WIXLIB

CCNP Security SECURE NotesPrivate Vlans:vtp mode transparentvlan 600private-vlan communityvlan 400private-vlan isolatedvlan 200private-vlan primaryprivate-vlan association 400,600int gi1/0/13switchport mode private-vlan hostswitchport private-vlan host-association 200 400int range gi1/0/14 – 15switchport mode private-vlan hostswitchport private-vlan host-association 200 600int gi1/0/16switchport mode private-vlan promiscuousswitchport private-vlan mapping 200 400,600Verification Commands:show vlan private-vlan typeshow vlan private-vlanPVLAN Edge:int gi1/0/18switchport protectedThe PVLAN edge (protected port) is a feature that has only local significance to theswitch (unlike Private Vlans), and there is no isolation provided between two protectedports located on different switches. A protected port does not forward any traffic(unicast, multicast, or broadcast) to any other port that is also a protected port in thesame switch. Traffic cannot be forwarded between protected ports at L2, all trafficpassing between protected ports must be forwarded through a Layer 3 (L3) device.

uRPF (Unicast Reverse Path Forwarding):Strict uRPF:When a packet arrives, it extracts the SOURCE IP ADDRESS and searches the FIB tolocate the network. If the found location does NOT match the INPUT interface (theinterface on which the packet arrived), then the packet is DROPPED.Loose uRPF:Like strict, except that the found location can match ANY interface as long as thereis a route in the FIB, it is happy!ip cefint fa0/0ip verify unicast source reachable-via [any rx] [allow-default] [allow-self-ping][acl]reachable-via any Loose uRPFreachable-via rx Strict uRPFallow-default Use default route for matching. If used in combination with“reachable-via any”, it totally invalidates the configuration and is pointless.acl Specify ACL name or number to use with uRPFVerification Commands:show ip cef summaryshow ip int fa0/0 (look for “IP verify source ”)Guidelines: Symmetric routing and FIB trusted – use Strict uRPFAsymmetric routing or FIB untrusted – use anti-spoofing ACLsEliminate bogon-sourced traffic – use Loose uRPFDon’t use default route with Loose uRPFNetflow:High-level reporting, diagnostics, and anomaly detectionSimilar to granularity of a cell phone billTelemetry is pushed to Netflow collectorsVariety of metrics are reportedFlow is defined by 7 keys:SRC IP, DST IP, SRC PT, DST PT, L3 PROTO TYPE, COS/TOS, IFINDEX Version 5 is common, Version 9 is the future (and supports Flexible Netflow)

flow exporter RICHARD EXPORTERdestination 192.168.2.10transport udp 9996export-protocol [netflow-v5 netflow-v9]flow monitor RICHARD MONITORrecord netflow ipv4 original-inputexporter RICHARD EXPORTER(use classic netflow)(the name you used above)int fa0/0ip flow monitor RICHARD MONITOR inputControl Plane Security:(other planes include Management Plane and Data Plane)The Control Plane is a logical part of the router that performs base functions such asbuilding the routing and forwarding tables (dynamic routing protocols, PIM, HSRP, nonIP protocols such as ARP, IS-IS, etc.)Protection includes: iACLs, CoPP, CPPr, and Routing Protocol Auth/FilteringiACLs (Infrastructure ACLs):Legacy technology – if not using CoPP/CPPr, you should at least use iACLsThey are usually applied INBOUND on interfaces facing the user, or an externalnetwork (e.g. the Internet).CoPP (Control Plane Policing):Configuration Example:ip access-list extended MATCH-OSPFpermit ospf 10.0.0.0 0.255.255.255 anyclass-map COPP-CLASSmatch access-group name MATCH-OSPFpolicy-map COPP-POLICYclass COPP-CLASSpolice rate 250 pps conform-action transmit exceed-action dropclass class-defaultpolice rate 10 pps conform-action transmit exceed-action dropexit (back to global configuration mode)control-plane (host is default, other options are cef-exception and transit)service-policy input COPP-POLICY

CPPr (Control Plane Protection):Although it is similar to Control Plane Policing (CoPP), CPPr has the ability torestrict/police traffic using finer granularity than that used by CoPP.CPPr divides the aggregate control plane into three separate control planecategories, known as sub-interfaces: (1) host, (2) transit, and (3) cef-exceptionCPPr configuration same as CoPP, except applied to all sub-interfaces!Verification Commands:show policy-map control-plane host KNOW THIS!!!FPM (Flexible Packet Matching) – uses PHDF files:Configuration Example:load protocol flash:ip.phdfload protocol flash:tcp.phdfclass-map type stack match-all FPM-STACK-CLASSmatch field ip protocol eq 0x6 next tcp In English: we are matching ip protocol equal to 6, which is TCP – also notice theclass-map is of type STACK and we are using MATCH-ALL (logical AND), instead ofthe default MATCH-ANY (logical OR) class-map type access-control match-all FPM-AC-CLASSmatch field tcp dest-port eq 80match start tcp payload-start offset 0 size 256 regex “[cC][mM][dD]\.[eE][xX][eE]” In English: we are using RegEx to look at the TCP payload starting at offset 0through 256, and we are looking for any case variation of “cmd.exe” – also notice theclass-map is of type ACCESS-CONTROL and we are again using MATCH-ALL policy-map type access-control FPM-POLICYclass FPM-AC-CLASSdroppolicy-map type access-control FPM-POLICY-FINALclass FPM-STACK-CLASSservice-policy FPM-POLICY We are referencing the first policy-map we created above by calling that policy-mapfrom within the second policy-map. We have now “glued” everything together.int s0service-policy type access-control input FPM-POLICY-FINAL

Routing Protocol Authentication: this further helps to secure our Control PlaneWhat are the bad guys doing?Trying to spoof neighbor relationships! They may even send masqueraded updates tocorrupt routing tables. We are going to leverage HMACs (hashes) as acountermeasure.RIPv2 supports Plain Text and MD5EIGRP supports MD5OSPF supports Plain Text and MD5 (and v3 supports AH)BGP supports MD5Configuration Example for RIPv2:key chain RICHARDkey 1key-string mypasswordYou can create multiple keys, and you can use these options as well:accept-lifetime 12:00:00 Jan 1 2011 11:59:59 Dec 31 2011send-lifetime 12:00:00 Jan 1 2011 11:59:59 Dec 31 2011Apply this in INTERFACE configuration mode:int s0ip rip authentication mode md5ip rip authentication key-chain RICHARD(or text, which is plain text)Configuration Example for EIGRP: you can use the same key chain we created aboveint s0ip authentication mode eigrp 100 md5ip authentication key-chain eigrp 100 RICHARDConfiguration Example for OSPF (Plain Text):int s0ip ospf authenticationip ospf authentication-key mypassword

Configuration Example for OSPF (MD5):int s0ip ospf authentication message-digestip ospf message-digest-key 1 md5 mypasswordYou can selectively turn on authentication for specific areas:router ospf 1area 5 authentication message-digest-OR-area 5 authenticationConfiguration Example for BGP: no key chains used for BGP!Apply this in BGP ROUTING PROCESS configuration mode:router bgp 64512neighbor 10.0.0.1 remote-as 64512neighbor 10.0.0.1 password mypasswordConfiguration Example for HSRP (Plain Text):standby 1 authentication mypasswordConfiguration Example for HSRP (MD5):standby 1 authentication md5 key-string mypasswordHelpful debugs:debug rip eventsdebug eigrp packetsdebug ip ospf adjdebug standby errors (for HSRP)Management Plane Security:Access control for VTY lines can be accomplished using the access-class command,or via CoPP/CPPr.

Configuration Example for VTY/SSH Access Control (using access-class):ip access-list standard RESTRICT-SSHpermit 10.0.0.0 0.0.0.255deny any logline vty 0 15transport input sshaccess-class RESTRICT-SSH inAccess control can also be applied to SNMP traffic.Configuration Example for SNMP Access Control:ip access-list extended RESTRICT-SNMPpermit udp 10.0.0.0 0.0.0.255 any eq 161deny ip any any logsnmp-server community secretcommunitystring ro RESTRICT-SNMPNow we will look at access control for VTY/SSH and SMTP via CoPP/CPPr. We canrestrict the traffic to a particular interface we designate as a MANAGEMENTINTERFACE.Configuration Example for CoPP/CPPr Access Control:ip access-list extended RESTRICT-SSH-SNMPpermit tcp 10.0.0.0 0.0.0.255 any eq 22permit udp 10.0.0.0 0.0.0.255 any eq 161class-map CPPR-CLASSmatch access-group name RESTRICT-SSH-SNMPpolicy-map CPPR-POLICYclass CPPR-CLASSpolice rate 50 pps conform-action transmit exceed-action dropcontrol-plane hostservice-policy input CPPR-POLICYMPP (Management Plane Protection):Configuration Example (same as above, but under control-plane host add this):control-plane hostmanagement-interface fa0/1 allow ssh snmp

RBAC Views (Role Based Access Control):Configuration Example:aaa new-model(AAA MUST BE ENABLED FIRST!!!)Enter the ROOT VIEW to start the configuration:enable view then under global configuration mode parser view MYVIEWsecret mypasswordCommands Syntax:commands exec [exclude include include-exclusive] commands exec include show access-listcommands exec include show running-configcommands exec include configure terminalcommands configure include ip access-list extendedcommands configure include ip access-list standardcommands ipenacl include all denycommands ipenacl include all permitSNMP Views:These views restrict access to ONLY certain MIB parameters!Configuration Example:snmp-server view MYVIEW interfaces includedsnmp-server group MYGROUP v3 priv read MYVIEW access RESTRICT SNMPsnmp-server user RDAVIS MYGROUP v3 auth sha mypassword priv aes 128mysecretkeyThere are SNMP INFORMS and TRAPS.INFORMS are superior to traps!snmp-server host 10.0.0.50 traps version 3 priv RDAVISsnmp-server enable traps

CPU / Memory Thresholds:Configuration Example (CPU):process cpu threshold type total rising 80 interval 10Configuration Example (Memory):memory free low-watermark processor 8000Zone-Based Firewalls:Configuration Example:ip access-list extended OUT-TO-IN-ACLpermit tcp host 184.75.249.120 host 172.16.10.99 eq 9997permit ip 172.16.30.0 0.0.0.255 anyip access-list extended OUT-TO-SELF-ACLpermit udp any eq bootps any eq bootpcpermit ahp any anypermit esp any anypermit udp any any eq isakmppermit udp any any eq non500-isakmppermit 41 any anypermit icmp host 184.75.249.120 anypermit ip 172.16.30.0 0.0.0.255 anyclass-map type inspect match-any IN-TO-OUT-CLASSmatch protocol tcpmatch protocol udpmatch protocol icmppolicy-map type inspect IN-TO-OUT-POLICYclass type inspect IN-TO-OUT-CLASSinspectclass class-defaultdropclass-map type inspect match-any OUT-TO-IN-CLASSmatch access-group name OUT-TO-IN-ACLpolicy-map type inspect OUT-TO-IN-POLICYclass type inspect OUT-TO-IN-CLASSinspectclass class-defaultdrop

class-map type inspect match-any OUT-TO-SELF-CLASSmatch access-group name OUT-TO-SELF-ACLpolicy-map type inspect OUT-TO-SELF-POLICYclass type inspect OUT-TO-SELF-CLASSpassclass class-defaultdrop logzone security INSIDEzone security OUTSIDEint tunnel0zone-member security INSIDEint vlan10zone-member security INSIDEint vlan20zone-member security INSIDEint virtual-template1zone-member security OUTSIDEint fa4zone-member security OUTSIDEzone-pair security IN-TO-OUT source INSIDE destination OUTSIDEservice-policy type inspect IN-TO-OUT-POLICYzone-pair security OUT-TO-IN source OUTSIDE destination INSIDEservice-policy type inspect OUT-TO-IN-POLICYzone-pair security OUT-TO-SELF source OUTSIDE destination selfservice-policy type inspect OUT-TO-SELF-POLICYVerification Commands:show class-map type inspectshow policy-map type inspectshow policy-map type inspect zone-pairshow zone security zonename (ex. INSIDE, OUTSIDE, self)