EIGRP routing on a Cisco 3550 Switch

This evening I was trying to get a Cisco 3550 switch (EMI) to form an EIGRP adjacency with a router directly connected to it. However, I kept getting the following syslog message:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 172.26.6.9 (GigabitEthernet0/0) is down: retry limit exceeded

… and the ip route command showed nothing. The same went for the show eigrp neighbor and topology commands. So what was going on?

(screenshot: 3550 neighbors)
(screenshot: Router neighbors)

I ran the debugs on both the router and switch, and that showed me nothing. I checked all manner of protocol settings, rebooted both devices, checked CPU usage etc.

I could ping the router from the switch and vice versa, so what was I doing wrong?

I had missed one vitally important step when using L3 capability on a switch; I had neglected to enable the routing.

As soon as I issued the command ip routing, my neighbor adjacencies came up and my route tables now held the correct shared routes.

So, what was it that tipped me off? I was checking to see if the switch was enabled to handle multicast traffic. Now this is important because the EIGRP routing updates are multicast. The way to do this is to type:

(config)# ip m?

and you will see the multicast commands listed. I did not see that, in fact I saw nothing. So I backed up a little and typed:

(config)# ip ?

and as I was scrolling through the list of possibilities, I saw routing … and my memory was jogged.

Sometimes you just have to remember the basics!
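Added illustration (not the author's configuration) of the missing step and how to verify it afterwards. Assumed: the 3550's uplink is a routed port Gi0/1, the link is 172.26.6.8/30 with the switch at 172.26.6.9 (the neighbor address in the syslog message), and EIGRP autonomous system 10 as in that message.

```cisco
! Added example, not the author's configuration. Assumed: routed uplink Gi0/1,
! switch address 172.26.6.9/30, EIGRP autonomous system 10 (from the syslog message).
!
! The step the post missed: a Catalyst 3550 does not route until this is enabled.
ip routing
!
interface GigabitEthernet0/1
 no switchport
 ip address 172.26.6.9 255.255.255.252
!
router eigrp 10
 network 172.26.6.8 0.0.0.3
!
! Verification from privileged EXEC:
!   show ip protocols        -> confirms the EIGRP process and the networks it covers
!   show ip eigrp neighbors  -> the directly connected router should now be listed
!   show ip route eigrp      -> the routes learned from that neighbor
```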


CCNA Security – 1.4 Describe Network Topologies

Section 1.4 concerns network topologies. There is not a great deal of material out there for this topic with regard to the CCNA Security course; however, this is my best guess.

1.4.a Campus area network (CAN)
1.4.b Cloud, wide area network (WAN)
1.4.c Data center
1.4.d Small office/home office (SOHO)
1.4.e Network security for a virtual environment

Most of us by now are probably familiar with the Cisco three-layer switching model and have some knowledge of various Cisco network models, so let's dive in.

1.4.a Campus area network (CAN)

Sometimes the term campus area network can be confusing; after all, we don’t all work on a campus, and just what is a campus anyway? Essentially you can consider a campus to be a large local area network, but including all the data center type services.

(insert diagram here)

The campus can be built up from multiple buildings, each with its own access and distribution layers. Traffic from these buildings will be switched/routed via a fast core switch.

Often there are other parts to the CAN such as data center, WAN and internet connections. Security is usually layered but starts at the edge, with firewalls and IDS/IPS at the WAN and internet edge, and port security and other measures on the access switches.

Other measures include network access control, and MPF/ACLs at the distribution layer. The core is generally left just to perform switching.

1.4.b Cloud, wide area network (WAN)

Cloud-based and virtual data centers add more complexity to the security measures we need to take. For instance, much of the server infrastructure is now virtualized, but at the same time we can also virtualize switches and security devices. This means we can migrate our port security, security policies and access control into the same virtual environment.


1.4.c Data Center

The data center is, generally speaking, on an intranet or enterprise network and access is secured via VPN technology; however, we still need to provide firewalls, IDS/IPS and access control to guard against internal threats as well as external (internet) threats.

Data centers generally follow the three layer model and so we still secure our access switches with port security, ACLs and policy.

(add data center drawing here)


1.4.d Small office/home office (SOHO)

An integrated services router running an IOS that can support ZBF and ACLs, with access control and VPN connection across the internet to an HQ or data center contains all the elements required to secure a SOHO site.

Policy for remote offices and/or teleworkers can also play a part here.


There are some constants that appear in all of the above, and one of these is BYOD, which we will cover in other posts.


FlexConnect is a Java-based language used for controlling APs at remote sites where no controller is installed.

1.4.e Network security for a virtual environment

There are a number of variations of virtual environments.

If we are looking at Cloud services:

SaaS – Software as a service
The software as a service model is where the provider has software services available (like SharePoint from Microsoft, or Salesforce) but the client uses as much or as little of this as they need and is charged accordingly. The client, however, has no control over the hardware platforms and often no control over the patch levels of the software.

PaaS – Platform as a service
This is primarily for creating and using development platforms. The client is given a sandboxed dev environment and the tools to enable and test software. In addition, the PaaS provider might also provide the basic building blocks of any given system, like SQL, LAMP etc.

IaaS – Infrastructure as a service
This is the basic nuts and bolts of a virtual environment. The provider will offer virtual servers and workstations, virtual networking and sometimes virtual network devices (firewalls, proxy servers etc.). The user does not have the ability to access the underlying hardware, but can make changes to memory and CPU allocation etc.


CCNA Security – 1.3 Cryptography Concepts

Section 1.3 covers the basics of cryptography:

1.3.a Describe key exchange
1.3.b Describe hash algorithm
1.3.c Compare and contrast symmetric and asymmetric encryption
1.3.d Describe digital signatures, certificates, and PKI

1.3 Cryptography concepts

Before we start, let's make a couple of quick notes about cryptography. If we refer back to CIA (Confidentiality, Integrity and Availability), we are talking about securing data either at rest or in motion.

  • Data can be at rest (caches, hard drives, servers, memory etc.)
  • Data can be in motion (currently on the network moving from place to place)

There are also some terms we should get to know:

  • Infosec – information security – where is the data:
  • NFP – Network Foundation Protection
    • management plane – logical ability to manage device (Admin login)
    • control plane – how routers communicate to each other
    • data plane – moving traffic through the device

1.3.a Describe Key Exchange

Each encryption method requires a key. The key plus the encryption method produces the encrypted data. To reverse the process, one has to run the encryption method in reverse (decrypt) with the key to produce the original raw data.
See http://www.simonsingh.net/The_Black_Chamber/caesar.html for an example (the Caesar cipher), where the key is the offset value.

One could add complexity by changing the offset based on hour of transmission (requires accurate clocks).

1.3.b Describe Hash Algorithm

Hash algorithms are used to ensure the integrity of data. Two commonly available methods:

  • MD5 – 128-bit
  • SHA – 160-bit

There are a number of SHA variants, SHA-256 and SHA-384 for instance. They use a larger number of bits and are therefore more secure. MD5 is old tech, whereas SHA-256 and beyond are considered next generation.

Hashing uses a mathematical process to create a digest (small amount of data) from the bulk data. The sender will send the data plus digest.

The receiver takes the data and runs its own hash to create a digest. The receiver then compares the digests. If the two digests are the same, then the receiver can be sure the data was not manipulated in transit.

Cisco uses hash digests to secure its IOS downloads and if you need to check a downloaded file the following command can be used:

# verify /md5 <file name>

While hash algorithms can indicate a change in the data, what they cannot protect against is a malicious actor changing the data and simply recomputing the digest to match. For this we need a keyed hash algorithm, or HMAC.

HMAC – Hash-based Message Authentication Code

HMAC – or the Hash-based Message Authentication Code – is where we use the hash algorithm on the data plus a secret key that only the sender and receiver know. This prevents man-in-the-middle attacks on the data by making it very difficult to modify the data and create a valid new hash.

Hashing is used to secure communications in networking such as:

  • IPSEC VPN tunnels to ensure packet integrity and authenticity
  • Routing protocol updates authentication
  • Securing IOS images to guarantee they have not been tampered with.
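Here is an added example (not from the original post) showing the difference in Python: a plain digest can be recomputed by whoever alters the data in transit, while an HMAC cannot be recomputed without the shared key. The key, the routing update and the tampered update are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: a shared key known only to the two endpoints,
# a genuine routing update and the version an on-path attacker substitutes.
SHARED_KEY = b"constructed-shared-secret"
ORIGINAL_UPDATE = b"route 10.1.0.0/16 via 192.0.2.1"
TAMPERED_UPDATE = b"route 10.1.0.0/16 via 192.0.2.66"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest, as in 'send the data plus digest'."""
    return hashlib.sha256(data).hexdigest()


def keyed_mac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data using the shared secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_checks_digest(data: bytes, received_digest: str) -> bool:
    """Receiver recomputes the digest and compares it (constant-time compare)."""
    return hmac.compare_digest(plain_digest(data), received_digest)


def receiver_checks_mac(data: bytes, received_mac: str, key: bytes) -> bool:
    """Receiver recomputes the HMAC with its own copy of the key and compares."""
    return hmac.compare_digest(keyed_mac(data, key), received_mac)


def simulate() -> dict:
    """Sender emits (data, digest) and (data, hmac); an on-path party alters the data."""
    sent_digest = plain_digest(ORIGINAL_UPDATE)
    sent_mac = keyed_mac(ORIGINAL_UPDATE, SHARED_KEY)

    # Accidental corruption: the digest travels unchanged, so even a plain hash catches it.
    corrupted = ORIGINAL_UPDATE[:-1] + b"2"
    # Deliberate tampering: the attacker replaces the data AND recomputes the unkeyed digest.
    attacker_digest = plain_digest(TAMPERED_UPDATE)
    # Without the key the attacker can only forward the original HMAC alongside the new data.
    return {
        "plain_hash_catches_corruption": not receiver_checks_digest(corrupted, sent_digest),
        "plain_hash_catches_tampering": not receiver_checks_digest(TAMPERED_UPDATE, attacker_digest),
        "hmac_catches_tampering": not receiver_checks_mac(TAMPERED_UPDATE, sent_mac, SHARED_KEY),
        "hmac_accepts_genuine": receiver_checks_mac(ORIGINAL_UPDATE, sent_mac, SHARED_KEY),
    }


if __name__ == "__main__":
    for check, outcome in simulate().items():
        print(f"{check}: {outcome}")
```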

1.3.c Compare and Contrast Symmetric and Asymmetric Encryption

There are two types of encryption key: symmetric and asymmetric.

Symmetrical key – Use the same key to encrypt and decrypt.
This is less secure but the algorithms involved require lower overhead to run.

Asymmetric algorithms – Use one key to encrypt and a different key to decrypt.
This is an extremely complex algorithm called the Diffie-Hellman algorithm and requires a lot of CPU overhead to run.

Symmetrical Algorithms
The Caesar cipher is an example of symmetrical encryption, as it uses one key for encryption and the same key for decryption (one key). Other current symmetrical algorithms are:

  • DES – Data Encryption Standard – a symmetrical 56-bit algorithm. Not very secure now and not recommended except for regions that cannot use next-gen encryption. This is relatively easy to break.
  • 3DES – where the DES algorithm is run three times in succession. This is more secure but is still not classified as a next generation algorithm.
  • AES – Advanced Encryption Standard – currently a 128-bit algorithm with 192- and 256-bit versions also available. AES-256 is considered next generation and is a very secure algorithm.
  • IDEA – International Data Encryption Algorithm (used in PGP)

Because symmetrical algorithms require low CPU overhead, these standards are used for bulk data transfer.

Asymmetrical Algorithms
Asymmetrical algorithms use a key pair (two keys). Data encrypted with key 1 can be decrypted with key 2 and vice versa. These algorithms require more overhead in terms of CPU but have better security, and are harder to crack.

Usually a key pair is a public and private key. Anything encrypted with the public key, can be decrypted with the private key. Asymmetrical algorithms are used mostly for authentication functions such as the Public Key Infrastructure (PKI). Typical asymmetric algorithms are:

1.3.d Describe digital signatures, certificates, and PKI

Digital signatures are used to prove who is sending the data.

  • The sender generates key pair (private & public key)
    • sends public key to the receiver
    • takes data and creates a hash
    • encrypts hash with private key
    • This becomes the digital signature.
  • The receiver receives the data and encrypted hash
    • generates a hash from the data
    • decrypts the received signature to reveal the sender’s hash
    • compares hashes

If the two hashes are the same, the receiver can be assured that the data is genuine from the sender and not from a man in the middle attack or a spoof of some kind.

Certificates
A certificate is a really handy way of sending a public key to an end user for public/private key encryption. Any data sent by the end user can be encrypted using the public key, and the certificate originator can decrypt it using their private key.

The end user can also respond with its own certificate (if required) providing their public key.

However, how does the end user know that the certificate it has been sent, with the public key, is valid? It could be a spoof attack, where a nefarious site is trying to get end user information by spoofing the connection certificate.

The way around this is the Public Key Infrastructure, which provides a mechanism for checking the authenticity of the issued certificate. It works like this:

PKI (Public Key Infrastructure)
https://en.wikipedia.org/wiki/Public_key_infrastructure

Certificate Authorities like Verisign, GoDaddy, etc. form a network of trust, providing PKI services. Many browsers come with these CAs (certificate authorities) installed with their certificates, which include the public key for the CA.

The way this works is as follows:

  • We generate a public/private key pair on our own servers, then register (enroll) with the CA
  • CA then checks authenticity (in real life, phone calls, visits etc)
  • CA then creates a digital certificate for the organization.
    • Different types of certificates available
      • X.509 format (serial number, version number, hash (SHA), algorithm (RSA), issuer (GoDaddy) etc)
      • Also date and digital signature.
      • Digital signature (encrypted hash) can be verified because we (the browser) have the CA public key.

So let's use the example of logging into my bank to check my account.

  • When I start a session with the bank, the bank will send a certificate with the public key.
  • We can guarantee the authenticity of the certificate and thus the public key, because we have the CA public key.
  • That means we can check the digital signature of the certificate:
    • we perform a hash on the certificate
    • we decrypt the certificate digital signature using the CA public key and compare the hash values
      • If they are the same, we are sure it is the bank we are talking to
  • we check the validity dates to make sure the certificate is valid
  • we check the URL to make sure it matches the certificate URL
  • we check the CA revocation list to make sure the certificate has not been revoked.

This gives us a clean copy of the bank’s public key (from the certificate).
Now we can send an encrypted packet to the bank and negotiate a session key. Once that happens, we are in business.
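The signature procedure in 1.3.d and the browser-side certificate checks of the bank example above, as one added Python example that is not part of the original post. It uses textbook RSA with tiny constructed primes and no padding (a toy, for illustration only); the CA name, hostname, dates and serial number are constructed.

```python
"""Toy digital signature and certificate checks (added example, not from the post).
Uses textbook RSA with tiny constructed primes and no padding: for illustration only."""
import hashlib
import json


def make_keypair(p: int, q: int, e: int = 65537):
    """Build a toy RSA key pair from two primes; returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)


def digest_int(data: bytes, n: int) -> int:
    """Hash the data (SHA-256) and reduce it into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private) -> int:
    """'Encrypt the hash with the private key': this value is the digital signature."""
    n, d = private
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, signature: int, public) -> bool:
    """Receiver hashes the data itself, 'decrypts' the signature with the public key, compares."""
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)


def cert_bytes(cert: dict) -> bytes:
    """Canonical encoding of every field except the signature (the bytes the CA signed)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, subject_public, issuer, ca_private, not_before, not_after, serial):
    """The CA builds an X.509-like record for the subject's public key and signs it."""
    cert = {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
            "public_key": list(subject_public), "not_before": not_before,
            "not_after": not_after, "hash": "SHA-256", "algorithm": "toy-RSA"}
    cert["signature"] = sign(cert_bytes(cert), ca_private)
    return cert


def verify_certificate(cert, ca_public, expected_host, today, revoked_serials) -> list:
    """The browser-side checks from the bank example; returns the list of failed checks."""
    problems = []
    if not verify(cert_bytes(cert), cert["signature"], ca_public):
        problems.append("signature")   # hash of cert != signature decrypted with CA public key
    if not (cert["not_before"] <= today <= cert["not_after"]):
        problems.append("dates")       # outside the validity period (ISO dates compare as strings)
    if cert["subject"] != expected_host:
        problems.append("hostname")    # URL does not match the certificate
    if cert["serial"] in revoked_serials:
        problems.append("revoked")     # listed on the CA revocation list
    return problems


def demo() -> dict:
    """Genuine bank certificate versus the failure modes a browser must catch."""
    ca_public, ca_private = make_keypair(10007, 10009)       # constructed CA key, pre-installed in the browser
    bank_public, _bank_private = make_keypair(10037, 10039)  # constructed key pair of the bank's server
    host = "www.example-bank.test"
    cert = issue_certificate(host, bank_public, "Example CA", ca_private,
                             "2016-01-01", "2017-01-01", serial=1001)
    forged = dict(cert)
    forged["public_key"] = [123456789, 65537]   # attacker swaps in their own key after signing
    return {
        "genuine": verify_certificate(cert, ca_public, host, "2016-06-01", set()),
        "forged": verify_certificate(forged, ca_public, host, "2016-06-01", set()),
        "wrong_host": verify_certificate(cert, ca_public, "login.example-bank.test", "2016-06-01", set()),
        "expired": verify_certificate(cert, ca_public, host, "2018-03-01", set()),
        "revoked": verify_certificate(cert, ca_public, host, "2016-06-01", {1001}),
    }


if __name__ == "__main__":
    for case, failed in demo().items():
        print(f"{case}: {'OK' if not failed else 'failed ' + ', '.join(failed)}")
```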

Having your own internal PKI CA.
Many companies have their own internal CA server that is used for company internal certificates.

And finally some LAB work:

Installing a certificate on the ASA
When working in the lab with an ASA, we are usually working with the ASA’s own self-signed certificate. This is fine for lab work, but in real-world production environments we need to have certificates that are recognized in the PKI.
Why? Because a self-signed certificate is not recognized by browsers, and users SHOULD not connect if their browser doesn’t trust the certificate.

So we need to obtain a trusted certificate from a Certificate Authority and install that as our root certificate on the ASA. Once that is done we can use certificates generated from that root to authenticate our SSL (and IPSEC) capabilities.

There are two ways we can do this:

  • Low Budget – we generate a permanent self-signed certificate. Then each machine that connects has to be configured to accept the certificate – this is manual and not scalable.
  • Big Budget – we purchase a root certificate from a CA (this runs about $270 or thereabouts). The root certificate is really the certificate to authenticate our organization. Once we have the root certificate (which can have a wildcard to support subdomains), we enroll the device, and that gives us an identity certificate. The device has its own key pair which is sent to the CA.

Once all this happens, we will have two certificates – the root and the identity. Both will be installed on the ASA.
This is scalable and requires no manual configuration of the client PCs.

It is also possible to create our own CA server – This is outside of the scope of the CCNA Sec, but if I have time I might look into this.

Final Notes:

NTP is also important because certificates have expiration dates. The last thing we want to do is make this mistake.

To implement this on the ASA, we do the following:

  • Set up NTP
    • Configuration > NTP > System Time
    • Clock – check and set time zone etc.
    • NTP – add an NTP server
    • Verify with show clock, show ntp status and show ntp associations
  • To authenticate the CA
    • Configuration > Device Management > Certificate Management > CA Certificates
    • Add a new CA – browse for a file or use SCEP (SCEP or manual)

To Enroll – we need to generate an identity certificate

  • Configuration > Device Management > Certificate Management > Identity Certificates
    • Add new certificate
    • generate new key pair
    • Advanced – add URL of CA server
    • Add outside IP address of ASA

Apply to the interface

  • Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles
  • Where the access interface section is, select Device Certificate
  • Select the identity certificate
  • Apply

CCNA Security – 1.2 Common Security Threats

Section 1.2 of the CCNA Security covers the types of attacks most commonly encountered, and how we lose or expose data.

1.2.a  Identify common network attacks
1.2.b  Describe social engineering
1.2.c  Identify malware
1.2.d  Classify the vectors of data loss/exfiltration

1.2  Common Security Threats

Threat-scape Definitions:
When looking at threats to the network, there are some terms we should be familiar with, and we’ll cover some of those here:

  • Vulnerability – a flaw in the system.
  • Exploit – a way to make use of the vulnerability in order to attack the system
    • An example of an exploit would be macof, the program that can create a CAM table overflow
  • Threat – anything that can execute on an exploit
    • A targeted potential attack
      • Denial of service and Botnet for instance
  • Risk – probability of success
    • hard to measure
    • Can be lowered by using mitigations
      • IPS/IDS, Firewalls, Anti malware and anti virus software etc

So we might have a high risk of a threat, exploiting a vulnerability on our network, causing our network to fail, if we don’t have adequate security.

1.2.a Identify common network attacks

It is important for us in security to have an understanding of the basic network attacks that we are likely to see.

Reconnaissance Attacks

This is where a bad actor exploits a vulnerability to gather data, most likely for a subsequent attack of some sort.

Types of recon attacks might be:

  • Scanning
    • up/down probes for IP address – ping sweep
    • port scans – what services are open
    • OS scans – what operating systems are on the network
    • Vulnerability scanners – complex scans for per host vulnerabilities
  • Examining public data
    • dig, nslookup, whois
    • googling physical locations, org lists and structures, exec bios etc.
    • targeted scanning – look for specific IT users requesting info on public forums, may even turn up configs with hashed or clear passwords etc.
  • Idle scan
    • spoofs a scapegoat IP address to scan systems for open ports and services
    • The scapegoat MUST be idle on the system during the scan (Hence idle)

Access Attacks

This is where an attacker will attempt to gain access to your network. There are a number of ways this can happen:

  • Password attack – there are a number of ways to crack passwords
    • dictionary attack – where the attacker uses common passwords or codes, stored in a dictionary
    • Brute force – this is the most likely to succeed, but requires an attacker to run through combinations of characters until the right combination is found.
    • Social Engineering – guessing based on human interaction, or spoofing the user to gain the password.
    • Network sniffing – use something like Wireshark to see the password on the wire.
  • Trust exploitation – gaining access through trusted assets like DMZ servers
  • Port Redirection – SPAN attack. Using a compromised system as a base for attacks.
  • Man-in-the-middle attack – Can happen at layer 2 or 3. The attacker is the man in the middle. The purpose of a MITM attack can be to:
    • manipulate, inject or steal data
    • Generally completely defeats 2 factor or strong authentication

    These types of attacks can be accomplished on both the local LAN and remotely by using the following techniques:

    • ARP Cache Poisoning
    • Remote man in the middle
      • Tamper with DNS, routing, DHCP
      • Mitigate with secure protocol, authentication and encryption
        • SSL, TLS, IPSEC
  • Buffer Overflow – Buffer memory is allocated (by the program or OS) at a certain size, because input to that buffer is expected to be of a certain size. If the input data is larger than expected the buffer can ‘overflow’, corrupting the memory adjacent to the buffer
    • This can cause data corruption or a system crash
    • This can also lead to the injection of malicious code
    • The Blaster worm caused an overflow in the DCOM RPC service of Windows, for instance.
  • IP, MAC & DHCP Spoofing – as a means to gain access for man in the middle attacks.

Denial of service (DoS) attacks

There are two types of DoS:

  • DoS – Denial of service (single system)
  • DDoS – Distributed denial of service (multiple or coordinated attack)
    • Zombies and Botnets are used in DDoS attacks
    • Zombies can also be used for clickfraud and bitcoin mining

Both attack types can cause services to become unavailable through two mechanisms:

  • system crash
    • buffer overflow
    • invalid input – causing exceptions
  • consume all resources – CPU, Memory, bandwidth
    • syn flood attack
    • valid login slots

These in turn are caused because an attacker exploited a vulnerability in a device or the network as a whole. Sometimes as little as a single packet is needed to cause the system to crash.
Typical DoS/DDoS attacks are:

  • Ping of death – an extremely large ICMP packet that can crash legacy systems
  • Smurf Attack – broadcast a ping with the source IP address spoofed to the target system
  • TCP SYN Flood – attempt to create a large number of half formed TCP transactions, causing system resources to be drained


Spoofing

Spoofing is not actually an attack, it is a concept, but it can be used as a tool for forming attacks.

  • IP Spoofing – source IP is spoofed. This is the most popular spoofing method
  • MAC spoofing – source MAC address is spoofed
  • Application Spoofing – Email ID
  • LAND Attack – Source IP and port = destination IP and port. Send a SYN request and the target system replies to itself, making itself vulnerable.

Reflection and Amplification Attacks

These are denial of service attacks that aim to target bandwidth. The attacker uses a few packets to generate a large amount of traffic that is directed at the victim. An example is the Smurf attack

  • A ping to a subnet broadcast address is sent with the IP address spoofed to the attack target
  • Each device on the subnet will reply to the ping
  • Those replies go to the attack target
  • With a large enough subnet, the target machine can be overwhelmed
  • Mitigated using no ip directed-broadcast, which is now standard on all Cisco routers

DNS and NTP can also be used in amplification attacks. Combine reflection and amplification with DDoS and we can really hammer systems by generating huge amounts of DDoS traffic.  In Feb 2014, an amplified DDoS attack created almost 400Gbps of traffic, directed at a services vendor.

Hacking tools
  • The intention of the tool use is what differentiates between the security tool and the hacking tool
    • check out sec-tools.org
      • Wireshark
      • Metasploit – can be used by novices
      • Nessus
      • aircrack
      • snort – open source version of Firepower IDS/IPS


1.2.b Describe social engineering
Social Engineering

Social engineering is when someone tricks someone else into helping them with an attack. It often exploits the very human vulnerability of wanting to be helpful and polite. The attacks can take a number of different forms:

  • Tailgating – Holding a door open allowing badge readers to be bypassed
  • Curiosity – Opening an email attachment containing malicious code or malware
  • Visual hacking – people don’t like to be rude and won’t stop you looking over their shoulder
  • Helpful – call and ask for help. If you sound like you belong, you can get info
  • trash – incorrectly disposed can expose all sorts of information
  • USB Memory Keys – used to create back doors
  • Phishing – email spoofing and redirecting to gain sensitive info like passwords, credit card and SSNs.
    • Sometimes the link is legitimate, but the Phisher is executing a man in the middle attack and is reading traffic.
    • Spear Phishing – targeting smaller groups down to the individual
    • Whaling – high profile individuals (C suite etc)
    • Pharming – DNS attack. The attacker poisons the DNS for the victim, sending the victim to the spoof site.
      • The attacker may also add an entry into the victim’s host file
      • the attacker may also spoof DHCP to direct the victim to a fraudulent DNS server
    • Watering Hole – targets web sites where groups of people gather.
      • can be achieved by targeting ad servers that link to the target web site (for instance)
  • Vishing – Phishing techniques using voice systems
  • Smishing – Phishing techniques using SMS


1.2.c Identify Malware
  • Malware, very simply stated, is malicious software:
    • Virus – can replicate itself using unaware humans. Data files and macros etc
    • Worm – can propagate without human help.
      • Can use multiple vulnerabilities
      • Botnets and Stuxnet
    • Trojan – Beware of Geeks bearing gifts. These are generally code that looks legitimate, but has malicious code creating back doors etc.
      • Keystroke logging, data corruption etc
    • Ransomware – code that locks (encrypts) your data and won’t decrypt it until you pay the ‘ransom’.
    • Spyware – code that runs and gathers information about the systems and the user’s internet activity, with a goal of passing that information back to ad generators who target ads at the user.
    • Adware – code that delivers pop-up ads, which the attacker often gets paid for.
    • Scareware – fake threats.
  • APT – Advanced Persistent Threats
    • high tech, organised, remain undetected


1.2.d Classify the vectors of data loss/exfiltration

This is the means by which data can leave an organization without authority to do so. Frequently this is by accident or failure to comply with procedure and policy, but it can have serious consequences. (Stolen laptop containing SSNs and CC numbers?)

  • Data loss can be a hard drive failure
  • Data exfiltration is the loss of data via nefarious means
  • This is mitigated by Data Loss prevention policies
    • Data at rest – data on a hard drive or in storage of some sort
    • data in transit – data moving from one system to another
    • data in use – residing in RAM on a workstation or server
  • Vectors of data loss
    • Email and email attachment
      • generally an accidental issue
      • just trying to be helpful
      • can be a phishing or social engineering attack
    • mobile devices
      • unencrypted data with lax access controls
    • cloud services
      • unencrypted data with lax access controls
    • removable storage devices
    • Improper access controls

CCNA Security – 1.1 Common Security Principles

Section 1.1 of the CCNA Security covers the very basic definitions of what security is in IT.

1.1.a Describe confidentiality, integrity, availability (CIA)
1.1.b Describe SIEM technology
1.1.c Identify common security terms
1.1.d Identify common network security zones

1.1.a What is CIA?

These are the three basic components of information security. They are the following:

  • Confidentiality – only the people who are supposed to see the data, can see it. All others cannot. This is ensured through the use of Encryption
  • Integrity – ensuring the data is untouched and has not been manipulated, except by authorized people. This can be ensured through the use of hashing.
  • Availability – the people who need it can get to it. This usually takes the form of redundancy – of circuits, devices, servers etc.

Encryption is the use of a mathematical algorithm to encode or obfuscate the original data in such a way that the receiver of the data can reverse the algorithm to see the data.
As part of the algorithm, there is a key that is required for encryption. Once encrypted, a key is required for the decryption process.

Hashing is a mathematical algorithm that is used to take data and create a signature or checksum from it.

Digital signatures are the use of both hashing and encryption. First the data is hashed to create a checksum, which is then encrypted.

Just an aside: there are a couple of ways of looking at data. It can either be in motion or at rest. When in motion, we can use a VPN to secure our data, and at rest (on a hard drive) we can use encryption.

1.1.b  What is SIEM?
Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. The acronym is pronounced “sim” with a silent e.

In Cisco terms this applies to the collection, correlation and acting on security information.

SIEM is supposed to integrate into the overall architecture of the network. What this means is that the security and monitoring of a network should be aspects of the initial design and not afterthoughts, as they so often are.

SIEM comes from the convergence of SIM (Security Information Management) and SEM (Security Event Management), and what we are essentially talking about is a single pane of glass for the security systems.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security-technology-partners/bn_cisco_siem.pdf

Cisco have a number of products that fall into the security information and event management category. Routers, firewalls, IDS and IPS can all integrate into security information and event management systems through the use of syslog and SNMP.

The driver for security information and event management is the borderless network. Organizations can no longer consider themselves stand-alone entities; with mobility and cloud services, SIEM is becoming more important. Regulatory considerations and internal policy can add additional burden to security information and event management, as does application integration, video, VoIP and other services.

Where would we add SIEM devices?

At the internet edge we might have

  • routers with ZBFs
  • ASA firewalls with IPS/IDS
  • Ironport email security appliances (ESA)
  • Ironport Web security appliances (WSA)

Additionally we might add MARS in the data center for:

  • log collection
  • normalization
  • correlation
  • aggregation
  • reporting

What products does Cisco have in this arena?

  • Cisco Security Manager
  • Cisco Security Monitoring, Analysis and Response system (MARS)
  • ASA Security Device Manager

SIEM logs can be moved via SCP (Secure Copy Protocol) or FTP (clear text).

SDEE (security device event exchange)
What is SDEE?
Security Device Event Exchange is a protocol or language used for security devices (providers) to communicate with security monitoring systems (clients).

SDEE is communicated via HTTP or HTTPS (SSL & TLS), with the provider essentially working as a web server and the client initiating requests.

The language is device agnostic (an industry standard) controlled by the ICSA (International Computer Security Association).

Cisco has their own extensions to this language called CIDEE
Cisco Intrusion Detection Event Exchange

Clients requesting data from a provider, must authenticate


1.1.c Identify common security terms

Security terms can mean a variety of things depending on who you are talking to but for everyday life in security and especially for the exam, these are the terms we need to be familiar with and understand.

  • Asset – this is what we are attempting to keep secure. It might be a server or an entire network or some data.
  • Vulnerability – A weakness in the system. This can be anything from a weak operating system, weak password, poor policy and procedure or device capability.
  • Threat – this is the exploitation of the vulnerability
  • Risk – the chance of that exploit being used against you
  • Countermeasure – Steps we take to mitigate the risk of the exploit being used against us.

Be familiar with the syslog messaging levels. Just like with learning the OSI model for the CCNA R&S, get to know these:

Alert Messages            Severity 1
Critical Messages         Severity 2
Error Messages            Severity 3
Warning Messages          Severity 4
Notification Messages     Severity 5
Informational Messages    Severity 6
Debugging Messages        Severity 7

In my role as a network engineer, I use these categories every day and it is likely that you will too.
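The syslog levels above are what a SIEM collector actually works with when the routers, firewalls and IDS/IPS mentioned earlier forward their logs. Here is an added example, not code from the original post or from any Cisco product, of the collection, normalization, filtering and aggregation steps over a handful of constructed IOS-style syslog lines. It assumes the standard syslog PRI encoding (PRI = facility * 8 + severity, with IOS defaulting to facility local7 = 23) and the IOS `%FACILITY-SEVERITY-MNEMONIC` message format; the message texts are constructed samples, not captured device output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog severity numbers (RFC 3164 / Cisco IOS). The list above starts at 1;
# severity 0 ("emergency") sits below "alert".
SEVERITY_NAMES: Dict[int, str] = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Constructed sample lines (not captured from a real device). IOS uses facility
# local7 (23) by default, so the PRI header is 23 * 8 + severity.
SAMPLE_LINES: List[str] = [
    "<187>45: *Mar  1 00:05:12.345: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>46: *Mar  1 00:05:13.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<189>47: *Mar  1 00:06:02.000: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 172.26.6.9 (GigabitEthernet0/0) is down: retry limit exceeded",
    "<190>48: *Mar  1 00:06:30.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4444) -> 10.0.0.5(22), 1 packet",
    "<186>49: *Mar  1 00:07:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A0B2C4, pool Processor",
    "this line has no PRI header and is dropped during normalization",
]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_name: str
    mnemonic: str   # IOS "FACILITY-SEVERITY-MNEMONIC", or "" when the line has none
    text: str


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
IOS_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z0-9_]+):\s*(.*)$")


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Decode the PRI header into facility/severity and pull out the IOS mnemonic."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    rest = m.group(2)
    ios = IOS_RE.search(rest)
    if ios:
        fac_name, sev_digit, mnem, text = ios.groups()
        mnemonic = f"{fac_name}-{sev_digit}-{mnem}"
    else:
        mnemonic, text = "", rest.strip()
    return SyslogEvent(facility, severity, SEVERITY_NAMES[severity], mnemonic, text)


def embedded_severity(ev: SyslogEvent) -> Optional[int]:
    """Severity digit IOS embeds in the mnemonic (the 3 in LINK-3-UPDOWN), or None."""
    return int(ev.mnemonic.split("-")[1]) if ev.mnemonic else None


def normalize(lines: List[str]) -> List[SyslogEvent]:
    """The SIEM 'normalization' step: raw lines become structured events, junk is dropped."""
    events = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is not None:
            events.append(ev)
    return events


def at_most(events: List[SyslogEvent], trap_level: int) -> List[SyslogEvent]:
    """Keep events with severity <= trap_level. This mirrors 'logging trap <level>' on
    IOS, which forwards that level and everything more severe (lower numbers)."""
    return [ev for ev in events if ev.severity <= trap_level]


def count_by_severity(events: List[SyslogEvent]) -> Dict[str, int]:
    """The SIEM 'aggregation' step: how many events arrived at each severity."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.severity_name] = counts.get(ev.severity_name, 0) + 1
    return counts


if __name__ == "__main__":
    events = normalize(SAMPLE_LINES)
    # What a collector receives from a device configured with "logging trap warnings" (4)
    for ev in at_most(events, 4):
        print(f"{ev.severity_name:<13} {ev.mnemonic:<22} {ev.text}")
    print(count_by_severity(events))
```

The `embedded_severity` check is worth keeping in a real collector: the PRI header and the digit inside the IOS mnemonic should agree, and a mismatch usually means a relay rewrote the facility or severity on the way in.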

Some other terms that you will need to be familiar with for the exam are:

The Open Web Application Security Project (OWASP) offers several ways to help organizations secure web infrastructures, including education about common web site vulnerabilities. They have also created a number of tools, guides and testing methodologies that are free for anyone to use, and they publish a list of the top 10 web vulnerabilities.

OWASP releases its material under Free/Libre Open Source Software (FLOSS) licenses, is a non-profit and is multinational.

The National Institute of Standards and Technology (NIST) is a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. The NIST 800-115 is a Technical Guide to Information Security Testing that provides guidance and a methodology for reviewing security that is required for the U.S. government’s various departments to follow. It is NOT focused solely on common Web site vulnerabilities.

The Open Source Security Testing Methodology Manual (OSSTMM) is a free methodology to conduct security testing in a thorough and repeatable manner developed under the Creative Commons License. It is NOT focused solely on common Web site vulnerabilities.

The Information Systems Security Assessment Framework (ISSAF) is one of the largest free assessment methodologies available. It is focused on the business aspect of security and on a penetration test framework. It is NOT focused solely on common Web site vulnerabilities.

Other terms can be found here:

1.1.d Identify common network security zones

Zones are an important concept in security. In fact, the definition of a firewall is that it controls access between zones. In terms of firewalls (both ASA and IOS) there are three zones to be aware of:

  • Inside – the local LAN side of the firewall. Typically the highest security level (100) and trusted.
  • Outside – the wild, untamed internet. The lowest security level (0) and not trusted at all.
  • DMZ – a zone with one foot in each camp: a lower security level (1-99) for internet-facing servers, proxies etc.

Modern firewalls inspect traffic and use that inspection to build state tables of which return traffic is allowed to flow back from the untrusted to the trusted network. By default, no traffic is allowed to flow from untrusted to trusted, so:

  • inside to outside traffic is allowed
  • inside to DMZ traffic is allowed
  • outside to inside is not allowed
  • DMZ to inside is not allowed
  • DMZ to outside is allowed
  • outside to DMZ is not allowed
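The six rules above follow from one comparison (is the source security level higher than the destination's?) plus a connection table for return traffic. As an added example, not code from the original post and not how any Cisco firewall is implemented, the small model below encodes that default policy and walks a packet from each zone pair through it. The DMZ level of 50 and all addresses and ports are constructed values; the note only says the DMZ sits somewhere in 1-99.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int   # 0 (least trusted) .. 100 (most trusted), ASA style


# The three zones from the note. 50 for the DMZ is a constructed value.
INSIDE = Zone("inside", 100)
DMZ = Zone("dmz", 50)
OUTSIDE = Zone("outside", 0)


@dataclass(frozen=True)
class Packet:
    src_zone: Zone
    dst_zone: Zone
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# proto, src_ip, src_port, dst_ip, dst_port
ConnKey = Tuple[str, str, int, str, int]


class ZoneFirewall:
    """Default policy of a security-level firewall with a stateful connection table."""

    def __init__(self) -> None:
        self.connections: Set[ConnKey] = set()

    @staticmethod
    def policy_allows(src: Zone, dst: Zone) -> bool:
        # Higher level -> lower level is permitted by default; lower -> higher is not.
        # Equal levels are also denied by default on the ASA unless same-security
        # traffic is explicitly permitted, which this model does not add.
        return src.security_level > dst.security_level

    def process(self, pkt: Packet) -> str:
        key: ConnKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: ConnKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        src, dst = pkt.src_zone, pkt.dst_zone
        # Return traffic for a session the trusted side opened passes on the state table,
        # even though it is flowing from a lower to a higher security level.
        if reverse in self.connections:
            return "allow: return traffic for an existing connection"
        if key in self.connections:
            return "allow: existing connection"
        if self.policy_allows(src, dst):
            self.connections.add(key)
            return f"allow: {src.name}({src.security_level}) -> {dst.name}({dst.security_level})"
        return (f"deny: {src.name}({src.security_level}) -> {dst.name}({dst.security_level}), "
                "no matching connection")


def walkthrough() -> List[Tuple[str, str]]:
    """One packet per zone pair from the note, in order, through a fresh firewall."""
    fw = ZoneFirewall()
    steps = [
        ("inside -> outside", Packet(INSIDE, OUTSIDE, "tcp", "10.1.1.10", 40000, "198.51.100.20", 443)),
        ("outside -> inside (reply)", Packet(OUTSIDE, INSIDE, "tcp", "198.51.100.20", 443, "10.1.1.10", 40000)),
        ("outside -> inside (unsolicited)", Packet(OUTSIDE, INSIDE, "tcp", "198.51.100.99", 5555, "10.1.1.10", 22)),
        ("inside -> dmz", Packet(INSIDE, DMZ, "tcp", "10.1.1.10", 40001, "172.16.0.5", 80)),
        ("dmz -> inside", Packet(DMZ, INSIDE, "tcp", "172.16.0.5", 40002, "10.1.1.10", 445)),
        ("dmz -> outside", Packet(DMZ, OUTSIDE, "udp", "172.16.0.5", 40003, "198.51.100.53", 53)),
        ("outside -> dmz", Packet(OUTSIDE, DMZ, "tcp", "198.51.100.99", 5556, "172.16.0.5", 80)),
    ]
    return [(label, fw.process(pkt)) for label, pkt in steps]


if __name__ == "__main__":
    for label, verdict in walkthrough():
        print(f"{label:<32} {verdict}")
```

The second packet is the interesting one: the same outside-to-inside direction that is denied unsolicited is allowed when it matches the reverse of a connection already in the table, which is the whole point of the inspection the note describes. Exposing a DMZ server to the outside means adding an explicit rule on top of this default, which the model deliberately leaves out.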


TonyPickett.com