News and Views from CCPrep.com

Introducing CCNA Security – Implementing Cisco IOS Network Security (IINS) 
by Sean Murphy
October 3rd, 2008

Certification: CCNA Security
Exam: 640-553 – Implementing Cisco IOS Network Security
Duration: 90 minutes, 55-65 questions
Cost: $250.00

Earlier this year Cisco introduced three new Associate level certifications in the disciplines of Voice, Wireless and Security, each designed to reinforce relevant concepts from topics covered in the CCNA curriculum, and expand on that foundation as a stepping stone towards the associated Professional level certification.  For more information on the launch of these new certifications see Lou Rossi’s article.  Here I’ll take a closer look at the new CCNA Security course, Implementing Cisco IOS Network Security, IINS. 

I was very pleased to see that many topics referenced in the CCNA curriculum are reinforced in IINS.  Topics such as port security and trunk port configuration were previously presented simply as best practices.  While they remain best practices in IINS, the course now discusses the specific types of threats these features are intended to help mitigate.

CLI purists, consider yourselves warned!  The majority of the lab exercises are performed using the Cisco Security Device Manager, including the configuration of SSH, ACLs, the IOS Firewall, IPS, a site-to-site VPN, and others.  While some of these I personally prefer to configure through the CLI, the SDM has earned its place in my arsenal of tools for firewall and IPS configuration and monitoring.  However you prefer to use the SDM in a production environment, be prepared to know it well for testing purposes.

One of the most common questions I hear as an instructor: What should I expect on the exam?  While I cannot tell you exactly what will be on the test, I will share what I found helpful for this course.  In the midst of my studying for the exam I decided to jump out to the Cisco website and review Cisco’s own list of exam topics.  These proved to be very helpful in targeting my studies.  I’ve included some comments below for each of the exam topics.

Describe the security threats facing modern network infrastructures

The first module of the IINS course presents a lot of information on types of threats, motivations of attackers, and tools commonly used to gather information in preparation for an attack, including Nmap and SuperScan.  With all of this in mind, our objective is to mitigate the threats that hackers present. 

A few best practices for defeating hackers include:

- Keep patches on systems up to date
- Disable any unneeded services and ports
- Warn employees about social engineering
- Develop and adhere to a security policy that changes with the needs of the business

Secure Cisco routers

The CCNA curriculum references a number of recommended best practices to help protect your network infrastructure from external threats.  These include disabling unneeded services, implementing strong encrypted passwords, and disabling an account after a number of failed login attempts.

Passwords should not only be complex; you should also enforce a minimum password length.  The minimum can be set from 0 to 16 characters.

RouterA(config)#security passwords min-length 10

An additional recommended step is blocking incoming login requests for a set amount of time after successive failed attempts.  Ensure you are familiar with the following configuration and verification commands.  In addition to the example below, I recommend configuring a quiet-mode access list so that legitimate access requests from your management network are not blocked while the router is in quiet mode.

RouterA(config)#login block-for 120 attempts 3 within 100
RouterA(config)#login delay 10
RouterA(config)#login on-failure log
RouterA(config)#login on-success log
RouterA(config)#end
RouterA#sh login

*Oct  2 11:46:39.266: %SYS-5-CONFIG_I: Configured from console by console

       A login delay of 10 seconds is applied.
     No Quiet-Mode access list has been configured.
     All successful login is logged.
     All failed login is logged.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 100 seconds or less,
     logins will be disabled for 120 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 99 seconds.
         Login failures for current window: 0.
     Total login failures: 0.

In ICND1 the configuration register value is discussed briefly, along with ROM Monitor (ROMMON) mode, which is commonly used for password recovery procedures.  To disable the ability to ‘break’ into ROMMON mode, disable the password-recovery feature as follows.

RouterA(config)#no service password-recovery

Additional topics presented include securing the boot-image and boot-config, configuring role-based CLI access, and creating additional privilege levels. 

Implement AAA on Cisco routers using local router database and external ACS

This may be the first exposure that many students have with Authentication, Authorization and Accounting (AAA), including the installation and configuration of Cisco Secure Access Control Server (ACS).  Highlights include the commands necessary to enable AAA (aaa new-model), and the key differences between the TACACS+ and RADIUS protocols. 

The majority of the router configuration for AAA is done through the SDM; however, it is important to be able to determine how login attempts will be handled from a review of the resulting configuration as viewed through the CLI.

Mitigate threats to Cisco routers and networks using ACLs

Much of the content on configuring ACLs (also known as static packet filters) is carried over from ICND 2, but the topic has been enhanced with some best practices from a security perspective.  For example, not permitting a packet inbound from the WAN whose source IP address falls within the LAN IP address space, or the reverse: being a good Internet citizen and not permitting an outbound packet whose source IP address does not belong to the LAN IP address space.

The most significant contrast between ACL configurations in IINS from the previous look in ICND 2 is that the configuration is done through the SDM.  Again, the resulting CLI output is provided and I recommend being comfortable configuring and viewing both through SDM and the CLI.

Implement secure network management and reporting

Logging is a critical component in determining not only what happened within your network during a threat or outage, but also the order in which the events occurred.  Since multiple devices may have been affected, a central syslog server is very common, and it is critical that the system time on those devices be synchronized (most likely using an NTP server).

Kiwi is used in IINS to capture log messages of varying severity levels from devices in the lab topology.  You should be able to interpret an output similar to the one shown here.

Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by  vty0 (10.2.2.6)
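As an added example that is not part of the original article, the following Python script parses syslog lines in the IOS format shown above and replays the watch-window logic of the login block-for command from the router-hardening section against them. The %SEC_LOGIN-4-LOGIN_FAILED message layout and every sample line are constructed for this example and are assumptions, not output captured from the lab.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the article). The %SEC_LOGIN-* line layout
# mimics what IOS logs after "login on-failure log"; treat it as an assumption.
SAMPLE_LOG = """\
Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
Oct 29 10:01:10 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
Oct 29 10:01:25 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
Oct 29 10:01:40 EST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.2.2.6] [localport: 22]
Oct 29 10:02:05 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
Oct 29 10:02:30 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
"""

# "Mon DD HH:MM:SS TZ: %FACILITY-SEVERITY-MNEMONIC: free text"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+: "
                     r"%(?P<fac>[A-Z_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
SOURCE_RE = re.compile(r"\[Source: ([0-9.]+)\]")

def parse_line(line, year=2008):
    """Split one IOS syslog line into fields; severity runs 0 (emergency) to 7 (debug)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = SOURCE_RE.search(m["text"])
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "facility": m["fac"], "severity": int(m["sev"]),
            "mnemonic": m["mnem"], "src": src.group(1) if src else None}

def find_login_attacks(log_text, attempts=3, within=100, block_for=120):
    """Replay 'login block-for <block_for> attempts <attempts> within <within>'.

    The watch window opens at the first failure and lasts <within> seconds; once
    more than <attempts> failures land inside it (the wording of 'show login'),
    the router enters quiet mode for <block_for> seconds.  Returns one
    (quiet_start, quiet_end, last_source) tuple per trigger.
    """
    triggers, window_start, failures = [], None, 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["mnemonic"] != "LOGIN_FAILED":
            continue
        if window_start is None or (ev["ts"] - window_start).total_seconds() > within:
            window_start, failures = ev["ts"], 0   # window expired: open a new one
        failures += 1
        if failures > attempts:
            triggers.append((ev["ts"], ev["ts"] + timedelta(seconds=block_for), ev["src"]))
            window_start, failures = None, 0       # quiet mode resets the watch window
    return triggers
```

Run it against the sample and the fourth failure from 192.0.2.77 lands 80 seconds into the window, which is where the router would have gone into quiet mode; the success line from the management host is ignored by the detector.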

SSH is once again reinforced as the preferred method of remote access to networking devices, and is configured through the SDM.

Mitigate common Layer 2 attacks

CCNA students, here comes more port-security!  Both ICND courses included discussion of the port-security feature as a best practice but fell short of introducing it as a threat mitigation technique.  Ensure you are comfortable with the following configuration.

SwitchA(config)#interface FastEthernet 0/10
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport port-security
SwitchA(config-if)#switchport port-security maximum 3
SwitchA(config-if)#switchport port-security violation shutdown

Additional Layer 2 mitigation techniques include best practices with Native VLANs, trunk links and access port configurations.

Implement the Cisco IOS firewall feature set using SDM

It will be important to absorb the key differences between the different firewall technologies, with a concentration on the benefits and operations of a stateful firewall including the contents of the state table. 

The SDM certainly makes it easy to implement the Zone-Based Policy Firewall.  It automates defining the class maps used to match specific types of traffic, creating the policy maps that specify the action to take with each class of traffic (inspect, drop or pass), and applying the policy map to a zone pair.

I recommend you invest extra time familiarizing yourself with the resulting configuration through the SDM interface, ensuring you can quickly extract information about the current firewall configuration.

Implement the Cisco IOS IPS feature set using SDM

Host-based and network-based IPS are discussed in the course, with network IPS being the focus of the lab activities.  Starting with IOS version 12.4(11)T, Cisco routers, which primarily use signature-based detection, use the version 5 signature file format.  In IINS you learn how to configure your router for IPS through the SDM.

Implement site-to-site VPNs on Cisco Routers using SDM

Expect a large focus on VPN technologies despite a fairly short lab exercise during class.  Both SSL and IPsec VPN connections are discussed, with increased emphasis on IPsec.  Key areas of focus include: the different encryption algorithms, which ones are symmetric versus asymmetric, secure hashing methods, digital signatures and the IPsec framework.

Also critical to reinforce is the IPsec connection establishment process using the Internet Key Exchange protocol (IKE). 

During IKE Phase 1: the IKE policy is negotiated based upon matching policies, a Diffie-Hellman key exchange takes place to determine a shared secret key, and the identity of the peer is validated most commonly using Pre-Shared Keys or RSA signatures.

During IKE Phase 2: IKE negotiates a matching IPsec policy, and the unidirectional IPsec SAs are established.
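As an added example (not code from the article or from Cisco), the following Python models the three IKE Phase 1 steps just described between two router peers: policy negotiation in the responder's priority order, a Diffie-Hellman exchange, and identity validation with pre-shared keys. The DH group, the policy lists, the peer names and the key derivation are toy constructions chosen for illustration; real IKE uses the RFC 2409 groups and SKEYID derivation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (a 127-bit Mersenne prime with
# generator 5).  Real IKE uses the RFC 2409 MODP groups, e.g. group 2 (1024-bit).
P, G = 2**127 - 1, 5

# Constructed policy lists, ordered by priority, as (encryption, hash, authentication, group).
POLICIES_A = [("aes", "sha", "pre-share", 2), ("3des", "md5", "pre-share", 1)]
POLICIES_B = [("3des", "md5", "pre-share", 1), ("aes", "sha", "pre-share", 2)]

class Peer:
    """One IKE Phase 1 endpoint with its ISAKMP policies and a pre-shared key."""
    def __init__(self, name, policies, psk):
        self.name, self.policies, self.psk = name, policies, psk
        self.priv = secrets.randbelow(P - 2) + 2      # private DH exponent
        self.pub = pow(G, self.priv, P)                # public DH value sent to the peer
        self.shared = None

    def choose_policy(self, offered):
        """Walk local policies in priority order and take the first one the peer offered."""
        for pol in self.policies:
            if pol in offered:
                return pol
        raise ValueError(f"{self.name}: no matching IKE policy")

    def derive(self, remote_pub):
        """Compute the DH shared secret and a SKEYID-like key from it (toy KDF)."""
        self.shared = pow(remote_pub, self.priv, P)
        return hashlib.sha256(self.shared.to_bytes(16, "big")).digest()

    def auth_tag(self, key, sender, i_pub, r_pub):
        """PSK authentication: MAC over the sender's identity and both public values."""
        msg = sender.encode() + i_pub.to_bytes(16, "big") + r_pub.to_bytes(16, "big")
        return hmac.new(self.psk + key, msg, hashlib.sha256).digest()

def ike_phase1(init, resp):
    """Run the three Phase 1 steps; returns (policy, key) or raises ValueError."""
    # 1. policy negotiation: responder checks its policies, highest priority first, against the offer
    policy = resp.choose_policy(init.policies)
    # 2. Diffie-Hellman: each side derives the same secret from the other's public value
    k_i, k_r = init.derive(resp.pub), resp.derive(init.pub)
    # 3. identity validation: each side proves it holds the PSK; the peer recomputes the
    #    MAC with its own PSK, so mismatched keys fail here rather than at the DH step
    for sender, k_s, verifier, k_v in ((init, k_i, resp, k_r), (resp, k_r, init, k_i)):
        tag = sender.auth_tag(k_s, sender.name, init.pub, resp.pub)
        if not hmac.compare_digest(tag, verifier.auth_tag(k_v, sender.name, init.pub, resp.pub)):
            raise ValueError(f"{verifier.name}: authentication of {sender.name} failed")
    return policy, k_i
```

Swapping which router initiates changes the agreed policy, because the responder's priority order decides; a wrong pre-shared key still completes the DH step and only fails at authentication, which is the symptom to look for when a tunnel never leaves Phase 1.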

You should be able to configure an IPsec site-to-site VPN using SDM, and extract relevant information from the interface.

In Conclusion

I found this to be a very enriching course which appropriately serves as a stepping stone towards the CCSP certification.

Copyright © 1998-2011 CCPrep.com a division of A Rossi Inc. All rights reserved.