Thursday 2 February 2012

640-553 IINS Security

Goals of Network Security: Confidentiality, Integrity, Availability
Government and Military Classification Model: Unclassified, Sensitive but Unclassified, Confidential, Secret, Top-secret.
Organisational Classification: Public, Sensitive, Private, Confidential
Classification Roles: Owner (decides the classification), Custodian (implements the controls, e.g. backups and access rights), User (works with the data within policy)
Controls in a Security Solution: Administrative, Physical, Technical. Further classified as Preventive, Deterrent, Detective.
Security Incident: Motive, Means, Opportunity
Legal and Ethical Ramifications: Criminal Law, Civil Law, Administrative Law
Attack Categories: Passive, Active, Close-in, Insider, Distribution
Defence in Depth: layered controls rather than one perimeter, e.g. a Host-based Intrusion Prevention System (HIPS) on the endpoint behind a Network-based Intrusion Prevention System (NIPS) inline at the perimeter and a Network-based Intrusion Detection System (NIDS) watching a SPAN port
IP Spoofing: blind (attacker is off-path, never sees the replies and must predict sequence numbers) / nonblind (attacker is on the same segment and can sniff the replies)
Confidentiality Attack Strategies: Packet Capture, Ping sweep / port scan, dumpster diving, EMI interception, wiretapping, social engineering, sending information over overt / covert channels.
Integrity Attack Strategies: Salami attack, data diddling, trust relationship exploitation, password attack, botnet, session hijack
Availability Attack Strategies: Denial of Service, DDoS, TCP SYN Flood, ICMP Attacks, Electrical Disturbance, physical attacks

System Development Life Cycle

  • Initiation (security categorization and preliminary risk assessment)
  • Acquisition and development (risk assessment, security functional requirement analysis, security assurance requirements analysis, cost considerations and reporting, security planning, security control development, developmental security test and evaluation)
  • Implementation (inspection and acceptance, system integration, security certification, security accreditation)
  • Operations and maintenance (configuration management and control, continuous monitoring)
  • Disposition (Information preservation, media sanitation, hardware and software disposal).
Operations Security Overview:
  • Separation of duties
  • Rotation of duties
  • Trusted recovery
  • Configuration and change control
Disruptions: Nondisaster, disaster, catastrophe
Backup Sites: Hot site, warm site, cold site.

Security Policies: governing policy, technical policies, end user policies

Router Security:


#security authentication failure rate 5 log
Logs a message and imposes the 15 second delay after 5 consecutive failed login attempts instead of the default 10.


#conf t
#privilege exec level 6 debug
#username bob privilege 5 password bob
Moves the debug command (and everything under it) from level 15 to level 6; bob, created at level 5, can no longer run debug while anyone at level 6 or above still can. Commands are moved, not copied, so verify with show privilege from each level. Prefer `username bob privilege 5 secret ...`: `password` is stored in clear text (or, with service password-encryption, in the trivially reversible type 7 form) whereas `secret` stores a hash.

Enabling Views (role-based CLI access; requires aaa new-model)
#enable view
password: <enter enable secret>
#conf t

#parser view MyView
#secret 0 password
#commands exec exclude show
#username bob view MyView password 0 bob
Creates a view called MyView from which every show command is excluded and assigns bob to it; after login bob lands in MyView instead of the full privilege-15 exec. `secret 0 <text>` takes the view password in clear text on the command line and stores it hashed; the other command keywords are include and include-exclusive.

Protecting Router Files (IOS Resilient Configuration)
#conf t
#secure boot-image
#secure boot-config
#do show secure bootset
boot-image hides the running IOS image from dir and protects it from deletion; boot-config keeps a secure copy of the running configuration in persistent storage. Neither can be switched off over a remote session: the no form is only accepted from the console.

VTY Security
#conf t
#login block-for <seconds> attempts <attempts> within <seconds>
#login quiet-mode access-class <ACL>
The first command puts the device into a quiet period (all login attempts refused) for the given number of seconds once <attempts> failures occur inside the watch window; the second names an ACL of hosts that may still log in during the quiet period, so an administrator is not locked out together with the attacker.

#login delay <seconds>
#login on-failure log
#login on-success log
#do show login
login delay enforces a fixed pause between successive attempts; on-failure / on-success log produce the %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS syslog messages a collector can alert on; show login displays the current quiet-mode state and counters.

Cisco Secure Access Control Server (ACS):

Ports used:
RADIUS Authentication / Authorization: 1645, 1812 (UDP)
RADIUS Accounting: 1646, 1813 (UDP)
TACACS+: 49 (TCP)
Various other management: 2000 - 2002 (TCP)

Sample IOS Configuration:

#conf t

#aaa new-model
#tacacs-server host 192.168.1.1
#tacacs-server key c1sco
#aaa authentication login default group tacacs+ local
The `local` fallback is only tried when the TACACS+ server is unreachable, not when it rejects the credentials; without it a dead ACS locks everyone out, console included. aaa new-model takes effect immediately, so define a local user and test from a second session before closing the one you configured from.

Securing the Router

#auto secure
One-step lockdown of router security (disables unneeded services, enables logging and login hardening, and so on). The same lockdown is offered by Cisco SDM (Security Device Manager) via Configure --> Security Audit. Review the generated configuration afterwards rather than trusting it blind; its choices are generic.

Syslog severity levels:

Lower numbers are more severe. logging trap <level> (likewise logging console / logging buffered <level>) sends messages at that level and every more-severe one, so logging trap 4 forwards 0 through 4 and drops notifications, informational and debugging.

Level - Name - Description

0 - Emergencies - system unusable
1 - Alerts - Requires immediate attention
2 - Critical - possible interruption of services
3 - Errors - system is still usable, errors are occurring
4 - Warnings - certain operations failed to complete
5 - Notifications - alert administrators about a state change
6 - Informational - normal operation alerts
7 - Debugging -  detailed troubleshooting info
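As an added example (not from the original notes), the following Python parses IOS-format syslog lines, maps the numeric severity in the %FACILITY-SEVERITY-MNEMONIC tag to the level names in the table, filters the way logging trap does, and counts failed logins per source the way the messages from login on-failure log would be triaged on a collector. The sample lines are constructed in IOS format, not captured from a device.

```python
import re
from collections import Counter

# Added example (not from the original notes): parse Cisco IOS syslog lines, map the numeric
# severity carried in the %FACILITY-SEVERITY-MNEMONIC tag to the level names above, filter the
# way 'logging trap <level>' does, and count failed logins per source the way the messages
# from 'login on-failure log' would be triaged on a collector.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The tag is the stable part of an IOS log line; whatever precedes it (sequence number,
# timestamp, hostname added by a remote collector) is ignored.
TAG_RE = re.compile(r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
SOURCE_RE = re.compile(r"\[Source:\s*(?P<src>[^\]]+)\]")   # "[Source: 203.0.113.7]" in SEC_LOGIN messages


def parse_message(line):
    """Return a dict for one IOS log line, or None if it carries no %TAG."""
    m = TAG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": sev, "level": SEVERITY_NAMES[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def messages_forwarded(lines, trap_level):
    """Messages that 'logging trap <trap_level>' would send on.

    Lower numbers are more severe, so trap level 4 forwards severities 0..4 (emergencies
    through warnings) and suppresses notifications, informational and debugging.
    """
    parsed = (parse_message(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= trap_level]


def failed_logins_by_source(lines):
    """Count %SEC_LOGIN-4-LOGIN_FAILED events per source address."""
    counts = Counter()
    for line in lines:
        p = parse_message(line)
        if p and p["facility"] == "SEC_LOGIN" and p["mnemonic"] == "LOGIN_FAILED":
            s = SOURCE_RE.search(p["text"])
            if s:
                counts[s.group("src").strip()] += 1
    return counts


def brute_force_sources(lines, attempts=3):
    """Sources that reached the failure count a 'login block-for ... attempts 3 ...' would react to."""
    return sorted(src for src, n in failed_logins_by_source(lines).items() if n >= attempts)


# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE_LOG = """
*Feb  2 09:12:01.117: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.20)
*Feb  2 09:12:44.301: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 09:12:44 UTC Thu Feb 2 2012
*Feb  2 09:12:46.902: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 09:12:46 UTC Thu Feb 2 2012
*Feb  2 09:12:49.015: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 09:12:49 UTC Thu Feb 2 2012
*Feb  2 09:12:49.120: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 09:12:49 UTC Thu Feb 2 2012
*Feb  2 09:13:10.400: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.1.1.20] [localport: 22] at 09:13:10 UTC Thu Feb 2 2012
*Feb  2 09:14:02.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Feb  2 09:14:02.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Feb  2 09:15:00.500: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug test
"""
SAMPLE_LINES = [line for line in SAMPLE_LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    for p in messages_forwarded(SAMPLE_LINES, 4):
        print(f"{p['severity']} {p['level']:<13} %{p['facility']}-{p['severity']}-{p['mnemonic']}")
    print("failed logins:", dict(failed_logins_by_source(SAMPLE_LINES)))
    print("block candidates:", brute_force_sources(SAMPLE_LINES))
```

Run as a script it lists the five messages a trap level of 4 would forward and flags 203.0.113.7 after its third failure, which is the same threshold login block-for would act on locally; the difference is that the collector keeps the evidence after the quiet period has expired.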

SSH Configuration:

#conf t
#hostname R1
#ip domain-name mydomain.local
#crypto key generate rsa general-keys modulus 1024
RSA key generation needs a non-default hostname and a domain name (the key is labelled hostname.domain; R1 is just an example). 1024 bits was the recommended minimum when these notes were written; use 2048 or larger now.
#ip ssh version 2
#do show crypto key mypubkey rsa
#line vty 0 4
#transport input ssh
transport input ssh replaces the default transport input all, so Telnet is refused on the VTYs without a separate no transport input telnet. ip ssh version 2 is worth setting explicitly: by default IOS accepts both versions (shown as 1.99) and a client can negotiate the weaker one.

To remove all RSA keys (this also disables the SSH server until a new key is generated):
#conf t
#crypto key zeroize rsa

Layer 2 Security

VLAN Hopping - switch spoofing and double tagging. Switch spoofing: the attacker's port negotiates a trunk over DTP (the default dynamic port mode allows this) and then carries every VLAN; the fix is switchport mode access plus switchport nonegotiate on user ports. Double tagging: an attacker sitting in the trunk's native VLAN sends a frame with two 802.1Q tags; the first switch strips the outer (native VLAN) tag when forwarding over the trunk, the second switch reads the inner tag and delivers the frame into the victim VLAN. It is one-way (there is no return path) and only works when the attacker's access VLAN equals the trunk's native VLAN, so use an otherwise unused VLAN as native and configure vlan dot1q tag native.
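The double-tagging hop traced in code, as an added example that is not part of the original notes: it builds and parses 802.1Q-tagged Ethernet frames and models the trunk behaviour the attack relies on. The two-switch model is the textbook description (native-VLAN frames leave a trunk untagged, the receiving switch classifies by the outermost tag) rather than any particular platform, and the frames and MAC addresses are constructed.

```python
import struct

# Added example (not from the original notes): build and parse 802.1Q-tagged Ethernet
# frames and trace the double-tagging hop through a simplified two-switch model.
# Switch behaviour here is the textbook description, not a model of any specific platform.
ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800


def mac_bytes(mac):
    """'0000.aaaa.0001' or '00:00:aa:aa:00:01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def mac_str(raw):
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_frame(dst, src, vlans, payload, ethertype=ETH_P_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        # TPID 0x8100 followed by the TCI; PCP and DEI are left at 0 here.
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    off = 12
    vlans = []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return mac_str(frame[:6]), mac_str(frame[6:12]), vlans, ethertype, frame[off + 2:]


def trunk_transmit(frame, native_vlan, tag_native=False):
    """What an 802.1Q trunk puts on the wire for a frame it forwards.

    Native-VLAN traffic is sent untagged unless 'vlan dot1q tag native' is configured, so
    the outer tag is removed and whatever sat beneath it becomes the outermost tag.
    """
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    if vlans and vlans[0] == native_vlan and not tag_native:
        return build_frame(dst, src, vlans[1:], payload, ethertype)
    return frame


def double_tag_hop(attacker_frame, native_vlan, tag_native=False):
    """VLAN the second switch delivers the attacker's frame into.

    Switch 1 forwards the frame across the trunk (stripping the native tag if it matches);
    switch 2 classifies by the outermost remaining tag, or by the native VLAN if the frame
    arrives untagged.
    """
    on_wire = trunk_transmit(attacker_frame, native_vlan, tag_native)
    vlans = parse_frame(on_wire)[2]
    return vlans[0] if vlans else native_vlan


if __name__ == "__main__":
    # Constructed attacker frame: outer tag 1 (the usual native VLAN), inner tag 20 (victim).
    atk = build_frame("ffff.ffff.ffff", "0000.aaaa.0001", [1, 20], b"constructed payload")
    print("native VLAN 1, untagged native :", double_tag_hop(atk, native_vlan=1))
    print("native VLAN 999 (unused)       :", double_tag_hop(atk, native_vlan=999))
    print("native VLAN 1, tag native       :", double_tag_hop(atk, native_vlan=1, tag_native=True))
```

The first line of output is the hop (the frame lands in VLAN 20); the other two show why changing the native VLAN to an unused one, or tagging native traffic, stops it: the outer tag is never stripped, so the second switch keeps the frame in VLAN 1.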

#conf t
#interface g1/0/1
#spanning-tree guard root
If a superior BPDU (one advertising a better root bridge) is received on this port it goes into the "root inconsistent" (blocking) state until the superior BPDUs stop. Enable it on every port that must never become a path to the root bridge, i.e. ports facing access switches and hosts, not the uplinks towards the real root.


#conf t
#interface g1/0/1
#spanning-tree portfast
#spanning-tree bpduguard enable

PortFast moves the port straight to forwarding (no listening/learning delay) and BPDU guard err-disables it on receipt of any BPDU, i.e. the moment a switch or a bridging tool is plugged into what should be a host port. spanning-tree portfast bpduguard default, configured globally, does the same for every PortFast port at once.

#conf t
#ip dhcp snooping
#ip dhcp snooping vlan 1,10,20-30
#interface g1/0/1
#ip dhcp snooping trust
Enables DHCP snooping globally and on VLANs 1, 10 and 20 through 30, and makes g1/0/1 a trusted port (the real DHCP server, or the uplink towards it, sits behind it). All other ports are untrusted by default: DHCP server messages (OFFER, ACK, NAK) arriving on them are dropped, which defeats a rogue server. The bindings (MAC, IP, VLAN, port, lease) learned from legitimate exchanges form the DHCP snooping binding table that DAI and IP Source Guard consult.

#conf t
#ip arp inspection vlan 10
#interface g1/0/1
#ip arp inspection trust
Enables DAI (Dynamic ARP Inspection) on VLAN 10 and makes g1/0/1 a trusted port (ARP on it is not inspected; use this for uplinks to other switches). On untrusted ports DAI intercepts every ARP packet, request and reply, and drops it unless the sender IP/MAC pair is in the DHCP snooping binding table (or an ARP ACL for statically addressed hosts), which defeats ARP poisoning. DHCP snooping must therefore already be running on the VLAN.

#conf t
#access-list 101 permit tcp any host 192.168.1.1 eq smtp
#vlan access-map JUST_MAIL 10
#match ip address 101
#action forward
#exit
#vlan filter JUST_MAIL vlan-list 10-20
Creates a VACL that forwards SMTP to 192.168.1.1 and applies it to VLANs 10 through 20. Traffic matching no sequence in the access-map is dropped, so this single clause is enough to allow only SMTP to that host. Note that a VACL also filters traffic bridged between hosts inside the same VLAN, which a router ACL never sees.

Private VLAN (PVLAN) Port Types:
  • Promiscuous - can communicate with all other PVLAN ports
  • Isolated - can only communicate with promiscuous ports
  • Community - can communicate with other ports in the same community and promiscuous ports
Port Security - when a frame arrives from a source MAC beyond the port's configured maximum (exactly what a CAM table overflow tool such as macof provokes) the port applies its violation mode:
  • Protect - frames from unknown source MACs are dropped silently; known ones are still forwarded. No counter, trap or syslog message, so the administrator never finds out.
  • Restrict - same as protect but the violation counter increments and an SNMP trap and syslog message are generated (if traps and logging are configured).
  • Shutdown - the port goes err-disabled (the default mode); recover with shutdown / no shutdown or errdisable recovery.
Secure MAC Address Types

  • Static Secure MAC - statically configured on the port with switchport port-security mac-address <address>; stored in the running config
  • Sticky Secure MAC - learned dynamically and written into the running config as switchport port-security mac-address sticky <address>; survives a reload only if the config is saved
  • Dynamic Secure MAC - learned dynamically but held only in the address table, never in the running config, so it is forgotten on reload
Default setting on switchports is:

#switchport mode dynamic desirable
(the port negotiates with DTP and forms a trunk if the far side is a switch, otherwise behaves as an access port; newer Catalyst platforms default to dynamic auto, which still trunks when the peer asks). Either default lets a host that speaks DTP turn its port into a trunk, and port security is rejected on a dynamic port, so user ports get switchport mode access first.


#int fa0/1
#switchport mode access
#switchport port-security
(the mode must be access or trunk, and nothing is enforced until the bare switchport port-security command is given)
#switchport port-security maximum 1
(only allow one MAC address on the interface)
#switchport port-security violation protect | restrict | shutdown
(protect = first MAC works, others are dropped silently; restrict does the same but counts and logs; shutdown err-disables the port)
#switchport port-security mac-address sticky
(the first address learned is written to the running config and is the only one allowed)


#show port-security interface fa0/1 
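To see the three violation modes and the three secure-MAC types side by side, here is an added example (not from the original notes) that models one port-secured interface in Python and floods it with random source MACs the way macof does. The log strings are modelled on the real IOS messages; the port names, MAC addresses and the reload behaviour (err-disabled is operational state, so the port returns after a reboot) are assumptions of the model.

```python
import random
from collections import OrderedDict

# Added example (not from the original notes): a model of one port-secured switch port so
# the three violation modes and the three secure-MAC types can be exercised against a
# macof-style CAM table flood. Log strings are modelled on the real IOS messages.


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        assert violation in ("protect", "restrict", "shutdown")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure_macs = OrderedDict((m, "static") for m in static)   # mac -> type
        self.err_disabled = False
        self.violations = 0      # what 'show port-security' reports as SecurityViolation count
        self.dropped = 0
        self.log = []

    def receive(self, src_mac):
        """A frame arrives from src_mac; return True if forwarded, False if dropped."""
        if self.err_disabled:
            self.dropped += 1
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Room left: learn it. Sticky addresses go into the running config,
            # dynamic ones only into the address table.
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Table full and the source is unknown: a security violation.
        self.dropped += 1
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                            f"{self.name}, putting {self.name} in err-disable state")
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                            f"caused by MAC address {src_mac} on port {self.name}.")
        # protect: dropped silently, no counter, no message
        return False

    def running_config(self):
        """Lines 'show running-config interface <name>' would show for this port."""
        lines = [f"interface {self.name}",
                 " switchport mode access",          # port security is rejected on a dynamic port
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            # dynamic secure MACs never appear in the configuration
        return lines

    def reload(self):
        """Reboot after 'write memory': static and sticky entries survive, dynamic ones do not.
        Err-disabled is operational state, not configuration, so the port comes back up."""
        self.secure_macs = OrderedDict((m, k) for m, k in self.secure_macs.items() if k != "dynamic")
        self.err_disabled = False


def flood(port, count, seed=1):
    """Send `count` frames with pseudo-random source MACs (what macof does); return how many got through."""
    rng = random.Random(seed)
    forwarded = 0
    for _ in range(count):
        mac = "%04x.%04x.%04x" % (rng.getrandbits(16), rng.getrandbits(16), rng.getrandbits(16))
        if port.receive(mac):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("FastEthernet0/1", maximum=1, violation=mode, sticky=True)
        port.receive("0000.1111.aaaa")                      # the legitimate host
        through = flood(port, 1000)
        legit = port.receive("0000.1111.aaaa")              # does the real host still work?
        print(f"{mode:9} forwarded={through} violations={port.violations} "
              f"err-disabled={port.err_disabled} legit_host_ok={legit} log_lines={len(port.log)}")
    print("\n".join(port.running_config()))
```

The run shows the trade-off the three modes make: protect and restrict keep the legitimate host working through the flood (restrict is the one that tells you about it), while shutdown stops the flood after a single frame but takes the real host down with it, which is an easy denial of service for anyone who can spoof one MAC.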



802.1x

  • Supplicant - end user device (PC etc.) seeking access to the network; talks EAP over LAN (EAPOL) to the switch
  • Authenticator - the switch (or access point) between supplicant and authentication server; it relays the EAP exchange, re-encapsulating EAPOL from the supplicant into RADIUS attributes towards the server, and opens or blocks the port on the result
  • Authentication Server - RADIUS server that performs the authentication
#conf t
#int fa0/1
#dot1x port-control force-authorized | force-unauthorized | auto
(force-authorized is the default and means no authentication at all; auto is the setting that actually enforces 802.1x)

Extensible Authentication Protocols
  • EAP-MD5 - challenge/response using an MD5 hash of the password; no tunnel and no mutual authentication, so it is open to offline dictionary attack and server spoofing
  • EAP-TLS - mutual authentication with X.509 certificates on both client and server inside a TLS tunnel; strongest of the four, but every supplicant needs a certificate
  • PEAP (MS-CHAP v2) - the server's certificate sets up a TLS tunnel and MS-CHAPv2 runs inside it; only the server needs a certificate
  • EAP-FAST - similar to PEAP but the tunnel is established with a shared secret (the PAC, Protected Access Credential) instead of a server certificate
#conf t
#dot1x guest-vlan supplicant
Guest VLAN: with this global command the guest VLAN is also offered to clients that are 802.1x-capable but fail to authenticate, not only to clients that never send EAPOL at all.


802.1x Authenticator Configuration

#conf t
#aaa new-model
#radius-server host <server-ip> key <shared-key>
#aaa authentication dot1x default group radius
#aaa authorization network default group radius
The radius-server line gives the methods a server to query. The last command is optional and instructs the authenticator to accept VLAN assignment and other attributes returned by the authentication server.
#dot1x system-auth-control
enable dot1x authentication globally on the switch
#int g1/0/1
#switchport mode access
#dot1x port-control auto
commands below are optional
#dot1x host-mode multi-host
(one authenticated supplicant opens the port for every MAC behind it; the default single-host mode allows one)
#dot1x guest-vlan <vlan-id>
#dot1x auth-fail vlan <vlan-id>
(guest VLAN for clients with no supplicant; auth-fail VLAN for clients that tried and failed)

#show dot1x
#show dot1x [all | interface]
#show aaa servers

Worm Attacks

A worm has three components: an enabling vulnerability, a propagation mechanism and a payload. The attack itself runs through five phases: probe (find vulnerable hosts), penetrate (exploit them), persist (survive reboots and stay resident), propagate (scan and attack from the newly infected host) and paralyse (deliver the payload, e.g. damage or denial of service).

SAN Security

FCIP =  Fibre Channel over IP
FCSP = Fibre Channel Security Protocol
FCAP = Fibre Channel Authentication Protocol
iSCSI = Internet Small Computer Systems Interface
LUN =  Logical Unit Number
HBA = Host Bus Adaptor 
WWN = World Wide Name
VSAN = Virtual Storage Area Network
DHCHAP = Diffie-Hellman Challenge Handshake Authentication Protocol

ACL Types:

IP Standard ACL: 1 - 99 and 1300 - 1999
IP Extended ACL: 100 - 199, 2000 - 2699

Turbo ACLs - #access-list compiled (compiles long ACLs into lookup tables so matching time no longer grows with the number of entries; available on the 7200, 7500 and 12000 series)

Standard - permit / deny on source address only. Apply as close to the destination as possible: since they cannot distinguish destinations, placing them near the source would block more than intended.
e.g.
#access-list 50 deny 192.168.1.0 0.0.0.255
#access-list 50 permit any
#interface f0/0
#ip access-group 50 out

Extended - permit / deny on source and / or destination address, protocol and port number. Apply as close to the source as possible so unwanted traffic is dropped before it crosses the network.
e.g.
#access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 80
#interface f0/0
#ip access-group 100 in

Named - entries get sequence numbers (10, 20, ... by default), so a single line can be removed with no <seq> or inserted in the middle with <seq> permit ... without rebuilding the whole list.
e.g.
#ip access-list extended MY_ACL
#permit tcp any any established
#permit tcp any host 1.2.3.4 eq 80
#interface fa0/0
#ip access-group MY_ACL in 


#sh access-lists MY_ACL
Extended IP access list MY_ACL
    10 permit tcp any any established
    20 permit tcp any host 1.2.3.4 eq www

Established - the established keyword on a TCP entry matches segments with the ACK or RST bit set, i.e. anything that is not a new connection request. It cannot tell a genuine reply from a crafted segment, so an attacker can reach any port behind permit tcp any any established simply by setting the ACK bit (an ACK scan). Reflexive ACLs fix this by creating temporary entries for the exact addresses and ports of each outbound session and removing them when it ends; CBAC and the zone-based firewall go further by tracking connection state.
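The ACL semantics above (wildcard masks, first match wins, the implicit deny, and what established really tests) as an added example in Python that is not part of the original notes. It evaluates constructed packets against the MY_ACL entries from the named-ACL example plus an explicit deny, and against standard list 50; only a handful of port names are understood and the eq operator is the only port operator implemented.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the original notes): a small IOS ACL evaluator implementing
# wildcard-mask matching, first-match-wins ordering, the implicit deny and the
# semantics of the 'established' keyword. Port names cover only a few common services.
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "ssh": 22, "domain": 53, "ftp": 21}
ANY = (0, 0xFFFFFFFF)

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must equal the base address, a 1 bit is don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return ((ip2int(addr) ^ base) & care) == 0

@dataclass
class Ace:
    action: str                     # permit | deny
    proto: str                      # ip | tcp | udp | icmp
    src: Tuple[int, int]            # (base, wildcard)
    dst: Tuple[int, int]
    sport: Optional[Tuple[int, int]] = None   # inclusive range, None = any port
    dport: Optional[Tuple[int, int]] = None
    established: bool = False

def _take_addr(tokens):
    """any | host A.B.C.D | A.B.C.D W.X.Y.Z"""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (ip2int(tokens.pop(0)), 0)
    return (ip2int(tok), ip2int(tokens.pop(0)))

def _take_port(tokens):
    """Only 'eq <port|name>' is supported; lt/gt/range are left out for brevity."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        t = tokens.pop(0)
        p = PORT_NAMES[t] if t in PORT_NAMES else int(t)
        return (p, p)
    return None

def parse_ace(line):
    """Accepts numbered ('access-list 101 permit ...') and named ('permit ...') syntax."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line}")
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):            # extended ACL
        proto = tokens.pop(0)
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
        return Ace(action, proto, src, dst, sport, dport, "established" in tokens)
    return Ace(action, "ip", _take_addr(tokens), ANY)          # standard ACL: source only

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def _port_ok(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace.src) and wildcard_match(pkt["dst"], *ace.dst)):
        return False
    if ace.proto in ("tcp", "udp") and not (
            _port_ok(pkt.get("sport", 0), ace.sport) and _port_ok(pkt.get("dport", 0), ace.dport)):
        return False
    if ace.established:
        # Only the ACK/RST bits are examined: a crafted ACK segment looks "established".
        if pkt["proto"] != "tcp" or not (pkt.get("flags", set()) & {"ACK", "RST"}):
            return False
    return True

def evaluate(acl, pkt):
    """First match wins. Returns (action, sequence) with sequence numbers 10, 20, ... as a
    named ACL shows them; ('deny', None) is the implicit deny at the end of every ACL."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, n * 10
    return "deny", None

# Constructed sample ACLs (the named one is MY_ACL above plus an explicit deny) and packets.
NAMED_ACL = parse_acl("""
permit tcp any any established
permit tcp any host 1.2.3.4 eq www
deny ip any any
""")
STANDARD_50 = parse_acl("""
access-list 50 deny 192.168.1.0 0.0.0.255
access-list 50 permit any
""")

def tcp(src, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": 40000, "dport": dport, "flags": set(flags)}

if __name__ == "__main__":
    for pkt in (tcp("203.0.113.9", "1.2.3.4", 80, "SYN"),
                tcp("203.0.113.9", "1.2.3.4", 22, "SYN"),
                tcp("203.0.113.9", "1.2.3.4", 22, "ACK")):   # ACK scan slips past entry 10
        print(f"tcp {pkt['src']} -> {pkt['dst']}:{pkt['dport']} {sorted(pkt['flags'])} => {evaluate(NAMED_ACL, pkt)}")
```

The third packet is the point: a SYN to port 22 is stopped by the explicit deny at sequence 30, but the same packet with the ACK bit set is accepted by sequence 10, which is why established is a convenience for return traffic rather than a firewall.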

Lock and Key Access List - the user telnets to the router (10.10.10.6) and authenticates as cisco/cisco; the autocommand then creates a temporary entry from the dynamic line of ACL 101 and disconnects the session. access-enable timeout 1 is the idle timeout in minutes (the entry is removed after one minute without matching traffic) and timeout 120 on the dynamic line is the absolute timeout in minutes after which the entry goes regardless; the show command below displays the remaining time. As written the dynamic entry is permit ip any any, so the router is opened to every host as soon as one user authenticates; access-enable host timeout 1 limits the created entry to the source address of the telnet session.


interface FastEthernet0/0
 ip address 10.10.10.6 255.255.255.0
 ip access-group 101 in
!
username cisco password cisco
!
access-list 101 permit tcp any host 10.10.10.6 eq telnet
access-list 101 dynamic ALLOW_TELNET timeout 120 permit ip any any
!
line vty 0 4
 exec-timeout 0 0
 login local
 autocommand  access-enable timeout 1
!



R6#show access-lists

Extended IP access list 101
    10 permit tcp any host 10.10.10.6 eq telnet (114 matches)
    20 Dynamic ALLOW_TELNET permit ip any any
       permit ip any any (26 matches) (time left 20)




Router Based Firewalls

CBAC = Context-Based Access Control (the classic IOS firewall): inspects outbound sessions and dynamically opens temporary ACL entries for the returning TCP and UDP traffic, with application awareness for protocols that negotiate extra ports.

Cisco IOS Zone-Based Firewall - interfaces are placed in zones; traffic between two zones is dropped unless a zone-pair with a policy allows it, while traffic between interfaces in the same zone flows freely.

To create the zones and assign interfaces:
#zone security DMZ-zone
#zone security out-zone
#interface fa0/0
#zone-member security out-zone
#interface fa0/1
#zone-member security DMZ-zone

To create a class map (match-any: any one of its match lines qualifies):
#class-map type inspect match-any SMTP-DMZ
#match protocol smtp

To create a policy:
#policy-map type inspect Towards-DMZ
#class type inspect SMTP-DMZ
#pass
#class class-default
#drop

To create a zone pair and attach the policy (direction matters: source to destination):
#zone-pair security EXTERNAL-TO-DMZ source out-zone destination DMZ-zone
#service-policy type inspect Towards-DMZ

Valid actions for a class in a policy are: inspect (stateful; return traffic is allowed automatically), pass (stateless; the reverse direction needs its own zone-pair and policy, so inspect is normally the better choice for the SMTP class above), drop. Anything not matched by a named class falls into class-default, whose default action is drop.


IPS/IDS

IPS/IDS detection methods;

  • Signature Based
  • Policy Based
  • Anomaly Based
  • Honeypot (a decoy system; any traffic to it is suspect by definition)


Site to Site VPN

The ISAKMP policy (encryption, hash, authentication method, DH group), the pre-shared key, the transform set and the crypto map must be mirrored at the other site, with the peer address and the crypto ACL's source and destination swapped (R1 peers with 192.168.1.2 and permits 192.168.100.0/24 to 192.168.200.0/24). The SA lifetimes do not have to match, the lower value wins in the negotiation, but 5000 kilobytes is tiny next to the default 4,608,000 KB and will force constant rekeying. Two other things to notice in this running config: the pre-shared key is the word cisco, and HTTP management is enabled (ip http server) while HTTPS is off (no ip http secure-server), which should be the other way round or both disabled.



crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.1.1
!
crypto ipsec security-association lifetime kilobytes 5000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto map R2-R1 100 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set MyTransformSet
 match address R2-R1-VPN
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map R2-R1
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip forward-protocol nd
ip route 192.168.100.0 255.255.255.0 192.168.1.1
!
!
!
!
ip access-list extended R2-R1-VPN
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255