• The basics of IT security: CIA (Confidentiality, Integrity, Availability)
• Confidentiality.
  - Measures that prevent disclosure of information or data to unauthorized individuals or systems.
• Integrity.
  - Protecting the data from unauthorized alteration or revision.
  - Often ensured through the use of a hash.
• Availability.
  - Making systems and data ready for use when legitimate users need them at any time.
  - Guaranteed by network hardening mechanisms and backup systems.
  - Attacks against availability all fall into the "denial of service" realm.
• Asset.
  - Anything that is valuable to an organization.
• Vulnerability.
  - An exploitable weakness in a system or its design.
• Threat.
  - Any potential danger to an asset.
• Countermeasure.
  - A safeguard that somehow mitigates a potential risk.
• Risk.
  - The potential for unauthorized access to, compromise, destruction, or damage to an asset.
• Classifying Assets.
  - One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class.
• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources
• Classifying Countermeasures.
  - Administrative controls: consist of written policies, procedures, guidelines, and standards.
  - Physical controls: exactly what they sound like, physical security for the network servers, equipment, and infrastructure.
  - Logical controls (technical controls): include passwords, firewalls, IPS, access lists, VPN tunnels, and so on.
• Potential Attackers.
  - Terrorists
  - Criminals
  - Government agencies
  - Nation states
  - Hackers
  - Disgruntled employees
  - Competitors
• Attack Methods.
• Reconnaissance.
  - The discovery process used to find information about the network.
• Social engineering.
  - Leverages the (very likely) weakest vulnerability in a secure system (data, applications, devices, networks): the user.
  - Could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information.
• Phishing.
  - Presents a link that looks like a valid trusted resource to a user.
• Pharming.
  - Used to redirect a customer's URL from a valid resource to a malicious one that could be made to appear as the valid site to the user.
• Privilege escalation.
  - The process of taking some level of access and achieving an even greater level of access.
• Backdoor.
  - An application can be installed to allow access.
• Code execution.
  - When attackers can gain access to a device, they might be able to take several actions.
• Man-in-the-Middle Attacks.
  - Result when attackers place themselves in line between two devices that are communicating.
  - To mitigate this risk, you could use techniques such as DAI (Dynamic ARP Inspection).
• Additional Attack Methods.
• Covert channel.
  - Uses programs or communications in unintended ways.
CCNA Sec Page 2
  - For example, if web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic.
  - Another example is a backdoor application collecting keystroke information from the workstation and then sending it out as ICMP or HTTP packets.
• Trust exploitation.
  - Example: an attacker could leverage access gained to a DMZ host and use that location to launch attacks from there against the inside network.
• Brute-force (password-guessing) attacks.
  - Performed when an attacker's system attempts thousands of possible passwords looking for the right match.
  - Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time.
• DoS (Denial of Service).
  - An attack launched from a single device with the intent to cause damage to an asset.
• DDoS (Distributed Denial of Service).
  - An attack launched from multiple devices, such as a botnet.
• Botnet.
  - A collection of infected computers that are ready to take instructions from the attacker.
• RDoS (Reflected DDoS).
  - The source of the initial (query) packets is spoofed by the attacker.
  - The response packets are then "reflected" back from the unknowing participant to the victim of the attack.
• Guidelines for Secure Network Architecture.
• Rule of least privilege.
  - Minimal access should be provided only to the required network resources.
• Defense in depth.
  - You should have security implemented at nearly every point of your network.
  - Example: filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers as well.
• Separation of duties.
  - Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place.
• Auditing.
  - Accounting and keeping records about what is occurring on the network.
• Common forms of social engineering.
• Phishing.
  - Elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution.
  - The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.
• Malvertising.
  - The act of incorporating malicious ads on trusted websites, which results in users' browsers being inadvertently redirected to sites hosting malware.
• Phone scams.
  - An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack.
• Defenses Against Social Engineering.
• Password management.
  - Rules for the number and type of characters that each password must include, and for how often a password must be changed.
• Two-factor authentication.
  - Use two-factor authentication rather than fixed passwords.
• Antivirus/antiphishing defenses.
• Document handling and destruction.
  - Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
• Physical security.
• Malware Identification Tools.
  - Packet captures.
  - Snort IDS: an open source IDS/IPS developed by the founder of Sourcefire.
  - NetFlow.
  - IPS events.
• Advanced Malware Protection (AMP).
  - Designed for Cisco FirePOWER network security appliances.
  - Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.
• NGIPS (Next-Generation Intrusion Prevention System).
  - The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high inspection throughput rates.

Implementing AAA in Cisco IOS

• Administrative access methods.
  - Password only.
  - Local database.
  - AAA local authentication (self-contained AAA).
  - AAA server-based.
• AAA provides:
  - Authentication: who is permitted to access a network.
  - Authorization: what they can do while they are there.
  - Accounting: records in detail what they did.
• Methods of implementing AAA services.
  - Local AAA authentication: uses a local database stored in the router for authentication.
  - Server-based AAA authentication: uses an external database server that leverages the RADIUS or TACACS+ protocol. Preferred in large environments.
• Server-based authentication.
  - The user establishes a connection with the router.
  - The router prompts the user for a username and password.
  - The router passes the username and password to the Cisco Secure ACS.
  - The ACS authenticates and authorizes the user based on its database.
• ACS (Access Control Server).
  - Can create a central user and administrative access DB that all network devices can access.
  - Can work with many external databases, such as Active Directory.
  - Supports both the TACACS+ and RADIUS protocols.
  - Both protocols can be used to communicate between the AAA client (router) and the AAA server (ACS).
  - Provides user and device group profiles.
  - Restrictions to network access based on a specific time.
  - Can be software installed on a Windows server, or a physical appliance purchased from Cisco.
• RADIUS (Remote Authentication Dial-In User Service).
  - Open standard: RFCs 2865, 2866, 2867, and 2868.
  - Combines authentication and authorization, but separates accounting.
  - Supports the detailed accounting required for billing users, so it is preferred by ISPs.
  - Encrypts only the password; does not encrypt the username or any other data in the message.
  - Used UDP port 1645, now 1812, for authentication and authorization.
  - Used UDP port 1646, now 1813, for accounting.
  - Supports remote-access technologies, 802.1X, and SIP.
• TACACS+ (Terminal Access Controller Access-Control System Plus).
  - Cisco proprietary.
  - Separates authentication and authorization.
  - Provides limited detailed accounting.
  - Encrypts the entire packet body, not only the password.
  - Uses TCP port 49.
  - Multiprotocol support, such as IP and AppleTalk.
  - Incompatible with any previous version of TACACS.
  - AAA clients must run Cisco IOS Release 11.2 or later.
• ISE (Identity Services Engine).
  - An identity and access control policy platform.
  - Can validate that a computer meets the requirements of a company's policy related to virus definition files, service pack levels, and so on before allowing the device on the network.
  - Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent replacement for ACS.
  - ACS should be used mainly for AAA, and ISE for posture and policy compliance checking for hosts.
• Login method types:
  - Enable: uses the enable password for authentication.
  - Line: uses the line password for authentication.
  - Local: uses the local username database for authentication.
  - Local-case: uses case-sensitive local username authentication.
  - Group radius: uses the list of all RADIUS servers for authentication.
  - Group tacacs+: uses the list of all TACACS+ servers for authentication.
  - Group group-name: uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command.
  - None: ensures that the authentication succeeds even if all methods return an error.
• AAA lists.
  - When AAA is enabled, the default list is automatically applied to all interfaces and lines, but with no methods defined unless a predefined list is assigned.
  - If the default method list is not set and there is no other list, only the local user database is checked.
• Authorization.
  - What a user can and cannot do on the network after that user is authenticated.
  - Implemented using an AAA server-based solution.
  - When a user has been authenticated, a session is established with the AAA server.
  - The router requests authorization for the requested service from the AAA server.
  - The AAA server returns a PASS/FAIL for authorization.
  - TACACS+ establishes a new TCP session for every authorization request.
  - When AAA authorization is not enabled, all users are allowed full access.
• To enable AAA:
  R(config)# aaa new-model
• To configure authentication to use the AAA server:
  R(config)# aaa authentication login {list-name | default} method1 [method2 ...]  (maximum 4 methods)
  R(config)# aaa authentication login default group radius group tacacs+ local
  R(config)# aaa authentication enable {list-name | default} group tacacs+ enable
  - Methods are used in order; if there is no response from one, the next is used.
• To specify the number of unsuccessful login attempts (after which the user will be locked out):
  R(config)# aaa local authentication attempts max-fail n
  - The account (non-privilege-15) will stay locked until it is cleared by an administrator.
• To display a list of all locked-out users:
  R# show aaa local user lockout
• To unlock a specific user or all locked users:
  R# clear aaa local user lockout {all | username name}
• To display the attributes that are collected for an AAA session:
  R# show aaa user {all | unique-id}
• To show the unique ID of a session:
  R# show aaa sessions
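To tie the router-side commands in this section together, here is a complete AAA configuration using TACACS+ first with local fallback, local-account lockout, EXEC and command authorization, and accounting, applied to the console and vty lines. This is an added example, not from the original notes; the server address 10.0.0.50, the shared key ExampleKey1, and the local account admin are placeholders.

```cisco
! Added example (not part of the original notes). 10.0.0.50, ExampleKey1
! and the local account "admin" are placeholders.
aaa new-model
!
! Local fallback account, used only when the TACACS+ server does not answer.
username admin privilege 15 secret Str0ngLocalPass
!
! AAA client -> TACACS+ server (same syntax as in these notes).
tacacs-server host 10.0.0.50 key ExampleKey1
!
! Authentication method lists. Methods are tried in order, but the fallback
! happens only when a method returns an ERROR (server unreachable); a FAIL
! (wrong password) from TACACS+ ends the list and never tries "local".
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
!
! Lock a local account after 3 consecutive failed logins. Privilege-15
! accounts are exempt, so the fallback account above cannot be locked out.
! Clear with: clear aaa local user lockout username <name>
aaa local authentication attempts max-fail 3
!
! Authorization. if-authenticated keeps the EXEC shell usable when the
! server is down (any authenticated user is allowed), so pair it with a
! strong local account.
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
!
! Accounting: start/stop records for EXEC sessions and level-15 commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

Verify the router-to-server exchange with test aaa group tacacs+ and debug aaa authentication, as listed in these notes.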
• For vty lines:
  R(config)# line vty 0 4
  R(config-line)# login authentication {name | default}
  R(config-line)# authorization exec {name | default}
• To debug AAA authentication or authorization:
  R# debug aaa {authentication | authorization}
  - Look specifically for GETUSER and GETPASS status messages.
• To configure AAA with CCP:
  CCP > Configure > Router > AAA > ...
• To create a local user account:
  CCP > Router > Router Access > User Accounts/View > Add
• To configure the AAA client (router) with the TACACS+ server:
  R(config)# tacacs-server host ip key the-key
• To configure the AAA client (router) with the RADIUS server:
  R(config)# radius-server host ip key the-key
• AAA Authorization (Router)
• To get the privilege level that should be given to the user from the local user database:
  R(config)# aaa authorization exec default local
• To get the privilege level that should be given to the user from the TACACS+ server:
  R(config)# aaa authorization exec default group tacacs+
• To enable command authorization on the console:
  R(config)# aaa authorization console
• To assign level 15 automatically to any user who has just authenticated:
  R(config)# aaa authorization exec default if-authenticated
• To authorize each command you enter in config mode and its submodes:
  R(config)# aaa authorization config-commands
• To authorize the commands of level x (1-15) users:
  R(config)# aaa authorization commands x default group tacacs+ if-authenticated
  R(config)# no aaa authorization config-commands
• AAA debugging
• To debug AAA:
  R# debug aaa authentication
• To debug RADIUS or TACACS+:
  R# debug {radius | tacacs} events
• AAA Accounting
  - Each session established through the ACS can be fully accounted for and stored on the server.
• To configure AAA accounting:
  R(config)# aaa accounting exec {default | list-name} {start-stop | stop-only} method1 [method2 ...]
• ACS server configurations.
• Network device groups.
  - Groups of network devices, normally based on routers or switches with similar functions, or devices managed by the same administrators.
• Network devices (ACS clients: routers/switches).
  - The individual network devices that go into the device groups.
• Identity groups (user/admin groups).
  - Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.
• User accounts.
  - Individual administrator/user accounts that are placed in identity groups.
• Authorization profiles.
  - These profiles control what rights are permitted.
  - The profile is associated with a network device group and a user/administrator identity group.
• To manage the ACS server:
  https://ip
  - Default username: acsadmin, password: default
• For a trial license: https://www.cisco.com/go/license (username: adelmohammad, pass: P@ssw0rd); get other licenses, demos, and so on; search for "access control".
• To create a device group:
  ACS > Network Resources > Network Device Groups > Device Type > Create
• To add a device to the group:
  Network Resources > Network Devices and AAA Clients > Create
  - Click the Select button to the right of the device type and select the device group.
  - Select TACACS+ and type the password (shared key).
  - In the IP address section select Range and type the range (e.g. 10.0.0.100-200), then click Add.
• To create a user group:
  Users and Identity Stores > Identity Groups > Create
• To create an individual user:
  Users and Identity Stores > Internal Identity Stores > Users > Create
• To create a shell profile:
  Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
  - On the Custom Tasks tab, set Default Privilege to Static and type a privilege level.
• To configure authorization policies (to assign permissions to an identity group to access a device group):
  Access Policies > Access Services > Default Device Admin > Authorization > Create
  - Then select a shell profile or create one (a shell profile has a name and defines a privilege level).
• Verifying and Troubleshooting Router-to-ACS Server Interactions.
  - Ping the ACS server from the router.
  R# test aaa group tacacs+ username password legacy
• Using debug commands to verify functionality.
• To look at the reports on the ACS server:
  Monitoring & Reports > Reports > Catalog > AAA Protocol

Bring Your Own Device (BYOD)

• Allowing users to bring their own network-connected devices while also maintaining an appropriate security posture.
• The organization's security policy must be leveraged to govern the level of access for BYOD devices.
• BYOD Solution Components.
• BYOD devices.
  - The corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location.
• Wireless access points (AP).
  - Provide wireless network connectivity to the corporate network for both local and BYOD devices.
• Wireless LAN (WLAN) controllers.
  - Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution.
  - Used to implement and enforce the security requirements for the BYOD solution.
  - Work with the ISE to enforce both authentication and authorization policies on each BYOD endpoint.
• Identity Services Engine (ISE).
  - The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies put forth by the organization.
• Cisco AnyConnect Secure Mobility Client.
  - Provides connectivity for end users who need access to the corporate network.
  - Inside network users leverage 802.1X to provide secure access to the corporate network.
  - Outside users use the AnyConnect client to provide secure VPN connectivity, including posture checking.
• Integrated Services Routers (ISR).
  - Used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments.
  - Can provide VPN connectivity for mobile devices that are part of the BYOD solution.
• Adaptive Security Appliance (ASA).
  - Provides all the standard security functions for the BYOD solution at the Internet edge.
  - Can provide IPS and VPN for end devices.
• Cloud Web Security (CWS).
  - Provides enhanced security for all the BYOD solution endpoints while they access the Internet.
• RSA SecurID.
  - The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication.
• Active Directory.
  - Restricts access to those users with valid authentication credentials.
• Certificate authority.
  - The CA server ensures that only devices with corporate certificates can access the corporate network.
• Mobile Device Management (MDM).
  - Deploys, manages, and monitors the mobile devices that make up the Cisco BYOD solution.
  - Specific functions provided by MDM include:
    - Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached).
    - Enforcement of strong passwords for all BYOD devices.
    - Detection of attempts to "jailbreak" or "root" BYOD devices, specifically smartphones, and then attempting to use these compromised devices on the corporate network.
    - Enforcement of data encryption requirements based on an organization's security policies.
    - Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.
• MDM Deployment Options.
• On-Premise MDM Deployment.
  - MDM application software is installed and maintained on servers within the corporate data center.
  - Consists of the following topology and network components:
    - Data center: the servers and ISE to enforce posture assessment and access control.
    - Internet edge: includes an ASA firewall, WLC, and the MDM, which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices.
    - Services: contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate.
    - Core: serves as the main distribution and routing point for all network traffic traversing the corporate network environment.
    - Campus building: a distribution switch provides the main ingress/egress point for all network traffic entering and exiting the campus environment.
• Cloud-Based MDM Deployment.
  - MDM application software is hosted, managed, and maintained by a service provider who is solely responsible for the BYOD solution.
  - Consists of the following topology and network components:
    - Data center: the servers and ISE to enforce posture assessment and access control.
    - Internet edge: includes an ASA firewall, WLC, and the MDM, which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices.
    - WAN: provides MPLS VPN connectivity for the branch office back to the corporate network, Internet access for the branch office, and access to the cloud-based MDM functionality. The cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all of the BYOD devices.
    - WAN edge: serves as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office environment.
    - Services: contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate.
    - Core: serves as the main distribution and routing point for all network traffic traversing the corporate network environment.
    - Branch office: all users requiring network connectivity within the branch office do so through either hardwired connections to the access switches or via WLAN access to the corporate APs.