Forming CCIE sec study group
Hi,
I am about to start a CCIE security study group (around 10 people).
The goal is to share study approaches, ideas, problems etc. to stay motivated, to keep a good study pace and to be in touch with other students.
The idea is to send one email per week (a kind of report) to the other students within the group and inform them about progress, problems, setbacks etc.
You should be
1) At any stage of your CCIE security preparation, but serious about studying
2) Willing to write one mail per week about your progress, experiences etc.
So if you are interested, drop me an email at
ccie.sec.group@gmail.com
with a short introduction (location, stage of your preparation).
Technology MiniLab ASA part I.
This Mini Lab focuses on various Cisco ASA technologies and is part of DENYIP's CCIE Security technology minilabs.
If you have any question or suggestion feel free to post in the discussion or contact me at milsir(at)gmail.com
The lab is based on the following setup.
The following HW is needed:
1x Cisco ASA or PIX
1x Switch dot1q capable
4x Router with at least one Ethernet interface
Dynamips can be used as well; I tried both a real lab and Dynamips. For Dynamips I used the following NET file:
[localhost:7200]
workingdir = C:\path to your working directory
[[2621]]
image = C:\path to your IOS
ram = 92
idlepc = your idle PC
[[Router R1]]
model = 2621
Fa0/0 = S1 1
[[Router R2]]
model = 2621
Fa0/0 = S1 2
[[Router R3]]
model = 2621
Fa0/0 = S1 3
[[Router R4]]
model = 2621
Fa0/0 = S1 4
[[ethsw S1]]
1 = access 10
2 = access 20
3 = access 30
4 = access 40
5 = dot1q 1
6 = dot1q 1
[pemu localhost]
[[525]]
serial=<removed>
key=<removed>
image = path to your PIX image
[[fw FW1]]
e0 = S1 5
e1 = S1 6
TASKS
TASK1 – Addressing and basic connectivity
Configure the interfaces (sub-interfaces) of the FW in the following way:
e1.10 – nameif R10, VLAN10, security level 10, IP 10.10.10.1
e1.20 – nameif R20, VLAN20, security level 20, IP 10.10.20.1
e0.30 – nameif R30, VLAN30, security level 30, IP 10.10.30.1
e0.40 – nameif R40, VLAN40, security level 40, IP 10.10.40.1
Configure IP addressing of the routers according to the drawing (including loopbacks).
The R40 interface is a DHCP client. Configure R30 to be the DHCP server for this router and make sure this interface will always be assigned IP 10.10.40.2.
TASK2 – routing , ACL
Delete all static routes and run RIP v2 between all devices; propagate all networks including loopbacks and use MD5 authentication. Permit ICMP between all routers and verify connectivity with ping (you should be able to ping all loopbacks from all routers); use only one line in your ACL.
TASK3 – SSH access
Enable SSH with local authentication on all routers; do not use the domain command on the routers. Enable SSH access through the firewall.
TASK4 – NAT control
On the firewall enable NAT control. Configure the FW to allow the same access as without NAT control (ping, ssh).
SOLUTIONS
TASK1 Solution
You need to create VLANs 10, 20, 30 and 40 on the switch, assign VLAN membership for routers R10, R20, R30 and R40 and configure dot1q trunks for the ASA ports.
ASA configuration
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
! For me it is good to use nameifs like R20, R30 and not the traditional
! inside, outside, dmz - it helps me think out of the box
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
!
! R40 will get its DHCP IP from R30, so DHCP relay needs to be
! configured on the ASA
dhcprelay server 10.10.30.2 R30
dhcprelay enable R40
dhcprelay setroute R40
dhcprelay timeout 60
R3 configuration
! create a pool for R40 and use client-identifier for the reservation
! (client-identifier uses the 01 prefix for Ethernet + the client MAC)
ip dhcp pool R40
 host 10.10.40.2 255.255.255.0
 client-identifier 0100.e01e.7dc7.61
interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
! a static route for the R40 network is needed
ip route 10.10.40.0 255.255.255.0 10.10.30.1
R40 configuration
! the interface IP will be assigned by DHCP and the client-id of e0/0 is sent;
! it didn't work for me without the client-id option
interface Ethernet0/0
 ip address dhcp client-id Ethernet0/0
! a static route for the R30 network is needed
ip route 10.10.30.0 255.255.255.0 Ethernet0/0
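The client-identifier in the R30 pool above is easy to get wrong by hand. The following is an added example (not part of the original lab) that derives the IOS client-identifier from a MAC address and back, and also accepts colon- and dash-separated MAC notation; the MAC 00e0.1e7d.c761 is a constructed value implied by the lab's client-identifier.

```python
import re

# Cisco IOS DHCP "client-identifier" for an Ethernet client is the hardware
# type byte 0x01 followed by the six MAC bytes, printed as dotted groups of
# four hex digits (7 bytes = 14 hex digits -> xxxx.xxxx.xxxx.xx).
HW_TYPE_ETHERNET = 0x01


def normalize_mac(mac: str) -> bytes:
    """Accept 00e0.1e7d.c761, 00:e0:1e:7d:c7:61 or 00-e0-1e-7d-c7-61."""
    hexdigits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def dotted(raw: bytes) -> str:
    """Format bytes the way IOS prints them: four hex digits per dotted group."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def mac_to_client_identifier(mac: str, hw_type: int = HW_TYPE_ETHERNET) -> str:
    """Build the IOS 'client-identifier' value for a DHCP host reservation."""
    return dotted(bytes([hw_type]) + normalize_mac(mac))


def client_identifier_to_mac(client_id: str) -> str:
    """Reverse direction: recover the MAC from an IOS client-identifier string."""
    raw = bytes.fromhex(re.sub(r"[.\s]", "", client_id))
    if len(raw) != 7 or raw[0] != HW_TYPE_ETHERNET:
        raise ValueError(f"not an Ethernet client-identifier: {client_id!r}")
    return dotted(raw[1:])


def dhcp_pool_config(name: str, ip: str, mask: str, mac: str) -> str:
    """Render the IOS pool stanza used for a fixed reservation (one host per pool)."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" host {ip} {mask}",
        f" client-identifier {mac_to_client_identifier(mac)}",
    ])


if __name__ == "__main__":
    # Constructed sample: the R40 MAC implied by the lab's client-identifier.
    print(dhcp_pool_config("R40", "10.10.40.2", "255.255.255.0", "00e0.1e7d.c761"))
```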
TASK2 Solution
ASA configuration
! RIP authentication on all sub-interfaces
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
! RIP configuration on the ASA
router rip
 network 10.0.0.0
 version 2
 no auto-summary
! To allow the communication I created one object group
! with all IPs (interface IP + loopback IP)
object-group network ROUTERS
 network-object host 10.10.10.2
 network-object host 10.10.20.2
 network-object host 10.10.30.2
 network-object host 10.10.40.2
 network-object host 192.168.10.1
 network-object host 192.168.20.1
 network-object host 192.168.30.1
 network-object host 192.168.40.1
! and permitted ICMP between those IPs
access-list Routers_in extended permit icmp object-group ROUTERS object-group ROUTERS
! and applied it on the interfaces
access-group Routers_in in interface R10
access-group Routers_in in interface R20
access-group Routers_in in interface R30
ROUTER3 configuration
! router rip configuration
router rip
 version 2
 network 10.0.0.0
 network 192.168.30.0
 no auto-summary
! key chain configuration
key chain ccie
 key 1
  key-string cisco
! RIP authentication on the interface
interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain ccie
TASK3 Solution
ROUTER3 configuration
! It's not actually an ASA task...
! thanks to Francois for the idea for this task
crypto key generate rsa general-keys label TEST
username admin password 0 cisco
line vty 0 4
login local
transport input ssh
ASA Configuration
! add line to ACL to permit SSH communication
access-list Routers_in extended permit tcp object-group ROUTERS object-group ROUTERS eq ssh
TASK4 Solution
! enable NAT control and create static (identity) mappings
! to allow traffic between interfaces
nat-control
static (R40,R30) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R40,R20) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R40,R10) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R30,R20) 10.10.30.2 10.10.30.2 netmask 255.255.255.255
static (R30,R10) 10.10.30.2 10.10.30.2 netmask 255.255.255.255
static (R20,R10) 10.10.20.2 10.10.20.2 netmask 255.255.255.255
DENYIPs CCIE Security Technology mini LABs
I decided to create DENYIP's free CCIE security technology minilabs. I plan to focus on some technology or device and create some interesting tasks. I created those minilabs when I was reading documentation and books and I thought this could be nice to practice. I don't aspire to compete with the well known vendors. At the moment I am not the owner of any CCIE security workbook (I decided to wait for ver. 3 material) so I cannot compare, but I am 100% sure that their technology workbooks are more complex and difficult (how can I compare to a few multi-CCIEs).
My labs won't be tricky. It's more about bringing more technology together and it's also more for CCIE security beginners or CCSP students. Thanks
I started with the Technology Minilab for Cisco ASA.
Denyip
You can reach me at milsir(at)gmail.com
CCIE Security Lab v3 announced
Cisco finally announced the CCIE lab changes.
CCIE Security v3 exam blueprints are now available and the new exam is expected to be available in April 2009.
A very good thing is that the devices are the same routers, ASAs, switches, ACS and IPS, just the latest versions.
NO NAC, no MARS, yeah!!! Strange for me that Certificate Authority Support is not listed. I would be really surprised if it is removed.
Funny for me is that I was about to try the lab at the end of April.
I haven't decided yet but I will go for version 3. It's more exciting (and more useful) to learn the latest technologies, so I am really glad I didn't buy any workbook. Let's wait until the main vendors come with v3 workbooks.
DENY IP (denyip at linuxmail.org)
QoS for CCIE security
I have just finished my QoS training. I attended this training because my employer asked me to take over some VoIP projects. I really like voice technology but it's very difficult to study for CCIE security and CCM, Unity and other voice stuff at the same time.
The only topic where there is some overlap is QoS, so how can QoS training be useful for security???
The course is focused on MQC (modular QoS CLI), so I have learnt new stuff about traffic policing and shaping and I got a better understanding of NBAR (important for mitigating attacks). Cisco IOS MQC is also similar to ASA MPF (modular policy framework), so I now understand MPF better.
I think the course was really interesting and I can take advantage of it in my security studies, but if you are interested only in security this course is not for you; there are lots of interesting (and tough) topics that are useless for security studies (congestion management, link efficiency etc.).
CCIE security written resources
As I wrote in my profile, I passed the CCIE written in summer 2007, so for sure I won't be able to schedule the lab within 18 months after passing and I need to pass it again. I don't study separately for the written; my approach is theory - lab - theory at this stage. For example, when I studied TACACS+, first I went through the RFC and security book chapters, then did simple labs with debugs etc., then I reviewed the theory again.
My MAIN resources for theory part are:
1) RFC
You can use this search engine to find the proper RFC for RADIUS, LDAP, IPsec etc. There is a lot of valuable information there.
2) CCBOOTCAMP's 2008 Cisco CCIE Security Written Study Guide
For my studies I bought it; together with the Quick Reference Sheets it is the only CCIE written book on the market. I bought the ebook with the 24 Hour Print Option and printed all pages immediately after downloading.
The authors of that book are Colby LeMair (CCIE 12968 from Cisco), Farrukh Haroon (network engineer from the Middle East, CCSP studying for CCIE, a little bit strange for me but why not) and Brad Ellis (CCIE 5796, CEO of Network Learning).
I think the book is very well written; all topics from the written blueprint are covered pretty well. It has 565 pages. The book's table of contents is similar to the blueprint for the written. At the end of every chapter is a set of tough questions.
It's quite an old book but really well written and there are a few great sections (like AAA, IPsec, GRE, IOS firewall).
3) Cisco web
If I need some configuration examples or a guide I search the Cisco web. It doesn't apply for all topics, but there are a few really good documents for the written exam.
4) CCIE Security Exam Quick Reference Sheets
It's really a quick reference, but I plan to use it in the final stage when you need a quick review of all topics.
Using AUTOCOMMANDs
I tested the autocommand feature (a command run automatically when the user logs in) and it looks like authorization is needed in order to get this feature working:
without the command aaa authorization exec default local it didn't work for me (if you have other experience let us know).
So the configuration is the following (I tested it with the show ip interface brief command):
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 password 0 cisco
username user1 autocommand show ip interface brief
When user1 logs in:
R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open
User Access Verification
Username: user1
Password:
R1>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Loopback0 192.168.10.1 YES NVRAM up up
[Connection to 150.50.78.2 closed by foreign host]
When using the NOHANGUP feature with the command
username user1 nohangup autocommand show ip interface brief
it doesn't mean you will stay logged in (as I thought); instead you get a new user login prompt (instead of the [Connection to 150.50.78.2 closed by foreign host] message):
R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open
User Access Verification
Username: user1
Password:
R1>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Loopback0 192.168.10.1 YES NVRAM up up
User Access Verification
Username:
So if you have credentials only for user1, this autocommand is the only thing you can do.
Multiple TACACS+ servers with different keys
Have you ever tried to add more than one TACACS+ server??? When I tried, I was forced to use the same authentication key for all of them (it could be a possible security issue):
tacacs-server host 192.168.1.100
tacacs-server host 192.168.1.101
tacacs-server key secretkey
It's different from the RADIUS command, where you can specify the key after the IP address:
radius-server host 192.168.1.100 key secretkey1
radius-server host 192.168.1.101 key secretkey2
Now I found a workaround for doing the same with TACACS+: it can be done with the server-private command under aaa group server.
NOTE: this command was introduced in IOS 12.3(7)T, so it doesn't apply to the current blueprint version.
aaa group server tacacs+ my-servers
server-private 192.168.1.100 key secretkey1
server-private 192.168.1.101 key secretkey2
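Why a per-server key matters: the TACACS+ packet body is protected only by an MD5-derived pad keyed on the shared secret (RFC 8907 section 4.5), so one key shared by every server is one secret whose exposure affects them all. The following added example (not code from the original post) implements that header and body obfuscation and shows that a body built with secretkey1 does not decode with secretkey2; the session id and body are constructed sample values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) 12-byte header: version, type, seq_no, flags, session_id, length.
TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major 12, minor 0 -> 0xC0
TAC_PLUS_AUTHEN = 0x01                   # authentication packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # body sent in clear when set


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id, shared key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call reverses it (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Wrap a clear-text body into a TACACS+ packet obfuscated with the given key."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the clear-text body; raise ValueError on a malformed header."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ packet")
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed sample: a per-server key keeps a body from one server unreadable with another's key.
    pkt = build_packet(b"constructed authen body", 0x12345678, b"secretkey1")
    print(parse_packet(pkt, b"secretkey1"), parse_packet(pkt, b"secretkey2"))
```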
Reset ACS to its default configuration
When you finish your labs on a router, PIX or switch you erase the configuration to be able to redo the lab or to start a new one. But what about ACS? If you add devices, create users, groups... how do you remove them, how do you get back the default ACS settings??? There is nothing like the write erase command, so I use the following easy trick.
When I install a new ACS, my first step is to back up this fresh configuration:
System configuration —>ACS Backup
Backup files are stored in the folder
C:\Program Files\CiscoSecure ACS v4.0\CSAuth\System Backups
The file is named by default with the format day-month-year time.dmp, but you can manually rename it to whatever you want (as I did, to defaultACS.dmp).
Then you can restore the configuration anytime with
System configuration —>ACS restore
and just select your backup file and click on restore
Simple AAA lab
I decided to start with the identity management part of the blueprint. I have a few good reasons for that:
1) We are implementing a complex AAA solution at my current job (3 ACSs, accounting, assigning privilege levels to users, RSA authentication etc.)
2) It's not the most difficult area, so it's good for a slow start
3) Those topics (AAA, 802.1x, NAC) are heavily covered in the written exam
As a first part I created a simple topology with two routers and one Cisco ACS (you can get it from Cisco, they offer a 90 day trial; you need a CCO account for it).
So with this easy lab you can practice all AAA and ACS features (privilege levels, command authorization, accounting on ACS etc.). It's a really simple lab, you need just two routers and one server, and it can also be easily done with Dynamips. It's a really easy lab and it's more for CCSP (or even CCNA) students; it's more of a pre-configuration (in the next parts I will try to dig deeper).
One router is used for RADIUS (R1), the second is used for TACACS+ (R2).
STEPS
1. Basic IP addressing
(the loopback interface will be used as the source for AAA communication with ACS)
R1
interface fa 0/0
ip address 192.168.1.1 255.255.255.0
no shut
interface loopback0
ip address 192.168.10.1 255.255.255.0
R2
interface fa 0/0
ip address 192.168.1.2 255.255.255.0
no shut
interface loopback0
ip address 192.168.20.1 255.255.255.0
2. Set up communication between ACS and the RADIUS/TACACS+ routers
R1
! R1 talks RADIUS to ACS, sourced from loopback0 (192.168.10.1)
aaa new-model
radius-server host 192.168.1.100
radius-server key ciscolab
ip radius source-interface loopback 0
R2
! R2 talks TACACS+ to ACS, sourced from loopback0 (192.168.20.1)
aaa new-model
tacacs-server host 192.168.1.100
tacacs-server key ciscolab
ip tacacs source-interface loopback 0
3. Add device to ACS and create ACS users
For R1: on ACS select Network Configuration and Add AAA Client; enter AAA client hostname R1, AAA client IP address 192.168.10.1 (remember we configured ip radius source-interface loopback0), key ciscolab and protocol RADIUS (IETF). The same for R2, with IP 192.168.20.1 and protocol TACACS+.
For user creation on ACS click on User Setup and fill in username/password. I created two users, user1 and user2, with password cisco.
That's it, we have the basic setup.
You can test AAA from the router with the test aaa command:
R1#test aaa group radius user1 cisco legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
The same for TACACS+ (from R2):
R2#test aaa group tacacs+ user1 cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.