DENY IP - road to CCIE security

Technology MiniLab ASA part I.

denyip — Sun, 28 Dec 2008 21:40:02 +0000

This Mini Lab focuses on various Cisco ASA technologies and its part of DENYIPs CCIE Security technology minilab
If you have any question or suggestion feel free to post in the discussion or contact me on milsir(at)gmail.com
Lab is based on following setup

Following HW is needed :
1x Cisco ASA or PIX
1x Switch dot1q capable
4x Router with at least one Ethernet interface

Dynamips can be use as well – I tried both LAB and Dynamips for Dynamips I used following NET file

[localhost:7200]
workingdir = C:\path to your working directory
[2621]]
 image = C:\path to your IOS
 ram = 92
 idlepc = your idle PC

 [[Router R1]]
  model = 2621
  Fa0/0 =  S1 1

 [[Router R2]]
  model = 2621
  Fa0/0 =  S1 2

 [[Router R3]]
  model = 2621
  Fa0/0 =  S1 3

 [[Router R4]]
  model = 2621
  Fa0/0 =  S1 4

[[ethsw S1]]
    1 = access 10
    2 = access 20
    3 = access 30
    4 = access 40
    5 = dot1q 1
    6 = dot1q 1

[pemu localhost]
[[525]]
serial=
key=
image = path to yout PIX image
[[fw FW1]]
 e0 = S1 5
 e1 = S1 6

TASKS

TASK1 – Addressing and basic connectivity

Configure interface (sub-interface) of FW in following way

e1.10 – nameif R10, VLAN10, security level 10, IP 10.10.10.1

e1.20 – nameif R20, VLAN20, security level 20, IP 10.10.20.1

e0.30 – nameif R30, VLAN30, security level 30, IP 10.10.30.1

e0.40 – nameif R40, VLAN40, security level 40, IP 10.10.40.1

Configure IP addressing of routers according drawing (including loopbacks)

R40 interface is DHCP client… Configure R30 to be DHCP server for this router.. make sure this interface will be always assigned IP 10.10.40.2

TASK2 – routing , ACL

Delete all static routers and run RIP v2 between all devices, propagate all networks including loopbacks, use MD5 authentication .. Permit ICMP between all routers and verify connectivity with ping (you should be able to ping all loopbacks from all routers) , use only one line in your ACL

TASK3 – SSH access
Enable SSH with local authentication on all routers do not use domain command on routers , enable SSH access through firewall

TASK4 – NAT control
On firewall enable NAT-control .. Configure FW to allow access like without NAT control (ping, ssh)

SOLUTIONS

TASK1 Solution

You need create vlans 10,20,30,40 on switch , assign vlans membership for routers R10,R20,R30,R40 and configure do1q trunks for ASA port


ASA configuration

interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
! For me is good to use nameif like R20, R30 and not traditional
! inside, outside, dmz - It helps me think out of the box
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
!R40 will get DHCP IP from R30 so dhcp relay needs to be
!configured 
dhcprelay server 10.10.30.2 R30
dhcprelay enable R40
dhcprelay setroute R40
dhcprelay timeout 60

R3 configuration
! create pool for R40 use client-identifier for reservation
!(client-identifier uses 01 prefix for ethernet + client MAC)
ip dhcp pool R40
   host 10.10.40.2 255.255.255.0
   client-identifier 0100.e01e.7dc7.61

interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
! Static route for R40 network is needed
ip route 10.10.40.0 255.255.255.0 10.10.30.1

R40 configuration

! IP on interface will be DHCP and client-id e0/0 is sent
! it didn't work for me without client-id command

interface Ethernet0/0
 ip address dhcp client-id Ethernet0/0

! Static route for R30 network is needed
ip route 10.10.30.0 255.255.255.0 Ethernet0/0

TASK2 Solution


ASA configuration

! rip authentication on all subinterfaces
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 

!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
!RIP configuration on ASA 
router rip
 network 10.0.0.0
 version 2
 no auto-summary
!For allowing of outside communication i created one object group
! with all IPs (interface IP + loopback IP)
object-group network ROUTERS
 network-object host 10.10.10.2
 network-object host 10.10.20.2
 network-object host 10.10.30.2
 network-object host 10.10.40.2
 network-object host 192.168.10.1
 network-object host 192.168.20.1
 network-object host 192.168.30.1
 network-object host 192.168.40.1
!and permitted ICMP between those IPs
access-list Routers_in extended permit icmp object-group ROUTERS object-group ROUTERS
!and applied on interface
access-group Routers_in in interface R10
access-group Routers_in in interface R20
access-group Routers_in in interface R30

ROUTER3 configuration
! router rip configuration
router rip
 version 2
 network 10.0.0.0
 network 192.168.30.0
 no auto-summary

! router key chain configuration
key chain ccie
 key 1
  key-string cisco

! router rip authenication on interface configuration
interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain ccie

TASK3 Solution


ROUTER3 configuration
!Its not actually ASA task...
!thanks to Francois for the idea for this task
crypto key generate rsa general-keys label TEST
username admin password 0 cisco
line vty 0 4
 login local
 transport input ssh

ASA Configuration
! add line to ACL to permit SSH communication 
access-list Routers_in extended permit tcp object-group ROUTERS object-group ROUTERS eq ssh

TASK4 Solution

! enable nat control and create static mapping
! to allow traffic between interfaces 
nat-control

static (R40,R30) 10.10.40.2 10.10.40.2 netmask 255.255.255.255

static (R40,R20) 10.10.40.2 10.10.40.2 netmask 255.255.255.255

static (R40,R10) 10.10.40.2 10.10.40.2 netmask 255.255.255.255

static (R30,R20) 10.10.30.2 10.10.30.2 netmask 255.255.255.255

static (R30,R10) 10.10.30.2 10.10.30.2 netmask 255.255.255.255

static (R20,R10) 10.10.20.2 10.10.20.2 netmask 255.255.255.255

DENYIPs CCIE Security Technology mini LABs

denyip — Sun, 28 Dec 2008 21:39:25 +0000

I decided to create DENYIPs CCIE security free technology minilabs. I plan to focus to some technology or device and create some intersting tasks. I created those minilabs when I was reading documentation, books and I though this could be nice to practice.. I don’t aspire to compete with well known vendors. At the moment I am not owner of any CCIE security workbook ( I decided to wait for ver. 3 material) so I cannot compare but Iam 100% sure that their technology workbooks are more complex and difficult (how can I compare to few multi CCIEs)

My labs wont be tricky … Its more about bringing more technology together and its also more for CCIE security beginners or CCSP students.. thanks

I started with Technology Minilab for Cisco ASA

Denyip

You can reach me at milsir(at)gmail.com

CCIE Security Lab v3 announced

denyip — Thu, 16 Oct 2008 07:23:01 +0000

Cisco finally announced CCIE lab changes

CCIE Security v3 exam blueprints are now available and the new exam is expected to be available in April 2009.

LAB EQUIPMENT AND SOFTWARE

and

LAB EXAM blueprint v3.0

Very good thing is the devices are same routers, ASAs, switches, ACS, IPS just latest version…

NO NAC, MARS yeah!!!… strange for me that Certificate Authority Support is not listed.. I would be really surprised if its removed

Funny for me is that I was about to try the lab at end of April )) I haven’t decided yet but I will go for version 3.. Its more exciting (and more useful) to learn latest technologies .. so Iam really glad I didnt buy any workbook.. Lets wait when main vendors come with v3 workbooks

DENY IP (denyip at linuxmail.org)

QoS for CCIE security

denyip — Sat, 06 Sep 2008 09:54:59 +0000

I have just finished my QoS training…. I attended this training because my employer asked me to take over some VOIP projects.. I really like voice technology but its very difficult to study for CCIE security and CCM, unity and other voice staff..
Only one topics where is some overlap is QoS – so what how can be QoS training useful for security???

The course is focused on MQC (modular qos CLI) so I have learnt new staff about traffic policing and shaping, I got better understanding of NBAR (important for mitigating attacks) .. Cisco IOS MQC is also similar to ASA MPF (modular policy framework) so I now understand MPF better

I thing the course was really interesting and I can take advantage from it in my security studies but if you interesting only in security this course is not for you – there is lot of interesting (and tough) topics but useless for security studies (congestion management, link efficiency) etc..

CCIE security written resources

denyip — Wed, 27 Aug 2008 20:46:29 +0000

As I wrote in my profile I passed CCIE written in summer 2007 ..So for sure I wont be able schedule lab in 18 months after passing so I need pass it again … I dont study separately for written – my approach is theory – lab – theory at this stage.. For example when did study for TACACS+… First I went through RFC, security books chapters than did simple labs with debugs etc.. than I reviewed theory again

My MAIN resources for theory part are:

1) RFC

You can use this search engine a find proper RFC for Radius, Ldap, IPsec… There is lot of valuable informations

1)CCBOOTCAMP’s 2008 Cisco CCIE Security Written Study Guide

For my studies I bought its with Quick reference sheet only one CCIE written book on the market. I bought ebook with 24 Hour Print Option – I printed all pages immediately after downloading

Authors of that book are Colby LeMair (CCIE 12968 from Cisco), Farrukh Haroon (network engineer from middle east – CCSP studying for CCIE – little bit strange for me but why not) and Brad Elis (CCIE 5796 CEO of Network learning)
I think book is very good written – all topics from the written blue print are covered pretty well. It has 565 pages. The book table of contents is similar as blueprint for written . In the end of every chapter is set of tough questions…

2) Network Security Principles and Practices (CCIE Professional Development) (CCIE Professional Development)

Its quite old book but really well written and there are few great section (like AAA, IPSEC, GRE, IOS firewall)

3) Cisco website

If I need some configuration examples or some guide I search Cisco web … It doesnt apply for all topics but there is few really good documents for written exam

4) CCIE Security Exam Quick Reference Sheets

Its really quick reference , but I plan use it in final stage when you need quick review of all topics

Using AUTOCOMMANDs

denyip — Sun, 10 Aug 2008 21:11:38 +0000

I tested autocommand feature (command run automatically when user is logged in) and it looks authorization is needed in order get this features working

without commad aaa authorization exec default local it didn’t work for me (if you have other experience let us know)

So configuration is following ( I tested it with show ip interface brief command)

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 password 0 cisco
username user1 autocommand show version

When user1 logs in

R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open

User Access Verification

Username: user1
Password:
R1>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Loopback0 192.168.10.1 YES NVRAM up up

[Connection to 150.50.78.2 closed by foreign host]

When using NOHANGUP feature with command
username user1 nohangup autocommand show version
it doesn’t mean you will stay logged in (as I though) but you get new user login prompt(instead of [Connection to 150.50.78.2 closed by foreign host] message)

R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open

User Access Verification

Username: user1
Password:
R1>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Loopback0 192.168.10.1 YES NVRAM up up

User Access Verification

Username:

So if you have credentials only for user1 – this autocommand is only one thing you can do

Multiple TACACS+ servers with different keys

denyip — Mon, 04 Aug 2008 12:31:00 +0000

Have you ever tried to add more than one TACACS+ server??? When I tried I was forced to use same authentication key for them (it could be possible security issue)

tacacs-server host 192.168.1.100
tacacs-server host 192.168.1.101
tacacs-server key secretkey

Its difference from RADIUS command where you can specify key after IP address

radius-server host 192.168.1.100 key secretkey1
radius-server host 192.168.1.101 key secretkey2

Now I found workaround how to do same for TACACS+ it can be done with server-private command under aaa group server
NOTE this command was introduced to IOS 12.3(7)T so it doesn’t apply to current blueprint version

aaa group server tacacs+ my-servers
server-private 192.168.1.100 key secretkey1
server-private 192.168.1.100 key secretkey2

Reset ACS to its default configuration

denyip — Thu, 31 Jul 2008 15:23:33 +0000

When you finish you labs on router, pix or switch you erase configuration to be able re-doing lab or to start a new lab… But what about ACS if you add device, create users, groups… how to remove it, how to have default ACS settings???… There is nothing like write erase command so I use following easy trick…
When I install new ACS my first step is backup this fresh configuration
System configuration —>ACS Backup

s

Backup files are stored in the folder
C:\Program Files\CiscoSecure ACS v4.0\CSAuth\System Backups
File is named by default with format day-month-year time.dmp but you can manually rename it to whatever you want (as i did to defaultACS.dmp)

Than you can restore configuration anytime with
System configuration —>ACS restore
and just select your backup file and click on restore

Simple AAA lab

denyip — Wed, 30 Jul 2008 08:44:57 +0000

I decide to start with identity management part of the blueprint. I have few good reasons for that

1) We are implementing complex AAA solution in my current job (3 ACSs, accounting, assigning privilege levels to users, RSA authentication etc…)
2) Its not most difficult area – so its good for slow start
3) Those topics (AAA, 802.1x, NAC are heavily covered in the written exam)

As a first part I created simple topology with two routers and one Cisco ACS (you can get it from Cisco they offers 90 day trial – click here (you need CCO account for it)).
So with this easy lab you can practice all AAA and ACS features (privilege levels, command authorization, accounting on ACS etc..)…Its really simple lab, you need just two routers and one server… it can be also easily done with dynamips… Its really easy lab and its more for CCSP (or even for CCNA) – its more pre-configuration (in next parts I will try to dig deeper)

AAA lab

One router is used for radius (R1) second is used for tacacs+ (R2)

STEPS

1. Basic IP addressing
(loopback int will be used as source for AAA communication on ACS)

interface fa 0/0
ip address 192.168.1.1 255.255.255.0
no shut

interface loopback0
ip address 192.168.10.1 255.255.255.0

interface fa 0/0
ip address 192.168.1.2 255.255.255.0
no shut

interface loopback0
ip address 192.168.20.1 255.255.255.0

2. Set communication between ACS and radius/tacacs+ routers

aaa new-model
tacacs-server host 192.168.1.100
tacacs-server key ciscolab
ip tacacs source-interface loopback 0

R2
aaa new-model
radius-server host 192.168.1.100
radius-server key ciscolab
ip radius source-interface loopback 0

3. Add device to ACS and create ACS users

For R1 – on ACS select Network configuration and Add AAA client – enter AAA client hostname R1 , AAA client IP address 192.168.10.1 (remember we created ip radius source loopback0) and key is ciscolab, protocol is RADIUS (IETF) same for R2, IP is 192.168.20.1 and protocol is TACACS+

For users creation on ACS click on USER SETUP and fill in username/password … I created two users user1 and user2 with password cisco..

That is we have basic setup ..
You can test AAA from router with test aaa command

R1#test aaa group radius user1 cisco legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

Same for TACACS+

R1#test aaa group tacacs user1 cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Following the blueprint

denyip — Tue, 22 Jul 2008 06:46:44 +0000

As has been already written several times in the LAB you can expect ANYTHING from the Blueprint… So i decide to organize all my study notes according this blueprint … there is 6 major topics

Firewall
VPN
Intrusion Prevention System (IPS)
Identity Management
Advanced Security
Network Attacks

My firefox bookmarks for CCIE are organized exactly in this style and order.. If I see some interesting config guide, tutorial etc. related to CCIE security I bookmark the page and place to the proper folder. |
Structure of my mailbox what I use for newsgroups like groupstudy or OSL is exactly same six folders (plus lot of subfolders)… So if need get some information (ideas for lab) i just open my bookmarks or my email folder….

If you look to the right topics for blog entries have same structure as well (maybe some topics are missing because there are no posts but I hope soon we will have complete blueprint)