Network Security - PowerPoint PPT Presentation

About This Presentation
Title:

Network Security

Description:

No ip domain-lookup. Prevents finger protocol requests. No service finger ... Turns off IP directed broadcasts, preventing the router from becoming a ... – PowerPoint PPT presentation

Number of Views:642
Avg rating:3.0/5.0
Slides: 171
Provided by: ndavies3
Category:
Tags: ip | lookup | network | security


Transcript and Presenter's Notes



1
Network Security
  • Ryan Greer
  • CCNP, CCDP, MCSE
  • Pat Bittner
  • Keller Schroeder Associates, Inc.
  • Evansville, Indiana

2
Module 1
  • Evaluating Network Security Threats

3
Primary Reasons for Security Issues
  • Technology Weakness
  • Configuration Weakness
  • Policy Weakness

4
Technology Weaknesses
  • TCP/IP
  • Operating System
  • Network Equipment Weaknesses

5
Configuration Weakness
  • Insecure default Settings
  • Misconfigured network equipment
  • Insecure user accounts
  • System accounts with easy-to-guess passwords
  • Misconfigured Internet services
  • Java JavaScript

6
Policy Weakness
  • Lack of security policy
  • Internal Politics (political battles, turf wars)
  • Lack of business continuity (high turnover)
  • Poorly enforced
  • Inadequate monitoring
  • Lack of awareness of being attacked
  • Installations that do not follow policy
  • Security incident and DRP not in place

7
Types of Threats
  • Internal Threats
  • External Threats

8
Internal Threats
  • Current employees with less-than-honorable
    intentions
  • Current employees pursuing unintentional
    activities
  • Employees who mismanage the environment
  • Use insecure passwords
  • Misconfigure equipment out of ignorance

9
External Threats
  • Thrill Seekers
  • Competitors
  • Enemies
  • Thieves
  • Spies
  • Hostile ex-employees
  • Others
  • Intrusion for sport
  • Intrusion to learn

10
Security Threat Types
  • Reconnaissance
  • Unauthorized Access
  • Denial of Service
  • Data Manipulation

11
Reconnaissance
  • Target Discovery
  • Eavesdropping
  • Information Theft

12
Unauthorized Access
  • Gaining Initial Access
  • Password-Based Attacks
  • Gaining Trusted or Privileged Access
  • Misuse of Systems after gaining access
  • Counteracting Remote-Access Attacks

13
Denial of Service
  • Resource Overload
  • Out-of-Band Data DoS Attacks
  • Others
  • Counteracting

14
Data Manipulation
  • IP Spoofing
  • Session Replay and Hijacking
  • Rerouting

15
Module 2
  • Securing the Network Infrastructure

16
Securing Physical Devices
  • Establish Configuration and Control Policy
  • Properly lock, power, wire and cool equipment
  • Control direct access to all network equipment
  • Secure access to network links
  • Plan for Disaster Recovery

17
Securing Administrative Interface
  • Setting Console Access
  • Using Password Encryption
  • Fine-Tuning Line Parameters
  • Setting Multiple Privileged Levels
  • Setting Device Banner Messages
  • Controlling Telnet Access
  • Controlling SNMP Access

18
Setting Console Passwords
  • Tips
  • Immediately configure
  • Make privileged and user passwords different
  • Use mixed characters
  • Do not write down

19
Setting Console Access
User Mode Passwords
  router(config)# line console 0
  router(config-line)# login
  router(config-line)# password ruHamlet

  User Access Verification
  Password: ruHamlet
  router>

20
Setting Console Passwords
Privileged Mode Passwords
  router(config)# enable secret 2br!2b@?

  router> enable
  Password: 2br!2b@?
  router#

21
Using Password Encryption
Using Service Password Encryption
  router(config)# service password-encryption

Resulting running configuration:
  line con 0
   password 7 094F471A1A0A
  line vty 0 4
   password 7 05080F1C2243

22
Fine-Tuning Line Parameters
Unattended Timeout
  router(config)# line console 0
  router(config-line)# exec-timeout 2 30

23
Setting Multiple Privilege Levels
24
Setting Multiple Privilege Levels
Setting Privilege Levels for Commands
  router(config)# privilege exec level 2 show startup-config
  router(config)# privilege exec level 2 show debug ip rip
  router(config)# privilege exec level 2 show ping
  router(config)# enable secret level 2 2kdo40d

Logging into Privilege Level
  router> enable 2

25
Setting Device Banner Messages
  • Banner Messages
  • Do not use "Welcome"
  • Banner command
  • router(config)# banner exec
  • Session activated. Enter commands at the prompt

26
Controlling Telnet Access
  • Considerations
  • telnet ports called virtual terminal (vty) ports
  • Enable password must be configured to enable via
    Telnet
  • Should restrict telnet access by using ACL
  • Configure all vty ports (as many as 15)
  • Limit, block, disable aux ports with no exec

27
Telnet Examples
VTY Configuration
  router(config)# line vty 0 4
  router(config-line)# login
  router(config-line)# password shakespeare

Restricting Access
  router(config)# access-list 21 permit 10.1.1.4
  router(config)# line vty 0 4
  router(config-line)# access-class 21 in

28
Controlling SNMP Access
  • SNMP Overview
  • Configuring SNMP Agent
  • Controlling SNMP access with community strings
  • Configuring Traps and Informs

29
SNMP System
  • Components
  • Managed device (router or switch)
  • SNMP agents and MIBs running on managed device
  • SNMP management application (CiscoWorks 2000)

30
SNMP Agent Functions
  • MIB variable access
  • MIB variable setting
  • SNMP trap
  • SNMP community strings

31
Controlling SNMP Access with Community Strings
Nonprivileged SNMP Access
  router(config)# snmp-server community secure ro

Privileged SNMP Access
  router(config)# snmp-server community semisecure rw

Access List SNMP Access
  router(config)# access-list 1 permit 10.1.1.4
  router(config)# access-list 1 permit 10.1.1.5
  router(config)# snmp-server community semisecure rw 1

32
SNMP Traps and Informs
Trap
  router(config)# snmp-server host 10.1.1.4 trap

Inform
  router(config)# snmp-server host 10.1.1.4 inform

33
Controlling router-router Communications
  • Routing Protocol Authentication
  • Secure router Configuration Files
  • Controlling Traffic Using Filters

34
Routing Protocol Authentication
  • Plaintext
  • Neighbors must share authentication key
  • Key sent in plaintext
  • Message Digest Algorithm 5 (MD5)
  • Hash of key
  • Key not actually sent over wire
  • Prevents eavesdropping
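
The slide contrasts plaintext neighbor authentication with MD5 authentication. The following Python is an added illustration, not part of the deck or any Cisco code: it models a routing update as bytes, shows that the plaintext scheme puts the shared key itself into the packet, and that the MD5 scheme sends only MD5(update || key), which a receiver holding the same key can recompute. The update text and key are constructed sample values; the real on-wire layout of RIPv2/EIGRP authentication is protocol-specific.

```python
import hashlib
import hmac

# Constructed sample: a routing update and the key configured on both neighbors.
UPDATE = b"RIP-RESPONSE 10.1.2.0/24 metric 1"
SHARED_KEY = b"neighbor-key-17"      # configured on both routers, never meant to be sent


def plaintext_auth(update, key):
    """Plaintext authentication: the key rides inside the packet."""
    return key + b"|" + update


def md5_auth(update, key):
    """MD5 authentication: the packet carries the update and MD5(update || key)."""
    return update, hashlib.md5(update + key).digest()


def verify_md5_auth(update, digest, key):
    """Receiver recomputes the digest with its own copy of the key and compares
    in constant time; any change to the update or a different key fails."""
    expected = hashlib.md5(update + key).digest()
    return hmac.compare_digest(expected, digest)


def key_on_wire(packet, key):
    """Would a sniffer capturing this packet see the key as a substring?"""
    return key in packet


if __name__ == "__main__":
    update, digest = md5_auth(UPDATE, SHARED_KEY)
    print("valid update accepted:", verify_md5_auth(update, digest, SHARED_KEY))
    tampered = update.replace(b"metric 1", b"metric 9")
    print("tampered update accepted:", verify_md5_auth(tampered, digest, SHARED_KEY))
    print("plaintext packet leaks key:", key_on_wire(plaintext_auth(UPDATE, SHARED_KEY), SHARED_KEY))
    print("md5 packet leaks key:", key_on_wire(update + digest, SHARED_KEY))
```

The keyed digest protects the key from eavesdropping and the update from modification; it does not by itself stop replay of an old, correctly-signed update, which the real protocols address with sequence numbers in the authentication header.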

35
Securing Configuration Files
  • TFTP
  • Not secure protocol, no password required
  • Anyone with access to TFTP server can modify the
    configuration file
  • TFTP server can be detected with port scans
  • Recommendations
  • Manually enable/disable TFTP software when needed

36
Controlling Traffic Using Filters
  • Access Lists
  • Filtering Routing Updates
  • Incoming Network Filters

37
Access List Tips
  • Use ACL to control whether traffic is forwarded
    or blocked at the router interface
  • ACL do not authenticate individual users but
    filter based on information in the packets

38
Filtering Networks in Routing Updates
  • Helps secure networks
  • Increases security
  • Increases stability
  • Configuration
  • router(config)# access-list 45 deny 10.1.2.0
    0.0.0.255
  • router(config)# access-list 45 permit any
  • router(config)# router eigrp 200
  • router(config-router)# distribute-list 45 out
    serial0

39
Suppressing Updates from Being Processed
Suppress Updates from Being Processed
  router(config)# access-list 46 permit 10.2.0.0 0.0.255.255
  router(config)# router eigrp 200
  router(config-router)# distribute-list 46 in serial0

Suppress Updates through Interface
  router(config)# router eigrp 200
  router(config-router)# passive-interface ethernet0

40
Incoming Network Filters
Deny Spoofed Packets from Internal Network
  router(config)# access-list 102 deny ip 10.1.2.0 0.0.0.255 any log
  router(config)# interface serial0
  router(config-if)# ip access-group 102 in

41
Module 3
  • Cisco AAA Security Technology

42
AAA Security Architecture
  • Authentication
  • Requires users to prove that they really are who
    they say they are
  • Authorization
  • Decide which resources the user is allowed to
    access and which operations the user is allowed
    to perform
  • Accounting
  • Records what the user actually did, what was
    accessed, and how long it was accessed
  • Counteracts repudiation

43
Authentication Methods
  • Username and Password Authentication
  • S/Key Authentication
  • Token Cards and Servers
  • PAP and CHAP Authentication

44
Usernames and Passwords
  • No username/password
  • Username/password static
  • Username/password aging
  • S/Key one-time passwords
  • One-time passwords
  • Token cards/soft tokens

45
PAP CHAP Authentication
  • Important component of dialup access
  • Authentication accomplished by PAP or CHAP
  • PPP standard encapsulation protocol for
    transport of different L3 protocols across serial
    or point-to-point links (PSTN,ISDN)

46
PAP Authentication over PPP
  • Two-way handshake only after initial PPP link
    establishment
  • Client sends username and password
  • NAS accepts or rejects
  • Not a strong authentication method
  • Username and password sent in cleartext
  • No protection against playback or repeated
    trial-and-error attacks

47
PAP Authentication over PPP
48
CHAP Authentication over PPP
  • Stronger than PAP
  • Password never crosses network
  • 3-way handshake
  • NAS sends challenge message to client
  • Client replies with one-way hash value
  • NAS compares the received hash with its own
    calculation

49
CHAP Contd
  • Protection against playback
  • Constantly changing string prevents eavesdropping
    and replaying
  • Problem not supported in NT (NT uses MS-CHAP)
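
The two CHAP slides describe the three-way handshake and why a fresh challenge defeats playback. The Python below is an added example, not from the deck: it implements both sides of the exchange with the RFC 1994 response value MD5(Identifier || secret || Challenge), consumes each challenge on first use so a captured response cannot be replayed, and shows that the shared secret itself is never sent. The secret and the class names are constructed for the example.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"correct-horse-battery"   # constructed; configured on NAS and client


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Nas:
    """Network access server side of the handshake."""

    def __init__(self, secret):
        self.secret = secret
        self.next_id = 0
        self.outstanding = {}   # identifier -> challenge awaiting a response

    def challenge(self):
        """Step 1: send a fresh random challenge under a new identifier."""
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.next_id] = chal
        return self.next_id, chal

    def verify(self, identifier, response):
        """Step 3: recompute the hash with the local secret and compare.
        The challenge is removed on first use, so replaying a captured
        response for the same identifier is rejected."""
        chal = self.outstanding.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, identifier, challenge):
        """Step 2: answer with the one-way hash; the secret never crosses the link."""
        return chap_response(identifier, self.secret, challenge)


def run_handshake(nas, client):
    """Drive the three messages; return (accepted, identifier, response)."""
    identifier, chal = nas.challenge()
    response = client.respond(identifier, chal)
    return nas.verify(identifier, response), identifier, response


def replay_rejected(nas, client):
    """A genuine handshake succeeds, and replaying its exact response fails."""
    accepted, identifier, response = run_handshake(nas, client)
    return accepted and not nas.verify(identifier, response)


if __name__ == "__main__":
    nas = Nas(SHARED_SECRET)
    print("correct secret accepted:", run_handshake(nas, Client(SHARED_SECRET))[0])
    print("wrong secret accepted:", run_handshake(nas, Client(b"guess"))[0])
    print("replay rejected:", replay_rejected(nas, Client(SHARED_SECRET)))
```

Note that the NAS must hold the secret in a form it can feed to MD5, which is why CHAP needs a reversible or cleartext password store on the server side; the slide's point is that the secret is protected on the wire, not at rest.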

50
CHAP Authentication over PPP
51
Authorization Methods
  • Control services available to each user
  • Works by assembling a set of attributes
    describing what a user is authorized to perform
  • Local or remote authorization database

52
Accounting Methods
  • Track amount of resources users are accessing and
    types of services they are using
  • Ex billing departments for usage

53
AAA Security Servers
  • Local Security Database
  • Remote Security Database

54
Local Security Database
  • Characteristics
  • Few users, few access servers
  • Usernames/passwords stored locally
  • Saves the cost of maintaining a remote security
    database
  • Operation
  • Prompt for username/password
  • NAS authenticates using local security database

55
Local Security Database
56
Remote Security Database
  • Characteristics
  • Best for medium to large-size networks
  • Usernames/passwords centrally stored in remote
    security database
  • Saves cost of administering each NAS on network
  • Operation
  • Prompt
  • NAS passes username and password to remote server
  • Remote database authenticates and passes response
    to NAS

57
Remote Security Database
58
Remote Database Standards
  • TACACS
  • RADIUS
  • Kerberos

59
TACACS RADIUS Comparison
60
Module 4
  • Configuring Network Access Server for
  • AAA Security

61
Remote Access Security Problem
  • Intruder Methods
  • Gaining access to the devices console port
  • Guessing current username/password combinations
    if device is discovered to be a remote access
    device
  • Considering a lack of policy notifications to be
    permission to attempt access
  • Solutions
  • Block entry points
  • Control remote access

62
NAS AAA Configuration
  • Secure access to privileged EXEC
  • Enable AAA
  • Configure Authentication
  • Configure Authorization
  • Configure Accounting
  • Debug Configuration

63
Step 1 Secure Privileged EXEC
Setting Enable Password and Password Encryption
  router(config)# enable secret supersecret
  router(config)# service password-encryption

64
Step 2 Enable AAA
Establish a new AAA configuration
  router(config)# aaa new-model

Secure access to all lines (except PPP)
  router(config)# aaa authentication login default enable

65
Step 3 Configure Authentication
  • Define Method
  • Apply to Interface

Configure AAA Authentication
  router(config)# aaa authentication login tech-pubs local
  router(config)# line console 0
  router(config-line)# login authentication tech-pubs

66
Step 4 Configure Authorization
Authorize level 1 commands locally
  router(config)# aaa authorization commands 1 Orion local

Authorize level 15 commands locally
  router(config)# aaa authorization commands 15 Andromeda local

67
Step 5 Configure Accounting
Audits system events using the wait-start method
  router(config)# aaa accounting system wait-start local

Sends stop record notices when network services terminate
  router(config)# aaa accounting network stop-only local

Sends stop and start notices with EXEC
  router(config)# aaa accounting exec start-stop local

68
Step 6 Debug Configuration
  • Debug aaa authentication
  • Debug aaa authorization
  • Debug aaa accounting

69
Configuring TACACS RADIUS Support
TACACS
  router(config)# aaa new-model
  router(config)# tacacs-server host 10.1.1.4
  router(config)# tacacs-server key 2bor!2b@?

RADIUS
  router(config)# aaa new-model
  router(config)# radius-server host 10.1.1.4
  router(config)# radius-server key 2bor!2b@?

70
Module 4
  • Configuring Cisco Perimeter router

71
Cisco Perimeter routers
72
Other Perimeter Security Systems
  • DMZ
  • Bastion Host
  • Firewall

73
Firewall
  • Traffic choke point all traffic passing to and
    from outside must pass through
  • Only authorized traffic is allowed pass
  • Firewall itself is configured to be immune to
    penetration
  • Firewall itself makes inside network invisible to
    the outside

74
Firewall Implementations
  • Packet Filter
  • Inspects each packet but does not keep track of
    sessions
  • Circuit-Level Gateway
  • Validates TCP/UDP session before opening a
    connection
  • Maintains a table of valid session connections
    and lets data pass when match session entry
  • Proxy Server
  • Firewall

75
Controlling TCP/IP Services: Global Config Mode
76
Controlling TCP/IP Services: Interface Config Mode
77
Preventing Rerouting Attacks
  • Static Routes
  • Controlling Route Advertisement
  • Route Authentication

78
Controlling Access Inbound
  • Inbound Packet Filter
  • Filter packets with internal addresses as source
  • Filter packets with RFC-reserved address as
    source
  • Filter bootp, TFTP, SNMP and traceroute to
    prevent access and reconnaissance attacks
  • Allow TCP connections initiated from internal
    networks to prevent
  • Prevent direct pings to PIX outside

79
Inbound Example
Inbound Filter Example
  router(config)# interface serial 0
  router(config-if)# ip address 216.135.3.0 255.255.255.0
  router(config-if)# ip access-group 101 in
  router(config)# interface Ethernet 0
  router(config-if)# ip address 216.135.4.0 255.255.255.0
  router(config-if)# ip access-group 102 in
  router(config)# access-list 101 deny ip 10.0.0.0 0.255.255.255 any
  router(config)# access-list 101 deny ip 172.16.0.0 0.15.255.255 any
  router(config)# access-list 101 deny ip 192.168.0.0 0.0.255.255 any
  router(config)# access-list 101 permit ip any any
  router(config)# access-list 102 permit ip 216.135.4.0 0.0.0.255 any
  router(config)# access-list 102 deny ip any any

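
To make the filter above concrete, here is an added Python model of how IOS evaluates an extended access list (it is not code from the deck or from Cisco). It implements wildcard-mask matching, first-match-wins ordering and the implicit deny at the end of every list, then runs the slide's access-list 101 (inbound from the Internet on Serial0) and access-list 102 (inbound from the LAN on Ethernet0) against constructed sample packets. The documentation-range addresses 198.51.100.7 and 203.0.113.5 are sample values chosen for the example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


# Entries transcribed from the slide: (action, protocol, (src, src_wildcard), (dst, dst_wildcard)).
ACL_101 = [                                   # inbound on Serial0: drop RFC 1918 sources
    ("deny",   "ip", ("10.0.0.0",    "0.255.255.255"), ANY),
    ("deny",   "ip", ("172.16.0.0",  "0.15.255.255"),  ANY),
    ("deny",   "ip", ("192.168.0.0", "0.0.255.255"),   ANY),
    ("permit", "ip", ANY, ANY),
]
ACL_102 = [                                   # inbound on Ethernet0: only our own prefix may leave
    ("permit", "ip", ("216.135.4.0", "0.0.0.255"), ANY),
    ("deny",   "ip", ANY, ANY),
]


def evaluate(acl, protocol, src, dst):
    """Walk the entries in order; the first match decides. An empty or
    exhausted list falls through to the implicit deny."""
    for action, proto, (s, sw), (d, dw) in acl:
        if proto != "ip" and proto != protocol:
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


if __name__ == "__main__":
    for src in ("10.1.2.3", "172.31.9.9", "192.168.1.1", "203.0.113.5"):
        print("Serial0   <-", src, "->", evaluate(ACL_101, "tcp", src, "216.135.4.10"))
    for src in ("216.135.4.7", "10.1.1.1"):
        print("Ethernet0 <-", src, "->", evaluate(ACL_102, "tcp", src, "198.51.100.7"))
```

The wildcard 0.15.255.255 is what makes 172.16.0.0 cover the whole 172.16/12 private block: 172.31.x.x is denied while 172.32.0.1 is not, which the tests below check.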
80
Controlling Access Outbound
  • Outbound Packet Filter
  • Allow only packets with a source address from
    internal network to Internet
  • Allow only packets with a source address from the
    bastion host to the Internet
  • Filter any IP addresses that are not allowed out
    as defined by the security policy

81
DoS Protection Prevent DoS
  • Actions
  • Prevent equipment being used in DDoS attack
  • No ip directed-broadcast
  • Filter all incoming for private and reserved
    addresses
  • ACL
  • Filter all outgoing traffic to prevent spoofing
  • ACL ip verify unicast reverse-path
  • Use Committed Access Rate (CAR) to rate-limit
    ICMP packet floods
  • Use Committed Access Rate (CAR) to rate-limit for
    SYN packets
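
The slide lists "ip verify unicast reverse-path" (unicast RPF) as the anti-spoofing control for outgoing traffic. As an added example that is not from the deck, the Python below models the check: it looks up the best route back to a packet's source address in a constructed routing table and, in strict mode, accepts the packet only if that route points out the interface the packet arrived on. The route table, interface names and the `allow_default` switch (which stands in for the allow-default keyword of the newer `ip verify unicast source reachable-via` form of the command) are assumptions for the example.

```python
import ipaddress

# Constructed routing table for a perimeter router: prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0":      "Serial0",     # default route toward the Internet
    "216.135.4.0/24": "Ethernet0",   # internal network from the slides
    "216.135.5.0/24": "Ethernet1",   # a second internal segment
}


def best_route(ip):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src_ip, ingress, allow_default=False):
    """Strict mode: the best route back to the source must leave via the
    ingress interface. A source covered only by the default route is
    rejected unless allow_default is set."""
    route = best_route(src_ip)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not allow_default:
        return False
    return route[1] == ingress


def urpf_loose(src_ip, allow_default=False):
    """Loose mode: any route to the source is enough, regardless of interface;
    again the default route only counts when allow_default is set."""
    route = best_route(src_ip)
    return route is not None and (route[0].prefixlen > 0 or allow_default)


if __name__ == "__main__":
    print("LAN host on Ethernet0:", urpf_strict("216.135.4.9", "Ethernet0"))
    print("LAN source arriving from Internet:", urpf_strict("216.135.4.9", "Serial0"))
    print("LAN host claiming outside source:", urpf_strict("203.0.113.5", "Ethernet0", True))
```

Strict mode on the internal interface is the outbound anti-spoofing filter the slide wants: an internal host sending packets with a foreign source address fails the check. On the Internet-facing interface, where most sources match only the default route, loose mode (or allow-default) is the usual choice so that legitimate traffic is not dropped.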

82
TCP Intercept to Control SYN Attack
  • Procedure
  • Define ACL
  • Enable TCP Intercept
  • Set Intercept Mode

TCP Intercept for all TCP servers on the 192.168.1.0/24 subnet
  router(config)# ip tcp intercept list 101
  router(config)# access-list 101 permit tcp any 192.168.1.0 0.0.0.255

83
Module 5
  • PIX Firewall Basics

84
What is the PIX Firewall
  • Features
  • Stateful filtering
  • Protects against session hijacking
  • Secure, real-time, embedded OS
  • Adaptive Security Algorithm (ASA) and cut-through
    proxy provides outstanding performance
  • Intel Pentium-based lower TCO

85
PIX Security Enhancements
  • Inbound connections are denied unless
    specifically allowed
  • Outbound connections are allowed unless
    specifically denied

86
Getting Through PIX from Outside
  • ASA
  • Static Tunnel that bypasses ASA

87
ASA Advantages
  • Secure stateful connections, handled in an
    extremely efficient, high-performance manner
  • No packets traverse the PIX without connection and
    state information that matches the table
    maintained by ASA
  • All attempts to bypass ASA are dropped and logged
  • All ICMP packets denied unless specifically
    permitted

88
ASA Operation
  • Outbound packet arrives on inside PIX interface
  • PIX determines connection OK
  • PIX checks table
  • Connection present ok
  • Connection absent record information
  • Destination sends packet back, checked against ASA

89
Cut-Through Proxy User Authentication
  • Advantages
  • After authentication, session flow shifted to ASA
    for high performance
  • Can authenticate against security database
  • Authenticates both inbound and outbound
  • Operation
  • User attempts connection and PIX Intercepts
  • Prompt for username/password
  • Validate username/password
  • Validated, PIX shifts the session flow to L3 for
    duration of connection

90
PIX Models
91
Configuring the PIX
  • CLI
  • Unprivileged mode
  • pixfirewall>
  • Privileged mode
  • pixfirewall#
  • Configuration mode
  • pixfirewall(config)#

92
PIX Security Levels
  • Inside/Outside Interface
  • Inside (100) - Connect to internal/protected
    network
  • Outside (0) - Connect to internet
  • Higher Security Level to Lower Security Level
  • Nat, global
  • Lower Security Level to Higher Security Level
  • Static, conduit/ACL

93
PIX Security Levels
94
Implementing Interface Security
  • Security Levels
  • Decide on security levels
  • Set security levels with nameif command

Nameif command
  pixfirewall(config)# nameif ethernet0 outside security0
  pixfirewall(config)# nameif ethernet1 inside security100
  pixfirewall(config)# nameif ethernet2 dmz security50

95
Other Commands
Interface command
  pixfirewall(config)# interface ethernet0 10baset
  pixfirewall(config)# interface ethernet2 auto shutdown

IP address command
  pixfirewall(config)# ip address outside 216.135.4.1
  pixfirewall(config)# ip address inside 192.168.1.1

Passwords
  pixfirewall(config)# passwd changeme
  pixfirewall(config)# enable password th1nkad

96
Write command
  pixfirewall(config)# write erase
  pixfirewall(config)# write memory
  pixfirewall(config)# write terminal
  pixfirewall(config)# write net 192.168.1.10:router.cfg

97
PIX Translations
  • Nat
  • Specified what addresses are translated
  • Global
  • Define pool of addresses

  pixfirewall(config)# nat (inside) 1 192.168.1.0
  pixfirewall(config)# global (outside) 1 216.135.4.10-216.135.4.254 netmask 255.255.255.0

98
Testing Basic PIX Config
  • Show ip address
  • Show interface
  • Show arp/clear arp
  • Ping <if_name> <ip_address>
  • Debug icmp trace
  • Debug packet

99
Module 6
  • Configuring Access through the PIX

100
Outbound Access Control
  • NAT Overview
  • Configuring NAT
  • Nat 0
  • Port Address Translation

101
NAT Overview
  • Packet reaches inside interface
  • PIX replaces source address with its own and
    sends to destination
  • When destination responds, PIX replaces
    destination address with original inside address
    and forwards to ultimate destination

102
NAT Overview
103
Configuring NAT
  pixfirewall(config)# global (outside) 3 216.135.4.10-216.135.4.115
  pixfirewall(config)# nat (inside) 3 10.1.0.0 255.255.255.0
  pixfirewall(config)# nat (inside) 3 10.1.1.0 255.255.255.0
  pixfirewall(config)# nat (inside) 3 10.1.2.0 255.255.255.0
  pixfirewall(config)# nat (inside) 3 10.1.3.0 255.255.255.0

104
Nat 0
Non-translated addresses
  pixfirewall(config)# nat (inside) 0 10.1.1.15 255.255.255.255

105
Port Address Translation
  • Use single address for outside
  • Maps specific TCP port numbers to a preselected IP
    address and port number

  pixfirewall(config)# global (outside) 1 216.135.4.10
  pixfirewall(config)# nat (inside) 1 10.1.0.0 255.255.255.0

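
The NAT Overview, ASA Operation and PAT slides describe one mechanism from three angles: an outbound packet creates a translation and a connection-table entry, and a returning packet is only let through and un-translated if it matches that entry. The Python below is an added model of that behaviour (it is not PIX code and not from the deck), using the slide's single PAT address 216.135.4.10 and inside range 10.1.0.0/24; the class name, port allocation starting at 1024 and the sample peer addresses 198.51.100.7 and 203.0.113.9 are constructed for the example.

```python
import ipaddress
import itertools


class PixPat:
    """PAT plus an ASA-style connection table for the slide's configuration:
    global (outside) 1 216.135.4.10 and nat (inside) 1 10.1.0.0 255.255.255.0."""

    def __init__(self, global_ip="216.135.4.10", inside_net="10.1.0.0/24", first_port=1024):
        self.global_ip = global_ip
        self.inside_net = ipaddress.IPv4Network(inside_net)
        self.ports = itertools.count(first_port)   # next unused global port (constructed policy)
        self.xlate = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> global port
        self.conn = {}    # (global port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the inside interface. Returns the rewritten
        (src, sport, dst, dport), or None if the nat statement does not cover
        the source. An absent connection is recorded; a present one is reused."""
        if ipaddress.IPv4Address(src_ip) not in self.inside_net:
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.xlate:
            gport = next(self.ports)
            self.xlate[key] = gport
            self.conn[(gport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.global_ip, self.xlate[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the outside interface. Only a reply matching an
        existing connection-table entry is translated back to the inside host;
        everything else is dropped (and, on a real PIX, logged)."""
        if dst_ip != self.global_ip:
            return None
        inside = self.conn.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    pix = PixPat()
    print("out :", pix.outbound("10.1.0.5", 40000, "198.51.100.7", 80))
    print("reply:", pix.inbound("198.51.100.7", 80, "216.135.4.10", 1024))
    print("unsolicited:", pix.inbound("203.0.113.9", 12345, "216.135.4.10", 1024))
```

Two inside hosts using the same source port get distinct global ports, which is what lets one outside address serve the whole inside network; an unsolicited packet to a global port, even one that is in use, is dropped because its source does not match the recorded peer.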
106
Port Address Translation
107
Controlling Inbound Access
  • Static Translation
  • Conduit
  • Access List
  • Permitting PING

108
Static Translation
  • Creates Permanent Mapping between an inside ip
    address and an outside ip address

Static Translation
  pixfirewall(config)# static (dmz,outside) 216.135.4.15 10.1.1.15 netmask 255.255.255.255

Static Port Translation
  pixfirewall(config)# static (dmz,outside) tcp 216.135.4.15 80 10.1.1.15 80 netmask 255.255.255.255

109
Conduit or ACL
  • Opens a designated port in the firewall and
    allows traffic to flow from the outside to the
    inside
  • Can use conduit or ACL

Conduit
  pixfirewall(config)# conduit permit tcp host 216.135.4.15 eq www any

ACL
  pixfirewall(config)# access-list internet-inbound permit tcp any host 216.135.4.15 eq www
  pixfirewall(config)# access-group internet-inbound in interface outside

110
Permitting Ping
  • Permit only echo-reply
  • More granularity
  • Conduit or ACL

Conduit
  pixfirewall(config)# conduit permit icmp any any echo-reply

ACL
  pixfirewall(config)# access-list internet-inbound permit icmp any any echo-reply
  pixfirewall(config)# access-group internet-inbound in interface outside

111
Module 7
  • Configuring Multiple Interfaces and AAA on the
    PIX Firewall

112
Multiple Interfaces
  • Multiple Interface Support
  • Security Levels

Multiple Interfaces
  pixfirewall(config)# nameif ethernet2 dmz security10
  pixfirewall(config)# nameif ethernet3 vendor1 security50
  pixfirewall(config)# interface ethernet2 auto
  pixfirewall(config)# interface ethernet3 auto

113
Multiple Interfaces
114
Inside to the World
  • Nat
  • Global

Lower Security To Higher Security
  pixfirewall(config)# global (dmz) 1 192.168.2.5
  pixfirewall(config)# nat (dmz) 1 192.168.2.0 255.255.255.0

115
Outside to DMZ
  • Static
  • Conduit
  • Access List

Higher Security Level to Lower Security Level
  pixfirewall(config)# static (dmz,outside) 216.135.4.15 192.168.2.4 netmask 255.255.255.255
  pixfirewall(config)# access-list internet-inbound permit tcp any host 216.135.4.15 eq www
  pixfirewall(config)# access-group internet-inbound in interface outside

116
Permitting Ping Access
Permitting Ping
  pixfirewall(config)# access-list internet-inbound permit icmp any any echo-reply
  pixfirewall(config)# access-list internet-inbound permit icmp any any unreachable
  pixfirewall(config)# access-list internet-inbound permit icmp any any time-exceeded
  pixfirewall(config)# access-group internet-inbound in interface outside

117
Configuring Syslog Output
Configuring Syslog
  pixfirewall(config)# logging on
  pixfirewall(config)# logging host inside 10.1.1.20
  pixfirewall(config)# logging trap debugging
  pixfirewall(config)# logging console debugging
  pixfirewall(config)# logging monitor debugging
  pixfirewall(config)# logging buffered debugging

118
Configuring PIX AAA
  • Remote Security Database
  • Authentication
  • Authorization
  • Accounting

119
PIX AAA Remote Security DB
Configuring a Remote Security Database
  pixfirewall(config)# aaa-server MainAuth protocol radius
  pixfirewall(config)# aaa-server MainAuth (inside) host 10.1.1.4 cisco123 timeout 20

120
AAA Configuration
AAA Authentication
  pixfirewall(config)# aaa authentication include http inside 0 0 0 0 MainAuth

AAA Authorization
  pixfirewall(config)# aaa authorization include telnet inside 0 0 0 0 MainAuth

AAA Accounting
  pixfirewall(config)# aaa accounting include any outside 0 0 0 0 MainAuth

121
Module 8
  • Configuring Advanced PIX Firewall Features

122
Controlling Outbound Access
  • Outbound Command
  • Best match
  • Access List
  • Sequential match

123
Outbound Command
Outbound Command
  pixfirewall(config)# outbound 10 deny 0 0 0 0
  pixfirewall(config)# outbound 10 permit 10.1.1.0 255.255.255.0 80 tcp

Apply to Interface
  pixfirewall(config)# apply (inside) 10 outgoing_src

124
ACL Outbound Restrictions
ACL
  pixfirewall(config)# access-list inside-outbound permit tcp 10.1.1.0 255.255.255.0 any eq www

Apply to Interface
  pixfirewall(config)# access-group inside-outbound in interface inside

125
URL Filtering
  • Permits/Denies HTTP connections based on policy
  • WebSENSE

URL Filtering
  pixfirewall(config)# url-server (inside) host 10.1.1.42 timeout 10
  pixfirewall(config)# filter url http 10.1.1.0 255.255.255.0 0 0 allow

126
PIX Failover
  • Allows two separate PIXs to provide redundancy
  • Types
  • Basic
  • Failover Cable only
  • Exchange basic information (IP, MAC)
  • Standby assumes IP and MAC of primary during
    failover
  • All active connections dropped during failover,
    client must reestablish connections and
    translations
  • Stateful
  • Failover Cable and dedicated Ethernet Interface
  • All connection states are relayed between the two
    units
  • Connections do not drop during failover

127
Module 9
  • Configuring Encryption Technology

128
Data Integrity Problems
  • Eavesdropping
  • Packet sniffers to capture and decode traffic
  • Launch information-gathering attacks
  • Data manipulation
  • Modify captured traffic and replay to recipient
  • Intercept a message, change header and payload
    and send to recipient
  • Session hijacking

129
What is Encryption
  • Data Privacy
  • Change message from original form to encrypted
    form. Message only read by intended recipients
  • Data Integrity
  • Ensure the integrity of received messages
    protecting against data manipulation
  • Nonrepudiation
  • Prove a message has been sent and received
  • Attach digital signature that proves identity of
    sender, the time the message was sent and the
    authenticity of the data

130
How Encryption Works
  • Data: message in clear text
  • Key: sequence of digits of a certain length used
    to encrypt and decrypt data
  • Encryption Algorithm: mathematical formula
    designed to scramble input data
  • Encrypted Data: message that has been run
    through an encryption algorithm, undecipherable
    to the observer

131
Cisco Cryptosystem Overview
  • Technologies
  • DES: encrypts and decrypts data
  • MD5: hashing algorithm used with DSS to create
    digital signatures
  • DSS: encryption method that produces an
    encryption checksum attached to a message as a
    signature
  • Ensures the identity of peer encrypting routers
  • Diffie-Hellman: secure method of establishing
    public keys used to create the shared secret keys
    for a DES session

132
DES
  • Block-cipher algorithm
  • Takes cleartext and breaks into 64-bit blocks
  • Encrypts blocks
  • Outputs encrypted data in 64-bit blocks
  • Standard key length is 56 bits

133
DES Encryption Process
  • Initial permutation of cleartext block
  • Key is transformed
  • 64-bit block is broken into two 32-bit halves
  • One of the halves is run through complex
    substitution that is dependent on the transformed
    key
  • Function takes place in 16 cycles, called rounds
  • After each cycle, the 32-bit halves are swapped
  • Following the final round, a final permutation is
    applied
  • Result block is a series of 64 bits, each of
    which depends on every bit of the input and every
    bit of the key

134
MD5 Message Hashing
  • Input text of variable length
  • MD5 algorithm run on input
  • Output is a fixed-length, 128-bit message digest
  • Computationally infeasible to reverse the hash
    process or to produce two messages having the
    same message digest

135
Diffie-Hellman
  • Used to securely exchange public keys so shared
    secret keys can be securely generated for use
    with DES
  • Secure because key never actually transmitted
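
The slide states that Diffie-Hellman lets two routers agree on a DES session key without the key ever being transmitted. The Python below is an added example, not from the deck: both sides compute g^x mod p, exchange only the public values, and derive the same 56-bit DES key by hashing the shared secret with MD5 (the pairing the Cryptosystem Overview slide describes). The toy modulus 2^64 - 59 (a prime) and base 5 are stand-ins chosen for this example; a production exchange uses a standardized large MODP group such as the "group 2" named in the later IKE slides. The small p = 23 case in the test is the textbook walkthrough, also constructed here.

```python
import hashlib
import secrets

# Toy parameters (assumed for the example): 2^64 - 59 is prime. Far too small for
# real use, where a standardized 1024-bit or larger MODP group is negotiated.
P = 18446744073709551557
G = 5


def dh_keypair(p=P, g=G, private=None):
    """Pick a private exponent x (or use the one supplied) and publish g^x mod p."""
    x = private if private is not None else secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=P):
    """Shared secret: (peer's public)^(my private) mod p. Same value on both sides."""
    return pow(peer_public, private, p)


def des_key_from_secret(shared, p=P):
    """Derive a 56-bit (7-byte) DES key by hashing the shared secret with MD5."""
    width = (p.bit_length() + 7) // 8
    return hashlib.md5(shared.to_bytes(width, "big")).digest()[:7]


def exchange(p=P, g=G, a_private=None, b_private=None):
    """Run both routers' halves of the exchange.
    Returns (A's DES key, B's DES key, what an eavesdropper captured)."""
    a_priv, a_pub = dh_keypair(p, g, a_private)
    b_priv, b_pub = dh_keypair(p, g, b_private)
    captured = (p, g, a_pub, b_pub)      # public values only: no private x, no secret
    key_a = des_key_from_secret(dh_shared(a_priv, b_pub, p), p)
    key_b = des_key_from_secret(dh_shared(b_priv, a_pub, p), p)
    return key_a, key_b, captured


if __name__ == "__main__":
    key_a, key_b, captured = exchange()
    print("keys match:", key_a == key_b, "| key length:", len(key_a), "bytes")
    print("on the wire:", captured)
```

What the sniffer sees is (p, g, g^a, g^b); recovering the secret from those is the discrete-logarithm problem. Plain DH does not say who you are exchanging with, which is why the IKE slides later pair it with peer authentication (pre-shared keys in this deck's configuration).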

136
Module 10
  • Understanding Cisco IPSec Support

137
Type of VPNs
  • Remote Access
  • Telecommuters, mobile users, remote
    administration
  • Intranets
  • Instead of WAN
  • Extranets
  • Limited access of resources to business partners

138
What is IPSec
  • Industry-standard IPSec protocol suite
  • Cisco products use for VPNs
  • IPSec enables
  • Data confidentiality
  • Data integrity
  • Data origin authentication
  • Anti-replay

139
IPSec Security Associations
  • Transforms
  • Standard encryption and authentication algorithms
  • Security Association (SA)
  • Negotiated policy on the handling of data
  • Ex algorithm used to encrypt data
  • Internet Key Exchange (IKE)
  • Utility services for IPSec
  • Authentication of peers, negotiation of SAs,
    establishment of keys for encryption algorithms
    used by IPSec

140
How IPSec Works
  • Step 1 IPSec process initiation
  • Step 2 Authenticate peers and negotiates IKE SAs
  • Step 3 Negotiate IPSec SAs
  • Step 4 Data transfer
  • Step 5 IPSec tunnel termination

141
Step 1 IPSec Process Initiation
  • Determine traffic must be protected
  • ACL
  • Permit encrypted
  • Deny not encrypted
  • VPN Initiated

142
Step 2 IKE Phase 1
  • Negotiates matching IKE SA policy
  • Protect IKE exchange
  • Authenticated Diffie-Hellman exchange
  • End result matching shared secret keys used by
    IPSec encryption
  • Authenticates and protects identities of IPSec
    peers
  • Sets up a secure tunnel to negotiate IKE Phase2

143
Step 3 IKE Phase 2
  • Negotiates IPSec SA parameters protected by an
    existing IKE SA
  • Establishes IPSec SAs
  • Periodically renegotiates IPSec SAs to ensure
    security

144
Step 4 Data Transfer
  • Information exchanged via the IPSec tunnel
  • Packets encrypted and decrypted using encryption
    algorithms and keys specified in IPSec SA

145
Step 5 Tunnel Termination
  • IPSec SAs terminate because they are deleted or
    their lifetime expires
  • Keys also discarded
  • New SAs needed, IKE performs Phase 2 and, if
    necessary, Phase 1 negotiation

146
Encapsulated Security Payload
  • Provide confidentiality, data origin
    authentication, integrity
  • Encryption at the IP packet layer
  • DES or 3DES
  • Can also provide authentication
  • SHA1 or MD5

147
DES Encryption Process
  • Initial permutation of cleartext block
  • Key is transformed
  • 64-bit block is broken into two 32-bit halves
  • One of the halves is run through complex
    substitution that is dependent on the transformed
    key
  • Function takes place in 16 cycles, called rounds
  • After each cycle, the 32-bit halves are swapped
  • Following the final round, a final permutation is
    applied
  • Result block is a series of 64 bits, each of
    which depends on every bit of the input and every
    bit of the key

148
3DES Algorithm
  • Data broken into 64-bit blocks
  • Processes each block 3 times
  • Each time with an independent 56-bit key
  • Effectively triples encryption strength
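
The DES Encryption Process slides (here and in Module 9) describe the Feistel structure: split the 64-bit block into 32-bit halves, run 16 rounds of a key-dependent function, swap after each round, undo the final swap; the 3DES slide then applies that cipher three times with independent 56-bit keys. The Python below is an added teaching example of exactly that structure and of the encrypt-decrypt-encrypt (EDE) composition; it is not DES itself and not code from the deck. The key schedule and round function are stand-ins built from MD5 (an assumption made to keep the example short), so the output is not DES-compatible, but the block layout, round count, swapping and the fact that reversing the subkey order inverts the cipher are the real mechanism.

```python
import hashlib
import struct

ROUNDS = 16


def round_keys(key):
    """Toy key schedule: 16 32-bit subkeys from a 7-byte (56-bit) key.
    DES uses fixed bit permutations and rotations here; this uses a hash
    as a stand-in, so the cipher is DES-like in structure but is NOT DES."""
    if len(key) != 7:
        raise ValueError("key must be 56 bits (7 bytes)")
    return [hashlib.md5(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def f(half, subkey):
    """Toy round function standing in for DES's expansion, S-box and P-box step."""
    return int.from_bytes(hashlib.md5(half.to_bytes(4, "big") + subkey).digest()[:4], "big")


def encrypt_block(block, key):
    """Split the 64-bit block into two 32-bit halves, run 16 rounds with a
    swap after each, and undo the last swap, as the slide outlines."""
    if len(block) != 8:
        raise ValueError("block must be 64 bits (8 bytes)")
    left, right = struct.unpack(">II", block)
    for subkey in round_keys(key):
        left, right = right, left ^ f(right, subkey)
    return struct.pack(">II", right, left)


def decrypt_block(block, key):
    """The same network with the subkeys in reverse order inverts the cipher."""
    if len(block) != 8:
        raise ValueError("block must be 64 bits (8 bytes)")
    left, right = struct.unpack(">II", block)
    for subkey in reversed(round_keys(key)):
        left, right = right, left ^ f(right, subkey)
    return struct.pack(">II", right, left)


def des3_encrypt(block, k1, k2, k3):
    """3DES-style encrypt-decrypt-encrypt with three independent 56-bit keys."""
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def des3_decrypt(block, k1, k2, k3):
    return decrypt_block(encrypt_block(decrypt_block(block, k3), k2), k1)


def differing_bits(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    k1, k2, k3 = b"key0001", b"key0002", b"key0003"   # constructed 56-bit keys
    pt = b"8bytes!!"
    ct = encrypt_block(pt, k1)
    print("round trip ok:", decrypt_block(ct, k1) == pt)
    flipped = bytes([pt[0] ^ 0x01]) + pt[1:]
    print("bits changed by a 1-bit plaintext change:", differing_bits(ct, encrypt_block(flipped, k1)))
    print("3DES round trip ok:", des3_decrypt(des3_encrypt(pt, k1, k2, k3), k1, k2, k3) == pt)
```

The EDE order is chosen so that setting all three keys equal collapses 3DES to single DES (encrypting, then decrypting, then encrypting with one key), which is what let 3DES hardware talk to single-DES peers; the test below checks that property holds for this toy cipher too.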

149
Module 11
  • Configuring PIX Remote Access VPN

150
Steps
  • Step 1 Prepare for IPSec
  • Step 2 Configure IKE
  • Step 3 Configure IPSec
  • Step 4 Configure VPNGroup
  • Step 5 Test and Verify

151
Step 1 Prepare for IPSec
  • Determine Client IP Address Pool
  • Determine IKE (Phase 1) Policy
  • Determine IPSec (Phase 2) Policy
  • Determine VPN Group Policy
  • Check current configuration
  • Ensure network connectivity (ping)

152
Step 2 Configure IKE (Phase 1)
Enable IKE
  pixfirewall(config)# isakmp enable outside

Configure IKE Policies
  pixfirewall(config)# isakmp policy 100 authentication pre-share
  pixfirewall(config)# isakmp policy 100 hash md5
  pixfirewall(config)# isakmp policy 100 encryption des
  pixfirewall(config)# isakmp policy 100 group 2

Configure Preshared Keys
  pixfirewall(config)# isakmp identity address

153
Step 3 Configure IPSec (Phase 2)
Create Transform Set
  pixfirewall(config)# crypto ipsec transform-set ClientVPNSet esp-des esp-md5-hmac

Create Dynamic Map
  pixfirewall(config)# crypto dynamic-map dyn-map 10 set transform-set ClientVPNSet

Configure IPSec Policies
  pixfirewall(config)# crypto map ClientVPNMap 10 ipsec-isakmp dynamic dyn-map
  pixfirewall(config)# crypto map ClientVPNMap client configuration address initiate
  pixfirewall(config)# crypto map ClientVPNMap client authentication RadiusAuth

Apply Crypto Map to Interface
  pixfirewall(config)# crypto map ClientVPNMap interface outside

154
Step 3a Configure Client Parameters
  • Configure ACL
    pixfirewall(config)# access-list 151 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
  • Configure Client IP Pool
    pixfirewall(config)# ip local pool VPNClientPool 192.168.2.1-192.168.2.254
  • Configure NAT 0
    pixfirewall(config)# nat (inside) 0 access-list 151
  • Configure RADIUS
    pixfirewall(config)# aaa-server RadiusAuth protocol radius
    pixfirewall(config)# aaa-server RadiusAuth (inside) host 10.10.1.20 cisco123 timeout 10

155
Step 4 Configure VPN Group
  • Configure VPN Group
    pixfirewall(config)# vpngroup TestGroup address-pool VPNClientPool
    pixfirewall(config)# vpngroup TestGroup split-tunnel 151
    pixfirewall(config)# vpngroup TestGroup password TestPasswd
    pixfirewall(config)# vpngroup TestGroup dns-server 10.1.1.20

156
Step 5 Test and Verify
  • IKE Commands
    show crypto isakmp policy
    show crypto isakmp sa
    debug crypto isakmp
  • IPSec Commands
    show crypto map
    show crypto ipsec security-association lifetime
    show crypto ipsec sa
    debug crypto ipsec

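A consistency check for the remote-access configuration built in steps 2 through 4, as an added example in Python (not from the presentation): it reads the PIX commands from the slides (assembled here as a constructed config text, prompts removed) and reports any object that a command references but no command defines, such as a vpngroup pointing at a pool name that does not exist, plus a crypto map that is never applied to an interface. The patterns assume the PIX 6.x syntax shown on the slides.

```python
import re

# Constructed PIX remote-access config: the commands from slides 152-155 with prompts removed.
PIX_RA_CONFIG = """isakmp enable outside
isakmp policy 100 authentication pre-share
isakmp policy 100 hash md5
isakmp policy 100 encryption des
isakmp policy 100 group 2
isakmp identity address
crypto ipsec transform-set ClientVPNSet esp-des esp-md5-hmac
crypto dynamic-map dyn-map 10 set transform-set ClientVPNSet
crypto map ClientVPNMap 10 ipsec-isakmp dynamic dyn-map
crypto map ClientVPNMap client configuration address initiate
crypto map ClientVPNMap client authentication RadiusAuth
crypto map ClientVPNMap interface outside
access-list 151 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPNClientPool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list 151
aaa-server RadiusAuth protocol radius
aaa-server RadiusAuth (inside) host 10.10.1.20 cisco123 timeout 10
vpngroup TestGroup address-pool VPNClientPool
vpngroup TestGroup split-tunnel 151
vpngroup TestGroup password TestPasswd
vpngroup TestGroup dns-server 10.1.1.20"""

# (pattern that defines an object, pattern that references it, kind); group 1 is the name
LINKS = [
    (r"^crypto ipsec transform-set (\S+)", r"set transform-set (\S+)$", "transform-set"),
    (r"^crypto dynamic-map (\S+) \d+", r"ipsec-isakmp dynamic (\S+)$", "dynamic-map"),
    (r"^crypto map (\S+) \d+ ipsec-isakmp", r"^crypto map (\S+) interface", "crypto map"),
    (r"^aaa-server (\S+) protocol", r"client authentication (\S+)$", "aaa-server"),
    (r"^ip local pool (\S+)", r"address-pool (\S+)$", "ip local pool"),
    (r"^access-list (\S+)", r"(?:split-tunnel|0 access-list) (\S+)$", "access-list"),
]

def names(lines: list, pattern: str) -> set:
    return {m.group(1) for m in map(re.compile(pattern).search, lines) if m}

def audit_pix_remote_access(config: str) -> list:
    """Report names referenced but never defined, and a crypto map never applied to an interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for defn, ref, kind in LINKS:
        defined, referenced = names(lines, defn), names(lines, ref)
        findings += [f"{kind} '{n}' is referenced but never defined" for n in sorted(referenced - defined)]
        if kind == "crypto map" and not referenced:
            findings.append("no crypto map is applied to an interface")
    return findings
```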
157
Module 12
  • Configuring IOS IPSec

158
Steps
  • Step 1 Prepare for IPSec
  • Step 2 Configure IKE
  • Step 3 Configure IPSec
  • Step 4 Test and Verify

159
Step 1 Prepare for IPSec
  • Determine IKE (Phase 1) Policy
  • Determine IPSec (Phase 2) Policy
  • Check current configuration
  • Ensure network connectivity (ping)

160
Step 2 Configure IKE (Phase 1)
  • Enable IKE
    router(config)# crypto isakmp enable
  • Configure IKE Policies
    router(config)# crypto isakmp policy 100
    router(config-isakmp)# hash md5
    router(config-isakmp)# authentication pre-share
    router(config-isakmp)# group 2
  • Configure Preshared Keys
    router(config)# crypto isakmp identity address
    router(config)# crypto isakmp key WhatLight address 172.16.2.1

161
Step 3 Configure IPSec (Phase 2)
  • Create Transform Set
    router(config)# crypto ipsec transform-set routerSet esp-des esp-md5-hmac
  • Configure IPSec Policies
    router(config)# crypto map routerMap 10 ipsec-isakmp
    router(config-crypto-map)# match address 151
    router(config-crypto-map)# set peer 172.16.2.1
    router(config-crypto-map)# set transform-set routerSet
  • Apply Crypto Map to Interface
    router(config)# int serial 0
    router(config-if)# crypto map routerMap

162
Step 3a Configure ACL
  • Configure ACL
    router(config)# access-list 151 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

163
Step 4 Test and Verify
  • IKE Commands
    show crypto isakmp policy
    show crypto isakmp sa
    show crypto isakmp
    debug crypto isakmp
  • IPSec Commands
    show crypto ipsec transform-set
    show crypto map
    show crypto ipsec security-association lifetime
    show crypto ipsec sa
    debug crypto ipsec

164
Module 13
  • Configuring PIX IPSec

165
Steps
  • Step 1 Prepare for IPSec
  • Step 2 Configure IKE
  • Step 3 Configure IPSec
  • Step 4 Test and Verify

166
Step 1 Prepare for IPSec
  • Determine IKE (Phase 1) Policy
  • Determine IPSec (Phase 2) Policy
  • Check current configuration
  • Ensure network connectivity (ping)

167
Step 2 Configure IKE (Phase 1)
  • Enable IKE
    pixfirewall(config)# isakmp enable outside
  • Configure IKE Policies
    pixfirewall(config)# isakmp policy 100 authentication pre-share
    pixfirewall(config)# isakmp policy 100 hash md5
    pixfirewall(config)# isakmp policy 100 encryption des
    pixfirewall(config)# isakmp policy 100 group 2
  • Configure Preshared Keys
    pixfirewall(config)# isakmp identity address
    pixfirewall(config)# isakmp key WhatLight address 172.16.2.1

168
Step 3 Configure IPSec (Phase 2)
  • Create Transform Set
    pixfirewall(config)# crypto ipsec transform-set RouterSet esp-des esp-md5-hmac
  • Configure IPSec Policies
    pixfirewall(config)# crypto map RouterMap 10 ipsec-isakmp
    pixfirewall(config)# crypto map RouterMap 10 match address 151
    pixfirewall(config)# crypto map RouterMap 10 set peer 172.16.2.1
    pixfirewall(config)# crypto map RouterMap 10 set transform-set RouterSet
  • Apply Crypto Map to Interface
    pixfirewall(config)# crypto map RouterMap interface outside

169
Step 3a Configure ACL
  • Configure ACL
    pixfirewall(config)# access-list 151 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

170
Step 4 Test and Verify
  • IKE Commands
    show crypto isakmp policy
    show crypto isakmp sa
    debug crypto isakmp
  • IPSec Commands
    show crypto map
    show crypto ipsec security-association lifetime
    show crypto ipsec sa
    debug crypto ipsec

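Modules 12 and 13 show the two ends of a site-to-site tunnel, and IKE Phase 1 only completes when the peers offer a matching policy. As an added example in Python (not from the presentation), this parser reads an ISAKMP policy in either IOS sub-mode or PIX flat syntax, fills in the platform defaults for attributes a policy leaves unset (the router slides never set encryption, so DES applies), and reports mismatches, a transform-set mismatch, and where the weaker of the two options the slides list (DES vs 3DES, MD5 vs SHA1) is in use. The two configs are constructed from the slide commands, and we assume the router and the PIX are each other's peers.

```python
import re

# Constructed peer configs: the IKE policy and transform-set commands from slides 160-161
# (IOS router) and 167-168 (PIX), prompts removed; we assume they are each other's peers.
IOS_CONFIG = """crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set routerSet esp-des esp-md5-hmac
crypto map routerMap 10 ipsec-isakmp
 set transform-set routerSet"""
PIX_CONFIG = """isakmp policy 100 authentication pre-share
isakmp policy 100 hash md5
isakmp policy 100 encryption des
isakmp policy 100 group 2
crypto ipsec transform-set RouterSet esp-des esp-md5-hmac
crypto map RouterMap 10 set transform-set RouterSet"""

# IOS/PIX defaults for attributes a policy does not set explicitly
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
STRONGER = {"encryption": {"des": "3des"}, "hash": {"md5": "sha"}}  # the alternatives the slides list

def ike_policy(config: str) -> dict:
    """Parse the first ISAKMP policy, in IOS sub-mode or PIX flat syntax, filling in defaults."""
    policy, in_policy = dict(DEFAULTS), False
    for line in config.splitlines():
        m = re.match(r"^(?:crypto )?isakmp policy \d+(.*)$", line)
        if m:                                   # PIX puts the attribute on the same line,
            line, in_policy = m.group(1), True  # IOS opens a sub-mode of indented lines
        elif not line.startswith(" "):
            in_policy = False                   # any unindented line leaves the sub-mode
        if in_policy and line.strip():
            attr, _, value = line.strip().partition(" ")
            policy[attr] = value
    return policy

def transform_set(config: str) -> tuple:
    """Return the transforms of the transform-set that the crypto map binds."""
    sets = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M))
    return tuple(sets[re.search(r"set transform-set (\S+)", config).group(1)].split())

def check_peers(local: str, remote: str) -> list:
    """Phase 1 fails on any IKE attribute mismatch; Phase 2 fails on a transform mismatch."""
    lp, rp = ike_policy(local), ike_policy(remote)
    findings = [f"IKE {k}: {lp[k]} vs {rp[k]}" for k in DEFAULTS if lp[k] != rp[k]]
    if transform_set(local) != transform_set(remote):
        findings.append("IPSec transform-set mismatch")
    findings += [f"IKE {k} {lp[k]} is the weaker option; prefer {STRONGER[k][lp[k]]}"
                 for k in STRONGER if lp[k] in STRONGER[k]]
    return findings
```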