Security

Cisco ACS Initial Setup

localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use 'Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...

After the ACS server is installed, the system reboots automatically.

Verify that the application has been installed properly by entering show application. Check the release and ACS version installed by entering show application version acs. Check the status of ACS processes at the system prompt by entering show application status acs.

Password Reset

– Power up the appliance.
– Insert the ACS 5.3 Recovery DVD. The console displays:

Welcome to Cisco Secure ACS 5.3 Recovery
To boot from hard disk press <Enter>.
Available boot options:
[1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.3 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk

In my case I used option 4 since I was connected via console. The console displays:

------------------------------------------
-------- Admin Password Recovery --------
------------------------------------------
This utility will reset the password for the specified admin username.
At most the first five admin usernames will be listed. Enter Ctrl-C
to abort without saving changes and reboot.
------------------------------------------
Admin Usernames :
[1] admin
Enter number of admin for password recovery: 1
Password:
Verify password:
Save changes and reboot? [y/n]: y

Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs.pdf

By |December 30th, 2013|Cisco, Security|0 Comments

IKE v1 vs. IKE v2

IKE Properties
– Negotiate SA attributes, determine transforms, hashing and more
– Generate and refresh keys using DH
– Authenticate peer devices using attributes like IP, FQDN, LDAP DN and more
– It has two phases: IKE v1 (Phase 1 and 2), IKE v2 (Init and Auth)
– Main mode & aggressive mode
– ISAKMP negotiates SA for IPSEC. Quick mode & sdoi mode

IKE v2 Advantages
– Simplifies the existing IKEv1
– Single RFC, including NAT-T, EAP and remote address acquisition
– Replaces the 8 initial exchanges with a single 4 message exchange
– Reduces the latency for the IPSEC SA setup and increases connection establishment speed.
– Increases robustness against DOS attack.
– Improves reliability through the use of sequence numbers, acknowledgements, and error correction.
– Forward Compatibility
– Simple cryptographic mechanisms
– Traffic selector negotiation: IKEv1: Responder can just say yes/no. IKEv2: Negotiation ability added
– Reliability: All messages are request/response. Initiator is responsible for retransmission if it doesn't receive a response.

IKE v1 vs. IKE v2

IKE v1: Developed in 1998, based on RFC 4995
IKE v2: Developed in 2006, based on RFC 5996

IKE v1: Pre-shared key and certificate for authentication
IKE v2: Pre-shared key, certificate and EAP variants. Supports asymmetric authentication: Side A Preshared Key and Side B Certificates.

IKE v1: No reliability
IKE v2: Reliable. Introduces retransmission and acknowledgement functions (ack and sequenced).

IKE v1: Phase 1 generates 6 messages (main mode) or 3 messages (aggressive mode)
IKE v2: Reduced bandwidth requirements; generates only 4 messages at all. When EAP is used in IKEv2, an additional 2 messages may be required.

IKE v1: Negotiation of the first CHILD_SA required 3 messages. Subsequent CHILD_SAs require 3 messages
IKE v2: Negotiation of the first CHILD_SA required no messages since it is piggybacked onto the negotiation of the […]
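To make the reliability points in the excerpt concrete (every message is a request/response pair with a Message ID, the initiator owns retransmission, and the whole setup is 4 messages when nothing is lost), here is an added simulation that is not part of the original post. The lossy channel, the exchange names and the payload strings are constructed for the example, and no cryptography is performed; it only models the message-ID bookkeeping.

```python
"""
Added example, not part of the original post: a small simulation of the IKEv2
reliability rules listed above. Every message is a request/response pair
carrying a Message ID, the initiator retransmits a request until a response
arrives, and a responder that sees a request it already answered resends its
stored response instead of processing the exchange twice. The lossy channel,
the exchange names and the payload strings are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Message:
    message_id: int      # IKEv2 Message ID: 0 for IKE_SA_INIT, 1 for IKE_AUTH, ...
    exchange: str
    is_response: bool
    payload: str


class LossyChannel:
    """Delivers messages in order, dropping those the constructed pattern marks True."""

    def __init__(self, drop_pattern=()):
        self.drop_pattern = list(drop_pattern)
        self.deliveries = 0   # every send attempt, delivered or not

    def deliver(self, msg):
        idx = self.deliveries
        self.deliveries += 1
        dropped = idx < len(self.drop_pattern) and self.drop_pattern[idx]
        return None if dropped else msg


class Responder:
    """Accepts requests strictly in Message ID order; replays the last response on duplicates."""

    def __init__(self):
        self.expected_id = 0
        self.last_response = None
        self.processed = []   # exchanges acted on, each exactly once

    def handle(self, request):
        if request.message_id == self.expected_id - 1 and self.last_response is not None:
            return self.last_response          # retransmitted request: same answer, no reprocessing
        if request.message_id != self.expected_id:
            return None                        # outside the window: silently dropped
        self.processed.append(request.exchange)
        self.last_response = Message(request.message_id, request.exchange, True,
                                     f"{request.exchange} response")
        self.expected_id += 1
        return self.last_response


class Initiator:
    """Sends one request at a time and owns retransmission until the matching response arrives."""

    def __init__(self, channel, responder, max_retries=5):
        self.channel = channel
        self.responder = responder
        self.max_retries = max_retries
        self.next_id = 0
        self.retransmissions = 0

    def exchange(self, name, payload):
        request = Message(self.next_id, name, False, payload)
        for _ in range(self.max_retries + 1):
            delivered = self.channel.deliver(request)
            response = self.responder.handle(delivered) if delivered else None
            response = self.channel.deliver(response) if response else None
            if response and response.is_response and response.message_id == request.message_id:
                self.next_id += 1
                return response
            self.retransmissions += 1        # no response in time: resend the same request
        raise TimeoutError(f"{name}: no response after {self.max_retries} retransmissions")


def run_ikev2_setup(drop_pattern=()):
    """Run the two IKEv2 exchanges (4 messages when nothing is lost) and report what happened."""
    channel = LossyChannel(drop_pattern)
    responder = Responder()
    initiator = Initiator(channel, responder)
    initiator.exchange("IKE_SA_INIT", "SAi1, KEi, Ni")
    initiator.exchange("IKE_AUTH", "IDi, AUTH, SAi2, TSi, TSr")
    return {"processed": responder.processed,
            "retransmissions": initiator.retransmissions,
            "send_attempts": channel.deliveries}


if __name__ == "__main__":
    print("lossless:", run_ikev2_setup())
    # Constructed loss pattern: the first IKE_SA_INIT request is lost, then the
    # first IKE_AUTH response is lost (send attempts 0 and 4).
    print("lossy:   ", run_ikev2_setup([True, False, False, False, True]))
```

The lossy run shows both halves of the rule: a lost request is simply resent, and a lost response makes the initiator resend a request the responder has already processed, which it answers from its stored response rather than running IKE_AUTH a second time. That is what "reliable, ack and sequenced" buys over IKEv1, where a lost message leaves both sides guessing.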

By |December 30th, 2013|Cisco, Security|0 Comments

NMAP Cheat Sheet

Scan an IPv4 host/address
nmap 192.168.1.1

Scan an IPv6 host/address
nmap -6 2607:f8b0:4007:804::1009
nmap -v -A -6 2607:f8b0:4007:804::1009

Scan FQDN
nmap server1.cyberciti.biz

Scan a host name with more info
nmap -v server1.cyberciti.biz

Scan a range of IP addresses
nmap 192.168.1.1-20
nmap 192.168.1.*
nmap 192.168.1.0/24
nmap 192.168.1.1,2,3
nmap 192.168.1.1 192.168.1.2

Read list of hosts/networks from a file
nmap -iL /tmp/test.txt

Excluding hosts/networks (IPv4)
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Turn on OS and version detection scanning script (IPv4)
nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.254

Scan a host when protected by the firewall
nmap -PN 192.168.1.1

Scan a network and find out which servers and devices are up and running
nmap -sP 192.168.1.0/24

Perform a fast scan
nmap -F 192.168.1.1

Display the reason a port is in a particular state
nmap --reason 192.168.1.1

Only show open (or possibly open) ports
nmap --open 192.168.1.1

Show all packets sent and received
nmap --packet-trace 192.168.1.1

Show host interfaces and routes (like netstat -nr)
nmap --iflist

Scan specific ports
nmap -p 80 192.168.1.1
nmap -p 80,443 192.168.1.1
nmap -p 80-200 192.168.1.1
nmap -p T:80 192.168.1.1
nmap -p U:53 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
nmap --top-ports 5 192.168.1.1

Fastest way to scan all your devices/computers for open ports
nmap -T5 192.168.1.0/24

Detect remote operating system
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Detect remote services (server / daemon) version numbers
nmap -sV 192.168.1.1

Scan a host using TCP ACK (PA) and TCP SYN (PS) ping
nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap […]

By |October 7th, 2013|Security|0 Comments

RIP Authentication

RIPv1 does not support authentication. If you are sending and receiving RIPv2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. Authentication, including default authentication, is performed on that interface only if a key chain is configured.

Cisco supports two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet. Do not use plain-text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIPv2 packet. Use plain-text authentication when security is not an issue; for example, you can use plain-text authentication to ensure that misconfigured hosts do not participate in routing.

Specifying a RIP Version and Enabling Authentication

Configuration example:

!
router rip
 version {1 | 2}
!
interface type number
 ip rip send version [1] [2]
 ip rip receive version [1] [2]
 ip rip authentication key-chain name-of-chain
 ip rip authentication mode {text | md5}
!

Note: Key Chain needs to be configured for this to work.

Troubleshoot: debug ip rip
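The warning above is easiest to appreciate on the wire. The following added example (my code, not the original post's) builds two constructed RIPv2 response packets, one in text mode (RFC 2453 authentication type 2) and one in MD5 mode (RFC 2082 authentication type 3), then decodes what a passive listener on the segment can read from each and how the receiving router checks the MD5 one. The route list, key, key id and sequence number are sample values made up for the example; the digest procedure follows the RFC text rather than any particular vendor's implementation.

```python
"""
Added example, not code from the original post: build two constructed RIPv2
response packets, one with plain-text authentication (RFC 2453, auth type 2)
and one with keyed-MD5 authentication (RFC 2082, auth type 3), then show what
a passive listener on the segment can read from each and how the receiver
checks the MD5 one. The route list, key, key id and sequence number are sample
values made up for this example.
"""
import hashlib
import socket
import struct

AUTH_SIMPLE_PASSWORD = 2   # 16-byte password carried in clear in every packet
AUTH_KEYED_MD5 = 3         # only key id, sequence number and digest are carried

RIP_HEADER = struct.pack("!BBH", 2, 2, 0)   # command=response(2), version=2, zero
ENTRY_LEN = 20                               # every RIPv2 entry is 20 bytes


def route_entry(prefix, mask, metric):
    """RIPv2 route entry: AFI 2 (IP), route tag 0, prefix, mask, next hop 0.0.0.0, metric."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), b"\x00" * 4, metric)


def build_text_auth_packet(password, routes):
    """Leading auth entry: AFI 0xFFFF, type 2, password left-justified and NUL padded."""
    entry = struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE_PASSWORD, password.encode())
    return RIP_HEADER + entry + b"".join(route_entry(*r) for r in routes)


def _padded_key(key):
    return key.encode().ljust(16, b"\x00")


def build_md5_auth_packet(key, key_id, seq, routes):
    """RFC 2082 keyed MD5: leading auth entry plus a trailing digest entry.

    The digest is MD5 over everything up to and including the trailer's
    AFI/type word (0xFFFF, 0x0001) with the 16-byte padded key appended; the
    digest is then written where the key sat, so the key itself never leaves
    the router.
    """
    body = b"".join(route_entry(*r) for r in routes)
    trailer_offset = len(RIP_HEADER) + ENTRY_LEN + len(body)
    entry = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_KEYED_MD5, trailer_offset,
                        key_id, 16, seq, b"\x00" * 8)
    unsigned = RIP_HEADER + entry + body + struct.pack("!HH", 0xFFFF, 0x0001)
    digest = hashlib.md5(unsigned + _padded_key(key)).digest()
    return unsigned + digest


def verify_md5(packet, key):
    """Receiver side: recompute the digest with the configured key and compare."""
    trailer_at = len(packet) - ENTRY_LEN
    unsigned = packet[:trailer_at + 4]
    expected = hashlib.md5(unsigned + _padded_key(key)).digest()
    return packet[trailer_at + 4:] == expected


def inspect_auth(packet):
    """What someone capturing the packet learns from the leading auth entry."""
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi != 0xFFFF:
        return {"mode": "none", "exposed_key": None}
    if auth_type == AUTH_SIMPLE_PASSWORD:
        return {"mode": "text",
                "exposed_key": packet[8:24].rstrip(b"\x00").decode()}
    if auth_type == AUTH_KEYED_MD5:
        _, key_id, _, seq = struct.unpack("!HBBI", packet[8:16])
        return {"mode": "md5", "key_id": key_id, "sequence": seq,
                "exposed_key": None}
    return {"mode": "unknown", "exposed_key": None}


def tamper_metric(packet, entry_index, metric):
    """Rewrite one route's metric in a captured packet (entry 0 is the auth entry)."""
    offset = len(RIP_HEADER) + entry_index * ENTRY_LEN + 16
    return packet[:offset] + struct.pack("!I", metric) + packet[offset + 4:]


# Constructed sample data for the demonstration.
ROUTES = [("10.1.1.0", "255.255.255.0", 1), ("10.2.2.0", "255.255.255.0", 2)]
KEY = "r1p-s3cret"   # sample key for the example only

TEXT_PKT = build_text_auth_packet(KEY, ROUTES)
MD5_PKT = build_md5_auth_packet(KEY, key_id=1, seq=42, routes=ROUTES)

if __name__ == "__main__":
    print("text mode:", inspect_auth(TEXT_PKT))
    print("md5 mode: ", inspect_auth(MD5_PKT))
    print("md5 verifies with the shared key:", verify_md5(MD5_PKT, KEY))
    print("md5 verifies after metric tampering:",
          verify_md5(tamper_metric(MD5_PKT, 1, 16), KEY))
```

Running it prints the full key from the text-mode packet and only a key id and sequence number from the MD5 one; the tampering call also shows why MD5 mode is the one to pair with a key chain: a modified route no longer verifies, whereas a text-mode packet carries nothing that binds the routes to the key.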

By |September 4th, 2013|CCIE, Cisco, Security|0 Comments

Web Security Appliance (WSA)

The WSA main features are L4 Traffic Monitor and Web Proxy. Other features are:
– URL filtering
– Web usage controls
– Application visibility & control
– Anti-Malware scanning (Sophos, McAfee, Webroot)

Secure web proxy monitors and scans web traffic for malicious content. When you enable the web proxy, you can configure it to be in transparent or explicit forward mode.

The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch.

Deployment

Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy.

Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network.

IP spoofing is disabled by default.
– ON: IP address of original source is maintained.
– OFF: Changing IP address to WSA IP address.

Automatic: Configure each client application to use a PAC file to detect the appliance Web […]

By |August 13th, 2013|CCIE, Cisco, Security|0 Comments

CCIE Security Lab Equipment and Software v4.0

Occasionally, you may see more recent software versions installed in the lab. Listed below are the base versions used. Only the features in these versions will be tested. We may use later software revisions in the lab to accommodate fixes etc., but we will not test features outside of those in the exam blueprints and checklist.

Cisco 3800 Series Integrated Services Routers (ISR)
Cisco 1800 Series Integrated Services Routers (ISR)
Cisco 2900 Series Integrated Services Routers (ISR G2)
Cisco Catalyst 3560-24TS Series Switches
Cisco Catalyst 3750-X Series Switches
Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
Cisco IPS Series 4200 Intrusion Prevention System sensors
Cisco S-series Web Security Appliance
Cisco ISE 3300 Series Identity Services Engine
Cisco WLC 2500 Series Wireless LAN Controller
Cisco Aironet 1200 Series Wireless Access Point
Cisco IP Phone 7900 Series*
Cisco Secure Access Control System

Notes: The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device Authentication only, provisioning of IP phones is NOT required.

Software Versions
Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
Cisco IPS Software Release 7.x
Cisco VPN Client Software for Windows, Release 5.x
Cisco Secure ACS System software version 5.3x
Cisco WLC 2500 Series software 7.2x
Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
Cisco WSA S-series software version 7.1x
Cisco ISE 3300 series software version 1.1x
Cisco NAC Posture Agent v4.X
Cisco AnyConnect Client v3.0X

By |August 8th, 2013|Security|0 Comments

CCIE Security Lab Exam Topics v4.0

The following topics are general guidelines for the content likely to be included on the lab exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the exam topics may change at any time without notice. Candidates may be required to perform implementation, optimization and troubleshooting actions in each of the exam topics sections and should also be comfortable with both IPv4 and IPv6 concepts and application.

CCIE Security Lab Exam Topics v4.0

System Hardening and Availability
– Routing plane security features (e.g. protocol authentication, route filtering)
– Control Plane Policing
– Control Plane Protection and Management Plane Protection
– Broadcast control and switchport security
– Additional CPU protection mechanisms (e.g. options drop, logging interval)
– Disable unnecessary services
– Control device access (e.g. Telnet, HTTP, SSH, Privilege levels)
– Device services (e.g. SNMP, Syslog, NTP)
– Transit Traffic Control and Congestion Management

Threat Identification and Mitigation
– Identify and protect against fragmentation attacks
– Identify and protect against malicious IP option usage
– Identify and protect against network reconnaissance attacks
– Identify and protect against IP spoofing attacks
– Identify and protect against MAC spoofing attacks
– Identify and protect against ARP spoofing attacks
– Identify and protect against Denial of Service (DoS) attacks
– Identify and protect against Distributed Denial of Service (DDoS) attacks
– Identify and protect against Man-in-the-Middle (MiM) attacks
– Identify and protect against port redirection attacks
– Identify and protect against DHCP attacks
– Identify and protect against DNS attacks
– Identify and protect against MAC Flooding attacks
– Identify and protect against VLAN hopping attacks
– Identify and protect against various Layer2 and Layer3 attacks
– NBAR
– NetFlow
– Capture and utilize packet captures

Intrusion Prevention and Content Security
– IPS 4200 Series Sensor Appliance
(a) Initialize the Sensor Appliance
(b) Sensor Appliance management
(c) Virtual Sensors on the Sensor Appliance
(d) Implementing security policies
(e) Promiscuous and inline monitoring on the Sensor Appliance
(f) Tune signatures on the Sensor Appliance
(g) […]

By |June 27th, 2013|Security|0 Comments