CCNA Security – 640-554 Study Notes

Network Security involves the following:

Confidentiality – Encryption
Integrity – Hashing
Availability – High reliability, fail over

Risk Management

Assets are anything of value to a company.
A vulnerability is an exploitable weakness in a system or its design.
– A vulnerability that is not yet discovered is called a latent threat, whereas a discovered vulnerability is called a realised threat.
Threats are the potential danger to an asset.
Countermeasures are safeguards to mitigate risk.
Risk is the potential for unauthorized access.

Asset Classifications

Sensitive but unclassified
Top Secret

Classification Criteria

Value of the asset
Age of the asset
Replacement cost
Useful lifetime

Classification Roles

Owner: The group ultimately responsible for the data.
Custodian: The group responsible for implementing the policy as decided by the owner.
User: The users who access the data and abide by the rules of the policies, normally called an acceptable use policy.

Classifying Countermeasures

Administrative: These consist of written policies, procedures, guidelines and standards.
Physical: Electronic locks, UPS
Logical: Strong passwords, VPN, IPS, access lists etc.

Attack Methods

Reconnaissance: Port scan, service scanning
Social Engineering: Gaining the trust of an employee or inside source to provide private information
Privilege Escalation: A user who has access to the device, but no administrative rights, exploits a vulnerability to escalate their privileges to administrative access.
Back Doors: Trojans

Attack Vectors

The risk of internal attacks can be reduced by implementing 802.1X (Ethernet authentication) and AAA, ensuring the user passes all AAA functions.

Network Admission Control (NAC) or Identity Services Engine (ISE) can be used to enforce a policy on users connecting to the network.

Man-in-the-middle attacks can occur at layer 2 or layer 3.
Layer 2 attacks take the form of spoofing the MAC address of the gateway, tricking all hosts into sending their traffic to the malicious device. A malicious user could also negotiate a trunk port with a switch if the port is not hard-set to an access port or DTP has not been disabled.
Layer 3 attacks can replicate the IP address of the gateway. IP reverse path forwarding checks can be used to mitigate IP spoofing.

Covert Channel attacks hide potentially malicious traffic inside an allowed protocol. For instance, HTTPS may be allowed, but SSH disallowed. A user could tunnel all SSH traffic inside the HTTPS traffic and the firewall/IPS may not be able to detect the SSH traffic as it is encrypted within HTTPS.

Trust Exploitation

A pivot attack occurs when a host within a DMZ is accessible from the internet but the inside network is not, while the DMZ is allowed to talk to the inside. A malicious user may gain access to the DMZ host and pivot from it to reach the inside network.

Password Attacks generally come in the form of brute force.

Botnets / DoS / DDoS

Generally ICMP floods, or large numbers of UDP or TCP connections, used to tie up all network resources.

Guidelines for secure network architecture

Rule of least privilege: Give users on the network access only to the devices/functions they require.
Defense in depth: Provide multiple layers of security.

Risk Analysis and Management

Initiation: Begin researching the product and its risk. Classify risks into low, medium or high categories.
Acquisition and development: Acquire the device and test it in an isolated network.
Operation and Maintenance: View/audit logs and device performance for any issues
Disposition: Formatting/destroying data

Things to consider with risk management:

  • Value
  • Vulnerabilities
  • Potential Threats
  • Compliance Issues (HIPAA)
  • Business Requirements

Use the following methods to identify the above:

Qualitative: The data is gathered by an SME to assess the asset value, vulnerabilities, potential threats and risk.
Quantitative: Uses raw numbers, statistics and data to determine the risk

For each new asset, identify the risk (Value, Vulnerability, Potential Threat = Risk)

What is a Security Policy

Primary Risk Management: Access-lists, backups, antivirus and encryption
A security policy should give an overview of what the policy does and does not cover. This is often called the scope of the policy.

Why have a Security Policy?

To educate staff. Without one, the risk is too great.

Building a security strategy

A borderless network means the network does not simply start at one location and finish at another, but provides access without physical borders.

Borderless End Zone: Where end clients, servers etc. are connected. Viruses and malware occur in this zone.
Borderless Data Centre: Where IPS and ASA devices live.
Borderless Internet: The Internet. IPS, firewalls and protocol inspection from layer 2 to 7 operate here.

Policy management point: A single point to control/implement countermeasures. Cisco Security Manager (CSM) and Cisco Access Control Server (ACS) are two examples.

Secure X Framework

Context Aware: Parameters can be set for users before they are allowed onto the network. This may involve inspecting a layer 7 application for certain content.
– Tools to implement this are Identity Services Engine (ISE), Network Admission Control (NAC) and AAA.
AnyConnect uses SSL or IPsec.
TrustSec creates a distributed access policy enforcement mechanism. Security group tags (SGTs) are applied to traffic and read by devices, which accept or reject the traffic based on the SGT.
Security Intelligence Operations (SIO) is a Cisco cloud-based service where online threats/vulnerabilities are detected.

Controlling & Containing Data Loss

ASA firewalls with packet filtering, stateful firewalls and IPSs can be used to prevent data loss.
Integrated Services Routers can be fitted with modules to provide VPN, IPS and other functions.
IronPort appliances scan email for viruses and handle email encryption.
ScanSafe is a Cisco product which aims to secure web browsing, warning a user if a URL carries a potential risk.

Network Foundation Protection

Management Plane: Traffic and protocols an administrator uses to manage network devices.
– SSH, SSL/TLS, protected syslog, SNMPv3, NTP and parser views are all management plane protocols/features.
Control Plane: Involves routing protocols and traffic that network devices use without administrative interaction.
– Control Plane Policing (CoPP), Control Plane Protection (CPPr) and authenticated routing updates.
Data Plane: Transit traffic.
– Access lists, private VLANs, STP guard, IDS/IPS and zone-based firewalls.

Best Practices for securing the management plane

  • Enforce password strength and login attempts
  • Implement role based access (RBAC) and parser views
  • Use AAA
  • Use SNMPv3 which provides encryption and authentication
  • Keep device clocks updated with NTP
  • Control which devices are allowed to access network devices
  • Lock down SYSLOG.

Best practices for securing the control plane

Control Plane Policing can filter traffic to the device with policers, which reduces the inbound rate down to an acceptable rate so the CPU of the device doesn’t get overwhelmed.

Authentication, Authorization and Accounting

Authentication: User proves they are who they say they are.
Authorization: What resources the user can access.
Accounting: Making a user accountable for their actions with logging.

AAA can use the following: Local, ACS, TACACS and RADIUS.

ACS is an access control server which stores usernames, passwords and what each user is allowed to access.
ISE (Identity Services Engine) is another access control server.

The protocol normally used between an administrator and a networking device to access the CLI is TACACS, whereas RADIUS is used when a user wants to access resources through the router. This is because TACACS offers more granular control of AAA.

Method Lists

A default method list is applied to the entire router or switch. A custom list must be applied to a line or interface. A total of 4 methods can be used per list.

Logging output can be sent to the console, VTY lines, device buffer, a SNMP server or a SYSLOG server.

Syslog Severity Ratings

Everyone Always Complains Even When Nothing Is Different

0 – Emergencies
1 – Alerts
2 – Critical
3 – Error
4 – Warning
5 – Notification
6 – Informational
7 – Debugging
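As an added example (not part of the original notes), the following Python parses the %FACILITY-SEVERITY-MNEMONIC tag that IOS puts in every syslog message and applies the severity table above the way a `logging trap level` filter does, keeping only messages at that level or more severe. The log lines are constructed for the example; the mnemonics are real IOS ones.

```python
import re

# Severity table from the notes: 0 (emergencies) is most severe, 7 (debugging) least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC tag; everything after the
# colon is the free-text part of the message.
TAG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def parse_syslog_line(line):
    """Return (facility, severity, mnemonic, text), or None if the line has no IOS tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return (m.group("facility"), int(m.group("severity")),
            m.group("mnemonic"), m.group("text"))


def filter_by_level(lines, level):
    """Keep messages at `level` or more severe (a lower number), which is what
    'logging trap <level>' does: e.g. level 4 keeps 0..4 and drops 5..7."""
    kept = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed and parsed[1] <= level:
            kept.append(parsed)
    return kept


def summarize(lines):
    """Count parsed messages per severity name, a quick triage view of a log buffer."""
    counts = {}
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed:
            name = SEVERITY_NAMES[parsed[1]]
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample buffer (not captured from a real device).
SAMPLE_LINES = [
    "*Mar  1 00:12:03.117: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Mar  1 00:12:41.882: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:13:02.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0011.2233.4455 on port GigabitEthernet0/2.",
    "*Mar  1 00:13:09.560: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:13:10.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.20 started - CLI initiated",
    "random line without a tag",
]

if __name__ == "__main__":
    for fac, sev, mnem, text in filter_by_level(SAMPLE_LINES, 4):
        print(f"{SEVERITY_NAMES[sev]:>13} {fac}-{mnem}: {text}")
    print(summarize(SAMPLE_LINES))
```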

Parser Views

Setting up parser views for RBAC

  1. Enable AAA
    1. aaa new-model
  2. Enter the root view from exec mode
    1. enable view
  3. Create the parser view
    1. configure terminal
    2. parser view name
      1. secret password
      2. commands exec include ping
      3. exit
    3. Apply the view to a user
      1. username test view name password test
    4. exit
  4. Test the user’s view from exec mode
    1. enable view name

Identity Services Engine (ISE)

ISE is an access and identity platform that validates a computer meets the requirements of a company policy before the device is allowed onto the network.

TACACS is Cisco proprietary and uses TCP or UDP port 49. It encrypts the entire packet before it is sent.
TACACS separates the AAA functions into distinct elements: authentication is separate from authorization, and both of these are separate from accounting. It can perform AAA on each command entered into the CLI, or on a group basis.
RADIUS is cross-platform and uses UDP port 1812. It encrypts only the password. RADIUS combines many of the AAA functions: authentication and authorization function together, but it provides more accounting than TACACS.

Cisco Configuration Professional

The 640-554 exam requires fairly in depth CCP knowledge. I’m not going to touch on this here, because you really need to download the client for yourself and play around with its features and learn the paths to certain functions.

Learning how to perform the following in CCP will be a good start:

  • Configure NAT
    • Configuration -> Router -> NAT
  • Configure and edit an access list
    • Configuration -> Router -> ACL -> ACL Summary/ACL Editor
  • Set up a SSL VPN
  • Configure NTP and syslogs
    • Configuration -> Router -> Time -> NTP
  • Configure AAA
  • Setup a zone based firewall
    • Configuration ->Security -> Firewall -> Firewall -> Follow the Wizard
  • Create local users
    • Configuration -> Router -> Remote Access -> User Accounts -> View -> Add

Securing Layer 2

STP: 802.1D
The lowest bridge ID becomes the root bridge. BPDUs are used to check redundant paths.
States: Listening, learning, forwarding, blocking
Listening: Listens for BPDUs for 15 seconds
Learning: Listens for BPDUs and learns MAC addresses for 15 seconds
Forwarding: Forwards layer 2 traffic
Blocking: Redundant paths are blocked

RSTP: 802.1w
PortFast places the port straight into the forwarding state. Used on access ports. Can cause loops if used incorrectly.

Layer 2 Best Practices

  • Change the default (native) VLAN
    • switchport trunk native vlan number
  • Avoid VLAN 1 anywhere
  • Configure access ports for end users
    • switchport mode access
  • Disable DTP
    • switchport nonegotiate
  • Limit MAC addresses on a switchport
    • switchport port-security maximum number
  • Enable root guard to stop other switches becoming the root bridge
    • spanning-tree guard root
  • Turn off CDP on access ports
    • int gig0/1
      • no cdp enable
  • Shut down all unused ports.
  • Port Security: Limits the MAC addresses allowed on a port
  • BPDU Guard: Protects STP by shutting the port down if a BPDU is received.
  • Root Guard: Stops another switch from becoming the root bridge.
  • Dynamic ARP Inspection: Stops layer 2 MAC address spoofing by validating ARP packets against a table of MAC-to-IP bindings
  • IP Source Guard: Prevents layer 3 spoofing
  • 802.1X: Authenticates users before allowing them to access network resources
  • DHCP Snooping: Prevents rogue DHCP servers by specifying trusted and untrusted interfaces.
  • Storm Control: Limits the amount of multicast and broadcast through a switch
  • Access Control: Traffic control to enforce policy.

BPDU Guard can bring the interface back up after a predetermined time if no further BPDUs are received.

  • In global configuration
    • errdisable recovery cause bpduguard
    • errdisable recovery interval seconds

Root Guard can be used if you connect to unmanaged switches and you don’t want them to become the root bridge.

  • int gig0/1
    • spanning-tree guard root

Port Security is used to negate CAM overflow attacks. It also stops a single device from depleting a DHCP pool.

  • int gig0/1
    • switchport port-security
    • switchport port-security maximum number
    • switchport port-security mac-address sticky
      • Allows the switchport to automatically learn the MAC addresses to be allowed. They are written to the running configuration (RAM), so they are lost after a reload unless the configuration is saved.
    • switchport port-security violation protect | restrict | shutdown
      • Shutdown is the default violation action
      • Protect allows the original MAC addresses through, but blocks additional MAC addresses
      • Restrict is the same as protect, but also sends an SNMP trap.
  • Verification
    • show port-security from enable mode
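The following Python model, added here and not Cisco's code, shows what the three violation modes above do to a port as frames arrive, and what a CAM-overflow burst of distinct source MACs looks like against a `maximum` of 3. MAC addresses are constructed from the 00:00:5E:00:53:xx documentation range; the method names are my own.

```python
class PortSecurity:
    """Model of 'switchport port-security' on one access port (added example).

    maximum  : number of MAC addresses the port may learn (port-security maximum N)
    violation: 'protect', 'restrict' or 'shutdown' (shutdown is the IOS default)
    static   : MAC addresses configured statically, allowed from the start
    """

    def __init__(self, maximum=1, violation="shutdown", static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = [m.lower() for m in static]  # static + learned (sticky-style)
        self.err_disabled = False
        self.violation_count = 0
        self.traps = []  # SNMP traps a 'restrict' port would send

    def receive(self, src_mac):
        """Process one inbound frame and return what the switch does with it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # learned, as 'mac-address sticky' would record it
            return "forwarded (learned)"
        # A new source MAC beyond the maximum is a security violation.
        self.violation_count += 1
        if self.violation == "protect":
            return "dropped"  # silently discarded, no notification
        if self.violation == "restrict":
            self.traps.append(f"PSECURE_VIOLATION {src_mac}")
            return "dropped (trap sent)"
        self.err_disabled = True  # shutdown: whole port goes err-disabled
        return "dropped (port err-disabled)"

    def errdisable_recover(self):
        """Effect of 'errdisable recovery cause psecure-violation' after the interval."""
        self.err_disabled = False


def simulate_cam_flood(port, macs):
    """Feed frames from many distinct source MACs (the CAM-overflow pattern) and
    return a tally of the port's responses."""
    tally = {}
    for mac in macs:
        action = port.receive(mac)
        tally[action] = tally.get(action, 0) + 1
    return tally


# Constructed attacker MACs from the documentation range (RFC 7042).
FLOOD = ["00:00:5e:00:53:%02x" % i for i in range(20)]

if __name__ == "__main__":
    print(simulate_cam_flood(PortSecurity(maximum=3, violation="restrict"), FLOOD))
```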

Securing the IOS and configuration

secure boot-image
secure boot-config
show secure bootset

Securing the Data Plane in IPv6

Reasons for IPv6: IPv4 address space has a total of 2^32 addresses, whereas IPv6 has 2^128

  • IPv6 does not support NAT
  • Hosts use stateless address auto-configuration (SLAAC) to assign an IP address to themselves, but can also use DHCPv6 to learn more information, such as the DNS server.
  • IPv6 support for IPsec is required.
  • Simplified header, but it is longer. Has extension headers if required.
  • No broadcast function, so no ARP. Uses Neighbor Discovery Protocol (NDP) instead.
    • NDP uses ICMP for most of its functions. If there are network connectivity issues, check that ICMPv6 is not blocked.
  • IPv6 addresses are segmented into 8 groups, each containing 16 bits or 4 hex characters.
  • :: can be used once in an address to replace consecutive groups of zeros.

Link Local Addresses

Link-local addresses begin with FE80. These addresses are used to communicate with other IPv6 addresses on the same segment. If an IPv6 host needs to send something outside of its local network, it uses a globally routable address.

The last 64 bits of an IPv6 address are used for hosts/interface bits. EUI-64 may be used to create the host interface.

The loopback for IPv6 is ::1
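As an added example (not from the notes), this Python builds the EUI-64 interface identifier from a MAC address, derives the link-local address a host autoconfigures from it, applies the :: compression rule with the standard library, and classifies an address as link-local, multicast, global unicast or loopback, the distinction you need when writing border filters for IPv6. The MAC used is constructed; `ipaddress` is Python's standard module.

```python
import ipaddress


def eui64_interface_id(mac):
    """64-bit EUI-64 interface ID from a 48-bit MAC: flip the universal/local bit
    (bit 1 of the first octet) and insert FF:FE between the OUI and device halves.
    Accepts 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or Cisco's 001a.2b3c.4d5e."""
    hexstr = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexstr) != 12:
        raise ValueError("MAC address must be 48 bits")
    octets = bytearray.fromhex(hexstr)
    octets[0] ^= 0x02
    return bytes(octets[:3] + b"\xff\xfe" + octets[3:])


def link_local_from_mac(mac):
    """Link-local address SLAAC derives: the FE80::/64 prefix plus the EUI-64 ID."""
    prefix = int(ipaddress.IPv6Network("fe80::/64").network_address)
    return ipaddress.IPv6Address(prefix | int.from_bytes(eui64_interface_id(mac), "big"))


def classify(addr_text):
    """Name the address type using the ranges from the notes."""
    a = ipaddress.IPv6Address(addr_text)
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"  # FE80... addresses, never routed off the segment
    if a.is_multicast:
        return "multicast"  # FF00::/8, e.g. FF02::1 and FF02::2
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"  # the 2000-3FFF globally routable range
    return "other"


def expand(addr_text):
    """Write every group with all four hex digits (undoing :: and leading-zero drops)."""
    return ipaddress.IPv6Address(addr_text).exploded


def compress(addr_text):
    """Apply the rules: drop leading zeros, and use :: once for the longest zero run."""
    return ipaddress.IPv6Address(addr_text).compressed


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    print(eui64_interface_id(mac).hex(), link_local_from_mac(mac))
    for addr in ("fe80::1", "ff02::1", "2001:db8::1", "::1"):
        print(addr, classify(addr))
```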

Multicast Addresses

FF02::1 – Traffic destined to all link local addresses
FF02::2 – Traffic to all IPv6 addresses.
2000 – 3FFF are globally routable IPv6 addresses

With no ARP, another function is needed to find the MAC address of a host. If a host needs to learn the MAC of another host, it sends a Neighbour Solicitation (NS) message to the multicast group FF02::1. The target host replies with a Neighbour Advertisement (NA) containing its MAC address. This is how IPv6 avoids broadcast traffic.

IPv6 and IPv4 have some routing protocols in common.

  • RIP-NG
  • OSPFv3
  • EIGRP for IPv6

No network statements are configured under the routing process for IPv6, as they are now entered on the interfaces themselves.

  • Enable IPv6 routing
    • ipv6 unicast-routing
  • Enter the interface on which you wish to enable a routing protocol
    • int gig0/1
      • ipv6 rip name enable
      • ipv6 ospf process-id area area-id
      • ipv6 eigrp 1
  • EIGRP must be ‘unshut’ under the routing process
    • ipv6 router eigrp 1
      • no shutdown
  • Verification
    • show ipv6 protocols

IPv6 best practices

  • Physical security: No electromagnetic interference. Temperature and humidity controlled. Logging for access. redundant power feeds.
  • Device hardening: Disable services not in use. CCP has a function to do this.
  • Control access between zones
  • Use routing protocol authentication
  • Use AAA
  • Reverse path forwarding can help mitigate DDoS and IP spoofing
  • TCP intercept can help stop SYN-Floods
  • Have an up to date security plan
  • Application inspection: Zone based firewall or an ASA
  • Stop MITM with ARP inspection and STP guard at layer 2, and routing authentication and VPN at layer 3.
  • Stop CAM overflow attacks with port-security
  • Filter bogon traffic
  • Filter multicast at your borders
  • Filter unused ICMPv6 traffic
  • Drop routing header type 0
  • Don’t use 6to4 auto tunnel
  • Protect against rogue IPv6 devices
  • Secure neighbour discovery and router advertisement guard can help

New Risks with IPv6

NDP: Clients discover routers with NDP. An attacker could setup his own router to perform a MITM attack.
Hop-by-hop extensions can control the path a packet takes
Routing header type 0 (This was retired late 2009 I believe)

Packet amplification attacks

A user sends a packet to the all-nodes group (FF02::1) and uses up all the bandwidth when every host responds. This could be performed with a spoofed layer 3 source address to attack one host.

ICMPv6 is used by NDP.

Tunneling IPv6 inside IPv4 may cause filtering to not occur on the IPv4 packet

Planning a threat control strategy

Threat control and Mitigation

Senior management are ultimately responsible for policy. The job of an administrator is to implement this policy.
A policy should be in place to respond to attacks, ideally in an automated fashion.

End users education and awareness are key to ensure users don’t click on malicious links and attachments.

Defense in depth is a layered approach to security

Centralised monitoring and analytics.

Application visibility is critical to see if protocol abuse is occurring, such as tunneling or malformed packets.

Have a formal process for incidents. Incident response is the formal process for dealing with violations.

Context based access control (CBAC) was the evolution before stateful firewall filtering. Zone Based Firewalls (ZBF) replace CBAC. ZBF uses class maps to match traffic, policy maps to apply an action (inspect, drop) and service policies to apply them to a zone pair. ZBF can perform application based inspection/filtering.

Packet Filtering Access Lists: Used to match traffic which can be used in a class map

Access lists can be used to:

  • Block/allow certain routing protocols
  • QoS
  • VPN
  • NAT
  • Packet Filtering

What can we protect against?

  • Spoofing attacks, by denying RFC 1918 (private address space) sources with ACLs
  • TCP SYN floods, by enabling TCP intercept
    • ip tcp intercept
  • Reconnaissance attacks, by denying ICMP and UDP access from outside.

Standard Access lists

  • Range 1-99, 1300 – 1999
  • Can only use source addresses
  • Place closest to destination

Extended Access lists

  • Range: 100 – 199, 2000 – 2699
  • Can be named or numbered
  • Can match layer 4 protocols, and match on source and destinations
  • Place closest to the source

The numbered lines inside an ACL are called Access Control Entries (ACE)

IPv6 packet filtering

There is no access-group command at the interface level; instead, ipv6 traffic-filter ACL-name in | out applies the access list to an interface.

Implementing Zone Based Firewalls using IOS

Context based access control (CBAC) is the old method. ZBF is the new.

ZBF uses:

  • Stateful inspection
  • Application inspection
  • Packet filtering
  • URL Filtering
  • Transparent firewall
    • A transparent firewall is implemented at layer 2, but can still perform analysis of traffic at layer 3 and higher.
  • Support for VPNs
  • Access lists are not required as the filtering method to implement the policy.

Zones are created by administrators. A zone can have more than one interface assigned. The default zone is the self zone, which is a logical zone. Traffic to and from the router itself is termed as going to and from the self zone. By default, traffic to and from the self zone is allowed.

By default, traffic between zones is denied. Zone pairs are created to allow communication between two zones.

What is needed:

  • Create the inside and outside zones
  • Assign the inside interface to the inside zone
  • Assign the outside interface to the outside zone
  • Policy to allow traffic from inside to outside and to perform inspection, which stores the stateful information.

Cisco uses Cisco Common Classification Policy Language (C3PL) for the implementation of the policy, which has three main components.

Class Maps to match the traffic
Policy Maps to perform an action on the matched traffic
Service Policies to apply the policy maps to a zone pair.

Policy Map Actions

Inspect: Used to permit traffic and store stateful information for returning traffic. This is used to permit transit traffic from going out and coming back in.
Pass: Allows transit traffic, but doesn’t keep a stateful entry for returning traffic
Drop: Drops the traffic
Log: Logs the packet

Service policies are applied to a zone pair in a unidirectional basis between two zones. Only one service policy can be applied to a zone pair, so inspect must be used if return traffic is required.

Zone Traffic Behavior

Ingress interface not a member of a zone, going to an interface not in a zone: forwarded
Ingress interface not a member of a zone, going to an interface in a zone: dropped
Ingress interface a member of zone A, going to another interface in zone A: forwarded
Ingress interface a member of zone A, going to an interface not in zone A: dropped
Ingress interface a member of zone A, going to an interface not in zone A, where a policy states the traffic is allowed: forwarded

Self zone traffic behavior

Self Zone -> Self Zone with no policy applied is passed
Zone A -> Self Zone with no policy applied is passed
Self Zone -> Zone A with policy applied uses the policy options, which may be to drop the traffic
Zone A -> Self Zone with a policy applied uses the policy options, which may be to drop the traffic.
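As an added example (not from the notes or Cisco), this Python models the zone and self-zone rules above together with the policy actions: `inspect` records a session so the reply passes back through the reverse zone pair, `pass` forwards but keeps no state, and `drop` discards. Interface and zone names mirror the configuration example in these notes; addresses are constructed.

```python
class ZoneFirewall:
    """Simplified model of IOS zone-based firewall forwarding decisions."""

    SELF = "self"  # the logical self zone: traffic to/from the router itself

    def __init__(self):
        self.zone_of = {}      # interface -> zone (zone-member security)
        self.pairs = {}        # (source_zone, destination_zone) -> action
        self.sessions = set()  # (src_zone, dst_zone, src, dst) created by 'inspect'

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, source, destination, action):
        """One service policy per zone pair; the action is what the policy map does."""
        if action not in ("inspect", "pass", "drop"):
            raise ValueError("action must be inspect, pass or drop")
        self.pairs[(source, destination)] = action

    def decide(self, ingress, egress, src, dst):
        """Return 'forward' or 'drop' for a packet from `src` to `dst` entering on
        `ingress` and leaving on `egress` (use ZoneFirewall.SELF for the router)."""
        zin = self.SELF if ingress == self.SELF else self.zone_of.get(ingress)
        zout = self.SELF if egress == self.SELF else self.zone_of.get(egress)
        # Return traffic of an inspected session is allowed without its own policy.
        if (zout, zin, dst, src) in self.sessions:
            return "forward"
        # Same zone (or both interfaces unzoned) is never policed.
        if zin == zout:
            return "forward"
        # An unzoned interface may not talk to a zoned one (self zone excepted).
        if None in (zin, zout) and self.SELF not in (zin, zout):
            return "drop"
        action = self.pairs.get((zin, zout))
        if action is None:
            # No policy: self-zone traffic is allowed, inter-zone traffic is denied.
            return "forward" if self.SELF in (zin, zout) else "drop"
        if action == "inspect":
            self.sessions.add((zin, zout, src, dst))  # stateful entry for the reply
        return "drop" if action == "drop" else "forward"


def build_example():
    """Mirror of the in-to-out inspect policy in these notes."""
    fw = ZoneFirewall()
    fw.zone_member("gig0/0", "inside")
    fw.zone_member("gig0/1", "outside")
    fw.zone_pair("inside", "outside", "inspect")
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.decide("gig0/0", "gig0/1", "10.0.0.5", "198.51.100.7"))  # outbound
    print(fw.decide("gig0/1", "gig0/0", "198.51.100.7", "10.0.0.5"))  # its reply
    print(fw.decide("gig0/1", "gig0/0", "198.51.100.9", "10.0.0.5"))  # unsolicited
```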

Example configuration

  • class-map type inspect match-any ICMP_TELNET
    • match protocol icmp
    • match protocol telnet
  • policy-map type inspect ICMP_TELNET_POL
    • class type inspect ICMP_TELNET
      • inspect
  • zone security outside
  • zone security inside
  • zone-pair security in-to-out source inside destination outside
    • service-policy type inspect ICMP_TELNET_POL
  • int gig0/1
    • zone-member security outside
    • exit
  • int gig0/0
    • zone-member security inside
    • exit

Configuring ZBF in CCP

Configuration -> Firewall -> Firewall -> Basic Wizard

Possible security levels for ZBF

High: Drops instant messaging and peer-to-peer traffic. Inspection is performed on non-compliant email and web traffic. It also does generic inspection on TCP and UDP.
Medium: Same as high, but no web and email filtering for non-compliant traffic.
Low: No application inspection. Just TCP and UDP.

Verifying ZBF in CCP

Configure -> Firewall -> Firewall -> Edit Firewall
Monitor -> Security -> Firewall

Enabling NAT in CCP

Configure -> Router -> NAT

Enabling NAT in CLI

  • int gig0/1
    • ip nat inside
  • int gig0/0
    • ip nat outside
  • ip access-list extended NAT
    • permit ip
  • ip nat inside source list NAT interface gig0/0 overload

The ASA Family

  • 5505 uses SVIs as the switching ports. The 5505 is the only ASA to do this. Two of the 8 ports are PoE, with the possibility of an extension (IPS) module being added.
  • 5510 has four routable interfaces, with one ‘management-only’ interface, which can be used as a fifth routable interface if no management-interface is entered under the interface.
  • 5520, 5540, 5550 are the same as the 5510, but have more capacity.
  • The 5585 uses more rack units than the 5510 and 5550.

ASA Features

  • Packet filtering
  • Stateful filtering
  • Application inspection
  • NAT
  • DHCP
    • dhcpd
  • Routing
    • OSPF
    • EIGRP
    • RIP
    • Static Routing
  • Layer 2 or 3 implementation
  • VPN Support
    • Remote Access SSL
    • Remote Access IPsec
    • Site to Site IPsec
  • Object groups
  • Botnet traffic filtering
  • AAA support

ASA Security Zones

Security levels range from 0 to 100, 100 being the most secure and 0 the least. These security levels work in a similar manner to ZBF with regard to traffic flow: traffic sourced from a higher security level is able to initiate connections to any security zone with a lower security level.

Lower security zones cannot initiate connections to a higher security zone unless an access list specifies so.
Lower security zones can return traffic to a higher security zone if the higher zone initiated the session (stateful inspection).

Tools to manage the ASA

  • ASDM
  • CLI
  • Cisco Security Manager (CSM)

Packet Filtering

Access lists applied inbound or outbound can override the ‘higher to lower’ rule, allowing the lower security zone to initiate traffic to a higher security zone.

Modular Policy Framework (MPF)

The MPF is essentially what we discussed in the ZBF section. It uses class maps to identify traffic, policy maps to perform an action on the matched traffic, and service policies to apply the policy map to an interface.

  • Class Maps can match on:
    • Access lists
    • Set DSCP bit
    • TCP or UDP ports
    • IP precedence
    • RTP ports
    • VPN Tunnel Groups
  • Policy Maps can:
    • Reroute traffic to an IPS
    • Perform inspection
    • Give priority
    • Rate limit
    • Perform advanced traffic handling

Firewall Policy on ASA

Configuring interfaces using ASDM
Configure -> Device Setup -> Interfaces

Configuring DHCP using ASDM
Configure -> Device Management -> DHCP -> DHCP Server

Configuring DHCP using the CLI
dhcpd address inside
dhcpd enable
dhcpd dns interface inside
dhcpd domain interface inside

Basic routing
Configure -> Device Setup -> Routing

NAT
Configure -> Firewall -> NAT

PAT with the CLI
object network INSIDE_HOSTS
nat (inside,outside) 1 source dynamic INSIDE_HOSTS interface

Access lists
Configuration -> Firewall -> Access Lists

Packet-tracer lets you simulate a traffic flow to test whether it works correctly, or to see at which stage it is being stopped.
packet-tracer input inside tcp source-address 1621 destination-address 80 would test a TCP session from an inside source address to a destination address on port 80.

Cisco IPS/IDS Fundamentals

IPS are inline, which has a network performance hit and if it fails, traffic flow will stop. IDS systems are out of line, and the packet is spanned to the IDS for analysis. IDS sits in promiscuous mode, has no delay and sensor failures will not stop traffic flow.

Sensor Platforms

  • Dedicated IPS appliance
  • Software on IOS router
  • Module on IOS, such as AIM-IPS and NME-IPS
  • Module on ASA, AIP module for IPS
  • A blade which works in a Cisco 6500 switch

True Positives, True Negatives, False Positives and False Negatives

True Positives indicate that the IPS/IDS did see malicious traffic, and that there was malicious traffic present.
True Negatives indicate that the IPS/IDS did not detect malicious traffic, and no alert was sent.
False Positives indicate that the IPS/IDS detected malicious traffic, however none was present.
False Negatives indicate that the IPS/IDS did not detect malicious traffic when malicious traffic was present.

Identifying Malicious Traffic

Signature Based

Signature-based rules look at characteristics of a packet or stream of packets. Signature-based identification is easy to configure and simple to implement.

Policy Based
Administratively set policy to block particular traffic. Only uses the defined policy and must be manually created.

Anomaly Based
Gathers a baseline of traffic flow and if a sudden spike in traffic occurs, then the IDS/IPS will take action. This method is self contained and difficult to implement in larger networks.

Reputation Based
Uses information from global sources. This method requires timely updates and requires participation in global correlation rules.

Target Value Rating (TVR)
TVR is the rating given to a destination host where critical devices are present
Signature Fidelity Rating (SFR)
The accuracy of the signature as determined by the creator of the signature
Attack Severity Rating (ASR)
How critical the attack is defined by the person who created the signature. Uses a scale between 0 – 100 to determine the rating.
Attack Relevancy (AR)
How relevant an attack is. For example, the Windows servers are located in a particular subnet, so a Windows-specific attack is most relevant on that subnet.
Global Correlation
If the sensor is participating and receives information about a specific source address that is attacking, the risk rating for that source range increases

IDS/IPS Evasion Techniques

Evasion technique – Anti-evasion measure

Traffic fragmentation – Complete (reassemble) the session before applying IDS/IPS inspection
Traffic substitution and insertion – Look for Unicode dots, case sensitivity, spaces, tabs etc.
Protocol-level misinterpretation – IP TTL and TCP checksum validation
Timing attacks – Configure intervals
Encryption/tunneling – Encrypted traffic cannot be inspected; traffic inside a GRE tunnel can be seen if no encryption is used
Resource exhaustion – Summarise common attack types to find the underlying attacks

Micro Engines

Atomic Engine: The Atomic Engine uses signatures to match against a single packet.
Service Engine: The Service Engine matches against layer 7 services, regardless of operating system.
String or Multi string Engine: Supports flexible pattern matching, and can be used to identify single packets, or a group of packets such as sessions
Misc Engines: There are many other engines which don’t fit under any other category.

The higher the severity, the greater factor for risk rating.

Monitoring and Managing Alerts/Alarms

There are three protocols used. SDEE, SYSLOG and SNMP.
SDEE is Cisco proprietary and ensures logging information is secure.
SYSLOG is an industry standard for sending system logging messages.
SNMP can be used to send traps about certain alerts/alarms.

IPS Manager Express (IME) can view up to 10 sessions. Cisco Security Manager (CSM) can view up to 25 hosts without clutter being an issue.

Cisco Security Intelligence Operations (SIO) utilizes global reporting to update the IPS/IDS signatures.

IPS/IDS Best Practices

  • Implement IPS going to critical devices
  • Use modular IPS if you cannot afford physical appliances
  • Take advantage of global correlation
  • Use risk based approaches on calculating the risk rating.
  • Use automated signature updates
  • Continue to tune/edit the IDS/IPS signatures

Implementing IOS IPS

IOS IPS Features

  • Regular string pattern matching
  • Response action
    • Denying
    • Alerting
    • RST SYN
  • Alarm Summarization
  • Threshold configuration
  • Risk Ratings

Configure IPS in CCP

Configure -> Security -> Intrusion Prevention -> Launch IPS Wizard
– Enable SDEE if disabled as this allows sending of logging information

To view/edit signatures

Configure -> Security -> Intrusion Prevention -> Edit IPS -> Signatures -> Right click a signature and select actions
– A green tick indicates the rule is enabled
– A red symbol indicates the rule is disabled

Configure IPS via CLI

ip ips notify sdee
ip ips name name
int gig0/0
ip ips name in | out

Monitoring & Managing IPS Alarms

CCP: Monitor -> Security -> IPS Status
CLI: show ip sdee alerts & show ip ips statistics

Enabled, disabled, retired and unretired IPS rules

  • Enabled enables the IPS signature
  • Disabled disables the IPS signature
  • Retire removes the signature from its compiled list of signatures, reducing RAM consumption on the router
  • Unretire adds the signature to its compiled signature list.

If a signature is enabled but retired, it consumes no RAM and no signature matching occurs
If a signature is disabled and retired, it consumes no RAM and no signature matching occurs
If a signature is enabled and not retired, it consumes RAM and will match
If a signature is disabled and not retired, it consumes RAM and will not match

Actions an IPS can take

  • Deny attack inline
    • Denies the attackers source IP address for a configurable time duration
  • Deny connection inline
    • Stops the session that the signature detected malicious traffic on. An attacker could start a new session and resume the attack.
  • Deny packet inline
    • Denies the packet that triggered the alert
  • Log attacker packets
    • Logs packets from the attackers source address for a short duration
  • Log victim packets
    • Logs the destination packets that triggered the alert
  • Log pair packets
    • Logs both the source and destination packets for a short duration
  • Produce alert
  • Produce verbose alert
    • Produces an alert, but also captures the entire packet that triggered the alert.
  • Request block connection
    • If you have control of an upstream device which can block the traffic at the border of your network, this mode can request the border device to do just that
  • Request block host
    • Blocks connections from the source address, regardless of TCP or UDP ports used
  • Request SNMP trap
    • Sends an SNMP trap
  • Reset TCP connection
    • Sends a RST SYN packet back to the source address.

Best Practices for IPS

  • Begin with basic signatures, check CPU/RAM consumption before applying more advanced signatures
  • Schedule downtime for IPS installations/upgrades
  • Retire unused signatures so they don’t affect CPU/RAM
  • Fail open will forward traffic if the IPS fails, but no IPS functionality will work
  • Fail closed will deny all traffic if the IPS fails and no IPS functionality will work.

Fundamentals of VPN Technology

  • IPsec
    • Security of the IP packet at layer 3. Can be used for Remote Access and Site to Site VPNs
  • SSL
    • Secure Sockets Layer implementation. Security at the TCP / layer 4 level. Can be used for Remote Access, as well as HTTPS
    • Layer 3 VPN outside of the scope of CCNA Security

Benefits of VPNs

  • Confidentiality through encryption
  • Data integrity through hashing
  • Authentication through PSK/PKI
  • Anti-replay through checksums

Confidentiality uses encryption algorithms/ciphers to encrypt data. Symmetric ciphers use the same key for encryption and decryption.
Data integrity comes in the form of hashing. MD5, SHA, HMAC are all forms of hashing
Authentication comes in the form of a pre-shared key (PSK) or public key infrastructure (PKI), which is essentially a certificate; More on this later.
Anti-replay uses a method of stamping the packet so it cannot be used again

  • Algorithms/Ciphers
    • Ciphers are sets of rules about how to perform encryption/decryption
  • Substitution
    • Substitution replaces one character with another
  • Polyalphabetic
    • Instead of replacing a character, it could use multiple characters and switch between them by some trigger in the encoded message
  • Transposition
    • Uses many methods such as rearrangement of text
  • Keys
    • One time pads

Blocks and Stream Ciphers

Encryption algorithms can operate on blocks of data or by bits and bytes of data based on the cipher in use.

Block ciphers with symmetric keys: AES, DES, 3DES, Blowfish, IDEA

Block ciphers may pad the packet if there is not enough data to fill the block.

Stream Ciphers

A stream cipher is a symmetrical cipher where each bit of plain text is encrypted individually, also called a cipher digit stream.

Symmetrical ciphers are the most common as they use less CPU time. The longer the key (the higher the bit count), the stronger the cipher.

Asymmetrical ciphers use different keys to encrypt and decrypt data. A private and public key are used to encrypt/decrypt data. This is called a key pair.


Hashing is a method for data integrity: the sender takes a block of data and computes a hash over it. The other party receives the block and runs the same hash over it to verify it has not been tampered with. If even one bit differs, the hash will be different and data integrity cannot be validated.
MD5, SHA 1 and SHA 2 are common hashes.

Hashed message authentication code (HMAC) uses hashing, but also includes a key.
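An added illustration (not from these notes) of the hash versus HMAC point above, using only Python's standard library: a plain hash can be recomputed by whoever alters the block in transit, while an HMAC cannot be recomputed without the shared key. The key and payload are constructed sample values.

```python
"""Plain hash versus HMAC for data integrity.  Added illustration, not from
the notes' author: an unkeyed hash catches accidental corruption, but anyone
who can alter the block can recompute it; an HMAC needs the shared key."""
import hashlib
import hmac

# Constructed sample values for the demonstration.
SHARED_KEY = b"constructed-shared-key"
BLOCK = b"constructed payload block 0001"

def sha256_tag(block: bytes) -> bytes:
    """Unkeyed integrity value (the MD5/SHA style check in the notes)."""
    return hashlib.sha256(block).digest()

def hmac_tag(key: bytes, block: bytes) -> bytes:
    """Keyed tag: HMAC-SHA256, hashing that also includes a key."""
    return hmac.new(key, block, hashlib.sha256).digest()

def hmac_valid(key: bytes, block: bytes, tag: bytes) -> bool:
    """Constant-time compare so timing does not leak the expected tag."""
    return hmac.compare_digest(hmac_tag(key, block), tag)

def flip_one_bit(block: bytes, bit: int = 0) -> bytes:
    """Simulate a one-bit change to the block in transit."""
    data = bytearray(block)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)

def in_transit_modification(block: bytes, tag: bytes):
    """An on-path party alters the block and recomputes the plain hash, but
    without SHARED_KEY it can only replay the original HMAC tag."""
    altered = flip_one_bit(block)
    return altered, sha256_tag(altered), tag

def receiver_checks(block: bytes, claimed_hash: bytes, claimed_tag: bytes):
    """Return (accepted_by_plain_hash, accepted_by_hmac) for a received block."""
    return (hmac.compare_digest(sha256_tag(block), claimed_hash),
            hmac_valid(SHARED_KEY, block, claimed_tag))

def demo():
    """Sender tags the block, it is altered in transit, receiver verifies."""
    sent_tag = hmac_tag(SHARED_KEY, BLOCK)
    altered, hash_seen, tag_seen = in_transit_modification(BLOCK, sent_tag)
    return receiver_checks(altered, hash_seen, tag_seen)  # (True, False)
```

The plain hash check accepts the altered block because the modifier recomputed the hash; only the keyed tag exposes the change.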

Digital Signatures

Core benefits:

  • Authentication
  • Data integrity
  • Non-repudiation

IPsec and SSL

Summary: Confidentiality through encryption, data integrity through hashing and authentication with PSK or PKI.

IPsec protects layer 3 packets.

Encapsulating Security Protocol (ESP) and Authentication Header (AH)

ESP can do all features of IPsec, and AH which can do many parts of the IPsec objectives, but cannot encrypt the data. For this reason, ESP is more commonly used.

  • Encryption
    • AES, DES, 3DES
  • Hashing
    • SHA, HMAC, MD5
  • Authentication
    • PKI, PSK and RSA signatures
  • Key management
    • Diffie-Hellman (DH) generates symmetrical keys.
  • Internet Key Exchange (IKE) does much of the negotiating for using DH

Fundamentals of Public Key Infrastructure

  • Key chains use public and private keys
  • If you encrypt with the public key, you use the private key to decrypt the data
  • Types of key pairs
    • RSA
      • Also known as PKCS #1
    • DH
      • Asymmetrical, but can transfer keys which are symmetrical
    • ELGamal
      • An asymmetric encryption system based on DH
    • DSA
      • Digital Signature Algorithm. Developed by the NSA
    • ECC
      • Elliptical Curve Cryptography

A common asymmetric cipher is RSA

The certificate authority (CA) takes each user's public key, name and IP address (for the users who wish to communicate securely) and creates a certificate for each of them

When the two parties want to communicate, they send each other a copy of their digital certificates. Both parties verify the signature using the public key of the CA, and each party now has the other's public key. Party A then encrypts his data with the private key.

Certificate Authorities

Certificates can be made of:

  • IP addresses
  • FQDN
  • Public Key of the device

The final certificate has the URL of the domain.

Root Certificates

Root Certificates contain the public key of the CA server and other details about the root server.

  • Serial Number: Issued and tracked by the CA which issued the certificates
  • Issuer: The issuer of the certificate, even if it was issued by a root.
  • Validity Dates: The two dates in which the certificate is valid between
    • It is critical to ensure the devices clock is accurate because of this
  • Subject of the certificate: Contains the organizational unit (OU), Country (C) and other details found in an X.500 structured directory
    • LDAP uses X.500 directory structuring
  • The subject of the root certificate is the root itself
  • The subject of a client's identity certificate is the client itself
  • Public key: Contents of the public key and the length
  • Thumbprint algorithm and thumbprint: This is the hash of the certificate. For a new root certificate, you could phone the CA and have them read the hash of the certificate to you. This is called an Out Of Band (OOB) method.

Identity Certificate

These are similar to root certificates, but identify the client and provide the public key for that host. SSL or VPN using PKI can utilise the identity certificate.

In an SSL connection, both clients go to the CA and verify the digital signature is correct. If both clients receive the correct digital signature, the secure connection is formed.

X.500 is the structure or format to store directories

  • Contain common name (CN)
  • Organizational Unit (OU)
  • Organization (O)
  • Plus many more in an org-chart style fashion

X.509v3 is the standard for issuing digital certificates

  • Serial number assigned by the CA to identify the certificate
  • Subject: The person or entity being identified
  • Signature algorithm: The specific cipher used when signing the certificate
  • Signature: Used by devices to verify the authenticity of the certificate by checking the certificate authority's signature
  • Issuer: Which CA issued the certificate
  • Valid from/to
  • Public Key
  • Thumbprint algorithm: The hashing method used
  • Thumbprint: The hash itself
  • Certificate Revocation List (CRL): The URL that can be used to check the serial number of any certificates issued by the CA to see if they have been revoked.

Authenticating and Enrolling with a CA

  1. Download the root certificate, verify the hash using an OOB method
    1. This is called authenticating the CA
  2. Create the public/private key pair and send the public portion in the request for an identity certificate

Public Key Cryptography Standards (PKCS)

  • PKCS#10
    • Includes the public key in the request for an Identity Certificate
  • PKCS#7
    • The format in reply to PKCS#10
  • PKCS#1
    • The RSA cryptographic standard
  • PKCS#3
    • Diffie-Hellman key exchange

Cisco Simple Certificate Enrollment Protocol (SCEP)

Is proprietary to Cisco and automates the enrollment process.

Revoked Certificates

Clients must check the CRL when authenticating to ensure the certificate has not been revoked. This ensures the certificate is valid and can be trusted.

Methods to check for Revoked Certificates

  • CRL
  • Online Certificate Status Protocol (OCSP)
    • A client asks the OCSP responder whether a specific certificate is still valid, without downloading and checking the CRL itself.
  • AAA can be used to see if a certificate has been revoked.

PKI Topologies

Because it's not feasible to have one device, a root authority if you will, handing out every certificate, the root CA grants subordinate CAs the ability to issue certificates

Creating the CA with SCEP

crypto key generate rsa label <label> modulus <keysize> noconfirm
crypto ca trustpoint <caname>
 keypair <label>
 id-usage ssl-ipsec
 no fqdn
 subject-name CN=ASA
 enrollment url
crypto ca authenticate <caname> noconfirm


RSA digital signatures: Uses a secret key to encrypt a generated hash and a digital signature is created. The receiver uses the public key to verify the digital signature and verify the identity of the peer.
Digital Certificate: Contains the public key, serial number, signature of the CA that issued the certificate
Public and private keys are used to encrypt and decrypt traffic.
A CA's job is to fulfil certificate requests and to maintain a CRL.
X.509v3 is a common certificate format
PKCS stands for Public Key Cryptography Standards; they are implemented so that vendors share a common standard

Implementing IPsec Site to Site VPN

Protocols in use:
UDP 500 for IKE phase 1 negotiating
UDP 4500 for NAT Traversal
Layer 4:
ESP – ESP encapsulates the entire packet
AH – Lacks encryption for user data

IKE phase 1:
Hash: SHA-1
Encryption: AES 256
Authentication: RSA using PKI
DH Group: 5
Lifetime: Shorter is better

IKE phase 2:
Peer IP address
Interesting ACL
Transform set
HMAC Method
Lifetime of the SA
PFS – PFS can generate a new DH key for the phase 2 tunnel.
Which interface to apply the crypto map


Clientless SSL/Web VPN

  • No client required
  • Web browser based
  • IOS or ASA with correct licensing
  • Looks like PAT from the corporate network
  • Most SSL capable browsers are supported

Clientless SSL VPN with plugins

  • Small applets and/or configuration required to be installed on the host device
  • Can use some software locally over the VPN, as well as the web based clientless VPN
  • IOS and ASA with correct licensing
  • Traffic looks like PAT on port 443
  • Computers with Java and SSL are supported

Full AnyConnect SSL VPN

  • Full client installation required
  • Full access to the corporate network without using any web based methods
  • Clients are assigned their own virtual IP address. Traffic is forwarded from this virtual IP address to the corporate network

Clientless SSL VPN Configuration

group-policy RAVPN internal
group-policy RAVPN attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value <name>
ssl trust-point <trustpoint> outside
webvpn
 enable outside
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 default-group-policy RAVPN
tunnel-group RAVPN webvpn-attributes
 group-url https://<outside address> enable

Monitoring on the ASA

Monitoring -> VPN -> VPN States -> Sessions -> Details


object network <inside-network>
 subnet <inside network> <mask>
object network <vpn-pool-network>
 subnet <pool network> <mask>
ip local pool RAPOOL <first address>-<last address> mask <mask>
group-policy RAVPN internal
group-policy RAVPN attributes
 vpn-tunnel-protocol ssl-client
 wins-server none
webvpn
 enable outside
 anyconnect image flash:/anyconnect-win.pkg
 anyconnect enable
 tunnel-group-list enable
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 default-group-policy RAVPN
 address-pool RAPOOL
nat (inside,outside) 3 source static <inside-network> <inside-network> destination static <vpn-pool-network> <vpn-pool-network> no-proxy-arp route-lookup


About The Author

Timothy started his networking career in 2014, working for one of the largest telecommunication operators in Australia. He has a passion for networking and cyber security. When he's not working, he's obsessing over German Shepherd Dogs.