Thursday, October 25, 2012

INE Vol 2 Lab 2

Difficulty 6

  • I seem to forget that you can't establish BGP over a default route... amazing the things you forget.
  • Always be sure to verify your tasks. Enabled RIP authentication between R2 and ASA, thought everything was ok as R2 was getting the default route. The ASA was not getting anything from R2 because of invalid authentication. 'debug ip rip' showed the issue a few moments later.
  • Do not apply key-chain to an interface before it has been created. This generally does not work.
  • Remember that you need to allow TCP option 19 and disable random sequence numbers for BGP authentication!!!
  • Sometimes it's easy to read too much into something. Task asked to port forward to a server, but deny this traffic on the weekends. I figured you would need to add a time range to the ACL used in the NAT statement. I'm not even sure that is possible, but since there were no further requirements in the task, the easy answer was 2 static statements and an ACL attached to a time-range...
  • If a request asks for 'minimal IPSec overhead', it requires transport mode as opposed to the default tunnel mode
    • Transport mode assumes there are just 2 endpoint addresses
    • You may need to set 'local-address' on the crypto map
  • GET VPN
    • Requires configuration of a key server
    • IPSec pretty straight forward, isakmp policy, isakmp key, ipsec transform set and IPSec profile
    • Requires generating labeled and exportable keys
      • crypto key generate rsa general-keys label GETVPN_KEYS modulus 512 exportable
    • Key Server Config
      • crypto gdoi group GETVPN_GROUP
      •  identity number 1234
      •  server local
      •   rekey retransmit 10 number 2
      •   rekey authentication mypubkey rsa GETVPN_KEYS
      •   rekey transport unicast
      •   sa ipsec 1
      •    profile GETVPN_Profile
      •    match address ipv4 100
      •    replay time window-size 5
  • You can create a special port-filter policy map on control-plane host subinterface. With this, you can match closed ports. 
    • class-map type port-filter match-all CLOSED_PORTS
      • match closed-ports
    • policy-map type port-filter PORT_FILTER
      • class CLOSED_PORTS
        • drop
    • control-plane host
      • service-policy type port-filter input PORT_FILTER
  • SNMPv3
    • Need to configure engine ID for the remote entity to be able to send informs
    • Create group
      • snmp-server group TRAP v3 priv   ! priv = authentication and encryption
    • Create user
      • snmp-server user TRAP TRAP remote 10.0.0.100 v3 auth sha CISCO priv 3des CISCO
    • Enable
      • snmp-server host 10.0.0.100 informs version 3 priv TRAP
      • snmp-server enable traps envmon
    • Need to read more on SNMPv3
  • IPS
    • From INE Volume 2
Recall the formula for Risk Rating (RR), which defines the potential impact of a particular attack against the particular server:
RR = (Fidelity * Severity * TVR) / (100 * 100)
Target Value Ratings (TVR) values are as follows: low (75), medium (100), high (150), mission-critical (200). You assign them to the company’s assets, identified by the IP addresses. Default TVR value is medium (100).
Signature severity values are: info (25), low (50), medium (75), high (100). They describe how dangerous the attack is. They are part of signature definition. Finally, fidelity values tell how well a signature “recognizes” the corresponding attack. They are also a part of signature definition and range from 0 to 100.
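The key-server config above has no counterpart on the page, so here is the group-member side as an added example (my config, not INE's or the post's). The key server address 10.1.1.1, the pre-shared key, the crypto map name and the outside interface FastEthernet0/0 are all assumptions; the group name and identity number match the key-server bullets above.

```cisco
! GET VPN group member (added example; key server address and interface assumed)
! Phase 1 policy and key have to match what the key server accepts
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CISCO address 10.1.1.1

! Same group name and identity number as on the key server
crypto gdoi group GETVPN_GROUP
 identity number 1234
 server address ipv4 10.1.1.1

! A GDOI crypto map only points at the group; transform set,
! policy ACL and keys are pushed down by the key server
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN_GROUP

interface FastEthernet0/0
 crypto map GETVPN_MAP
```

Verify registration with `show crypto gdoi` on the group member and `show crypto gdoi ks members` on the key server; if the member never registers, the usual culprit is a mismatched identity number or a pre-shared key that does not match between the two.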

That is all I have for Lab 2. Overall, I agree with the difficulty rating of 6. A few things tripped me up, but it is absolutely doable in 8 hours.

Sunday, October 14, 2012

INE Volume 2 Lab 1

Difficulty 7

Remember to read the entire task list. Mark items that could collide with other configuration directives (allowing routing protocols on access-list, etc). Make sure you validate your commands, don't take them for face value.

  • When configuring failover, you can exclude interfaces from being monitored with the 'no monitor-interface inside' command
  • You must also enable HSRP-like standby IPs for each interface
  • There is a default global_policy policy-map
  • Enable TCP Options with a TCP MAP. Apply under class in policy-map with 'set connection advanced-options MAPNAME'
  • There is a default inspection_default class-map
  • UNIX traceroute uses the UDP 33434 - 33464 range. I've seen other docs state 33434 - 33564. In short, each 'hop' increments the port, and most systems by default have a max of 30 hops. So I believe the correct answer to be 33434 - 33464. INE states that for every hop, three probes are sent with a TTL=1 to incrementing port numbers. With a max of 30 hops, this brings the range up to 33434 to 33524. I'm not totally sure which is correct. Also remember, the inbound response is ICMP TTL Exceeded or ICMP Unreachable.
  • Task asked to map inside address to outside address. I did a nat (inside) 2 inside_host_address global (outside) 2 global_host_address which accomplishes the task. The better solution is static (inside,outside) global_address inside_address
  • Enabling 'inspect icmp error' under the global policy provides NAT translation for the traceroute responses.
  • Remember to pay attention to what is specifically required. To police ICMP on the outside interface only, you need to create an interface policy-map and apply it. Changing the global_policy affects all interfaces.
  • I need to make sure I name my access-list/class-map/policy-map/etc correctly as they could be used later. INE names class-map ICMP_Traffic and the policy-map OUTSIDE_Traffic. This will help identify these later for other tasks or troubleshooting.
  • It's easy to overthink some of the tasks. One task asked to allow trace route from inside to outside with only one access-list statement. I was trying to think of creative ways to do this - in actuality, you could just use an object-group. Per INE - this is a common requirement 'use X number of lines, or use minimum number of lines'
  • Still having issues with the alias command. Need to remember it's a DST NAT and a dns rewrite.
    • alias (interface) orig_address nat_address
  • With IOS ZBF, there are multiple ways to accomplish some tasks - usually hinging on if you need deep packet inspection or not. I'm getting better with this, but still need some more practice.
    • By default, routing traffic is not affected by ZBF as default traffic to self zone is permitted. 
  • Overlapping address space can be tricky. Need to determine the correct place to apply the NAT, especially when the overlapping address spaces are a few hops apart.
  • Creating an IOS PKI - not something that was covered in Vol 1
    • Set issuer name cn=NAME,ou=DEPT
    • grant auto
    • no shutdown
    • That's it. 
  • Remember for certificates you need a domain name, a key and a synced time source
  • You can change the ISAKMP source address with 'crypto map VPN local-interface lo0'
  • Logic steps to configuring ezVPN server
    • Enable AAA and define AAA lists, protect from console lockouts
    • Define ISAKMP authentication settings and global ISAKMP parameters
    • Create address-pool
    • Configure client group and split-tunnel access-list. Define group key, associate address pool and bind split-tunnel ACL. Define other required settings.
    • Create ISAKMP profile that binds together the following:
      • Calling client identity - normally group name
      • Configuration group for clients matching this profile
      • Authentication and authorization groups for ezVPN
      • Virtual-Template interface numbers
      • Enables responding to ISAKMP 1.5 transaction mode address requests for this group.
    • Create IPsec profile. Define transform set prior to this. Profile may need to define RRI settings if used.
    • Create virtual-template type tunnel and assign IPSec protection profile. Must define IP on VTI to work correctly. 
    • Lastly, configure routing process for redistribution of RRI information. Use route-map.
    • INE makes it a point - this should be remembered verbatim and you should not require a manual to complete this. I can already do this with LAN-to-LAN tunnels. I will be typing this scenario up in notepad a few times to validate I can do this.
  • ASA - Tunnel-group filter filters traffic inside the IPsec tunnel. Applied via group-policy.
  • ASA - must remember to create the tunnel-group. Shouldn't have missed this as it is the only way to define the PSK.
  • ASA - don't forget to exempt the VPN traffic from any NAT rules.
  • ASA - to apply QoS, you need to match the tunnel-group and apply to the interface. You also need to match 'flow ip destination-address' in the class-map. You must also enable priority-queue on the interface globally. 
  • ASA - policing is the only working per-flow QoS command
  • ASA - Virtual http provides transparent redirection back to the URL entered by the end-user, and HTTP server capability for authentication
  • ASA - cut-through proxy authentication. You must configure an authentication service, then create an access-list matching the traffic to authenticate as well as traffic going to the virtualIP, next configure the cut-through proxy rule. 'aaa authentication match ACL inside TACACS'
  • You can assign privilege levels through TACACS. You must enable it for the group or for the user under interface configuration. Don't forget to enable shell exec and then set the privilege level on TACACS. This task created the privilege level commands on the router.
  • Separation of authentication and authorization is only possible using tacacs.
  • 802.1x requires authorization as well as authentication. Watch out for CONSOLE authentication/authorization.
    • Make sure to create your guest vlans
    • To assign a vlan via dot1x, set the following under group settings
      • Tunnel-Type="VLAN"
      • Tunnel-Medium-Type="802"
      • Tunnel-Private-Group-ID="255"
  • For sending logging reports to e-mail, there is a generic 'smtp-server x.x.x.x' command under global configuration and not under 'logging'.
  • For QOS priority on a tunnel in IOS, you need to use nested policy-maps. 
    • class-map VPN_TRAFFIC
      • match access-group name TUNNEL_TRAFFIC
    • policy-map INTERFACE_POLICY
      • class VPN_TRAFFIC
      • shape average 2000000
      • bandwidth 2000000
      • service-policy TUNNEL_POLICY
    • policy-map TUNNEL_POLICY
      • class VOICE_TRAFFIC
        • priority 128
    • Shape limits the maximum speed, bandwidth provides the minimum bandwidth reservation
  • Remote Triggered Blackholes
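The traceroute bullets above (the ICMP replies, 'inspect icmp error', and the one-line ACL via an object-group) fit together in one ASA config, added here as an example of my own rather than INE's solution. The ACL name OUTSIDE_IN and the object-group name are assumptions; 'global_policy' and 'inspection_default' are the ASA defaults mentioned in the notes.

```cisco
! Added example: let a UNIX traceroute from inside see its replies from outside
! The two ICMP types a traceroute needs back in, grouped so one ACL line covers both
object-group icmp-type TRACEROUTE_REPLIES
 icmp-object time-exceeded
 icmp-object unreachable

! Single access-list statement (name assumed), applied inbound on outside
access-list OUTSIDE_IN extended permit icmp any any object-group TRACEROUTE_REPLIES
access-group OUTSIDE_IN in interface outside

! ICMP error inspection rewrites the embedded IP header of the returning
! errors so they match the NAT translation of the original UDP probe
policy-map global_policy
 class inspection_default
  inspect icmp error
```

Check the hit counts with `show access-list OUTSIDE_IN` while running a traceroute from an inside host; if the ACL counters climb but the host still sees only stars, look at `show service-policy` to confirm the icmp error inspection is active on the global policy.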
And after entirely way too long, I have finally finished lab 1. I'm not totally worried as I remember feeling the same way after my first R&S lab. I'm off now to watch some INE videos, and then start on Lab 2 hopefully next week.

IOS IPS

You can enable IPS on your IOS routers. I seem to remember this being covered by the R&S blueprint, although it was on the outer fringes of what you should expect to know for R&S. This time around, there is probably a fair shot of seeing it on the Security lab.


  • Basic Setup
    • ip ips config location flash:/ips/
    • ip ips name IPS
    • ip ips notify log
    • ip ips signature-category
      • category all
        • retired true
      • category ios_ips basic
        • retired false
    • interface Fa0/0
      • ip ips IPS in
  • You then need to download the signature definition file. Would you actually need to do this in the lab?
    • Store the signing key from Cisco in the router's NVRAM.
    • Load signature definition file. If you don't have most of the signatures retired, this process could drain your router of memory.
      • copy flash:/IOS-S347-CLI.pkg idconf
    • Enable the necessary signatures.
      • ip ips signature-definition
        • signature 2000 0
        • status
          • retired false
          • exit
        • exit
        • signature 2004 0
        • status
          • retired false
          • exit
    • You may need to change the target value rating
      • ip ips event-action-rules
        • target-value mission-critical target-address 183.1.46.0/24
        • exit
  • Validate with 'show ip ips all'
  • Show signatures with 'show ip ips signatures sigid 2000 subid 0'
  • Show target value rating
    • 'show ip ips event-action-rules target-value rating'
This covers just the basic setup. I will be looking at IOS IPS in the configuration guide and posting more information later.