Showing posts with label ccna security. Show all posts
Showing posts with label ccna security. Show all posts

NAT Control

The firewall has always been a device supporting and even requiring NAT for maximum flexibility and security. NAT control is available as a capability in the new software release on the Security Appliance.
NAT control dictates the firewall if the address translation rules are required for outside communications and ensures that the address translation behavior is the same as versions earlier than 7.0.
The NAT control feature works as follows:
  • When NAT control is disabled, and the firewall forwards all packets from a higher-security (such as Inside) interface to a lower-security (such as Outside) interface without the configuration of a NAT rule. Traffic from a lower-security interface to a higher-security interface only requires that it be permitted in the access lists, and no NAT rule is required in this mode.
  • When NAT control is enabled, this dictates the requirement of using NAT. (The NAT rule is compulsory in this case.) When NAT control is enabled, it is also required that packets initiated from a higher security-level interface (such as Inside) to a lower security-level interface (such as Outside) must match a NAT rule (nat command with a corresponding global, or a static command), or else processing for the packet stops. Traffic from a lower-security interface to a higher-security interface also requires a NAT and is permitted in the access lists to be forwarded through the firewall.

    Example NO NAT with NAT control enable:
             static (Higher security-level IF, Lower security-level IF) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
The default configuration is the specification of the no nat-control command (NAT control disabled mode). With version 7.0 and later, this behavior can be changed as required.
To enable NAT control, use the nat-control command in the global configuration mode, as shown next:
hostname(config)# nat-control

Note
The nat-control command is available in routed firewall mode and in single and multiple security context modes.

When the nat-control is enabled, each Inside address must have a corresponding Inside NAT rule. Similarly, if an Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside NAT rule before communication is allowed through the Security Appliance.
By default, NAT control is disabled (no nat-control command). The no nat-control command allows Inside hosts to communicate with outside networks without the need to configure a NAT rule. In essence, with NAT control disabled, the Security Appliance does not perform an address translation function to any packets. To disable NAT control globally, use the no nat-control command in global configuration mode:
hostname(config)# no nat-control

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the higher-level interface. The no nat-control command does not have this requirement, nor does it require a static command to allow communication from the lower-level interface (from Outside to Inside); it relies only on access-policies—for example, permitting the traffic in ACL and having corresponding route entries.
To summarize, traffic traversing from a
More Secure to a Less Secure interface
  • Is designated as outbound traffic.
  • The firewall will allow all IP-based traffic unless restricted by access lists, authentication, or authorization.
  • One or more of the following commands are required:
    - nat, nat 0, global, static
Less Secure to a More Secure interface
  • Is designated as inbound traffic.
  • Outside to Inside connections.
  • Inbound permission is required.
  • The firewall will drop all packets unless specifically allowed in the access-list that is applied on the arriving interface. Further restrictions apply if authentication and authorization are used.
  • One or more of the following commands are required:
    - nat 0 with ACL, static and inbound access-list on the ingress interface.
No comments:

CCNA Security Commands

Routers
username test secret 0 cisco >>>>>>>>>> El 0 puedo no ponerlo es lo mismo.
username test secret 5 $okjnioio$iuhiuh$IiniN$ >>>>> 5 me permite poner la clave ya encriptada.

ip http server >>>>>>>>> Habilito la interface web HTTP(SDM).
no ip http server >>>>>>>>> Se recomienda deshabilitar la interface web HTTP (SDM).
ip http secure-server >>>>>>>>>>>>>>> Habilito la interface web HTTPS.


ip http authentication enable >>>>>>>>> Para utilizar el password de enable
ip http authentication local >>>>>>>> Me habilita el uso de los usuarios locales

line vty 0 4
privilege level 15 >>>>>>>>> 15 is full privilege access en vty le da a todos los que acceden via vty full access.
0 user mode.
1 a 14 es customizable

username test privilege 15 >>>>> le da a este usuario full access.


o todo en uno:
username test privilege 15 secret 0 cisco

line vty 0 4 >>>>>> OJO
no login >>>>>>>> Si dejo la linea no me pide nada y entra a modo full access.
login local >>>>>>> uso la base local.


router#auto secure >>>>>>>> same as SDM lockdown. Step by step like audit on SDM

  1. terminal monitor

  1. line vty 0 4
#logging synchronous
  1. logging buffer ####
show log

SSH on router
I need
Hostname and domain name for CERT
ip domain-name gsgf.com
crypto key generate rsa >>>> step by step
1024 bits >>>> good option

Need User
  1. line vty 0 4
  2. login local
  3. transport input ssh
  4. ip ssh version 2
  5. ip ssh time-out
  6. ip ssh authentication-retries <0 5>
  7. show ip ssh
  8. show users


AAA
Radius OPEN
Tacacs+ CISCO proprietario

aaa new-model OJO no bloquearse el acceso al router

Switch security

Defauld at switch
switchport mode dynamic desirable - Acepta todo PC, switchs, etc.

Para PCs:
  1. switchport mode access
  2. switchport port-security Habilita las opciones de seguridad. Debo configurarlas.

  1. switchport port-security Maximun 1-xxx - Cantidad de macs permitidas. Si tengo un telefono y una PC necesito poner 2
  2. switchport port-security violation protect - Solo permite la primera mac. Pero no me entero de lo que pasa.
  3. switchport port-security violation restrict - Solo permite la primera mac. Y loguea lo que pasa.
  4. switchport port-security violation shutdown - Deshabilita el puerto.


Spanning Tree Security:
Root Guard
SW(config-if)#spanning-tree guard root

SW(config-if)#spanning-tree bpduguard enable
SW(config-if)#spanning-tree portfast

o a nivel global se puede hacer asi:
SW(config)#spanning-tree portfast bpduguard default

DHCP Server Security:
SW(config)#ip dhcp snooping ######## Lo activa nada mas
SW(config)#ip dhcp snooping vlan 20,30

SW(config-if)#ip dhcp snooping trust ##### Lo aplico en la IF que tiene el server de DHCP

SPAN Port Monitor
SW(config)#monitor session 1 source interface fa 0/1 - 20 rx ####Desde donde

SW(config)#monitor session 1 destination interface fa 0/24 ###### a donde mando la info

Storm Control:
SW(config-if)#storm-control action shutdown
SW(config-if)#storm-control broadcast level 70 #### Es el % maximo antes del shutdown

Best practices:
Use secure maangement: SSH, OOB, access-class
Make an audit list!!!!!!!!
Try ti eliminate vlan 1
Eliminate dynamic ports
Lock down snmp, only RO community


NAC: Cisco lo llamaba IBNS. 802.1x
NAC=802.1x is EAP over LAN. "EAPOL"
EAP:Pequeño encabezado que permite luego autenticar y validar la PC.

CSA:
Cisco Security Agent. IDS/IPS agent and also AV.
No comments:

CCNA Security 640-553 IINS Exam Topics

640-553 IINS Exam Topics (Blueprint)

Exam Description

The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks. It leads to validated skills for installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices and develops competency in the technologies that Cisco uses in its security infrastructure.

Candidates can prepare for this exam by taking the Implementing Cisco IOS Network Security (IINS) course.

Exam Topics

The following topics are general guidelines for the content likely to be included on the Implementing Cisco IOS Network Security (IINS) exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

Describe the security threats facing modern network infrastructures

Describe and list mitigation methods for common network attacks
Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks
Describe the Cisco Self Defending Network architecture

Secure Cisco routers

Secure Cisco routers using the SDM Security Audit feature
Use the One-Step Lockdown feature in SDM to secure a Cisco router
Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
Secure administrative access to Cisco routers by configuring multiple privilege levels
Secure administrative access to Cisco routers by configuring role based CLI
Secure the Cisco IOS image and configuration file

Implement AAA on Cisco routers using local router database and external ACS

Explain the functions and importance of AAA
Describe the features of TACACS+ and RADIUS AAA protocols
Configure AAA authentication
Configure AAA authorization
Configure AAA accounting



Mitigate threats to Cisco routers and networks using ACLs

Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
Configure IP ACLs to prevent IP address spoofing using CLI
Discuss the caveats to be considered when building ACLs

Implement secure network management and reporting

Use CLI and SDM to configure SSH on Cisco routers to enable secured management access
Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server

Mitigate common Layer 2 attacks

Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features

Implement the Cisco IOS firewall feature set using SDM

Describe the operational strengths and weaknesses of the different firewall technologies
Explain stateful firewall operations and the function of the state table
Implement Zone Based Firewall using SDM

Implement the Cisco IOS IPS feature set using SDM

Define network based vs. host based intrusion detection and prevention
Explain IPS technologies, attack responses, and monitoring options
Enable and verify Cisco IOS IPS operations using SDM

Implement site-to-site VPNs on Cisco Routers using SDM

Explain the different methods used in cryptography
Explain IKE protocol functionality and phases
Describe the building blocks of IPSec and the security functions it provides
Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM
No comments:
Subscribe to: Posts (Atom)