I passed the security written today. I made it with a fairly comfortable margin so I guess I did some things right :) There isn't much strategy help on this exam in blogs or forums, so here are a few notes.
First, I read (and re-read at various times) the ccbootcamp security guide. Get this. I read most or parts of the Cisco Press books on the security booklist, especially the more recent ones (2005+). I also purchased the Flash Cards and the Quick Reference Exam Sheets, which I highly recommend. For a few specific technologies, here is how I attacked them:
MARS:
Security Threat Mitigation and Response: Understanding Cisco Security MARS is a great book. Cisco PEC labs: there is a great course on Cisco MARS; I didn't complete the whole thing, just about a third of it, which is enough to go over the basics of installation, initialization, and adding devices, as well as the technologies and protocols it uses for various functions. I definitely felt good about the MARS questions I got on the test, so this was good preparation.
NAC:
Volume I and the first few chapters of Volume II of the Cisco Press series on NAC. I also read various docs on cisco.com about the Framework vs. Appliance deployments. Not much is available on Cisco PEC, so I relied a lot on the books and some configuration examples. Know the protocols, communication methods, deployment options (in-band, OOB, L2, L3, etc.), RADIUS attributes, etc., and you should be fine.
ASA:
The All-in-One Handbook and the 8.2 Configuration Guide. I also played around with the PIX emulator in dynagen a lot. I focused a lot on NAT (know the various types of NAT bypass), application inspection, and traffic flow in general. Still, there were a few questions that stumped me, but I felt comfortable about my answers in general.
IPSec and VPN:
This is one of those topics that is covered by a thousand books. I read various chapters in the Cisco VPN books (there are a few) to nail down the protocol details: phase 1 and phase 2, modes of operation, encryption, authentication methods, etc. I read and labbed quite a few scenarios of IPSec VPN (IOS and ASA, PSK and RSA-sig), DMVPN, GET VPN, and Easy VPN. These are topics that you should lab and document as you go, so you can review the specific details as needed. SSL VPN is also covered well by the Cisco docs. In my opinion, these should be easy points if you are at this stage of the game.
Catalyst Modules (FWSM, IDSM, etc.):
Download the data sheets and installation/configuration guides. I recommend printing them and popping them in a binder, highlighting the bullet lists, and reviewing the differences between these and their appliance counterparts.
IPS:
A broad topic in general: you have the appliance, Cisco IOS IPS, the modules, and you have a HIPS in the Cisco Security Agent. I read the IPS Exam Guide and the Cisco Security Agent book. If you have the capability to lab any of these, I recommend it, especially the CSA (use a VM!).
Security General:
For things like standards bodies, I kept a paper notebook of lists of what each group does. I just made a list of the things covered in the books, anything from CERT to the IETF, from BCP 38 to ISO 27001. It's a very random collection of details, but it gives the basics of each and the ability to answer general questions about those topics.
Security Solutions:
This was my weakest score; I got 50% here, so maybe I should tell you how I attacked this so you won't make the same mistakes! What I did: not much! This topic, which is blueprint section 8, is very broad and just tests your knowledge of attacks in general. I probably should have read more SAFE documents or something to get more familiar; after all, in the real world it's all about solutions.
Finally, two topics that I kind of wish I had the opportunity to play with more are MARS and CSA. Now that I have passed the written, I will focus on the lab, and my knowledge about these is sure to wane. These are impressive products to me, but I never had any exposure to them in the real world; hopefully one day I will (assuming they continue to be developed).
Anyway, I hope this gives you some things to focus on. I didn't really have a strategy going in, except to just tackle all topics with the blueprint as a pseudo-map. Take good notes and review them regularly. It took me about 6 months, off and on, to study. Good luck!
Monday, May 10, 2010
Sunday, May 9, 2010
Outside NAT
[R1]----inside/100[FW]dmz/50-----[R3]
-R1=192.168.1.1, R3=192.168.3.3
-R3 should be able to telnet to R1
-R3 must be NATed to 192.168.1.0/24 (inside network)
Here is the initial FW configuration:
access-list dmz_access_in extended permit tcp any host 192.168.1.1 eq telnet
access-group dmz_access_in in interface dmz
global (inside) 1 192.168.1.3-192.168.1.4
nat (dmz) 1 192.168.3.0 255.255.255.0
Telnet works but no NAT takes place:
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>sho users
Line User Host(s) Idle Location
0 con 0 idle 00:07:53
*130 vty 0 idle 00:00:00 192.168.3.3
R1>
We need to add the "outside" keyword to the NAT statement. Without it, "nat (dmz)" is only consulted for connections from the DMZ toward lower-security interfaces; R3's traffic goes from dmz (50) into inside (100), a lower-to-higher flow, so it needs outside NAT:
pixfirewall(config)# no nat (dmz) 1 192.168.3.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 192.168.3.0 255.255.255.0 outside
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>sho users
Line User Host(s) Idle Location
0 con 0 idle 00:09:00
*130 vty 0 idle 00:00:00 192.168.1.3
R1>
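To make the security-level rule behind the "outside" keyword concrete, here is a small Python model of pre-8.3 dynamic NAT rule selection. This is an added example written for this post, not ASA code or output; it only models the one rule the lab exercises (a plain "nat" statement is skipped for connections toward a higher-security interface, a "nat ... outside" statement is not) and ignores static, identity and exemption rules. Interface names, security levels, the pool and the host addresses are the ones from the lab above.

```python
"""Toy model of pre-8.3 PIX/ASA dynamic NAT rule selection (added example).

Only the rule shown in the lab is modelled: a `nat (ifc) id real_net` statement
without `outside` is consulted only for connections toward a LOWER security
interface; with `outside` it also applies to connections toward a HIGHER
security interface (outside NAT). Static, identity and exemption rules are
deliberately left out.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class NatRule:
    """`nat (src_ifc) nat_id real_net mask [outside]`"""
    src_ifc: str
    nat_id: int
    real_net: IPv4Network
    outside: bool = False


@dataclass
class GlobalPool:
    """`global (dst_ifc) nat_id first-last`"""
    dst_ifc: str
    nat_id: int
    first: IPv4Address
    last: IPv4Address

    def addresses(self):
        cur = self.first
        while cur <= self.last:
            yield cur
            cur += 1


@dataclass
class Firewall:
    security: dict                                   # interface name -> security level
    nat_rules: list = field(default_factory=list)
    global_pools: list = field(default_factory=list)
    xlate: dict = field(default_factory=dict)        # (src_ifc, real ip) -> mapped ip

    def translate(self, src_ifc: str, dst_ifc: str, src_ip: str) -> str:
        """Return the source address as it appears on dst_ifc."""
        ip = IPv4Address(src_ip)
        towards_higher = self.security[dst_ifc] > self.security[src_ifc]
        for rule in self.nat_rules:
            if rule.src_ifc != src_ifc or ip not in rule.real_net:
                continue
            if towards_higher and not rule.outside:
                continue                             # plain `nat` does not cover lower->higher
            pool = next((g for g in self.global_pools
                         if g.dst_ifc == dst_ifc and g.nat_id == rule.nat_id), None)
            if pool is None:
                continue                             # no matching `global` on the egress interface
            key = (src_ifc, ip)
            if key not in self.xlate:
                used = set(self.xlate.values())
                free = next((a for a in pool.addresses() if a not in used), None)
                if free is None:
                    raise RuntimeError("global pool exhausted")
                self.xlate[key] = free
            return str(self.xlate[key])
        return src_ip                                # no rule matched: no translation


def build_fw(outside_keyword: bool) -> Firewall:
    """The lab topology: inside/100 and dmz/50, pool 192.168.1.3-192.168.1.4."""
    fw = Firewall(security={"inside": 100, "dmz": 50})
    fw.global_pools.append(GlobalPool("inside", 1, IPv4Address("192.168.1.3"),
                                      IPv4Address("192.168.1.4")))
    fw.nat_rules.append(NatRule("dmz", 1, IPv4Network("192.168.3.0/24"),
                                outside=outside_keyword))
    return fw


def r3_source_as_seen_by_r1(outside_keyword: bool) -> str:
    """What R1's `show users` Location column shows for R3 (192.168.3.3)."""
    return build_fw(outside_keyword).translate("dmz", "inside", "192.168.3.3")


if __name__ == "__main__":
    print("without 'outside':", r3_source_as_seen_by_r1(False))   # 192.168.3.3
    print("with 'outside':   ", r3_source_as_seen_by_r1(True))    # 192.168.1.3
```

Running it reproduces the two "sho users" outputs above: the untranslated 192.168.3.3 without the keyword, 192.168.1.3 (the first free address in the inside pool) with it.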
Saturday, May 8, 2010
Login block-for
R1<---->R2
R2 has this config:
login block-for 15 attempts 2 within 30
login on-failure log every 60
R1 tries to log in twice and fails.
A log message is generated and a temporary ACL (sl_def_acl) is applied to the VTY and AUX lines; the console is not affected.
000077: *Mar 1 02:30:18.823 UTC: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 15 secs, [user: ] [Source: 192.168.12.1] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 02:30:18 UTC Fri Mar 1 2002
line con 0
exec-timeout 5 0
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
access-class sl_def_acl in
login authentication local_auth
transport output telnet
line vty 0 4
access-class sl_def_acl in
login authentication local_auth
transport input telnet ssh
After 15 seconds, the ACLs are removed:
line con 0
exec-timeout 5 0
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet ssh
!
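The same policy, as a small Python state machine, plus a parser for the %SEC_LOGIN-1-QUIET_MODE_ON message. This is an added example written for this post, not IOS code; the lockout logic is a simplified model of "block-for 15 attempts 2 within 30" (two failures inside a 30-second window start a 15-second quiet period in which new VTY/AUX connections are refused, as the temporary ACL does), and the log line it parses is the one captured above.

```python
"""Model of IOS `login block-for 15 attempts 2 within 30` (added example).

Not IOS code or output: a simplified state machine with the same parameters,
plus a parser for the QUIET_MODE_ON syslog message so a log pipeline can pull
out the source that triggered the lockout.
"""
import re
from collections import deque


class LoginGuard:
    def __init__(self, block_for: int, attempts: int, within: int):
        self.block_for = block_for      # seconds the quiet period (temporary ACL) lasts
        self.attempts = attempts        # failures that start the quiet period
        self.within = within            # watch window for counting failures, seconds
        self.failures = deque()         # timestamps of recent failed logins
        self.quiet_until = None

    def _expire(self, now: float) -> None:
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None     # block-for elapsed: ACL removed from the lines
            self.failures.clear()
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()     # failure fell out of the watch window

    def connection_allowed(self, now: float) -> bool:
        """New VTY/AUX connection; False while the temporary ACL is in place."""
        self._expire(now)
        return self.quiet_until is None

    def record_failure(self, now: float) -> bool:
        """Failed authentication; True when this failure starts quiet mode."""
        self._expire(now)
        if self.quiet_until is not None:
            return False                # already quiet
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return True
        return False


# Copied from the router output in the post above (not constructed).
SAMPLE_LOG = ("000077: *Mar 1 02:30:18.823 UTC: %SEC_LOGIN-1-QUIET_MODE_ON: Still "
              "timeleft for watching failures is 15 secs, [user: ] [Source: 192.168.12.1] "
              "[localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] "
              "at 02:30:18 UTC Fri Mar 1 2002")

QUIET_MODE_RE = re.compile(
    r"%SEC_LOGIN-1-QUIET_MODE_ON:.*?\[Source: (?P<src>[\d.]+)\]"
    r".*?\[localport: (?P<port>\d+)\].*?\[ACL: (?P<acl>[^\]]+)\]")


def parse_quiet_mode_event(line: str):
    """Extract source, local port and ACL name from a QUIET_MODE_ON line, or None."""
    m = QUIET_MODE_RE.search(line)
    if not m:
        return None
    return {"source": m["src"], "localport": int(m["port"]), "acl": m["acl"]}


def simulate_post_scenario() -> dict:
    """R1 fails twice within 30 s, is refused, and is let back in after 15 s."""
    g = LoginGuard(block_for=15, attempts=2, within=30)
    return {
        "fail@0": g.record_failure(0),           # first failure: still watching
        "fail@5": g.record_failure(5),           # second failure: quiet mode on
        "connect@10": g.connection_allowed(10),  # sl_def_acl still applied
        "connect@20": g.connection_allowed(20),  # 15 s elapsed: ACL removed
    }


if __name__ == "__main__":
    print(simulate_post_scenario())
    print(parse_quiet_mode_event(SAMPLE_LOG))
```

The parser is the piece worth keeping for monitoring: QUIET_MODE_ON is a severity-1 message, and the Source field tells you who was guessing passwords, whether or not the lockout itself did its job.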
Wednesday, May 5, 2010
DNS Doctoring
I got this example from Cisco so it may be familiar to you if you have come across it.
Topology (this is going to be screwed up until I learn how to fix it; the DMZ is actually off of the FW):
Inside: 192.168.0.0/24
Outside: 172.20.1.0/24
DMZ: 10.10.10.0/24
R2 "Web Server" outside address: 172.20.1.10
R2 "Web Server" inside address: 10.10.10.10
R1-----inside-----FW-----outside-----R3 "dns server"
                  |
                  |
                 dmz
                  |
                  |
           R2 "web server"
DNS rewrite performs two functions:
-Translates a public address in a DNS reply to a private address
-Translates a private address to a public address
Configuration:
access-list DNS extended permit tcp any any eq domain
access-list DNS extended permit udp any any eq domain
!
class-map DNS
match access-list DNS
!
!
policy-map global_policy
class DNS
inspect dns
!
service-policy global_policy global
!
static (dmz,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Other notes:
-DNS inspection must be enabled.
-Translation only applies to the A-record in the DNS reply.
-DNS rewrite is not compatible with static Port Address Translation (PAT).
-Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
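To see what the "dns" keyword on the static actually does to a packet, here is the A-record rewrite done by hand in Python. This is an added example, not the ASA's code: it builds a constructed DNS reply of the kind R3 would return for a name resolving to the mapped address 172.20.1.10 (the query name www.example.test is made up), rewrites the A record to the DMZ real address 10.10.10.10 as the static above would for a reply crossing from outside to inside, leaves every other record type alone, and enforces the 63-byte label and 255-byte name limits from the notes.

```python
"""DNS A-record rewriting (DNS doctoring) for a reply packet (added example).

Not ASA code. build_reply() constructs a test reply; doctor_reply() rewrites
IN A RDATA according to a mapped->real mapping, the function the `static
(dmz,outside) 172.20.1.10 10.10.10.10 ... dns` statement performs for replies
travelling toward the inside.
"""
import struct
from ipaddress import IPv4Address

MAX_LABEL = 63    # per-label limit enforced by DNS inspection
MAX_NAME = 255    # whole-name limit enforced by DNS inspection

# From the `static ... dns` statement above: mapped (outside) -> real (dmz).
STATIC_DNS = {"172.20.1.10": "10.10.10.10"}


def encode_name(name: str) -> bytes:
    """Wire-format name with length checks; raises ValueError on oversize labels/names."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > MAX_LABEL:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise ValueError("name exceeds 255 bytes")
    return out


def build_reply(qname: str, answers, txid: int = 0x1234, flags: int = 0x8180) -> bytes:
    """Constructed DNS message: one A question plus one A record per address (no compression)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    rrs = b"".join(encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4)
                   + IPv4Address(a).packed for a in answers)
    return header + question + rrs


def skip_name(pkt, off: int) -> int:
    """Offset just past the name at `off`; accepts compression pointers, rejects long labels."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2                       # pointer ends the name
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 bytes")
        off += 1 + length


def iter_a_rdata(pkt):
    """Yield the offset of the 4-byte RDATA of every IN A record in the message."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(pkt) -> list:
    return [str(IPv4Address(bytes(pkt[o:o + 4]))) for o in iter_a_rdata(pkt)]


def doctor_reply(pkt: bytes, mapping: dict):
    """Return (rewritten packet, number of A records changed). Queries pass unchanged."""
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:                       # QR bit clear: a query, nothing to rewrite
        return bytes(pkt), 0
    out = bytearray(pkt)
    changed = 0
    for off in iter_a_rdata(out):
        current = str(IPv4Address(bytes(out[off:off + 4])))
        if current in mapping:
            out[off:off + 4] = IPv4Address(mapping[current]).packed
            changed += 1
    return bytes(out), changed


def demo():
    reply = build_reply("www.example.test", ["172.20.1.10", "172.20.1.11"])
    doctored, changed = doctor_reply(reply, STATIC_DNS)
    return a_records(reply), a_records(doctored), changed


if __name__ == "__main__":
    print(demo())   # (['172.20.1.10', '172.20.1.11'], ['10.10.10.10', '172.20.1.11'], 1)
```

Because an A record's RDATA is a fixed 4 bytes, the rewrite never changes the packet length, which is why the appliance can do it without touching the UDP length or the TCP sequence numbers; that same property is also why only A records (and not, say, TXT or SRV data) are rewritten.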
Perfect Forward Secrecy (PFS)
PFS ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.
Commands:
R2(config)#crypto map map1 10
R2(config-crypto-map)#set pfs ?
group1 D-H Group1 (768-bit modp)
group2 D-H Group2 (1024-bit modp)
group5 D-H Group5 (1536-bit modp)
R2(config-crypto-map)#set pfs group2
Packet captures show that PFS consists of a quick mode exchange after the SA times out (which is what happens anyway without PFS). I didn't notice anything different about the "debug crypto ipsec" output when PFS was enabled or disabled.
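What the capture cannot show is why the extra DH exchange matters, so here is the keying difference worked through in Python. This is an added example, not Cisco code or anything from the post: it follows the RFC 2409 section 5.5 KEYMAT derivation (KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), with g^xy prepended when PFS is on) using HMAC-SHA1 as the prf and the 1024-bit MODP group 2 parameters, and then plays the part of an eavesdropper who recorded the quick mode exchange and later obtains the phase 1 secret SKEYID_d. The nonces, SPI and SKEYID_d are constructed random values.

```python
"""Why PFS protects IPsec session keys (added example, RFC 2409 section 5.5 keying).

    without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    KEYMAT = prf(SKEYID_d, g^xy | protocol | SPI | Ni_b | Nr_b)

g^xy comes from a fresh Diffie-Hellman exchange inside quick mode; only g^x and
g^y travel on the wire. HMAC-SHA1 stands in for the negotiated prf.
"""
import hashlib
import hmac
import secrets

# Group 2: 1024-bit MODP prime and generator from RFC 2409 section 6.2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ESP = b"\x03"   # protocol id for ESP in the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def keymat(skeyid_d: bytes, proto: bytes, spi: bytes, ni: bytes, nr: bytes,
           gxy: bytes = None) -> bytes:
    """KEYMAT for one SA; gxy is present only when PFS was negotiated."""
    return prf(skeyid_d, (gxy or b"") + proto + spi + ni + nr)


def quick_mode(skeyid_d: bytes, pfs: bool):
    """Run one quick mode; return (KEYMAT, what a passive observer records)."""
    ni, nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    transcript = {"proto": ESP, "spi": spi, "ni": ni, "nr": nr}
    gxy = None
    if pfs:
        xi, gxi = dh_keypair()                  # initiator's ephemeral key
        xr, gxr = dh_keypair()                  # responder's ephemeral key
        transcript.update(gxi=gxi, gxr=gxr)     # public values only
        shared = pow(gxr, xi, P)
        assert shared == pow(gxi, xr, P)
        gxy = shared.to_bytes(128, "big")
    return keymat(skeyid_d, ESP, spi, ni, nr, gxy), transcript


def attacker_recovers(skeyid_d: bytes, transcript: dict) -> bytes:
    """Later compromise of SKEYID_d: recompute KEYMAT from the recorded exchange.
    Without PFS everything needed is in the transcript; with PFS g^xy is not."""
    t = transcript
    return keymat(skeyid_d, t["proto"], t["spi"], t["ni"], t["nr"])


def session_key_exposed(pfs: bool) -> bool:
    """True if leaking SKEYID_d after the fact reveals the IPsec session key."""
    skeyid_d = secrets.token_bytes(20)          # constructed phase 1 secret
    real, transcript = quick_mode(skeyid_d, pfs)
    return attacker_recovers(skeyid_d, transcript) == real


if __name__ == "__main__":
    print("no PFS, SKEYID_d leaked, session key exposed:", session_key_exposed(False))  # True
    print("PFS,    SKEYID_d leaked, session key exposed:", session_key_exposed(True))   # False
```

The processing cost the post mentions is the two modular exponentiations per peer per rekey (dh_keypair and the shared-secret computation); the benefit is that recovering a PFS-protected KEYMAT from the recording requires g^xy, which only the two peers hold and which is never reused for the next SA.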
Thursday, April 29, 2010
IDSM-2 notes
Studying for the written right now. These are just some notes I made from various cisco docs.
IDSM vs IPS 4200:
-does not support virtualization with inline vlan groups
-does not support sub-dividing inline interfaces or vlan groups
-syncs clock with switch (or use NTP)
-two sensing interfaces
-must have a native vlan
-no console
-has a maintenance partition
FEATURES
-promiscuous: passively monitors traffic copied to data port(s)
-inline mode (5.0): each data port is an access port, ids bridges
-inline VLAN pair mode (5.1): bridges between VLANs on the same port/trunk
-you can mix promiscuous mode with inline VLAN pair
-same code as IPS 4200
INTERFACES:
-Port 1: TCP resets (used in promiscuous mode)
-Port 2: command and control
-Ports 7,8: sensing (can be configured as an inline pair)
CAPTURING:
-SPAN
-VACL
INITIALIZING:
-login with session command
-user/pass: cisco/cisco
-setup command (session x)
-reset
SWITCH CONFIGURATION:
-intrusion-detection module x management-port access-vlan xx
-gateway should be that vlan on the switch
-monitor session 1 source interface g2/23 both
-monitor session 1 destination intrusion-detection-module 9 data-port 1
-intrusion-detection-module 9 data-port 1 autostate include
-intrusion-detection-module 9 data-port 1 portfast
-autostate allows SVI to stay up when data port is only port in VLAN
VACL CAPTURE:
-ip access-list standard ACLNAME, etc
-vlan access-map VACLNAME
match ip address ACLNAME
action forward capture
-vlan filter VACLNAME vlan-list XXX-XXX
-intrusion-detection-module X data-port X capture allowed-vlan XXX-XXX
MLS IP IDS:
-used when ports are routed ports
-ip access-list standard ACLNAME
-mls ip ids ACLNAME
INLINE MODE:
-intrusion-detection-module 13 data-port 1 access-vlan 661
-intrusion-detection-module 13 data-port 2 access-vlan 662
INLINE VLAN PAIR:
-intrusion-detection-module 13 data-port 2 trunk allowed-vlan 661,662
ECLB:
-intrusion-detection-module 13 data-port 1 channel-group 3
-intrusion-detection-module 13 data-port 2 channel-group 3
-intrusion-detection-module port-channel 3 capture
ADMIN TASKS:
-hw-module module 9 reset mem-test-full
-reset 9 hdd:1 | cf:1
-upgrade