Hello! I hope this post will be useful for those who want to pass an IOS-based security certification.
The Cisco Networking Academy software (Discovery and Exploration) and Cisco Packet Tracer were good enough for the old CCNA exam, or CCNA Routing & Switching as it is now called, but they will not do for the industry certifications anymore. In that case, unless you have a physical lab at hand, GNS3 will serve. Take a look at the topics of the CCNA Security exam: it is clear that IOS alone will not be enough, since CCP, ASA and IPS are also covered. What do you need? A properly configured lab!
So, into one basket we put:
- PC hosts - CCP, ASDM, Kali - VirtualBox images
- IOS switch - not implemented in GNS3, so we use a Cisco 3745 image with the NM-16ESW module; it then acts as an L3 switch (Catalyst 3560)
- Router with Zone-Based Firewall functionality - IOS image c3725-adventerprisek9-mz124-15.bin
- Cisco ASA - asa842 (kernel and initrd)
- Cisco IPS
Here something should be ...
VirtualBox virtual machines are already supported in GNS3 (Preferences - VirtualBox - VirtualBox Guest). All that remains is to add the required number of them. One clarification: one actual VirtualBox VM corresponds to one host in GNS3.
Next, go to IOS images & hypervisors, add the IOS images we need, and compute an Idle PC value so that your machine is not brought to its knees when you start the network emulation.
Finally, add the ASA: Preferences - Qemu - ASA 8.4.2. Qemu options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32; Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
All IOS images can be unpacked with 7-zip.

You have probably guessed already: the XP VM is in the internal network, Windows 7 is in the DMZ, and BackTrack is in the external network.
Where do we propose to start studying IOS-based security?
Oddly enough, with the concepts used throughout the course:
- C3PL - Cisco Common Classification Policy Language
- Class maps - identify traffic (ftp, http)
- Policy maps - the action to take (drop, prioritize)
- Service policies - where the policy map is applied
Once we have dealt with the concepts, let us look at the classic protection methods.
The enable command takes you to the highest privilege level by default (privilege level 15). 15 is the maximum, 1 is the minimum, i.e. what you get after disable. Never use the enable password command. For custom privilege levels you need something like:
enable secret level 4 0 pass4level
privilege exec level 4 ping
To hide plain-text passwords in the configuration, use service password-encryption. The who or show users commands show who is connected to the device.
To store users and passwords in IOS, you can use the local database:
username admin privilege 15 secret 0 pass123
username user1 privilege 4 secret 0 pass1user
line console 0
 login local
line vty 0 4
 login local
For an enterprise, you can use an AAA server. AAA - Authentication: who are you? Authorization: what may you do? Accounting: tracking of actions.
conf t
enable secret level 15 0 cisco123
username admin privilege 15 secret 0 pass123
username user1 privilege 4 secret 0 pass1user
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
And a few useful parameters worth knowing:
security passwords min-length 8
aaa local authentication attempts max-fail 3
show aaa local user lockout
clear aaa local user lockout all
login block-for 300 attempts 10 within 60
If you want to connect to the device over an encrypted channel, you must configure SSH:
ip domain-name ca.com
crypto key generate rsa modulus 1024
ip http secure-server
line vty 0 4
 transport input ssh
Now on to the AAA plan: TACACS+ and RADIUS. The characteristics of these protocols are easy to find; better memorize them, they may well be on the exam. Best practice is to use TACACS+ for administrators and RADIUS for external users coming in via VPN.
Since TACACS+ is a Cisco proprietary protocol, we configure it:
enable secret cisco123
username admin privilege 15 secret pass123
username user1 privilege 1 secret pass1user
aaa new-model
tacacs-server host 192.168.0.254
tacacs-server key cisco1111
aaa authentication login default group tacacs+ local
aaa authentication login Free none
line console 0
 login authentication Free
aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local
aaa authorization config-commands
aaa accounting commands 1 TAC1-acc start-stop group tacacs+
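The management-plane rules above (enable secret rather than enable password, hashed user secrets, service password-encryption, a minimum password length, login throttling, and SSH-only VTY lines) are easy to check mechanically. Here is an added example, my own Python and not part of the original post or any Cisco tool, that parses a constructed IOS running-config and reports which of those controls are missing. The sample configs, hostnames and the `$1$...` hash are made up for illustration.

```python
"""Audit a Cisco IOS running-config for the management-plane hardening points.

Added example: the regexes target standard IOS keywords; both configs below
are constructed for illustration (the hash strings are placeholders).
"""
import re

# Constructed sample config that deliberately mixes good and bad settings.
SAMPLE_CONFIG = """\
!
service password-encryption
!
hostname R1
!
enable password cisco123
username admin privilege 15 secret 5 $1$abcd$placeholderhash
username user1 privilege 4 password 0 pass1user
!
ip domain-name ca.com
security passwords min-length 8
login block-for 300 attempts 10 within 60
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
!
"""

# Constructed hardened version of the same device.
HARDENED_CONFIG = """\
service password-encryption
hostname R1
enable secret 5 $1$abcd$placeholderhash
username admin privilege 15 secret 5 $1$abcd$placeholderhash
ip domain-name ca.com
security passwords min-length 8
login block-for 300 attempts 10 within 60
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""


def parse_blocks(config):
    """Split an IOS config into global commands and per-'line' sections."""
    global_lines = []
    sections = {}  # e.g. {"line vty 0 4": ["login local", "transport input ssh"]}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank lines and IOS comment separators
        if line.startswith("line "):
            current = line
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    g, sections = parse_blocks(config)
    findings = []

    # 1. 'enable password' stores a reversible password; 'enable secret' is hashed.
    if any(l.startswith("enable password") for l in g):
        findings.append("enable password used; replace with enable secret")
    if not any(l.startswith("enable secret") for l in g):
        findings.append("no enable secret configured")

    # 2. Local users should use 'secret' (hashed), not 'password'.
    for l in g:
        if l.startswith("username "):
            m = re.match(r"username (\S+) .*?\b(password|secret)\b", l)
            if m and m.group(2) == "password":
                findings.append(f"user {m.group(1)} uses 'password'; use 'secret'")

    # 3. Hide whatever plain-text passwords remain from 'show run'.
    if "service password-encryption" not in g:
        findings.append("service password-encryption missing")

    # 4. Password policy and brute-force throttling.
    if not any(l.startswith("security passwords min-length") for l in g):
        findings.append("security passwords min-length missing")
    if not any(l.startswith("login block-for") for l in g):
        findings.append("login block-for missing")

    # 5. Every line needs a login (local or via aaa new-model); VTYs must be SSH-only.
    for name, body in sections.items():
        if not any(b.startswith("login") for b in body) and "aaa new-model" not in g:
            findings.append(f"{name}: no login configured")
        if name.startswith("line vty"):
            ti = [b for b in body if b.startswith("transport input")]
            if not ti or ti[-1].split()[2:] != ["ssh"]:
                findings.append(f"{name}: transport input must be 'ssh' only")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file and you get the same four findings for the sample above (enable password, missing enable secret, user1 with a reversible password, and a VTY line that still accepts telnet) and none for the hardened version. The check is intentionally strict about transport input: a line that allows both telnet and ssh is still reachable in clear text.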
Phew, done with passwords. Now let us consider data link layer security.
Everyone has heard of the CAM table, or MAC address table. The attacks covered on this topic are rogue DHCP (countered by DHCP snooping), CAM overflow and VLAN hopping.
How do we protect against a rogue DHCP server? Like this:
conf t
ip dhcp snooping vlan 3
ip dhcp snooping
interface fa0/1
 ip dhcp snooping trust
exit
show ip dhcp snooping binding
Now let us look at the overflow option, CAM overflow. Note that shut / no shut on an interface clears the table entries learned on it.
conf t
interface fa0/1
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation shutdown
 ! do not forget to enable the feature itself
 switchport port-security
errdisable recovery cause psecure-violation
errdisable recovery interval 30
show interfaces status err-disabled
show port-security
There is also such a thing as VLAN hopping. The main recommendations for VLANs are: never use VLAN 1 in production (put all ports into some otherwise unused VLAN, e.g. vlan 999), shut down all unused ports, use access mode on access ports, and disable dynamic trunk negotiation (DTP) with switchport nonegotiate.
show interfaces fa0/1 switchport   (negotiation of trunking is auto by default)
show interfaces trunk
interface fa0/1
 switchport mode access
 switchport access vlan 3
 switchport nonegotiate
And, to finish on a sweet note, BPDU Guard (protection against spanning-tree manipulation) - Bridge PDU Guard (STP):
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface fa0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
errdisable recovery cause bpduguard
By the way, Dynamic ARP Inspection, which relies on the DHCP snooping binding table, can also be used to check ARP traffic against the learned MAC-to-IP bindings.
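The three switch features above (DHCP snooping, port security and Dynamic ARP Inspection) work together: snooping builds a binding table from DHCP leases seen on trusted ports, port security bounds how many MACs an access port may introduce into the CAM table, and DAI checks ARP on untrusted ports against the bindings. The following added example, my own Python and not Cisco code or part of the original post, models that interaction on constructed frames. Port names, MACs and IP addresses are made up; the aim is to show why a rogue DHCP reply, a spoofed ARP reply and a flood of MAC addresses each get dropped.

```python
"""Toy model of DHCP snooping, port security and DAI on one switch.

Added example: a constructed switch processes constructed frames and returns
'forward' or 'drop', using the same rules IOS applies (DHCP server messages
only from trusted ports, a per-port MAC limit, ARP validated against the
snooping binding table). All names and addresses are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    port: str        # ingress port, e.g. "Fa0/1"
    src_mac: str
    kind: str        # "data", "dhcp_offer", "dhcp_ack", "arp_reply"
    vlan: int = 3
    ip: str = ""     # DHCP yiaddr (lease) or ARP sender IP
    chaddr: str = ""  # DHCP client MAC carried inside a server reply


@dataclass
class Switch:
    trusted_ports: set                       # ip dhcp snooping trust (uplink)
    port_sec_max: int = 5                    # switchport port-security maximum
    cam: dict = field(default_factory=dict)       # port -> learned MACs
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> ip
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def process(self, f: Frame) -> str:
        """Return 'forward' or 'drop'; side effects mirror the IOS features."""
        if f.port in self.err_disabled:
            return "drop"
        trusted = f.port in self.trusted_ports

        # Port security: the (max+1)th new MAC on an access port shuts it down.
        learned = self.cam.setdefault(f.port, set())
        if not trusted and f.src_mac not in learned and len(learned) >= self.port_sec_max:
            self.err_disabled.add(f.port)
            self.log.append(f"{f.port}: port-security violation, err-disabled")
            return "drop"
        learned.add(f.src_mac)

        # DHCP snooping: OFFER/ACK are only accepted from trusted ports, and a
        # trusted ACK populates the binding table.
        if f.kind in ("dhcp_offer", "dhcp_ack"):
            if not trusted:
                self.log.append(f"{f.port}: DHCP {f.kind} on untrusted port dropped")
                return "drop"
            if f.kind == "dhcp_ack":
                self.bindings[(f.chaddr, f.vlan)] = f.ip
            return "forward"

        # DAI: on untrusted ports the ARP sender MAC/IP must match a binding.
        if f.kind == "arp_reply" and not trusted:
            if self.bindings.get((f.src_mac, f.vlan)) != f.ip:
                self.log.append(f"{f.port}: ARP {f.src_mac} -> {f.ip} has no binding, dropped by DAI")
                return "drop"
        return "forward"


def run_scenario():
    """Constructed traffic: one legitimate lease, one rogue DHCP server,
    one good and one spoofed ARP reply, and a CAM overflow attempt."""
    sw = Switch(trusted_ports={"Fa0/24"})
    frames = [
        # real DHCP server on the uplink leases 10.0.3.11 to client aa:01
        Frame("Fa0/24", "00:00:00:00:aa:ff", "dhcp_ack",
              chaddr="00:00:00:00:aa:01", ip="10.0.3.11"),
        # a host on access port Fa0/2 answers DHCP itself: rogue server
        Frame("Fa0/2", "00:00:00:00:bb:bb", "dhcp_offer", ip="10.0.3.250"),
        # client aa:01 replies to ARP with its leased address: matches binding
        Frame("Fa0/1", "00:00:00:00:aa:01", "arp_reply", ip="10.0.3.11"),
        # host on Fa0/2 claims the gateway address 10.0.3.1: no binding
        Frame("Fa0/2", "00:00:00:00:bb:bb", "arp_reply", ip="10.0.3.1"),
    ]
    # six distinct source MACs on Fa0/3 while the limit is five
    frames += [Frame("Fa0/3", f"00:00:00:00:cc:{i:02x}", "data") for i in range(6)]
    results = [sw.process(f) for f in frames]
    return results, sw


if __name__ == "__main__":
    results, sw = run_scenario()
    print(results)
    print("\n".join(sw.log))
```

Running it gives three drops out of ten frames: the rogue DHCP offer, the spoofed ARP reply for the gateway, and the sixth MAC on Fa0/3, after which that port is err-disabled exactly as the errdisable recovery commands above would later undo. The binding table ends up with the single legitimate lease, which is what show ip dhcp snooping binding would list on the real switch.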
That is basically everything the exam requires on the IOS side. The rest is using CCP for the router, the ASA and ZBF.
If there is interest, I can write a note on using the CCP interface, since there are a lot of questions about it and the main lab in the exam is built around it.
As you can see, this article is not for the gurus but for those who have only just decided to study Cisco equipment.