CCIE Security Tutorial


Transcript of CCIE Security Tutorial

  • 8/9/2019 CCIE Security Tutorial

    1/189

    CCIE Security Techtorial

    TECCCIE-3001

    TECCCIE-3001_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1

    Agenda

    Section  Topic

    1 CCIE® Program Overview

    2 CCIE® Security Overview

    3 Core Knowledge Section Overview

    4 Implement secure networks using Cisco ASA Firewalls

    5 Implement secure networks using Cisco IOS Firewalls

    6 Implement secure networks using Cisco VPN solutions

    7 Configure Cisco IPS to mitigate network threats

    8 Implement Identity Management

    9 Implement Control Plane & Management Plane Security

    10 Configure Advanced Security

    11 Identify and Mitigate Network Attacks

    12 Preparation Resources and Test-Taking Tips


    Disclaimer

    Not all the topics discussed today appear on every exam

    For time reasons, we’re unable to discuss every feature and topic possible on the exam

    Section 1

    CCIE® Program Overview


    CCIEs Worldwide

    Most highly respected IT certification for more than 15 years

    Industry standard for validating expert skills and experience

    More than 20,000 CCIEs worldwide—less than 3% of all professionals certified by Cisco

    Demonstrate strong commitment and investment to networking career, life-long learning, and dedication to remaining an active CCIE

    New Certification Logos

    The Learning@Cisco organization is pleased to introduce new logos for its Cisco Career Certification Program.

    https://cisco.hosted.jivesoftware.com/docs/DOC-3813

    The logos were designed with input from the Cisco certified community, and represent the prestige and dedication defined by the program.

    Effective January 12, 2009, all certificates and plaques.

    Certified individuals can access and download the logos by logging into the Certifications Tracking System at: www.cisco.com/go/certifications/login



    Overview: CCIE Tracks

    Available in Six Technical Specialties:

    • Routing and Switching: 64% of all bookings; labs in all regions, all worldwide locations

    • Security: introduced 2002; 13% of bookings; labs in Beijing, Hong Kong, Brussels, RTP, San Jose, Sydney, Dubai, Bangalore and Tokyo

    • Service Provider Networks: 16% of bookings; labs in Brussels, San Jose, RTP, Sydney and Tokyo

    • Voice: introduced 2003; 6% of bookings; labs in Brussels, Beijing, Hong Kong, RTP, Sao Paulo, Sydney

    • Storage Networking: introduced 2004; labs in Brussels and RTP

    • Wireless: introduced 2009


    CCIE Information Worldwide

    Total of Worldwide CCIEs: 19,134*

    Total of Routing and Switching CCIEs: 16,727

    Total of Security CCIEs: 2,147

    Total of Service Provider CCIEs: 1,182

    Total of Storage Networking CCIEs: 140

    Total of Voice CCIEs: 901

    *Updated 23-Feb-2009

    Multiple Certifications

    “Many CCIEs Have Gone on to Pass the Certification … CCIE.” Below Are Selected Statistics on CCIEs Who Are Certified in More Than One Track

    Total with Multiple Certifications Worldwide: 1,974

    Total of Routing and Switching and Security CCIEs: 739

    Total of Routing and Switching and Service Provider CCIEs: 496

    Total of Routing and Switching and Storage Networking CCIEs: 35

    Total of Routing and Switching and Voice CCIEs: 258

    Total with 3 or More Certifications: 316

    http://www.cisco.com/web/learning/le3/ccie/certified_ccies/worldwide.html

    CCIE Exam Development Process

    (Diagram) Input sought from: Cisco Business Units/Technology Groups; Cisco Standard Architectures (AVVID, SAFE); Advisory Subject Matter Experts; Technical Support TAC Cases; Technical Bulletins, Best Practices, Whitepapers; Enterprise Technical Advisory Board; Focus Groups/Customer Sessions; CCIE Field Surveys. Reaching out to extended and relevant …

    Input goes to the CCIE [Track] Program Manager, the Content Advisory Group and the CCIE Program Team; the output is the Exam Objectives and the CCIE Written and Lab Blueprints, with a feedback loop back to the sources


    Certification Process

    CCIEs must pass two exams

    The written exam has 100 multiple-choice questions

    The lab exam is what makes CCIE different. The full-day, hands-on lab exam tests the ability to configure and troubleshoot equipment

    Not all lab exams are offered at all lab locations

    Step 1: CCIE Written Exam: #350-018

    Available worldwide at any Pearson VUE testing facility for ~$350 USD. Costs may vary due to exchange rates and local taxes

    Two-hour exam with 100 multiple-choice questions

    Closed book; no outside reference materials allowed

    Pass/fail results are available immediately following the exam; the passing score is set by statistical analysis and is subject to periodic change

    Waiting period of five calendar days to retake the exam

    Candidates who pass a CCIE written exam must wait a minimum of six months before taking the same number exam

    From passing written, candidate “must” take first lab exam attempt within 18 months

    No “skip-question” functionality


    Step 2: CCIE Lab Exam

    Available in select Cisco locations for $1,400 USD, adjusted for exchange rates and local taxes where applicable, not including travel and lodging

    Eight-hour exam requires working configurations and troubleshooting to demonstrate expertise

    Cisco documentation available via Cisco Web; no personal materials of any kind allowed in lab

    Minimum score of 80% to pass

    Scores can normally be viewed online within 48 hours, and failing score reports indicate areas where additional study may be useful

    Section 2

    CCIE® Security Overview


    CCIE Security Overview

    Security is one of the fastest-growing areas in the industry

    Information security is a top agenda item for all organizations

    There is an ever-growing demand for Security professionals in the industry

    The CCIE Security certification was introduced in 2002 and has evolved into one of the industry’s most respected high-level security certifications

    Just around 2,200 CCIE Security worldwide

    Advanced Technology Market Growth

    Market and Job Specialization: Companies are dedicating job roles now and expecting to increase the trend within 5 years

    (Chart: Growth over Time for Security, Voice and Wireless)

    Security: From 46% dedicated now to 80% in 5 years

    Voice: From 40% now to 69% in 5 years

    Wireless: From 39% now to 66% in 5 years

    Source: 2008 Worldwide Survey by Forrester Consulting on Behalf of Cisco


    CCIE Security Written Exam v2.0

    Covers networking theory related to:

    General Networking

    Security Protocols

    Application Protocols

    Security Technologies

    Cisco Security Appliances and Apps

    Cisco Security Management

    Cisco Security General

    Security Solutions

    Security General

    Lays foundation for Security lab exam


    CCIE Security Written Exam v2.0

    The CCIE Security v2.0 written exam strengthens coverage of technologies critical to highly-secure enterprise networks

    Topics such as ASA, IPS, NAC/ATD, CS-MARS, IPv6, security policies and standards are added to test candidates on the security technologies and best practices in use today

    … can schedule their Lab for v3.0. There is no additional requirement to schedule v3.0 lab exam.

    Security Written Exam: Sample Question 1

    Which Is a Benefit of Implementing RFC-2827?

    A. Prevents DoS attacks based on ARP spoofing

    B. …

    C. Prevents DoS attacks based on MAC spoofing

    D. Prevents leaking of Private Internet address space

    E. Prevents leaking of Special-Use IPv4 Addresses

    Answer is B


    Security Written Exam: Sample Question 2

    Which One of the Secure Access Methods Below Can CS-MARS Use to Get Configuration Information from an Adaptive Security Appliance (ASA)?

    A. …

    B. SFTP

    C. SCP

    D. SSL

    E. HTTPS

    Answer is A

    CCIE Security Lab Exam (New v3.0)


    CCIE Security Lab Exam

    Candidates build a secure network to a series of supplied specifications

    The point values for each question are shown on the exam

    Some questions depend upon completion of previous parts of the network

    Report any suspected equipment issues to the proctor as soon as possible; adjustments cannot be made once the exam is over

    Security Lab Exam: Locations

    Nine Worldwide CCIE Lab Locations for Security: Beijing, RTP, Brussels, Tokyo, San Jose, Hong Kong, Sydney, Dubai, Bangalore


    Security Lab Exam: Changes (New v3.0)

    The CCIE Security Lab exam content was revised and implemented worldwide on 20th April 2009, to include some of the current trends and technologies in the security industry

    New topics and hardware and software upgrades have been introduced

    End-of-Life devices were also removed

    Routers were replaced with ISR series models

    Catalyst 3550 Switches were replaced with 3560

    Security Lab Exam: Equipment and Software Versions (New v3.0)

    Lab May Test Any Feature That Can Be Configured on the Equipment and Cisco IOS Versions Listed Below, or on the CCIE Website; … Lab, But You Won’t Be Tested on Them

    Cisco Integrated Services Routers (ISR) series running Cisco IOS version 12.4T

    Cisco Catalyst 3560 series switches running 12.2SE

    Cisco ASA 5500 series Firewalls running version 8.x

    Cisco IPS 4240 Appliance Sensor running version 6.x

    Cisco Secure ACS version 4.1

    Test PC for Testing and Troubleshooting

    Candidate PC for rack access


    Security Lab Exam: Blueprint (New v3.0)

    1. Implement secure networks using Cisco ASA Firewalls

    2. Implement secure networks using Cisco IOS Firewalls

    3. Implement secure networks using Cisco VPN solutions

    4. Configure Cisco IPS to mitigate network threats

    5. Implement Identity Management

    6. Implement Control Plane & Management Plane Security

    7. Configure Advanced IOS Security

    8. Identify and Mitigate Network Attacks

    Security Lab Exam: Pre-Configuration

    The Routers and Switches in Your Topology Are Preconfigured With:

    Basic IP addressing, hostname, passwords

    Switching: Trunking, VTP, VLANs

    WAN: Frame Relay DLCI mappings, HDLC, PPP

    Routing: OSPF, RIP, EIGRP, BGP

    All pre-configured passwords are ‘cisco’

    Occasionally, security devices may also have some pre-configuration. If not, candidate is required to initialize all security devices

    Do Not Change Any Pre-Configuration on Any Devices Unless Explicitly Stated in a Question


    Security Lab Exam: Sample Topology

    (Diagram) ASA Multi-Context with Failover (Context 1, Context 2); vs0 and vs1; ACS; backbone routers BB1, BB2 and BB3; Frame Relay (FR) and PPP links; TEST PC

    Security Lab Exam: Rack and PC Access

    (Diagram) CCIE Lab Remote Location: Candidate PC behind a Remote GW Router. CCIE Lab Central Location: Central GW Router, Rack Comm Srv, CCIE BB, BB1, BB2, ACS and the TEST PC (Remote Desktop Enabled on NIC1; NIC1 and NIC2). The two locations are connected over the Cisco Intranet


    Security Lab Exam: The Equipment in Rack

    The equipment on the rack assigned to you is physically cabled and should not be tampered with. Before starting the exam, confirm working order of all devices in your rack

    During the exam, if any device is locked or inaccessible for any reason, you must recover it

    When finishing the exam, ensure all devices are … Devices not accessible for grading cannot be marked and may cause you to lose substantial points

    Security Lab Exam: Grading

    Proctors grade all lab exams

    Automatic tools are never solely responsible for lab exam grading—proctors are

    Proctors complete grading of the exam and submit the final score within 48 hours

    Points are awarded for working solutions only

    Some questions have multiple solutions


    Summary

    Topics Covered in the Exam:

    1. Firewalls (ASA and IOS FW)

    2. …

    3. Intrusion protection

    4. Identity authentication

    5. Router plane protection

    6. Advanced IOS security technologies

    7. Mitigation techniques to respond to network attacks

    Section 3

    Core Knowledge Section Overview


    Core Knowledge Section—Overview

    Cisco CCIE team has implemented a new type of question format to the CCIE Security Lab exam called Core Knowledge Section, a.k.a. Interview Section.

    In addition to the live configuration scenarios, candidates will be asked a series of open-ended short-answer questions, covered from the lab exam blueprint.

    No new topics are being added.

    The new short-answer questions will be randomly selected for each candidate every day

    Core Knowledge Section—Why

    Why Are You Adding Short-Answer Questions to the CCIE Lab Exam?

    One of the primary goals to introduce the new Core Knowledge Section is to maintain exam security and integrity and ensure only qualified candidates achieve certification.

    The questions will be designed to validate concepts, theory, architecture and fundamental knowledge of products and protocols.


    Core Knowledge Section—Format

    Candidates will be asked four open-ended questions, computer-delivered, drawn from a pool of questions based on the material covered on the lab exam blueprint.

    Core Knowledge section format will not be multiple-choice type questions.

    Candidates will be required to type out their answers.

    Candidates cannot use Cisco Documentation.

    No changes are being made to the lab exam blueprint or to the length of the lab exam.

    Core Knowledge Section—Time

    Candidates are allowed a maximum of 30 minutes to complete the questions. The 30 minutes is inclusive in the total length of the lab exam.

    The total length of the CCIE lab exam will remain eight hours.

    Well-prepared candidates should be able to answer the questions in 15 minutes or less and move immediately …


    Core Knowledge Section—Scoring

    The Core Knowledge section is scored Pass/Fail and every candidate will be required to pass in order to achieve CCIE certification.

    A candidate must answer at least three of the four short-answer questions correctly to Pass the Core Knowledge section, which will be indicated with a 100% mark on the score report.

    … the Core Knowledge section will be marked 0%, indicating a Fail. A 0% does not necessarily indicate the candidate answered all the questions incorrectly.

    Core Knowledge Section—Sample Q1

    Messages shown in the diagram (Initiator on the left, Responder on the right):

    1. Header, SA →

    2. ← Header, SA

    3. Header, Key, Nonce →

    4. ← Header, Key, Nonce

    5. Header, ID, Sig, [Cert] →

    6. ← Header, ID, Sig, [Cert]

    MSG 1: Initiator offers acceptable encryption and authentication algorithms (3DES, MD5, RSA)—i.e. the transform-set

    MSG 2: Responder presents acceptance of the proposal (or not)

    MSG 3: Initiator Diffie-Hellman key and nonce (key value is usually a number of 1024 bit length)

    MSG 4: Responder Diffie-Hellman key and nonce

    MSG 5: Initiator signature, ID and keys (maybe cert), i.e. authentication data

    MSG 6: Responder signature, ID and keys (maybe cert)

    Which ISAKMP mode is shown above?

    Answer = Main Mode


    Core Knowledge Section—Sample Q2

    Conditions for IPS signature to fire:

    Version: IPv4; Protocol: TCP; String: ”CWD~root”; Port Destination: 21

    Fire alarm if packet is an IPv4 TCP packet destined for port 21 and contains the string “CWD~root”

    (Diagram) Hacker sends three TCP segments to the target FTP server 10.0.0.1, each with IP Dest. 10.0.0.1 and Dest Port 21: first segment “xxxCWDyyy”, second segment “yyy~ryyy”, last segment “yyyootzzz”

    Which type of pattern matching must be used to mitigate this multi-vector attack?

    Answer = Stateful Pattern Matching
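The split-string evasion of Sample Q2 beside the stateful match that catches it, as an added Python example (not from the tutorial slides): a per-packet matcher never sees the whole string, while a matcher that reassembles each TCP flow does, even when the segments arrive out of order. The segment data, the attacker addresses and the small reassembler are constructed for illustration; only the signature conditions come from the slide.

```python
"""Stateless vs. stateful pattern matching for the sample IPS signature.

Added example, not from the tutorial slides. The signature fires on an IPv4/TCP
segment to destination port 21 that contains the string "CWD~root". The slide
shows the string split over three segments ("xxxCWD", "~r", "oot") so that no
single segment carries the whole pattern; here the segments also arrive out of
order. All segments below are constructed sample data.
"""
from dataclasses import dataclass, field

SIGNATURE_PATTERN = b"CWD~root"
SIGNATURE_DPORT = 21


@dataclass(frozen=True)
class Segment:
    """The fields of an IPv4/TCP segment that the signature conditions need."""
    src: str
    dst: str
    dport: int
    seq: int
    payload: bytes = b""
    syn: bool = False


def stateless_match(segments):
    """Per-packet matcher: looks for the pattern inside each payload alone.

    This is the check the slide describes; it misses a pattern that straddles
    segment boundaries.
    """
    return any(s.dport == SIGNATURE_DPORT and SIGNATURE_PATTERN in s.payload
               for s in segments)


@dataclass
class Flow:
    """Reassembly state for one (src, dst, dport) flow."""
    next_seq: int                                 # next in-order byte expected
    stream: bytearray = field(default_factory=bytearray)
    pending: dict = field(default_factory=dict)   # seq -> payload held out of order


class StatefulMatcher:
    """Reassembles each TCP flow and matches the pattern on the byte stream."""

    def __init__(self, pattern=SIGNATURE_PATTERN, dport=SIGNATURE_DPORT):
        self.pattern = pattern
        self.dport = dport
        self.flows = {}
        self.alerts = []                # flow keys on which the signature fired

    def feed(self, seg):
        """Process one segment; return True if the signature fires on it."""
        if seg.dport != self.dport:     # port condition of the signature
            return False
        key = (seg.src, seg.dst, seg.dport)
        if seg.syn:                     # new connection: data starts after the SYN
            self.flows[key] = Flow(next_seq=seg.seq + 1)
            return False
        flow = self.flows.setdefault(key, Flow(next_seq=seg.seq))  # mid-stream pickup
        flow.pending[seg.seq] = seg.payload
        # Move every segment that is now contiguous into the stream buffer.
        while flow.next_seq in flow.pending:
            data = flow.pending.pop(flow.next_seq)
            flow.stream.extend(data)
            flow.next_seq += len(data)
        if self.pattern in flow.stream:
            self.alerts.append(key)
            flow.stream.clear()
            return True
        # Only the last len(pattern)-1 bytes can still complete a future match.
        del flow.stream[:-(len(self.pattern) - 1)]
        return False


def stateful_match(segments):
    """Feed segments in arrival order; True if the signature fired at least once."""
    matcher = StatefulMatcher()
    return any([matcher.feed(s) for s in segments])   # list so every segment is fed


# Constructed sample traffic: attacker 192.0.2.10 -> FTP server 10.0.0.1 (the
# slide's target). "CWD~root" is spread over three segments and the second and
# third segments are swapped on the wire.
EVASIVE_FTP = [
    Segment("192.0.2.10", "10.0.0.1", 21, seq=1000, syn=True),
    Segment("192.0.2.10", "10.0.0.1", 21, seq=1001, payload=b"USER anon\r\nxxxCWD"),
    Segment("192.0.2.10", "10.0.0.1", 21, seq=1020, payload=b"oot\r\n"),  # arrives early
    Segment("192.0.2.10", "10.0.0.1", 21, seq=1018, payload=b"~r"),
]

# Constructed benign session to the same server: must not raise an alert.
BENIGN_FTP = [
    Segment("192.0.2.20", "10.0.0.1", 21, seq=5000, syn=True),
    Segment("192.0.2.20", "10.0.0.1", 21, seq=5001, payload=b"USER ftp\r\n"),
    Segment("192.0.2.20", "10.0.0.1", 21, seq=5011, payload=b"CWD /pub\r\n"),
]

if __name__ == "__main__":
    print("stateless:", stateless_match(EVASIVE_FTP))   # False: no single segment has it
    print("stateful: ", stateful_match(EVASIVE_FTP))    # True: found after reassembly
```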

    Section 4

    Implement Secure Networks Using Cisco ASA Firewalls


    Exam Objectives

    Perform basic firewall initialization

    Configure device management

    Configure address translation (nat, global, static)

    Configure ACLs

    Configure IP routing

    Configure object groups

    Configure VLANs

    Configure filtering

    Configure failover

    Configure Layer 2 Transparent Firewall

    Configure security contexts (virtual firewall)

    Configure Modular Policy Framework

    Configure Application-Aware Inspection

    Configure high availability solutions

    Configure QoS policies

    Firewall—Defined

    A firewall is a security device which is configured to permit, deny or proxy data connections set by the organization’s security policy. Firewalls can be either hardware or software based

    A firewall's basic task is to control traffic between computer networks with different zones of trust

    Today’s firewalls combine multilayer stateful packet inspection and multiprotocol application inspection

    Virtual Private Network (VPN) services and Intrusion Prevention Services (IPS) have been combined with the firewall inspection engine(s)

    Despite these enhancements, the primary role of the firewall is to enforce security policy

    Source: Wikipedia (www.wikipedia.com)


    Cisco ASA Firewall: Basic Overview

    Firewall Design—Modes of Operation

    There Are a Variety of Choices When Designing a Firewall Deployment

    Routed Mode: Is the traditional mode of the firewall that acts as a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. Two or more interfaces that separate L3 domains.

    Transparent Mode: Is where the firewall acts as a bridge functioning mostly at Layer 2, that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices

    Single Mode: Is the regular basic firewall

    Multi-context Mode: Involves the use of virtual firewalls (security contexts)


    Interface and Security Levels

    Inside Interface always has a security level of 100. Most Secure level

    Outside Interface always has a security level of 0. Least Secure level

    Multiple perimeter networks can exist. Use DMZ Interface. Security levels between 1–99

    Initializing Cisco ASA

    Firewall Mode (Router vs. Transparent)

    Enable/Allocate interfaces

    Assign IP address for each active Interface

    Un-shut Interfaces

    Configure Address Translation (optional)

    Configure Static/Dynamic Routing


    VLAN Interface

    Virtual LANs (VLANs) are used to create separate broadcast domains within a single switched network

    You can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN

    ASA supports 802.1q, allowing it to send and receive traffic for multiple VLANs on a single interface

    Routing Protocols

    ASA supports RIP, OSPF and EIGRP routing protocols

    Practice route filtering and summarization for protocols

    Running multiple routing protocols concurrently on the same Firewall is now supported

    Routing protocol in multi-context mode is not


    Address Translation

    Dynamic translations are built using:

    Network Address Translation (NAT) (one-to-one mapping) or Port Address Translation (PAT) (many-to-one mapping)

    Subject to NAT-Control

    Static translations are built using:

    static command (create permanent mapping between a local IP address and a global IP address)

    Policy NAT

    Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list

    Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports

    With policy NAT, you can create multiple static statements as long as the source/port and destination/port combination is unique for each statement

    Use an access list with the static command to enable policy NAT


    Object Grouping

    Used for simplifying complex access control policies. Object grouping provides a way to reduce the number of access rule entries required to describe complex security policies

    Following types of objects:

    Protocol—group of IP protocols. It can be one of the following keywords: icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet …

    Service—group of TCP or UDP port numbers assigned to different services

    icmp-type—group of ICMP message types to which you permit or deny access

    Network—group of hosts or subnets

    Basic Feature Summary: Practice Them All

    Address Translation, Source/Destination NAT, AAA, Object Grouping, VLAN, RIP, OSPF, EIGRP, Syslog, DHCP, PPPoE, URL Filtering, IDS, SSH, Failover, TCP Intercept, Java Filtering, ActiveX Filtering, SNMP, NTP, Packet Capture, Packet Tracer


    Cisco ASA Firewall: Advanced Features

    Advanced Features—Important

    1. Virtual Firewall (Security Contexts)

    2. Transparent Firewall (L2 Firewall)

    3. Firewall High Availability (HA)

    4. Modular Policy Framework (MPF)

    5. No NAT-Control


    Virtual Firewall

    Virtualization provides a way to create multiple firewalls in the same physical chassis

    Virtual Firewall—when a single Firewall device can support multiple contexts

    A context defines connected networks and the policies that the Firewall enforces

    … enforce many (up to 100s) policies between different networks

    Virtualization is a licensed feature


    Virtual Firewall on ASA

    Context = a virtual firewall

    All virtualized firewalls must define a System context and an Admin context at a minimum

    Admin context (mandatory): remote root access and access to all contexts

    (Diagram) Virtual Firewall contexts A, B and C beside the Admin context, each with physical ports assigned

    There is no policy inheritance between contexts

    The system space uses the admin context for network connectivity; system space creates other contexts

    Virtual Firewall: Multiple Security Context Configuration

    Changing single mode to multiple mode:
     mode {single | multiple}

    To show system or context information:
     From the system execution space: show context [[name] [detail] | count]
     From a context execution space: show context [detail]

    To specify a context’s configuration file:
     config-url url (where url can be flash/disk/ftp server/http server)

    To allocate physical interfaces to the contexts:
     context {context name}
     allocate-interface Ethernet0
     allocate-interface Ethernet1

    Accessing the contexts:
     changeto {system | context name}
     context name: changes to the context with the specified name
     system: changes to the system execution space


    Virtual Firewall: Multiple Security Context

    Sample Configuration: System Context

    hostname ASA
    enable password cisco
    no mac-address auto
    !
    interface Ethernet0/0
     speed auto
     duplex auto
    !
    interface Ethernet0/0.30
     vlan 30
    !
    interface Ethernet0/0.40
     vlan 40
    !
    interface Ethernet0/1
     speed auto
     duplex auto
    !
    interface Ethernet0/2
     speed auto
     duplex auto
    !
    admin-context admin
    !
    context admin
     allocate-interface Ethernet0/0
     config-url flash:/admin.cfg
    !
    context custA
     allocate-interface Ethernet0/0.30
     allocate-interface Ethernet0/1
     config-url flash:custA.cfg
    !
    context custB
     allocate-interface Ethernet0/0.40
     allocate-interface Ethernet0/2
     config-url flash:custB.cfg

    The context is not operational until the config-url command has been entered.

    Virtual Firewall: Multiple Security Context

    Inside a Context

    Context custA:

    ASA# changeto context custA
    ASA/custA# show run
    hostname custA
    enable password cisco
    !
    interface Ethernet0/0.30
     nameif outside
     security-level 0
     ip address 172.16.30.1 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ASA/custA# changeto system
    ASA#

    Context custB:

    ASA/custA# changeto context custB
    ASA/custB# show run
    hostname custB
    enable password cisco
    !
    interface Ethernet0/0.40
     nameif outside
     security-level 0
     ip address 172.16.40.1 255.255.255.0
    !
    interface Ethernet0/2
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    ASA/custB# changeto system
    ASA#


    Transparent Firewall Mode (L2 Firewall)

    Transparent Firewalls have the capability of operating at layer 2—same level as a bridge

    This Firewall is “transparent” to the data

    IP addresses (the network) on either side of the Firewall are the same

    Same subnet exists on inside and outside, different VLANs on inside and outside

    NAT is now supported in Transparent Firewall (v8.0 on the ASA)

    VPN traffic terminating on the firewall is not supported with the exception of management traffic ONLY


    Transparent Firewall

    (Diagram) Two routers, 10.1.1.2 on Vlan 20 and 10.1.1.3 on Vlan 30, reach the Backbone through the transparent firewall; HSRP, VRRP, GLBP; OSPF, EIGRP, RIP, etc.; PIM, multicast traffic (224.0.0.x); and BPDUs, IPX, MPLS pass: OK if ACL permits

    Routers can establish routing protocol adjacencies through the firewall. Protocols such as HSRP, VRRP, GLBP can cross the firewall

    Multicast streams can also traverse the firewall

    Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

    Transparent Firewall: Sample Configuration

    ciscoasa# show firewall
    Firewall mode: Router
    ciscoasa(config)# firewall transparent
    Switched to transparent mode
    ciscoasa(config)# ip address 10.1.1.254 255.255.255.0
    ciscoasa(config)# interface Ethernet0
    ciscoasa(config-if)# nameif outside
    ciscoasa(config-if)# security-level 0
    ciscoasa(config)# interface Ethernet1
    ciscoasa(config-if)# nameif inside
    ciscoasa(config-if)# security-level 100
    ciscoasa(config-if)# no shutdown
    ciscoasa(config)# access-list 101 permit icmp any any
    ciscoasa(config)# access-group 101 in interface outside


    New HA Feature—Interface Redundancy

    Compatible with all firewall modes (routed/transparent) and deployments (A/A and A/S)

    When the active physical interface fails, traffic fails to the standby physical interface and routing adjacencies, connection, and auth state won’t need to be relearned.

    Feature available on ASA5510 and above.

    Sub-interfaces (dot1q) need to be built on top of the logical redundant interface, not physical member interfaces.

    interface Redundant1
     member-interface GigabitEthernet0/1
     member-interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    !
    interface Redundant1.4
     vlan 4
     nameif inside
     security-level 100
     ip address 172.16.10.1 255.255.255.0
    !
    interface Redundant1.10
     vlan 10
     nameif outside
     security-level 0
     ip address 172.16.50.10 255.255.255.0


    New HA Feature—Route Tracking

    Method for tracking the availability of static routes with the ability to install a backup route should the primary route fail

    Commonly used for static default routes, often in a dual ISP environment

    Uses ICMP echo replies to monitor the availability of a target host, usually the next hop gateway

    Can only be used in single routed mode

    asa(config)# sla monitor 1234
    asa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
    asa(config-sla-monitor-echo)# frequency 3
    asa(config)# sla monitor 1234 life forever start-time now
    asa(config)# track 1 rtr 1234 reachability
    asa(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1

    Firewall HA Failover: Basics

    Active/standby vs. primary/secondary

    Stateful failover (optional)

    A failover only occurs when either FW determines the standby FW is healthier than the active FW

    Both FWs swap MAC and IP addresses when a failover occurs

    Level 1 syslogs will give reason of failover

    (Diagram) Active Unit and Standby Unit connected by a LAN FO link and a Stateful link


    Firewall HA—Active/Standby FO

    Supported on all ASA models

    ASA only supports … serial cable).

    Both platforms must be identical in software, licensing, memory and interfaces

    Not recommended to share the state and failover link; use a dedicated link for each

    Preferably these cables will be connected into the same switch with no hosts

    Not recommended to use a direct connection between firewalls (i.e. straight through or X-over)

    Firewall HA: Active/Active FO

    Supported on all platforms except the …

    Requires virtualization (multi-context) which requires additional licensing

    Use FO Group command

    Requires FO AA or UR license for contexts

    No load-balancing or load-sharing support today


    Firewall HA: A/A Failover with Asymmetric Routing Support

    A/A ASR mode adds support for asymmetric traffic flows

    A/A ASR is enabled by adding multiple A/A units to the same ASR Group.

    If traffic returns via ISP-B, which does not contain state info, the packets are forwarded to the other member of the ASR group

    (Diagram) Internet reached via ISP-A and ISP-B; failover pair with Logical1-A/Logical1-S and Logical2-A/Logical2-S, addresses .1, .4, .2, .3 on each side; Inside Network B-1, Inside Network B-2 and Inside Network

    Advanced Features—Important

    1. Virtual Firewall (Security Contexts)

    3. Firewall High Availability (HA)

    4. Modular Policy Framework (MPF)

    5. No NAT-Control

    Modular Policy Framework (MPF)

    [Diagram: before MPF, one set of rules between Inside and Outside—"All of my flows were treated pretty much the same"; with MPF, granular and flexible policies—rules about HTTP, rules about FTP]

    Modular Policy Framework (MPF)

    There is a growing need to provide greater granularity and flexibility in configuring network policies

    For example, the ability to include destination IP address as one of the criteria to identify traffic for Network Address Translation, or the ability to create a timeout configuration that is specific to a particular TCP application, as opposed to the current timeout scheme which applies a timeout value to all TCP applications, etc. MPF provides the tools to meet these specific needs

    Modular Policy Framework (MPF)

    MPF features are derived from QoS as implemented in Cisco IOS; not all features have been carried across though

    MPF is built on three related CLI commands …

    class-map—This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map

    policy-map—This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too which tie them into the service-policy

    service-policy—This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, "global-service-policy," is defined for traffic and general policy application. This policy applies to traffic on all interfaces

    Modular Policy Framework (MPF)

    Understand how the show service-policy command works

    The show service-policy flow command displays the policies that the ASA would apply to that flow. You can use this to check that your service policy configuration will provide the services you want for specific connections.

        ASA1# show service-policy flow tcp host 0.0.0.0 host YY.YY.1.1 eq 80
        Global policy:
          Service-policy: global_policy
            Class-map: WebServer
              Match: access-list WebServer
                Access rule: permit tcp any host YY.YY.1.1 eq www
              Action:
                Input flow: set connection embryonic-conn-max 100 per-client-max 5
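The three MPF objects above and the show service-policy flow lookup can be modelled in a few dozen lines. The following Python is an added example written for this tutorial, not Cisco code and not the ASA's real lookup: class-maps match a flow, policy-maps list class-maps in order with their actions, and a service policy holds at most one policy-map per interface plus one global policy-map. The WebServer class reproduces the slide's global policy; the address 192.0.2.10 stands in for the slide's masked YY.YY.1.1, and the outside_policy DNS class is constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class ClassMap:
    """'class-map NAME' whose criterion is a 'match access-list' with one ACE.
    dport=None means any destination port."""
    name: str
    proto: str
    dst_net: str
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == flow.dport))


@dataclass
class PolicyMap:
    """'policy-map NAME': class-maps listed in order, each with its action list."""
    name: str
    classes: list = field(default_factory=list)   # [(ClassMap, [action, ...])]

    def lookup(self, flow: Flow):
        for cmap, actions in self.classes:        # first matching class wins
            if cmap.matches(flow):
                return cmap.name, actions
        return None


class ServicePolicies:
    """'service-policy': one policy-map per interface plus one global policy-map."""

    def __init__(self):
        self.per_interface = {}
        self.global_policy = None

    def apply(self, pmap: PolicyMap, interface: Optional[str] = None):
        if interface is None:                     # service-policy NAME global
            self.global_policy = pmap
            return
        if interface in self.per_interface:       # the slide's "only one per interface" rule
            raise ValueError(f"only one service-policy can exist on interface {interface}")
        self.per_interface[interface] = pmap

    def show_flow(self, interface: str, flow: Flow):
        """Like 'show service-policy flow': every (scope, policy-map, class-map, actions)
        entry that matches this flow, interface policy first, then the global policy."""
        hits = []
        for scope, pmap in ((interface, self.per_interface.get(interface)),
                            ("Global policy", self.global_policy)):
            if pmap is None:
                continue
            match = pmap.lookup(flow)
            if match is not None:
                hits.append((scope, pmap.name, match[0], match[1]))
        return hits


def build_example() -> ServicePolicies:
    """The slide's global policy plus a constructed interface policy (assumed, not from the deck)."""
    web = ClassMap("WebServer", "tcp", "192.0.2.10/32", 80)   # permit tcp any host <web server> eq www
    sp = ServicePolicies()
    sp.apply(PolicyMap("global_policy",
                       [(web, ["set connection embryonic-conn-max 100 per-client-max 5"])]))
    dns = ClassMap("dns-traffic", "udp", "0.0.0.0/0", 53)      # constructed
    sp.apply(PolicyMap("outside_policy", [(dns, ["inspect dns"])]), "outside")
    return sp


if __name__ == "__main__":
    sp = build_example()
    for scope, pm, cm, actions in sp.show_flow("inside", Flow("tcp", "10.1.1.5", "192.0.2.10", 80)):
        print(f"{scope}: Service-policy: {pm}  Class-map: {cm}  Action: {actions}")
```

Running show_flow for a flow that matches no class returns an empty list, which is exactly the situation to look for when a connection does not get the limits or inspection you expected.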

    Advanced Features—Important

    1. Virtual Firewall (Security Contexts)

    3. Firewall High Availability (HA)

    4. Modular Policy Framework (MPF)

    5. Application Firewall

    6. NAT-Control

    NAT Control

    The security appliance has always been a device supporting, even requiring, Network Address Translation for maximum flexibility and security.

    Introduced in v7.0 is NAT as an option. Specifying nat-control specifies the requirement to use NAT for outside communications

    To enable NAT control, use the nat-control command in global configuration mode

    To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the command no nat-control in global configuration mode

    By default, NAT control is disabled

    NAT Control

    Syntax

    Configuration

    The nat-control statement is valid in routed firewallmode and in single and multiple security context mode.

    No new NAT functionality is provided with this feature.

     All existing NAT functionality remains the same.

    NAT Control

    Consider … NAT-CONTROL (v6.3 behavior)

    All traffic leaving a firewall from a higher to lower security interface requires a NAT/GLOBAL pair

    All traffic entering a firewall from a lower to higher security interface requires a STATIC/ACCESS-LIST pair

    All other traffic is dropped

    Consider … NO NAT-CONTROL (v7.0 behavior)

    All traffic leaving a firewall from a higher to lower security interface moves freely

    All traffic entering a firewall from a lower to higher security interface only requires an ACCESS-LIST

    NAT/GLOBAL pairs are needed only for traffic requiring address translation

    Troubleshooting Firewall

    Firewall Troubleshooting Tools

    Understanding the packet flow

    Debug commands

    Show commands

    Packet capture


    Understanding the Packet Flow

    To effectively troubleshoot a problem, one must first understand the packet path through the network

    Attempt to isolate the problem down to a single device

    Then perform a systematic walk of the packet path through the device to determine where the problem could be

    For problems relating to the ASA, always:

    Determine the flow: SRC IP, DST IP, SRC port, DST port, and protocol

    Determine the interfaces through which the flow passes

    Note: All firewall issues can be simplified to two interfaces (ingress and egress) and the rules tied to both

    Packet Processing Flow Diagram

    1. Receive Packet

    2. Ingress Interface

    3. Existing Connection? (No → continue with the checks below; Yes → the ACL and translation lookups are skipped)

    4. Permit by Inbound ACL on Interface? (No → Drop)

    5. Match Translation Rule (NAT, Static)? (No → Drop)

    6. NAT Embedded IP and Perform Security Checks / Randomize Sequence Number

    7. NAT IP Header

    8. Pass Packet to Outgoing (Egress) Interface

    9. Layer 3 Route Lookup? (No → Drop)

    10. Layer 2 Next Hop? (No → Drop)

    11. Transmit Packet

    Once the Device and Flow Have Been Identified, Walk the Path of the Packet Through the Device
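The walk through the device is easier to internalise as code. The following Python is an added example, not Cisco code and not the ASA's real data path: it models the stage order of the diagram (existing connection, inbound ACL, translation lookup, route lookup, Layer 2 next hop, transmit) and reports the stage at which a packet would be dropped, which is the order a troubleshooter checks. The nat-control behaviour at stage 5 follows the NAT Control slides; the embedded-IP rewrite and sequence randomisation of stages 6 and 7 are elided. The ACL, NAT, route and ARP tables in build_example are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


class AsaPipeline:
    """Stage numbers follow the slide: 3 existing conn, 4 inbound ACL,
    5 translation rule, 9 L3 route, 10 L2 next hop, 11 transmit."""

    def __init__(self, nat_control=False):
        self.nat_control = nat_control
        self.conns = set()    # stage 3: flows that already have a connection entry
        self.acls = {}        # stage 4: ingress iface -> [(action, proto|"ip", dst net, dport|None)]
        self.nat = {}         # stage 5/7: (ingress iface, local ip) -> global ip
        self.routes = []      # stage 9: (network, egress iface, next hop or None)
        self.arp = {}         # stage 10: (egress iface, next hop ip) -> mac

    def _acl_permits(self, iface, flow):
        for action, proto, net, dport in self.acls.get(iface, []):   # first match wins
            if (proto in (flow.proto, "ip") and ip_address(flow.dst) in ip_network(net)
                    and dport in (None, flow.dport)):
                return action == "permit"
        return False                                                  # implicit deny

    def _route(self, dst):
        best = None                                                   # longest prefix match
        for net, iface, nexthop in self.routes:
            n = ip_network(net)
            if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, iface, nexthop or dst)                     # connected: ARP for dst itself
        return None if best is None else (best[1], best[2])

    def _egress(self, flow, src):
        route = self._route(flow.dst)                                 # 9
        if route is None:
            return 9, "drop: no route to destination", None
        egress, nexthop = route
        if (egress, nexthop) not in self.arp:                         # 10
            return 10, "drop: no Layer 2 address for next hop", None
        return 11, f"transmit via {egress}", src                      # 11

    def process(self, ingress, flow):
        """Return (stage reached, verdict, translated source address)."""
        if flow in self.conns:                                        # 3: existing connection
            src = self.nat.get((ingress, flow.src), flow.src)         # reuse the xlate, skip ACL
            return self._egress(flow, src)
        if not self._acl_permits(ingress, flow):                      # 4
            return 4, "drop: denied by inbound ACL", None
        src = self.nat.get((ingress, flow.src))                       # 5
        if src is None:
            if self.nat_control:
                return 5, "drop: no translation rule (nat-control)", None
            src = flow.src                                            # no nat-control: pass untranslated
        verdict = self._egress(flow, src)                             # 6/7 elided, 8-11
        if verdict[0] == 11:
            self.conns.add(flow)                                      # later packets hit stage 3
        return verdict


def build_example(nat_control=True):
    """Constructed tables: inside host 10.1.1.2 is translated, telnet outbound is denied."""
    fw = AsaPipeline(nat_control)
    fw.acls["inside"] = [("deny", "tcp", "198.51.100.0/24", 23), ("permit", "ip", "0.0.0.0/0", None)]
    fw.nat[("inside", "10.1.1.2")] = "209.165.201.22"
    fw.routes = [("0.0.0.0/0", "outside", "209.165.201.1"), ("10.0.0.0/8", "inside", None)]
    fw.arp[("outside", "209.165.201.1")] = "00:aa:bb:cc:dd:01"
    return fw


if __name__ == "__main__":
    fw = build_example()
    for f in (Flow("tcp", "10.1.1.2", "198.51.100.10", 1025, 80),
              Flow("tcp", "10.1.1.2", "198.51.100.10", 1026, 23),
              Flow("tcp", "10.1.1.3", "198.51.100.10", 1027, 80)):
        print(f, "->", fw.process("inside", f))
```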

    Translation and NAT Order of Operations (first match)

    1. nat 0 access-list (nat-exempt)

    2. Match existing xlates

    3. Match static commands (first match)

       a. Static NAT with and without access-list

       b. Static PAT with and without access-list

    4. Match nat commands

       a. nat access-list (first match)

       b. nat (best match)

          i. If the ID is 0, create an identity xlate

          ii. Use global pool for dynamic NAT

          iii. Use global pool for dynamic PAT
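The order above decides which xlate a packet gets, and the "existing xlate" step in particular explains why a host keeps its old translation after a policy change until the xlate times out or is cleared. The following Python is an added example written for this tutorial, not ASA code: it implements the five steps as a lookup over constructed rules (exempt ACL, static, policy static, nat access-list, nat with best match, global pool and PAT). Addresses and rule names are constructed; the toy records one xlate per host rather than per port.

```python
from ipaddress import ip_address, ip_network


class NatTable:
    """Rules are kept in configuration order; translate() walks the slide's steps 1-4."""

    def __init__(self):
        self.exempt = []        # 1. nat 0 access-list: [(src net, dst net)]
        self.xlates = {}        # 2. existing xlates: local ip -> (global, kind)
        self.statics = []       # 3. static: [(local net, global net, dst net or None)]
        self.nat_acls = []      # 4a. nat (inside) ID access-list: [(id, src net, dst net)]
        self.nats = []          # 4b. nat (inside) ID local_net: [(id, local net)]
        self.pools = {}         # global (outside) ID: id -> ("pool", [free ips]) | ("pat", ip)
        self.next_pat_port = 1024

    @staticmethod
    def _in(ip, net):
        return ip_address(ip) in ip_network(net)

    def _record(self, src, glob, kind):
        self.xlates[src] = (glob, kind)
        return glob, kind

    @staticmethod
    def _static(src, local_net, global_net):
        # 1:1 network static keeps the host offset inside the prefix
        offset = int(ip_address(src)) - int(ip_network(local_net).network_address)
        return str(ip_network(global_net).network_address + offset)

    def _dynamic(self, src, nat_id):
        if nat_id == 0:                                          # 4b.i identity xlate
            return self._record(src, src, "identity")
        kind, value = self.pools[nat_id]
        if kind == "pool":
            if not value:                                        # toy: no PAT fallback
                raise RuntimeError(f"global pool {nat_id} exhausted")
            return self._record(src, value.pop(0), "dynamic")    # 4b.ii dynamic NAT
        port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
        return self._record(src, f"{value}:{port}", "pat")       # 4b.iii dynamic PAT

    def translate(self, src, dst):
        for s, d in self.exempt:                                 # 1 nat-exempt
            if self._in(src, s) and self._in(dst, d):
                return src, "exempt"
        if src in self.xlates:                                   # 2 existing xlate wins
            return self.xlates[src]
        for local_net, global_net, dst_net in self.statics:      # 3 static, first match
            if self._in(src, local_net) and (dst_net is None or self._in(dst, dst_net)):
                return self._record(src, self._static(src, local_net, global_net), "static")
        for nat_id, s, d in self.nat_acls:                       # 4a nat access-list, first match
            if self._in(src, s) and self._in(dst, d):
                return self._dynamic(src, nat_id)
        best = None                                              # 4b nat, best (longest prefix) match
        for nat_id, local_net in self.nats:
            n = ip_network(local_net)
            if self._in(src, local_net) and (best is None or n.prefixlen > best[1].prefixlen):
                best = (nat_id, n)
        return None if best is None else self._dynamic(src, best[0])


def build_example():
    """Constructed rule set, in the order an admin would type it."""
    t = NatTable()
    t.exempt.append(("10.1.0.0/16", "10.2.0.0/16"))                            # nat (inside) 0 access-list (VPN)
    t.statics.append(("10.1.1.10/32", "209.165.200.230/32", None))             # static 1:1 for one server
    t.statics.append(("10.1.1.0/24", "209.165.200.0/24", "198.51.100.0/24"))   # policy static toward a partner
    t.nat_acls.append((2, "10.1.3.0/24", "198.51.100.0/24"))                   # nat (inside) 2 access-list
    t.nats += [(0, "10.1.5.0/24"), (1, "10.1.0.0/16")]                         # identity for one subnet, else id 1
    t.pools[1] = ("pat", "209.165.201.22")                                     # global (outside) 1: PAT address
    t.pools[2] = ("pool", ["209.165.201.30", "209.165.201.31"])                # global (outside) 2: small pool
    return t


if __name__ == "__main__":
    t = build_example()
    for src, dst in (("10.1.7.7", "10.2.0.9"), ("10.1.1.20", "198.51.100.5"),
                     ("10.1.1.20", "8.8.8.8"), ("10.1.5.9", "8.8.8.8"), ("10.1.9.9", "8.8.8.8")):
        print(src, "->", dst, ":", t.translate(src, dst))
```

The second lookup for 10.1.1.20 in the demo is the instructive one: the first packet toward the partner network created a policy-static xlate, and the next packet to a different destination reuses it at step 2 instead of falling through to dynamic PAT.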

    Syslog

    Three different syslog destinations:

    Trap—Syslog server

    Console—Serial console port

    Monitor—Telnet sessions

    "Log Host" defines ASA interface, IP address, protocol and port for syslog server

    Syslog standard protocol is UDP, port is 514

    Note: ASA supports syslog over TCP (port 514)

    Don't forget "Logging On" to enable syslog

    Most common "pilot error"

    Logging Levels and Events

    Log Level | Alert         | Event Messages
    0         | Emergencies   | Not used, only for RFC compliance
    1         | Alerts        | Mostly failover-related events
    2         | Critical      | Denied packets/connections
    3         | Errors        | AAA failures, CPU/memory issues, routing issues, some VPN issues
    4         | Warnings      | Denied conns due to ACL, IDS events
    5         | Notifications | User and session activity and firewall configuration changes
    6         | Informational | ACL logging, AAA events, DHCP activity, TCP/UDP connection and teardown
    7         | Debugging     | Debug events, TCP/UDP request handling, IPsec and SSL VPN connection information
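The severity in the table is carried in every ASA message as the middle field of the %ASA-level-id prefix, so a collector can triage on it without a lookup table per message. The following Python is an added example, not Cisco code: a small parser for that prefix, a filter that applies the same cut-off a logging trap level would, and a helper that pulls out the level 1 messages the HA slide says explain a failover. The sample lines are constructed; message IDs 104001, 106023, 302013 and 111008 are real ASA IDs but the message texts are abbreviated approximations.

```python
import re

# Severity table from the slide: level -> name
SEVERITY = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
            4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# %ASA-<severity>-<six-digit message id>: <text>; PIX and FWSM use the same layout
_PREFIX = re.compile(r"%(?P<platform>ASA|PIX|FWSM)-(?P<level>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)")

# Constructed sample, roughly what a syslog server would store
SAMPLE = [
    "Jun 12 10:01:02 fw1 %ASA-1-104001: (Primary) Switching to ACTIVE - Other unit wants me Active",
    "Jun 12 10:01:03 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4431 dst inside:10.1.1.9/23 by access-group \"outside_in\"",
    "Jun 12 10:01:04 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.133.219.25/80 to inside:10.1.1.9/11055",
    "Jun 12 10:01:05 fw1 %ASA-5-111008: User 'cisco' executed the 'logging on' command.",
    "noise line without a syslog prefix",
]


def parse(line):
    """Return the platform, numeric level, severity name, message id and text, or None."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    level = int(m.group("level"))
    return {"platform": m.group("platform"), "level": level, "severity": SEVERITY[level],
            "msg_id": m.group("msg_id"), "text": m.group("text").strip()}


def select(lines, max_level):
    """Keep messages at or above the given severity (lower number = more severe),
    the same cut-off that 'logging trap <level>' applies before sending to a server."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec is not None and rec["level"] <= max_level:
            out.append(rec)
    return out


def failover_events(lines):
    """Level 1 messages carry the reason for a failover (per the HA slide)."""
    return [r["text"] for r in select(lines, 1)]


if __name__ == "__main__":
    for rec in select(SAMPLE, 4):
        print(f"{rec['severity']:<13} {rec['msg_id']} {rec['text']}")
    print("failover:", failover_events(SAMPLE))
```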

    Debug ICMP Trace

    [Diagram: ping from a host on the network through the ASA]

    Valuable tool used to troubleshoot connectivity issues

    Provides interface and translation information to quickly determine flow

    Example of debug icmp trace output:

        ICMP echo-request from inside:10.1.1.2 to 198.133.219.25 ID=3239 seq=4369 length=80
        ICMP echo-request: translating inside:10.1.1.2 to outside:209.165.201.22
        ICMP echo-reply from outside:198.133.219.25 to 209.165.201.22 ID=3239 seq=4369 length=80
        ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2

    Echo-replies must be explicitly permitted through

    Show Traffic

    The show traffic command displays the traffic received and transmitted out each interface of the ASA

        fw# show traffic
        outside:
                received (in 124.650 secs):
                        295468 packets  167218253 bytes
                        2370 pkts/sec   1341502 bytes/sec
                transmitted (in 124.650 secs):
                        260901 packets  120467981 bytes
                        2093 pkts/sec   966449 bytes/sec
        inside:
                received (in 124.650 secs):
                        261478 packets  120145678 bytes
                        2097 pkts/sec   963864 bytes/sec
                transmitted (in 124.650 secs):
                        294649 packets  167380042 bytes
                        2363 pkts/sec   1342800 bytes/sec

    Show Local-Host

    A local-host entry is created for any source IP on a higher security level interface

    It groups the xlates, connections, and AAA information together

    Very useful for seeing the connections terminating on servers

        fw# show local-host
        Interface inside: 1131 active, 2042 maximum active, 0 denied
        local host: ,
            TCP connection count/limit = 1/unlimited
            TCP embryonic count = 0
            TCP intercept watermark = 50
          AAA:
            user 'cisco' at 10.1.1.9, authenticated (idle for 00:00:10)
            absolute   timeout: 0:05:00
            inactivity timeout: 0:00:00
          Xlate(s):
            Global 172.18.124.69 Local 10.1.1.9
          Conn(s):
            TCP out 198.133.219.25:80 in 10.1.1.9:11055 idle 0:00:10 Bytes 127 flags UIO

    Show Xlate and Show Xlate Debug

        show xlate [global|local [netmask ]] [gport |lport ] [debug]

        fw# show xlate
        2 in use, 2381 most used
        Global 172.18.124.68 Local 10.1.1.9
        PAT Global 172.18.124.65(1024) Local 10.9.9.3(11066)

        fw# show xlate debug
        2 in use, 2381 most used
        Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
               o - outside, r - portmap, s - static
        NAT from inside:10.1.1.9 to outside:172.18.124.68 flags - idle 0:02:03 timeout 3:00:00
        TCP PAT from inside:10.9.9.3/11066 to outside:172.18.124.65/1024 flags r idle 0:00:08 timeout 0:00:30

    Show Conn and Show Conn Detail

        fw# show conn
        2 in use, 64511 most used
        TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO
        UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags -

    Each line shows the idle time, the bytes transferred and the connection flags

        fw# show conn detail
        2 in use, 64511 most used
        Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
               B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
               E - outside back connection, F - outside FIN, f - inside FIN,
               G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
               i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
               k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,
               P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN,
               R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
               s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
        TCP outside:198.133.219.25/23 inside:10.9.9.3/11068 flags UO
        UDP outside:172.18.124.1/123 inside:10.1.1.9/123 flags -

    "detail" adds interface names

    Connection Flags: Quick Reference

    Outbound Connection (Inside client → Outside server)

    TCP Flags     | FW Flags
    SYN           | saA
    SYN+ACK       | A
    ACK           | U
    Inbound Data  | UI
    Outbound Data | UIO
    FIN           | Uf
    FIN+ACK       | UfFR
    ACK           | UfFRr

    Inbound Connection (Outside client → Inside server)

    TCP Flags     | FW Flags
    SYN           | saAB
    SYN+ACK       | aB
    ACK           | UB
    Inbound Data  | UIB
    Outbound Data | UIOB
    FIN           | UBF
    FIN+ACK       | UBfFr
    ACK           | UBfFRr
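Reading the flag strings by hand works for a handful of connections; for a full show conn it is worth decoding them. The following Python is an added example, not Cisco code: it parses show conn lines into fields, expands each flag with the legend from the show conn detail slide, and summarises direction (B means the SYN came from outside) and handshake state as in the two quick-reference tables. The legend lists R twice, so the decoder reads R as UDP SUNRPC on UDP connections and as an outside-acknowledged FIN on TCP. The first two sample lines are the slide's own; the third (a half-open inbound connection) is constructed.

```python
import re

# Legend from the 'show conn detail' slide.
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "C": "CTIQBE media", "D": "DNS", "d": "dump",
    "E": "outside back connection", "F": "outside FIN", "f": "inside FIN",
    "G": "group", "g": "MGCP", "H": "H.323", "h": "H.225.0", "I": "inbound data",
    "i": "incomplete", "J": "GTP", "j": "GTP data", "K": "GTP t3-response",
    "k": "Skinny media", "M": "SMTP data", "m": "SIP media", "O": "outbound data",
    "P": "inside back connection", "q": "SQL*Net data", "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "T": "SIP", "t": "SIP transient", "U": "up",
}

_CONN = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r" in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>[\d:]+)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)")

SAMPLE = """2 in use, 64511 most used
TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO
UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags -
TCP out 198.51.100.9:4431 in 10.1.1.9:23 idle 0:00:01 Bytes 0 flags saAB"""   # last line constructed


def parse_conn(line):
    m = _CONN.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["flags"] = "" if d["flags"] == "-" else d["flags"]   # '-' means no flags set
    d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
    return d


def parse_show_conn(text):
    return [c for c in (parse_conn(line) for line in text.splitlines()) if c is not None]


def decode_flags(flags, proto="TCP"):
    names = []
    for f in flags:
        if f == "R" and proto == "UDP":
            names.append("UDP SUNRPC")
        else:
            names.append(FLAG_LEGEND.get(f, f"unknown flag {f!r}"))
    return names


def summarize(conn):
    """Direction and state as in the quick-reference tables."""
    flags = conn["flags"]
    direction = ("inbound (outside client -> inside server)" if "B" in flags
                 else "outbound (inside client -> outside server)")
    if conn["proto"] == "UDP":
        state = "UDP pseudo-connection"
    elif "U" not in flags:
        state = "handshake in progress"              # saA / A / saAB / aB
    elif {"f", "F", "R", "r"} <= set(flags):
        state = "closed (both FINs acknowledged)"    # UfFRr / UBfFRr
    elif "f" in flags or "F" in flags:
        state = "closing"
    else:
        state = "established"
    return {"direction": direction, "state": state,
            "data": {"inbound": "I" in flags, "outbound": "O" in flags}}


if __name__ == "__main__":
    for conn in parse_show_conn(SAMPLE):
        s = summarize(conn)
        print(conn["proto"], conn["in_ip"], "->", conn["out_ip"], s["state"], s["direction"],
              decode_flags(conn["flags"], conn["proto"]))
```

A connection that stays at "handshake in progress" with the a flag set is the classic sign that the SYN left but no SYN+ACK came back (a return-path or upstream filtering problem rather than an ASA rule problem).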

    Packet Capture

        capture [access-list ] [buffer ] [ethernet-type ] [interface ] [packet-length ]

    an ACL

    Traffic can be captured both before and after it passes through the ASA

    Key steps:

    Create an ACL that will match interesting traffic

    Define the capture and bind it to an access-list and interface

    View the capture on the ASA, or copy it off in pcap format

    [Diagram: Capture In on the Inside interface, Capture Out on the Outside interface]

    Packet Tracer

        packet-tracer input [src-interface] [protocol] [SrcAddr] [SrcPort] [DstAddr] [DstPort] detailed

    In addition to capturing packets, you can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly. This tool lets you do the following:

    Debug all packet drops in a production network.

    Verify the configuration is working as intended.

    Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.

    Show a time line of packet changes in a data path.

    Inject tracer packets into the data path.

    Packet Tracer (Cont.)

    The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance.

    For example, run packet-tracer to verify the NAT translation for any host accessing web server 198.133.219.25/80; the source is then translated to YY.YY.5.21.

        ASA# packet-tracer input inside tcp 0.0.0.0 1025 198.133.219.25 80

        Phase: 6
        Type: NAT
        Subtype:
        Result: ALLOW
        Config:
        nat (inside) 1 access-list policynat
        nat-control
          match ip inside 0.0.0.0 255.255.255.255 outside 198.133.219.25 255.255.255.255
            dynamic translation to pool 1 (YY.YY.5.21)
            translate_hits = 1, untranslate_hits = 0
        Additional Information:
        Dynamic translate 10.1.1.1/1025 to YY.YY.5.21/1024 using netmask 255.255.255.255

    Section 5

    Implement Secure Networks Using Cisco IOS Firewalls

    Exam Objectives

    Configure Zone-Based Firewall

    Configure CBAC

    Configure Flexible Packet Matching

    Configure URL Filtering

    Configure Audit

    Configure Auth Proxy

    Configure PAM

    Configure access control

    Configure performance tuning

    Configure advanced IOS Firewall features

    Cisco IOS Firewall Overview

    Stateful filtering

    Advanced Layer 3–7 Firewall

    Application inspection (Layer 3 through Layer 7)

    Application control—Application Layer Gateway (ALG) engines with wide range of protocols and applications

    Built-in DoS protection capabilities

    Supports deployments with Virtualization (VRFs), transparent mode and stateful failover

    IPv6 support

    http://www.cisco.com/go/iosfw

    Cisco IOS Zone-Based Policy Firewall (ZFW)

    Zone-Based Policy Firewall (ZFW)

    Introduced in Cisco IOS v12.4(6)T, where the CBAC model is being replaced with the new configuration model that uses ZFW

    Allows grouping of physical and virtual interfaces into zones

    Firewall policies are applied to traffic traversing zones

    Simple to add or remove interfaces and integrate into firewall policy

    This new feature was added mainly to overcome the limitations of CBAC, which employed a stateful inspection policy on an interface-based model: all traffic through the interface was subject to the same inspection policy, thereby limiting the granularity and policy enforcement, particularly in scenarios where multiple interfaces existed.

    With ZFW, stateful inspection can now be applied on a zone-based model. Interfaces are assigned to zones, and policy inspection is applied to traffic moving between zones.

    Zone-Based Policy Firewall (ZFW)—Security Zones and Policy

    Security Zones establish the security boundaries of the network where traffic is subjected to policy restrictions as it crosses to another region of the network.

    By default, traffic between the zones is blocked unless an explicit policy dictates the permission.

    [Diagram: Private Zone (Trusted), DMZ Zone and Internet (Untrusted), with Private-DMZ, DMZ-Private, Public-DMZ and Private-Public policies between them]

    Zone-Based Policy Firewall (ZFW)—Supported Features and New Syntax

    Supported Features

    Stateful Inspection

    Application Inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP

    URL filtering

    Per-policy parameter

    Transparent firewall

    VRF-aware firewall (Virtual Firewall)

    command set.

    ZFW policies are configured with the new Cisco Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied.

    Zone-Based Policy Firewall (ZFW)—Configuration Example

    Define services inspected by policy:

        class-map type inspect match-any services
         match protocol tcp
        !

    Configure firewall action for traffic:

        policy-map type inspect firewall-policy
         class type inspect services
          inspect
        !

    Define zones:

        zone security private
        zone security public
        !

    Assign interfaces to zones:

        interface fastethernet 0/0
         zone-member security private
        !
        interface fastethernet 0/1
         zone-member security public
        !

    Establish zone pair, and apply policy:

        zone-pair security private-public source private destination public
         service-policy type inspect firewall-policy
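The rules that make the configuration above work (inter-zone traffic is dropped unless a zone-pair policy allows it, inspect creates a session that lets return traffic back without a reverse zone-pair, traffic between members of the same zone passes, and a zone member cannot talk to an interface that is in no zone) can be checked against a small model. The following Python is an added example, not Cisco code and not the IOS implementation: build_example reproduces the slide's class-map, policy-map, zones and zone-pair; the flows used to exercise it are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str       # protocol name as used by 'match protocol'
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass
class ZoneFirewall:
    zone_of: dict = field(default_factory=dict)      # interface -> zone   (zone-member security)
    class_maps: dict = field(default_factory=dict)   # name -> set of protocols (match-any)
    policy_maps: dict = field(default_factory=dict)  # name -> [(class-map name, action)]
    zone_pairs: dict = field(default_factory=dict)   # (source zone, destination zone) -> policy-map
    sessions: set = field(default_factory=set)       # flows for which 'inspect' created state

    def _policy_action(self, pmap_name, flow):
        for cname, action in self.policy_maps[pmap_name]:
            if flow.proto in self.class_maps[cname]:
                return "drop (policy)" if action == "drop" else action
        return "drop (class-default)"                # implicit class-default drops

    def forward(self, ingress, egress, flow):
        src_zone, dst_zone = self.zone_of.get(ingress), self.zone_of.get(egress)
        if src_zone is None and dst_zone is None:
            return "pass (neither interface in a zone)"
        if src_zone is None or dst_zone is None:
            return "drop (zone member to non-zone interface)"
        if src_zone == dst_zone:
            return "pass (intra-zone)"
        if flow.reverse() in self.sessions:
            return "pass (return traffic of inspected session)"
        pmap = self.zone_pairs.get((src_zone, dst_zone))
        if pmap is None:
            return "drop (no zone-pair)"
        action = self._policy_action(pmap, flow)
        if action == "inspect":
            self.sessions.add(flow)                  # stateful: return traffic allowed later
            return "inspect (session created)"
        if action == "pass":
            return "pass (stateless, no session)"
        return action


def build_example():
    """The slide's configuration: TCP from private to public is inspected."""
    fw = ZoneFirewall()
    fw.class_maps["services"] = {"tcp"}                    # class-map type inspect match-any services
    fw.policy_maps["firewall-policy"] = [("services", "inspect")]
    fw.zone_of["fastethernet 0/0"] = "private"
    fw.zone_of["fastethernet 0/1"] = "public"
    fw.zone_pairs[("private", "public")] = "firewall-policy"   # zone-pair security private-public
    return fw


if __name__ == "__main__":
    fw = build_example()
    web = Flow("tcp", "10.1.1.5", "198.51.100.10", 40000, 80)
    print("out:", fw.forward("fastethernet 0/0", "fastethernet 0/1", web))
    print("back:", fw.forward("fastethernet 0/1", "fastethernet 0/0", web.reverse()))
    print("new inbound:", fw.forward("fastethernet 0/1", "fastethernet 0/0",
                                     Flow("tcp", "198.51.100.10", "10.1.1.5", 5555, 22)))
```

The ICMP case in the test is the one that surprises people: the slide's class-map matches only tcp, so a ping from private to public hits class-default and is dropped even though a zone-pair exists in that direction.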

    Cisco IOS Context-Based Access Control (CBAC)

    CBAC Overview

    Cisco router performs traffic filtering, traffic inspection, sends alerts, and tracks audit trails

    Traffic filtering

    Protocol filtering based on application-layer session information. Filters packets originating in sessions from either the protected or non-protected networks, but only forwards traffic originating from protected network

    Traffic inspection

    Inspects packets at a firewall interface and manages state information of TCP/UDP sessions. State information is used to create temporary openings in access lists to permit return traffic. Inspection helps prevent DoS attacks

    Creating an Inspection Rule

    An inspection rule specifies each application-layer protocol that is to be inspected by CBAC

    Typically, only one inspection rule is defined

    Inspection rule can be applied to the interface on an inbound or outbound basis

    One inspection rule per interface

    CBAC: Configuration Example

    Access Control List (ACL) on the outside interface stops everything:

        access-list 101 deny ip any any log-input
        interface Serial0
         description outside
         ip access-group 101 in

    CBAC:

        ip inspect name MYFW tcp
        ip inspect name MYFW udp
        interface Serial0
         description outside
         ip inspect MYFW out

    Inspected traffic will open up temporary access for return traffic

    [Diagram: Secured Network—e0—router—s0—Internet (Unsecured Network); ACL 101 inbound and Inspect outbound on s0; temporary access opened to permit matching return traffic (stateful Cisco IOS FW)]

    Cisco IOS Layer 2 Transparent Firewall

    Layer 2 Transparent Firewall

    Introduces "stealth firewall" capability: no IP address associated with the firewall (nothing to attack)

    No need to renumber or break up IP subnets

    IOS Router is bridging between the two "halves" of the network

    Use Case: Firewall Between Wireless and Wired LANs

    Both "wired" and wireless segments are in the same subnet 192.168.1.0/24

    VLAN 1 is the "private" protected network.

    Wireless is not allowed to access the wired LAN

    [Diagram: wired host 192.168.1.3 on VLAN 1 (Fa 0/0), transparent firewall router, wireless host 192.168.1.2, Internet]

    Layer 2 Transparent Firewall—Configuration Example

    Security Zones:

        zone security wired
        zone security wireless

    Classification:

        class-map type inspect match-any protocols
         match protocol dns
         match protocol https
         match protocol icmp
         match protocol imap
         match protocol pop3
         match protocol tcp
         match protocol udp

    Security Policy:

        policy-map type inspect firewall-policy
         class type inspect protocols
          inspect

    Security Zone Policy:

        zone-pair security zone-policy source wired destination wireless
         service-policy type inspect firewall-policy

    Layer 2 Configuration (bridge configuration):

        bridge irb
        bridge 1 protocol ieee
        bridge 1 route ip
        !
        interface VLAN 1
         description private interface
         bridge-group 1
         zone-member security wired
        !
        interface VLAN2
         description public interface
         bridge-group 1
         zone-member security wireless

    Cisco IOS URL Filtering

    URL Filtering

    Internet Usage Control

    Control employee access to entertainment sites during work hours

    Control downloads of objectionable or offensive material, limit liabilities

    Cisco IOS supports static whitelist and blacklist URL filtering

    External filtering servers such as Websense, Smartfilter can be used at the corporate office, with Cisco IOS static lists as backup

    [Diagram: Branch Office web surfing to the Internet; "Get www.cisco.com" allowed, "Get www.badsites.com" blocked]

    URL Filtering (Web Access Control)—URL Filtering Options

    Black/white lists

    Third-party filter server

    N2H2

    Websense

    SmartFilter

    Section 6

    Implement Secure Networks Using Cisco VPN Solutions

    Exam Objectives

    Configure IPsec LAN-to-LAN (IOS/ASA)

    Configure SSL VPN (IOS/ASA)

    Configure Group Encrypted Transport (GET) VPN

    Configure Easy VPN (IOS/ASA)

    Configure CA (PKI)

    Configure Remote Access VPN

    Configure Cisco Unity Client

    Configure Clientless WebVPN

    Configure AnyConnect VPN

    Configure XAuth, Split-Tunnel, RRI, NAT-T

    Configure High Availability

    Configure QoS for VPN

    Configure GRE, mGRE

    Configure L2TP

    Configure advanced Cisco VPN features

    This Section Is Divided into Six Parts:

    1. IPsec

    3. Group Encrypted Transport (GET) VPN

    4. Easy VPN

    5. SSL VPN

    6. PKI (IOS CA Server)

    Part 1: IPsec

    Data Security Assurance Model (CIA)

    Network Security | Benefit                                  | Shuns
    Confidentiality  |                                          | Sniffing, Replay
    Integrity        | Data is unaltered during transit         | Alteration, Replay
    Authentication   | of originator or recipient of data       | Impersonation, Replay

    What Is IPsec?

    Internet Protocol Security

    A set of security protocols and algorithms used to secure IP data at the network layer

    IPsec provides data confidentiality (encryption), integrity (hash), authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks

    IPsec: Building a Connection

    [Diagram: IKE (Phase 1) → IPsec (Phase 2) → Data]

    Two-phase protocol:

    Phase 1 exchange: two peers establish a secure, authenticated channel with which to communicate; Main mode or Aggressive mode

    There is also a Transaction Mode in between which is used for the EzVPN client scenario performing XAUTH and/or Client attributes (Mode Config)

    Phase 2 exchange: security associations are negotiated on behalf of IPsec services; Quick mode accomplishes a Phase 2 exchange

    Each phase has its SAs: ISAKMP SA (Phase 1) and IPsec SA (Phase 2)

    Deployment Scenarios: Basic Peer-to-Peer Topology

    Site-to-Site VPN Deployment Scenarios

    Basic peer-to-peer topology

    Basic site-to-site IPsec configuration

    Static vs. dynamic mapping

    Split tunneling consideration

    Filtering/Access Control

    Crypto ACL consideration

    High Availability

    Site-2-Site Configuration—STEP 1: IKE Phase 1 Policy

    [Topology: 3.1.0.0/24 — R1 (2.0.0.1/30) — IPsec over IP — R2 (2.0.0.2/30) — 3.2.0.0/24]

    R1:

        crypto isakmp policy 1
         authentication pre-share
         hash sha
         encr aes 128
         group 2
        !
        crypto isakmp key 123 address 2.0.0.2

    R2:

        crypto isakmp policy 1
         authentication pre-share
         hash sha
         encr aes 128
         group 2
        !
        crypto isakmp key 123 address 2.0.0.1

    Site-2-Site Configuration—STEP 2: IKE Phase 2 Policy

    R1:

        crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
        !
        access-list 101 permit ip 3.1.0.0 0.0.0.255 3.2.0.0 0.0.0.255
        !
        crypto map cm 10 ipsec-isakmp
         set peer 2.0.0.2
         match address 101
         set transform-set ts

    R2:

        crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac
        !
        access-list 101 permit ip 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255
        !
        crypto map cm 10 ipsec-isakmp
         set peer 2.0.0.1
         match address 101
         set transform-set ts

    Site-2-Site Configuration—STEP 3: Applying the VPN Policy

    R1:

        interface serial 1/0
         ip address 2.0.0.1 255.255.255.0
         crypto map cm
        !
        ip route 3.2.0.0 255.255.255.0 2.0.0.2

    R2:

        interface serial 1/0
         ip address 2.0.0.2 255.255.255.0
         crypto map cm
        !
        ip route 3.1.0.0 255.255.255.0 2.0.0.1
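Most site-to-site failures in the three steps above are mismatches between the two ends: a Phase 1 parameter that differs, a key bound to the wrong address, a transform-set that does not match, or crypto ACLs that are not mirror images. The following Python is an added example, not Cisco code and not an IOS feature: it holds the R1 and R2 parameters from the slides in a small structure and reports every mismatch, converting the IOS wildcard masks in the crypto ACLs to prefixes so the mirror check compares networks rather than strings. Field names and the PeerConfig structure are this example's own.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_network


@dataclass
class PeerConfig:
    name: str
    wan_ip: str
    isakmp_policy: dict              # authentication, hash, encr, group
    psk: str
    psk_peer: str                    # address on 'crypto isakmp key ... address'
    transform_set: tuple             # e.g. ("esp-aes 128", "esp-sha-hmac")
    crypto_acl: list = field(default_factory=list)   # [(src, wildcard, dst, wildcard)]
    set_peer: str = ""               # 'set peer' in the crypto map


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network; only contiguous wildcards (0.0.0.255 style) are supported."""
    w = int(IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def check_pair(a, b):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    if a.isakmp_policy != b.isakmp_policy:
        findings.append("IKE phase 1 policy mismatch")
    if a.psk != b.psk:
        findings.append("pre-shared key mismatch")
    if a.psk_peer != b.wan_ip or b.psk_peer != a.wan_ip:
        findings.append("pre-shared key bound to the wrong peer address")
    if a.set_peer != b.wan_ip or b.set_peer != a.wan_ip:
        findings.append("crypto map 'set peer' does not point at the other router")
    if set(a.transform_set) != set(b.transform_set):
        findings.append("transform-set mismatch")
    a_pairs = {(wildcard_to_network(s, sw), wildcard_to_network(d, dw)) for s, sw, d, dw in a.crypto_acl}
    b_pairs = {(wildcard_to_network(d, dw), wildcard_to_network(s, sw)) for s, sw, d, dw in b.crypto_acl}
    if a_pairs != b_pairs:                                     # b's ACL read backwards must equal a's
        findings.append("crypto ACLs are not mirror images: only on %s: %s; only on %s: %s"
                        % (a.name, sorted(map(str, a_pairs - b_pairs)),
                           b.name, sorted(map(str, b_pairs - a_pairs))))
    return findings


def slide_routers():
    """R1 and R2 exactly as configured in the three steps of the slides."""
    policy = {"authentication": "pre-share", "hash": "sha", "encr": "aes 128", "group": "2"}
    r1 = PeerConfig("R1", "2.0.0.1", dict(policy), "123", "2.0.0.2", ("esp-aes 128", "esp-sha-hmac"),
                    [("3.1.0.0", "0.0.0.255", "3.2.0.0", "0.0.0.255")], "2.0.0.2")
    r2 = PeerConfig("R2", "2.0.0.2", dict(policy), "123", "2.0.0.1", ("esp-aes 128", "esp-sha-hmac"),
                    [("3.2.0.0", "0.0.0.255", "3.1.0.0", "0.0.0.255")], "2.0.0.1")
    return r1, r2


if __name__ == "__main__":
    r1, r2 = slide_routers()
    print("slide config:", check_pair(r1, r2) or "consistent")
    r2.crypto_acl = [("3.2.0.0", "0.0.0.255", "3.1.0.0", "0.0.0.0")]   # constructed mistake
    for f in check_pair(r1, r2):
        print("finding:", f)
```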

    Static vs. Dynamic Crypto Map

    [Diagram: hub behind an ISP with remote peers Site_A and Site_B]

    Static Crypto Map:

        crypto map vpn 10 ipsec-isakmp
         set peer Site_A
         set transform-set …
         match address 101
        crypto map vpn 20 ipsec-isakmp
         set peer Site_B
         set transform-set …
         match address 102

    Dynamic Crypto Map:

        crypto map vpn 10 ipsec-isakmp dynamic dynamap
        crypto dynamic-map dynamap 10
         set transform-set …
         match address …

    Static vs. Dynamic Crypto Map (Cont.)

    Static Crypto Map                                                  | Dynamic Crypto Map
    Need to configure VPN peer, crypto transform-set, crypto ACL       | Only need to configure IPsec ACL, IPsec transform-set
                                                                       | Crypto ACL is optional
    Use multiple crypto map instances to define multiple VPN peers     | One dynamic map as a template
    Bidirectional tunnel initiation                                    | Only the remote peer can initiate tunnel
    Requires more intensive management, deployment and troubleshooting | Simple to manage and deploy
                                                                       | Use when remote peer has dynamic IP address

    Split Tunneling

    Definition: "Split Tunneling" is the ability of a device to forward clear and encrypted traffic at the same time over the same interface

    In site-to-site VPN, use routing and crypto ACL to control split tunneling

    [Diagram: Without Split Tunneling, the remote site reaches http://www.cisco.com/ through the VPN head-end at the Central Site; With Split Tunneling, it reaches it directly while the VPN carries only Central Site traffic]

    Filtering/Access Control

    When filtering at the edge there's not much to see

    IKE: UDP port 500

    ESP, AH: IP protocol numbers 50, 51 respectively

    NAT transparency-enabled: UDP port 4500

    Internal access control should be implemented via the internal interface ACLs or group policy and not the crypto ACLs for performance reasons

    High Availability

    Common High Availability (HA) practice in conjunction with IPsec HA features

    Design options

    Local HA using link resiliency

    Local HA using HSRP and RRI

    Cisco IOS IPsec Stateful Failover

    Geographical HA using IPsec backup peers

    Local/geographical HA using GRE over IPsec (dynamic routing)

    1. Local HA Using Link Resiliency

    Link resiliency: ISDN backup, backup Frame Relay DLCI, etc.

    Choose multiple ISPs to achieve link diversity

    Use a loopback interface as the ISAKMP identity for the VPN router

    Failover mechanism: backup interface, dialer watch, floating static routes

    2. Local HA Using HSRP and RRI

    [Diagram: Remote router across the Internet to head-end routers P (primary) and S (secondary) in front of 10.1.1.0/24]

    (1) SA established to primary; sending IKE keepalives

    (2) Router P RRI: "I can reach 10.1.1.0"

    (3) 10.1.1.0/24 via P

    (4) Unscheduled Immediate Memory Initialization Routine

    (5) Secondary active

    (6) New SA established to secondary; sending IKE keepalives

    (7) Router S RRI: "I can reach 10.1.1.0"

    (8) 10.1.1.0/24 via S

    HSRP is enabled on the outside (WAN-facing) interface

    Cisco IOS IPsec HA enhancement features: allow IPsec to use the HSRP virtual IP as the peer address

    Reverse route injection (RRI) injects IPsec remote proxy IDs into the dynamic routing process

    3. Cisco IOS IPsec Stateful Failover

    [Diagram: Peer across the Internet to gateways HA-1 and HA-2 in front of the internal network]

    IPsec stateful failover greatly improves failover time compared to the stateless IPsec/HSRP failure

    with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP).

    SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time.

    4. Geographic HA Using Backup Peers

    [Diagram: Branch Office via ISPs to Corporate Network head-ends 200.1.1.1 and 200.1.5.1]

        crypto isakmp keepalive 20 3
        crypto map vpn 10 ipsec-isakmp
         set peer 200.1.1.1
         set peer 200.1.5.1
         set transform-set m set
         match address 101

    During IKE negotiation, the IKE timer (three retries) detects the peer failure

    IKE keepalive or DPD detects the failed peer after the tunnel is established

    5. Local/Geographical HA Using GRE over IPsec: Dynamic Routing

    [Diagram: San Jose and New York hubs with spokes s1 and s2 across the Internet; primary and secondary tunnels; Geographical HA and Local HA with Redundant Hub Design]

    Except under failure conditions:

    The IPsec and GRE tunnels are always up since routing protocols are always running

    The remote sites always have two apparent paths to all networks available via the head-end

    Use dynamic routing for path selection and failover

    Troubleshooting IPsec

    Determine the Problem Characteristics

    Is the problem in connection establishment?

    Phase 1 failure

    Transaction Mode/XAUTH

    Phase 2 failure

    Is the problem in passing traffic?

    All traffic

    Specific traffic

    Always Use Show Commands Before Debug

    Important show commands:

        show crypto isakmp sa
        show crypto ipsec sa
        show crypto engine connection active

    [Flowchart: Establishment of Tunnel—Interesting Traffic Received, Main Mode IKE Negotiation (IKE), Quick Mode Negotiation (IPsec), Data; each step checked with show]

    Debug Commands

    Important debugs:

        debug crypto isakmp
        debug crypto ipsec
        debug crypto engine

    [Flowchart: the same tunnel establishment steps, each checked with debug]

    Basic Hub and Spoke Topology: GRE over IPsec

    Hub and Spoke Topology

    90% hub-to-spoke, 10% spoke-to-spoke traffic

    Cisco IOS: uses crypto ACL summarization for smaller scale deployments; uses GRE over IPsec with a dynamic routing protocol for larger scale deployments

    ASA: uses summarized network lists for small scale deployments

    Best option: GRE over IPsec with dynamic routing


    Why GRE over IPsec

    IPsec (ESP) tunnels only IP unicast traffic

    GRE encapsulates non-IP and IP multicast or broadcast packets into unicast packets

    [Figure: encapsulation layers, L3 on the left]
      Original packet:       IP HDR | Data
      GRE tunnel:            IP HDR | GRE HDR | IP HDR | Data
      IPsec tunnel (ESP):    IP HDR | ESP HDR | IP HDR | GRE HDR | IP HDR | Data
                                      <------------ encrypted ------------->
      The receiver decapsulates twice: ESP first, then GRE

    (ESP tunnel mode as drawn on the slide; with transport mode the GRE outer IP header is reused and no second outer IP header is added.)

    GRE over IPsec Configuration Evolution

    Before 12.2(13)T, crypto maps are required on both the GRE tunnel interface and the physical interface

    From 12.2(13)T and later:

    Only need to apply the crypto map on the physical interface, or

    Use tunnel protection with an IPsec profile under the tunnel interface


    GRE over IPsec Configuration

    Left peer, before 12.2(13)T (crypto map on both the tunnel and the physical interface):

    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco47 address 172.17.63.18
    !
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
    !
    crypto map vpnmap2 local-address Ethernet1
    crypto map vpnmap2 10 ipsec-isakmp
     set peer 172.17.63.18
     set transform-set trans2
     match address 110
    !
    interface Ethernet1
     ip address 172.16.175.75 255.255.255.0
     crypto map vpnmap2
    !
    interface Tunnel0
     ip address 10.10.2.1 255.255.255.252
     ip mtu 1400
     tunnel source Ethernet1
     tunnel destination 172.17.63.18
     crypto map vpnmap2
    !
    ip route 0.0.0.0 0.0.0.0 172.16.175.1
    !
    access-list 110 permit gre host 172.16.175.75 host 172.17.63.18

    Right peer, 12.2(13)T and later (tunnel protection with an IPsec profile; no crypto map, no crypto ACL):

    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco47 address 172.16.175.75
    !
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
    crypto ipsec profile vpnprof
     set transform-set trans2
    !
    interface Ethernet1
     ! mask not legible on the slide; /24 assumed
     ip address 172.17.63.18 255.255.255.0
    !
    interface Tunnel0
     ip address 10.10.2.2 255.255.255.252
     ip mtu 1400
     tunnel source Ethernet1
     tunnel destination 172.16.175.75
     tunnel protection ipsec profile vpnprof
    !
    ip route 0.0.0.0 0.0.0.0 172.17.63.1

    The two methods interoperate: the host-to-host "permit gre" crypto ACL on the left matches the GRE proxy identity that tunnel protection negotiates on the right. The 3DES/MD5 transform set is what the slide shows; on current software use AES and SHA.

    IPsec Virtual Tunnel Interface (VTI) and Dynamic VTI (DVTI)


    Virtual Tunnel Interface

    IPsec Static Virtual Tunnel Interfaces

    [Figure: two routers joined by a VTI over 192.168.100.0/30 (.1 and .2), with LANs 192.168.1.0/24 and 192.168.2.0/24 behind them]

    Simplifies VPN configuration by eliminating crypto maps, access control lists (ACLs), and Generic Routing Encapsulation (GRE)

    Simplifies VPN design: 1:1 relationship between tunnels and sites with a dedicated logical interface

    More scalable alternative to GRE: VTI can support Quality of Service (QoS), multicast, and other routing functions that previously required GRE

    Improves VPN interoperability with other vendors

    VTI Peer-to-Peer Configuration

    [Figure: Router1 (172.16.172.10, LAN 10.1.1.0/24) and Router2 (172.16.171.20, LAN 10.1.2.0/24) connected across the Backbone]

    IKE (Phase One) Policy

    Router1 (172.16.172.10):

    crypto isakmp policy 1
     authentication pre-share
     hash sha
     encr aes 256
     group 5
    crypto isakmp key cisco address 172.16.171.20 255.255.255.255

    Router2 (172.16.171.20):

    crypto isakmp policy 1
     authentication pre-share
     hash sha
     encr aes 256
     group 5
    crypto isakmp key cisco address 172.16.172.10 255.255.255.255

    IPsec (Phase Two) Policy

    Router1 and Router2 (identical):

    crypto ipsec transform-set tset_aes_sha esp-aes 256 esp-sha-hmac
    crypto ipsec profile VTI
     set transform-set tset_aes_sha

    Apply VPN Configuration

    Router1:

    interface Tunnel0
     ip address 10.10.10.1 255.255.255.0
     tunnel mode ipsec ipv4
     tunnel source 172.16.172.10
     tunnel destination 172.16.171.20
     tunnel protection ipsec profile VTI
    !
    ! route the remote LAN into the tunnel (not on the slide; without it no traffic is encrypted)
    ip route 10.1.2.0 255.255.255.0 Tunnel0

    Router2:

    interface Tunnel0
     ! tunnel address not legible on the slide; .2 assumed
     ip address 10.10.10.2 255.255.255.0
     tunnel mode ipsec ipv4
     tunnel source 172.16.171.20
     tunnel destination 172.16.172.10
     tunnel protection ipsec profile VTI
    !
    ip route 10.1.1.0 255.255.255.0 Tunnel0

    The pre-shared key on each router names the peer's address, and each tunnel's source is its own address and its destination the peer's; the slide had these crossed on Router2. With a VTI, "interesting traffic" is simply whatever is routed into Tunnel0, so the static routes (or a routing protocol over the tunnel) replace the crypto ACL.


    Dynamic Virtual Interfaces Taxonomy

    Virtual Template: a generic infrastructure that provides a template for configuration and the mechanisms to dynamically create and delete interfaces; defined on the router

    Virtual Access Interface: a dynamically created interface for each new user, configured from the virtual template

    Cloning: applying the virtual template's Cisco IOS commands onto a virtual access interface

    Dynamic Virtual Interface: How It Works

    [Figure: User 1 (a remote LAN bridge/router, a single-user DSL client, or a single-user client with an ISDN card) connects to the router's physical (ISDN) interface; the router authenticates locally and clones a virtual access interface from the virtual template interface]

    1. User 1 calls the router

    2. The router checks authentication locally or against an AAA server

    3. Authentication succeeds

    4. A virtual access interface is cloned from the virtual template interface


    Dynamic Virtual Interface: Example

    [Figure: same flow as above with an AAA server: (1) the user connects, (2) the router queries AAA, (3) AAA accepts, (4) the router clones a virtual access interface from the virtual template]

    Head-end configuration

    Old way: Easy VPN server with a dynamic crypto map

    New way: IPsec virtual interface (DVTI)

    Authorization, authentication, and accounting via RADIUS

    ! login list implied by "client authentication list"; not shown on the slide
    aaa authentication login vpn-client group radius
    aaa authorization network vpn-client group radius
    !
    crypto isakmp profile vpn1-ra
     match identity group vpn1
     client authentication list vpn-client
     isakmp authorization list vpn-client
     client configuration address respond
     virtual-template 1
    !
    ! the profile referenced by tunnel protection; its transform set is not on the slide
    crypto ipsec profile vpn1-ra
     set isakmp-profile vpn1-ra
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
     load-interval 30
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile vpn1-ra

    Each remote user that authenticates against the vpn1 group gets its own virtual access interface cloned from Virtual-Template1, so per-user QoS, ACLs and accounting attach to an interface rather than to a dynamic crypto map entry.

    Part 2:

    Dynamic Multipoint VPN (DMVPN)


    Dynamic Multipoint VPN (DMVPN)

    Provides full meshed connectivity with simple configuration of hub and spoke

    Supports dynamically addressed spokes

    Facilitates zero-touch configuration for addition of new spokes

    Features automatic IPsec triggering for building an IPsec tunnel

    [Figure: a hub with a static public IP address (network 10.1.0.0 255.255.255.0, 10.1.0.1) and spokes with dynamic (or static) public IP addresses (e.g. 130.25.13.1) and networks 10.1.1.0, 10.1.2.0 and 10.1.3.0 255.255.255.0 (10.1.1.1, 10.1.2.1, 10.1.3.1). Spoke-to-hub IPsec tunnels are dynamic and permanent; spoke-to-spoke IPsec tunnels are dynamic and temporary.]


    DMVPN Advantages

    Supports IP unicast, IP multicast, and dynamic routing protocols

    Supports spoke routers behind dynamic NAT and hub routers behind static NAT

    Dynamic partial-mesh or full-mesh VPNs

    Usable with or without IPsec encryption

    DMVPN Components

    Next Hop Resolution Protocol (NHRP)

      NHRP Registration

      NHRP Resolution and Redirect

    Multipoint GRE Tunnel Interface (mGRE)

      Single GRE interface to support multiple GRE/IPsec tunnels

      Simplifies size and complexity of configuration

    IPsec Tunnel Protection

      Dynamically creates and applies encryption policies

    Routing

      Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported


    DMVPN Components: NHRP Registration

    Spokes register with the hub as clients of the NHRP server (NHS), using a static NHRP mapping for the hub

    The hub creates a dynamic NHRP entry mapping the spoke's private tunnel address to the spoke's dynamic public (NBMA) address

    Using the routing protocol, spokes advertise their LAN network to the hub and learn about remote LAN addresses

    With routing and NHRP mappings in place, traffic flows over the newly created spoke-to-hub GRE tunnels

    These spoke-to-hub tunnels permanently stay up

    DMVPN Components: NHRP Resolution and Redirect

    Traffic from the LAN behind one spoke to the LAN behind another spoke is initially always forwarded via the hub

    The hub notices that the traffic entered and exited the same tunnel interface and sends an NHRP redirect to the originating spoke

    The originating spoke sends an NHRP resolution request to resolve the public address for the destination prefix

    The hub forwards this request to the spoke that owns the prefix

    The remote spoke answers the request directly, which brings up a new dynamic spoke-to-spoke GRE/IPsec tunnel


    Network Designs

    Hub-and-Spoke Design

      Spoke-to-spoke traffic via the hub

      Spokes configured with point-to-point GRE tunnels: dual DMVPN clouds

      Spokes configured with mGRE tunnels: single DMVPN cloud

    Spoke-to-Spoke Design

      Spoke-to-spoke data traffic over dynamic tunnels

      Spokes configured with mGRE tunnels: single or dual DMVPN clouds

    Large Scale IOS SLB Design

      Hub-and-spoke as well as spoke-to-spoke support

      Multiple "identical" hubs increase the CPU power

      Server Load Balancing

    [Figure: spoke-to-hub tunnels and spoke-to-spoke paths for Hub and spoke (Phase 1), Spoke-to-spoke (Phase 2), Server Load Balancing, and Hierarchical (Phase 3)]


    DMVPN Phases Summarized

    Phase 1: Hub and spoke functionality, 12.2(13)T

      Simplified and smaller config for hub and spoke

      Supports dynamically addressed CPE

      [...] traffic from hub to spoke

      Summarize routing at hub

    Phase 2: Spoke to spoke functionality, 12.3(4)T

      Single mGRE interface in spokes

      Direct spoke to spoke data traffic reduces load on hub

      Cannot summarize spoke routes on hub

      Route on spoke must have IP next hop of remote spoke

      [...] routing table

    Phase 3: Architecture and scaling, 12.4(6)T

      Increase number of hubs with same hub and spoke ratio

      No hub daisy-chain

      OSPF routing protocol not limited to 2 hubs

      Cannot mix Phase 2 and Phase 3 in same DMVPN cloud
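A Phase 3 hub and spoke configuration for the topology used by the show dmvpn output later in this section (Hub-1 at 3.3.3.3 with tunnel address 172.20.1.100, Spoke-1 at 1.1.1.1 with tunnel address 172.20.1.1), added here as an example; it is not a configuration from the deck. It ties together the NHRP registration, resolution and redirect sequence and the phase differences above. The interface names, pre-shared key, NHRP authentication string, EIGRP AS number and the hub summary are assumed; the IPsec profile name gre_prof and the LAN prefixes match the deck's output.

```ios
! ---- Common to hub and spokes (assumed key material and names) ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
!
crypto ipsec transform-set dmvpn-ts esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile gre_prof
 set transform-set dmvpn-ts
!
! ---- Hub-1 (public address 3.3.3.3 on Gi0/0, LAN 192.100.1.0/24) ----
! wildcard PSK: spoke public addresses are dynamic, so the hub cannot list them
crypto isakmp key dmvpn-psk address 0.0.0.0 0.0.0.0
!
interface Tunnel1
 ip address 172.20.1.100 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication dmvpn
 ! replicate EIGRP hellos to every spoke that has registered
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Phase 3: send an NHRP redirect when traffic enters and leaves this tunnel
 ip nhrp redirect
 ! Phase 3 allows the hub to summarize; spokes keep a small routing table
 ip summary-address eigrp 1 192.0.0.0 255.0.0.0
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile gre_prof
!
router eigrp 1
 network 172.20.1.0 0.0.0.255
 network 192.100.1.0 0.0.0.255
 no auto-summary
!
! ---- Spoke-1 (dynamic public address, here 1.1.1.1 on Gi0/0, LAN 192.1.1.0/24) ----
crypto isakmp key dmvpn-psk address 3.3.3.3
!
interface Tunnel1
 ip address 172.20.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication dmvpn
 ! static NHRP mapping for the hub (the "S" entry in show dmvpn on the spoke)
 ip nhrp map 172.20.1.100 3.3.3.3
 ip nhrp map multicast 3.3.3.3
 ip nhrp network-id 1
 ! register with the hub as next-hop server; the hub learns 1.1.1.1 dynamically ("D")
 ip nhrp nhs 172.20.1.100
 ! re-register cleanly when the dynamic public address changes
 ip nhrp registration no-unique
 ! Phase 3: install the resolved spoke-to-spoke path from the NHRP redirect
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 ! mGRE on the spoke too, so a spoke-to-spoke tunnel needs no new interface
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile gre_prof
!
router eigrp 1
 network 172.20.1.0 0.0.0.255
 network 192.1.1.0 0.0.0.255
 no auto-summary
```

After the spoke registers, show dmvpn on the hub lists 1.1.1.1 with Attrb D and show dmvpn on the spoke lists 3.3.3.3 with Attrb S, exactly as in the deck's output. Spoke-1 sees only the 192.0.0.0/8 summary via the hub; its first packet toward 192.2.2.0 goes through the hub, the hub answers with an NHRP redirect, the spoke resolves 192.2.2.0 and show ip nhrp then shows a shortcut entry for Spoke-2's NBMA address while show dmvpn shows a second, dynamic peer. For a Phase 2 cloud remove ip nhrp redirect, ip nhrp shortcut and the summary, and add no ip next-hop-self eigrp 1 on the hub so spokes learn each other as next hop.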

    Troubleshooting DMVPN


    Debug and Show Commands (Introduced in 12.4(9)T)

    Show:

    show dmvpn [peer {{nbma | tunnel} ip_address} | {network ip_address mask} | {interface tunnel#} | {vrf vrf_name}] [detail] [static]

    Debug:

    debug dmvpn [{error | event | detail | packet | all}] {nhrp | crypto | tunnel | socket | all}

    debug dmvpn condition [peer {{nbma | tunnel} ip_address} | {network ip_address mask} | {interface tunnel#} | {vrf vrf_name}]

    Logging:

    logging dmvpn [rate-limit <0-3600>]

    DMVPN Show Commands: "show dmvpn"

    [Figure: Hub-1 (NBMA 3.3.3.3, Tu1 172.20.1.100, LAN 192.100.1.0) with Spoke-1 (NBMA 1.1.1.1, Tu1 172.20.1.1, LAN 192.1.1.0) and Spoke-2 (NBMA 2.2.2.2, Tu1 172.20.1.2, LAN 192.2.2.0)]

    HUB-1#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Hub, NHRP Peers:2,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1         1.1.1.1      172.20.1.1    UP 00:04:32     D
         1         2.2.2.2      172.20.1.2    UP 00:01:25     D

    SPOKE-1#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Spoke, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1         3.3.3.3    172.20.1.100    UP 00:21:56     S


    DMVPN Show Commands: "show dmvpn detail" (same topology as above)

    HUB-1#show dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    -------------- Interface Tunnel1 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
       Source addr: 3.3.3.3, Dest addr: MGRE
       Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
       Tunnel VRF "", ip vrf forwarding ""

    NHRP Details: Type:Hub, NBMA Peers:2
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
     ----- --------------- --------------- ----- -------- ----- -----------------
         1         1.1.1.1      172.20.1.1    UP 00:26:38     D      172.20.1.1/32

    IKE SA: local 3.3.3.3/500 remote 1.1.1.1/500 Active
    Crypto Session Status: UP-ACTIVE
    fvrf: (none)
    IPSEC FLOW: permit 47 host 3.3.3.3 host 1.1.1.1
          Active SAs: 2, origin: crypto map
          Outbound SPI : 0xB28957C6, transform : esp-3des esp-sha-hmac
          Socket State: Open

    DMVPN Show Commands: "show dmvpn peer ..."

    HUB-1#show dmvpn peer nbma 2.2.2.2 detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    -------------- Interface Tunnel1 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.20.1.100
       Source addr: 3.3.3.3, Dest addr: MGRE
       Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
       Tunnel VRF "", ip vrf forwarding ""

    NHRP Details: Type:Hub, NBMA Peers:1
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
     ----- --------------- --------------- ----- -------- ----- -----------------
         1         2.2.2.2      172.20.1.2    UP 00:35:01     D      172.20.1.2/32

    IKE SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active
    Crypto Session Status: UP-ACTIVE
    fvrf: (none)
    IPSEC FLOW: permit 47 host 3.3.3.3 host 2.2.2.2
          Active SAs: 2, origin: crypto map
          Outbound SPI : 0x74146521, transform : esp-3des esp-sha-hmac
          Socket State: Open


    DMVPN Show Commands: "show ip nhrp traffic" (same topology as above)

    HUB-1#show ip nhrp traffic
    Tunnel1: Max-send limit:100Pkts/10Sec, Usage:0%
       Sent: Total 2
             0 Resolution Request  0 Resolution Reply  0 Registration Request
             2 Registration Reply  0 Purge Request  0 Purge Reply
             0 Error Indication  0 Traffic Indication
       Rcvd: Total 2
             0 Resolution Request  0 Resolution Reply  2 Registration Request
             0 Registration Reply  0 Purge Request  0 Purge Reply
             0 Error Indication  0 Traffic Indication

    Two registration requests received and two replies sent: one per spoke. No resolution or traffic indication (redirect) counters have moved, so no spoke-to-spoke traffic has been attempted yet.

    Part 3:

    Group Encrypted Transport (GET) VPN


    Cisco Group Encrypted Transport (GET) VPN: Solution for Tunnel-Less VPNs

    Cisco GET VPN delivers a solution for tunnel-less, any-to-any branch confidential communications

    Large-scale any-to-any encrypted communications

    Native routing without tunnel overlay

    Optimal for QoS and multicast support; improves application performance

    Transport agnostic: private LAN/WAN, FR/ATM, IP, MPLS

    Offers flexible span of control among subscribers and providers

    Available on Cisco Integrated Services Routers, Cisco 7200 and Cisco 7301 with Cisco IOS 12.4(11)T

    [Figure: Cisco GET VPN at the center of Any-to-Any Connectivity, Real Time and Scalable]

    Benefits of Cisco GET VPN

    Previous limitation: multicast traffic encryption through IPsec tunnels; not scalable; difficult to troubleshoot
    New feature and benefit: encryption supported for native multicast and unicast traffic with GDOI; allows higher scalability; simplifies troubleshooting; extensible standards-based framework

    Previous limitation: overlay VPN network; overlay routing; sub-optimal multicast replication; lack of advanced QoS
    New feature and benefit: no overlay; leverages the core network for multicast replication via IP header preservation; optimal routing; advanced QoS for encrypted traffic

    Previous limitation: full mesh connectivity; hub-and-spoke primary support; spoke-to-spoke not scalable
    New feature and benefit: any-to-any instant enterprise connectivity; leverages the core for instant communication; optimal for Voice over VPN deployments


    GET VPN Overview

    Group Security Functions

    [Figure: Key Servers at the top, Routing Members in the core, Group Members at the edge]

    Key Server: validate group members; manage security policy; create group keys; distribute policy and keys

    Group Member: encryption devices; route between secure and unsecure regions; multicast participation

    Routing Member: forwarding; replication; routing


    Group Security Elements

    Key Servers: hold the group policy; KS Cooperative Protocol (proprietary) between redundant key servers

    RFC 3547: Group Domain of Interpretation (GDOI)

    Group Keys

    Key Encryption Key (KEK): used to encrypt GDOI control traffic (i.e. rekeys) between the KS and the GMs

    Traffic Encryption Key (TEK): used to encrypt data (i.e. user traffic) between GMs

    [Figure: a key server distributing the KEK and TEK1 to group members across the IP VPN]


    GET VPN Data Plane

    IPsec Tunnel Mode with IP Address Preservation

    [Figure]
      Original IP packet:     IP Header | IP Payload
      Group Member output:    IP Header | ESP | IP Header | IP Payload   (inner header and payload encrypted)

    The original IP header is copied into the outer header by the VPN gateway (IP header preservation); the preserved IP addresses use the original routing plane, so the core routes the encrypted packet exactly as it routed the clear one


    Secure Data Plane Multicast

    [Figure: a KS and three GMs; a multicast sender GM encrypts toward the other GMs]

    Premise: the sender does not know the potential recipients

    The sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group

    Encrypt multicast with IP header preservation

    Replication in the core is based on the original (S,G)

    Corollary: Secure Data Plane Unicast

    [Figure: a KS and three GMs; a receiver GM advertises its prefix, the encryption sources are unknown]

    Premise: the receiver advertises a destination prefix but does not know the potential encryption sources

    The receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group

    The receiver can authenticate the group membership


    GET VPN Control Plane: GM-KS

    Group Member: Membership Management

    Group Member Join: Registration

      Immediately upon boot

      Immediately upon applying the crypto map

      Protected by an IKE SA (pre-shared keys or PKI certificate)

    Group Member Maintenance: Rekey

      Periodic update protected by the Rekey SA (the IKE SA expires after registration)

      Carries new policies, time sync, or new keys (TEK or KEK)

      Acknowledged with unicast rekey

      Unacknowledged with multicast rekey
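Key server and group member configuration for the control plane just described, added here as an example (it is not from the deck): the GM registers with the KS over an IKE-protected GDOI exchange as soon as the crypto map is applied, receives the KEK and TEK, and is then maintained with unicast rekeys authenticated by the KS RSA key. The addresses, names, group identity, RSA key label and the protected address range are assumed.

```ios
! ---- Key Server (assumed address 10.0.0.1) ----
! The rekey RSA key pair is generated in exec mode before this config is applied:
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
! Registration is protected by an IKE SA; the GMs are known, so list them explicitly
crypto isakmp key getvpn-psk address 10.0.0.11
crypto isakmp key getvpn-psk address 10.0.0.12
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Policy pushed to every GM. GDOI itself (UDP 848) and the routing protocol are
! excluded so that registration, rekey and the underlay routing keep working
ip access-list extended GETVPN-POLICY
 deny   udp any eq 848 any eq 848
 deny   eigrp any any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  ! KEK: protects rekey messages from the KS to the GMs, signed with the RSA key
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  ! unicast rekey: each GM acknowledges; the KS drops GMs that stop acknowledging
  rekey transport unicast
  ! TEK: the IPsec SA shared by all GMs (tunnel mode with IP header preservation)
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
   replay time window-size 5
  address ipv4 10.0.0.1
!
! ---- Group Member (assumed address 10.0.0.11; the GM at 10.0.0.12 is identical) ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key getvpn-psk address 10.0.0.1
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
!
! GDOI crypto map: no peer, no ACL and no transform set here; the KS pushes all of it
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/1
 description WAN-facing interface; registration starts as soon as the map is applied
 ip address 10.0.0.11 255.255.255.0
 crypto map GETVPN-MAP
```

On the KS, show crypto gdoi ks members lists each registered GM; on a GM, show crypto gdoi shows the KEK and TEK with their remaining lifetimes and show crypto gdoi gm acl shows the policy received from the KS. Because the deny entries come first in GETVPN-POLICY, a GM that loses its TEK can still reach the KS on UDP 848 to re-register; forgetting those denies is the classic way to lock every GM out of the group at the first rekey. Time-based anti-replay (replay time window-size) is used instead of counter-based, since many GMs share one SA and no single sequence-number space exists.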


    Group Member States

    Unknown