Cisco CCNA 200-301 – The Security Threat Landscape Part 4

7. TLS Transport Layer Security

You’ll learn about firewalls IDs, intrusion detection systems and IPS intrusion prevention systems. So I’ll tell you about the characteristics of each, the differences between them, and how they best work together to provide security for an organization. So starting off with the IDs and the IPS, IDs Transfer Intrusion Detection System and IPS is an intrusion prevention system.

The IDs, or IPS, uses signatures to inspect packets up to layer seven of the OSI stack, looking for traffic patterns which match knowing attacks. They can also use anomaly based inspection to look for unusual behavior, such as a host which is sending a lot more traffic than usual that would indicate that it has been infected by a worm. So your IDs and IPS actually are quite similar to the antivirus software that you’ll find on your PC and that they use signatures to look for knowing attacks.

They can also use heuristics to look for characteristics which would indicate an attack. So something out of the normal or something which looks similar to another known attack. The IDs and IPS require skilled staff to tune them to their own particular environment and minimize false positives and false negatives. A false positive is when the IPS triggers because it thinks there’s been an attack, when actually that was legitimate traffic, and a false negative is worse, that is when there is an attack, but the IPS does not recognize it and does not trigger.

So your IDs and your IPS, they do need tuning because each separate environment has got its own separate traffic patterns. So something that might be legitimate in your organization would maybe indicate an attack in a different organization. So it does take some time to tune the IPS when you first install it to tune out, to filter out those false positives and false negatives. And as things can change in your network over time, it requires the IPS to be updated to reflect that the difference between an IDs and an IPS.

So an IDs and Intrusion detection system sits alongside the traffic flow and informs security administrators of any potential concerns, anything that looks like an attack. An IPS and intrusion prevention system sits in line with the traffic flow and it can also block attacks as well as notify you about them. An IDs may also have the capability to tell a firewall to block attacks if a firewall is in line with the traffic flow, but the IDs is not. Obviously you would need to have an IDs and a firewall which are compatible to be able to do that. The Cisco IDs. And firewall can do that. Okay, so here’s a diagram showing the difference between the IPS and the IDs.

And you can see we’ve got the IPS on the top here. It is in line with the traffic flow. The traffic flow is going through it, so if it detects an attack, it can stop, it can block that traffic. An IDs on the other hand, is off to the side of the traffic flow. So here we’re going to be using mirroring to send a mirror copy of the traffic to the IDs. Because the traffic is actually going through a different path. We’re just sending a copy to the IDs. The IDs itself cannot drop the traffic in line. But if there was a firewall here and it was a compatible firewall, the IDs could send a message to the firewall telling the firewall to do it.

The reason that we have the two different options here is that an IPS can sometimes be a bottleneck. If there’s not enough throughput on the IPS to handle the amount of traffic going through it, you don’t want it to slow down the network traffic.

You could use an IDs instead in that situation. There are other things we can do to help with that, such as clustering as well. I’ll talk about clustering a little bit later on. Okay, so that was the IDs and the IPS comparing them with firewalls. Now, an IPS and IDs uses signatures to inspect packets up to layer seven of the OSI stack, looking for traffic patterns which match known attacks. So IPS uses signatures, firewalls block or permit traffic based on rules such as destination, IP address, and port number. So an IPS uses signatures, a firewall uses rules. Organizations will always deploy firewalls on their internet edge. There’s no way an organization would connect to the Internet without having a firewall there. To protect themselves, they may also deploy firewalls at suitable security points inside their internal network. So for sure they’ll have a firewall between them and the Internet.

They might also have a part of their network which has got sensitive servers there. Maybe we’d have another separate firewall there also as well. IPSes are typically seen as an option. So where firewalls are mandatory, you’re always going to have a firewall between you and the Internet. IPS are traditionally seen as optional rather than mandate. They may be deployed in conjunction with your firewalls. Now, the lines have blurred in recent years between IPS and Firewalls, so the things that they do are separate, but you can now get all in one devices. You get firewalls which have also got IPS capability built into them as well, and that is becoming particularly prevalent since the emergence of next generation firewalls. So modern firewalls do also often have IPS capability as well as the firewall capability. They’re also often capable of acting as the endpoint of VPN tunnels as well. I’ll talk about VPN tunnels later in this section. So organizations have a choice.

They can deploy an all in one solution with a firewall which also has IPS capability, or they might split out those functions to provide better scalability specialized devices to separate firewall. And IPS may also have more advanced features than would be available with an all in one solution. Another option for scalability and higher throughput is clustered devices. So you saw in the diagram earlier, I had that inline IPS you saw that it’s possible that it could become a bottleneck if it doesn’t support enough throughput for the amount of traffic going through it.

Well, a solution that will often resolve that issue is by putting in multiple hardware devices there and sending the traffic through those multiple hardware devices. If the devices support clustering, then they act as a single solution for management and also for all of their features as well. But because you’ve got multiple devices there, they now support higher throughput and it also gives you redundancy in case one of them fails as well. Okay, let’s wrap up this lecture with a look at an example network topology showing how firewalls and IPS can work together.

So in the example network here, we’ve got a couple of departments on the inside, department A and Department B. They’re connected into a layer three switch, and then that’s connected to the inside interface on the firewall. The outside interface on the firewall is connected out to the Internet. We also have a DMZ here, that’s a demilitarized zone where we’re going to put our sensitive internal servers there. By having the servers in a DMZ rather than on the inside, that allows us to have a more suitable policy, separate policies for our servers and for our normal internal hosts. So you can see here, we’ve also got an IPS as well, which is protecting those internal servers.

Now, some things to say here. If this firewall was an all in one solution, next generation firewall, which also had IPS capabilities such as the Cisco ASA with firepower, then we wouldn’t need to have a separate IPS here and that would also protect the inside hosts as well as the internal servers. Right now, if this firewall is just fulfilling the firewall duties, it doesn’t have any IPS features on there and we’ve got the IPS down here. Well, right now the IPS is just protecting our internal servers.

We don’t have an IPS protecting the internal host. Depending on your particular situation and environment, that might be acceptable. So you can see here just an example of one way that you could do it. You’re always going to have a firewall protecting yourself from the Internet. An IPS is typically seen as optional. The IPS can be a separate device or it can be built into the firewall. Okay, that’s everything that I needed to, to tell you here. In the next lecture, we’ll have a look at how firewalls work in some more detail and also compare them to packing.

8. Site-to-Site VPN Virtual Private Networks

Lecture you’ll learn about VPNs that’s virtual private networks. I’ll start off with site to site VPNs and then after this we’ll get on to client to site remote Access VPNs. So with a site to site VPN you can see in my example here I’ve got an office in New York and I’ve got an office in Boston. When hosts in New York York communicate with each other that traffic will be unencrypted. And when hosts in Boston communicate with each other in our example that’s unencrypted as well. But when hosts in New York and Boston communicate with each other across the untrusted network of the internet, that traffic is going to go through our VPN tunnel and it’s going to be encrypted. So anybody on the internet that’s able to sniff traffic, they will be able to see it but they won’t be able to read it because it’s encrypted traffic. So your site to site VPNs used symmetric encryption algorithms such as Des, Triple, Des and AES, more likely to be AAS. Nowadays to send encrypted traffic between locations over an untrusted network such as the Internet.

Traffic inside an office is often left unencrypted as inside the office is often seen as a trusted network. However, VPN tunnels can also be deployed internally. And Cisco Trust SEC is another more manageable solution for internal authentication and encryption, but it’s not covered in the CCNA exam sector. Site VPN tunnels typically terminate on a firewall or a router on both sides and a preshared key can be configured on both sides of the tunnel. Or certificates can be used. And certificates offer a more scalable solution because each of your different tunnels should have a different key. You don’t want to reuse the same key again because if one tunnel gets compromised, if you were using the same key everywhere then that means that all of your tunnels are compromised. So certificates can give you a more scalable solution to manage this. But to be honest, in real world deployments, preshared keys are very commonly used. It’s just easier to set them up.

IPsec is a framework of open standards that provide secure encrypted communication on an IP network. And it’s IPsec that we’re going to use for our site to site VPN tunnels inside IPsec. Internet Key Exchange that’s IC handles negotiation of protocols and algorithms and generates the encryption and authentication keys. And Isaacamp that’s Internet Security Association and Key Management Protocol defines the procedures for authenticating and communicating peer creation and management of security associations. Isaacamp typically uses IC for the key exchange. So IC and Isaacamp, you’ll often find those terms being used interchangeably. So even though there is a slight difference there, you’ll often see them being used as cinnamons of each other authentication header. Ah provides integrity authentication and protection from replay attacks and ESP.

Then Captulating Security Payload provides confidentiality, integrity authentication and protection from replay attacks. So when you’re implementing IPsec, you’ve got the option of doing it either with Ah or with ESP. You may be noticed there that there’s a big one missing for Ah which is confidentiality. When you are using a VPN tunnel, pretty much always you’re going to want the actual data to be encrypted. So you’ve got the confidentiality. So ESP is a lot more commonly used than AHS and as well as the choice between Ah and ESP, you can also use either tunnel mode or Transport mode. Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by another set of IP headers and ESP tunnel mode is widely implemented in site to site VPN scenarios. The other option is Transport mode. You use one or the other transport mode encrypts only the payload and the ESP trailer.

So the IP header of the original packet is not encrypted and the Ipick transport mode is implemented for client to site remote access VPN scenarios. Transport Mode is usually used when another tunneling protocol such as GRE or LTP is used to first encapsulate the IP data packet. Then IPsec is used to protect the GRE L two TP tunnel packets. So GRE and L two TP, those are other methods you can use to create a tunnel. GRE and L two TP are not encrypted. So if you are using them and then you want to secure them, then you can use ESP Transport mode around that.

Now the thing with whether you’re going to use Ah or ESP and whether you are going to use tunnel mode or transport mode really you’re always going to be using ESP, not Ah. And whether you’re going to use the tunnel mode or the transport mode, well you don’t really need to think about that either because when you’re configuring the tunnel, depending on the application you’re actually using it for and where you’re setting up, almost always this is going to be done for you as well. So you don’t need to think about making a decision. It’s going to be a default based on how you’re setting up the tunnel anyway. Okay, so let’s have a look at how we are going to do our IPsec VPN implementation.

If we’re terminating the tunnel on a Cisco router, the first thing to configure is the interesting traffic, that is the IP subnets on both sides of the link that you want to encrypt traffic between. So I’ll just have a look at my next slide here for a second. So in the example topology here we’ve got the ten 1010 00:24 network on the left, the 1020 00:24 network on the right. Our interesting traffic would be traffic that is going between those two subnets. It’s an interesting traffic that is going going to be encrypted and sent through the tunnel. You use an access control list to specify the interesting traffic. Other things to configure is Isaacamp or IC. Phase one.

As I mentioned earlier, the terms is a camp and IC are often used interchangeably. So you could call this Isaacamp Phase One. Or you could call it Ike Phase one. In phase one, the VPN devices that’s the two routers negotiate an ICC security policy, authenticate each other and establish a secure channel. So in phase one, that’s about the initial authentication and the initial set up of the tunnel. Then in phase two, the VPN devices negotiate an IPsec security policy to protect the IPsec data. So phase one is the two devices authenticating each other with phase two. That’s where the two devices are going to negotiate on the settings and algorithms that are going to be used for the encryption of the actual data that is being sent over the tunnel. And finally, you’re going to have the data transfer. The VPN devices will apply security services to the traffic, encrypt it and send it over the tunnel. So I’m going to have a look at an example configuration here.

Now you don’t need to know the configuration for the CCNA exam, but I’m going to include it here because I always find it easier to see what is going on, to understand something when I can see how it’s actually configured. So in our example, we’ve got the two offices, the ten 1010 network on the left, the 1020 network on the right, and the outside interface on the router on the left. It’s connected to the Internet, has got IP address 203 011313. And on the router on the right it’s connected to the Internet with public IP 203 011353. Now those are 30. So with the 30, the subnet on the left, it’s going to have the valid host addresses 203 1131 and two on the right. The valid host addresses will be five and six. So you can see that those are actually two different IP subnets there. So they’re on different sides of the Internet.

Those two routers are not directly connected to each other. They’re both connected to the Internet and they can reach each other on each other’s public IP addresses over the Internet cloud because the traffic is going over the Internet as an untrusted network. When we send traffic between our two different offices, we want it to be encrypted. So we’re going to send it over our IPsec VPN tunnel. So let’s have a look at the configuration. So first off, we configure phase one, the commands. Here I’ll show you the configuration for R one, the configuration for R Two, which is on the right hand side, it’s going to be exactly the same. It’s going to be a mirror image of this. So on the router on the left, R One, we say a global config crypto Isaacamp policy one to set up our first Isacamp policy. And then the encryption here we’re using AES. We could have also used triple Des, for example. The AES is more secure. The hash we’re using sha. We could have also used MD five.

But sha is more secure. So we’re using that. Then we’re seeing authentication preshare, meaning we’re going to configure the same pre shared keys to the same password on both sides. Our other option here would have been to use certificates. Then we say group two, that is the Diffie Hellman group that is being used for this initial set up. The lifetime eight 6400, that’s actually the default, which is one day. So with your VPN tunnels, they are going to be rekeyed regularly because somebody could be trying to reverse engineer, trying to hack into this. So what you want to do is make sure the keys are changed regularly. So the actual shared secret that you see are flat box which is on the next line, that never changes, but that is just used for the initial setup.

During the initial setup, a key will be chosen, then a shared key which will be available on both sides. That shared key that’s actually used for the encryption is going to be getting changed regularly. Then the last line here we’ve got Crypto Isaacamp key. We’ve used flatbox, that’s the key or the password here and address 203 1135. That’s the public IP address of the router on the other side. So the router on the other side, the configuration there is going to be exactly the same, apart from the address is going to be pointing at our address and the password needs to be the same on both sides. Then we are going to configure our ACL to define the interesting traffic. Here we’re on the router on the left, so the interesting traffic is going to be traffic going from the ten 1010 00:24 network behind us going to the 1010 20 O network over on the other side. So we have said IP accesslist extended flatbox VPN ACL permit IP 1010 or 25 five, going to 1010 20 odor 25. So that’s an ACL saying whenever traffic is coming from ten 1010 on our side, going to 1010 20 on the other side, we’re going to configure this, that this is going to be going through the VPN tunnel and get encrypted. Then we configure phase two, which is for the actual encryption of the actual data that is being sent over our config for that we say crypto IPsec transform set. And then here I’ve called it flatbox TS for transform set. And I’ve said, espaes ESP. Sha. HMAC. So this is the encryption algorithms that are going to be acceptable here. We want to have that the same on the other side because both sides are going to negotiate what is acceptable. Now, notice if I go back to phase one, I also specified the encryption and the hash there as well. This is for the initial authentication of the routers, the initial set up of the tunnel. I need to specify the algorithms I’m using again for phase two as well. This is going to be used for the actual transport of the actual data between the clients. Then I have crypto map. I’ve got it. Flatbox CM for the crypto Mac, ten IPsec, isaacamp and Nsepier 203 1135. That’s the public IP address of the router on the other side. Set transform set, flatbox TS that references the transform set that I configured up at the top here. And then match address, flatbox VPN ACL that matches the access control list that I configured on the previous slide. And then I need to apply it to my outside interface.

So if it said interface serial 10, crypto Mac, crypto map, flackbox CM. So that is the full config to set up the VPN tunnel. I still have one other thing to do though. You probably noticed that I was using private IP addresses on both sides there. So those addresses are going to need to be Natted whenever we’re talking to the Internet. So if any of my hosts on the inside and either site are communicating with an external public web server for private IP address needs to be Natted. But when traffic is going through the VPN tunnel, it needs to be noted.

So I need to disable nutting traffic between those two subnets in my ACL that is being used for not. So here I’ve got IP access list, extended flatbox, not ACL. So it’s a different ACL than the one I was using to specify the traffic going through the tunnel. This is my ACL that I’m using for not. If you want a reminder of how you set up not, go back and have a look at the Nat section again.

So I’m altering my normal Nat ACL here and I’ve said deny IP from ten going to 1020. So that just stops the traffic going over the VPN tunnel from being knotted. And then I’ve got permit IP 10 10 55 NA. So any traffic going anywhere else, meaning going out to public internet servers is going to be madded. Okay, so that is our site to site VPN tunnels and how to configure them. In the next lecture we’ll have a look at client to site remote.

• Category: Uncategorized