icmp any any reflect REMEMBER
deny ip any any log
exit

interface fa 4/0
ip access-group GOING-OUT out

do show access-list

ip access-list extended COMING-IN
evaluate REMEMBER
deny ip any any log
exit

int fa 4/0
ip access-group COMING-IN in
exit

do show access-list

2. Context-Based Access Control
Deny everything coming in and inspect traffic when it goes out. inspect traffic out so that returned traffic is dynamically allowed. 

conf t

! Deny any initial inbound traffic

ip access-list extended DENY
deny ip any any log

int fa 4/0
ip access-group DENY in
exit

! Create a Context-Based Access Control
! (CBAC) inspection rule to remember
! TCP, UDP and ICMP
ip inspect name REMEMBER TCP
ip inspect name REMEMBER UDP
ip inspect name REMEMBER ICMP

! Apply the inspection rule outbound
! on Fa 4/0

int fa 4/0
ip inspect REMEMBER out
exit

do show ip inspect interfaces

show ip inspect sessions

3. ZBF
Identify zones (add interfaces)
Identify traffic (class maps) ie traffic on particular subnet
Identify the action (policy maps) ie inspect, allow/pass, drop
Identify the zones involved (zone pair) ie IN-TO-OUT
Specify the policy to use on the zone pair(service-policy); policy-map match to a zone pair.
































IPv6 and Security

R1#
! Prep work:
conf t
default int fa 1/0
default int fa 1/1
int fa 1/0
 mac-address cc1e.6783.1111
 no ip address
 duplex auto
 speed auto
 no keepalive
int fa 1/1
 mac-address cc1e.6783.1111
 no ip address
 duplex auto
 speed auto
 no keepalive
exit
no ipv6 router ospf 1
end
-----------------------------------------
configure terminal

! Enable IPv6 routing.  It is off by default
ipv6 unicast-routing
do show ipv6 int brief

!  Configure an IPv6 address on the interface
interface FastEthernet1/0
 ipv6 address 2001:0DB8:0000:000B:0000:0000:0000:0001/64
exit
do show ipv6 int brief

!  Configure the other interface on R1
interface FastEthernet1/1
ipv6 address 2001:DB8:0:A::1/64

!  Configure a routing protocol on R1
!  Note: no more "network" statements.

!  OSPFv3 requires a 32-bit router-id 
! If we have any IPv4 addresses, it will use that
! If no IPv4 addresses, we must set the router-id

ipv6 router ospf 1
router-id 1.1.1.1
exit

! To enable OSPFv3 on the interfaces, we need to
! go to each interface to tell them to participate in
! OSPFv3, in the correct process #
interface FastEthernet1/0
ipv6 ospf 1 area 0
exit

interface FastEthernet1/1
ipv6 ospf 1 area 0
exit

configure terminal
ipv6 access-list NO_TELNET
deny tcp 2001:db8:0:a::/64 any eq 23
permit any any

! Apply the ACL to the interface, inbound
int fa 1/1
ipv6 traffic-filter NO_TELNET in

! Verify the ACL
do show access-lists

Additional tools and commands on IOS

enable

configure terminal
enable secret cisco
aaa new-model
exit
disable

! Enter the "Root" parser View
! Use the enable secret to enter
enable view
cisco

! Verify that we are in the root view
show parser view

! From the root view, enter configuration mode
configure terminal

! Create a new View, named "help-desk"
parser view help-desk

! Set the secret for this view"
secret cisco-hd

! Lock down what can be done while
! in this help-desk view
commands exec include all show ip
commands exec include show version
commands exec include show
commands exec include logout

! Optionally, create a user, and lock him
! into this new help-desk view.  
! Even though he has privilege level 15
! the user will only be able to perform! tasks allowed by the view
username bob view help-desk privilege 15 secret cisco-bob

! Train the router to use the local database 
! (the running-config) for authentication and
! authorization on the VTY lines by creating 2 custom
! method lists, and applying those methods to the VTY lines
aaa authentication login VTY-Authen local
aaa authorization exec VTY-Author local

! Applying the custom method lists to the
! VTy lines
line vty 0 4
login authentication VTY-Authen
authorization exec VTY-Author
end

Control plane host with ssh
conf t

! Domain name required for RSA key creation
ip domain-name CBTNuggets.com

! Create the keys for SSH (Use minimum of 1024)
crypto key generate rsa modulus 1024

! One way of kicking out TELNET
line vty 0 4
transport input ssh
exit

! Another way of locking down
! management specific management
! protocols to specific ports
! Best to use Out of Band (OOB) management
! when possible
! Enter the logical control-plane interface
control-plane host

! Tell the router to only allow specific
! protocols on specific ports
management-interface fa2/0 allow ssh http https
end

Prep for CCP
configure terminal
ip http server
ip http secure-server
ip http authentication local
username admin privilege 15 secret cisco
end

config terminal
secure boot-image

secure boot-config

do show secure bootset


Data Plane Security

How data plane security can be achieved?

Data plane security refers to measures taken to protect the actual data traffic flowing through a network from various threats and attacks. Here are some strategies and technologies commonly used to achieve data plane security: 1. **Access Control Lists (ACLs)**: ACLs are used to control traffic flow by defining rules that permit or deny packets based on criteria such as source/destination IP addresses, port numbers, and protocols. ACLs can be implemented on routers, switches, and firewalls to enforce security policies and restrict unauthorized access to network resources. 2. **Firewalls**: Firewalls are network security devices that monitor and control incoming and outgoing traffic based on predetermined security rules. They can be deployed at network boundaries, such as between internal and external networks, to inspect and filter traffic, block malicious connections, and prevent unauthorized access. 3. **Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)**: IDS and IPS solutions monitor network traffic for suspicious patterns or behavior indicative of security threats, such as intrusion attempts, malware infections, or denial-of-service attacks. IDS alerts administrators to potential threats, while IPS can actively block or mitigate attacks in real-time. 4. **Data Encryption**: Encrypting data traffic helps protect sensitive information from eavesdropping and unauthorized access. Technologies such as IPsec (Internet Protocol Security), SSL/TLS (Secure Sockets Layer/Transport Layer Security), and VPNs (Virtual Private Networks) encrypt data packets as they traverse the network, ensuring confidentiality and integrity. 5. **Virtual LANs (VLANs)**: VLANs are used to logically segment a network into separate broadcast domains, isolating traffic between different VLANs. By restricting communication between VLANs and implementing proper access controls, VLANs help contain security breaches and limit the impact of attacks. 6. **Network Segmentation**: Dividing a network into smaller, isolated segments or zones helps contain security threats and prevent lateral movement by attackers. Segmentation separates critical systems and sensitive data from less secure areas, reducing the attack surface and minimizing the potential impact of security incidents. 7. **Flow-based Traffic Analysis**: Flow-based analysis tools monitor network traffic patterns and behavior to detect anomalies, identify suspicious activities, and uncover potential security threats. By analyzing the flow of data packets, these tools can detect unauthorized access attempts, data exfiltration, and other malicious activities. 8. **Hardening Network Devices**: Ensuring that network devices, such as routers, switches, and firewalls, are securely configured and regularly updated with the latest security patches and firmware helps minimize vulnerabilities and protect against exploitation by attackers. By implementing these measures and adopting a defense-in-depth approach, organizations can enhance data plane security and mitigate the risks posed by various threats and attacks targeting network traffic.


configure terminal
ip dhcp snooping vlan 3
ip dhcp snooping

! Trust the port where the DHCP
! server lives
int g 0/24
ip dhcp snooping trust
exit
do show ip dhcp snooping binding

conf t
int g 0/7
switchport mode access

! Up to 5 MAC addresses at same time
switchport port-security maximum 5

! Shutdown the port if over limit
! of source MAC addresses (this is the default)
switchport port-security violation shutdown

! Turn on the feature (forgotten by many)
switchport port-security

! Verify settings
do show port-security

! Save the admins time, by having
! the port automatically return from
! "err-diable" state
errdisable recovery cause psecure-violation

! How long before port is restored
errdisable recovery interval 60

configure terminal
interface g0/5
switchport mode access
switchport access vlan 3
switchport nonegotiate

conf t
spanning-tree portfast default
spanning-tree portfast bpduguard default

int g0/5
spanning-tree portfast
spanning-tree bpduguard enable

errdisable recovery cause bpduguard

do show spanning-tree summary











































AAA(Authentication, Authorization and Accounting) Config

Terms:
Remote Authentication Dial In User Service
Terminal Access Controller Access Control System

Commands:
enable

Configure terminal

! Create a local admin for safety
! Note: for all production passwords! follow best practices for length
! and complexity
username admin privilege 15 secret cisco
username bob privilege 1 secret cisco

! Configure the privilege 15 secret
enable secret cisco

! Enable AAA
aaa new-model

! Specify where the AAA server is,
! and which protocol to use (TACACS+ in this case)
tacacs-server host 192.168.1.252

! Specify the Key to use for encryption
! between the client (this router) and the AAA
! TACACS+ server
tacacs-server key cisco123

! Create a default method list and specify that
! we want to try one of the AAA servers as our
! first method in the list, and then if that times
! out, we want to use the local database, and if the
! user isn't in the local database, require the
! enable secret for access
aaa authentication login default group tacacs+ local

! Create a custom method list, that if used,
! will have no authentication required at all
! (Just in the lab)
aaa authentication login FREE-BIRD none

! Lets apply the FREE-BIRD method list to the
! Console (to make it easy on me ;)
line console 0
login authentication FREE-BIRD

! (This method list applies only
! to the console 0).  The default will apply
! to the other Lines, such as VTY and AUX.
! Lets set up a couple authorization method lists
! We will use custom lists (not a default one)
! because we don't want this to apply everywhere
! (just on our VTY lines for this demo)
exit

aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local

! This next command is required for the IOS
! to check for authorization for commands
! issued within configuration mode
aaa authorization config-commands

! Lets create some accounting method lists as well
aaa accounting commands 1 TAC-act1 start-stop group tacacs+
aaa accounting commands 15 TAC-act15 start-stop group tacacs+

! Lets apply the authorization and accounting custom
! method lists just to the VTY lines
! Note: default login authentication method list
! already applies to these VTY lines
line vty 0 4
authorization commands 1 TAC1
authorization commands 15 TAC15
accounting commands 1 TAC-act1
accounting commands 15 TAC-act15

Simple test:

enable

conf t
enable secret cisco
aaa new-model
aaa authentication login default enable
do debug aaa authentication
do telnet 10.1.0.1


ASA CLI L3-4



enable
conf t

show run int m0/0

## Configure interfaces
int m 0/0
no shutdown
nameif management
security-level 100
ip address 192.168.1.100 255.255.255.0
exit

int Gig 0/0
no shutdown
nameif outside
security-level 0
ip address 10.123.0.100 255.255.255.0
exit

int Gig 0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.0.100 255.255.255.0
exit

int Gig 0/2
no shutdown
nameif dmz
security-level 50
ip address 172.16.5.100 255.255.255.0
exit

## To manage ASA from GUI
http server enable
http 192.168.1.0 255.255.255.0 management

## verify the config
show int ip brief

##create a default route pointing to R2
route outside 0.0.0.0 0.0.0.0 10.123.0.1 1 : 1 is AD here. Lower AD is preferred.

##Configure SNMP v3
snmp-server location CBT Nuggets Lab
snmp-server contact Keith Barker
snmp-server group G1 v3 priv
snmp-server user U1 G1 v3 auth sha a-pass priv aes 128 e-pass
snmp-server host management 192.168.1.23 version 3 U1 # who are going to send snmp message to .23
snmp cpu threshold rising 80 1  ## generate traps if CPU rising above 80 %
snmp-server enable traps cpu threshold rising

## Verify
show snmp user
show snmp group

##By default logging is disabled on ASA.

show logging
logging enable
logging host management 192.168.1.23 ## send syslog messages to .23
logging trap 5
logging console 4
logging buffered 6
clear logging buffer
exit
conf t
show log

## to remove particular log message
no logging message 111005

## to change syslog messsage
logging message 111007 level Informational: Informational is level 6
exit
conf t

## Verify
show logging | include 111007

## to clear buffer
clear logging buffer

exit
conf t

### To send some particular syslog messages to email
logging list Our-Event-List message 101001-101003
logging list Our-Event-List level Informational ## send only those messages are Informational or below

smtp-server 192.168.1.23
logging from-address ASA@Here.net
logging recipient-address Keith@there.com level Informational ## send messages to this email address
logging mail Our-Event-List ## only syslog messages for this list should be sent

##Set up a time Zone
clock timezone PST -8 0
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60

## Ping NTP server
ping 66.187.233.4

## setup ntp
ntp server 66.187.233.4 source outside

##verify
show ntp associations
show ntp status

## set up net flow
flow-export destination management 192.168.1.23 9996 ## send netwflow record out mgmt interface to .23 on port 9996

##configure MPF
class-map global-class
match any ## match on any traffic
exit

policy-map global_policy
class global-class
flow-export event-type all destination 192.168.1.23  ### any traffic that matches the global class, export the flow to .23 which is running NetFlow collector
exit
exit

## Configure NAT for DMZ server
object network Srv-1
host 172.16.5.5
nat static 10.123.0.5 net-to-net

## if we want to configure multiple hosts, we can create object-groups
object network Srv-2
host 172.16.5.6
object network Srv-3
host 172.16.5.7
object-group network DMZ-Servers
network-object object Srv-1
network-object object Srv-2
network-object object Srv-3

## To create service object group
object-group service WEB-Services
service-object tcp destination eq http
service-object tcp destination eq https
exit

## if traffic is destined to HTTP and https ports that are running on DMZ-servers permit
access-list outside_access_in permit object-group WEB-Services any object-group DMZ-Servers
access-group outside_access_in in interface outside


Sunday, December 20, 2015

ASA(Adaptive Security Appliance) and ASDM(Adaptive Security Device Manager) Essentials



Basic Checks:
Versions and image, certificates like self-signed which is temporary, Access allowed like SSH, user auth etc.

Certificates Options:
Temporary Self-signed
Permanent Self-signed
Permanent from CA

Configuring :
Security Levels and Other Interfaces
NAT and DHCP Services

Verification
To check Licensing on ASDM
Config -> Device Management -> Licensing -> Activation Key

To check boot image :
Config -> Device Management -> System Image -> Boot Image

To check management access :
Config -> Device Management -> Management Access -> ASDM/https/telnet/ssh

To allow http and ssh on inside interface
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside

Lets create some users under LOCAL on ASA
Config -> device mgmt -> Users/AAA -> user accounts

CLI :
username admin password XXXXXXX encrypted privilege 15

Now for http and ssh access use LOCAL database
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL

Certificate Options:
Config -> device mgmt -> certificate mgmt -> Identity cert

We can have inside host as dhcp server so that it can assign ip address to outside clients.
We can also configure NAT. Anybody coming from 10.0.0.0 network and going to internet from outside interface translates the source ip address

The router is doing some basic NAT as well for the 192.168.1.0/24 address space.

To verify routing :
Monitoring -> Routing -> Routes

To configure NAT:
Config -> Firewall -> NAT

nat (inside, outside) 1 source dynamic any interface
#nat from inside to outside coming from any ip, pat on outside interface.

Configure DHCP server:
config -> device mgmt -> dhcp-> dhcpserver

dhcpd address 10.0.0.51-10.0.0.60 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside















MPF(Modular Policy Framework)

Modular Policy Framework

CPS:
Class-map: Identify traffic
Policy-map: Specify Action for that traffic
Service Policy: Where on ASA you want to apply it. Also, we have option for Global-policy

CLI for implementing Application Inspection L3/L4 :

Example :
Let's allow host to dynamically connect to ftp server and inspect ftp

#create access-list
access-list dmz_mpc permit tcp any any eq ftp

#Identity the traffic
class-map FTP-Class-MAp
    match access-list dmz_mpc

#Take action on that traffic
policy-map FTP-Policy-MAP
    class FTP-Class-MAP
    inspect ftp
This will inspect the control channel between host and ftp server

#where to apply
service-policy FTP-Policy-MAP interface dmz

To verify lets transfer some files using ftp
On ASA
show conn

To check MPF config on ASDM:

Config -> Firewall -> service policy rules

show run class-map
by default, there will be default-inspection-traffic

default-inspection-traffic is a pre-defined list of ports, services, and application that Cisco is looking for by default.

show run policy-map
display default policies

we can delete default policy

show run service-policy
we can also apply service-policy globally

CLI for implementing QOS :

priority-queue inside

class-map VOIP
    match dscp 46 : dscp bits 46 is EF

class-map TELNET
    match port tcp eq telnet

policy-map inside-policy
    CLASS VOIP
       priority
    Class TELNET
        police output 8000 1500 confirm-action transmit exceed-action drop

service-policy inside-policy interface inside

Note: prioritize of traffic is always outbound. Policing can be inbound or outbound.

CLI for implementing for connection settings
class-map TCP-sessions
    match port tcp range 1 65000

policy-map Conn-Limits
    class TCP-sessions
        set connection conn-max 500 embryonic-conn-max 50
        set connection timeout embryonic 0:05:00 half-closed 0:10:00

service-policy Conn-Limits interface outside

Note: Unlike CLI, on ASDM first we configure service rule then class and finally policy map

Config -> Firewall -> service policy rules -> Add

Note: inspection can be inbound or outbound, QOS, prioritize always outbound and policing can be inbound or outbound

TCP and UDP are by default therein Inspection list but icmp is not.






NAT on ASA


In 8.2 and older, if we forgot to configure NAT, ASA will send traffic if there is no nat-control configured. Without NAT if we are trying to connect to internet from private address the ISP will kill the packet. The second reason to use NAT is we utilize the existing ipv4 address efficiently.
So to use NAT we have to use command nat-control along with NAT rule.

In version 8.2 and older, the NAT used to work like if-then statement

Dynamic NAT :
nat(inside) 1 10.0.0.0 0 255.255.255.0
#If traffic coming on inside interface and if it is sourced from network 10.0.0.0 then it is part of NAT 1.
global (outside) 1 192.168.1.51-192.168.1.100 : what the address should be translated into
global (outside) 1 192.168.1.101 : global PAT
global (dmz) 1 interface

NAT 0:
In case If we don’t want to use NAT then we should use NAT 0 command
access-list NONAT permit ip (source net to dest net)
nat (inside) 0 access-list NONAT

NAT 0 means do not translate


Static NAT :
static (dmz,outside) 192.168.1.175 172.16.0.5
static (dmz,inside) 172.16.0.5 172.16.0.5 : Identity NAT where it maps its ip address to own ip address. It’s one to one translation

In version 8.3 and above :
Newer NAT is called object NAT or Auto NAT


Network “objects” are like an alias. When we refer to the object, the ASA knows what we are referring to.

No stoppage of traffic if there is no rule but to function, we need NAT rule. Traffic initiated from private network to internet without NAT rule will be dropped.

ASDM :
Config -> firewall -> NAT Rules -> Add

Manual NAT :

object network inside_10
      subnet 10.0.0.0 255.255.255.0
object network outside-pool
      subnet 192.168.1.51 192.168.1.100
 object network inside_10
      nat dynamic outside-pool

For object network inside_10, i want to do dynamic nat to translate address to outside pool address

This nat rule holds good if we want to go from inside to outside and dmz network. we can also create Auto NAT tied to the interface if we want to go either from inside to outside or from inside to dmz.

show nat
show xlate

The three sections of NAT
1. Manual NAT (very granular)
2. Auto NAT/object NAT
3. Manual NAT (again, after “auto NAT”)

Check for Manual NAT if not there in config check for auto if not there check for 3rd rule and if no rule is configured no NAT is applied.

Auto NAT: more specific to the interface, here we specify the interface and whether we want NAT from inside to outside or from inside to dmz.
we can configure multiple Auto NAT in section 2

object network inside_10
  nat (inside, any) dynamic outside-pool
In manual NAT we didn’t have (any or inside) interface configured which means any any.

show xlate

We can remove the xlate
clear xlate

Manual NAT after Auto:To configure any NAT we need.
Say we want to create a rule when same PC is going to network host 192.168.1.253 (R2) , let's do NAT to .101 . In previous case, we were using pool from .51-100. To do this we will create a manual rule and we want to hit it before object rule.

show nat
currently (section 2) is auto NAT portion

object network Raj-global-101_address
    host 192.168.1.101
object network R2_real_addres
        host 192.168.1.253
object network Raj_local_ip
         host 10.0.0.51
nat (inside, outside) 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_adress R2_real_adress

show nat
Now in above config Manual NAT policies is part of (section 1)
and auto NAT policies (section 2)

telnet 192.168.1.253
R2#who

translated ip is shown: 192.169.1.101

We can also put Manual NAT after auto NAT

no nat 1
nat (inside, outside) after-auto 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_adress R2_real_adress

show nat
Now we have section 2 and 3 since we purposefully placed Manual NAT after auto NAT
auto NAT policies (section 2)
Manual NAT Policies (section 3)

Now Auto NAT policy should be hit first.

clear xlate

telnet 192.168.1.253
R2#who
ip address shown is 192.168.1.80 : auto NAt is used

show xlate
10.0.0.51 is mapped to 192.168.1.80

To remove Manaul rule after auto NAt
no nat after-auto 1

So we can mix and match as we want it.

Case Study:
what happens when two company merge together. Say our existing client belongs to company A and new company B has internal network 10.0.0.0/24 too. Both companies have 10 networks. What to do with over-lapping ip address?

Solution: Bi-directional NAT/ Twice NAT. This is basically Manual NAT
we need to lie on both sides. Company A thinks B is in 10.2 and Company B thinks A is in 10.1
To achieve this we use source NAT and destination NAT

Example :
object-network bogus
    host 192.168.1.205
object network Raj-new-global
    host 192.168.1.102
nat (inside, outside) 2 source static Raj_local_ip Raj-new-global destination static bogus R2_real_address

If i go to that bogus address, it should translate me to new global address

show nat
section 1 Manual
section 2 Auto

A packet from 10.0.0.51 going to 192.168.1.205 should result in :

source nat changing source address to 192.168.1.102
destination nat changing destination address in the packets to 192.168.1.253

telnet 192.168.1.205
R2# show users
ip address seen 192.168.1.102

Final piece :
Let's do nat for dmz server
object network dmz-server-real
    host 172.16.0.5
object network dmz_global
    host 192.168.1.176
object network dmz-server-real
   nate(dmz, any) static dmz_global

Open browser to 192.168.1.176
http://192.168.1.176

show xlate
show nat









































Saturday, December 19, 2015

ACL on ASA



ACL (Access Control List)

Note: Traffic between two interfaces, that have same security level is NOT allowed by default.

ACLs can be placed inbound on an interface to allow initial traffic through the ASA(from lower security level to higher security level)

We can have inbound ACL’s on any interfaces. This will over-write the default initial traffic flow that goes through ASA.

There is implicit deny at the end as we used to have on the router.

Types of ACLs

1. Standard
filter based on source ip address. Not much used.

2. Extended
This can match anything in L3 and L4. Basically source and destination ip address. Always applied to inbound on the interface.

3. Global ACL: present on 8.3 and above

Any traffic going out of our network is outbound and any traffic coming to our network in inbound.

Inbound: lower to higher security level
Outbound: higher to lower security level

ACL can be applied to the inbound or outbound interface of ASA but we rarely apply it to outbound.

ASDM :

Config -> Firewall -> Access Rules -> Add

Let's create ACL to permit http traffic from any user on internet to dmz server
Access-list inbound on outside interface
access-list ACL1 permit tcp any object object dmx-server-real-ip eq http
access-group ACL1 in interface outside

Here if we don’t mention keyword extended it will by default assume extended. we can also mention time-range so that ACL will be effective during that period.

time-range During-the-week
 period weekdays 08:00 to 16:50
access-list outside_access_in line 1 extended permit tcp any object dmz-server-real-ip eq http time-range During-the-week
access-group outside_access_in in interface outside

Here line 1 is just the sequence no means this is first entry in ACL . We need not to mention this if we have a single entry.

CLI :
show time-range
show clock

Case : Say we have 3 servers on inside network and for all servers we want to allow TCP 80, 443, 25 . To accomplish this we need to have 9 entries/ lines on ACL. This is pain.

Solution :
Use object groups . One line of access-list will replace 9 lines this way.

We can identify all these servers on network object groups.

 object-group network 3-musketeers
     network-object object server2-on-dmz
     network-object object server3-on-dmz
     network-object object dmz-server-real-ip

object-group service 3-services tcp
    port-object eq http
    port-object eq https
    port-object eq smtp

access-list outside-access_in line 1 extended permit tcp any object-group 3-musketeers object-group 3-services

show access-list
show run | in access

Let’s create NAT rule for two other servers.

object network outside-server2
    host 192.168.1.177
object network server2-on-dmz
    nat static outside-server2

Try to connect to 192.168.1.177 through browser

show conn
show conn detail

Public server: Creates NAT and access-list for a device.

we can do access-list and NAT translation with one option called public server

ASDM :Config -> Firewall -> Public Servers - > Add

object network dmz-server-real-ip
    nat(dmz,outside) static dmz-server-mapped-ip
access-list outside_access line 1 extended permit tcp any object dmz-server-real-ip eq http
access-group outside-access in interface outside.

In ASA we use a normal mask instead of wildcard mask while configuring ACL.

Global ACL :It is an ACL that can hover over entire ASA. Can be applied logically inbound on all the interfaces.

By default, if there are no match on ACL list, there is implicit deny which will deny everything. If we configure global ACL the implicit deny does not have an effect.

So here is rule
1. Interface ACL
2. If no match go to global ACL
3. If no match then implicit Deny

If global ACL is not configured, it is just like normal ACL.

Global ACL is for simplicity purpose.

access-list global_access line 1 extended permit tcp any object dmz-server-real-ip eq http
access-group global_access global

implict deny at the end of ACL is no longer valid.

Packet Tracer :
To identify the initial flow of traffic. Verification of initial flow of packet.

ASDM :
Tools-> Packet Tracer
show animation

CLI :
packet-tracer input inside tcp 10.0.0.51 1065 192.168.1.176 80






























Friday, December 18, 2015

Routing Options on ASA


Giving the ASA the information it needs to take a decision on incoming packets. Train ASA how to reach L3 network.

To check routes on ASA
show route
On IOS router this command is show ip route

On ASDM :
Config -> Device Setup -> Routing -> Add

CLI :
static route
route outside 0.0.0.0 0.0.0.0 192.168.1.1 3
3 is “Distance metric” here

Static route for inside interface to reach 10.0.1.0 network
route inside 10.0.1.0 255.255.255.0 10.0.0.11 2

show route

ping 10.0.0.1

If we have 100’s of a network, we don’t want to add them manually. In that case, we will be using dynamic routing protocols.

Supported Routing Protocols
RIP v1 v2
OSPF
EIGRP

Let's configure ospf
    router ospf 1
    area 1
    network 172.16.0.0 255.255.255.0 area 1
    network 192.168.1.0 255.255.255.0 area 1
    network 10.0.0.0 255.255.255.0 area 1

show ospf neighbour
show route

to remove ospf :
no router ospf 1

RIP Config:
router rip
   no auto-summary
   version 2
   network 10.0.0.0
   network 172.16.0.0
   network 192.168.1.0

show route

To remove RIP
no router rip

EIGRP Config:
router eigrp 1
   network 172.16.0.0 255.255.255.0
   network 192.168.1.0 255.255.255.0
   network 10.0.0.0 255.255.255.0

Note : network 0.0.0.0 0.0.0.0  : This means everything in eigrp

show route

Multicast :
CLI to enable multicast routing capabilities

multicast-routing

Now we can use protocol PIM (protocol independent multicast).
It supports
1. STUB multicast routing also is known as SMR. This is used on edge of multicast network.
2. PIM SPARSE mode: it will not forward traffic until it has good reason to do so. Only forward traffic to multicast group or client whoever request that.

It also supports PIM on bidirectional functionality

ASA doesn’t support Dense mode.







ASA VLAN, Port Channel and Redundant Interfaces

VLAN Port channel and redundant interfaces

Interfaces Options
VLAN Int
EtherChannel
Redundant

How to create multiple interfaces on ASA?
create logical layer 3 interfaces. Switch port connected to ASA should be configured as a trunk port and ASA port need to support 802.1q tag and create multiple sub-interfaces on ASA. This is exactly same like a router on the stick config.

Let's configure ASA1 with three logical subinterfaces.

Config -> Device setup -> interfaces -> Add -> Interface
Once we create sub-interfaces ASA automatically knows that we are going to use 802.1q mechanism.

CLI :

interface g1.10
vlan 10
no shut
nameif inside_10
security-level 100
ip address 10.0.10.1 255.255.255.0

Similarly, we can create sub-interfaces for vlan 20 and 30.

Note: The 5505 uses “interface vlan x” commands to create new logical interfaces. All the rest of 5500 family uses sub-interfaces, as shown above.

To enable traffic between same security-level interfaces
same-security-traffic permit inter-interface

EtherChannel :
To increase throughput. Implement between the switches. To configure etherchannel we can either use PagP cisco propriety or standard LACP as communicating protocol between switches.

Link Aggregation Control protocol (LACP) uses 3 options for negotiating the etherchannel :
Active
Passive
ON (static)


Besides these protocols, we have two types of EtherChannel
L2 and L3

Let's create new logical L3 Etherchannel.

We can configure etherchannel between ASA and switch. Upto 8 active ASA interfaces can participate in etherchannel.

ASDM :
Config -> Device setup -> interfaces -> Add -> EtherChannel
No config should present on interfaces which are going to participate on etherchannel

CLI :
interface g2
    channel-group 1 mode Active
interface g3
    channel-group 1 mode Active
interface port-channel1
    port-channel load-balance src-port
    port-channel min-bundle 1
        lacp max-bundle 8
        no shut
    speed auto
    duplex auto
    nameif dmz
    security-level 50
    ip address 172.16.0.1 255.255.255.0

Redundant :
Let's create a new L3 redundant interface. This will not do load-balancing instead two interfaces active and backup will participate as a pair. At a given time active interface only forward traffic. If an active physical interface fails, standby will take up as active and it will use active interface mac address.

ASDM :

Config -> Device setup -> interfaces -> Add -> redundant interface
No config should present on interfaces which are going to participate in redundant.

CLI :

interface redundant1
    member-interface g4
    member-interface g5
    no shut
    nameif outside
    security-level 0
    ip address 192.168.1.171 255.255.255.0

Note: the interface which is configured first will be active on. in our case it is g4

Verify through CLI

show interface port-channel 1
show port-channel 1

show int redundant 1

We can make g5 as active interface
redundant-interface redundant 1 active-member g5

Now g5 will become active member


Is etherchannel and portchannel same?
Yes, "EtherChannel" and "PortChannel" refer to the same technology. EtherChannel is Cisco's proprietary term for link aggregation, which allows multiple physical Ethernet links to be combined into a single logical link. This logical link provides increased bandwidth, improved redundancy, and load balancing across the member links.

PortChannel is the generic term used in the networking industry to describe the logical aggregation of multiple physical ports into a single logical port. While EtherChannel is specific to Cisco devices, other networking vendors may use the term PortChannel or similar terminology to describe the same functionality.

In essence, EtherChannel and PortChannel represent the same concept of bundling multiple physical links to create a higher-bandwidth and more resilient connection between network devices. They are commonly used in scenarios where increased throughput, fault tolerance, and load distribution are required, such as connecting switches, routers, or servers to network infrastructure.









Thursday, December 17, 2015

VPN CLustering


VPN Clustering also known as Load balancing enables multiple ASAs to shared their load for remote VPN sessions. Load balancing tracks session to the least loaded ASA thus distributing the load. This not only makes efficient use of the system resources but also provides HA. This also helps to deploy remote access VPN cost effectively.  Different ASA flavors and VPN 3060 Concentrator can co-exist in a single cluster.

VPN Clustering can only be used for remote access VPN. This cannot be used for site to site VPNs.

Remote connection to the VPN Cluster can only be established from remote Cisco VPN s/w or hardware VPN client or SSL VPN .
For the cluster to work all ASA’s must be configured with same services.

Implementing VPN Clustering requires a virtual cluster by logically grouping two or more ASA’s or VPN concentrators on the same subnet. To outside client, virtual cluster looks like a single device accessible by a single virtual ip address. A VPN client attempting a VPN session connects first to this virtual address but it quickly and transparently redirects it to the least loaded device on the cluster.

At a given time one device on the cluster holds the role of the virtual Master cluster and therefore owns the virtual ip address. The virtual cluster master role is not tied to the particular device. It can shift among devices. Say if virtual master cluster fails then one of the backup devices on the cluster will take up as the master role and becomes Master Virtual cluster. The new failover cluster master is not stateful hence all the existing vpn session will drop. A new vpn session needs to be re-established. The virtual master cluster monitors all devices on the cluster, keep tracks of how busy each is and distribute the session load accordingly. Once the client connects to virtual master ip address it will reply with global ip address of the least busy device on the cluster. In the second transaction which is transparent to the device the client directly connect to that device. In this virtual master, cluster divides traffic evenly and efficiently across the devices.

If any device in the cluster fails, The terminated session can immediately re-connect to the virtual cluster ip address. The virtual cluster master then re-connect this session to the active device in the cluster. Even if several devices in the cluster fails, a user can continue to connect to the cluster as long one device in the cluster is available.

Before configuring make sure all ASA’s are configured with public and private ip addresses and all ASA must share same virtual cluster ip address.

ASDM :

Config -> Features -> VPN -> Load Balancing ->
Enable check box for Load balancing
Enter ip address of cluster this should be public
Enable ipsec encryption for encrypting the data
The devices in the cluster communicate via lan to lan tunnel by using ipsec.
Specify the key for encrypt
Select private and public interfaces
priority range is from 1-10
If this ASA is behind the firewall use NAT. This is ip address configured on router for performing the translation and statically assigned to the public interface of the ASA.

Note : 
Clustering supports Single and Multiple contexts, as well as routed and transparent mode. A single configuration is maintained across all units in the cluster using automatic configuration sync.







Wednesday, December 16, 2015

Botnet Filtering on ASA


A botnet is a network of compromised computers, often referred to as "bots" or "zombies," that are under the control of a single entity, known as the botmaster or bot herder. These compromised computers are typically infected with malicious software, known as malware, which allows the botmaster to remotely control them without the users' knowledge or consent.

Botnets are commonly used for various malicious activities, including:

1. **Distributed Denial of Service (DDoS) Attacks**: Botnets are frequently used to launch DDoS attacks against websites, servers, or networks by flooding them with a massive volume of traffic. This overwhelms the targeted resources, causing them to become unavailable to legitimate users.

2. **Spam and Phishing Campaigns**: Botnets can be used to send out vast quantities of spam emails or phishing messages. These messages may contain malicious links or attachments designed to steal sensitive information, such as login credentials or financial data, from unsuspecting recipients.

3. **Credential Stuffing and Brute Force Attacks**: Botnets are often used to automate credential stuffing attacks, where large sets of stolen usernames and passwords are systematically tested against various websites, online services, or applications. They may also conduct brute force attacks to crack passwords through trial and error.

4. **Click Fraud and Ad Fraud**: Botnets can generate fake clicks or views on online advertisements, websites, or videos to fraudulently inflate advertising revenue or manipulate online metrics. This can deceive advertisers, website owners, and advertising networks, resulting in financial losses.

5. **Cryptocurrency Mining**: Some botnets are used to distribute cryptocurrency mining malware, also known as cryptojacking, which hijacks the computing resources of infected devices to mine cryptocurrencies such as Bitcoin, Monero, or Ethereum. This can degrade system performance and increase energy consumption.

6. **Data Theft and Espionage**: Botnets may be used to steal sensitive data, such as intellectual property, trade secrets, or personal information, from compromised devices. This stolen data can be used for various purposes, including espionage, identity theft, or financial fraud.

Combatting botnets requires a multi-faceted approach, including proactive measures such as maintaining up-to-date security software, implementing strong authentication practices, and educating users about the risks of malware infections. Additionally, law enforcement agencies, cybersecurity researchers, and industry stakeholders collaborate to disrupt and dismantle botnet operations through legal action, botnet takedowns, and coordination efforts.

Botnet Filtering on ASA: Reputation based filtering

Cisco has Security Intelligence Operations known as SIO
Inform, protect and respond
Early-warning intelligence, threat, and vulnerability analysis, and proven Cisco mitigation solutions to help protect networks.
They collect information about malicious traffic patterns all over the world and try to identify the people who are responsible for it.

We need to train ASA to identify malicious ip address and stop any traffic going from pc to that device.

To implement this on ASA, we need to have SIO based infrastructure and need to buy time-based license.

Basic requirements:
ASA should have reachability to cisco server to download dynamic database.

How it works?
DNS on the ASA: to resolve the name of cisco server
Turn on “DNS Snooping” : ASA will look out for each DNS request that customers are making out to the internet
Enable Client and use dynamic database
Optionally create static lists
Specify action in regard to interface

ASDM :
1. Config -> Device Management -> DNS -> DNS Client -> Add info
Primary DNS server : 8.8.8.8
Enable on outside interface

2. Config -> Firewall -> Botnet Traffic Filter -> DNS Snooping  : for botnet option we need license

3. Config -> Firewall -> Botnet Traffic filter -> Botnet Database

4. Config -> Firewall -> Botnet Traffic filter -> Black and White Lists

5.  Config -> Firewall -> Botnet Traffic filter -> Traffic Settings: to specify interface on which traffic to be blocked