CCIE Security: Theory – Section 5.2 – 5.5

5.2 Cisco IOS firewalls and NAT

5.2.a CBAC

Filters TCP & UDP based on application-layer protocol session information. Does deep packet inspection.

ip inspect name MyCBAC ftp
ip inspect name MyCBAC smtp
ip inspect name MyCBAC tcp

int fa0/0
ip inspect MyCBAC in

Also need an ACL: CBAC only opens temporary entries for the return traffic of sessions it has inspected, so an access list on the interface facing the untrusted side must block everything else.
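A complete CBAC deployment tying the inspect rule to the ACL it depends on, added here as an example (not from the original notes); interface roles, addresses and the ACL name are assumptions:

```cisco
! Added example, not from the original notes. Assumed topology:
! Fa0/0 = inside (trusted), Fa0/1 = outside (untrusted); names are placeholders.
!
! Inspection rule: generic TCP/UDP plus protocols that need application
! awareness (FTP opens secondary data channels, SMTP gets command checks).
ip inspect name MyCBAC tcp
ip inspect name MyCBAC udp
ip inspect name MyCBAC ftp
ip inspect name MyCBAC smtp
!
! Inbound ACL on the outside interface: nothing is allowed in on its own.
! CBAC inserts temporary entries ahead of this ACL for the return traffic
! of sessions it inspected as they entered the inside interface.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface FastEthernet0/0
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip inspect MyCBAC in
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
```

Check the dynamic openings with `show ip inspect sessions`; the `log` keyword on the deny entry makes anything the outside sends that CBAC did not expect visible in syslog.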

5.2.b Zone-based firewall

Stateful firewall – uses zones rather than per-interface ACLs. Interfaces are assigned to zones and security policies are applied to traffic between zones; zones are the security borders. The default policy between zones is deny all. Traffic passing between zones can be dropped, passed or inspected.

Supports stateful packet inspection, VRF awareness, URL filtering and DoS mitigation.

zone security Zone1
zone security Zone2
!
int fa0/0
 zone-member security Zone1
int fa0/1
 zone-member security Zone2
!
zone-pair security Zone1->Zone2 source Zone1 destination Zone2
!
policy-map type inspect trusted
 class class-default
  ! an action (pass, drop or inspect) is required under the class
  pass
!
zone-pair security Zone1->Zone2
 service-policy type inspect trusted

5.2.c Port-to-application mapping

PAM – Enables CBAC-supported applications to be run on non-standard ports. Customize TCP or UDP port numbers for network services or applications. Establishes table of default port-to-application mapping at the firewall.

  • User-defined port mapping – can specify a range of ports; saved with the default mapping information.
  • Host-specific port mapping – port mapping for specific hosts or subnets. Can map HTTP on port 8000 to one host and Telnet on port 8000 to a different host.

When to use:

  • to apply a non-standard port number for a service or application
  • a specific host or subnet uses a port for an application that differs from the default in the PAM table
  • different hosts use the same port number for different applications
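The three "when to use" cases as PAM entries, added as an example (not from the original notes); host addresses, subnets, ACL numbers and port numbers are assumptions:

```cisco
! Added example, not from the original notes. Hosts, subnets and ports are
! placeholders chosen to match the cases described above.
!
! 1) User-defined mapping for every host: treat TCP 8080-8090 as HTTP so the
!    firewall inspects it with the HTTP engine instead of generic TCP.
ip port-map http port tcp from 8080 to 8090
!
! 2) Host-specific mapping: the same port number means a different
!    application depending on the server. A standard ACL selects the host.
access-list 10 permit host 10.1.1.10
access-list 11 permit host 10.1.1.20
ip port-map http port tcp 8000 list 10
ip port-map telnet port tcp 8000 list 11
!
! 3) Subnet-wide mapping: any host in 10.1.2.0/24 on TCP 2121 is FTP,
!    so FTP inspection tracks its data channels on the non-standard port.
access-list 12 permit 10.1.2.0 0.0.0.255
ip port-map ftp port tcp 2121 list 12
```

`show ip port-map` lists the system defaults together with these user and host-specific entries, which is the quickest way to see whether an inspect rule will actually apply the intended application engine to a flow.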

5.2.d Identity-based firewalling

See previous post about IDFW. Links in to Microsoft AD…

5.3 Cisco Intrusion Prevention Systems (IPS)
5.4 Cisco IOS IPS

Supports standardized regex.
Inline or Promiscuous

Analysis engine – packet analysis & alert detection; virtual sensors are created in the analysis engine.
Sensors receive data from monitored streams. A virtual sensor is a collection of data defined by a set of configuration policies. Default is vs0.

MainApp – initializes system, stops/starts other applications. Contains:

  • ctlTransSource – allows sensors to send control transactions
  • Event Store – stores IPS events
  • InterfaceApp – handles bypass & physical settings, defines paired interfaces
  • Logger – writes all log messages
  • Attack Response Controller (ARC) – manages remote network devices to provide blocking capabilities. Creates and applies ACLs on controlled network devices, or shun command on firewalls
  • NotificationApp – sends SNMP traps
  • Web Server (SDEE) – web interface
  • AuthenticationApp

SensorApp – analysis engine – packet capture & analysis:

  • Time processor
  • Deny filters processor
  • Signature Event Action processor – does resets, IP log, deny packets/flow/attacker, alert, block host/connection, generate SNMP trap, capture trigger packet
  • Statistics processor
  • L2 processor
  • Database processor
  • Fragment reassembly processor
  • Stream reassembly processor
  • Signature analysis processor
  • Slave dispatch processor

CollaborationApp – interfaces MainApp & SensorApp
CLI – user roles:

  • Viewer – can view configurations and events – no modification
  • Operator – can view everything & modify signature tuning, virtual sensor definition, managed router, their user passwords
  • Service – can only use bash shell – only one service account

Signature engines:

AIC – analysis of web traffic, and FTP
Atomic – L3&L4 attributes, standard regex

  • Atomic ARP
  • Atomic IP Advanced – IPv6 L3 & ICMPv6 L4
  • Atomic IP – IP protocol packets & L4 transport protocols
  • Atomic IPv6 – Detects two IOS vulnerabilities that are stimulated by malformed IPv6 traffic. Inspects ND protocol types 133/134/135/136/137

Has restrictions:

  • Cannot detect L4 field if packets are fragmented so L4 identifier does not appear in first packet
  • Cannot detect L4 attacks in flows w/ packets fragmented by IPv6 (no fragment reassembly)
  • Cannot detect attacks w/ tunnelled flows
  • Limited checks provided for fragmentation header
  • AIM IPS and NME IPS do not support IPv6 features
  • Anomaly detection does not support IPv6 traffic – only IPv4
  • Rate limiting & blocking not supported for IPv4 traffic
Fixed – parallel regular expression matches up to a fixed depth – ICMP, TCP, UDP
Flood – detects floods – flood Host & Flood Net.
Meta – Defines events
Multi String – L4 matching several strings for one signature – inspects stream-based TCP, UDP & ICMP
Normalizer – RFC compliance. Cannot add custom signatures, but can tune existing

  • DNS
  • FTP
  • Generic
  • H225
  • HTTP
  • NTP
  • P2P
  • RPC
  • SMB Advanced
  • SNMP
  • SSH
  • TNS

State – searches strings
String – search on regex – Sweep & Sweep other TCP
Traffic Anomaly – detects worms
Traffic ICMP – detects TFN2k, LOKI and DDOS
Trojan – BO2K & TFN2K and UDP

Event Actions:

Alert & Log Actions
  • produce-alert – writes evIDsAlert to Event Store
  • produce-verbose-alert – includes encoded dump
  • log-attacker-packets – starts IP logging w/ attacker address
  • log-victim-packets – starts IP logging w/ victim address
  • log-pair-packets – does both of the above (inline only)
  • request-snmp-trap – sends request to NotificationApp
Deny Actions
  • deny-packet-inline – does not transmit this packet
  • deny-connection-inline – does not transmit this packet & future packets on TCP flow
  • deny-attacker-victim-pair-inline – attacker/victim pair
  • deny-attacker-service-pair-inline – attacker/port pair
  • deny-attacker-inline – does not transmit this packet & future packets from attacker for specific period of time – uses dACL
  • modify-packet-inline – modifies packet to remove ambiguity – see normalizer
Other Actions
  • request-block-connection – requests ARC to block connection
  • request-block-host – requests ARC to block attacker host
  • reset-tcp-connection – TCP resets
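How the event actions above are attached to a signature on Cisco IOS IPS (section 5.4), added as an example (not from the original notes); the signature location, IPS rule name and interface are assumptions, and signature 2004/0 (ICMP Echo Request in the Cisco signature set) is assumed to be present in the loaded package:

```cisco
! Added example, not from the original notes. Paths, names and the
! interface are placeholders; signature 2004/0 (ICMP Echo Request) is
! assumed to exist in the loaded Cisco signature package.
!
! Where the signature package and delta files are stored on the router.
ip ips config location flash:ips retries 1
ip ips name MYIPS
! Deliver alerts via SDEE (pulled by the management station) and syslog.
ip ips notify sdee
ip ips notify log
!
! Start from a small footprint: retire everything, then un-retire the
! "ios_ips basic" category sized for a router's memory.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Tune one signature: enable it and set its event actions using the
! action names listed above (alert to the event store, drop inline).
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert deny-packet-inline
!
! Apply the rule inline to traffic arriving on the untrusted interface.
interface GigabitEthernet0/1
 ip ips MYIPS in
```

`show ip ips configuration` shows the rule, notification and category settings; `show ip ips signatures` lists each signature with its enabled/retired state and the actions that will fire, which is where a tuning mistake (an action typed for the wrong signature) shows up first.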

5.5 Cisco AAA protocols and application

5.5.a RADIUS


5.5.b TACACS+


5.5.c Device administration

Not sure what to write here.

5.5.d Network access

Or here! Probably just need to be logical…

5.5.e IEEE 802.1X


5.5.f VSAs

Vendor-specific attributes – Cisco vendor-ID = 9, vendor-type = 1, values are strings. See RADIUS.
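The IOS side of exchanging Cisco VSAs with a RADIUS server for device administration, added as an example (not from the original notes); the server name and address, group name and shared secret are assumptions, and `shell:priv-lvl=15` is the commonly used cisco-avpair string for privileged EXEC:

```cisco
! Added example, not from the original notes. Server address, group name
! and the shared secret are placeholders.
aaa new-model
!
radius server ISE-1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server radius MY-RADIUS
 server name ISE-1
!
! Login authentication and EXEC authorization via RADIUS, local fallback
! so a lost server does not lock administrators out.
aaa authentication login default group MY-RADIUS local
aaa authorization exec default group MY-RADIUS local
!
! Have the router send Cisco VSAs (attribute 26, vendor-id 9,
! vendor-type 1 = cisco-avpair) in authentication and accounting requests
! and act on the ones returned in Access-Accept. A typical avpair returned
! for device administration is "shell:priv-lvl=15", which places the user
! directly in privileged EXEC; without "aaa authorization exec" that
! attribute is ignored.
radius-server vsa send authentication
radius-server vsa send accounting
```

`debug radius` shows the Access-Accept with attribute 26 decoded as `cisco-avpair`, which is the easiest way to confirm the server is actually returning the privilege level rather than the router falling back to the local default.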