IPS (Intrusion Prevention System)

Host-Based IPS (HIPS)
- Implemented using CSA (Cisco Security Agent)
- Checks system resources and files and acts proactively
- Traffic comes to HIPS in unencrypted, clear form
- Does NOT provide a complete network picture because it is local to the host
- Must be able to support multiple operating systems
- Host is visible to attackers

Network-Based IPS (NIPS)
- Deployed throughout the network to achieve results
- Can see the entire network picture
- Encrypted traffic can blind NIPS
- Not visible to attackers
- Operating-system independent

Attack patterns
- Atomic pattern: malicious traffic is contained in a single packet. IPS can block this (it can stop a packet from a specific SRC IP targeting a specific port on a specific host); IDS is vulnerable to this.
- Composite pattern: a sequence of operations across multiple hosts, distributed over time.

Advantages of IPS (compared with IDS)
- Can stop the "trigger" (1st attack) packet
- Can normalize traffic to defend against evasion (hiding) attacks
- IDS, by contrast, only indicates the presence of intrusive activity without knowing whether it failed or succeeded

Limitations / Disadvantages of IPS
- Can affect live traffic
- Impacts network latency and jitter

Deployment models
- Dummy server to attract attacks
- Policies are pre-configured as per network policy
- Dedicated appliance
- Advanced Threat Protection: fully integrated Advanced Malware Protection (AMP)

Signature severity levels
- Medium
- High

Signature alarm types and definitions
- True Positive: True = "desired action", Positive = "signature is fired". The signature is fired where it is supposed to be fired.
- True Negative: True = "desired action", Negative = "signature is not fired". The signature is not fired where it is supposed to not be fired.
STP security
- BPDU Guard
  - If enabled globally, it is only effective on ports in an operational PortFast state
  - Requires that PortFast already be configured on the port
  - If any BPDU is received, puts the port into the err-disabled state (effectively shutdown)
- Root Guard
  - Forces the port to become a designated port
Attack types
- DHCP Spoofing
- Eavesdropping
- Social Engineering: using social media to get confidential information
- Phishing: impersonating someone credible to get confidential data
- DoS: resource exhaustion technique initiated by a single attacker
- DDoS: similar to DoS, but generated by multiple sources, called botnets
- Spoofing: hiding the real identity and presenting a fake identity
- Reflection: spoofs the victim's IP address and sends requests to a server, to get legitimate data or to deplete the victim's resources
- Amplification: spoofs the victim's IP address and sends many requests; the victim receives the replies to those requests
- Password
- VLAN Hopping
  - An end station can spoof as a switch and create a trunk with the network switch. This can happen if Native VLAN = 1 for the port facing the end station.
  - The end station can then send an 802.1q double-encapsulated frame. The first encapsulation is decapsulated by the 1st switch, the 2nd encapsulation is decapsulated by the 2nd switch, and the malicious frame can reach the target station.
  - Safe measures:
    - Turn off auto trunking on ports facing end stations
    - Disable unused ports and put them in an unused VLAN
    - Do not use VLAN 1 for anything
    - Use 802.1q "tag all" on the trunk port
Encryption Algorithm Basics

Ratings used below
- "Avoid": does not provide adequate security against modern threats
- "Legacy": provides a marginal but acceptable security level; to be phased out and replaced with stronger algorithms
- "Acceptable": provides adequate security

Encryption
- Symmetric key algorithms (3DES & AES): the same key is used for encryption and decryption
- 3DES: "Legacy"
- AES: "Acceptable"

Encryption & Authentication
- RSA 768, 1024: "Avoid"
- RSA 2048, 3072: "Acceptable"

Key Exchange
- DH 768, 1024: "Avoid"
- DH 2048, 3072: "Acceptable"
- ECDH-256: "Acceptable"
- ECDH-384: Next Generation Encryption
- Elliptic Curve: the algorithm functions over points belonging to an elliptic curve (Elliptic Curve Cryptography, e.g. ECDSA)

Integrity
- SHA-1: "Legacy"
- HMAC-MD5: "Legacy"
- HMAC-SHA-1: "Acceptable"
IPsec VPN & VPN Types

VPN types
- Site to Site: between 2 VPN gateways
- Remote Access: between a user device and a gateway
- Tunneling

Execution steps
1. Tunnel Negotiation (IKEv1 and IKEv2 are here!)
   - Phase 1: negotiates hashing, encryption and key lifetime. Has 2 modes; Aggressive Mode is faster to negotiate (3 unidirectional messages, normally seen in Remote Access VPN).
   - Phase 1.5 (non-standard, only for Remote Access)
   - Phase 2: only Quick Mode, 3 unidirectional messages. Negotiates the encapsulation mode (Tunnel or Transport), the encapsulation protocol (AH or ESP) and the Proxy ACL (what data goes inside the tunnel), also called the Crypto ACL. Final success of Phase 2 is 2 x unidirectional SAs (Security Associations).
2. Data Transmit

Encapsulation protocols
- ESP (Encapsulation Security Protocol), IP protocol # 50, provides Confidentiality (meaning encryption), Integrity (meaning hash) and Authentication (meaning keys and certificates)
- Authentication Header (AH), IP protocol # 51, provides Integrity (meaning hash) and Authentication (meaning keys and certificates)

Encapsulation modes
- Transport Mode
- Tunnel Mode

Features
- Origin Authentication: data is sent by a trusted source; through keys and certificates
- Data Confidentiality: data is not viewed; through encryption (3DES, AES)
- Data Integrity: data is not changed; through a hash (e.g. HMAC-MD5)
- Anti-Replay: the same data is not received again; through sequence numbers or timestamps
- Key Management: exchange secure keys over an insecure link to begin with; through a key exchange algorithm (IKE, DH)

IPsec operation with NAT & ASA
- If NO NAT, open UDP port 500 for ISAKMP for Phase 1
- If NAT, open UDP port 4500 for ISAKMP for Phase 1
- NAT or no NAT, in both cases open IP protocol number 50 for ESP & 51 for AH
Firewalls

Evolution of the firewall
1. ACLs: stateless packet filters
2. Application Level Gateway (ALG): web proxy servers
3. Stateful Packet Filters (called ASAs or firewalls): combines ACLs and ALGs
4. Next Generation Firewall: stateful firewall with additional capabilities

Evolution in detail
- Application Level Gateways, aka proxy servers
  - Can look into applications
  - Has to perform DPI, so it is performance impacting
  - Mostly a dedicated appliance
  - Good for SMTP and HTTP inspections
- Stateful Packet Filters, aka ASA/Firewall
  - Checks traffic session by session
  - Built-in support for routing, switching, VPN, IPS, NAT, DHCP, SSL, IKEv1, IKEv2 etc.
  - Mostly a dedicated appliance
  - Zone-Based Firewall (ZBFW) and CBAC are examples of stateful filters
  - Next Generation capabilities through the FirePOWER module
- Next Generation Firewall
  - Identity-based access: access based on a specific user
  - URL Filtering
  - IPS functionality (NGIPS)
  - Advanced Malware Protection
  - Much more granular visibility into applications: AVC (Application Visibility and Control)

ASA
- Deployment modes: deployed in Routed and Transparent mode
- Operating modes
  - Single Context
  - Multiple Context: a single physical firewall has multiple contexts; each context has its own policies
- Mandatory interface config
  - Nameif (interface name)
  - IP address
  - Security level (default 100 for the "inside" nameif)
- Security levels
  - Interfaces have security levels: highest level = 100, lowest level = 0
  - By default, traffic initiated from High to Low = permit, and the return traffic is also permitted
  - Additional config is required to allow traffic between interfaces at the same security level
  - If an ACL is applied on an interface, all traffic is dictated by the ACL; no default is applicable
- Remote access
  - By default, NO remote access (Telnet, SSH, HTTP, HTTPS blocked)
  - To enable: enable Telnet, define a local user, enable AAA, allow the IP address
Web Security
- Solution types: Appliance (WSA) and CWS
- WSA (Web Security Appliance)
  - Protects from web attacks coming from the Internet
  - For fixed endpoints, mostly inside the network
  - Deployment modes
    - Explicit Proxy: the proxy is configured in the web browser; the user is aware of the proxy
    - Transparent Proxy: traffic is redirected through a layer 3 device (router); the user is unaware of the proxy
- CWS (Cloud Web Security)
  - Can operate only in Transparent Mode
  - For mobile endpoints, mostly outside the network

Email Security
- Protects against the full continuum of attack: Before, During, After (based on Inbound Email or Outbound Email)
- Must be configured as an SMTP Relay or Gateway explicitly, hence only Explicit Mode
AAA & ISE (Identity Services Engine)

Purpose
- Authentication
- Authorization
- Accounting

Actors
- Supplicant
- Authenticator
- Authentication Server

Protocols
- RADIUS: mostly used for network access
- TACACS+: Authentication, Authorization & Accounting are independent; encrypts the entire packet (user + password)
- ISE supports both RADIUS and TACACS+

ISE basic info
- Manages access to the network based on the end user, device health and related parameters that describe the access
- Core of the Cisco Security Architecture
- Also called Next Generation RADIUS
- Offers centralized network access control
- Authorization based on context (who, when, where, what)
- Once authorized, provides VLAN/ACL assignment and TrustSec (SGT & MACsec)
SSL VPN

Integrity (hashing): MD5, SHA1, SHA2

Data plane (data flow)
- TCP: TLS (like HTTPS)
- If UDP (e.g. video), then DTLS

Implementation
- Mostly for Remote Access VPN only (Cisco also)
- Client-based (Cisco AnyConnect)
  - The remote-site client is allocated an IP address
  - The ASA only decrypts the traffic coming from the client and passes it on to get access to the protected resources; the ASA does NOT act as a proxy
- Clientless (web browser)
  - The ASA acts as a proxy: the client requests resources from the protected network, and the ASA fetches and provides them