Thursday, October 25, 2012

INE Vol 2 Lab 2

Difficulty 6

  • Seem to forget that you can't establish BGP over a default route...amazing the things you forget
  • Always be sure to verify your tasks. Enabled RIP authentication between R2 and ASA, thought everything was ok as R2 was getting the default route. The ASA was not getting anything from R2 because of invalid authentication. 'debug ip rip' showed the issue a few moments later.
  • Do not apply key-chain to an interface before it has been created. This generally does not work.
  • Remember that you need to allow option 19 and disabled random-sequence numbers for BGP authentication!!!
  • Some times, it's easy to read too much in something. Task asked to port forward to a server, but deny this traffic on the weekends. I figured you would need to add a time range to the ACL used in the NAT statement. I'm not even sure that is possible, but since there were no further requirements in the task, easy answer was 2 static statements and an ACL attached to a time-range.....
  • If a request asks for 'minimal IPSec overhead', it requires transport mode as opposed to the default tunnel mode
    • Transport mode assumes there are just 2 endpoint addresses
    • You may need to set 'local-address' on the crypto map
  • GET VPN
    • Requires configuration of a key server
    • IPSec pretty straight forward, isakmp policy, isakmp key, ipsec transform set and IPSec profile
    • Require's generating labeled and exportable keys
      • crypto key generate rsa general-keys label GETVPN modulus 512 exportable
    • Key Server Config
      • crypto gdoi group GETVPN_GROUP
      •  identity number 1234
      •  server local
      •   rekey retransmit 10 number 2
      •   rekey authentication mypubkey rsa GETVPN_KEYS
      •   rekey transport unicast
      •   sa ipsec 1
      •    profile GETVPN_Profile
      •    match address ipv4 100
      •    replay time window-size 5
  • You can create a special port-filter policy map on control-plane host subinterface. With this, you can match closed ports. 
    • class-map type port-filter match-all CLOSED_PORTS
      • match closed-ports
    • policy-map type port-filter PORT_FILTER
      • class CLOSED_PORTS
        • drop
    • control-plane host
      • service-policy type port-filter input PORT_FILTER
  • SNMPv3
    • Need to configure engine ID for the remote entity to be able to send informs
    • Create group
      • snmp-server group TRAP v3 priv !for auth and encry
    • Create user
      • snmp-server user TRAP TRAP remote 10.0.0.100 v3 auth sha CISCO priv 3des CISCO
    • Enable
      • snmp-server host 10.0.0.100 informs version 3 priv TRAP
      • snmp-server enable traps envmon
    • Need to read more on SNMPv3
  • IPS
    • From INE Volume 2
Recall the formula for Risk Rating (RR), which defines the potential impact of a particular attack against the particular server:
           RR = (Fidelity*Severity*TVR)/(100*100).
Target Value Ratings (TVR) values are as follows: low (75), medium (100), high (150), mission-critical (200). You assign them to the company’s assets, identified by the IP addresses. Default TVR value is medium (100).
Signature severity values are: info (25), low (50), medium (75), high (100). They describe how dangerous the attack is. They are part of signature definition. Finally, fidelity values tell how well a signature “recognizes” the corresponding attack. They are also a part of signature definition and range from 0 to 100.

 That is all I have for Lab 2. Overall, I agree with the difficulty rating of 6. A few things tripped me up, but absolutely doable in 8 hours. 

No comments:

Post a Comment