Friday, November 16, 2012

Looking up and ahead

Well, I got my results late last night and unfortunately I failed. There were two VPN-related questions, a total of 11 points, that would have put me over the edge and resulted in a pass. I'm kind of bummed knowing full well I could have passed that exam. To come all this way and get that close just stinks.

I'm not complaining. I learned a lot about security technologies and security devices such as ASA. For now, I am going to relax and enjoy some much needed time off. Maybe if I feel up to it, I will focus on the next version of the exam. Then again, maybe not.

Thanks to everyone for your support.

Wednesday, November 14, 2012

CCIE Security Final Push...

Well, I have completed my studying. My lab is tomorrow morning at 7am. Unfortunately, I was unable to complete Volume 2. Every new lab was teaching me something new and/or a new way to complete a task.

I don't feel anywhere near as comfortable as I did with my last attempt at my R&S. Honestly, I feel I could use at least another 6-8 weeks just to complete Vol 2, complete Vol 1 again, and then pick and choose tasks from Vol 2 to complete. 

I don't think all of this is a total loss. If I get the right lab, I feel I have a decent chance to pass. I'm not relying on getting a lab that is more applicable to my skills, I'm just stating the facts. If I had started my studying earlier, or had more time to complete, I would be more comfortable. 

In all honesty, I think this is a one time shot at the Security CCIE. The lab exam is changing (starting next week) and it's that lovely time of year (holidays). In addition, I have had to take some time off of work just to get as much studying in as I could. I won't be able to take a lot of time off of work in the next few months. 

It will be kind of fun going in there tomorrow without so much stress and worrying about passing. I would love to pass, but it's not going to make or break me like the R&S lab did. No matter what, this has not been a total loss. I've learned so much about security and security products like the ASA and the IPS appliances. 

I will be sure to post my thoughts following tomorrow's lab. Wish me luck!

Friday, November 9, 2012

INE Vol 2 Lab 5

IOS Firewall
  • 'ip options drop' can be configured from global config mode to drop all IP options
  • Enable webvpn
    • webvpn
      • port 443
      • enable outside
      • tunnel-group-list enable
      • svc image flash:/anyconnect.img
      • svc enable
  • Set the tunnel-protocol to svc under group policy
  • Enable webvpn for the tunnel group
    • tunnel-group SSLVPN webvpn-attributes
      • group-alias SSLVPN enable
      • authentication aaa
  • If necessary, create local user and attach to group
    • username SSLUSER attributes
      • group-lock value SSLVPN
  • Set encryption
    • ssl encryption rc4-md5
  • Lastly, enable NAT exemption if required
  • Interesting point, I created my tunnel interfaces first, then I was going to protect them with IPSec, but my CA enrollment kept failing. If I shut down the tunnel interfaces, and then enroll, it works just fine. Could be a code thing, I'm not sure.
  • Remember timers are negotiated - so if you already have an isakmp policy, you will not need to create another just for different timers.
  • Set configure level privilege commands with 'privilege configure all level 7 snmp-server'
  • aaa authorization config-commands
    • Required to authorize config mode commands, even if you have already set 'aaa authorization commands 7 default group tacacs+'
Process Monitoring
  • You can alert on processor and memory usage
    • memory free low-watermark processor 5000
    • process cpu threshold type total rising 75 interval 60 falling 30 interval 60
    • snmp-server enable traps cpu
    • snmp-server enable traps memory
    • logging host [address] transport tcp
Login Security
  • login quiet-mode access-class 1
    • Hosts permitted by ACL 1 can still log in while the router is in quiet mode, i.e. they are exempt from the login block
  • login parameters are only supported with local password auth or aaa
Source Tracking
  • ip source-track [address] - enables source tracking for the specified host
  • show ip source-track [address] - show results
IOS IPS
  • Specify the IPS signature location
    • ip ips config location flash:ips
  • Enable IOS basic set of signatures
    • ip ips signature-category
      • category ios_ips basic
        • retired false
      • category all
        • retired true
  • Disable a specific signature
    • ip ips signature-definition
      • signature 3106 0
        • status
          • retired true
  • Tune Signature
    • ip ips signature-definition
      • signature 2000 0
        • alert-severity high
  • Enable SDEE event report
    • ip ips notify SDEE
  • Set TVR
    • ip ips event-action-rules
      • target-value high target-address
  • Enable IPS
    • ip ips name IPS list IPS
    • int s1/0
      • ip ips IPS in
  • Show ips configuration
    • show ip ips configuration

Thursday, November 1, 2012

INE Vol 2 Lab 3

Difficulty 8

  • Lots of tasks here. Many dependent tasks. You must configure the in-line VLAN pair on the IPS before you can even reach one leg of the network
  • Lots of routing protocols to watch out for. OSPF, RIP, EIGRP and BGP
  • Lots of filtering going on here - ZBF, Two ASAs, CBAC.
  • Not a lot of PAT here (nat + global) but there are several static NATs. Must be cautious about whether you are using the pre-NAT or post-NAT address. 
  • Good drawings will be absolutely necessary if you get a lab like this
  • Order of operations is important too. You have to read the entire thing and plot out how to do this. A few examples -
    • You need to enable QoS on a L2L in section 1, but the tunnel isn't created until section 3
    • ZBF and other filtering comes later in the task list. It would be useful to set these up first, so you can allow specific traffic in other tasks. There is a lot of reliance on the ACS server - logging, websense, CA, etc. So this could get tricky.
    • You have to enable ICMP to pass through all zones in a ZBF. The next task stated you had to enable logging as well. If you can read ahead and accomplish this in one step, you can save yourself a few minutes.

Websense Filter

  • After configuring the Websense filter, you need to enable HTTP inspection and attach it to the interface (ip inspect name HTTP_INSPECT http).
  • 'show ip urlfilter config' shows you the port used for the web filter
VPN Client
  • Got rather easily tripped up here. My authentication to RADIUS was not passing. I was able to troubleshoot correctly, but not fix the issue. I saw packets were matching the ACS access list on my ZBF, but they were not matching the policy-map. 'show ip port-map' showed 1645/1646 instead of 1812/1813. Changing this on the ASA aaa-server group fixed the issue.
  • You need 'crypto isakmp identity hostname' to authenticate with certificates
  • As such, the tunnel-group name should be the FQDN of the remote side
  • 'ip nhrp redirect' (hub) and 'ip nhrp shortcut' (spokes) let a spoke discover another spoke's NBMA address and send traffic directly instead of through the hub
  • Be careful of MTU sizes.
Cut-Through Authentication
  • Cut-through authentication was previously configured with the 'aaa authentication include' command. Now the 'aaa authentication match' command is used. Traffic that requires authentication is permitted in an access list that is referenced by the 'aaa authentication match' command, which causes the host to be authenticated before the specified traffic is allowed through the ASA.
  • Configuration example for web traffic authentication:
    • username cisco password cisco privilege 15
    • access-list authmatch permit tcp any any eq 80
    • aaa authentication match authmatch inside LOCAL
  • I recall this from R&S studies, need to refresh. You need to be in root view before you configure another view.
Password Encryption
  • You can decrypt a '7' key by copying the key string into a key chain and issuing a 'show key chain'. Neat
  • By default 'service password-encryption' does not encrypt all ISAKMP keys. You enable with 'password encryption aes' and setting an encryption key with 'key config-key password-encrypt KEYSTRING'
Traffic Filtering
  • RFC 2827 is for anti-spoofing. Do not allow your own network address space in, allow only your address space out.
  • Never surprised by creative requests...for example, disable IP unreachables to RFC1918 address space. Match on an access list, match in the route map, set interface to Null 0 and policy route the local traffic.
DOS Prevention
  • FPM - also remember this from R&S studies. Best bet is to string together a configuration from the configuration guide -
    • Load FPM Protocol definitions
      • load protocol system:/fpm/phdf/ip.phdf
      • load protocol system:/fpm/phdf/tcp.phdf
    • Match Traffic
      • class-map type access-control match-any TELNET
        • match field TCP dest-port eq 23
        • match field TCP source-port eq 23
    • Match TCP over IP
      • class-map type stack match-all TCP_TRAFFIC
        • match field IP protocol eq 0x6 next TCP
    • Drop matched traffic
      • policy-map type access-control BLOCK_TELNET
        • class TELNET
          • drop
      • policy-map type access-control INTERFACE_POLICY
        • class TCP_TRAFFIC
          • service-policy BLOCK_TELNET
      • interface serial1/0
        • service-policy type access-control output INTERFACE_POLICY
TCP Normalization
  • On an ASA, can be handled with TCP MAP
    • TCP Echo and Echo Reply are options 6 and 7
    • syn-data drop will make sure no data payload is carried in connection-establishment segments
Despite my lack of notes above, this lab kicked my ass. I have doubts that I am really ready for this lab. In any event, I will continue to study and take in as much as I can. Two weeks from now, I'll be walking out of the lab in RTP. I can only study hard and hope for the best....

Thursday, October 25, 2012

INE Vol 2 Lab 2

Difficulty 6

  • Seem to forget that you can't establish BGP over a default route...amazing the things you forget
  • Always be sure to verify your tasks. Enabled RIP authentication between R2 and ASA, thought everything was ok as R2 was getting the default route. The ASA was not getting anything from R2 because of invalid authentication. 'debug ip rip' showed the issue a few moments later.
  • Do not apply key-chain to an interface before it has been created. This generally does not work.
  • Remember that you need to allow option 19 and disable random sequence numbers for BGP authentication!!!
  • Some times, it's easy to read too much in something. Task asked to port forward to a server, but deny this traffic on the weekends. I figured you would need to add a time range to the ACL used in the NAT statement. I'm not even sure that is possible, but since there were no further requirements in the task, easy answer was 2 static statements and an ACL attached to a time-range.....
  • If a request asks for 'minimal IPSec overhead', it requires transport mode as opposed to the default tunnel mode
    • Transport mode assumes there are just 2 endpoint addresses
    • You may need to set 'local-address' on the crypto map
    • Requires configuration of a key server
    • IPSec pretty straight forward, isakmp policy, isakmp key, ipsec transform set and IPSec profile
    • Requires generating labeled and exportable keys (the label must match the one referenced by 'rekey authentication mypubkey rsa')
      • crypto key generate rsa general-keys label GETVPN_KEYS modulus 512 exportable
    • Key Server Config
      • crypto gdoi group GETVPN_GROUP
      •  identity number 1234
      •  server local
      •   rekey retransmit 10 number 2
      •   rekey authentication mypubkey rsa GETVPN_KEYS
      •   rekey transport unicast
      •   sa ipsec 1
      •    profile GETVPN_Profile
      •    match address ipv4 100
      •    replay time window-size 5
  • You can create a special port-filter policy map on control-plane host subinterface. With this, you can match closed ports. 
    • class-map type port-filter match-all CLOSED_PORTS
      • match closed-ports
    • policy-map type port-filter PORT_FILTER
      • class CLOSED_PORTS
        • drop
    • control-plane host
      • service-policy type port-filter input PORT_FILTER
  • SNMPv3
    • Need to configure engine ID for the remote entity to be able to send informs
    • Create group
      • snmp-server group TRAP v3 priv !for auth and encryption
    • Create user
      • snmp-server user TRAP TRAP remote [address] v3 auth sha CISCO priv 3des CISCO
    • Enable
      • snmp-server host [address] informs version 3 priv TRAP
      • snmp-server enable traps envmon
    • Need to read more on SNMPv3
  • IPS
    • From INE Volume 2
      Recall the formula for Risk Rating (RR), which defines the potential impact of a particular attack against the particular server:
        RR = (Fidelity * Severity * TVR) / (100 * 100)
      Target Value Rating (TVR) values are as follows: low (75), medium (100), high (150), mission-critical (200). You assign them to the company's assets, identified by IP address. The default TVR value is medium (100).
      Signature severity values are: info (25), low (50), medium (75), high (100). They describe how dangerous the attack is and are part of the signature definition. Finally, fidelity values tell how well a signature "recognizes" the corresponding attack. They are also part of the signature definition and range from 0 to 100.
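As an added example (not from the post or from INE), here is the configuration the GETVPN key-server notes above leave implicit, plus a matching group member. The key server address 10.0.0.1, Serial1/0 as the member's WAN interface, the contents of ACL 100, the transform set and the PSK are all assumptions.

```cisco
! Assumed addressing (not from the post): key server 10.0.0.1,
! group member WAN on Serial1/0, protected traffic 10.0.0.0/8 <-> 10.0.0.0/8.
!
! --- Key server: pieces the note above does not show ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! One wildcard PSK for all group members (lab simplification)
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
! Transform set behind the IPsec profile named under 'sa ipsec 1'
crypto ipsec transform-set GETVPN_TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN_Profile
 set transform-set GETVPN_TS
! Traffic the group encrypts; referenced by 'match address ipv4 100'
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! The key server must announce its own address under 'server local'
crypto gdoi group GETVPN_GROUP
 identity number 1234
 server local
  address ipv4 10.0.0.1
!
! --- Group member ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CISCO address 10.0.0.1
! Same group identity as the key server; point at the key server address
crypto gdoi group GETVPN_GROUP
 identity number 1234
 server address ipv4 10.0.0.1
! A GDOI crypto map pulls the policy (ACL, keys, SA) from the key server,
! so no peer or match address is configured here
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN_GROUP
interface Serial1/0
 crypto map GETVPN_MAP
!
! Verify: 'show crypto gdoi' on the member, 'show crypto gdoi ks members' on the server
```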

 That is all I have for Lab 2. Overall, I agree with the difficulty rating of 6. A few things tripped me up, but absolutely doable in 8 hours. 

Sunday, October 14, 2012

INE Volume 2 Lab 1

Difficulty 7

Remember to read the entire task list. Mark items that could collide with other configuration directives (allowing routing protocols on an access-list, etc). Make sure you validate your commands, don't take them at face value.

  • When configuring failover, you can exclude interfaces from being monitored with the 'no monitor-interface inside' command
  • You must also enable HSRP-like standby IPs for each interface
  • There is a default global_policy policy-map
  • Enable TCP Options with a TCP MAP. Apply under class in policy-map with 'set connection advanced-options MAPNAME'
  • There is a default inspection_default class-map
  • UNIX traceroute uses the UDP 33434-33464 range. I've seen other docs state 33434-33564. In short, each 'hop' increments the port, and most systems by default have a max of 30 hops. So I believe the correct answer to be 33434-33464. INE states that for every hop, three probes are sent with a TTL=1 to incrementing port numbers. With a max of 30 hops, this brings the range up to 33434-33524. I'm not totally sure which is correct. Also remember, the inbound response is ICMP TTL Exceeded or ICMP Unreachable.
  • Task asked to map inside address to outside address. I did a nat (inside) 2 inside_host_address global (outside) 2 global_host_address which accomplishes the task. The better solution is static (inside,outside) global_address inside_address
  • Enabling 'inspect icmp error' under the global policy provides NAT translation for the traceroute responses.
  • Remember to pay attention to what is specifically required. To police ICMP on the outside interface only, you need to create an interface policy-map and apply it. Changing the global_policy affects all interfaces.
  • I need to make sure I name my access-list/class-map/policy-map/etc correctly as they could be used later. INE names class-map ICMP_Traffic and the policy-map OUTSIDE_Traffic. This will help identify these later for other tasks or troubleshooting.
  • It's easy to overthink some of the tasks. One task asked to allow trace route from inside to outside with only one access-list statement. I was trying to think of creative ways to do this - in actuality, you could just use an object-group. Per INE - this is a common requirement 'use X number of lines, or use minimum number of lines'
  • Still having issues with the alias command. Need to remember it's a DST NAT and a dns rewrite.
    • alias (interface) orig_address nat_address
  • With IOS ZBF, there are multiple ways to accomplish some tasks - usually hinging on if you need deep packet inspection or not. I'm getting better with this, but still need some more practice.
    • By default, routing traffic is not affected by ZBF as default traffic to self zone is permitted. 
  • Overlapping address space can be tricky. Need to determine the correct place to apply the NAT, especially when the overlapping address spaces are a few hops apart.
  • Creating an IOS PKI - not something that was covered in Vol 1
    • Set issuer name cn=NAME,ou=DEPT
    • grant auto
    • no shutdown
    • That's it. 
  • Remember for certificates you need a domain name, a key and a synced time source
  • You can change the ISAKMP source address with 'crypto map VPN local-address Loopback0'
  • Logic steps to configuring ezVPN server
    • Enable AAA and define AAA lists, protect from console lockouts
    • Define ISAKMP authentication settings and global ISAKMP parameters
    • Create address-pool
    • Configure client group and split-tunnel access-list. Define group key, associate address pool and bind split-tunnel ACL. Define other required settings.
    • Create ISAKMP profile that binds together the following:
      • Calling client identity - normally the group name
      • Configuration group for clients matching this profile
      • Authentication and authorization lists for ezVPN
      • Virtual-Template interface number
      • Responding to ISAKMP mode-config address requests for this group
    • Create IPsec profile. Define transform set prior to this. Profile may need to define RRI settings if used.
    • Create virtual-template type tunnel and assign IPSec protection profile. Must define IP on VTI to work correctly. 
    • Lastly, configure routing process for redistribution of RRI information. Use route-map.
    • INE makes it a point - this should be remembered verbatim and you should not require a manual to complete this. I can already do this with LAN-to-LAN tunnels. I will be typing this scenario up in notepad a few times to validate I can do this.
  • ASA - Tunnel-group filter filters traffic inside the IPsec tunnel. Applied via group-policy.
  • ASA - must remember to create the tunnel-group. Shouldn't have missed this as it is the only way to define the PSK.
  • ASA - don't forget to exempt the VPN traffic from any NAT rules.
  • ASA - to apply QoS, you need to match the tunnel-group and apply to the interface. You also need to match 'flow ip destination-address' in the class-map. You must also enable priority-queue on the interface globally. 
  • ASA - policing is the only working per-flow QoS command
  • ASA - Virtual http provides transparent redirection back to the URL entered by the end-user, and HTTP server capability for authentication
  • ASA - cut-through proxy authentication. You must configure an authentication service, then create an access-list matching the traffic to authenticate as well as traffic going to the virtualIP, next configure the cut-through proxy rule. 'aaa authentication match ACL inside TACACS'
  • You can assign privilege levels through TACACS. You must enable it for the group or for the user under interface configuration. Don't forget to enable shell exec and then set the privilege level on TACACS. This task created the privilege level commands on the router.
  • Separation of authentication and authorization is only possible using tacacs.
  • 802.1x requires authorization as well as authentication. Watch out for CONSOLE authentication/authorization.
    • Make sure to create your guest vlans
    • To assign a vlan via dot1x, set the following under group settings
      • Tunnel-Type="VLAN"
      • Tunnel-Medium-Type="802"
      • Tunnel-Private-Group-ID="255"
  • For sending logging reports to e-mail, there is a generic 'smtp-server x.x.x.x' command under global configuration and not under 'logging'.
  • For QoS priority on a tunnel in IOS, you need to use nested policy-maps. 
    • class-map VPN_TRAFFIC
      • match access-group name TUNNEL_TRAFFIC
    • policy-map INTERFACE_POLICY
      • class VPN_TRAFFIC
        • shape average 2000000
        • bandwidth 2000000
        • service-policy TUNNEL_POLICY
    • policy-map TUNNEL_POLICY
      • class VOICE_TRAFFIC
        • priority 128
    • Shape limits the maximum speed, bandwidth provides the minimum bandwidth reservation
  • Remote Triggered Blackholes
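The ezVPN server steps listed above, worked through as one IOS configuration. This is an added example, not INE's or the author's; the LAN 192.168.10.0/24, the client pool 10.10.10.0/24, OSPF 1 as the IGP, the Loopback0 address and all names and passwords are assumptions.

```cisco
! Assumed topology (not from the post): LAN 192.168.10.0/24 behind the router,
! client pool 10.10.10.0/24, OSPF 1 as the IGP, Loopback0 supplies the VTI address.
!
! Step 1: AAA lists; console keeps its own list so AAA cannot lock you out
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login EZVPN_XAUTH local
aaa authorization network EZVPN_AUTHOR local
username ezuser secret EzUserPass123
line con 0
 login authentication CONSOLE
!
! Step 2: ISAKMP authentication settings and global ISAKMP parameters
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp keepalive 10 periodic
!
! Step 3: address pool handed to clients
ip local pool EZVPN_POOL 10.10.10.1 10.10.10.254
!
! Step 4: client group with group key, pool and split-tunnel ACL
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.10.0 0.0.0.255 any
crypto isakmp client configuration group EZVPN_GROUP
 key GroupKey123
 pool EZVPN_POOL
 acl SPLIT_TUNNEL
 dns 192.168.10.10
 domain example.com
!
! Step 5: ISAKMP profile binding identity, AAA lists, mode-config and the VTI
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN_GROUP
 client authentication list EZVPN_XAUTH
 isakmp authorization list EZVPN_AUTHOR
 client configuration address respond
 virtual-template 1
!
! Step 6: transform set first, then the IPsec profile with RRI
crypto ipsec transform-set EZVPN_TS esp-aes esp-sha-hmac
crypto ipsec profile EZVPN_IPSEC
 set transform-set EZVPN_TS
 set isakmp-profile EZVPN_PROFILE
 reverse-route
!
! Step 7: virtual-template type tunnel; the VTI needs an IP address to work
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN_IPSEC
!
! Step 8: redistribute only the RRI client /32s into the IGP via a route-map
ip prefix-list RRI_CLIENTS seq 5 permit 10.10.10.0/24 ge 32
route-map RRI_ROUTES permit 10
 match ip address prefix-list RRI_CLIENTS
router ospf 1
 redistribute static subnets route-map RRI_ROUTES
```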
And after entirely way too long, I have finally finished lab 1. I'm not totally worried as I remember feeling the same way after my first R&S lab. I'm off now to watch some INE videos, and then start on Lab 2 hopefully next week.

You can enable IPS on your IOS routers. I seem to remember this being covered by the R&S blueprint, although it was on the outer fringes of what you should expect to know for R&S. This time around, there is probably a fair shot of seeing it on the Security lab.

  • Basic Setup
    • ip ips config location flash:/ips/
    • ip ips name IPS
    • ip ips notify log
    • ip ips signature-category
      • category all
        • retired true
      • category ios_ips basic
        • retired false
    • interface Fa0/0
      • ip ips IPS in
  • You then need to download the signature definition file. Would you actually need to do this in the lab?
    • Store the signing key from Cisco in the router's NVRAM.
    • Load the signature definition file. If you don't have many of the signatures retired, this process could drain your router of memory.
      • copy flash:/IOS-S347-CLI.pkg idconf
    • Enable the necessary signatures.
      • ip ips signature-definition
        • signature 2000 0
        • status
          • retired false
          • exit
        • exit
        • signature 2004 0
        • status
          • retired false
          • exit
    • You may need to change the target value rating
      • ip ips event-action-rules
        • target-value mission-critical target-address
        • exit
  • Validate with 'show ip ips all'
  • Show signatures with 'show ip ips signatures sigid 2000 subid 0'
  • Show target value rating
    • 'show ip ips event-action-rules target-value rating'
This covers just the basic setup. I will be looking at IOS IPS in the configuration guide and posting more information later.