IOS Security Reference Manual Ver. 0.9

Reference Manual ver. 1.
0 (2012-14)
Created by Paul Nadstoga (pnadstoga@gmali.com)
Contents
SECURING THE EDGE ROUTER
AAA
ACLs
CLI BASED FIREWALLS
IPS & IDS
LAYER 2 SECURITY
IPSec
APPENDIXES
1
22
28
39
50
60
67
81
SECURITY THE
EDGE ROUTER
Administrative Access Security
Banners
Login Security
SSH
Securing the System Files
Clock Configuration
System Logging
Role-Based CLI
Privilege Levels
Enabling SDM Support
Routers Passwords Recovery Procedure
Security Audits
Sample Routing Hardening Configuration
ADMINISTRATIVE ACCESS SECURITY

STEP #
COMMANDS
COMMENTS
GLOBAL SETTINGS
CONFIGURE ENABLE PASSWORD
<Router(config)#enable secret (password)>
MIN. PASSWORD LENGTH
<Router(config)#security password min-length (0-16)>
The recommended min. password length is 10 characters.
<Router(config)#service password-encryption>
enable secret - password restricts access to privilege

level 15 and it is always hashed in the config. using MD5
algorithm
The password encryption affects all the passwords created

after the command was issued passwords created prior to
activation are not affected.
ENCRYPT PASSWORDS STORED

IN CONFIG FILE
Type 7 encryption is used (very weak algorithm).

Removing the command will keep already existing passwords
encrypted.
CREATE LOCAL USER DATABASE
<Router(config)#username (username) secret (0 | 5) (password)>
0 indicates that plain text password will follow

5 indicates that MD5 hashed password will follow
ADMINISTRATIVE PORTS
<Router(config)#line con 0>
ACCESS LINES CONFIG MODE
<Router(config)#line vty 0 4>

<Router(config)#line aux 0>
CONFIGURE PASSWORDS
<Router(config-line)#password (password)>
The password has to be configured before trying to issue the

login | login local commands.
BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA (PNADSTOGA@GMAIL.COM) 2012-14
<Router(config-line)#login | login local>
ENABLE PASSWORD PROMPT
login enables the password prompt when trying to

access a given line; checks the password against
configured value
login local enables the username | password prompt
when trying to access a given line; checks the username
and password against entries in the local user database
<Router(config-line)#exec-timeout (0-35791min.) (0-2147483 sec.)

To disable idle timeout:
CONFIGURE IDLE TIMEOUT
<Router(config-line)#no exec-timeout>
OR
<Router(config-line)#exec-timeout 0 0>
*DISABLE INCOMING
CONNECTIONS
<Router(config-line)#no exec>
Allows only outgoing connections on the line.

Issuing the command will not terminate the ongoing
connection but wont allow establishing new ones.
BANNERS
STEP #
COMMANDS
<Router(config)#banner (type) & MESSAGE+TOKENS &>
COMMENTS
Banner types:
CONFIGURE BANNERS
EXEC displayed when an EXEC process is created

INCOMING displayed when theres an incoming connection on a
terminal line
LOGIN displayed before username and password login prompts
MOTD displayed upon successful login
SLIP-PPP displayed when SLIP/PPP connection is made
Tokens:
$(hostname)
$(domain)
$(line)
$(line-desc)
& - delimiting character, indicates the beginning and end of the message
(cannot be part of the message itself)
LOGIN SECURITY
STEP #
COMMANDS
COMMENTS
<Router(config)#login block-for (1-65535) attempts (1-65535) within (1-65535)>
Activates other login enhancements.
<Router(config)#login quiet-mode access-class (ACL name | #)>
Starts in NORMAL (WATCH) mode during which the router

keeps track of number of failed logins.
The QUIET mode is initialized when number of failed login
attempts exceeds the defined limit. Blocks all login attempts
for a defined number of seconds.
ENABLE LOGIN ENHANCEMENTS
An ACL can be applied to allow login attempts, while in the

QUIET mode, coming from permitted destinations.
Introduces a 1 sec. delay between login attempts.
The feature is helpful in mitigating DoS attacks.
<Router(config)#login delay (1-10)>
Delay in sec. between successive login attempts (both failed

and successful).
CONFIGURE LOGIN DELAY
Helps mitigate dictionary attacks.

<Router(config)#login on-success (*log | trap) (*every (1-65535))>
RECORD SUCCESSFUL LOGINS
To verify:
Logs every successful login attempt.
log - generates a syslog message

trap - generates a SNMP trap
log - logs every failed login attempt

security authentication failure - generates a syslog
entry (TOOMANY-AUTHFAILS)
<Router#show login>
<Router(config)#login-on failure (*log | trap) (*every (1-65535))>
Alternatively:
RECORD FAILED LOGINS
<Router(config)#security authentication failure rate (2-1024) log

To verify:
<Router#show login (failures)>
SSH (SECURE SHELL)

STEP #
COMMANDS
COMMENTS
CONFIGURE HOSTNAME
<Router(config)#hostname (hostname)>
CONFIGURE DOMAIN NAME
<Router(config)#ip domain-name (domain name)>
GENERATE 1-WAY SECRET KEY
<Router(config)#crypto key generate rsa general-keys modulus (360-2028)>
A minimum recommended value is 1024 bits.
To verify:
SSH ver. 1 is automatically enabled once keys are

generated.
<Router#show crypto key mypublic rsa>

To erase:
<Router(config)#crypto key zeroize rsa>
<Router(config)#username (username) secret (password)>
CREATE LOCAL USER DATABASE ENTRY
ENABLE VTY INBOUND SSH SESSIONS
*SET SSH VERSION
*TUNE EXEC-TIMEOUT
<Router(config)#ip ssh time-out (1-120)>
*TUNE LOGIN ATTEMPTS LIMIT
<Router(config)#ip ssh authentication-retries (3, 0-5)>
TSHOOT
<Router(config-line)#login local>
<Router(config-line)#transport input ssh>
<Router(config)#ip ssh version (1-2)>
Version 2 provides better encryption and integrity

check than ver. 1.
show ip ssh
show ssh
SECURING THE SYSTEM FILES

STEP #
COMMANDS
COMMENTS
TO SECURE THE IOS IMAGE + CONFIGURATION
SECURE THE IOS IMAGE
<Router(config)#secure boot-image>
<Router(config)#secure boot-config>
Secure IOS Resiliency feature securely archives files in

persistent storage - the secured files dont appear in the
output of the dir or show flash commands.
The feature will not prevent someone from viewing the files
or accessing files from ROMMON mode.
SECURE THE CONFIGURATION FILE
Denies all requests to copy, modify, or erase the files

secured.
Only files run locally can be secured.
TSHOOT
show secure bootset
TO RESTORE SYSTEM USING SECURED FILES:
RELOAD THE ROUTER
<Router#reload>
ENTER ROMMON MODE
Hold the BREAK key
VIEW FILES
<rommon #1>dir
BOOT WITH SECURED IOS
<rommon #2>boot (image name)
RESTORE CONFIGURATION
<Router(config)#secure boot-config restore>
CLOCK CONFIGURATION
STEP #
COMMANDS
COMMENTS
MANUAL
ISSUE CLOCK COMMAND
<Router#clock set HH:MM:SS MONTH DAY YEAR>
Even when NTP is used, the clock still needs to be configured

manually on the NTP server.
<Router#ntp master (stratum 1-15)>
Sets the router as a NTP master with the number of hops

away from the authorative server.
<Router(config)#ntp server (A.A.A.A)>
Sets the router as a NTP slave with the IP address of the NTP
master.
NTP
CONFIGURE NTP MASTER
CONFIGURE NTP SLAVE
<Router(config)#ntp authenticate>
<Router(config)#ntp authentication-key (1-4294967295) md5 (key name)>
ENABLE NTP AUTHENTICATION
<Router(config)#ntp trusted-key (1-4294967295)>
ntp authenticate - turns NTP authentication on.
The authentication is for the benefit of a client to ensure that

it is getting the time from an authenticated server.
Clients configured without authentication still get the time
from the server.
The difference is that these clients do not authenticate the
server as a secure source.
TSHOOT
show ntp status

show ntp associations details
SYSTEM LOGGING
STEP #
COMMANDS
<Router(config)#logging host (hostname | A.A.A.A)>
LOCATE LOGGING SERVER
*<Router(config)#logging source-interface (interface)>
source-interface is optional and can be useful in

situations where more than one link to the server exists
(normally, the router will use information in the routing
table to select the best path)
SET LOGGING SEVERITY FOR THE MESSAGES SENT TO THE :

LVL
KEYWORD
SERVER
<Router(config)#logging trap (lvl | keyword)>
CONSOLE
<Router(config)#logging console (lvl | keyword)>
EMERGENCIES
BUFFER
<Router(config)#logging buffered (lvl | keyword)>
ALERTS
<Router(config)#logging monitor (lvl | keyword)>
CRITICAL
ERRORS
WARNINGS
NOTIFICATIONS
INFORMATIONAL
DEBUGGING
LINES
<Router(config)#logging on>
COMMENTS
logging on - enables logging on all outputs
Only the console logging is enabled by default.
ENABLE LOGGING
Logging to specific destinations can be controlled individually.
TSHOOT
show logging
ROLE-BASED CLI
STEP #
ENABLE AAA
COMMANDS
COMMENTS
<Router(config)#aaa new-model>
Using CLI roles requires enabling AAA first.
<Router#enable view (enable password)>
Equivalent to a level 15 privilege user.

Only Root can add / delete / modify views
ACCESS ROOT VIEW
The enable password is only required if it has been already

configured.
<Router(config)#parser view (view name)>
The password has to be configured before trying issuing any

other commands in the view sub-configuration mode.
<Router(config-view)#secret (password)>
CREATE VIEWS
To switch between views:

<Router#enable view (view name)>
To verify:
<Router#show parser view (all)>
<Router(config-view)#commands (mode) (include | exclude | include-exclusive)
(all | command)>
ADD COMMANDS TO A VIEW
Examples:
<Router(config-view)#commands exec include configure>
<Router(config-view)#commands configure include interface>
include adds a command to the view

exclude remove a command from the view
include-exclusive adds a command to the view and
prohibits it from being added to other views
all include all commands in a given mode that start
with the same keyword
<Router(config-view)#commands interface include shutdown>
SUPERVIEW
<Router(config)#parser view (name) superview>
Superview is a collection of individual views.
<Router(config-view)#secret (0 | 5) (password)>
Commands cannot be added to a superview - they need to be

added to one of subordinate views.
<Router(config-view)#view (view name)>
Deleting a superview does not delete subordinate views.
<Router(config-view)#view (view name)>
ASSIGN A VIEW TO A USER
<Router(config)#username (username) view (view name) secret (password)>
10
PRIVILEGE LEVELS
STEP #
COMMANDS
COMMENTS
Privilege level assigned to enable command:
LEVEL 0 (predefined for a user-level access)
<Router(config)#enable secret level (1-15) (0 | 5) (password)>

Privilege level assigned to a specific user from the local user database:
<Router(config)#username (username) privilege (0-15) secret (password)>
To check what privilege level is assigned to the current user:
<Router#show privilege>
LEVEL 1
DEFINE METHODS TO ACCESS A

SPECIFIC PRIVILEGE LEVEL
DISABLE
ENABLE
EXIT
HELP
LOGOUT
user cant introduce any changes

user cant view the running-config.
LEVEL 2-14
customizable
commands available at lower levels are available at
higher levels
LEVEL 15
all IOS commands are available
Assuming that a user has access to show running command,

the information displayed will be only on resources the user
has access to.
<Router(config)#privilege (mode) level (level #) (command)>
Examples:
ASSIGN A PRIVILEGE LEVEL TO

AN IOS COMMAND
configure
<Router(config)#username Admin privilege 7 secret cisco123>
exec
global config.
EXEC mode
<Router(config)#privilege exec level 7 show>

<Router(config)#privilege configure level 7 interface>
interface
<Router(config)#privilege interface level 7 shutdown>
line
interface subconfig.
line subconfig.
11
ENABLING SDM SUPPORT

STEP #
COMMANDS
COMMENTS
CONFIGURE HOSTNAME
<Router(config)#hostname (hostname)>
CONFIGURE DOMAIN NAME
<Router(config)#ip domain-name (domain name)>
ENABLE HTTP SERVICES
<Router(config)#ip http server>
ip http server - enables HTTP services
ENABLE HTTPS SERVICES
<Router(config)#ip http secure-server>
ip http secure-server - enables SSL services
ENABLE AUTHENTICATION
CREATE A PRIVILEGE LVL 15 USER
<Router(config)#ip http authentication (local | aaa)>
Enables user authentication either via an AAA server

or local user database.
<Router(config)#username (username) privilege 15 secret (password)>
The user running SDM has to have unrestricted access

to the routers resources.
<Router(config)#ip http timeout-policy idle (1-600) life (1-86400) requests (1-86400)>
TUNE HTTP CONNECTIONS
idle defines how long the connection will

remain open if no data is sent / received (default
= 180 sec.)
life defines how long the connection will be
kept open to the server from the time it has
been established (default = 180 sec.)
requests the number of concurrent requests
processed on an existing connection
CONFIGURE VIRTUAL LINES:

o
GRANT LVL 15 PRIVILEGES TO

ANY USER THAT LOGS IN ON
THE LINE
<Router(config-line)# privilege 15>
ENABLE AUTHENTICATION
VIA THE LOCAL USER
DATABASE
<Router(config-line)#login local>
ENABLE SSH
<Router(config-line)#transport input ssh>
12
ROUTERS PASSWORDS RECOVERY PROCEDURE

STEP #
COMMANDS
COMMENTS
The procedure requires physical access to the device
and cannot be performed over a virtual connection.
CONNECT TO THE ROUTER VIA CONSOLE PORT

<Router#show version>
The register value dictates how the router acts during

the bootup process e.g. how the router boots and
what options its using.
() Configuration register is 0x2102
Relevant values:
RECORD CURRENT REGISTER VALUE
POWER ROUTER OFF / ON
ENTER THE ROMMON MODE
Issue the break sequence within 60 seconds of power up.
MODIFY THE REGISTER TO IGNORE THE STARTUP

CONFIGURATION DURING BOOTUP
rommon #1>confreg 0x2142
REBOOT THE ROUTER
rommon #2>reset
COPY STARTUP CONFIGURATION TO NVRAM
VIEW THE STARTUP CONFIG
RESTORE THE REGISTER VALUE
0x2102
default setting
enters ROM if booting fails
0x2142
ignores content of NVRAM
<Router#copy startup-config running-config>
The command will override the default configuration

the router booted up with.
<Router#show startup-config>
The purpose here is to view the startup configuration

and try to recover the passwords
If the passwords are stored in an encrypted form and
cannot be recovered, new ones should be configured.
<Router(config)#config-register 0x2102>
Register is changed again to load the NVRAM content

during boot up.
13
<Router(config)#no service password-recovery>
To recover after the command was issued:
* DISABLE PASSWORD RECOVERY
issue break within 5 sec. of image being

decompressed
confirm to delete the startup config
the router will boot with default settings
14
SECURITY AUDITS
DISABLES
ENABLES
SETS
SDM SECURITY AUDIT WIZARD / CLI AUTO SECURE
SNMP
Finger
PAD
TCP Small Servers
UDP Small Servers
IP BootP
IDENT
CDP
IP Source Route
IP Redirects
IP Proxy ARP
IP Directed Broadcast
MOP
IP Unreachables
IP Mask Reply
password encryption
IP CEF
firewall rules on all outbound interfaces
unicast RPF on all outbound interfaces
logging
minimum password length to 6 characters

local user database entries
password encryption
IP CEF
firewall rules on all outbound interfaces
unicast RPF on all outbound interfaces
SSH
AAA
TCP Keepalives Inbound / Outbound
seq. # and timestamps on debugs
minimum password length to 6 characters

authentication failure rate <3 retries
TCP synwait time
notification banner
logging parameters
enable secret password
scheduler interval
scheduler allocate
users
Telnet settings
ACLs on HTTP server service
ACLs on VTY lines
ONE STEP LOCKDOWN
SNMP
Finger
PAD
TCP Small Servers
UDP Small Servers
IP BootP
IDENT
CDP
IP Source Route
IP Redirects
IP Proxy ARP
MOP
IP Unreachables
IP Mask Reply
15
SAMPLE ROUTING HARDENING CONFIGURATION

GLOBAL
set hostname
<RTR1(config)#hostname RTR1>
set domain name
<RTR1(config)#ip domain-name archimetric.com>
enable password encryption
<RTR1(config)#service password-encryption>
set minimum password length = 7
<RTR1(config)#security passwords min-length 7>
set privilege EXEC password
<RTR1(config)#enable secret cisco123>
generate a 1024 bit RSA key
<RTR1(config)#crypto key generate rsa encryption modulus 1024>
enable SSH ver.2
<RTR1(config)#ip ssh version 2>
set SSH timeout to 60
<RTR1(config)#ip ssh time-out 60>
set SSH authentication retires limit to 2
<RTR1(config)#ip ssh authentication-retries 2>
create a user Admin with lvl. 15 privileges and encrypted password
<RTR1(config)#username Admin privilege 15 secret cisco123>
SSH
16
LOGIN
disable login for 60 sec. if there are 3 failed login attempts within 20 sec.
<RTR1(config)#login block-for 60 attempts 3 within 20>
set login delay of 5 sec.
<RTR1(config)#login delay 5>
BANNERS
MOTD
<RTR1(config)# banner motd WARNING!!! RESTRICTED ACCESS!!!>
LOGIN
<RTR1(config)#banner login ENTER YOUR USERNAME AND PASSWORD:
EXEC
<RTR1(config)#banner enable LOGIN SUCCESSFUL! HAPPY ROUTING!
<RTR1(config)#line con 0>
MANAGEMENT LINES
CONSOLE
o
configure password cisco123
<RTR1(config-line)#password cisco123>
enable synchronous logging
<RTR1(config-line)#logging synchronous>
set idle timeout to 10 min.
<RTR1(config-line)#exec-timeout 10 0>
AUX LINE
<RTR1(config)#line aux 0>
allow only outbound connections
<RTR1(config-line)#no exec>
VTY LINES
<RTR1(config)#line vty 0 4>
17
allow only SSH connections
<RTR1(config-line)#transport input ssh>
grant level 15 privileges to users logging in on VTY lines
<RTR1(config-line)#privilege 15>
LOGGING
enable logging to buffer of lvl. 7 messages (buffer size = 8192 bits)
<RTR1(config)#logging buffered 8192 debugging>
enable logging to console of lvl. 7 messages
<RTR1(config)#logging console informational>
enable logging to routers lines other than console of lvl. 7 messages
<RTR1(config)#logging monitor debugging>
enable logging to a syslog server (10.1.60.12) of lvl. 5 messages
<RTR1(config)#logging trap notifications>
<RTR1(config)#logging host 10.1.60.12>
generate log on every successful login attempt
<RTR1(config)#login on-success log>
generate log on every unsuccessful login attempt
<RTR1(config)#login on-failure log>
SDM SUPPORT
enable HTTP services
<RTR1(config)#ip http server>
enable HTTPS services
<RTR1(config)#ip http secure-server>
use local user database to authentication incoming HTTP connections
<RTR1(config)#ip http authentication local>
terminate the connection after 360 sec. of inactivity

leave the connection open for 360 sec. from the time its established
allow only 1 request at a time
<RTR1(config)#ip http timeout-policy idle 360 life 360 requests 1>
18
DISABLE FEATURES AND SERVICES
GLOBALLY
o
IP Source Routing
<RTR1(config)#no ip source-route>
Finger
<RTR1(config)#no service finger>
TCP Small Servers
<RTR1(config)#no service tcp-small-servers>
UDP Small Servers
<RTR1(config)#no service udp-small-servers>
Cisco Discovery Protocol
<RTR1(config)#no cdp run>
BootP
<RTR1(config)#no ip bootp server>
TFTP Broadcast IOS
<RTR1(config)#no boot network>
TFTP Broadcast Config.
<RTR1(config)#no service config>
DNS Lookup
<RTR1(config)#no ip domain-lookup>
IDENTD Services
<RTR1(config)#no ip identd>
X.25 PAD
<RTR1(config)#no service pad>
Gratuitous ARPs
<RTR1(config)#no ip gratuitous-arps>
SNMP
<RTR1(config)#no snmp-server>
19
ON INTERFACES
o
Proxy ARP
<RTR1(config-if)#no ip proxy-arp>
ICMP Redirects
<RTR1(config-if)#no ip redirects>
ICMP Unreachables
<RTR1(config-if)#no ip unreachables>
ICMP Mask Reply
<RTR1(config-if)#no ip mask-reply>
Maintenance Operation Protocol
<RTR1(config-if)#no mop enable>
Cisco Discovery Protocol
<RTR1(config-if)#no cdp enable>
<RTR1(config-if)#no ip directed-broadcast>
ENABLE FEATURES AND SERVICES
GLOBALLY
o
TCP Keepalives IN
<RTR1(config)#service tcp-keepalives-in>
TCP Keepalives OUT
<RTR1(config)#service tcp-keepalives out>
Sequence Numbers And Timestamps On Debugs
<RTR1(config)#service timestamps debug datatime show-timezone msec>
Sequence Numbers And Timestamps On Logs
<RTR1(config)#service timestamps log datatime show-timezone msec>
TCP Synwait Time
<RTR1(config)#ip tcp synwait-time 10>
20
AAA
AAA Local Authentication
AAA Server Authentication (TACACS+)

AAA Server Authorization (TACACS+)
AAA Server Accounting (TACACS+)
AAA LOCAL AUTHENTICATION

STEP #
ADD USERS TO THE LOCAL USER

DATABASE
COMMANDS
COMMENTS
<Router(config)#username (username) secret (password)>
Disables all other forms for authentication on the router
ENABLE AAA
Local AAA Authentication is similar to login local command

with the addition of fallback mechanisms.
<Router(config)#aaa authentication login (default | name) (method1) (method2)
(method3) (method4)>
The list is sequential.
EXAMPLE:
Next method is used only when theres no response or error

from the previous method
<Router(config)#aaa authentication login default local-case enable>

<Router(config)#aaa authentication login CONSOLE line enable>
1-4 methods can be specified.
The default list is used for all authentication if no other lists

were specifically assigned.
The default list contains only one method: local
On the console line, login succeeds without any
authentication checks if default is not set.
DEFINE A LIST OF
AUTHENTICATION METHODS
METHOD
enable
line password
local
local user database
none
ASSIGN A LIST TO LINES /

INTERFACES
<Router(config-line)#login authentication (default | name)>
enable password
line
local-case
USES
local user database (case sensitive)

no password required
Different lists can be assigned to different lines / interfaces.
21
<Router(config)#aaa local authentication attempts max-fail (1-65535)>

To view locked accounts:
* DEFINE A LIMIT FOR FAILED

AUTHENTICATION ATTEMPTS
If the threshold is exceeded the user is locked out and further

attempts are only possible if the administrator unlocks the
account first.
<Router#show aaa local user lockout>

To unlock an account:
<Router#clear aaa local user lockout (all) | username (username)>
<Router(config)#aaa authentication banner & BANNER &>
* CONFIGURE BANNERS AND

PROMPTS
<Router(config)#aaa authentication username-prompt (prompt)>
aaa authentication banner - overrides LOGIN banner

aaa authentication fail-message - text displayed upon
failed authentication
<Router(config)#aaa authentication password-prompt (prompt)>

<Router(config)#aaa authentication fail-message & MESSAGE &>
TSHOOT
show aaa user (all | username)

show aaa sessions
debug aaa authentication
EXAMPLE:
<Router(config)#username Admin secret cisco123>
<Router(config)#aaa authentication login default local-case enable>
<Router(config-line)#login authentication default> (* hardcoding a default method is not necessary)
<Router(config)#aaa local authentication attempts max-fail 2>
<Router(config)#aaa authentication banner & Authentication commences: &>
<Router(config)#aaa authentication username-prompt Username:>
<Router(config)#aaa authentication password-prompt Password:>
<Router(config)#aaa authentication fail-message & Wrong password &>
22
AAA SERVER AUTHENTICATION (TACACS+)

STEP #
ENABLE AAA
DEFINE TACACS+ SERVER
COMMANDS
COMMENTS
<Router(config)#tacacs-server host (A.A.A.A) (*single-connection) key (key)>
To assign the same key for all TACACS+ server used:
<Router(config)#tacacs-server key (key)>
DEFINE A LIST OF
AUTHENTICATION METHODS
<Router(config)#aaa authentication login ((default) | (name)) group tacacs+

(method 1) (method2) (method3) (method4)>
ASSIGN THE LIST TO LINES
<Router(config-line)#login authentication (default) | (list name)>
TSHOOT
EXAMPLE
single-connection sends all AAA traffic using a single

TCP connection
key - has to be identical to the one defined on the
TACACS+ server
debug tacacs authentication
<Router(config)#tacacs-server host 10.0.0.3 single connection key cisco123>
<Router(config)#aaa authentication login default group tacacs+ local-case enable>
<Router(config)#login authentication default>
23
AAA SERVER AUTHORIZATION (TACACS+)

STEP #
COMMANDS
COMMENTS
<Router(config)#username (username) privilege 15 secret (password)>
When AAA authorization is not enabled, all users are allowed

full access.
After authentication is started, the default changes to allow no
access.
This means that the administrator must create a user with full
access rights before authorization is enabled.
CREATE A LEVEL 15 PRIVILEGE USER
Failure to do so immediately locks the administrator out of the

system the moment the aaa authorization command is
entered.
To recover reboot the router.
ENABLE AAA
<Router(config)#tacac-server host (A.A.A.A) (*single-connection) key (key)>

<Router(config)#aaa authorization (resource type) (default | name) (method1)
(method2) (method3) (method4)>
RESOURCE TYPE
network
DEFINE A LIST OF AUTHORIZATION

METHODS
TSHOOT
DESCRIPTION
authorization for starting L2
connections
exec
verifies if a user has access to an

EXEC shell
commands level_#
verifies if a user has access to a

command at a specific privilege
level
debug aaa authorization

debug tacacs authorization
24
EXAMPLE
<Router(config)#username Admin privilege 15 secret cisco123>

<Router(config)#tacacs-server host 10.0.0.3 single-connection key cisco123>
<Router(config)#aaa authorization exec default group tacacs+ local>
<Router(config)#aaa authorization commands 15 default group tacacs+ local>
25
AAA SERVER ACCOUNTING (TACACS+)

STEP #
COMMAND
COMMENTS
ENABLE AAA
<Router(config)#tacac-server host (A.A.A.A) (*single-connection) key (key)>

<Router(config)#aaa accounting (usage type) (default | name) (trigger)
(*broadcast) group tacacs+)>
Example:
DEFINE A LIST OF ACCOUNTING

METHODS
broadcast sends record to multiple server; by default it

is sent only to the first available server
USAGE TYPES:
<Router(config)#aaa accounting exec default start-stop group tacacs+>

<Router(config)#aaa accounting system default start-stop group tacacs+>
TYPE
DESCRIPTION
network
records requests for L2 DDL connections
exec
records any requests for access to an

EXEC shell
command lvl
records all commands executed at the

specific EXEC level
system
records system events not associated

with the user e.g. interface status
change
TRIGGERS:
TYPE
DESCRIPTION
start-stop
accounting recording starts at the

beginning of the users action and
stops at the end of users action
stop-only
accounting is generated only at the end

of users action
none
disable accounting for a line
26
TSHOOT
debug aaa accounting

debug tacacs accounting
EXAMPLE
<Router(config)#tacacs-server host 10.0.0.3 single-connection key cisco123>
<Router(config)#aaa accounting exec default start-stop group tacacs+>
<Router(config)#aaa accouting command 15 default stop-only group tacacs+>
<Router(config)#aaa accouting system default stop-only group tacacs+>
27
ACLs
Standard ACLs
Extended ACLs
Misc ACL Features
o
o
o
o
o
o
o
o
Sequencing
Wildcards
Port Operators
TCP Established
Reflexive ACLs
Dynamic ACLs
Time Based ACLs
Turbo ACLsMisc ACL Features
ACLs Verification and Tshooting
STANDARD ACLs
RANGE
1 - 99
1300 - 1999
FILTER BASED ON
SOURCE ADDRESS
POSITION
AS CLOSE TO DESTINATION AS POSSIBLE
WORK AT
L3 NETWORK LAYER
CONFIGRAUTION: STANDARD MODE

ELEMENT
REMARK
SYNTAX
COMMENTS
<R1(config)#access-list (1-99 | 1300-1999) remark (remark up to 100 characters)>
Remarks are saved in routers NVRAM.
<R1(config)#access-list (1-99 | 1300-1999) (permit | deny) (source A.A.A.A W.W.W.W) (*log)>
log generates a log entry every time a packet

matches the ACLs statement
Log messages are generated on the first match and

then at 5 min. intervals
RULES
Should only be used when the network is under attack

(very resources consuming)
ACTIVATION
<R1(config-if)#ip access-group (1-99 | 1300-1999) (in | out)>

<R1(config-line)#access-class (1-99 | 1300-1999) (in | out)>
EXAMPLE
deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)

allow all other traffic
<Perth(config)#access-list 10 remark Deny traffic from Sydney (192.168.0.1)>

<Perth(config)#access-list 10 deny 192.168.0.1 0.0.0.0>
<Perth(config)#access-list 10 permit 0.0.0.0 255.255.255.255>
<Perth(config-if)#ip access-group 10 in>
28
CONFIGURATION: SUB-CONFIGURATION MODE

ELEMENT
SYNTAX
COMMENTS
CREATE ACL
<R1(config)#ip access-list standard (1-99 | 1300-1999 | name)>
REMARK
<R1(config-std-acl)#(*sequence number 1-2147483647) (remark up to 100 characters)>
RULES
<R1(config-std-acl)#(*sequence number 1-2147483647) (permit | deny) (source A.A.A.A W.W.W.W

(*log)>
<R1(config-if)#ip access-group (1-99 | 1300-1999 | name) (in | out)>
ACTIVATION
<R1(config-line)#access-class (1-99 | 1300-1999 | name) (in | out)>
The router doesnt evaluate traffic against outbound

set ACL if the traffic is originated by the router itself
e.g. routing protocol updates
EXAMPLE
deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)

allow all other traffic
<Perth(config)#ip access-list standard DENY_SYD>

<Perth(config-std-acl)#remark Denies Sydney (192.168.0.1) from reaching Perth (192.168.0.2)
<Perth(config-std-acl)#10 deny 192.168.0.1 0.0.0.0>
<Perth(config-std-acl)#20 permit 0.0.0.0 255.255.255.255>
<Perth(config)#interface fa0/0>
<Perth(config-if)#ip access-group DENY_SYD in>
29
EXTENDED ACLs
RANGE
100 - 199
2000 - 2699
DESTINATION ADDRESS
SOURCE ADDRESS
IP PROTOCOL (NAME / NUMBER)
PROTOCOL INFORMATION
o ICMP: message type
o TCP /UDP: source and/or destination port names and numbers
o TCP: flags
FILTER BASED ON
POSITION
AS CLOSE TO SOURCE AS POSSIBLE
WORK AT
L3 NETWORK LAYER
L4 TRANSPORT LAYER
CONFIGRAUTION: STANDARD MODE

ELEMENT
SYNTAX
COMMENTS
REMARK
<R1(config)#access-list (100-199 | 2000-2999) remark (remark up to 100 characters)>
RULES
<R1(config)#access-list (100-199 | 2000-2699) (permit | deny) (protocol name | 0-255)

(source A.A.A.A W.W.W.W) (destination A.A.A.A W.W.W.W) (*log)>
ACTIVATION

EXAMPLE
allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)
<Perth(config)#access-list 100 remark Allows IPSec traffic originated by Sydney>

<Perth(config)#access-list 100 permit ahp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config)#access-list 100 permit esp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config)#access-list 100 permit udp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
30
CONFIGURATION: SUB-CONFIGURATION MODE

ELEMENT
SYNTAX
COMMENTS
CREATE ACL
<R1(config)# ip access-list extended (100-199 | 2000-2999 | name)>
REMARK
<R1(config-ext-nacl)#(*sequence number 1-2147483647) remark (remark up to 100 characters)>
RULES
<R1(config-ext-nacl)#(*sequence number 1-2147483647) (permit | deny) (protocol name | 0-255) (source

A.A.A.A W.W.W.W) (destination A.A.A.A W.W.W.W) (*log)>
ACTIVATION

EXAMPLE
allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)
<Perth(config)#ip access-list extended IPSEC_TRAFFIC>

<Perth(config-ext-nacl)#remark Allow IPSec traffic originated by Sydney>
<Perth(config-ext-nacl)#10 permit ahp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config-ext-nacl)#20 permit esp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config-ext-nacl)#30 permit udp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0>
<Perth(config)#interface fa0/0>
31
MISC ACL FEATURES
ACLs are processed:

o top-down, from the first to the last statement
o until a packet matches a statement or the packet matches none of the statements
o once a match is found, no more statements are processed
the more restrictive statements should be at the top of the list and the less restrictive ones at the bottom
by default, statements are added to the end of the list (can be overridden by using the sequence numbers)
there is an invisible deny 0.0.0.0 255.255.255.255 statement at the end of the list that drops all traffic not explicitly permitted
one ACL per protocol, per interface and per direction is allowed
an empty ACL permits all traffic
an ACL needs to have at least one statement permitting traffic for the invisible deny any to take effect
explicit deny ip any any statement should be put at the end of the ACL to be able to view hit counts for denied traffic
SEQUENCING
SYNTAX
COMMENTS
<R1(config-std/ext-nacl)#(sequence number 1-2147483647) (ACL rules)>
Sequencing works only in sub-configuration mode (for

both standard and extended ACLs).
To resequence:
Each entry is given a unique sequence number.
<R1(config)#ip access-list resequence (name | #) (starting number 1-2147483647) (increment 1-2147483647)>
By default starts at 10 and increments by 10.

Not stored in NVRAM; the IOS adds them when router
loads the startup config. into RAM.
If no sequence number is specified the number will be
the next increment (starting with 10).
WILDCARDS
SYNTAX
host A.A.A.A = A.A.A.A 0.0.0.0
access-list 100 permit ip 192.168.0.1 0.0.0.0 192.168.0.11 0.0.0.0
COMMENTS
access-list 100 permit ip host 192.168.0.1 host 192.168.0.11
any = 0.0.0.0 255.255.255.255
0 = match exactly
1 = ignore
If wildcard is omitted it defaults to 0.0.0.0 (only true

for standard ACLs)
access-list 10 permit 0.0.0.0 255.255.255.255 access-list 10 permit any

ip access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ip access-list 100 permit ip any any
32
PORT OPERATORS
SYNTAX
COMMENTS
<Router(config)#access-list (name | #) (permit | deny) (tcp | udp) (source) (*operator) (protocol name | 0-255)
(destination) (*operator) (protocol name | 0-255)>
Example:
eq
allow only HTTP traffic from R1 (10.0.0.1) to the R2 server (10.0.0.2)
<R2(config)#access-list 100 permit tcp host 10.0.0.1 host 10.0.0.2 eq 80>
OPERATOR
deny all incoming traffic on ports 10-25
<R2(config)#access-list 144 deny any range 10-25 any>
range
MATCHES
match only packets on a given port
match only packets in the range of ports
gt
match only packets with a greater port number
lt
match only packets with a lower port number
neq
match only packets not on a given port number
TCP ESTABLISHED PARAMETER

SYNTAX
COMMENTS
<Router(config)#access-list (100-199 | 2000-2699 | name) tcp (source) (destination) established>
Works only with extended ACLs.
Example:
Allows / denies traffic coming from the outside that was initiated
from the inside.
allow any HTTPS traffic to host SYDNEY (10.0.0.3) as long as it was originated by SYDNEY.
<Sydney(config)#access-list 100 permit tcp any host 10.0.0.3 eq 443 established>

<Sydney(config)#interface s1/0>
<Sydney(config)#ip access-group 100 in>
Does not maintain stateful information.

Checks TCP segments for the following flags (ACK or RST) and
permits the packets if these bits are have the flags set on.
Available only for TCP; UDP and ICMP can only be permitted or
denied.
33
REFLEXIVE ACLs
allow to perform session filtering for any type of IP traffic

remembers outgoing traffic by dynamically building ACL entries and permits returning traffic
allow the local device to initiate traffic to the remote devices and get response (but denies traffic initiated by remote devices)
SYNTAX
COMMENTS
CREATE AN OUTBOUND ACL
<R1(config)#ip access-list extended (name)>

<R1(config-ext-nacl)#permit (protocol name | 0-255) (source) (destination) reflect (reflexive ACL name) (*timeout (1-2147483))>
reflect creates reflexive access list entry in the

reflexive ACL (name) with the source and
destination addresses swapped
timeout maximum time for the ACL to live
(default = 300 sec.)
reflexive ACLs are allowed on named ACLs only
evaluate nests ACL within ACL
CREATE AN INBOUND ACL
<R1(config)#ip access-list extended (name)>

<R1(config-ext-nacl)#evaluate (reflexive ACL name)>
ASSIGN THE ACL TO AN INTERFACE
<R1(config)#interface (interface)>
<R1(config-if)#ip access-group (outbound ACL name) out>
<R1(config-if)#ip access-group (inbound ACL name) in>
EXAMPLE
allow only TELNET and ICMP traffic into the local network as long as it was originated by HOME (98.174.249.99)
deny all traffic originated from the remote network
the ACLs need to be configured on the border router CLOUD on the outside interface s1/1
<Cloud(config)#ip access-list extended OUTBOUND>

<Cloud(config)#permit tcp host 98.174.249.99 host 67.40.69.33 eq telnet reflect REFLEXIVE_ACL>
<Cloud(config)#permit icmp host 98.174.249.99 host 67.40.69.33 reflect REFLEXIVE_ACL>
<Cloud(config-ext-nacl)#exit>
<Cloud(config)#ip access-list extended INBOUND>
<Cloud(config-ext-nacl)#evaluate REFLEXIVE_ACL>
<Cloud(config-ext-nacl)#exit>
<Cloud(config)#interface s1/1>
<Cloud(config-if)#ip access-group OUTBOUND out>
<Cloud(config-if)#ip access-group INBOUND in>
34
DYNAMIC ACLs (LOCK AND KEY)
opens a temporary door in the firewall and grants access to specified resources provided the user is authenticated using Telnet / SSH
the access request is put on hold until the user is authenticated using a Telnet / SSH connection
once authentication is complete the remote connection is dropped and a single-entry dynamic ACL is added to the existing extended ACL
the traffic is permitted for specified period (idle and absolute timeouts)
only one policy can be configured for all dynamic ACL users and this single policy is applied to all the authenticated users
SYNTAX
COMMENTS
Supported methods of authentication:
CREATE LOCAL USER DATABASE ENTRY
<R1(config)#username (name) secret (password)>
The first statement has to allow remote access

connections (Telnet or SSH)
CREATE A DYNAMIC ACCESS LIST
<R1(config)#access-list (100-199 | 2000-2699) permit tcp (source) (destination) eq telnet>

<R1(config)#access-list (100-199 | 2000-2699) dynamic (name) (*timeout (1 9999)) (permit | deny) (port 0-255 | name)
(source) (destination)>
local user database

AAA server
line password
dynamic - defines what resources are available /

prohibited once the authentication is successful
only one dynamic statement per an ACL is allowed
timeout (absolute timer) specifies the time
window during which the DYNAMIC ACL rules are in
effect (in minutes)
ASSIGN THE ACL TO AN INTERFACE
<R1(config-if)#ip access-group 101 in>
CONFIGURE THE VTY LINES
<R1(config-line)#login local>
<R1(config-line)#autocommand access-enable (*host) (*idle (1-9999))>
autocommand - executes the command that follows

after successful authentication
access-enable creates a temporary ACL entry
host replaces the ACL entry any with the users IP
address (dependent on ACL direction)
idle idle timeout (overridden by the absolute
timer configured in the DYNAMIC ACL)
35
EXAMPLE
allow remote host JEREMY (172.30.2.11/24) to access 192.168.1.0/24 network upon successful authentication with REMOTE router (67.40.69.33/24)
<REMOTE(config)#access-list 101 permit tcp host 172.30.2.11 host 67.40.69.33 eq telnet>

<REMOTE(config)#access-list 101 dynamic DYN_ACL timeout 10 permit ip host 172.30.2.11 192.168.1.0 0.0.0.255>
<REMOTE(config)#interface s1/1>
<REMOTE(config-if)#ip access-group DYN_ACL in>
<REMOTE(config-if)#exit>
<REMOTE(config)#line vty 0 4>
<REMOTE(config)#autocommand access-enable>
36
TIME BASED ACLs
CREATE TIME RANGE
<R1(config)#time-range (range name)>

<R1(config-time-range)#absolute start (hh:mm) (1-31) (month) (1993-2030) end (hh:mm) (1-31) (month) (1993-2030)>
<R1(config-time-range)#periodic (Monday Sunday | weekend | weekdays | daily) (hh:mm) to (hh:mm)>
absolute single time period for which the time

range is valid; if start time is omitted it defaults to
current time on the router; if end time is omitted it
defaults to 23:59 31 December 2035
periodic recurring time period for which the time
range is valid; if the day of week parameter is
omitted, it defaults to the day of week configured
for the beginning time
APPLY TIME RANGE TO AN ACL
<R1(config)#access-list 101 (permit | deny) (0-255 | name) (source) (destination) time-range (range name)>
APPLY ACL TO AN INTERFACE
<R1(config-if)#ip access-group 101 in>

EXAMPLE
allow web surfing only on the weekdays between 17:00 6:00
<R1(config)#time-range WWW_ACCESS>
<R1(config-time-range)#periodic weekdays 05:59 to 16:59>
<R1(config)#access-list 101 deny tcp any any eq 80>
<R1(config)#interface s1/0>
<R1(config-if)#ip access-list 101 out>
TURBO ACLs
SYNTAX
<Router(config)#access-list compiled>
To verify:
<Router#show access-list compiled>
COMMENTS
Reduces the ACL lookup time by compiling ACLs into a hash
table.
The lookup time is the same no matter which ACL command is
being looked up
Can only be used on an ACL that has more than three entries!
37
ACL VERIFICATION AND TSHOOTING
show access-list
show ip access-list (1-1999 | 1300-2799 | name | dynamic | (interface (interface))
show running-config
show ip interface (interface)
debug ip packet (1-99 | 1300-2699) (*detail)
COMMAND
VERIFIES
ACL type
ACL number / name
ACL sequence number
ACL rules
ACL matches
does not display remarks
show access-list (1-2799 | name | compiled)
show ip access-list (1-1999 | 1300-2799 | name | dynamic | (interface (interface))
same as above but only for ACLs created for IP protocol
show running-config
ACL remarks
ACL rules
ACL and direction bound to an interface
*the order of rules for a given ACL matches the order the rules where entered (even if ACLs
were re-sequenced)
show ip interfaces (*interface)
ACL and direction bound to the interface
debug ip packet (1-99 | 1300-2699) (*detail)
captures the packets that are process-switched

received, generated and forwarded
detail packet types and codes, source and destination port numbers
38
CLI BASED
FIREWALLS
CBAC
Zone Based Firewall
CBAC (Context Based Access Control)
Cisco IOS based firewall that filters TCP and UDP packets based on their L7 Application Layer information
generates real time audits and trails
creates and maintains session table to build dynamic ACL entries
CBAC CONFIGURATIONS
STEP #
COMMANDS
COMMENTS
On what interfaces does the external traffic arrive?
What outbound interfaces are used to reach external networks?
IDENTIFY INTERFACE ROLES
Example:
FILTER INGRESS TRAFFIC

USING ACLs
DEFINE INSPECTION RULES
INTERNAL interface on which sessions can be

initiated
EXTERNAL sessions initiated from external
interfaces will be blocked
the ACL for the return traffic must be an
extended ACL
Allow protocols that are necessary for the network to

be operational e.g. routing protocols.
<Router(config)#ip access-list 101 permit udp any any eq rip>

<Router(config)#ip access-lsit 101 deny ip any any>
<Router(config)#interface s1/1>
<Router(config)#ip access-group 101 in>
Deny all external traffic that tries to access internal

network.
<Router(config)#ip inspect name (rule name) (protocol name) (*alert (on | off)) (*routertraffic) (*audit-trail (on | off)) (*timeout 5-43200)>
Example:
<Router(config)#ip inspect name CBAC_RULES tcp router-traffic audit-trail on>

<Router(config)#ip inspect name CBAC_RULES udp>
<Router(config)#ip inspect name CBAC_RULES icmp>
alert on | off displays messages on the console

line concerning CBAC operation e.g. DoS attacks
(to globally disable alerts: no ip inspect alert-off)
audit-trail on | off keeps track of the
connection inspected by CBAC (including valid
and invalid access attempts) e.g. displays
messages when CBAC adds / removes an entry
from the state table. By default outputs to the
console line but logging to a syslog server is
possible if enabled.
router-traffic inspects traffic generated by the
router itself
timeout - overrides the global TCP and UDP
timeouts but does not override the global
Domain Name Service (DNS) timeout
39
<Router(config-if)#ip inspect (rule name) in | out>
ASSIGN INSPECTION RULES

TO AN INTERFACE
It also resets all timeout and threshold values to their

factory defaults. After CBAC is removed, all inspection
processes are no longer available, and the router uses
only the current ACL implementations for filtering.
<Router(config)#ip inspect tcp synwait-time (1-2147483)>
<Router(config)#ip inspect tcp finwait-time (1-2147483)>
<Router(config)#ip inspect tcp idle-time (1-2147483)>
<Router(config)#ip inspect udp idle-time (1-2147483)>
<Router(config)#ip inspect max-incomplete high (1-2147483647)>

<Router(config)#ip inspect max-incomplete low (1-214748364)7>
<Router(config)#ip inspect one-minute high (1-2147483647)>

<Router(config)#ip inspect one-minute low (1-2147483647)>
<Router(config)#ip inspect tcp max-incomplete host (1-4294967295) block-time (0-35791)>
in - on an INTERNAL interface
out - on an EXTERNAL interface
no ip inspect - removes all CBAC commands, the
state table, and all temporary ACL entries
created by CBAC.
*TIMERS + THRESHOLDS
tcp synwait-time length of time CBAC waits for

a new TCP session to reach established state
(default = 30 sec.)
tcp finwait-time length of time CBAC continues
to manage a TCP session after receiving a FIN
flag (default = 5 sec.)
tcp idle-time length of time CBAC continues to
manage a TCP session with no activity
(default = 3600 sec.)
udp idle-time length of time CBAC continues to
manage an UDP session with no activity
(default = 30 sec.)
max-incomplete high once the threshold for
incomplete connections has been reached, CBAC
will actively begin to delete them (default = 500
sessions)
max-incomplete low if the threshold for
incomplete session have been breached, they
will be deleted until this value is reached
(default = 400 sessions)
one-minute high / low as above but over the
course of one minute
max-incomplete host threshold for incomplete
TCP connections from a single host (default = 50
connections), and how long should connection
attempts be rejected if the threshold is reached
(default = 0)
40
EXAMPLE
the border Router, Cloud, has two active interfaces: s1/0 (INSIDE) and s1/1 (OUTSIDE)
the OUTSIDE traffic cannot initiate connection to the devices on the INSIDE and is dropped at the border router
RIP updates are excepted; their exchange is crucial for the network operation
device on the INSIDE can initiate connection to the OUTSIDE devices and the return traffic is permitted through the border router
allowed protocols: HTTP, ICMP, TELNET
<Router(conf)#ip access-list extended 100>

<Router(conf-ext-nacl)#permit udp any any eq rip>
<Router(conf-ext-nacl)#deny ip any any>
<Router(conf-ext-nacl)#exit>
<Router(conf)#interface s1/1>
<Router(config-if)#ip access-group 100 in>
<Router(config-if)#exit>
<Router(config)#ip inspect name IN-OUT-IN http>
<Router(config)#ip inspect name IN-OUT-IN icmp>
<Router(config)#ip inspect name IN-OUT-IN telnet>
<Router(config)#ip inspect IN-OUT-IN out>
41
CBAC VERIFICATION AND TSHOOTING
show ip inspect (parameter)

debug ip inspect detailed
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect function-trace
debug ip inspect events
debug ip inspect protocol (protocol)
COMMAND
VERIFIES
PAREMTER
all
config
show ip inspect (parameter)
interfaces
name
sessions
session details
DESCRIPTION
all available information
CBAC configuration
rules activated on interfaces
rules details
summary of inspections in the CBAC table
detailed information on inspection in the CBAC table
debug ip inspect detailed
debugs information about all CBAC processes on the router
debug ip inspect timers
debugs information related to CBAC timers e.g. idle timers expiration
debug ip inspect object-creation
debugs information about added entry to the CBAC table
debug ip inspect object-deletion
debugs information about removed entry from the CBAC table
debug ip inspect function-trace
debugs information about the software function that CBAC calls
debug ip inspect events
debugs CBAC events, including processing of packets
42
debug ip inspect protocol (protocol)
debugs protocol related events
43
ZONE BASED FIREWALL

ZBF CONFIGURATION
STEP #
COMMANDS
COMMENTS
<Router(config)#zone security (zone name up to 256 characters)>
The zone cannot be named self or null.
<Router(config-sec-zone)#description (description)>
Traffic flowing to and from the routers interfaces is excluded

from zone policies.
Traffic between a zone and self zone is permitted by default (the
self zone is the only exception to the default deny all policy).
CREATE ZONES
A policy can be defined using the self zone either as the source or
destination.
The self zone does not require any interfaces to be configured as
members all the IP interfaces on the router are automatically
assigned to the self zone.
<Router(config)#interface (interface)>
<Router(config-if)#zone-member security (zone name)>
Once an interface is a member of a zone all traffic to and from

that interface (except traffic going to the router or initiated by
the router) is dropped by default.
An interface can only belong to a single zone.
Traffic cannot flow between an interface with an zone
assignment and an interface without a zone assignment.
ASSIGN INTERFACES
TO THE ZONES
Traffic between interfaces in the same zone is never filtered.

Interfaces should be grouped together based on their security
requirements.
A zone must be created before interfaces can be assigned to it.
If there is no need for the interface to be a member of a zone it
may be necessary to put that interface into a zone and configure
a pass-all policy (dummy policy) between that zone and any
other zone to which traffic flow is desired.
44
L3/4 TYPE
<Router(config)#class-map type inspect (match-any | match-all) (class map name)>
The order is significant since the statements are processed topdown for a match.
<Router(config-cmap)#match protocol (protocol name)>

<Router(config-cmap)#match access-group (ACL_# | name (ACL name))>
<Router(config-cmap)#match class-map (class map name)>
CREATE CLASS MAPS
Only stateful protocols supported by the router can be

inspected.
Example:
L3/4 maps classify traffic based on information in the L3/4

headers.
<Router(config)#class-map type inspect match-any MYMAP>

<Router(config-cmap)#match protocol http>
<Router(config-cmap)#match protocol tcp>
L3/4 TYPE
<Router(config)#policy-map type inspect (policy map name)>
*<Router(config-pmap)#description (description of the policy map; up to 200 characters)
CREATE POLICY MAPS
*<Router(config-pmap)#rename (new policy map name)>
*<Router(config-pmap)#class class-default>
<Router(config-pmap)#class type inspect (class map name)>

<Router(config-pmap-c)#((pass | drop) (*log)) (inspect (*parameter map name)>
*<Router(config-pmap-c)#police rate (8000-2000000000) burst (1000-512000000)>
type inspect only maps defined with this parameter can

be used with ZBF
match-any a match on any of the conditions in the class
map satisfies the requirements
match all specifies that traffic needs to match all entries
in the class map to be considered a match.
match protocol specifies a particular protocol (only
stateful are allowed)
match access-group traffic matching permit statements
in a given ACL will be included in the class map (statements
matching an ACL deny rule are excluded).
match class-map includes (embeds) another class map
which allows for nesting.
type inspect only maps defined with this parameter can
be used with ZBF
inspect enables stateful packet inspection of the traffic in
the class map (parameter map optional)
pass packets are allowed to through but no stateful
inspection is applied
drop packets are dropped
police rate specifies an average traffic rate in bits /
seconds and an allowed burst size in number of bytes
log creates a log msg. for matching traffic
class class-default class map that covers all packets that
do not match any of the other class maps in the configured
policy map
45
<Router(config)#zone-pair security (zone pair name) source (zone name | self)

destination (zone name | self)>
PAIR ZONES
APPLY POLICY MAP

TO ZONE PAIRS
<*Router(config-sec-zone-pair)#description (zone pair description)>
Interfaces that belong to the same zone cannot be paired!
zone-pair security pairs together two zones in a specify

direction; if a policy needs to be applied in the reverse
direction a new pair has to be created with reversed source
/ destination values
interfaces belonging to the same zone cannot be paired
service-policy associates a policy to a zone pair
<Router(config-sec-zone-pair)#service-policy type inspect (policy map name)>
46
ZBF VERIFICAITON AND TSHOOTING
show zone security (*zone_name)

show zone-pair security (*source (source zone)) destination (destination zone))
show class-map type inspect (*class-map_name)
show policy-map type inspect (*policy-map_name)
show policy-map type inspect zone-pair sessions
(config)#ip inspect log drop-pkt
debug zone security events
COMMAND
VERIFIES
show zone security (*zone_name)
zones configured
interfaces associated with zones
show zone-pair security (*source (source zone)) destination (destination zone))
source and destination zones

policy associated with zone pairs
show class-map type inspect (*class-map_name)
class maps configured on the router
show policy-map type inspect (*policy-map_name)
policy maps configured on the router
show policy-map type inspect zone-pair sessions
ZBF state table (number of established sessions)

zone-pair and associated policy-map
policy-map and associated class-map
class-map and hits statistics
action to be taken with regards to packets that fall under class-map
default class-map characteristics
(config)#ip inspect log drop-pkt
packets dropped by the firewall
debugs events associated with ZBF
47
ZBF LOGIC
48
YES
DOES THE POLICY INCLUDE

A CLASS MAP?
NO
DROP
YES
DOES THE TRAFFIC

MATCHES THE CLASS-MAP
ASSOCIATED WITH POLICYMAP?
NO
HAS THE DEFAULT POLICY

BEEN MODIFIED?
YES
YES
APPLY POLICY-MAP:
APPLY DEFAULT POLICY
NO
DROP
POLICY STATEMENTS:
DROP
PASS
INSPECT
49
IDS & IPS

IDS vs IPS
IPS Implementations
IPS Signatures
IPS Management and Monitoring
ISP Configurations
IPS Verification and Tshooting
IDS vs IPS
IDS (Intrusion Detection System)
implemented to passively monitor network traffic

an IDS-enabled device (e.g. Switch) copies all traffic passing through on the port to which IDS is connected
the IDS appliance analyses traffic in an off-line manner by comparing it to a known malicious signatures
if a match is found the IDS sends a command to a device to deny access / block traffic
PROS
off-line implementation (promiscuous mode) ensures no impact on network performance

does not introduce latency, jitter or other traffic flow issues
CONS
IDS cannot stop malicious traffic from single-packet attacks from reaching the target system
IDS requires assistance from other networking devices (e.g. routers, firewalls) to respond to attack
less helpful in stopping email viruses and automated attacks e.g. worms
more vulnerable to network evasion techniques
a well thought-out security policy is essential to successfully deploy an IDS
IPS (Intrusion Prevention System)
implemented in inline mode all ingress and egress traffic must flow through it for processing
no traffic is allowed into the trusted network without first being analyzed
IPS can drop the trigger packet, the packets in connection or packets from a source IP address
PROS
CONS
if the traffic matches a signature the IDS can stop the attack immediately
IDS can use traffic normalization techniques to reduce or eliminate many of the network evasion capabilities
can negatively affect the packet flow of the forwarded traffic

must be appropriately sized and implemented so that time-sensitive applications e.g. VoIP are not negatively
affected
errors, failures and overrunning the IPS sensor with too much traffic
can introduce jitter and latency
50
IPS IMPLEMENTATIONS
HOST BASED IPS IMPLEMENTATION
COMMENTS
installed on individual computers using HIPS (Host Intrusion Prevention System) e.g. CSA
HIPS audits host log files, file systems and resources
protect systems using policies that network administrators configure and deploy on agents
the agents check whether an action is allowed or denied before any system resources are accessed and acted upon
can stop attacks by reacting in real time without any updates
PROS
can monitor OS processes and protect critical system resources including files that may exist only on that specific host
has access to traffic in unencrypted form
with HIPS the success or failure of an attack can be readily determined
does not provide a complete network pictures and has difficulty coordinating the events happening across the entire
network
has to support multiple OS
CONS
CSA contains two components:
NETWORK BASED IPS IMPLEMENTATION
COMMENTS
analyze network-wide activity looking for malicious activity

sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring
(regardless of the location)
PROS
CONS
additional hosts can be deployed without requiring more sensors

can easily see attacks that are occurring across the entire network
does not need to support every type of OS
does not know whether an attack was successful

cannot examine encrypted traffic
Management Center (installed on a

central server)
Security Agents (installed on hosts)
Sensors can be deployed as:
a module on a device
a dedicated appliance
a networking device with IPS
capabilities (e.g. router)
Additional sensors are only required when

their rated traffic capacities are exceeded
or their performance does not meet
current needs.
51
IPS SIGNATURES
malicious traffic displays distinct characteristics (signatures)

a set of rules that and IDS and IPS use to detect typical intrusive activity
ATOMIC SIGNATURES
COMMENTS
consists of a single packet, activity or event that is examined to determine if it matches a configured signature
because they can be matched on a single event there is no need to maintain state information by the IPS
the entire inspection can be accomplished in an atomic operation that does not require knowledge of past / future activities
detecting atomic signatures require minimal resources (e.g. RAM) on the IPS /IDS device
easy to identify and understand because they are compared against a specific event or packet
an IDS is vulnerable to an atomic packet attacks because until it finds the attack malicious single packets are allowed into the network
an IPS prevents atomic packet attacks from entering the network
COMPOSITE (STATEFUL) SIGNATURES
COMMENTS
the signature identifies a sequence of operations distributed across multiple hosts over a period of time
stateful properties of a composite signature usually require several pieces of data to match an attack signature
IPS SIGNATURE CHARACTERISTICS
ATOMIC
SERVICE
event horizon - the length of time

that the signature must maintain
state (can be adjusted)
EXAMPLE
signatures that examine simple packets
ATOMIC.IP
ATOMIC.ICMP
ATOMIC.IPOPTIONS
ATOMIC.UDP
ATOMIC.TCP
signatures that examine service that are attacked
SERVICE.DNS
SERVICE.HTTP
SERVICE.FTP
signatures that use regular expression-based patterns to detect intrusions
STRING.TCP
STRING.UDP
STRING.ICMP
STRING
MULTI-STRING
supports flexible pattern matching and Trend Labs signatures
MULTI-STRING
OTHER
internal engine that handles misc. signatures
NORMALIZER
52
IPS SIGNATURES ALARMS
PATTERN BASED
COMMENTS
simplest triggering mechanism

searches for a specific, pre-defined pattern
network traffic is compared to a database of known attacks and triggers alarm if a match is found
can be detected in a single packet (atomic) or in a sequence of packets (composite)
this technique helps to lessen the amount of inspection done on every packet
makes it more difficult for systems to deal with protocols and attacks that do not utilize well-defined ports
also known as profile-based detection

triggers alarms upon detecting traffic that deviates from normal profile (requires base-lining first)
can detect new and unpublished attacks
alarms can be misleading because not every traffic deviating from normal means a malicious activity
the administrator must guarantee that network is free of attack during base-lining
might be difficult to correlate an alert back to a specific attack (because it only indicates that non-normal traffic
was detected)
ANOMALY
POLICY
the administrator defines behaviors that are suspicious based on historical analysis
enables a single signature to cover an entire class of activities without having to specify each individual situation
HONEYPOT
uses a dummy server to attract attacks
IPS SIGNATURES ALARM TYPES
COMMENTS
FALSE POSITIVE
alarm generated in response to normal traffic
FALSE NEGATIVE
alarm not generated in response to malicious traffic
TRUE POSITIVE
alarm generated in response to malicious traffic
TRUE NEGATIVE
alarm generated in response to normal traffic
53
IPS SIGNATURE ACTIONS
COMMENTS
ATOMIC ALERTS
- generated every time a signature is detected

- can be exploited by sending numerous bogus alerts against an IPS or applications
GENERATE AN ALERT
SUMMARY ALERTS
- a single alert that indicates multiple occurrences of the same signature from the same source
- limit the number of alerts generated and make it difficult for an attacker to consume resources on the sensor
- can be configured to summarize atomic alerts as well
LOG THE ACTIVITY
DROP / PREVENT THE

ACTIVITY
RESET TCP
CONNECTION
by logging the alerts the administrator can perform analysis later and identify exactly what is taking place
and make a decision as to whether it should be allowed or denied in the future
enables the device to stop an attack before it has the chance to perform malicious activity
the analysis engine determines which packets should be forwarded and which should be dropped
the drop action can be expanded to drop all packets for a specific session or all packets from a specific host
for a specific amount of time
used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set
an IPS can use the TCP reset action to abruptly end a TCP connection that is performing unwanted
operation
can be used with conjunction with deny packet / connection actions
future traffic can be blocked by the IPS device update the ACL on one of the infrastructure devices
the ACL expires after defined amount of time
can be used with conjunction with other actions such as dropping unwanted traffic
the IPS can block traffic at multiple locations throughout the network
allows to configure exceptions
BLOCK FUTURE
ACTIVITY
ALLOW THE ACTIVITY
54
IPS MANAGEMENT AND MONITORING
MANAGEMENT
METHOD
LOCAL
sensors can be managed individually or centrally

in larger networks a centralized management system that allows to configure and manage all IPS devices
from a single device
correlating attacks and other events that are happening simultaneously at different points across the
network
NTP should be used to ensure that all alerts are accurately time-stamped
a correlation tool can correlate the alerts based on the timestamps
a centralized monitoring facility allows for accurate even correlation
SECURITY STAFF
INCIDENT RESPONSE
PLAN
MANAGING
SIGNATURES
large enterprises require the appropriate security staff to analyze numerous alerts and to tune and
optimize IPS sensors
a response plan needs to be designed to restore the state of the system to the state before the attack
upgrading sensors will mean network downtime

automatic update rather than manual if the number of sensors is high
signature packs should be placed on a dedicated FTP server within the management network
the FTP server should be allowed only read-only access
a custom signature can be created if an update is not available
the FTP server should be queried periodically and an update time windows should be set
IEV
CSM
MARS
SDEE (Secure Device Event Exchange):
EVEN CORRELATION
CISCO MARS allows for correlate not only

IPS events but other events on the
network e.g. syslog messages and
NetFlow input.
SDM
IDM
CENTRAL
an alternative to syslog
format was developed to improve
communication of events generated
by security devices
primarily communicates IDS events
but the protocols is intended to be
extensible and allows additional
event types to be included as they
are defined
Cisco SDM can monitor syslog and
SDEE-generated events
55
IPS CONFIGURATIONS
CONFIGURATION VIA CISCO CLI
STEP #
COMMANDS
COMMENTS
Required files:
In Cisco IOS software T-Train releases prior to

12.4(11)T, and in all Cisco IOS Software 12.4
Mainline releases, IPS signature selection involves
loading an XML file onto the router.
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt
XML - called the signature definition file (SDF),

contains a detailed description of each selected
signature in Cisco IPS Sensor software 4.x signature
format.
DOWNLOAD IOS IPS FILES
Starting with Cisco IOS release 12.4(11)T, there are

no built-in (hard-coded) signatures within the Cisco
IOS software. Instead all signatures are stored in a
separate signature file and must be imported. IOS
releases 12.4(11)T and later use the newer 5.x
format signature files, which can be can be
downloaded from Cisco.com
CREATE AN IPS CONFIGURATION

DIRECTORY IN FLASH
CONFIGURE AN IOS IPS CRYPTO KEY
<R1#mkdir (directory_name)>
Any system location will be accepted as long there

is write access.
<R1#dir flash:>
<R1(config)#crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
exit
The crypto key verifies the digital signature for the

master signature file (sigdef-default.xml). The
content of the file is signed by a Cisco private key
to guarantee its authenticity and integrity.
56
exit>
To remove:
<R1(config)#no crypto key pubkey-chain rsa)
<R1(config)#no named-key realm-cisco.pub>
Identify the IPS rule name and specify the location
<R1(config)#ip ips name (rule name) list (ACL name | #)>
ENABLE IOS IPS
If an ACL is used all traffic matching the permit

statement is subject to inspection by the IPS; traffic
that is denied is not inspected.
Configure the IPS signature storage location
<R1(config)#ip ips config location (location)>

<R1(config)#ip http server>
<R1(config)#ip ips notify sdee>
ENABLE SDEE AND LOGGING
<R1(config)#ip ips notify log>
<R1(config)#ip ips signature-category>
<R1(config-ips-category)#category (all | attack | ddos | dos | email)>

<R1(config-ips-category-action)# retired (true | false)>
<R1(config-ips-category-action)#exit>
<R1(config-ips-category)#exit>
CONFIGURE THE SIGNATURE

CATEGORY
Do you want to accept these changes? [confirm] (Y | N)
ip http server if not enable the router wont

be able to respond to SDEE clients
ip ips notify sdee (disabled by default)
enables SDEE notifications
ip ips notify log generates syslog messages
(if logging console is enabled messages are
displayed on the console)
ip ips signature-category - all signatures are
grouped into categories and the categories
are hierarchical
retired (true | false) retiring a signature
means that IPS does not compile that
signature into memory for scanning and
ultimately the traffic is not scanned against it.
Initially the all category should be retired and
then selected signature unretired.
IOS IPS processes the category commands in the

order listed in the configuration
If multiple categories are configured and a
signature belongs to more than one of them, IOS
IPS uses the signatures properties in the last
configured category e.g. retired, unretired
APPLY THE IPS RULE TO AN

INTERFACE
<R1(config)#interface (interface)>
A rule can be applied in both directions
<R1(config-if)#ip ips (rule name) (in | out)>
57
<R1#copy (source) idconf>
LOAD SIGNATURE PACKAGE TO THE

ROUTER
Commonly a FTP or TFTP server is used.
To verify:
<R1#show ip ips signature>
MODIFYING IPS SIGNATURES

<R1(config)#ip ips signature-category>
event-action modify the action associated

with a signature
signature (ID) (SUBID)

status sub-configuration for retiring or unretiring a signature
engine sub-configuration for modifying a
signature action
<R1(config-)#category>
<R1(config-ips-category)#(all | ios_ips (basic | advanced))>
MODYFING A GROUP OF
SIGNATURES
<R1(config-ips-category-action)#event-action (action)>
<R1(config-ips-category-action)#exit
<R1(config-ips-category)#exit>
<R1(config)#ip ips signature-definition>
<R1(config-sigdef)#signature (1-65535) (0-65535)>
<R1(config-sigdef-sig)#status>
<R1(config-sigdef-sig-status)#retired (true | false)>

<R1(config-sigdef-sig-status)#enabled (true | false)>
MODYFING AN INDIVIDUAL
SIGNATURE
<R1(config-sigdef-sig-status)#exit
<R1(config-sigdef-sig)#engine>
<R1(config-sigdef-sig-engine)#event-action (action)>
<R1(config-sigdef-sig)#exit>
<R1(config-sigdef)#exit>
58
IPS VERIFICATION AND TSHOOTING
show ip ips all

show ip ips configuration
show ip ips interfces
show ip ips signatures (detail)
show ip ips statistics
clear ip ips statistics
clear ip ips configuration
COMMAND
VERIFIES
show ip ips all
Displays all IPS configuration data
show ip ips configuration
Displays additional configuration data that is not displayed with the show running-config
show ip ips interfaces
show ip ips signatures (detail)
Vverifies the signatures configuration
show ip ips statistics
Displays number of packets audited and the number of alarms set
clear ip ips statistics
Resets statistics on packets analyzed and alarms set
clear ip ips configuration
Removes all IPS configuration entries and releases dynamic resources
interface configuration data

inbound / outbound rules
59
LAYER 2
SECURITY
Layer 2 Attacks
Securing Layer 2
o
o
o
o
DTP Modes
Switchport Security
STP Security
Misc
LAYER 2 ATTACKS
ATTACK
HOW IT WORKS
MAC ADDRESSING SPOOFING
MAC ADDRESS TABLE

OVERFLOW
COMMENTS
a rouge host masquerades or poses as another to receive otherwise inaccessible data or to

circumnavigate security appliances
performed by changing the MAC address of the rouge device to match another known MAC
address of a known device
the attacking hosts then sends a frame throughout the network with the newly configured MAC
address
when the switch receives the frame with new MAC address it removes the original entry and
assigns the new MAC address to the new port
when the target host sends traffic the switch receives and examines the frame, which results in the
MAC address table being rewritten
takes advantage of the MAC table limited size and bombards the switch with fake source MAC
addresses until the switch MAC table is full if enough entries are entered into MAC addresses
table before older entries expire, the table fills up to the point that no new entries are can be
accepted
when this happens the switch begins to flood all incoming traffic to all ports (effectively turning into
hub)
the attacker can see all of the frames sent from one host to another (but only within the local
VLAN)
If the intruder does not maintain the

flood of invalid source MAC addresses
the switch eventually ages out the older
MAC addresses from the table.
Most common protection would be set a
limit to dynamically learnt MAC
addresses.
macof this tool floods a switch with
frames containing randomly generated
source MAC and IP addresses; as long as
it is running the switch acts as a hub.
STP MANIPULATION ATTACKS
LAN STORM ATTACKS
the attacker broadcasts BPDUs that contain false STP configuration and topology changes
aim to promote the rouge device to the rank of ROOT BRIDGE, which will result in the attacker
having access to otherwise inaccessible traffic
LAN Storm packets flood the LAN creating excessive traffic and hurting network performance
broadcasts and multicasts are flooded on all ports within the same VLAN
storms can increase the CPU utilization on a switch to 100%
PortFast
ROOT guard
BPDU guard
May be caused by errors in stack

implementation, configuration or user
initiated DoS attacks.
60
VLAN ATTACKS
exploiting DTP (Dynamic Trunking Protocol)

double-tagging
Can be done by spoofing DTP messages

or using a rouge switch.
Works only if the rouge and trunk port
have the same native vlan configured.
61
SECURING LAYER 2
DTP MODES
MODE
OVERVIEW
COMMENTS
starts as a TRUNK port

periodically sends DTP frames (advertisements) to the remote host
unconditional trunking state
TRUNK
To hardcode mode on an interface:
DYNAMIC AUTO
<S1(config-if)#switchport mode trunk>
starts as an ACCESS port

periodically sends DTP frames to the remote host
advertises that it is able to trunk
does not request remote host to go into trunking mode
DYNAMIC DESIRABLE (default)
< S1(config-if)#switchport mode dynamic auto>
starts as an ACCESS port

periodically sends DTP frames to the remote host
advertises that is able to trunk
requests remote host to go into trunking mode
NON-NEGOTIATE
<S1(config-if)#switchport mode dynamic desirable>
disables DTP protocol

use when connecting switch from different vendors
<S1(config-if)#switchport nonegotiate>
62
ACCESS
TRUNK
DYNAMIC AUTO
DYNAMIC DESIRABLE
NON-NEGOTIATE
ACCESS
ACCESS
MISMATCH
ACCESS
ACCESS
MISMATCH
TRUNK
MISMATCH
TRUNK
TRUNK
TRUNK
TRUNK
DYNAMIC AUTO
ACCESS
TRUNK
ACCESS
TRUNK
MISMATCH
DYNAMIC DESIRABLE
ACCESS
TRUNK
TRUNK
TRUNK
MISMATCH
NON-NEGOTIATE
MISMATCH
TRUNK
MISMATCH
MISMATCH
TRUNK
63
SWITCHPORT SECURITY
STEP #
SET PORT TO ACCESS MODE
ENABLE SWITCHPORT SECURITY
MAXMIUM MAC ADDRESSESES
SECURITY VIOLATION MODE
COMMANDS
COMMENTS
<S1(config-if)#switchport mode access>
A port can only be secured if it is in explicit ACCESS

mode.
<S1(config-if)#switchport port-security>
None of the port security settings will take effect

until this command is issued.
<S1(config-if)#switchport port-security maximum (1-132)>
Number of MAC addresses allowed on the port.
<S1(config-if)#switchport port-security violation (protect | restrict | shutdown)>
To recover a port from err-disabled state:
<S1(config-if)#shutdown>
<S1(config-fi)#no shutdown>
protect blocks all MAC addresses above the

limit
restrict as above + sends a syslog msg. +
sends a SNMP trap + increments violation
counter
shutdown puts port into err-disabled state
OR
<S1(config)#errdisable recovery cause psecure-violation>
<S1(config-if)#switchport port-security mac-address (H.H.H | sticky)>
H.H.H.H enter MAC address manually

sticky learns the incoming MAC addresses
and adds them to the running configuration; if
the command is later removed all sticky MACs
remain a part of the running conf. but are
removed from the MAC table
<S1(config-if)#switchport port-security aging static time (0-1440) type (absolute |

inactivity)>
absolute - all secure addresses on this port are

age out exactly after specified time and
removed from the secure address list
inactivity secure address on this port are
aged out only if there is no data traffic from
the secure source for the specified time period
MAC ADDRESS ENTRY
AGING
TSHOOT
show port-security (interface)

show port-security address
64
STP SECURITY
STEP #
COMMANDS
<S1(config)#spanning-tree portfast default>
PortFast
<S1(config-if)#spanning-tree portfast>
<S1(config)#spanning-tree portfast bpduguard default>
COMMENTS
<S1(config-if)#spanning-tree bpduguard enable>
spanning-tree portfast default sets all nontrunking ports to PortFast

spanning-tree portfast sets given port to
PortFast (instant transition to ACCESS mode)
spanning-tree portfast bpduguard default
enable BPDU Guard on all PortFast ports
If a port with BPDU Guard enabled receives a BPDU

it will be blocked.
BPDU Guard
Should be enabled on all non-trunking ports.
BPDU Filter
Root Guard
<S1(conif-if)#spanning-tree bpdufilter>
spanning-tree bpdufilter disable sending and

receving of BPDUs
<S1(config-if)#spanning-tree guard root>
spanning-tree guard root enables root guard

on a per-interface basis
If a port with Root Guard enabled receives a BPDU

with a lower priority than those issued by the
current root bridge, that port is moved into rootinconsistent state (STP listening state) - the port
recovers as soon as the offending BPDUs stop being
received.
Best deployed toward ports that connect to switches
that should never become the root bridge.
65
MISC
<S1(config-if)#storm-control (broadcast | multicast | unicast) level ()>
level (level-low)
bps (bps-low)
pps (pps-low)
Allows to shutdown interfaces sending excessive

traffic.
The blocked port remains shut until the traffic drops
below the falling threshold.
<S1(config-if)#storm-control action (shutdown | trap)>

To verify:
<S1#show storm-control (broadcast | multicast | unicast)>
Storm Control
<S1(config)#monitor session 1 source(interface | vlan) (i-face | vlan) (both | rx | tx)>

<S1(config)#monitor session 1 destination interface (interface)>
SPAN Ports
To verify:
<S1#show monitor>
level (level-low) specifies the rising and

falling suppression levels as a % of total
bandwidth of the port:
level rising suppression (0.00 100.00);
flooding of storm packets is blocked when the
value specified is reached
level-low falling suppression level (0.00
100.00); by default equals to the value of rising
suppression
bps (bps-low) specifies the rising and falling
suppression levels as a rate in bits per seconds
at which traffic is received on the port.
pps (pps-low) specifies the rising and falling
suppression levels as a rate in packets per
seconds at which traffic is received
action shutdown err-disabled status
action trap the switch sends a SNMP trap
when a storm occurs
Forwards all the traffic received on port specified to

a specified destination port (mirrors the traffic) for
further analysis (to an IPS / IDS).
RSPAN allows for mirroring traffic to a port on a
remote device.
66
IPSec
IPSec Configuration
IKE Phase 1
IKE Phase 2
IPSec Verification and Tshooting

IPSec Configuration Example
IPSec Planning Template
IPSec CONFIGURATION
IKE PHASE 1
IKE - Internet Key Exchange

PHASE 1 is used:
o to exchange and agree on policy sets to be used
o to exchange DH keys
o to authenticate the peer
can run in MAIN or AGGRESSIVE mode
STEP #
COMMANDS
COMMENTS
<Router(config)#access-list 102 permit ahp host A.A.A.A host A.A.A.A>

<Router(config)#access-list 102 permit esp host A.A.A.A host A.A.A.A>
*ENSURE IPsec TRAFFIC IS

ALLOWED
<Router(config)#access-list 102 permit udp host A.A.A.A host A.A.A.A eq isakmp>

<Router(config)#interface (interface)>
<Router(config-if)#ip access-group 102 in>
ENABLE ISAKMP
<Router(config)#crypto isakmp enable>
IPSec uses the following protocols:
ESP (IP 50)

AH (IP 51)
ISAKMP (UDP 500)
They have to be permitted i.e. not blocked on the interfaces

using IPSec (restrictive traffic policies are most likely to be
present on perimeter routers).
The default state of isakmp will differ depending on the IOS
version.
67
<Router(config)#crypto isakmp policy (1-10000)>

<Router(config-isakmp)#authentication (pre-share | rsa-encr | rsa-sig)>
<Router(config-isakmp)#encryption (3des | aes | des)>
<Router(config-isakmp)#hash (md5 | sha)>
<Router(config-isakmp)#group (1 | 2 | 5 | 14 | 15 | 16)>
<Router(config-isakmp)#lifetime (60 - 86400)>
To verify:
Each policy configured on a router is assigned a priority

number, which is only locally significant (the lower the number
the higher the priority).
The peer initiating the negotiation sends all of its policies to the
remote peer, who compares them with the locally configured
until a match is found - the policies with higher priorities are
compared first (thats why the most secure policies should
have lower priorities).
For a match to be found, two policies have to use identical
following protocols:
<Router#show crypto isakmp policy>
CREATE ISAKMP POLICY
AUTHENTICATION
ENCRYPTION
HASH
DH LEVEL
If a match is found ISAKMP will use DH algorithm to exchange

keys and authenticate the peers
If a match is not found ISAKMP refuses negotiation.
<Router(config)#crypto isakmp identity (address | hostname)>
CREATE ISKAMP LOCAL ID
lifetime - specifies after what time the IKE Phase 1 tunnel

is torn down and re-established (the value does not have
to be identical on both ends and if a non-default value is
used the lower the value on either sides is used).
The router can ID itself when communicating with the remote

end using either its IP address or hostname (both ends need to
use the same form of authentication).
Hostname should only be used when the routers IP address is
a subject to frequent changes e.g. by the ISP.
If hostname is used a DNS server must be present to resolve
the hostname to its IP address.
68
IF LOCAL ID = HOSTNAME
The PKS has to be identical on both ends.
<Router(config)#crypto isakmp key (key up to 128 char) hostname (remote devices

hostname)>
IF LOCAL ID = IP ADDRESS
CREATE PSKs
<Router(config)#crypto isakmp key (key up to 128 char) address (remote devices IP

address)>
To verify:
<Router#show crypto isakmp key>
69
IKE PHASE 2
PHASE 2 is used to:

o negotiates and establishes IPSec SA (Security Associations) parameters protected by the existing IKE SA
o periodically renegotiates IPSec SA to ensure security
o optionally performs an additional DH exchange (with PFS)
STEP #
COMMANDS
COMMENTS
<Router(config)#crypto ipsec transform set (name) (AH authentication) (ESP

authentication) (ESP encryption) (compression)>
*<Router(cfg-crypto-trans)#mode (transport | tunnel)>
Multiple sets can be configured and multiple sets can be

specified in a crypto map
To verify:
<Router#show crypto ipsec transform-set (sets name)>
transform set - groups together security protocols and

their protection methods and create security parameters
that protect traffic traveling through the IPSec tunnel
Each set is compared against each of the sets configured on the

peer - at least one needs to match
There are four groups of transforms (only one transform from
each category can be used):
CREATE TRANSFORM SET
o
o
o
o
<Router(config)#crypto ipsec security-association lifetime kilobytes (2560 - 4294967295)
mode transport - protection of L2 and below

mode tunnel - protection of L3 and below
lifetime kilobytes - sets the amount of data limit after

reaching which will cause the tunnel to be torn down and
renegotiated (default = 460800 kb)
lifetime seconds - sets the time period after which the
tunnel will be torn down and renegotiated (default =
3600 sec.)
idle-timer - disabled by default
<Router(config)#crypto ipsec security-association lifetime seconds (120 - 86400)>
*TUNE IPSec SA
PARAMETERS
<Router(config)#crypto ipsec security-association idle-time (60 - 86400)>
AU AUTHENTICATION (hashing)
ESP AUTHENTICATION (hashing)
ESP ENCRYPTION
COMPRESSION
70
<Router(config)#ip access-list extended (ACL name | #)>

<Router(config-ext-nacl)#(permit | deny) ip (source) (destination)>
<Router(config)#crypto map (map name) (sequence number) ipsec-isakmp>
Crypto map binds all the IPSec information together.
<Router(config-crypto-map)#match address (crypto ACL)>
Only one crypto map can exist on an interface.
<Router(config-crypto-map)#set peer (remote peers IP address)>
If no PKS are configured, the SA keys Phase 1 connection.
CREATE CRYPTO MAP
*<Router(config-crypto-map)#set pfs (1 | 2 | 5 )>
ASSIGN CRYPTO MAP TO

AN INTERFACE
permit - encrypt data

deny - send in plain text
The ACL criteria are applied in the forward direction to traffic

exiting the router, and in the backward direction to the traffic
entering the router (the outbound ACL source becomes the
inbound ACL destination).
CREATE CRYPTO ACL
<Router(config-crypto-map)#set transform-set (transform sets name)>
sequence number - used to prioritize multiple maps that

may exist on a router (the lower the number the higher
the priority)
set pfs - (Perfect Forward Secrecy) performs a new DH
exchange with each quick mode and provides key
material that has greater life and thereby greater
resistance to cryptographic attacks (increases CPU usage)
<Router(config-if)#crypto map (crypto map name)>
71
IPSec VERIFICATION AND TSHOOTING
show crypto isakmp policy

show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp (connection ID)
clear crypto sa
clear crypto sa peer
clear crypto sa map
clear crypto sa counters
COMMAND
VERIFIES
EXAMPLE
Displays all of the isakmp policies defined on the router:
policy number
encryption algorithm
hashing algorithm
authentication method
DH group
lifetime
Displays all of the transform sets defined on the router:
transform set name

encryption algorithm
hashing algorithm
72
Displays all of the crypto maps defined on the router:
show crypto map
maps name and sequence number

peer associated with the map
ACL defining interesting traffic associated
with the map
transform set associated with the map
interface associated with the map
IKE Phase 1 Tunnel information:
source and destination

tunnels state (QM_IDLE desired)
tunnels status (ACTIVE desired)
MM = Main Mode
QM = Quick Mode
PHASE / STATE
DESCRIPTION
The tunnel has been initialized but nothing
has been negotiated yet.
MM_NO_STATE
AG_NO_STATE
MM_SA_SETUP
The peers have negotiated IKE Phase 1

policies.
MM_KEY_EXCH
DH has completed.
AG_INIT_EXCH
The peers have negotiated the Phase 1

policies and performed DH.
AG_AUTH
QM_IDLE
The Phase 1 authentication has completed.
The Phase 1 and/or Phase 2 sessions have

completed successfully.
73
IKE Phase 2 Tunnel information:
local and remote identity

packets encapsulated / encrypted / digested
packets decapsuated / decrypted / verified
74
Displays tunnels information and statistics
show crypto session detail
debug crypto isakmp
Debugs the process of creating IKE Phase 1 tunnel
debug crypto ipsec
Debugs the process of creating IKE Phase 2 tunnel
clear crypto isakmp (connection ID)
Clears active ISAKMP connections
clear crypto sa
Clears all data SA
clear crypto sa peer (IP Address |

hostname)
Clears data SA associated with specific peer.
clear crypto sa map
Clears all data SA associated with specific crypto map.
clear crypto sa counters
Clears the counters in the output of the show crypto ipsec sa
75
IPSec CONFIGURATION EXAMPLE

Secure the traffic sent between 172.30.2.0 /24 and 192.168.1.0 /24
IKE PHASE 1: PLANNING

PEERS
PEER 1: HOME
LOCAL ID
IP ADDRESS
PEER 2: REMOTE
IP ADDRESS
98.174.249.99
67.40.69.33
#10
#60
POLICY
NUMBER
AUTHENTICATION
ENCRYPTION
HASHING
DH LVL
LIFETIME
PRE SHARED KEY

AES 128
SHA 1
2
86,400
PRE SHARED KEY
NAME
ACCEPTED FROM
cbtkey
67.40.69.33
98.174.249.99
IKE PHASE 2: PLANNING

TRANSFORM SET
CBTVPN
NAME
AH HASHING
N/A
ESP HASHING
ESP-AES 123
ESP ENCRYPTION
COMPRESION
ESP-SHA-1-HMAC
N/A
76
CRYPTO ACL
S2S-VPN-TRAFFIC
NAME
INTERESTING TRAFFIC
S2S-VPN-TRAFFIC
172.30.2.0 /24 192.168.1.0 /24
CRYPTO MAP
S2S-VPN
S2S-VPN
SEQUENCE #
100
200
INTERFACE
s1/0
s1/1
NAME
IKE PHASE 1: CONFIGURATION

STEP #
1. ENABLE ISAKMP
COMMANDS
<Router(config)#crypto isakmp enable>
<Rotuer(config)#crypto isakmp policy 10>
<Router(config-isakmp)#authentication pre-share>
<Router(config-isakmp)#encryption aes 128 >
<Router(config-isakmp)#group 2>
2. CREATE ISAKMP POLICY
<Router(config-isakmp)#hash sha>
<Router(config-isakmp)#lifetime 86400>
VERIFY:
<Router#show crypto isakmp policy>
3. CREATE ISAKMP LOCAL IDENTITY
<Router(config)#crypto isakmp identity address>

<HOME(config)#crypto isakmp key cbtkey address 67.40.69.33>
<REMOTE(config)#crypto isakmp key cbtkey address 98.174.249.99>
4. CONFIGURE PRE-SHARED KEYS

VERIFY:
<Router#show crypto isakmp key>
77
IKE PHASE 2: CONFIGURATION

STEP #
COMMANDS
5. CREATE TRANSFORM SET
<Router(config)#crypto ipsec transform-set CBTVPN esp-aes 128 esp-sha-hmac>

<Router(config)#ip access-list extended S2S-VPN-TRAFFIC
6. CREATE CRYPTO ACL
<HOME(config-ext-nacl)#permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255>

<REMOTE(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255>
<Router(config)#crypto map S2S-VPN 100 ipsec-isakmp>
<Router(config-crypto-map)#match address S2S-VPN-TRAFFIC>
<HOME(config-crypto-map)#set peer 67.40.69.33>
<REMOTE(config-crypto-map)#set peer 98.174.249.99>
7. SET UP IPSec CRYPTO-MAP
<Router(config-crypto-map)#set transform-set CBTVPN)>

VERIFY:
<Router#show crypto map>
<HOME(config)#interface s1/0>
8. ASSIGN CRYPTO MAP TO AN INTERFACE
<HOME(config-if)#crypto map S2S-VPN>

<REMOTE(config)#interface s1/1>
<REMOTE(config-if)#crypto map S2S-VPN>
VERIFICATION AND TSHOOTING

show crypto isakmp key
show crypto ipsec transport-set
show crypto map
debug crypto isakmp
debug crypto ipsec
78
CONFIGURATION FILES
HOME
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 67.40.69.33
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
set peer 67.40.69.33
set transform-set CBTVPN
match address S2S-VPN-TRAFFIC
!
interface Serial1/0
ip address 98.174.249.99 255.255.255.0
serial restart-delay 0
crypto map S2S-VPN
!
!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
REMOTE
!
encr aes
group 2
crypto isakmp key cbtkey address 98.174.249.99
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
set peer 98.174.249.99
set transform-set CBTVPN
match address S2S-VPN-TRAFFIC
!
interface Serial1/1
ip address 67.40.69.33 255.255.255.0
serial restart-delay 0
crypto map S2S-VPN
!
!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255
!
79
IPSec PLANNING TEMPLATE

IKE PHASE 1
PEER
PEER 1
LOCAL ID
IP ADDRESS
PEER 2
POLICY
NUMBER
AUTHENTICATION
ENCRYPTION
HASHING
DH LVL
LIFETIME
PRE SHARED KEY
NAME
ACCEPTED FROM
IKE PHASE 2
TRANSFORM SET
NAME
AH HASHING
ESP HASHING
ESP ENCRYPTION
COMPRESION
CRYPTO ACL
NAME
INTERESTING TRAFFIC
CRYPTO MAP
NAME
SEQUENCE #
INTERFACE
80
APPENDIXES
IPv4 Subnetting
Common Ports
ACLs
Zone Based Firewall
IPSec
IOS IPV4 ACCESS LISTS
packetlife.net
Standard ACL Syntax
Actions
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]
permit
Allow matched packets
deny
Deny matched packets
remark
Record a configuration comment
evaluate
Evaluate a reflexive ACL
Extended ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers
1-99
IP standard
1300-1999
Source/Destination Definitions
any Any address
host <address> A single address
100-199
IP extended
2000-2699
<network> <mask> Any address matched by the wildcard mask
200-299 Protocol
IP Options
300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established
Match packets in an
established session
Logging Options
log Log ACL entry matches
Log matches including
log-input ingress interface and
source MAC address
by Jeremy Stretch
dscp <DSCP> Match the specified IP DSCP

fragments Check non-initial fragments
option <option> Match the specified IP option
precedence {0-7} Match the specified IP precedence
ttl <count> Match the specified IP time to live (TTL)
TCP/UDP Port Definitions
eq <port> Equal to
neq <port> Not equal to
lt <port> Less than
gt <port> Greater than
range <port> <port> Matches a range of port numbers

Miscellaneous Options
reflect <name> Create a reflexive ACL entry
time-range <name> Enable rule only during the given time range
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}
Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
v2.0
COMMON PORTS
packetlife.net
TCP/UDP Port Numbers
7 Echo
554 RTSP
19 Chargen
2745 Bagle.H
6891-6901 Windows Live
546-547 DHCPv6
2967 Symantec AV
6970 Quicktime
560 rmonitor
3050 Interbase DB
7212 GhostSurf
22 SSH/SCP
563 NNTP over SSL
3074 XBOX Live
23 Telnet
587 SMTP
3124 HTTP Proxy
8000 Internet Radio
25 SMTP
591 FileMaker
3127 MyDoom
8080 HTTP Proxy
42 WINS Replication
593 Microsoft DCOM
3128 HTTP Proxy
43 WHOIS
631 Internet Printing
3222 GLBP
8118 Privoxy
49 TACACS
636 LDAP over SSL
3260 iSCSI Target
8200 VMware Server
53 DNS
639 MSDP (PIM)
3306 MySQL
8500 Adobe ColdFusion
646 LDP (MPLS)
3389 Terminal Server
8767 TeamSpeak
69 TFTP
691 MS Exchange
3689 iTunes
8866 Bagle.B
70 Gopher
860 iSCSI
3690 Subversion
79 Finger
873 rsync
3724 World of Warcraft
80 HTTP
902 VMware Server
20-21 FTP
67-68 DHCP/BOOTP
88 Kerberos
989-990 FTP over SSL
102 MS Exchange
110 POP3
113 Ident
9800 WebDAV
4444 Blaster
9898 Dabber
995 POP3 over SSL
4664 Google Desktop
9988 Rbot/Spybot
4672 eMule
9999 Urchin
1026-1029 Windows Messenger
4899 Radmin
1080 SOCKS Proxy
5000 UPnP
1080 MyDoom
5001 Slingbox
1194 OpenVPN
5001 iperf
143 IMAP4
1214 Kazaa
5004-5005 RTP
1241 Nessus
5050 Yahoo! Messenger
177 XDMCP
1311 Dell OpenManage
5060 SIP
179 BGP
1337 WASTE
5190 AIM/ICQ
201 AppleTalk
9119 MXit
4333 mSQL
135 Microsoft RPC
161-162 SNMP
9100 HP JetDirect
9101-9103 Bacula
3784-3785 Ventrilo
123 NTP
137-139 NetBIOS
8086-8087 Kaspersky AV
993 IMAP4 over SSL
1025 Microsoft RPC
119 NNTP (Usenet)
7648-7649 CU-SeeMe
1433-1434 Microsoft SQL
5222-5223 XMPP/Jabber
10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob
264 BGMP
1512 WINS
5432 PostgreSQL
19226 AdminSecure
318 TSP
1589 Cisco VQP
5500 VNC Server
19638 Ensim
1701 L2TP
5554 Sasser
20000 Usermin
5631-5632 pcAnywhere
24800 Synergy
381-383 HP Openview
389 LDAP
1723 MS PPTP
411-412 Direct Connect
1725 Steam
443 HTTP over SSL
1741 CiscoWorks 2000
445 Microsoft DS
1755 MS Media Server
464 Kerberos
1812-1813 RADIUS
5800 VNC over HTTP

5900+ VNC Server
6000-6001 X11
6112 Battle.net
25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty
465 SMTP over SSL
1863 MSN
6129 DameWare
497 Retrospect
1985 Cisco HSRP
6257 WinMX
500 ISAKMP
2000 Cisco SCCP
512 rexec
2002 Cisco ACS
6500 GameSpy Arcade
Chat
513 rlogin
2049 NFS
6566 SANE
Encrypted
6588 AnalogX
Gaming
514 syslog
2082-2083 cPanel
6346-6347 Gnutella
515 LPD/LPR
2100 Oracle XDB
6665-6669 IRC
520 RIP
2222 DirectAdmin
6679/6697 IRC over SSL
521 RIPng (IPv6)
2302 Halo
540 UUCP
2483-2484 Oracle DB
31337 Back Orifice

33434+ traceroute
6699 Napster
Legend
Malicious
Peer to Peer
Streaming
6881-6999 BitTorrent
IANA port assignments published at http://www.iana.org/assignments/port-numbers
by Jeremy Stretch
v1.1
IOS IPV4 ACCESS LISTS
packetlife.net
Standard ACL Syntax
Actions
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]
permit
Allow matched packets
deny
Deny matched packets
remark
Record a configuration comment
evaluate
Evaluate a reflexive ACL
Extended ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers
1-99
IP standard
1300-1999
Source/Destination Definitions
any Any address
host <address> A single address
100-199
IP extended
2000-2699
<network> <mask> Any address matched by the wildcard mask
200-299 Protocol
IP Options
300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established
Match packets in an
established session
Logging Options
log Log ACL entry matches
Log matches including
log-input ingress interface and
source MAC address
by Jeremy Stretch
dscp <DSCP> Match the specified IP DSCP

fragments Check non-initial fragments
option <option> Match the specified IP option
precedence {0-7} Match the specified IP precedence
ttl <count> Match the specified IP time to live (TTL)
TCP/UDP Port Definitions
eq <port> Equal to
neq <port> Not equal to
lt <port> Less than
gt <port> Greater than
range <port> <port> Matches a range of port numbers

Miscellaneous Options
reflect <name> Create a reflexive ACL entry
time-range <name> Enable rule only during the given time range
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}
Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
v2.0
IOS ZONE-BASED FIREWALL

Terminology
Inspection Class Configuration
Security Zone
A group of interfaces which share a common level of security
Zone Pair
A unidirectional pairing of source and destination zones to which a
security policy is applied
Inspection Policy
An inspect-type policy map used to statefully filter traffic by
matching one or more inspect-type class maps
Parameter Map
An optional configuration of protocol-specific parameters referenced
by an inspection policy
MPLS WAN
Internet
G0/0
G0/1
! Match by protocol
class-map type inspect match-any ByProtocol
match protocol tcp
match protocol udp
match protocol icmp
! Match by access list
ip access-list extended MyACL
permit ip 10.0.0.0 255.255.0.0 any
!
class-map type inspect match-all ByAccessList
match access-group name MyACL
Parameter Map Configuration
Security Zones
Trusted
packetlife.net
Internet
parameter-map type inspect MyParameterMap

alert on
audit-trail off
dns-timeout 5
max-incomplete low 20000
max-incomplete high 25000
icmp idle-time 3
tcp synwait-time 3
Guest
Inspection Policy Actions

Drop Traffic is prevented from passing
Corporate
LAN
G0/2.10
G0/2.20
Guest
Wireless LAN
! Defining security zones

zone security Trusted
zone security Guest
zone security Internet
! Assigning interfaces to security zones
interface GigabitEthernet0/0
zone-member security Trusted
!
interface GigabitEthernet0/1
zone-member security Internet
!
interface GigabitEthernet0/2.10
zone-member security Trusted
!
interface GigabitEthernet0/2.20
zone-member security Guest
Zone Pair Configuration

! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
service-policy type inspect Trusted2Internet
Pass
Traffic is permitted to pass without

stateful inspection
Traffic is subjected to stateful

Inspect inspection; legitimate return traffic is
permitted in the opposite direction
Inspection Policy Configuration
policy-map type inspect MyInspectionPolicy
! Pass permitted stateless traffic
class VPN-Tunnel
pass
! Inspect permitted stateful traffic
class Allowed-Traffic1
inspect
! Stateful inspection with a parameter map
class Allowed-Traffic2
inspect MyParameterMap
! Drop and log unpermitted traffic
class class-default
drop log
Troubleshooting
show zone security
show zone-pair security
show policy-map type inspect
zone-pair security G2I source Guest destination Internet

service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
service-policy type inspect Internet2Trusted
by Jeremy Stretch
show class-map type inspect

show parameter-map type inspect
v1.0
IPSEC
packetlife.net
Protocols
Encryption Algorithms
Internet Security Association and Key Management

Protocol (ISAKMP)
A framework for the negotiation and management of
security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric
cryptography
Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer
authentication; IP protocol 50
Authentication Header (AH)
Provides data integrity and peer authentication, but not data
encryption; IP protocol 51
L2
IP
TCP/UDP
Transport
Mode
L2
IP
ESP/AH
Tunnel
Mode
L2
New IP
ESP/AH
Strength
56
Weak
168
Medium
AES Symmetric
128/192/256
Strong
RSA Asymmetric
1024+
Strong
DES Symmetric
3DES Symmetric
Hashing Algorithms
Length (Bits)
MD5 128
Strength
Medium
SHA-1 160
Strong
IKE Phases
Phase 1.5 (optional)

Xauth can optionally be implemented to enforce
user authentication
TCP/UDP
IP
TCP/UDP
Transport Mode
The ESP or AH header is inserted behind the IP header; the
IP header can be authenticated but not encrypted
Tunnel Mode
A new IP header is created in place of the original; this
allows for encryption of the entire original packet
Configuration
encryption aes 256
hash sha
group 2
lifetime 3600
Key Length (Bits)
Phase 1
A bidirectional ISAKMP SA is established
between peers to provide a secure management
channel (IKE in main or aggressive mode)
IPsec Modes
Original
Packet
Type
ISAKMP Policy
Phase 2
Two unidirectional IPsec SAs are established for
data transfer using separate keys (IKE quick
mode)
Terminology
Data Integrity
Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Data Confidentiality
Encryption is used to ensure data cannot be
intercepted by a third party
Data Origin Authentication
Authentication of the SA peer
ISAKMP Pre-Shared Key
crypto isakmp key 1 MySecretKey address 10.0.0.2

IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac

mode tunnel
IPsec Profile
crypto ipsec profile MyProfile

set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
Anti-replay
Sequence numbers are used to detect and
discard duplicate packets
Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
provide message authenticity
Diffie-Hellman Exchange
A shared secret key is established over an
insecure path using public and private keys
Troubleshooting
debug crypto {isakmp | ipsec}
by Jeremy Stretch
v2.0

IOS Security Reference Manual Ver. 0.9

Uploaded by

Copyright:

Available Formats

IOS Security Reference Manual Ver. 0.9

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IOS Security Reference Manual Ver. 0.9

Uploaded by

Copyright:

Available Formats

Reference Manual ver. 1.

Created by Paul Nadstoga (pnadstoga@gmali.com)

ADMINISTRATIVE ACCESS SECURITY

CONFIGURE ENABLE PASSWORD

<Router(config)#enable secret (password)>

MIN. PASSWORD LENGTH

<Router(config)#security password min-length (0-16)>

The recommended min. password length is 10 characters.

enable secret - password restricts access to privilege

The password encryption affects all the passwords created

ENCRYPT PASSWORDS STORED

Type 7 encryption is used (very weak algorithm).

CREATE LOCAL USER DATABASE

<Router(config)#username (username) secret (0 | 5) (password)>

0 indicates that plain text password will follow

ACCESS LINES CONFIG MODE

<Router(config)#line vty 0 4>

The password has to be configured before trying to issue the

<Router(config-line)#login | login local>

ENABLE PASSWORD PROMPT

login enables the password prompt when trying to

<Router(config-line)#exec-timeout (0-35791min.) (0-2147483 sec.)

CONFIGURE IDLE TIMEOUT

Allows only outgoing connections on the line.

EXEC displayed when an EXEC process is created

<Router(config)#login block-for (1-65535) attempts (1-65535) within (1-65535)>

Activates other login enhancements.

<Router(config)#login quiet-mode access-class (ACL name | #)>

Starts in NORMAL (WATCH) mode during which the router

ENABLE LOGIN ENHANCEMENTS

An ACL can be applied to allow login attempts, while in the

Delay in sec. between successive login attempts (both failed

CONFIGURE LOGIN DELAY

Helps mitigate dictionary attacks.

RECORD SUCCESSFUL LOGINS

Logs every successful login attempt.

log - generates a syslog message

log - logs every failed login attempt

RECORD FAILED LOGINS

<Router(config)#security authentication failure rate (2-1024) log

SSH (SECURE SHELL)

CONFIGURE DOMAIN NAME

<Router(config)#ip domain-name (domain name)>

GENERATE 1-WAY SECRET KEY

<Router(config)#crypto key generate rsa general-keys modulus (360-2028)>

A minimum recommended value is 1024 bits.

SSH ver. 1 is automatically enabled once keys are

<Router#show crypto key mypublic rsa>

CREATE LOCAL USER DATABASE ENTRY

ENABLE VTY INBOUND SSH SESSIONS

*SET SSH VERSION

<Router(config)#ip ssh time-out (1-120)>

*TUNE LOGIN ATTEMPTS LIMIT

<Router(config)#ip ssh authentication-retries (3, 0-5)>

Version 2 provides better encryption and integrity

SECURING THE SYSTEM FILES

TO SECURE THE IOS IMAGE + CONFIGURATION

SECURE THE IOS IMAGE

Secure IOS Resiliency feature securely archives files in