CCNA Security

1. Chapter 19 - Fundamentals of IP Security

2. Chapter 1 - Networking Security Concepts

2.1. Concepts

2.1.1. Confidentiality

2.1.1.1. There are two types of data: data in motion as it moves across the network; and data at rest, when data is sitting on storage media (server, local workstation, in the cloud, and so forth). Confidentiality means that only the authorized individuals/systems can view sensitive or classified information. This also implies that unauthorized individuals should not have any type of access to the data. Regarding data in motion, the primary way to protect that data is to encrypt it before sending it over the network. Another option you can use with encryption is to use separate networks for the transmission of confidential data. Several chapters in this book focus on these two concepts.

2.1.2. Integrity

2.1.2.1. Integrity for data means that changes made to data are done only by uthorized individuals/systems.Corruption of data is a failure to maintain data integrity.

2.1.3. Availability

2.1.3.1. This applies to systems and to data. If the network or its data is not available to authorized users—perhaps because of a denial-of-service (DoS) attack or maybe because of a general network failure—the impact may be significant to companies and users who rely on that network as a business tool. The failure of a network generally equates to loss of revenue. Perhaps thinking of these security concepts as the CIA might help you remember them: confidentiality , integrity , and availability .

3. Chapter 2 - Understanding Security Policies Using a Lifecycle Approach

3.1. Secure Network Lifecycle

3.1.1. Initiation

3.1.2. Acquisition and development

3.1.3. Implementation

3.1.4. Operations and maintenance

3.1.5. Disposition

3.2. Risk management

3.2.1. Value of the asset

3.2.2. Vulnerabilities

3.2.3. Potencial threats

3.2.4. Compliance issues

3.2.5. Business requirements

3.3. Security Policies

3.3.1. Senior management

3.3.2. Security Policy

4. Chapter 3 - Building a Security Strategy

4.1. Borderless Network Components

4.1.1. Borderless Data Center

4.1.2. Bordeless Internet

4.1.3. Borderless end zone

4.1.3.1. This is where devices connect to the network. It is here that we are concerned with viruses, malware, and other malicious software. Using techniques such as Network Admissions Control (NAC) and Identity Services Engine (ISE) , we can properly interrogate devices before they are allowed onto the network to verify they meet certain minimum requirements (installations of virus scanning tools, service packs, patch revision levels, and so on).

4.1.4. Policy management point

4.2. SecureX and Context-aware Security

4.2.1. Context awareness

4.2.1.1. For example, you might want to confirm a basic set of parameters (who users are, how they are accessing a network, the condition of the computer they are using to access the network, and so on) before giving users access. Actual tools to implement this include ISE, NAC, and AAA.

4.2.2. AnyConnect Client

4.2.2.1. You can establish Secure Sockets Layer (SSL) or IPsec VPNs for clients.

4.2.3. TrustSec

4.2.3.1. This creates a distributed access policy enforcement mechanism, and can also use encryption to provide confidentiality. The intent is to provide and control end-to-end security, based on who, what, where, and how users are connected to the network. Endpoint systems are analyzed to verify they meet corporate security requirements. Actual tools to implement this include ISE, NAC, and AAA. If security group tags (SGT) are used, devices involved in forwarding the traffic can implement the appropriate security based on the tag.

4.2.4. Security Intelligence Operations

4.2.4.1. (SIO) is a cloud-based service that Cisco manages. This service identifies and correlates realtime threats so that customers can leverage this information to better protect their networks.

4.3. Controlling and Containing Data Loss

4.3.1. ASA Firewalls

4.3.2. IPS

4.3.2.1. Module that goes into a Cisco ASA firewall or router. In addition, you can place a blade module in a 6500 series switch.

4.3.3. Scansafe

4.3.3.1. Dynamically categorize search engine results to prevent access to undesired sites or content, and can also look for malicious content, thus offering protection for zero-day attacks that have not been identified through traditional IPS signatures.

4.3.4. ISR

4.3.4.1. Additional security into the router itself using features such as zonebased firewalls and IPSs

4.3.5. IronPort email security and WSA

4.3.5.1. Provide granular control of email and, in the case of web traffic and WSA,

5. Chapter 4 - Network Foundation Protection

5.1. Network Foundation Protection

5.1.1. Management Plane

5.1.1.1. This includes the protocols and traffic that an administrator uses between his workstation and the router or switch itself. An example is using a remote management protocol such as Secure Shell (SSH) to monitor or configure the router or switch.

5.1.1.2. Measures: AAA, NTP, SSH, SSL/TLS, Protect Syslog , SNMPv3, Parser views.

5.1.2. Control Plane

5.1.2.1. This includes protocols and traffic that the network devices use on their own without direct interaction from an administrator. An example is a routing protocol.

5.1.2.2. Measures: CoPP , CPPr and authentication routing protocol

5.1.2.3. CoPP- Control plane policing. You can configure this as a filter for any traffic destined to an IP address on the router itself. For example, you can specify that management traffic, such as SSH/HTTPS/SSL and so on, can be rate-limited (policed) down to a specific level. This way, if an attack occurs that involves an excessive amount of this traffic, the excess traffic above the threshold set could simply be ignored and not have to be processed directly by the CPU. Another way to think of this is as applying quality of service (QoS) to the valid management traffic and policing to the bogus management traffic. This is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy can be applied globally to the router.

5.1.2.4. CPPr - Control plane protection. This allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling.can be classified are traffic to one of the physical or logical interfaces of the router, certain data plane traffic that requires CPU intervention before forwarding (such as IP options), and Cisco Express Forwarding (CEF) exceptions (traffic related to network operations, such as keepalives or packets with Time-To-Live (TTL)

5.1.3. Data Plane

5.1.3.1. This includes traffic that is being forwarded through the network (sometimes called transit traffic). An example is a user on one part of the network who is accessing a server; the data plane represents the traffic that is either being switched or forwarded by the network devices between the client and server.

5.1.3.2. Measure: for Layer 3: ACL, L2 control (private vlan, STP guards). IOS IPS, Zone-based firewalls. Adicional: TCP intercept, uRPF(spoofed IP), Block unwanted traffic. For layer 2: Port Security, DHCP snooping, DAI

6. Chapter 5 - Using Cisco Configuration Professional to Protect the Network Infrastructure

6.1. CCP

6.1.1. Cisco Configuration Professional is an application that you can run from your computer. The files for the program may be local on the computer or on the flash file system of the router.

6.2. Preparing the Router to Accept HTTP/HTTPS Connections from CCP

6.2.1. R1(config)# ip http server R1(config)# ip http secure-server R1(config)# username admin privilege 15 secret cisco R1(config)# ip http authentication local

6.3. Community

6.3.1. A community is a group of routers that share something in common. That “something in common” could be the routers at a single geographic location or a similar function, such as that they are all running firewall services. The concept of having a community makes it easier for the administrator to work with a group of devices from one common interface.

6.4. Templates

6.4.1. If you are going to do the same type of configuration over and over again, why not do it once and then just copy/paste for the rest of them? That is where templates can come in handy.

6.5. User Profiles

6.5.1. The user profile feature enables you to restrict which features show up as available in the left side navigation pane of CCP. The profile controls which options are shown, based on which devices the user is managing.

6.6. CCP Audit Features

6.6.1. The CCP Security Audit can look at your current router configuration and then make recommendations on how it could be more secure. The CCP Security Audit feature is based on the command-line IOS auto secure feature, and can perform an almost identical list of tasks as its CLI counterpart. Security Audit can operate in one of two ways. You can use an interactive wizard to choose which potential security threats may be changed via configuration. You can also use an option called One Step-Lockdown, which takes a subset of the features that the audit would do, most of which will not require user intervention, and then modifies the configuration to implement those security measures.

7. Chapter 6 - Securing the Management Plane on Cisco IOS Devices

7.1. Management Plane Best Practices

7.1.1. * Strong passwords * User authentication and AAA * Role-based access control (RBAC) * Encrypted management protocols * Logging * Network Time Protocol * Secure system files

7.2. AAA Components

7.2.1. Authentication

7.2.1.1. Authentication is the process by which individuals prove that they are who they claim to be. The network environment has a variety of mechanisms for providing authentication, including the use of a username and password, token cards, and challenge and response. A common use is authenticating an administrator’s access to a router console port, auxiliary port, or vty lines.

7.2.2. Authorization

7.2.2.1. After the user or administrator has been authenticated, authorization can be used to determine which resources the user or administrator is allowed to access, and which operations may be performed. In the case of the average user, this might determine what hours that user is allowed on the network

7.2.3. Accounting and auditing

7.2.3.1. After being authenticated and possibly authorized, the user or administrator begins to access the network. It is the role of accounting and auditing to record what the user or administrator actually does with this access, what he accesses, and how long he accesses it. This is also known as creating an audit trail .

7.3. Ways to implement AAA services

7.3.1. * Cisco Secure ACS Solution Engine * Cisco Secure ACS for Windows Server * Current flavors of ACS functionality * Self-contained AAA

7.4. Role-Base Access Control

7.4.1. The concept of role-based access control (RBAC) is to create a set of permissions or limited access and assign that set of permissions to users or groups. Those permissions are used by individuals for their given roles, such as a role of administrator or a role of a help desk person and so on There are different ways to implement RBAC, including creating custom privilege levels and creating parser views (coming up later in this section).

7.4.2. RBAC Privilege Level/Parser View

7.4.2.1. You may implement RBAC through AAA, with the rules configured on an ACS server, but you may implement it in other ways, too, including creating custom privilege levels and having users enter those custom levels where they have a limited set of permissions, or creating a parser view

7.5. Using Logging Files

7.5.1. * Console * Vty lines * Buffer * SNMP server * Syslog server

7.6. User Authentication with AAA

7.6.1. R1(config)# aaa new-model R1(config)# tacacs-server host 50.50.4.101 R1(config)# tacacs-server key ToUgHPaSsW0rD-1#7 R1(config)# aaa authentication login default local enable R1(config)# aaa authentication login MY-LIST-1 group tacacs local enable R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local R1(config)# aaa accounting commands 1 TAC-act1 start-stop group tacacs+ R1(config)# aaa accounting commands 15 TAC-act15 start-stop group tacacs+ R1(config)# username admin privilege 15 secret 4Je7*1swEsf R1(config)# line vty 0 4 R1(config-line)# login authentication MY-LIST-1 R1(config-line)# authorization commands 1 TAC1 R1(config-line)# authorization commands 15 TAC15 R1(config-line)# accounting commands 1 TAC-act1 R1(config-line)# accounting commands 15 TAC-act15

7.7. SNMP Features

7.7.1. Component

7.7.1.1. SNMP manager

7.7.1.2. SNMP agent

7.7.1.3. Management Information Base

7.7.2. SNMPv3

7.7.2.1. SNMPv3 offers three primary security enhancements:

8. Chapter 7 - Implementing AAA Using IOS and the ACS Server

8.1. Why Use Cisco ACS?

8.1.1. Most midsize and large companies using Cisco equipment are also going to use ACS servers so that they can centrally manage the users and control what those users are authorized to do.

8.2. Protocols Used Between the ACS and the Router

8.2.1. TACACS+

8.2.1.1. Traditionally, and in common practice, if you are authenticating and authorizing administrators for command-line access, it is likely that you will configure TACACS+ on both the ACS server and the router for their communication with each other

8.2.2. RADIUS

8.2.2.1. If you are authenticating and authorizing end users who just want their packets to go through a network device (when authentication and authorization is required), it is likely that you are using RADIUS as the communications method between the ACS server on the router. RADIUS is an open IETF standard and is used by most vendors, including Cisco, when doing AAA for end users.

9. Chapter 8 - Securing Layer 2 Technologies

9.1. Layer 2 Best Practices

9.1.1. *Select an unused VLAN (other than VLAN 1) and use that for the native VLAN for all your trunks. * Avoid using VLAN 1 anywhere, because it is a default. * Administratively configure access ports as access ports so that users cannot negotiate a trunk and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP] ). * Limit the number of MAC addresses learned on a given port with the port security feature. * Control spanning tree to stop users or unknown devices from manipulating spanning tree. You can do so by using the BPDU guard and root guard features. * Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and may provide attackers information we would rather not disclose.) * On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.

9.2. Configuring PortFast, Then Rapid Spanning Tree

9.3. Configuring Router on a Stick and Switch Support for the Router

9.4. Administratively Locking Down Switch Ports

9.5. Specific Layer 2 Mitigation for CCNA Security

9.5.1. BPDU Guard SW2(config-if)# int fa 0/2 SW2(config-if)# spanning-tree bpduguard enable Configuring the Switch to Automatically Restore Err-Disabled Ports SW2(config)# errdisable recovery cause bpduguard SW2(config)# errdisable recovery interval 30 Root Guard SW1(config)# int fa 0/24 SW1(config-if)# spanning-tree guard root %SPANTREE-2-ROOTGUARD_ Port Security SW2(config-if)# int fa 0/2 SW2(config-if)# switchport port-security SW2(config-if)# switchport port-security maximum 5 SW2(config-if)# switchport port-security violation protect SW2(config-if)# switchport port-security mac-address stick

10. Chapter 9 - Securing the Data Plane in IPv6

10.1. IPv4 Versus IPv6

10.1.1. IPV4

10.1.1.1. * 32-bit * You can use NAT to extend address space limitations. * Administrators must use Dynamic Host Configuration Protocol (DHCP) or static configuration to assign IP addresses to hosts. * IPsec support is an optional add-on concept to protect IP packets through encryption, validating a peer, data integrity, and antireplay support. * Multiple pieces in an IPv4 header. * Uses broadcasts for several functions, including Address Resolution Protocol (ARP).

10.1.2. IPV6

10.1.2.1. * 128-bit * Does not support NAT by design (and has plenty of addresses for everyone). * Hosts can use stateless address autoconfiguration to assign an IP address to themselves, but can also use DHCP features to learn more information, such as about Domain Name System (DNS) servers. * IPsec support is supposed to be “required.” This really means that it is supported for IPv6 from the beginning, but IPv6 does not require it to be configured for IPv6 to work. * Simplified (but larger) IPv6 header, with options for header extensions as needed. * Does not use any broadcasts and does not use ARP. Instead, it uses multicast addresses and Neighbor Discovery Protocol (NDP also called ND) . ND replaces ARP Devices can automatically discover the IPv6 network address and many other housekeeping features such as discovering any routers on the network. ND uses IPv6’s version of Internet Control Message Protocol (ICMP) as the workhorse behind most of its functions.

10.1.3. IPv6 Types

10.1.3.1. Link local address: Begin with the characters FE80

10.1.3.2. Loopback address: ::1

10.1.3.3. All-nodes multicast address: In IPv6, multicasts begin with FFxx

10.1.3.4. All-routers multicast address: In addition to the group address of FF02::1 that is joined by all devices configured for IPv6, routers that have had routing enabled for IPv6 also join the group FF02::2.

10.1.3.5. Unicast and anycast addresses (configured automatically or manually): A global IPv6 address, unlike a link local address, is routable and can be reached through one or more routers that are running IP routing and that have a correct routing table. Global IPv6 unicast addresses have the first four characters in the range of 2000 to 3FFF.

10.1.3.6. Solicited-node multicast address for each of its unicast and anycast addresses: When a device has global and link local addresses, it joins a multicast group of FF02::1:FFxx:xxxx The x characters represent the last 24 bits of the host ID being used for the addresses. If a device needs to learn the Layer 2 address of a peer on the same network, it can send out a neighbor solicitation (request) to the multicast group that the device that has that address should have joined. This is the way IPv6 avoids using broadcasts.

10.1.3.7. Multicast addresses of all other groups to which the host belongs: If a router has enabled IPv6 routing, it joins the FF02::2 group (all routers), as mentioned earlier. If a router is running RIPng (the IPv6 flavor), it joins the multicast group for RIPng, which is FF02::9, so that it will process updates sent to that group from other RIP routers. Notice again some similarities. RIPv2 in IPv4 uses 224.0.0.9 as the multicast address!

10.2. Best Practices Common to Both IPv4 and IPv6:

10.2.1. * Physical security * Device hardening * Control access between zones * Routing protocol security * Authentication, authorization, and accounting (AAA): * Mitigating DoS attacks * Have and update a security policy.

10.3. Threats Common to Both IPv4 and IPv6

10.3.1. * Application layer attacks * Unauthorized access * Man-in-the-middle attacks * Sniffing or eavesdropping * Denial-of-service (DoS) attacks * Spoofed packets * Attacks against routers and other network devices

10.4. New Potential Risks with IPv6

10.4.1. * Network Discovery Protocol * DHCPv6: * Hop-by-hop extension headers: * Packet amplification attacks * ICMPv6: * Tunneling options: * Autoconfiguration: * Dual stacks * Bugs in code:

10.5. IPv6 Best Practices

10.5.1. * Filter bogus addresses * Filter non-local multicast addresses: * Filter ICMPv6 traffic that is not needed on your specific networks * Drop routing header type 0 packets * Use manual tunnels rather than automatic tunnels * Protect against rogue IPv6 devices:

11. Chapter 10 - Planning a Threat Control Strategy

11.1. Threat Control and Mitigation Strategy Components

11.1.1. Formal process for policy creation, implementation, and review.

11.1.1.1. Senior management, ultimately, is responsible for policy. The job of the network administrator is to implement and enforce through technical and logical controls the policy that has been mandated.

11.1.2. * Mitigation policies and techniques * End-user education and awareness * Defense in depth * Centralized monitoring and analysis * Application layer visibility * Incident response

11.2. Security Features on Cisco Switches

11.2.1. * Port security * DHCP snooping * Dynamic Address * Resolution Protocol (ARP) inspection * IP source guard * Root guard, BPDU guard, BPDU filtering * Storm control * Additional modules

11.3. Security Features of IOS Routers

11.3.1. * Reflexive access lists * Context-based access * control (CBAC) * Zoned-Based Firewall * Packet-filtering ACLs * AAA * VPNs * IPS * Routing protocol authentication * Control plane protection and control plane policing * Secure management protocols

11.4. Security Features of ASA Firewalls

11.4.1. * Stateful filtering * Modular policy framework (MPF) * URL filtering * Packet-filtering ACLs * AAA * VPNs * IPS * Routing protocol authentication * Secure management protocols

12. Chapter 11 - Using Access Control Lists for Threat Mitigation

12.1. What Can We Protect Against?

12.1.1. * IP address spoofing * TCP SYN-flood attacks * Reconnaissance attacks * General vulnerabilities

12.2. Line Numbers Inside an Access List

12.2.1. An access list is a collection of entries, or lines. Sometimes, these are called access control entries (ACE) . By default, adding a new line to an access list places that line at the bottom of the list. Based on your policy, that might not be the position where you want this entry in the list (which is processed by the security guard from top to bottom). By default, the router automatically assigns sequence numbers to each line. Normally they begin with 10, and increment by 10 for each new line.

12.3. Features That Can Use an Access List

12.3.1. * IOS Inspect class map * IOS class map * Routing protocols * Quality of service (QoS) * VPN * ASA Firewall Modular * Policy Framework * Network/Port Address Translation (NAT/PAT) * Packet filtering

12.4. Importante considered for ACL

12.4.1. If an empty access list is applied to an interface, it will not deny any traffic. The implicit deny takes effect only when there is at least one configured line in the ACL.

12.5. Standard vs Extended Access Lists

12.5.1. Standard ACL

12.5.1.1. Standard ACL 1-99, 1300-1999 What they can match on: Source IP only of the packet being compared to the list. Where to place: Unfortunately, these need to be placed relatively close to the destination. Applying these access lists too close to the source may limit that source from reaching other destinations that were not intended to be limited.

12.5.2. Extended ACL

12.5.2.1. 100-199, 2000-2699 What they can match on: Source or destination IP, plus most Layer 4 protocols, including items in the Layer 4 header of the packet being compared. Where to place: You can place these very close to the source of the host who is generating the packet, because it will only deny the traffic to the specific destination and will not cause a loss of service to other destinations that are still being permitted.

13. Chapter 12 - Understanding Firewall Fundamentals

13.1. Five Basic Firewall Methodologies

13.1.1. Static Packet Filtering

13.1.1.1. Static packet filtering is based on Layer 3 and Layer 4 of the OSI model. An example of a firewall technology that uses static packet filtering is a router with an access list applied to one or more of its interfaces for the purpose of permitting or denying specific traffic. One of the challenges with static packet filtering is that the administrator must know exactly what traffic needs to be allowed through the firewall, which can be tricky if you have many users that need to access many servers.

13.1.2. Stateful Packet Filtering

13.1.2.1. Stateful packet filtering is one of the most important firewall technologies in use today. It is called stateful because it remembers the state of sessions that are going through the firewall.

13.1.3. Application Layer Gateway

13.1.3.1. Application layer firewalls, which are also sometimes called proxy firewalls or application gateways , can operate at Layer 3 and higher in the OSI reference model. Most of these proxy servers include specialized application software that takes requests from a client, puts that client on hold for a moment, and then turns around and makes the requests as if it is its own request out to the final destination. A proxy firewall acts as an intermediary between the original client and the server. No direct communication occurs between the client and the destination server. Because the application layer gateway can operate all the way up to Layer 7, it has the potential to be very granular and analytical about every packet that the client and server exchange and can enforce rules based on anything the firewall sees.

13.1.4. Application Inspection

13.1.4.1. An application inspection firewall can analyze and verify protocols all the way up to Layer 7 of the OSI reference model, but does not act as a proxy between the client and the server being accessed by the client.

13.1.5. Transparent Firewalls

13.1.5.1. A transparent firewall is more about how we inject the firewall into the network as opposed to what technologies it uses for filtering. A transparent firewall can use packetbased filtering, stateful filtering, application inspection as we discussed earlier, but the big difference with transparent firewalls are that they implemented at Layer.

13.2. NAT Deployment Options

13.2.1. Static NAT

13.2.2. Dynamic NAT

13.2.3. Dynamic PAT (NAT with overload)

13.2.4. Policy NAT/PAT

14. Chapter 13 - Implementing Cisco IOS Zone-Based Firewalls

14.1. How Zone-Based Firewall Operates

14.1.1. With ZBFs, interfaces are placed into zones. Zones are created by the network administrator, using any naming convention that makes sense (although names such as inside, outside, and DMZ are quite common). Then policies are specified as to what transit (user) traffic is allowed to be initiated

14.2. Putting the Pieces Together

14.2.1. Class maps

14.2.1.1. These are used to identify traffic, such as traffic that should be inspected.

14.2.2. Policy maps

14.2.2.1. These are the actions that should be taken on the traffic.

14.2.2.2. Policy Map Actions

14.2.2.2.1. Inspect

14.2.2.2.2. Log

14.2.2.2.3. Pass

14.2.2.2.4. Drop

14.2.3. Service policies

14.2.3.1. This is where you apply the policies, identified from a policy map, to a zone pair. This step actually implements the policy.

14.3. ZBF components: _ Zones _ Interfaces that are members of zones _ Class maps that identify traffic _ Policy maps that use class maps to identify traffic and then specify the actions which should take place _ Zone pairs, which identify a unidirectional traffic flow, beginning from devices in one zone and being routed out an interface in a second zone. _ Service policy, which associates a policy map with a zone pair

14.4. The Self Zone Traffic directed to the router itself (as opposed to traffic going through the router as transit traffic that is not destined directly to the router) involves the self zone. Traffic destined to the router, regardless of which interface is used, is considered to be going to the self zone. Traffic being sourced from the router is considered to be coming from the self zone. By default, all traffic to the self zone or from the self zone (which really means all traffic from the router or to the router) is allowed.

15. Chapter 14 - Configuring Basic Firewall Policies on Cisco ASA

15.1. ASA Features and Services

15.1.1. Packet filtering: Simple packet filtering normally represents an access list. It is also true with regard to this feature that the ASA provides. The ASA supports both standard and extended access lists. Stateful filtering: By default, the ASA enters stateful tracking information about packets that have been initially allowed through the firewall. Therefore, if you have an access list applied inbound on the outside interface of the firewall that says deny everything, but a user from the inside makes a request to a server on the outside, the return traffic is allowed back in through the firewall (in spite of the access lists that stops initial traffic from the outside) because of the stateful inspection that is done by default on the initial traffic from the client out to the server, which is now dynamically allowing the return traffic to come back in. Application inspection/awareness: The ASA can listen in on conversations between devices on one side and devices on the other side of the firewall. DHCP: The ASA can act as a Dynamic Host Configuration Protocol (DHCP) server or client or both. Routing: The ASA supports most of the interior gateway routing protocols, including RIP, EIGRP, and OSPF. Layer 3 or Layer 2 implementation: The ASA can be implemented as a traditional Layer 3 firewall, which has IP addresses assigned to each of its routable interfaces. The other option is to implement a firewall as a transparent firewall, in which the actual physical interfaces receive individual IP addresses, but a pair of interfaces operate like a bridge.

15.2. Modular Policy Framework

15.2.1. For IOS ZBFs, class maps are used to identify traffic, policy maps are used to implement actions on that traffic, and the application of those policies is done with the service policy commands. On the IOS router, all of these features included the keywords inspect to differentiate them from normal class maps and policy maps and service policies. On the ASA, you also use class maps to identify traffic, policy maps to identify the actions you are going to take on that traffic, and service policy commands to implement the policy.

16. Chapter 15 - Cisco IPS/IDS Fundamentals

16.1. Positive/Negative Terminology

16.1.1. A false positive is when the sensor generates an alert about traffic and that traffic is not malicious or important as related to the safety of the network. False positives are easy to identify because alerts are generated, and easily viewed. What is tricky are the false negatives. A false negative is when there is malicious traffic on the network, and for whatever reason the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything negative is going on. In the case of a false negative, you must use some third-party or external system to alert you to the problem at hand, such as syslog messages from a network device. The true positives and true negatives are fantastic. A true positive means that there was malicious traffic and that the sensor saw it and reported on it; if the sensor was an IPS, it may have dropped the malicious traffic based on your current set of rules in place. A true negative is also a wonderful thing in that there was normal non-malicious traffic, and the sensor did not generate any type of alert, which is normal sensor behavior regading non-malicious traffic.

16.2. Identifying Malicious Traffic on the Network

16.2.1.  Signature-based IPS/IDS  Policy-based IPS/IDS  Anomaly-based IPS/IDS  Reputation-based IPS/IDS

16.3. Risk Rating (RR) Calculation Factors

16.3.1. Target value rating (TVR) Signature fidelity rating (SFR) Attack severity rating (ASR) Attack relevancy (AR) Global correlation

16.4. IPS vs IDS

16.4.1. Position in the network flow: IDS > Off to the side, the IDS is sent copies of the original packets. IPS > Directly inline with the flow of network traffic and touches every packet on its way through the network. Also known as: IDS > Promiscuous mode, out of band IPS > Inline mode Latency or delay: IDS > Does not add delay to the original traffic because it is not inline. IPS > Adds a small amount of delay before forwarding it through the network. Impact caused by the sensor failing to forward packets: IDS > There is no negative impact if the sensor goes down. IPS > If the sensor goes down, traffic that would normally flow through the sensor could be impacted Ability to prevent malicious traffic from going into the network: IDS > By itself, a promiscuous mode IDS cannot stop the original packet. Options do exist for a sensor in promiscuous mode to request assistance from another device that is inline which may block future packets. IPS > The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets just as the IDS does. Normalization ability: IDS > Because the IDS does not see the original packet, it cannot manipulate any original inline traffic. IPS > Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules.

17. Chapter 16 - Implementing IOS-Based IPS

17.1. Hand on Lab. rsrsrs

18. Chapter 17 - Fundamentals of VPN Technology

18.1. Types of VPN

18.1.1. IPsec

18.1.2. SSL

19. Chapter 18 - Fundamentals of the Public Key Infrastructure

20. Chapter 20 - Implementing IPsec Site-to-Site VPNs

21. Chapter 21 - Implementing SSL VPNs Using Cisco ASA