The post Cisco ACS Initial Setup appeared first on The IP Zone.
Password Reset
– Power up the appliance.
– Insert the ACS 5.3 Recovery DVD.
The console displays:
Welcome to Cisco Secure ACS 5.3 Recovery
To boot from hard disk press <Enter>.
Available boot options:
[1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.3 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
In my case I used option 4 since I was connected via console.
The console displays:
————————————————————————-
———————— Admin Password Recovery ————————
————————————————————————-
This utility will reset the password for the specified admin username.
At most the first five admin usernames will be listed. Enter Ctrl-C
to abort without saving changes and reboot.
————————————————————————-
Admin Usernames :
[1] admin
Enter number of admin for password recovery: 1
Password:
Verify password:
Save changes and reboot? [y/n]: y
The post IKE v1 vs. IKE v2 appeared first on The IP Zone.
– Negotiate SA attributes, determine transforms, hashing and more
– Generate and refresh keys using DH
– Authenticate peer devices using attributes like IP, FQDN, LDAP DN and more
– Both have two phases: IKEv1 (Phase 1 and Phase 2), IKEv2 (Init and Auth)
– IKEv1 Phase 1 runs in main mode or aggressive mode
– ISAKMP negotiates the SA for IPsec. Quick mode & sdoi mode
IKE v2 Advantages
– Simplifies the existing IKEv1
– Single RFC, including NAT-T, EAP and remote address acquisition
– Replaces the 8 initial exchanges with a single 4 message exchange
– Reduces the latency for the IPSEC SA setup and increases connection establishment speed.
– Increases robustness against DoS attacks.
– Improves reliability through the use of sequence numbers, acknowledgements, and error correction.
– Forward Compatibility
– Simple cryptographic mechanisms
– Traffic selector negotiation:
– IKEv1: Responder can just say yes/no. IKEv2: Negotiation ability added
– Reliability
– All messages are request/response.
– Initiator is responsible for retransmission if it doesn’t receive a response.
| IKE v1 | IKE v2 |
|---|---|
| Developed in 1998, based on RFC 4995 | Developed in 2006, based on RFC 5996 |
| Pre-shared key and certificate for authentication | Pre-shared key, certificate and EAP variants. Supports asymmetric authentication, e.g. side A uses a pre-shared key and side B uses certificates. |
| No reliability | Reliable: introduces retransmission and acknowledgement functions; messages are acknowledged and sequenced. |
| Phase 1 generates 6 messages (main mode) or 3 messages (aggressive mode) | Reduced bandwidth requirements: generates only 4 messages in total. When EAP is used in IKEv2, an additional 2 messages may be required. |
| Negotiation of the first CHILD_SA requires 3 messages. Subsequent CHILD_SAs require 3 messages | Negotiation of the first CHILD_SA requires no extra messages, since it is piggybacked onto the negotiation of the IKE_SA. Subsequent CHILD_SAs require 2 messages |
| No NAT traversal (NAT-T) | NAT traversal built in, using UDP port 4500. |
| No liveness check | Liveness check to detect whether the tunnel is still alive. |
| Security Association lifetimes are explicitly negotiated | Security Association lifetimes are not explicitly negotiated. Each peer maintains its own local policy for the Security Association lifetime; when the lifetime is about to expire, a rekeying operation is initiated. |
| MOBIKE not available | Introduces MOBIKE, which allows IKEv2 to be used on mobile platforms such as phones and by users with multi-homed setups. |

Both protocols run over UDP port 500.
Both protocols provide identity protection, denial-of-service protection mechanisms, and perfect forward secrecy.
Both protocols utilize two phases. The first phase in each is used to create the IKE_SA. The second phase is used to establish child SAs using the IKE_SA. In IKEv2, the first child SA is piggybacked on the IKE_AUTH exchange that is used to complete the mutual peer authentication.
The post NMAP Cheat Sheet appeared first on The IP Zone.
nmap 192.168.1.1
Scan an IPv6 host/address
nmap -6 2607:f8b0:4007:804::1009
nmap -v -A -6 2607:f8b0:4007:804::1009
Scan FQDN
nmap server1.cyberciti.biz
Scan a host name with more info
nmap -v server1.cyberciti.biz
Scan a range of IP address
nmap 192.168.1.1-20
nmap 192.168.1.*
nmap 192.168.1.0/24
nmap 192.168.1.1,2,3
nmap 192.168.1.1 192.168.1.2
Read list of hosts/networks from a file
nmap -iL /tmp/test.txt
Excluding hosts/networks (IPv4)
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt
Turn on OS and version detection scanning script (IPv4)
nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt
Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.254
Scan a host when protected by the firewall
nmap -PN 192.168.1.1
Scan a network and find out which servers and devices are up and running
nmap -sP 192.168.1.0/24
Perform a fast scan
nmap -F 192.168.1.1
Display the reason a port is in a particular state
nmap --reason 192.168.1.1
Only show open (or possibly open) ports
nmap --open 192.168.1.1
Show all packets sent and received
nmap --packet-trace 192.168.1.1
Show host interfaces and routes (like netstat -nr)
nmap --iflist
Scan specific ports
nmap -p 80 192.168.1.1
nmap -p 80,443 192.168.1.1
nmap -p 80-200 192.168.1.1
nmap -p T:80 192.168.1.1
nmap -p U:53 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
nmap --top-ports 5 192.168.1.1
Fastest way to scan all your devices/computers for open ports
nmap -T5 192.168.1.0/24
Detect remote operating system
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
Detect remote services (server / daemon) version numbers
nmap -sV 192.168.1.1
Scan a host using TCP ACK (PA) and TCP SYN (PS) ping
nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1
Scan a host using IP protocol ping
nmap -PO 192.168.1.1
Scan a host using UDP ping
nmap -PU 192.168.1.1
nmap -PU 2000,2001 192.168.1.1
Stealthy scan
nmap -sS 192.168.1.1
Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1
Find out the most commonly used TCP ports using TCP connect scan
nmap -sT 192.168.1.1
Scan a host for UDP services (UDP scan)
nmap -sU 192.168.1.1
Scan for IP protocol
nmap -sO 192.168.1.1
Scan a firewall for security weakness. TCP Null Scan to fool a firewall to generate a response
Does not set any bits (TCP flag header is 0)
nmap -sN 192.168.1.254
TCP Fin scan to check firewall. Sets just the TCP FIN bit
nmap -sF 192.168.1.254
TCP Xmas scan to check firewall. Sets the FIN, PSH, & URG flags, lighting the packet up like a Christmas tree
nmap -sX 192.168.1.254
Scan a firewall using fragmented packets
nmap -f 192.168.1.1
Set your own offset size with the --mtu option
nmap --mtu 32 192.168.1.1
Cloak a scan with decoys
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5
Spoof your MAC address
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
Add other options
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
Use a random MAC address. The number 0 means nmap chooses a completely random MAC address
nmap -v -sT -PN --spoof-mac 0 192.168.1.1
Save output to a text file
nmap 192.168.1.1 > output.txt
nmap -oN /tmp/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
Find host MAC address (can only be done on same LAN segment)
sudo nmap -sP -n 192.168.0.1
sudo nmap -sP -n 192.168.0.0/24
The post RIP Authentication appeared first on The IP Zone.
The key chain determines the set of keys that can be used on the interface. Authentication, including default authentication, is performed on that interface only if a key chain is configured.
Cisco supports two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet.
Do not use plain-text authentication in RIP packets where security matters, because the unencrypted authentication key is sent in every RIPv2 packet. Use plain-text authentication only when security is not a concern; for example, you can use it to ensure that misconfigured hosts do not participate in routing.
Specifying a RIP Version and Enabling Authentication
Configuration example:
!
router rip
 version {1 | 2}
!
interface type number
 ip rip send version [1] [2]
 ip rip receive version [1] [2]
 ip rip authentication key-chain name-of-chain
 ip rip authentication mode {text | md5}
!
Note: a key chain must be configured for this to work.
Troubleshoot:
debug ip rip
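An added example (not from the page) of a complete RIPv2 MD5 configuration on IOS, including the key chain that the authentication command depends on; the key chain name, network, interface and key string are assumed or placeholders.

```cisco
! Added example, not the page's own configuration.
! Assumed: key chain RIP-KEYS, network 10.1.0.0/16, GigabitEthernet0/0.
! The same key chain name, key number and key string must exist on the neighbour.
key chain RIP-KEYS
 key 1
  key-string <RIP-KEY-PLACEHOLDER>
!
router rip
 version 2
 network 10.1.0.0
 no auto-summary
!
interface GigabitEthernet0/0
 ip rip send version 2
 ip rip receive version 2
 ip rip authentication key-chain RIP-KEYS
! "mode text" would put the key string in clear text in every RIPv2 update;
! md5 transmits only a digest, so the key never appears on the wire.
 ip rip authentication mode md5
!
! Verification: confirm the key chain exists and that updates are accepted.
! A neighbour with a different mode or key string has its updates ignored,
! which "debug ip rip" reports as packets dropped for invalid authentication.
show key chain
show ip rip database
debug ip rip
```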
The post Web Security Appliance (WSA) appeared first on The IP Zone.
The secure web proxy monitors and scans web traffic for malicious content. When you enable the Web Proxy, you can configure it in transparent or explicit forward mode.
The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch.
Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy.
Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network. IP spoofing is disabled by default:
ON – the original client source IP address is preserved on outbound connections. OFF – the source IP address is rewritten to the WSA's own IP address.
Automatic: Configure each client application to use a PAC file to detect the appliance Web Proxy automatically. Then you can edit the PAC file to specify the appliance Web Proxy information. PAC files work with web browsers only.
Manual: Configure each client application to point to the appliance Web Proxy by specifying the appliance hostname or IP address and the port number, such as 3128, used for listening to data traffic.
Transparent Proxy: Client applications are unaware of the Web Proxy and do not have to be configured to connect to the proxy. This deployment requires a Layer 4 switch or a WCCP v2 router. When you specify a WCCP router, you need to configure additional settings on the appliance. When you specify a Layer 4 switch, you only need to specify that the appliance is connected to a Layer 4 switch when you configure the appliance.
Note: When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and drops transparently redirected HTTPS requests.
Management – M1 and M2: Use for management of the WSA. Can also be used for data traffic in deployments where there is no separate management network.
Data – P1 and P2: Use the Data interfaces for Web Proxy data traffic. Only P1 is enabled by default. If P2 is enabled, the two interfaces must be connected to different subnets.
L4 Traffic Monitor – T1 and T2: Use for Tap and Span. Can be used in simplex (only T1 for incoming and outgoing traffic) or duplex (T1 and T2 connected. T1 for outgoing and T2 for incoming) communication.
Web Security Appliance Ethernet Ports
Initial interface configuration can be done via the CLI or by browsing to the default IP address and configuring from the browser (wizard or manual). Default settings are:
default username/password: admin/ironport
default ip address/mask: 192.168.42.42/24
No default gateway is set
default port: 8080 and 8443 for http and https
To set up the WSA to use WCCP you need to create at least one WCCP service on the appliance and configure the router to work with the Web Security appliance.
A WCCP service is an appliance configuration that defines a service group to a WCCP v2 router. It includes information such as the service ID and ports used. Service groups allow a web proxy to establish connectivity with a WCCP router and to handle redirected traffic from the router.
Example WCCP Service
ip wccp version 2
ip wccp service_group
ip wccp service_group password password
!
interface interface_type_number
 ip wccp service_group redirect direction
ip wccp service_group redirect direction
Use in when you want the router to redirect packets as they enter the router
Use out when you want the router to redirect packets right before they leave the router
ASA supports only redirect in
ip wccp service_group:
Web-cache. Enter “web-cache” when the appliance WCCP service uses the standard service
Service ID number. Enter a number from 0 to 255 when the appliance WCCP service uses a dynamic service ID. The number should match the service ID number used in the appliance.
Example WCCP Service — Standard Service, No Password Required
ip wccp version 2
ip wccp web-cache [redirect-list acl]
!
interface GigabitEthernet1/0/14
 ip wccp web-cache redirect in
Example WCCP Service — Dynamic Service for IP Spoofing, Password required
ip wccp version 2
ip wccp 90 password Cisco123
!
interface GigabitEthernet1/0/14
 ip wccp 90 redirect in
!
show wccp
show wccp 90 service
show wccp 90 detail
There are 2 WCCP redirection methods
– Layer 2: WSA and router are on same layer 2 network.
– GRE
Note: ASA only supports GRE.
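The following is an added example, not the page's own configuration, of the router side of a dynamic WCCP service with a redirect-list and group-list, so that only client web traffic is redirected and the WSA's own outbound traffic is never redirected back to itself. The addresses, ACL names and interface names are assumed, and the password is a placeholder.

```cisco
! Added example (assumed topology): clients on 10.10.0.0/24 behind Gi0/1,
! WSA at 10.20.0.5 behind Gi0/2, dynamic service ID 90 as on the WSA side.
ip wccp version 2
!
! Redirect-list: only traffic matching this ACL is sent to the WSA.
! Deny the WSA's own address first so the proxy's outbound requests are
! not looped back into the proxy.
ip access-list extended WCCP-REDIRECT
 deny   ip host 10.20.0.5 any
 permit tcp 10.10.0.0 0.0.0.255 any eq www
 deny   ip any any
!
! Group-list: only this appliance may join service group 90. The password
! must match the one configured on the WSA WCCP service.
ip access-list standard WCCP-WSA
 permit 10.20.0.5
!
ip wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-WSA password <WCCP-PASSWORD-PLACEHOLDER>
!
! "redirect in" intercepts packets as they enter the client-facing interface
! (the only direction the ASA supports).
interface GigabitEthernet0/1
 description Client LAN
 ip wccp 90 redirect in
!
! Never evaluate redirection on the interface facing the WSA, so traffic the
! proxy has already handled is not matched a second time.
interface GigabitEthernet0/2
 description Link to WSA
 ip wccp redirect exclude in
```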
Configure span session for Vlan where traffic will be monitored.
WSA
packetcapture – look at packets destined to any interface of the WSA.
Switch
monitor session 1 source int g1/0/1
monitor session 1 destination interface g1/0/20
show monitor
Miscellaneous commands:
showconfig – show running config
resetconfig – reset to factory defaults
interfaceconfig – configure wsa interface
setgateway – configure wsa default gateway
ping, nslookup, grep, authcache
Source:
http://www.cisco.com/en/US/docs/security/wsa/wsa7.7.5/user_guide/WSA_7.7.5_UserGuide.book.pdf
IP Expert VOD, INE Security Boot Camp
The post CCIE Security Lab Equipment and Software v4.0 appeared first on The IP Zone.
Notes:
The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device Authentication only, provisioning of IP phones is NOT required.
Software Versions
The post CCIE Security Lab Exam Topics v4.0 appeared first on The IP Zone.
Candidates may be required to perform implementation, optimization and troubleshooting actions in each of the exam topic sections and should also be comfortable with both IPv4 and IPv6 concepts and application.
CCIE Security Lab Exam Topics v4.0
System Hardening and Availability
Routing plane security features (e.g. protocol authentication, route filtering)
Control Plane Policing
Control Plane Protection and Management Plane Protection
Broadcast control and switchport security
Additional CPU protection mechanisms (e.g. options drop, logging interval)
Disable unnecessary services
Control device access (e.g. Telnet, HTTP, SSH, Privilege levels)
Device services (e.g. SNMP, Syslog, NTP)
Transit Traffic Control and Congestion Management
Threat Identification and Mitigation
Identify and protect against fragmentation attacks
Identify and protect against malicious IP option usage
Identify and protect against network reconnaissance attacks
Identify and protect against IP spoofing attacks
Identify and protect against MAC spoofing attacks
Identify and protect against ARP spoofing attacks
Identify and protect against Denial of Service (DoS) attacks
Identify and protect against Distributed Denial of Service (DDoS) attacks
Identify and protect against Man-in-the-Middle (MiM) attacks
Identify and protect against port redirection attacks
Identify and protect against DHCP attacks
Identify and protect against DNS attacks
Identify and protect against MAC Flooding attacks
Identify and protect against VLAN hopping attacks
Identify and protect against various Layer2 and Layer3 attacks
NBAR
NetFlow
Capture and utilize packet captures
Intrusion Prevention and Content Security
IPS 4200 Series Sensor Appliance
(a) Initialize the Sensor Appliance
(b) Sensor Appliance management
(c) Virtual Sensors on the Sensor Appliance
(d) Implementing security policies
(e) Promiscuous and inline monitoring on the Sensor Appliance
(f) Tune signatures on the Sensor Appliance
(g) Custom signatures on the Sensor Appliance
(h) Actions on the Sensor Appliance
(i) Signature engines on the Sensor Appliance
(j) Use IDM/IME to the Sensor Appliance
(k) Event action overrides/filters on the Sensor Appliance
(l) Event monitoring on the Sensor Appliance
VACL/SPAN & RSPAN on Cisco switches
WSA
(a) Implementing WCCP
(b) Active Dir Integration
(c) Custom Categories
(d) HTTPS Config
(e) Services Configuration (Web Reputation)
(f) Configuring Proxy By-pass Lists
(g) Web proxy modes
(h) App visibility and control
Identity Management
Identity Based Authentication/Authorization/Accounting
(a) Cisco Router/Appliance AAA
(b) RADIUS
(c) TACACS+
Device Admin (Cisco IOS Routers, ASA, ACS5.x)
Network Access (TrustSec Model)
(a) Authorization Results for Network Access (ISE)
(b) 802.1X (ISE)
(c) VSAs (ASA / Cisco IOS / ISE)
(d) Proxy-Authentication (ISE/ASA/Cisco IOS)
Cisco Identity Services Engine (ISE)
(a) Profiling Configuration (Probes)
(b) Guest Services
(c) Posture Assessment
(d) Client Provisioning (CPP)
(e) Configuring AD Integration/Identity Sources
Perimeter Security and Services
Cisco ASA Firewall
(a) Basic firewall Initialization
(b) Device management
(c) Address translation (nat, global, static)
(d) Access Control Lists
(e) IP routing/Route Tracking
(f) Object groups
(g) VLANs
(h) Configuring Etherchannel
(i) High Availability and Redundancy
(j) Layer 2 Transparent Firewall
(k) Security contexts (virtual firewall)
(l) Modular Policy Framework
(m) Identity Firewall Services
(n) Configuring ASA with ASDM
(o) Context-aware services
(p) IPS capabilities
(q) QoS capabilities
Cisco IOS Zone Based Firewall
(a) Network, Secure Group and User Based Policy
(b) Performance Tuning
(c) Network, Protocol and Application Inspection
Perimeter Security Services
(a) Cisco IOS QoS and Packet marking techniques
(b) Traffic Filtering using Access-Lists
(c) Cisco IOS NAT
(d) uRPF
(e) PAM – Port to Application Mapping
(f) Policy Routing and Route Maps
Confidentiality and Secure Access
IKE (V1/V2)
IPsec LAN-to-LAN (Cisco IOS/ASA)
Dynamic Multipoint VPN (DMVPN)
FlexVPN
Group Encrypted Transport (GET) VPN
Remote Access VPN
(a) Easy VPN Server (Cisco IOS/ASA)
(b) VPN Client 5.X
(c) Clientless WebVPN
(d) AnyConnect VPN
(e) EasyVPN Remote
(f) SSL VPN Gateway
VPN High Availability
QoS for VPN
VRF-aware VPN
MacSec
Digital Certificates (Enrollment and Policy Matching)
Wireless Access
(a) EAP methods
(b) WPA/WPA-2
(c) WIPS
Source: https://learningnetwork.cisco.com/community/certifications/ccie_security