CCIE Security: Theory – Section 6

6.0 Cisco Security Technologies and Solutions

6.1 Router hardening features (for example, CoPP, MPP, uRPF, and PBR)

CoPP – Control Plane Policing
Increases security on the switch by protecting RP from unnecessary/DoS traffic. gives priority to control plane and management traffic. Works with PFC3 rates limiters.
PFC3 can be used when ACl cannot classify IP options cases, TTL & MTU failure cases, packets w/ errors & multicast packets.
CoPP protects control and management planes, ensures routing stability, reachability & packet delivery. Uses MQC to provide rate-limiting.
Disabled by default. – Enable using “mls qos”.
Supports multicast & broadcast traffic.
Use log keyword to enable CoPP-policy ACLs.
Can exhaust TCAM.
Does not support MAC ACLs
Supports ip precedence, ip dscp, access-group
Only IP ACLs are supported in hardware.
Show policy-map control-plane
MPP – Management Plane Protection
Restricts interfaces on which network management packets are allowed to enter a device.
Requires CEF
Disabled by default
Supports:
BEEP
FTP
HTTp/HTTPS
SSH (v1 & v2)
SNMP
Telnet
TFTP

Benefits:
Greater access control
Improved performance for data packets on non-management interfaces
Network scalability
Simplifies use of per-interface ACLs to restrict management access
Fewer ACLs needed to restrict access to the device
Management packet floods on switching and routing interfaces prevented from reaching CPU

Implementation:

enable
conf t
control-plane host
management-interface fa0/0 allow ssh snmp
show management-interface

uRPF – Unicast Reverse Path Forwarding
Limit malicious traffic – verifies reachability of source – if not valid then packet is discarded
Strict, loose or VFR mode
Strict
packet must be received on the interface that the router would use to forward the return packet – can drop legitimate traffic is asymmetric routing
Loose
Source address must appear in routing table. Can change using “allow-default” option – allows use of default route.More scalable than strict.
Implementation:

interface fa0/0
ip verify unicast source reachable-via {rx | any} [allow-default]

Firewall:

ip verify reverse-path interface <interface>

PBR – Policy-Based routing
flexible routing of packets by determining a defined policy for traffic flows. More control over routing.
Classify traffic (based on ACL) Match criteria
Set IP precedence (differentiated class of service)
Route packets  to specific paths.

6.2 Switch security features (for example, anti-spoofing, port, STP, MACSEC, NDAC, and NEAT)

Anti-spoofing:
– unicast RPF (above)
– ip source guard – uses information from DHCP snooping to dynamically configure a PACL on L2 interface.

ip dhcp snooping
ip dhcp snooping vlan <vlan range>
interface fa0/0
ip verify source

Port security: – same as stuff from R&S
STP: – disable dynamic trunking, restrict STP domain using PVST, BPDU guard, root guard.
MACSEC: – Provides secure communication on wired LANs. Each packet encrypted using symmetric key.
Most useful in access layer.
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.html
offers Confidentiality, integrity, flexibility, network intelligence
Limitations:
not all endpoints support MACsec
line-rate encryption requires updated hardware on access switch
MACsec may affect other technologies (IP telephony)
Uses:
EAP, EAP method, MACsec Key Agreement (MKA), Security Association Protocol (SAP), EAPoL, RADIUS

NDAC: – TrustSec Network Device Admission Control – uses 802.1X connecting to another TrustSec device
NEAT: – Network Edge Authentication Topology
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html
– uses CISP (Client information Signalling Protocol) to propagate client MAC addresses and VLAN information between supplicant and authenticator switches. Extends secure access outside the wiring closet.
– Uses 802.1X /ACS/ ISE
Restrictions:
Not supported on an EtherChannel port
Should only be deployed w/ auto-configuration
Does not support standard ACLs on the switch port
When supplicant switch authenticates the port mode is changed from access-based to trunk-based on same vsa (device-traffic-class=switch)

6.3 NetFlow

v9 supports MPLS & IPv6

 

6.4 Wireless security

Covered pretty well under the EAP stuff.

6.5 Network segregation

6.5.a VRF-aware technologies

VTY access
Sysylog, AAA, SNMP
IPSec, GRE, VPDN
DNS, DHCP, HSRP, GLBP
NAT, IPS
H.323 & SIP

6.5.b VXLAN

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729383.html
– flexible, multi-tenant
– Uses 24-bit segment ID )VXLAN network identifier / VNID) – enables up-to 16 million VXLAN segments.
– Uses underlying L3 header, routing, equal-cost multipath routing & link aggregation
– Uses MAC-in-UDP
– Tunnels L2 over L3
– Adds 50-bytes overhead due to encapsulation in MAC-to-UDP. Therefore needs MTU of 1550 at minimum.

6.6 VPN solutions

6.6.a FlexVPN

IPSec VPN w/ IKEv2
Combines multiple frameworks (cryptomaps, ezvpn, DMVPN) into single comprehensible set of CLI commands.
Can run alongside previous IPSec VPNs
Based on IKEv2
Uses GRE over IPSec or VTI as encapsulation.
Supports IPv4 & IPv6
Dynamic spoke to spoke tunnels

6.6.b DMVPN – already written about this

6.6.c GET VPN

Group Encrypted Transport VPN
Trusted group – GMs share a common SA (group SA). GMs can decrypt traffic encrypted by another GM.
No need to negotiate point-to-point IPSec tunnels between members – tunnel-less.
Uses GDOI – takes advantage of underlying VPN – does not require overlay routing protocol
KEK secures control plane
TEK secures data traffic

6.6.d Cisco EasyVPN

Implements Cisco Unity Client Protocol – VPN parameters defined at VPN remote access server.
Client mode – entire LAN behind Easy VPN client undergoes NAT to the IP address pushed down by VPN server.
Supports split-tunnelling.

6.7 Content and packet filtering

ACLs…

6.8 QoS application for security

Not sure

6.9 Load balancing and failover

Both are good.