Password Reset

– Power up the appliance.
– Insert the ACS 5.3 Recovery DVD.

The console displays:

      Welcome to Cisco Secure ACS 5.3 Recovery                                 
To boot from hard disk press <Enter>.                                          
Available boot options:                                                        
  [1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)                     
  [2] Cisco Secure ACS 5.3 Installation (Serial Console)                       
  [3] Reset Administrator Password (Keyboard/Monitor)                          
  [4] Reset Administrator Password (Serial Console)                            
  <Enter> Boot from hard disk

In my case I used option 4 since I was connected via console.

The console displays:

————————————————————————-
  ———————— Admin Password Recovery ————————
  ————————————————————————-

  This utility will reset the password for the specified admin username.
  At most the first five admin usernames will be listed. Enter Ctrl-C
  to abort without saving changes and reboot.

  ————————————————————————-

  Admin Usernames :

     [1] admin

  Enter number of admin for password recovery: 1
  Password:
  Verify password:

  Save changes and reboot? [y/n]: y

Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs.pdf

The post Cisco ACS Initial Setup appeared first on The IP Zone.

– Negotiate SA attributes, determine transforms, hashing and more
– Generate and refresh keys using DH
– Authenticate peer devices using attributes like IP, FQDN, LDAP DN and more
– It has two phases IKE v1 (Phase 1 and 2) IKE v2 (Init and Auth)
– Main mode & aggressive mode
– ISAKMP negotiates SA for IPSEC. Quick mode & sdoi mode

IKE v2 Advantages
– Simplifies the existing IKEv1
– Single RFC, including NAT-T, EAP and remote address acquisition
– Replaces the 8 initial exchanges with a single 4 message exchange
– Reduces the latency for the IPSEC SA setup and increases connection establishment speed.
– Increases robustness against DOS attack.
– Improves reliability through the use of sequence numbers, acknowledgements, and error correction.
– Forward Compatibility
– Simple cryptographic mechanisms
– Traffic selector negotiation:
– IKEv1: Responder can just say yes/no. IKEv2: Negotiation ability added
– Reliability
– All messages are request/response.
– Initiator is responsible for retransmission if it doesn’t receive a response.

The post IKE v1 vs. IKE v2 appeared first on The IP Zone.

Application-layer management protocol used for monitoring and administration. SNMP operates by sending information to Network Management Servers (NMS). The NMS learns about problems in the network by receiving traps or inform messages generated by the individual device running SNMP or what is more commonly called the managed device.

SNMP Operations

– Agents listen to UDP port 161 for messages sent by the NMS

– Responses are sent back to the originating NMS port from a dynamic port. Many agents use port 161 also for this target

– Traps are received on port 162 of a NMS

The first two variants of SNMP have pretty much the same protocol structure.  (V3 is shown below.) This means that each of them will encapsulate the same general message format into a UDP packet. This message will be similar to this:

SNMP Message Sequence Diag

SNMP Message Diagram

Shark Capture showing Version, String and PDU

SNMP Version field will be an integer value and it should be noted that both the NMS and the agent must agree on the version of SNMP being used to communicate.

SNMP community string is best described as a string value used for the password check for the NMS before the managed device will allow it to access or manipulate the agent process.

SNMP Protocol Data Unit (PDU).

The actual communication of information in the SNMP Protocol is performed through the exchange of SNMP messages. These messages are sometimes called protocol data units or PDUs. The PDU is the higher-layer data that SNMP encapsulates; The values applied to this field represent various PDU types and formats.

See SNMP Versions for SNMP PDUs

SNMP Versions

SNMP V1:

–          Simple request/response model protocol. GetRequest and GetResponse message types

–          The NMS issues requests and the managed devices supplied responses.

–          Community strings that operate via plain text.

–          Read Only (RO) and Read Write (RW). RO community only allows information to be gathered from the designated SNMP agent, and RW community accomplishes the same as the RO but adds the ability to set values and implement control.

–          Access-list to define what hosts can query or control the managed device.

SNMP V2

–          New trap operation (GetInform) requires packet acknowledgement.

–          New trap operation (GetBulk) retrieves large blocks of data.

–          Community strings supports encrypted passwords. Note operational data is not encrypted.

SNMP V3

–          New message format has security field that includes authentication and privacy, authorization and access control (password security, authentication and encryption).

–          Ability to dynamically configure the SNMP agent using SNMP SET commands. This can be addition, deletion, and modification of configuration entries either locally or remotely.

–          An Administrative Framework that allows us to define: entities with names, people and policies, username and role based management, notification destination, proxy relationships, remote configuration via SNMP operations

Auth: Specified the process of authenticating a packet without encrypting it.

noAuth: Specifies that no authentication process takes place on SNMP packets.

Priv: Specifies that the contents of a SNMP packet is “scrambled” or encrypted.

noPriv: Specifies that no SNMP packets will be “scrambled” or encrypted.

Security model ensures:

–          Ensure that packets have not been manipulated in transit

–          Verify that the packets are arriving from a valid source

–          Capability to scramble the contents of a packet to keep unauthorized sources from seeing its contents

Data Collection

Two processes (polling and notification) define how an NMS will learn the condition of its managed devices.

Polling

snmp-server community community [ro|rw] [ipv6 acl] [acl]

The NMS will either poll the agent periodically using RO or RW community strings,

Notification

snmp-server enable traps

snmp-server host [traps|informs]

The agent itself will actively notify the NMS about changes through the use of traps or informs.

V3 SNMP Poling/Notification

snmp-server group gname [auth|noauth|priv] [access [ipv6] acl]

snmp-server group uname [auth md5|sha] [priv des|3des|aes] [access [ipv6] acl]

Managed Information Base

These monitored values are defined in a hierarchical database that contains system information. This includes things like temperature, location, interface status or interface utilization.

The MIB is set up like a directory that defines standard monitoring variables. These variables are referenced for interpretation by a sending and receiving system based on the use of Object Identifiers (OID).

An OID is a number that is used to represent the identity of a given MIB entry as well as clarify where in the hierarchical structure that given entry can be found.

Source:

IP Expert VOD

blog.ipexpert.com/2012/06/11/snmp-theory-and-operation/

The post SNMP appeared first on The IP Zone.

Route filtering with EIGRP & EIGRP V6
– Passive interface (passive-interface)
– Distribute-list [in|out] – IPV4 ACLs only
– Prefix-list (prefix prefix-list-name[in|out])
– Route-map  (route-map map-tag [permit|deny] [sequence-number])
– Administrative distance (distance)

Route filtering with OSPF
– Stub area (area stub & area nssa)
– LSA Type 3 filtering (area filter-list) – IPV4 only
– Summarization (area range/summary address [not-advertise])
– Redistribution (redistribute protocol route-map)

Route filtering with BGP & BGP for IPV6
– Prefix list (neighbor prefix list [in|out])
– Distribute list (neighbor distribute list [in|out])
– Filter list (neighbor filter list [in|out])
– Route maps (neighbor route-map [in|out])

Regex characters on IOS
“.”         – match any character
“|”         – concatenates constructs. matches one of the characters or character patterns on either side of the vertical bar.
“[]”        – matches the character following the backslash
“[0-9]”   – match any single digit
“[a-z]”   – match any lower case
“[A-Z]   – match any upper case
“_”        – replaces a long regular expression list by matching a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, a space or the end of an AS Path.
“^”       – match the beginning of a string.
“$”       – match the end of a string
“\”        – matches the character following the backslash and also escapes special characters.

Regex Occurrence Modifiers on IOS
“?”     – means 0 or 1 times. matches zero or one occurrence of the pattern
“*”     – mean 0 or any times. matches zero or one occurrence of the pattern
“+”     – means 1 or any times. matches zero or one occurrence of the pattern

Source:
IP Expert VOD
Cisco Doc: Additional and Legacy Protocols/Terminal Services Configuration Guide, Cisco IOS Release

The post Filtering Routes on IOS appeared first on The IP Zone.

The key chain determines the set of keys that can be used on the interface. Authentication, including default authentication, is performed on that interface only if a key chain is configured.

Cisco supports two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet.

Do not use plain text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIPv2 packet. Use plain-text authentication when security is not an issue; for example, you can use plain-text authentication to ensure that misconfigured hosts do not participate in routing.

Specifying a RIP Version and Enabling Authentication

Configuration example:

!
router rip 
version {1 | 2} 
interface type number 
ip rip send version [1] [2] 
ip rip receive version [1] [2] 
ip rip authentication key-chain name-of-chain 
ip rip authentication mode {text | md5} 
!

Note: Key Chain needs to be configured for this to work.

Troubleshoot:

debug ip rip

The post RIP Authentication appeared first on The IP Zone.

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings. If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key

key chain commandkey chain name-of-chain
no key chain name-of-chain 

Configuration example

!
key chain MD5
key 1
  key-string MD5HASH
  accept-lifetime 13:30:00 Jan 25 1996 duration 7200
  send-lifetime 14:00:00 Jan 25 1996 duration 3600
  exit
!   
key chain TEXT
key 1
  key-string CLEARTEXT
key 2
  key-string KEY2
!

The post Cisco Key Chains appeared first on The IP Zone.

Secure web proxy monitors and scans web traffic for malicious  content. When you enable the web proxy, you can configure it to be in transparent or explicit forward  mode

The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own  database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch.

When you enable the web proxy, you can configure it to be in transparent or explicit forward mode.

Deployment

Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy.

Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network. IP spoofing is disabled by default

ON – IP address of original source is maintained. OFF – Changing IP address to WSA IP address

Automatic: Configure each client application to use a PAC file to detect the appliance Web Proxy  automatically. Then you can edit the PAC file to specify the appliance Web Proxy information. PAC files work with web browsers only.
Manual: Configure each client application to point the appliance Web Proxy by specifying the  appliance hostname or IP address and the port number, such as 3128, used for listening to data  traffic.

Transparent Proxy: Clients applications are unaware of the Web Proxy and do not have to be configured to connect to the proxy. This deployment requires an Layer 4 switch or a WCCP v2  router. When you specify a WCCP router, you need to configure additional settings on  the appliance.When you specify a Layer 4 switch, you only need to specify that the appliance is connected to a Layer 4 switch when you configure the appliance.

Note: When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through  explicit HTTPS connections and it drops transparently redirected HTTPS requests

Device Interface:

Management – M1 and M2: Use for management of the WSA. Can also be used for data traffic in deployments where there is no separate management network.
Data – P1 and P2: Use the Data interfaces for Web Proxy data traffic. Only P1 enabled by default. If P2 is enabled both interfaces should be connected to a different subnet.
L4 Traffic Monitor – T1 and T2: Use for Tap and Span. Can be used in simplex (only T1 for incoming and outgoing traffic) or duplex (T1 and T2 connected. T1 for outgoing and T2 for incoming) communication.

Web Security Appliance Ethernet Ports

WSA Initial Configs

Initial interface config can be done via CLI or by going to default IP address and configuring from browser (Wizard or manual). Default setting are:

default username/password: admin/ironport
default ip address/mask: 192.168.42.42/24
No default gateway is set
default port: 8080 and 8443 for http and https

Implementing WCCP

To set up the WSA to use WCCP you need to create at least one WCCP service on the appliance and configure the router to work with the Web Security appliance.

A WCCP service is an appliance configuration that defines a service group to a WCCP v2 router. It includes information such as the service ID and ports used. Service groups allow a web proxy to establish  connectivity with a WCCP router and to handle redirected traffic from the router

Example WCCP Service

ip wccp version 2
ip wccp service_group 
interface interface_type_number
ip wccp service_group redirect direction
ip wccp service_group password password 
ip wccp service_group redirect direction

ip wccp service_group redirect direction
Use in when you want the router to redirect packets as they enter  the router
Use out when you want the router to redirect packets right before they leave the router
ASA supports only redirect in

ip wccp service_group.
Web-cache. Enter “web-cache” when the appliance WCCP service uses the standard service
Service ID number. Enter a number from 0 to 255 when the appliance WCCP service uses a  dynamic service ID. The number should match the service ID number used in the appliance.

Example WCCP Service — Standard Service, No Password Required

ip wccp version 2
ip wccp web-cache [redirect-list acl]
interface GigabitEthernet1/0/14
ip wccp web-cache redirect in

Example WCCP Service — Dynamic Service for IP Spoofing, Password required

ip wccp version 2
ip wccp 90
interface GigabitEthernet1/0/14
ip wccp 90 redirect in
ip wccp 90 password Cisco123

show wccp
show wccp 90 service
show wccp 91 detail

There are 2 WCCP redirection methods
– Layer 2: WSA and router are on same layer 2 network.
– GRE

Note: ASA only supports GRE.

Implementing L4 Traffic Monitor

Configure span session for Vlan where traffic will be monitored.

WSA
packetcapture – look at packets destined any interface of the wsa.

Switch
monitor session 1 source int g1/0/1
monitor session 1 destination interface g1/0/20
show monitor

Miscellaneous commands:

showconfig –  show running config
resetconfig – reset to factory defaults
interfaceconfig – configure wsa interface
setgateway – configure wsa default gateway
resetconfig – reset to factory default

ping, nslookup, grep, authcache

Source:
http://www.cisco.com/en/US/docs/security/wsa/wsa7.7.5/user_guide/WSA_7.7.5_UserGuide.book.pdf
IP Expert VOD, INE Security Boot Camp

The post Web Security Appliance (WSA) appeared first on The IP Zone.