IPS/IDS Basic Design and Operation
- IPS: Deep Packet Inspection; detects and prevents malicious traffic
  - Inline in the traffic path, faces live traffic; called "Inline Mode"
  - Advantages: can look for attack patterns from Layer 2 to 7; real-time traffic monitoring; can block traffic and take action to stop an attack (because inline)
  - Should be able to handle live traffic
- IDS: NOT inline, receives a copy of the traffic; called "Promiscuous Mode"
  - Detects attacks and produces alerts
  - Advantages: no impact on live traffic
  - Limitation/Disadvantages: because it receives only a copy of the traffic, some malicious traffic can pass through before the IDS detects it; needs help from other devices (firewall, routers) to respond to an attack; only indicates the presence of intrusive activity without knowing whether it failed or succeeded; vulnerable to evasion (attack hiding) techniques; prone to email and worms

Deployment Models
- Host Based IPS (HIPS)
  - Only installed on specific hosts (servers etc.)
  - Implemented using CSA (Cisco Security Agent)
  - Checks system resources and files and acts proactively
  - Advantages: traffic comes to the HIPS in unencrypted clear form; can normalize traffic to defend against evasion (hiding) attacks
  - Limitation/Disadvantages: does NOT provide the complete network picture because it is local to the host; must be able to support multiple operating systems; the host is visible to attackers
- Network Based IPS (NIPS)
  - Deployed throughout the network to achieve results
  - Advantages: can see the entire network picture; not visible to attackers; operating system independent
  - Limitation/Disadvantages: encrypted traffic can blind the NIPS; can affect live traffic; impacts network latency and jitter

Attack Patterns
- Atomic Pattern: the malicious traffic is contained in a single packet (e.g. from a specific SRC IP targeting a specific port on a specific host). IPS can block this and can stop the "trigger" (1st attack) packet; IDS is vulnerable to this.
- Composite Pattern: a sequence of operations across multiple hosts, distributed over time

Actions
- IPS (Inline): Deny Packet Inline, Modify Packet Inline, Deny Connection Inline, Deny Attacker Inline (Drop, Block, Reset, Shun/reject)
- IDS (Promiscuous): Reset TCP Connection, Request Block Connection, Request Block Host

Attack Detection Methods
- Signature Based
  - Matches on pre-defined signatures; protocol based detection relies on this
  - Does not slow traffic; simple to configure
  - Many false positives in the beginning, then they reduce
  - Signatures need to be updated regularly
  - Good to mitigate known attacks; no detection for unknown signatures
- Policy Based
  - Can detect unknown attacks by defining a specific policy for the attack
  - Policies are pre-configured as per the network policy; any traffic outside the policy generates an alarm
  - Policy requires continuous tuning
- Honeypot Based
  - Dummy server to attract attacks; distracts and confuses attackers
  - Collects information about attacks so that existing signatures can be improved
  - Typically used by large organizations to better understand attacks
- Anomaly Based
  - Also called network behavior analysis or heuristics analysis
  - Detects abnormal behavior; can detect unknown attacks if they are outside normal behavior
  - The challenge is to define abnormal behavior in the first place

Evasion Techniques (attacker hiding) and the Anti-Evasion Technique used by the IPS
- Encryption and Tunneling: encrypt and tunnel the traffic (SSH, IPsec, SSL). Anti-evasion: GRE Tunnel Inspection
- Timing Attack: slowing down packet transmission below normal to trick the IPS. Anti-evasion: configuring timing intervals
- Resource Exhaustion: extreme resource consumption by generating false alarms. Anti-evasion: Dynamic Event Summarization (send multiple events at once)
- Traffic Fragmentation: TCP segmentation and IP fragmentation. Anti-evasion: full session reassembly
- Protocol Level Misinterpretation: TTL value and TCP checksum manipulation. Anti-evasion: TTL & checksum validation
- Traffic Substitution and Insertion: substitute payload data with other/malicious data. Anti-evasion: data normalization

IPS Signature/Alarm Types and Definitions
- False Positive: False = "undesired action", Positive = "signature is fired"; the signature fires where it is supposed to not fire
- False Negative: False = "undesired action", Negative = "signature is not fired"; the signature does not fire where it is supposed to fire
- True Positive: True = "desired action", Positive = "signature is fired"; the signature fires where it is supposed to fire
- True Negative: True = "desired action", Negative = "signature is not fired"; the signature does not fire where it is supposed to not fire
Signature/Alarm Severity Levels: Informational, Low, Medium, High

NGIPS Products (Sourcefire)
- Dedicated Appliance: Firepower 7000, Firepower 8000
- Software/Hardware Modules: ASA5500X with Firepower Services; IPS License for IOS Routers
- NG Firewall with built-in IPS: Firepower 4100/9300 (IPS, Firewall, Advanced Malware Protection)
- NGIPS Management: Firepower Management Centre (can manage multiple systems); Firesight Management Centre
Next Generation IPS Add-ons
- Real Time Contextual Awareness: deep insight into devices, applications, users, OS files
- Advanced Threat Protection: fully integrated advanced malware protection (AMP)
- Network Behavior Analysis
- Application Monitoring (OSI Layer 1)

Zone Based Firewall (ZBFW)
- Concept: divide interfaces into zones; traffic is controlled when traversing zones
- Achieved through C3PL (Cisco Common Classification Policy Language)
- Types of Zones: User Defined Zones; Self Zone (default zone, always available)
- Self Zone rules
  - Self Zone traffic is traffic sourced from and destined to the router (control plane and management plane traffic)
  - Interfaces cannot be assigned to the Self Zone
  - Traffic between User Defined Zones and the Self Zone is PERMIT by default
  - Cannot configure an "inspect" rule for the Self Zone; return traffic must be explicitly "permit" if it needs to be allowed
  - If any policy is applied involving the Self Zone, then traffic to and from the Self Zone will be dictated by that policy
  - Stateful inspection support for multicast traffic is not supported between any zones (including the Self Zone)
- General guidelines
  - One interface cannot be a member of multiple zones
  - GRE and ESP cannot be INSPECTED; you must PASS them
  - If interfaces are attached to zones first and the zones are not created, traffic will be DROPPED
  - Default zone-based firewall policy between User Defined zones is "Deny All"
- Traffic control rules
  - Traffic between a User Defined Zone and the Self Zone: firewall policy can control it
  - Traffic between interfaces in different User Defined zones: DROP by default
  - Traffic between interfaces in the same zone: permit by default; firewall policy can control it
  - Traffic between an interface in a zone and an interface not in any zone: DROP by default; cannot be fixed, invalid design
- 3 actions can be defined for a Policy Map: Pass, Inspect, Drop
- Configuration block steps: Define Zones; Classify Traffic; Define Policy; Activate Policy; Attach Interfaces to Zones
- Traffic classification levers: Layer 3 class maps and policy maps; Layer 4 class maps and policy maps
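Added example (not part of the original notes): the five configuration steps above as they would be entered on an IOS router, using assumed zone names INSIDE and OUTSIDE and assumed interface names GigabitEthernet0/0 and 0/1. It also applies the guideline that GRE and ESP must be passed rather than inspected.

```cisco
! Step 1: define zones (names INSIDE/OUTSIDE are assumed for this example)
zone security INSIDE
zone security OUTSIDE
!
! Step 2: classify traffic. GRE and ESP cannot be inspected, so they get their own class.
ip access-list extended VPN-PROTOCOLS
 permit esp any any
 permit gre any any
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all VPN-CLASS
 match access-group name VPN-PROTOCOLS
!
! Step 3: define policy with the three possible actions: pass, inspect, drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect VPN-CLASS
  pass
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
! Step 4: activate the policy on a zone pair. Inspected sessions get their return
! traffic allowed by the state table; "pass" is stateless, so GRE/ESP also need a
! pass policy on the OUTSIDE -> INSIDE zone pair (not shown).
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Step 5: attach interfaces to zones (interface names are assumed)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Because the zones are created before any interface is attached, no traffic is dropped during the rollout, matching the guideline above.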


802.1x LAN/WLAN Security
- Authentication Basics: for LAN/WLAN user authentication
- Main Components
  - Supplicant: built into the OS, or AnyConnect
  - Authenticator: switch, wireless access point
  - Authentication Server: Cisco ISE/AAA server
- Protocols
  - Between Supplicant and Authenticator: EAPOL (EAP over LAN)
  - Between Authenticator and Server (AAA/ISE): RADIUS
- EAP (Extensible Authentication Protocol) defines the transport and usage of identity credentials. It encapsulates the usernames, passwords, certificates, tokens, OTPs, etc. that a client is sending for purposes of authentication.
- EAP Types (Authentication Methods)
  - EAP-TLS: uses TLS (Transport Layer Security) to provide the secure identity transaction
  - EAP-MD5: uses a "Message Digest algorithm" to hide the credentials in a HASH; does not offer mutual authentication (meaning the server validates the client, but the client does not validate the server)
  - PEAP (Protected EAP): first forms an encrypted TLS tunnel between the client and the server; after the tunnel has been formed, PEAP uses another EAP type (e.g. EAP-MSCHAPv2) as an "inner method". PEAP is used for WLAN.
  - EAP-FAST (Flexible Authentication via Secure Tunnel): very similar to PEAP; created by Cisco Systems as an alternative to PEAP that allows for faster re-authentications and supports faster wireless roaming
- Port States
  - Unauthorized: only 802.1x authentication, CDP and STP allowed
  - Authorized: normal traffic flow
  - Restricted VLAN: the user lands here if authentication failed x times (x is configurable, default x = 3)
  - Guest VLAN: if no response to the EAP request is received by the Authenticator, or EAPOL is not sent by the Supplicant

STP Guards
- BPDU Guard
  - Requires STP PortFast already configured on the port
  - If enabled globally, it is only effective on ports with an operational PortFast state
  - If any BPDU is received, puts the port in Err-Disabled state (effectively shutdown)
- Root Guard
  - Forces the port to become a Designated Port
  - If a superior BPDU is received on the port, puts the port in Root-Inconsistent state (meaning the port is blocked)
Layer 2 Attacks
- DHCP Spoofing
  - Attacker spoofs as the DHCP server
  - Attacker may be closer than the real DHCP server and hence can reply to DHCP requests
  - Can execute a Man In The Middle attack; can deplete the IP addresses of the DHCP server; can affect traffic flow
  - Can be mitigated by enabling DHCP Snooping
- VLAN Hopping
  - An end station can spoof as a switch and create a trunk with the network switch. Can happen if Native VLAN = 1 for the port facing the end station.
  - The end station can then send an 802.1q double encapsulated frame. The first tag is decapsulated by the 1st switch, the 2nd tag is decapsulated by the 2nd switch, and the malicious frame can reach the target station.
  - Safe measures: turn off auto trunking on ports facing end stations; disable unused ports and put them in an unused VLAN; do not use VLAN 1 for anything; use 802.1q tag all on the trunk port

Attack Types
- Eavesdropping
- Social Engineering: using social media to get confidential info
- Phishing: impersonating someone credible to get confidential data
- DoS: resource exhaustion technique initiated by a single attacker
- DDoS: similar to DoS, but generated by multiple sources called botnets
- Spoofing: hiding the real identity and presenting a fake identity
- Reflection: spoofs an IP address of the victim and sends requests to a server, to get legitimate data or to deplete the resources of the victim
- Amplification: spoofs the IP address of the victim and sends many requests; the victim receives the replies for those requests
- Password: trying to break the password
- Reconnaissance: like scanning the network and getting info before launching an actual attack
- Buffer Overflow: trying to deplete victim resources by sending a payload that the victim may not understand
- Man In The Middle: affect the traffic path to receive the data between the victim and the server
- Malicious Codes
  - Virus: malicious code that attaches itself to physical hardware (USB). Cannot propagate itself unless done manually.
  - Worms: like viruses, but can propagate themselves from machine to machine
  - Trojan Horse: full attack of malicious code embedded in a Word/PDF file, effective when the file is executed
  - Persistent Attack: malicious code that can keep quiet, then become active, then go quiet again. Stealth and persistent behavior.
Cryptographic Algorithm Recommendations
Ratings: "Avoid" = does not provide adequate security against modern threats; "Legacy" = provides a marginal but acceptable security level, to be phased out and replaced with stronger algorithms; "Acceptable" = provides adequate security; NGE = Next Generation Encryption.
- Authentication
  - DSA (Digital Signature Algorithm) 768, 1024: Avoid
  - DSA 2048, 3072: Acceptable
  - EC (Elliptic Curve) DSA-256: Acceptable
  - ECDSA-384: Next Generation Encryption
- Encryption
  - DES: Avoid
  - RC4: Avoid
  - RSA 768, 1024: Avoid
  - 3DES: Legacy
  - AES: Acceptable
  - RSA 2048, 3072: Acceptable
- Key Exchange (Encryption & Authentication)
  - DH 768, 1024: Avoid
  - DH 2048, 3072: Acceptable
  - ECDH-256: Acceptable
  - ECDH-384: Next Generation Encryption
- Integrity
  - MD5: Avoid
  - SHA-1: Legacy
  - HMAC-MD5: Legacy
  - HMAC-SHA-1: Acceptable
  - SHA-256, 384, 512: Next Generation Encryption
  - HMAC-SHA-256: Next Generation Encryption

Algorithm Basics
- Symmetric Key Algorithm: the same key for encryption and decryption (3DES & AES)
- Public Key Algorithm (also called Asymmetric): different keys for encryption and decryption (DSA & RSA)
- Elliptic Curve Cryptography: functions over points on an elliptic curve (ECDSA belongs to this family)
- Hash: irreversible; constant size output for any input

IPsec VPN
- VPN Types
  - Site to Site: between 2 VPN gateways
  - Remote Access: between a user device and a gateway
- Execution Steps
  - Tunnel Negotiation (IKEv1 and IKEv2 operate here!)
    - Phase 1 (Standard): 2 modes
      - Main Mode: longer to negotiate (6 unidirectional messages, seen normally in site-to-site VPN)
      - Aggressive Mode: faster to negotiate (3 unidirectional messages, seen normally in Remote Access VPN)
      - DH works to come up with the shared secret key without exchanging it over the wire
      - Final success of Phase 1 is 1 x IKE bi-directional SA (Security Association)
    - Phase 1.5 (Non-standard, only for Remote Access)
    - Phase 2: Quick Mode only, 3 unidirectional messages
      - Negotiates: hashing, encryption, key lifetime, encapsulation mode (Tunnel or Transport), encapsulation protocol (AH or ESP), proxy ACL (what data goes inside the tunnel; also called the crypto ACL)
      - Final success of Phase 2 is 2 x uni-directional SAs (Security Associations)
  - Data Transmit
- Encapsulation Protocols
  - ESP (Encapsulation Security Protocol), IP protocol # 50: provides confidentiality (meaning encryption), integrity (meaning hash) and authentication (meaning keys and certificates)
  - Authentication Header (AH), IP protocol # 51: provides integrity (meaning hash) and authentication (meaning keys and certificates)
- Encapsulation Modes
  - Transport Mode: the original IP header is preserved; used mostly for intra-site traffic
  - Tunnel Mode: the original IP header is not preserved and a new IP header is attached; used mostly for inter-site traffic
- Features
  - Origin Authentication: data is sent by a trusted source; through keys and certificates
  - Data Confidentiality: data is not viewed; through encryption (3DES, AES)
  - Data Integrity: data is not changed; through hash (e.g. HMAC-MD5)
  - Anti Replay: the same data is not received again; through sequence numbers or timestamps
  - Key Management: exchange secure keys over an insecure link to begin with; through a key exchange algorithm (IKE, DH)
- IPsec Operation with NAT & ASA
  - If NO NAT, open UDP port 500 for ISAKMP for Phase 1
  - If NAT, open UDP port 4500 for ISAKMP for Phase 1
  - With or without NAT, open IP protocol number 50 for ESP and 51 for AH
Evolution of Firewall
1 ACLs: stateless packet filters
2 Application Level Gateway: web proxy servers
3 Stateful Packet Filters (called ASAs or Firewalls): combine ACLs and ALGs
4 Next Generation Firewall: stateful firewall with additional capabilities

Evolution in Detail
- Stateless Packet Filters aka ACLs
  - Stateless: does not keep track of sessions
  - Filters on Layer 3 IP addresses, and on source and destination ports and TCP flags
  - Lot of manual config
- Application Level Gateways aka Proxy Servers
  - Can look into applications; has to perform DPI, so it is performance impactive
  - Mostly a dedicated appliance
  - Good for SMTP and HTTP inspection
- Stateful Packet Filters aka ASA/Firewall
  - Stateful: keeps track of sessions; checks traffic session by session (Layer 3 and Layer 4 stateful firewall)
  - Built-in support for routing, switching, VPN, IPS, NAT, DHCP, SSL, IKEv1, IKEv2 etc.
  - Mostly a dedicated appliance
  - Zone Based Firewall and CBAC are examples of stateful filters
- Next Generation Firewall
  - Next generation capabilities through the FirePower module
  - Identity based access: access based on the specific user
  - URL Filtering
  - IPS functionality (NGIPS)
  - Advanced Malware Protection
  - AVC (Application Visibility and Control): much more granular visibility into applications
- Personal Firewall
  - Usually installed as software on a personal computer
  - May provide a basic level of intrusion detection
  - If malware has already propagated, it may not stop it or inform about it

ASA Firewall Features
- Deployment Modes
  - Active-Active: used for load balancing
  - Active-Standby: best possible config; one will be the active Primary and the second will be standby, waiting for the Primary to fail
  - Clustering: multiple physical ASAs acting as 1 logical unit
- Operating Modes
  - Deployed in Routed and Transparent Mode
  - Single Context
  - Multiple Context: a single physical firewall has multiple contexts; each context has its own policies
- Mandatory Config: Nameif (interface name), IP address, Security Level (default 100 for the Inside nameif)
- Security Levels: interfaces have security levels; highest level = 100, lowest level = 0
  - By default, traffic initiated from High to Low = permit, and the return traffic is also permitted
  - Additional config is required to allow traffic between interfaces at the same security level
- Remote Access: by default NO remote access (Telnet, SSH, HTTP, HTTPS blocked)
  - To enable: enable Telnet, define a local user, enable AAA, allow the IP address
- ACL Match
  - Standard ACLs match on SRC IPs
  - Extended ACLs match on SRC, DST IPs, port, protocol
  - If an ACL is applied on an interface, all traffic will be dictated by the ACL; no default is applicable
- Object Groups: used to group similar objects together; simplify management/configuration
  - Types of objects possible: IP addresses, protocols, port #, ICMP types
Web Security
- Solution Types
  - WSA (Web Security Appliance): for fixed end points, mostly inside the network; protects from web attacks coming from the Internet
    - Deployment Modes
      - Explicit Proxy: the proxy is configured in the web browser; the user is aware of the proxy
      - Transparent Proxy: traffic is redirected through a Layer 3 device (router); the user is unaware of the proxy
    - Appliance: Physical, or Virtual (software based)
  - CWS (Cloud Web Security): for mobile end points, mostly outside the network; can operate only in Transparent Mode
- Features
  - Works through the whole Attack Continuum (Before, During, After)
  - Web Reputation Check
  - Web Filtering
  - Uses Cisco Talos data in real time to check against threats
  - Advanced Malware Protection
  - Sandboxing and Analysis
  - Works as an FTP proxy
  - Works as an HTTP/HTTPS proxy
  - Does HTTPS decryption
Email Security
- Solutions
  - ESA (Email Security Appliance): protects against email threats; Appliance: Physical, Virtual
  - CES (Cloud Email Security)
- Features
  - Protects against the full continuum of attack (Before, During, After), based on inbound email or outbound email
  - Must be configured as an SMTP Relay or Gateway explicitly, hence only Explicit Mode
  - Allows or denies email traffic as per the configured policies
  - Email Reputation (clean or malicious)
AAA
- Purpose: Authentication, Authorization, Accounting
- Actors: Supplicant, Authenticator, Authentication Server
- Protocols between Supplicant and Authenticator
  - Network Access: EAPoL, HTTP, HTTPS, SSL, IKE
  - Device Management: Console, Telnet, HTTP, SSH, HTTPS
- Protocols between Authenticator and Authentication Server
  - RADIUS
    - Uses UDP
    - Port 1645 (legacy) / 1812 (new) for authentication; port 1646 (legacy) / 1813 (new) for accounting
    - Username sent in cleartext; password sent in MD5
    - Authentication and authorization are combined in 1 process
    - Supports EAP transport
    - Preferable to use for Network Access
  - TACACS+
    - TCP port # 49
    - Encrypts the entire packet (user + password)
    - Authentication, authorization & accounting are independent
    - Preferable to use for Device Management
- Cisco Servers Facts
  - ISE: mostly used for Network Access; does not support TACACS+ yet
  - ACS: mostly used for Device Administration; supports both RADIUS and TACACS+
ISE (Identity Services Engine)
- Basic Info
  - Manages access to the network based on the end user, device health and related parameters that describe the access
  - Core of the Cisco Security Architecture
  - Also called Next Generation RADIUS
  - Offers centralized Network Access Control
  - Supports BYOD and Guest Services
  - Authorization based on context (Who, When, Where, What); once authorized, provides VLAN/ACL assignment, TrustSec (SGT & MACsec)
- Posture Assessment: system health check for mobile devices
  - If Anti-Virus is installed & updated
  - If software is updated
  - If patches are updated
- Mobile Device Management (MDM): works in integration with ISE; authentication and authorization are still done by ISE; provides additional features to ISE for BYOD management
- 3 Authentication Methods
  - 802.1x (EAP) for internal users/systems
  - MAB and Profiling for those not supporting 802.1x (such as printers); because a MAC address can be spoofed easily, MAB is integrated with Profiling
  - Web Portal for Guests and BYOD
    - Guest: customized web portal for guests; credentials shared through SMS, email, print
    - BYOD: dedicated portal on ISE for BYOD; self-enrolment facility into ISE; an 802.1x profile is pushed to the BYOD device from ISE so it can use 802.1x
- Evaluate these before providing access
  - Who is the user/device?
  - How does it access the network?
  - From where does it access the network?
  - At what time does it access the network?
  - What is the health of the system?
  - From what device does it access the network?

SSL/TLS
- History/Intro
  - SSL had built-in design/security flaws: the key exchange is vulnerable to man-in-the-middle attacks; operates at the Presentation Layer; relies on SHA-1 & MD5 (both are weak); NO Elliptic Curve Diffie-Hellman (ECDH) & Digital Signature Algorithm (ECDSA) support
  - IETF replaced SSL with TLS; TLS operates at the Transport Layer; current TLS version is 1.2
  - Versions: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
- Client Server Authentication
  - Client authenticates Server: Digital Certificate
  - Server authenticates Client: Digital Certificate, or Username/Password
- Can Secure
  - Application Layer protocols: HTTP, SMTP, IMAP, FTP, POP
  - VPN, instead of IPsec
- Protocol Support
  - Agreement on the TLS/SSL version
  - Cipher Suite
    - Key Exchange Algorithm: EC (Elliptic Curve) DH/ECDHE, DH (Diffie-Hellman)/DHE, RSA
    - Encryption Algorithm: AES, 3DES, DES, IDEA, RC4
    - Integrity: MD5, SHA1, SHA2
- Implementation
  - Control Plane (tunnel negotiation): SSL/TLS, port 443
  - Data Plane (data flow): TLS over TCP; if UDP (e.g. video) then DTLS

SSL VPN Intro
- Mostly for Remote Access VPN only (Cisco also)
- Client Based (Cisco AnyConnect)
  - The remote client is allocated an IP address
  - The ASA only decrypts the traffic coming from the client and passes it on to get access to the protected resources; the ASA does NOT act as a proxy
- Clientless (Web Browser)
  - Like HTTPS
  - The remote client is NOT allocated an IP address
  - The ASA acts as a proxy: the client requests resources from the protected network, and the ASA fetches and provides them