Friday, September 28, 2012

IPS and Volume 1 wrap-up

IPS

  • Initial setup can be completed via the setup command, or through standard configuration
    • conf t
    • service host
      • network-settings
  • Create an inline vlan pair through the interfaces configuration
    • conf t
    • service interfaces
      • physical-interfaces gi0/0
      • subinterface-type inline-vlan-pair
        • subinterface 1
          • vlan1 101
          • vlan2 102
      • admin-state enabled
  • You must then assign the interfaces to an analysis engine
    • conf t
    • service analysis-engine
    • virtual-sensor vs0
      • physical-interface gig0/0 subinterface-number 1
There were a lot more topics on IPS, but I didn't keep notes. Just FYI - I ended up buying a 4215 as I was having too much trouble with GNS3/Qemu/Breakout Switch. Not a bad investment at $60 and I was able to complete all the topics in Volume 1.

Now that I have completed Volume 1, it's time to move on to full labs. I've also rented rack time at INE for some of the previously mentioned tasks that couldn't be completed on emulated hardware.

I will revisit topics in Volume 1 if I encounter them in the full labs and I am having issues completing the task. If I had more time, I would go through Volume 1 again (or at least 50% of it).

Here's hoping I can get my full lab topology setup fairly quickly....

Sunday, September 16, 2012

IOS as a firewall...

CBAC

  • Also covered in CCIE R&S, so I consider this a refresher
  • You can map a global port to a specific host with an access-list
    • ip port-map http port 21 list 99
  • CBAC works for any protocol
  • Only supported mode is watch as opposed to tcp intercept
  • Limited by two basic rate-limiting features
    • Total half-open session
    • one-minute half-open session rate
    • High and low limits for both
  • TCP has additional parameters
    • Connection establishment/inactivity/teardown timers
    • per-host limits and block time
  • You can specify UDP sessions timeout and DNS timeout separately
  • CBAC typically used to protect servers
  • CBAC Tuning
    • Try to make the hashtable size the same as the number of average concurrent connections
    • By default, CBAC generates alerts when it finds inconsistencies in protocol tracking. You should disable alerts globally or per protocol to improve performance.
  • Session audit can also be enabled globally or per protocol.
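The half-open session limits above (total half-open count and one-minute rate, each with a high and low watermark, plus the per-host limit), as an added Python model written for these notes; it is not IOS code and not from the original post, and the thresholds and traffic in the test are constructed. Real CBAC also ages half-open sessions by timer, which the model leaves out.

```python
from collections import deque


class HalfOpenGuard:
    """Simplified model of CBAC's half-open limits (a constructed model, not IOS)."""

    def __init__(self, max_high, max_low, minute_high, minute_low, host_max):
        self.max_high, self.max_low = max_high, max_low              # total half-open high/low
        self.minute_high, self.minute_low = minute_high, minute_low  # one-minute rate high/low
        self.host_max = host_max                                     # per-destination-host limit
        self.half_open = deque()      # (client, server) pairs, oldest first
        self.per_host = {}            # half-open sessions per destination host
        self.minute_count = 0         # new session attempts in the current minute
        self.aggr_total = False       # deleting because the total count crossed high
        self.aggr_rate = False        # deleting because the one-minute rate crossed high
        self.deleted = 0              # half-open sessions deleted to make room

    def syn(self, client, server):
        """A new SYN toward a protected server; returns 'pass' or 'drop'."""
        self.minute_count += 1
        if self.per_host.get(server, 0) >= self.host_max:
            return "drop"             # per-host limit hit (IOS then blocks that host for block-time)
        if (self.aggr_total or self.aggr_rate) and self.half_open:
            self._forget(self.half_open[0])   # make room: delete the oldest half-open session
            self.deleted += 1
        self.half_open.append((client, server))
        self.per_host[server] = self.per_host.get(server, 0) + 1
        self._check_total()
        return "pass"

    def established(self, client, server):
        """Handshake completed, so the session is no longer half-open."""
        self._forget((client, server))

    def minute_tick(self):
        """End of a one-minute window: apply the rate watermarks and reset the counter."""
        self.aggr_rate = self._watermark(self.minute_count, self.minute_high,
                                         self.minute_low, self.aggr_rate)
        self.minute_count = 0

    def _forget(self, sess):
        self.half_open.remove(sess)
        self.per_host[sess[1]] -= 1
        self._check_total()

    def _check_total(self):
        self.aggr_total = self._watermark(len(self.half_open), self.max_high,
                                          self.max_low, self.aggr_total)

    @staticmethod
    def _watermark(value, high, low, current):
        """Hysteresis: switch on above high, off below low, otherwise keep the current state."""
        if value > high:
            return True
        if value < low:
            return False
        return current
```

The point of the two thresholds is the hysteresis: once deletion starts above the high mark, it keeps going until the count (or rate) falls below the low mark, which is why setting low too close to high causes the router to flap in and out of aggressive mode.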
Authentication proxy
  • Download per-user ACLs and merge with interface access-group
  • To authenticate, a HTTP session is intercepted and authentication is performed by the router
  • You have to enable user-level RADIUS/TACACS attributes, then you need to set what attributes are available through the interface configuration in ACS
  • Always remember that if you have to create an ACL, it may not always be as specific as it needs to be. For example, if your ACS is on that interface, you need to enable RADIUS/TACACS traffic in that ACL.
  • Be sure that your av-pair definition is correct. Debugs only kind of helped here, but I defined auth-proxy:prive-lvl=15 instead of the correct auth-proxy:priv-lvl=15. I was given the error Auth Fail! and the debugs were not really clear.
    • Is there a list of Cisco AV Pairs on the Cisco site? Namely the cisco-av-pair valid attributes? If anyone knows, I would love the URL!
  • The priv-lvl=15 is necessary for all users
  • More Information - Authentication Proxy Configuration

Thursday, September 13, 2012

More VPN and Access-Lists...

IPSec High Availability

  • You can attach a crypto map to an interface running HSRP
    • crypto map VPN redundancy HSRP1
IPSec High Availability with NAT and HSRP
  • You can create NAT availability by attaching the HSRP group name to your nat statements
    • ip nat inside source static 136.1.134.1 136.1.234.1 redundancy HSRP1
IPSec Pass-Thru Inspection on ASA
  • The ASA can inspect IPSec going through the firewall. 
    • class-map IKE
      • match port udp eq 500
    • policy-map global_policy
      • class IKE
        • inspect ipsec-pass-thru
    • service-policy global_policy global
    • show service-policy global
L2TP over IPSec between ASA and Windows
  • Create a standard isakmp policy
  • Create a wildcard isakmp key
  • Create a transform set, mode transport
  • Create dynamic crypto-map that matches udp port 1701 (l2tp) and sets transform set
  • Create crypto map, assign dynamic map and attach to interface
  • Create local pool
  • Create username/password with mschap keyword
  • Create group-policy
    • Specify ipsec and l2tp-ipsec as protocols
    • default-domain name
    • dns-server
  • Modify built-in tunnel-group DefaultRAGroup general-attributes
    • Assign local address from pool
    • default local authentication
    • apply group-policy L2TP
    • Modify built-in tunnel-group DefaultRAGroup ppp-attributes
      • Use ms-chap v2 as authentication protocol
    • Modify built-in tunnel-group DefaultRAGroup ipsec-attributes
      • Specify pre-shared-key
  • Not too different than setting up other VPNs, other than the use of the default tunnel-group. There are a lot of things to configure, so it could be easy to forget an attribute
ISAKMP Profiles
  • Can support termination of multiple VPNs through use of identities
  • Match identities and use multiple lines in crypto map (10, 20, etc).
  • I will be reading more about ISAKMP identities
Access-List Refresher
  • 33434-33464 is the UDP range for UNIX/IOS traceroute
  • ICMP pMTU requires ICMP type 3, packet too big
  • ICMP traceroute uses ICMP unreachables and time-exceeded
  • Don't forget unspecified but necessary traffic - like routing protocols!
  • I've always found it easy to draw my access-lists on paper. Draw a line down the middle, left is IN, right of the line is OUT. Now draw arrows for the direction you need to allow/block. Draw it all out and then look at your drawing - is your return traffic going to make it back?
  • Some IOS versions will not policy route multicast traffic. This is just a side note, but I needed to reflect RIP to allow routing updates on an interface and had to policy-route so they would be caught by the access-list.

I have about 140 pages left which I should complete by next Wednesday, which gives me a solid two months to finish up my studying. Hopefully I will have my full labs soon. I ordered them through my employer, which takes forever. Once I've finished up with my home study, I will grab some rack time to finish up the things I could not do at home. I will then circle back through Volume 1 and touch anything that I need more practice on.

Wish me luck!

Friday, September 7, 2012

VPN QoS, TED and ISAKMP Authorization


L2L QoS
  • Functions much like IOS (MQC)
  • Under class-map, you match tunnel-group as well as other parameters (dscp, ipp, etc)
  • Create a policy-map
  • Attach to interface with service-policy
QoS Pre-classify
  • This was similar to some of the frame-relay shaping commands from R&S
  • Enable qos pre-classify under the crypto map
  • Configure your class-maps, policy-map just like normal
  • Create a parent policy-map, configure class-default, shape and attach your QoS policy here. It is the parent policy that will be applied to the interface.
Fragmentation
  • A near-MTU sized packet can be fragmented before or after encryption with an interface-level 'crypto ipsec fragmentation before/after' command
IOS Router ISAKMP pre-shared keys with AAA
  • Router sends remote peer ID as login name along with 'cisco' which is a hardcoded value. The attributes in reply are used to extract pre-shared key for IKE and deduce various other attributes
  • On authenticating router, set identity and password with 'crypto isakmp peer address 1.1.1.1' command
    • set aggressive-mode password CISCO
    • set aggressive-mode client-endpoint ....
  • On secure router, enable isakmp authentication with
    • crypto map VPN isakmp authorization list AAA_GRP_NAME
  • You also need to set parameters in ACS
    • AV Pair : ipsec:key-exchange=IKE
    • IETF Service : outbound
    • IETF Tunnel-Type : IP ESP
    • IETF Tunnel-Password : pre-shared key
  • Create user in ACS and add to group with the above parameters
  • For some reason, my routers weren't picking up on the ISAKMP authorization list, so I had to create a default. This could be something with GNS3 or a bug.
Tunnel Endpoint Discovery
  • Create a dynamic map that matches the IP addresses and sets the transform set. Then attach the dynamic map to a crypto map with the keyword of 'dynamic' at the end
    • crypto map VPN 10 ipsec-isakmp dynamic DISCOVER discover
Well, that puts the finishing touches on another couple of sections. Down to 200 pages left, which has me pretty excited. I want to make it through this so I can get some more reading done (compare to blueprint) and begin some full labs to see how this is all tied together.

Wednesday, September 5, 2012

EasyVPN and SSL VPN

EasyVPN

  • The below config is for client mode
  • Most EasyVPN configuration is under the 'crypto isakmp client' configuration
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local EZVPN
crypto isakmp client configuration group EZVPN
 key CISCO
 pool EZVPN
 acl SPLIT_TUNNEL
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 
crypto dynamic-map DYNAMIC 10
 set transform-set 3DES_MD5 
 reverse-route
crypto map VPN isakmp authorization list EZVPN
crypto map VPN client authentication list EZVPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
!
! the crypto map is applied under the outside interface; Fa0/0 is assumed here, the original notes do not name it
interface Fa0/0
 crypto map VPN
  • On the client, configuration is under 'crypto ipsec client'
crypto ipsec client ezvpn EZVPN
 connect manual
 group EZVPN key CISCO
 mode client
 peer 136.1.123.3
 xauth userid mode interactive
interface Lo0
 crypto ipsec client ezvpn EZVPN inside
interface Fa0/0
 crypto ipsec client ezvpn EZVPN
  • In a manual configuration, you connect the tunnel with 'crypto ipsec client ezvpn connect'. If you have configured xauth, you will need to enter 'crypto ipsec client ezvpn xauth' following the connect statement to enter your credentials.
  • You can have multiple inside/outside interfaces
  • You can have multiple subnets, but you must use an ACL to capture the subnets.
    • crypto ipsec client ezvpn EZVPN
    • acl ACCESS_LIST_NAME
  • Show/clear commands include
    • show crypto ipsec client ezvpn
    • show ip nat statistics
    • clear crypto ipsec client ezvpn
  • You can also enable network-extension mode, which means there is no NAT, no pool and the remote addresses are routable on the protected network.
  • Configuration on an ASA is similar, albeit using tunnel-groups and group-policy
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) EZVPN
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (inside) EZVPN
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN
 default-group-policy EZVPN
tunnel-group EZVPN ipsec-attributes
 pre-shared-key *
!
group-policy EZVPN internal
group-policy EZVPN attributes
 dns-server value 10.0.0.100
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 10 set reverse-route
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
  • Configuring ASA w/ VPN Client and external policy
    • This required configuration and setup of the ACS server. I have no experience with ACS other than adding users/groups/etc. I do have experience with RADIUS in an ISP environment, so the concept isn't totally foreign.
    • Define Radius server with the 'aaa-server' command on ASA
    • To use an external policy, use 'group-policy EZVPN external server-group RADIUS password CISCO'
    • Add ASA as AAA Client in ACS
    • Under Interface - Radius (VPN3k, ASA, PIX) enable the VSAs you are required to use, such as Primary DNS, IPSec-Authentication, Split-tunnel list
    • Create an EZVPN Group in ACS and fill in the values for the selected VSA
    • Finally, add user and assign to EZVPN group
    • This configuration enables group authentication to the ACS, but user authentication to the ASA
  • Authenticate remote VPN user to ACS
    • user authentication is performed prior to group-policy download, so you can specify policy per-user.
    • The OU is used for group match in ACS
WebVPN
  • Configuration seemed straight-forward.
  • WebVPN configuration is under the webvpn context
  • You can create group-policy for webvpn
group-policy WEBVPN attributes
 webvpn
  filter value WEBACCESS
  url-entry enable
  • There are special access list for webvpn called webtype
  • There is also a webvpn tunnel-group type
  • You configure port-forwards under the main webvpn context
port-forward TELNET_R3 20023 136.1.121.1 telnet 

SSL VPN
  • Similar to WebVPN setup. You indicate where the client image is located, and enable it under webvpn
webvpn
  svc image disk0:/sslclient.pkg 1
  svc enable
  • You need to create a pool for SSL VPN users (ip local pool)
  • Create a group policy similar to webvpn
group-policy SSLVPN attributes
  vpn-tunnel-protocol webvpn
  webvpn
    svc required
    svc keep-installer installed
  • Create a tunnel group
tunnel-group SSLVPN type webvpn
tunnel-group SSLVPN general-attributes
  address-pool NAME
  default-group-policy SSLVPN
  • Attach policy to username
username CISCO attributes
  vpn-group-policy SSLVPN

Sunday, September 2, 2012

ASA Reading - L2L and Remote Access VPNs

Decided to do some reading this morning before my lab time. Reading "Cisco ASA, All-in-one firewall, IPS, Anti-X and VPN Adaptive Security Appliance" by Jazib Frahim and Omar Santos. Overall, I have to say it's a good intermediate level book. It does not seem to get real deep into any one topic, but it covers enough on a very wide range of topics. 

  • L2L Tunnels
    • Modify ISAKMP keepalive parameters under tunnel-group
    • Set Phase 1 mode (Agg, MM) under crypto map
    • Timers also set by crypto map
    • Enable management access across VPN tunnels with 'management-access INTERFACE' global command
    • Set reverse-route with Crypto Map
    • ASA, by default, allows fragmentation to occur before packets are encrypted. However, if DF is set, the ASA retains the DF bit. If large packets are sent through the ASA with the DF bit set, they are dropped.
    • You can clear the DF bit with 'crypto ipsec df-bit clear-df INTERFACE' global command.
    • 'crypto ipsec fragmentation before-encryption INTERFACE' global command forces fragmentation before encryption, otherwise the remote end is responsible for re-assembly and defragmentation which is processor intensive
    • Like IOS, you can set a debug condition - 'debug crypto condition peer 1.12.35.8'
    • You can also monitor with the capture command
      • capture NAME type isakmp interface outside
      • show capture NAME decode
  • Remote Access
    • Group policies have inheritance
    • Group policies are attached to tunnel groups
      • group-policy IPSecPolicyName internal
      • group-policy IPSecPolicyName attributes
        • vpn-tunnel-protocol IPSec
      • tunnel-group GroupName type remote-access
      • tunnel-group GroupName general-attributes
        • default-group-policy IPSecPolicyName
      • tunnel-group GroupName ipsec-attributes
        • pre-shared-key C!$c0K3y
    • Define RADIUS server for authentication
      • aaa-server Radius protocol radius
      • aaa-server Radius (inside) host 1.12.35.8
        • key C1$c0K3y
        • exit
      • tunnel-group GroupName general-attributes
        • authentication-server-group Radius
    • Address assignment
      • Local
        • ip local pool IPPool 1.1.1.1-1.1.1.254 mask 255.255.255.0
        • group-policy IPSecPolicyName attributes
          • address-pools value IPPool
      • You can also link pool to tunnel group - group-policy is preferred.
      • DHCP
        • vpn-addr-assign dhcp
        • tunnel-group GroupName general-attributes
        • dhcp-server 1.0.0.10
    • Dynamic Crypto Map
      • Required when remote hosts have dynamic addresses
      • Automatically created when you enable isakmp
        • crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535
      • Must set transform set
      • Attach to outside crypto map
        • crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
      • Finally, attach to interface
        • crypto map outside_map interface outside
    • Access Filtering
      • You can attach ACL to group policy
        • group-policy IPSecPolicyName attributes
          • vpn-filter value ACL_NAME
    • Split Tunneling
      • Attached to group-policy. You can define the split-tunnel ACL and the split-tunnel policy
        • group-policy IPSecPolicyName attributes
          • split-tunnel-policy tunnelspecified
          • split-tunnel-network-list value SplitTunnelACL
    • Can also assign DNS and Wins via group-policy attributes
  • VPN Load Balancing
    • ASA devices have a priority, e.g. 5510 is 2, 5580 is 10. Higher wins. If devices with the same priority are powered up at the same time, the lowest IP becomes master
    • Virtual IP
    • Clients must support IKE redirect
      • vpn load-balancing
        • priority 6
        • cluster key C1$c0K3y
        • cluster ip address 10.0.0.1
        • cluster encryption
        • participate
      • ISAKMP must be enabled on all devices/interfaces participating in load balancing