Module 8 Slides

The document outlines various network security protocols and technologies, including TACACS+, RADIUS, IPv4 and IPv6 access control lists (ACLs), Unicast Reverse Path Forwarding (uRPF), and Control Plane Policing (CoPP). It also discusses Next Generation Firewalls (NGFW), Cisco FirePOWER solutions, and deployment models for firewalls, such as routed and transparent modes. Additionally, it covers IPv6 security features like Router Advertisement Guard, DHCPv6 Guard, and Neighbor Discovery Inspection.

Uploaded by virendra

AAA

TACACS+ and RADIUS

Authentication:
• Proof of identity
• Username/password

Authorization:
• Privileges and restrictions
• Authentication does not ensure authorization

Accounting:
• Record of user actions
• Log files
TACACS+ and RADIUS
External AAA:
• RADIUS
• TACACS+

RADIUS:
• IETF open standard
• UDP ports 1812/1813
• Encrypts password field only
• Network access

TACACS+:
• Cisco-proprietary
• Encrypts entire payload
• TCP port 49
• Device administration
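The two "encrypts" bullets above are easiest to see in code. The following is an added example, not part of the slides: it implements the RFC 2865 User-Password hiding that RADIUS applies to that one attribute, and the RFC 8907 body obfuscation that TACACS+ applies to the whole packet body, then shows which fields a passive observer on the wire can still read. The shared secret, usernames, session id and the `wire_exposure` helper are constructed for the demo.

```python
"""Constructed example: what RADIUS and TACACS+ each hide on the wire.

RADIUS (RFC 2865, section 5.2) obfuscates only the User-Password attribute:
    b1 = MD5(secret + RequestAuthenticator)   c1 = p1 XOR b1
    b2 = MD5(secret + c1)                     c2 = p2 XOR b2   ...
Every other attribute (User-Name, NAS-IP-Address, ...) is sent in clear text.

TACACS+ (RFC 8907, section 4.5) obfuscates the whole packet body:
    pad_1 = MD5(session_id + key + version + seq_no)
    pad_n = MD5(session_id + key + version + seq_no + pad_(n-1))
    wire  = body XOR pad  (pad truncated to the body length)
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password value as the NAS does. Returns a multiple of 16 bytes."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block          # each block is chained on the previous ciphertext block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server does (trailing NUL padding removed)."""
    if len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """Obfuscate a TACACS+ body; applying it again de-obfuscates (XOR is its own inverse)."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])


def tacacs_authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """RFC 8907 authentication START body: the username sits inside the obfuscated body."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x02, 0x01   # LOGIN, priv 1, PAP, LOGIN
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def wire_exposure(username: bytes, password: bytes) -> dict:
    """Constructed helper: what a passive observer can read from each protocol's request."""
    secret = b"constructed-shared-secret"          # assumed shared secret, demo only
    authenticator = os.urandom(16)
    radius_attrs = {b"User-Name": username,        # clear text on the wire
                    b"User-Password": radius_hide_password(password, secret, authenticator)}
    body = tacacs_authen_start_body(username, b"tty0", b"10.1.1.50", password)
    # version 0xC1 = major 0xC, minor 1 (used with PAP); session id and seq_no are constructed
    tacacs_wire = tacacs_obfuscate(body, secret, session_id=0x1234ABCD, version=0xC1, seq_no=1)
    return {
        "radius_username_visible": username in radius_attrs[b"User-Name"],
        "radius_password_visible": password in radius_attrs[b"User-Password"],
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }


if __name__ == "__main__":
    print(wire_exposure(b"admin", b"hunter2"))
```

Both constructions are MD5-based obfuscation keyed on a shared secret, not modern authenticated encryption; the operational difference the slides point at is scope (one attribute versus the whole body), which is why TACACS+ is preferred for device administration where command accounting data travels in the body.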
IPv4 ACL Troubleshooting
IPv4 ACLs

IPv4 ACLs:
• Processed in a top-down manner
• Contain access control entries (ACEs)
• Packets are processed by the first matching ACE
• Implicit deny any at the bottom of every ACL
IPv6 Traffic Filter Troubleshooting
IPv6 Traffic Filters

IPv6 Traffic Filters:
• Allow filtering based on upper-layer information
• Processed in a top-down manner
• First matching ACE is processed
• Implicit deny any at the bottom
IPv6 Traffic Filters

IPv6 Traffic Filters:
• Implicit permit icmp any nd
• ND = Neighbor Discovery messages
• Neighbor Solicitation (NS) messages and Neighbor Advertisement (NA) messages are permitted by default
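The IPv4 ACL and IPv6 traffic filter slides above describe the same evaluation rule with different implicit tails. The following is an added simulation, not code from the slides: it walks an ACL top-down, stops at the first matching ACE, and then applies the implicit entries (deny any for IPv4; for IPv6 the implicit ND permits, which IOS writes as `permit icmp any any nd-ns` and `permit icmp any any nd-na`, followed by `deny ipv6 any any`). It also includes a `shadowed_entries` check, a constructed troubleshooting aid that flags ACEs an earlier, broader entry makes unreachable. Addresses, ports and ACL contents are assumed for the demo.

```python
"""Constructed simulation of IPv4 ACL / IPv6 traffic filter evaluation order."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ND_NS, ND_NA = 135, 136          # ICMPv6 Neighbor Solicitation / Advertisement


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", "icmpv6", ...
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class ACE:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" / "ipv6" match any protocol
    src: str                     # CIDR; 0.0.0.0/0 or ::/0 means 'any'
    dst: str
    dport: Optional[int] = None      # None = any destination port
    icmp_type: Optional[int] = None  # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", "ipv6") and self.proto != pkt.proto:
            return False
        # address-in-network is simply False across address families, never an error
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(acl: List[ACE], pkt: Packet, ipv6: bool = False) -> Tuple[str, str]:
    """Return (action, which entry decided). First match wins, then the implicit entries."""
    for idx, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, f"ACE {idx}"
    # IPv6 implicit ND permits come after every explicit entry: an explicit
    # 'deny ipv6 any any' at the bottom therefore also blocks NS/NA.
    if ipv6 and pkt.proto == "icmpv6" and pkt.icmp_type in (ND_NS, ND_NA):
        return "permit", "implicit permit icmp any any nd"
    return "deny", "implicit deny"


def _covers(a: ACE, b: ACE) -> bool:
    """True if every packet matching b also matches a (so a placed above b shadows b)."""
    proto_ok = a.proto in ("ip", "ipv6") or a.proto == b.proto
    try:
        src_ok = ipaddress.ip_network(b.src, strict=False).subnet_of(
            ipaddress.ip_network(a.src, strict=False))
        dst_ok = ipaddress.ip_network(b.dst, strict=False).subnet_of(
            ipaddress.ip_network(a.dst, strict=False))
    except TypeError:            # mixed IPv4/IPv6 entries never overlap
        return False
    port_ok = a.dport is None or a.dport == b.dport
    type_ok = a.icmp_type is None or a.icmp_type == b.icmp_type
    return proto_ok and src_ok and dst_ok and port_ok and type_ok


def shadowed_entries(acl: List[ACE]) -> List[int]:
    """1-based indices of ACEs that can never be reached because an earlier ACE covers them."""
    return [j + 1 for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]
```

Running `evaluate` with the same packet against an ACL before and after a change is a quick way to confirm which line is actually deciding; `shadowed_entries` catches the classic ordering mistake of a broad deny placed above a specific permit.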
Unicast Reverse Path Forwarding
uRPF

Unicast Reverse Path Forwarding (uRPF):
• Guards against spoofed source addresses
• Verifies reachability of the packet's source IP address
• If the source IP is not reachable, the packet is dropped
uRPF

uRPF Modes:

• Strict Mode
• Loose Mode
• VRF Mode
uRPF

uRPF Strict Mode:
• Verifies that the packet's source IP arrives on the same interface the router would use to reach that address
• Be aware of asymmetric routing paths with strict mode
• Asymmetric routing can cause legitimate packets to be dropped
uRPF

uRPF Loose Mode:
• Verifies that the packet's source IP appears in the routing table
• Default route is not included
• If not found in the routing table, the packet is dropped
uRPF

uRPF VRF Mode:
• Commonly used in ISP networks for MPLS and BGP
• Same as loose mode, except that only interfaces in the same VRF as the receiving interface are examined
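The three uRPF slides above are one check with different strictness. The following is an added simulation, not code from the slides: a small router with a longest-prefix-match table applies the strict check (IOS `ip verify unicast source reachable-via rx`), the loose check (`reachable-via any`), the default-route exclusion that the `allow-default` keyword lifts, and a per-VRF lookup scope, which is the restriction the VRF-mode slide describes. The asymmetric-routing case from the strict-mode slide is one of the test inputs. Routes, interfaces and VRF names are assumed for the demo.

```python
"""Constructed uRPF simulation over a small routing table (assumed values)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    vrf: str = "global"


class Router:
    def __init__(self, routes: List[Route], interface_vrf: Optional[dict] = None):
        self.routes = [(ipaddress.ip_network(r.prefix), r) for r in routes]
        self.interface_vrf = interface_vrf or {}    # interface -> VRF; default is global

    def lookup(self, src, vrf: str):
        """Longest-prefix match restricted to one VRF's table (the VRF-mode scope)."""
        best = None
        for net, route in self.routes:
            if route.vrf == vrf and src in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, route)
        return best

    def urpf_check(self, src_ip: str, in_iface: str, mode: str,
                   allow_default: bool = False) -> Tuple[bool, str]:
        """Return (forward?, reason) for a packet with source src_ip arriving on in_iface.

        strict: the best route back to the source must exit via in_iface.
        loose : any route to the source is enough.
        In both modes the default route only counts when allow_default is set.
        """
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        vrf = self.interface_vrf.get(in_iface, "global")
        hit = self.lookup(ipaddress.ip_address(src_ip), vrf)
        if hit is None:
            return False, f"no route to {src_ip} in VRF {vrf}"
        net, route = hit
        if net.prefixlen == 0 and not allow_default:
            return False, "only the default route matches (ignored without allow-default)"
        if mode == "strict" and route.interface != in_iface:
            return False, (f"best path to {src_ip} is via {route.interface}, "
                           f"packet arrived on {in_iface} (asymmetric path)")
        return True, f"{src_ip} reachable via {route.interface} ({net})"


if __name__ == "__main__":
    r = Router([Route("10.1.1.0/24", "Gi0/1"), Route("0.0.0.0/0", "Gi0/3")])
    print(r.urpf_check("10.1.1.5", "Gi0/2", "strict"))
    print(r.urpf_check("10.1.1.5", "Gi0/2", "loose"))
```

The reason string is what you want in a troubleshooting note: a strict-mode drop on a legitimate source almost always reads "best path ... via another interface", which is the asymmetric-routing symptom the slides warn about, and the fix is usually loose mode on that interface rather than removing the check.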
Control Plane Policing
CoPP Configuration

Control Plane Policing (CoPP):
• Create an ACL to identify traffic
• Create a class map to classify the traffic
• Create a policy map to define the action taken against the traffic
• Create a service policy to enable policing on the control plane interface
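The four CoPP steps above map directly onto four objects. The following is an added simulation, not the slides' configuration: an ACL identifies traffic, a class map classifies it, a policy map attaches a single-rate token-bucket policer (the `police` action, with conform transmitted and exceed dropped) to each class, and a control-plane object runs every punted packet through that policy, as `service-policy input` under `control-plane` does on IOS. Class names, rates, burst sizes and addresses are assumed for the demo.

```python
"""Constructed CoPP simulation: ACL -> class-map -> policy-map (police) -> control-plane."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int]
    size: int        # bytes
    t: float         # arrival time in seconds


@dataclass
class ACE:                                   # step 1: ACL identifies the traffic
    proto: str
    src: str                                 # CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and (self.dport is None or self.dport == p.dport))


class ClassMap:                              # step 2: class-map 'match access-group'
    def __init__(self, name: str, acl: List[ACE]):
        self.name, self.acl = name, acl

    def matches(self, p: Packet) -> bool:
        return any(a.matches(p) for a in self.acl)


class Policer:
    """Single-rate policer: cir bits/s sustained, bc bytes of burst credit (token bucket)."""
    def __init__(self, cir_bps: int, bc_bytes: int):
        self.rate = cir_bps / 8.0            # bytes per second
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last = 0.0

    def conform(self, p: Packet) -> bool:
        if p.t < self.last:
            raise ValueError("packets must be fed in time order")
        self.tokens = min(self.bc, self.tokens + (p.t - self.last) * self.rate)
        self.last = p.t
        if p.size <= self.tokens:
            self.tokens -= p.size
            return True
        return False


@dataclass
class PolicyMap:                             # step 3: policy-map defines the action per class
    classes: List[tuple]                     # (ClassMap, Policer), evaluated in order
    default: Policer                         # class-default
    stats: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def apply(self, p: Packet) -> str:
        """conform-action transmit, exceed-action drop."""
        for cmap, pol in self.classes:
            if cmap.matches(p):
                return self._police(cmap.name, pol, p)
        return self._police("class-default", self.default, p)

    def _police(self, name: str, pol: Policer, p: Packet) -> str:
        s = self.stats.setdefault(name, {"transmit": 0, "drop": 0})
        action = "transmit" if pol.conform(p) else "drop"
        s[action] += 1
        return action


class ControlPlane:                          # step 4: service-policy input on the control plane
    def __init__(self, policy: PolicyMap):
        self.policy = policy

    def punt(self, p: Packet) -> str:
        """Every packet destined to the route processor passes the policy first."""
        return self.policy.apply(p)


def build_demo_policy() -> PolicyMap:
    """Assumed classes: management from 10/8 at 64 kbps, ICMP at 8 kbps, everything else 32 kbps."""
    mgmt = ClassMap("COPP-MGMT", [ACE("tcp", "10.0.0.0/8", 22), ACE("udp", "10.0.0.0/8", 161)])
    icmp = ClassMap("COPP-ICMP", [ACE("icmp", "0.0.0.0/0")])
    return PolicyMap(classes=[(mgmt, Policer(64_000, 8_000)), (icmp, Policer(8_000, 1_000))],
                     default=Policer(32_000, 4_000))
```

The per-class `stats` counters are the equivalent of `show policy-map control-plane`: a rising drop count in a management class during normal operation means the rate is too low, while a rising drop count in the ICMP class during a flood is the policy doing its job.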
Firewall Solutions
IPS and Firewall Solutions

Next Generation Firewall (NGFW):
• Cisco ASA (Adaptive Security Appliance) family
• Traditional Layer 3 firewall
• VPN termination point
IPS and Firewall Solutions

Next Generation Firewall (NGFW):
• ASA 5500-X models with FirePOWER
• FirePOWER module brings “next-generation” features to the ASA
• IDS/IPS, application control, URL filtering, access control, Cisco AMP, etc.
IPS and Firewall Solutions

Cisco FirePOWER Threat Defense (FTD):
• Unified software solution for ASA and FirePOWER
• Dedicated appliances such as the 1000, 2100, 4100 and 9000 series FirePOWER
• Different models are designed for different use cases
• Includes Snort IPS
IPS and Firewall Solutions

Traditional IPS Issues:
• Require more management than NGIPS
• Create large amounts of data that can be difficult to correlate
• No perspective into the existence of vulnerabilities
IPS and Firewall Solutions

Next Generation IPS (NGIPS):
• Layer 7 visibility
• Automated tuning and recommendations
• More thorough perspective into network traffic
• Better user identity management
IPS and Firewall Solutions

Cisco FirePOWER Management Center (FMC):
• Central management of multiple solutions
• Complete visibility into the network
Deployment Models
Deployment Models and Architecture

Routed Mode Firewall:
• Firewall is seen as a hop in the network
• Default mode with Cisco ASA firewall
• Each interface connects to a different subnet
• Allows for separation and protection of subnets
• Commonly uses Network Address Translation (NAT)
Deployment Models and Architecture

Transparent Mode Firewall:
• Firewall is not seen as a hop in the network
• Sits between LAN and next-hop device (router)
• Inspection and filtering at Layer 2
Deployment Models and Architecture
Routed Mode ASA Firewall

[Figure: routed mode ASA with three interfaces: INSIDE 10.1.1.1 (host 10.1.1.50), DMZ 10.2.1.1 and OUTSIDE 209.165.201.1 toward kwtrain.com. Source Address Translation: 10.1.1.50 is translated to 209.165.201.50.]
Deployment Models and Architecture
Transparent Mode ASA Firewall

[Figure: transparent mode ASA between INSIDE and OUTSIDE; addresses shown are 10.1.1.50, BVI 10.1.1.2 and 10.1.1.1, all in the same local subnet, with kwtrain.com beyond the OUTSIDE side.]

Bridge Group:
• Group of interfaces bridged together
• Bridge Virtual Interface (BVI)
• BVI must share the local subnet
• Multiple groups provide traffic isolation

Deployment Models and Architecture

Security Contexts:
• Partition a physical firewall into multiple virtual instances
• Separate functionality of all firewall and IPS features
• Contexts can use mixed modes
Deployment Models and Architecture

Cisco FirePOWER Threat Defense (FTD):
• Routed and transparent modes
• Firewall and IPS can operate on different interfaces
Deployment Models and Architecture

High Availability (Failover) Deployment:
• Supported in Cisco ASA and FTD devices
Deployment Models and Architecture

Active-Active Failover:
• Both links active
• Supported on ASA

Active-Standby Failover:
• One active link, one standby link
• Supported on both ASA and FTD
Deployment Models and Architecture

Failover Deployment Requirements:
• Identical firewall mode
• Identical software version
• Identical NTP configuration and synchronization
• No DHCP configuration on interfaces
Deployment Models and Architecture
Clustering:
• Multiple standalone devices act as a single, logical unit
• Only supported on specific ASA and FTD models
IPv6 RA Guard

IPv6 Router Advertisement (RA) Guard:
• IPv6 RA messages are sent periodically via multicast
• IPv6 RA Guard blocks unwanted RA messages
• Configured on L2 or L3 switches to restrict incoming Neighbor Discovery Protocol (NDP) messages
IPv6 RA Guard

IPv6 Router Advertisement (RA) Guard:
• RA policy is created globally
• Policy is applied at the interface or VLAN level
• RA messages are unsecured and susceptible to spoofing
IPv6 RA Guard

RA Message Validation:
• Source MAC address
• Source IPv6 address
• Source IPv6 address prefix
• Hop count limit
• Router preference priority list
• Configuration flags
IPv6 RA Guard

RA Guard Host Mode:
• All router advertisement messages disallowed

RA Guard Router Mode:
• All router advertisement messages allowed
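The validation list and the host/router modes above become concrete once you parse an actual RA. The following is an added example, not code from the slides: it builds and parses a minimal ICMPv6 Router Advertisement (RFC 4861 header, source link-layer address option, prefix information option) and applies a constructed policy object whose fields mirror the slides' checks: device role, source MAC list, link-local source address, permitted prefixes, minimum hop limit, maximum router preference and the managed-config flag. Policy values, MACs and prefixes are assumed; the ICMPv6 checksum is left at zero because verifying it needs the IPv6 pseudo-header, which is outside this example.

```python
"""Constructed RA Guard policy check over a parsed ICMPv6 Router Advertisement."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ICMPV6_RA = 134
PREF_RANK = {"low": 0, "medium": 1, "high": 2}
# RFC 4191 Prf bits: 01 high, 00 medium, 11 low; 10 is reserved and treated as medium
PRF_BITS = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "medium"}


@dataclass
class RouterAdvertisement:
    hop_limit: int
    managed: bool                      # M flag
    other: bool                        # O flag
    preference: str
    lifetime: int
    src_lladdr: Optional[bytes]
    prefixes: List[ipaddress.IPv6Network]


def build_ra(hop_limit: int, prf: int, managed: bool, prefixes: List[str],
             src_mac: str, lifetime: int = 1800) -> bytes:
    """Constructed RA: header, source link-layer option, one prefix option per prefix."""
    flags = (0x80 if managed else 0) | ((prf & 3) << 3)
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, lifetime, 0, 0)
    pkt += struct.pack("!BB6s", 1, 1, bytes.fromhex(src_mac.replace(":", "")))
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        pkt += struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0,   # L and A flags set
                           2592000, 604800, 0, net.network_address.packed)
    return pkt


def parse_ra(data: bytes) -> RouterAdvertisement:
    if len(data) < 16 or data[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", data[:16])
    ra = RouterAdvertisement(hop, bool(flags & 0x80), bool(flags & 0x40),
                             PRF_BITS[(flags >> 3) & 3], lifetime, None, [])
    i = 16
    while i + 2 <= len(data):              # ND options: type, length (in 8-byte units)
        otype, olen = data[i], data[i + 1]
        if olen == 0 or i + olen * 8 > len(data):
            raise ValueError("malformed ND option")
        body = data[i:i + olen * 8]
        if otype == 1 and olen == 1:
            ra.src_lladdr = body[2:8]
        elif otype == 3 and olen == 4:
            plen, _, _, _, _, pfx = struct.unpack("!BBIII16s", body[2:32])
            ra.prefixes.append(ipaddress.IPv6Network((pfx, plen), strict=False))
        i += olen * 8
    return ra


@dataclass
class RaGuardPolicy:                       # constructed policy model, mirrors the slides' checks
    device_role: str = "host"              # host: drop all RAs; router: validate them
    allowed_macs: Optional[Set[str]] = None            # None = no MAC match list
    allowed_prefixes: List[str] = field(default_factory=list)  # advertised prefix must fit one
    hop_limit_min: Optional[int] = None
    preference_max: Optional[str] = None
    managed_flag: Optional[bool] = None    # require M flag on (True) / off (False)


def ra_guard(policy: RaGuardPolicy, src_mac: str, src_ip: str, frame: bytes) -> Tuple[bool, str]:
    """Return (forward, reason) for an RA received on a port carrying this policy."""
    if policy.device_role == "host":
        return False, "host role: all RAs dropped"
    ra = parse_ra(frame)
    if not ipaddress.IPv6Address(src_ip).is_link_local:
        return False, "source IPv6 address is not link-local"
    if policy.allowed_macs is not None and src_mac.lower() not in policy.allowed_macs:
        return False, "source MAC not in allowed list"
    if ra.src_lladdr is not None and ra.src_lladdr != bytes.fromhex(src_mac.replace(":", "")):
        return False, "source link-layer option does not match frame source MAC"
    nets = [ipaddress.IPv6Network(p) for p in policy.allowed_prefixes]
    for pfx in ra.prefixes:
        if nets and not any(pfx.subnet_of(n) for n in nets):
            return False, f"advertised prefix {pfx} not permitted"
    if policy.hop_limit_min is not None and ra.hop_limit < policy.hop_limit_min:
        return False, f"hop limit {ra.hop_limit} below minimum"
    if policy.preference_max is not None and PREF_RANK[ra.preference] > PREF_RANK[policy.preference_max]:
        return False, f"router preference {ra.preference} above maximum"
    if policy.managed_flag is not None and ra.managed != policy.managed_flag:
        return False, "managed-config flag does not match policy"
    return True, "RA accepted"
```

The order of checks matters for triage: the cheap link-layer and source-address checks run before the option parsing, and the reason string tells you which validation a dropped RA failed, which is what you would look for in the switch's RA Guard drop counters.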
DHCPv6 Guard
DHCPv6 Guard

DHCPv6 Guard:
• Requires a policy configuration
• Policy can be applied to an interface or VLAN
DHCPv6 Guard

Configuration for Gig 0/1 with a server-role policy:

SW(config)# ipv6 dhcp guard policy POLICY_NAME
SW(config-dhcp-guard)# device-role server
SW(config-dhcp-guard)# exit
SW(config)# interface GigabitEthernet 0/1
SW(config-if)# ipv6 dhcp guard attach-policy POLICY_NAME
DHCPv6 Guard

• Default mode is client mode
• Access lists can be used in conjunction with DHCPv6 Guard
IPv6 Neighbor Discovery Inspection/Snooping
IPv6 Neighbor Discovery Inspection/Snooping

Neighbor Discovery Protocol (NDP):
• IPv6 nodes use NDP for address discovery
• Used by both routers and hosts
• NDP messages are unsecured and susceptible to spoofing
IPv6 Neighbor Discovery Inspection/Snooping

IPv6 ND Inspection/Snooping:
• DHCPv6 snooping binding table is leveraged
• Table is built from DHCPv6 message exchanges
• Information learned is populated into the table
IPv6 Neighbor Discovery Inspection/Snooping

Message Type Verification:
• Router solicitation messages
• Router advertisement messages
• Neighbor solicitation messages
• Neighbor advertisement messages
• Redirect messages
IPv6 Neighbor Discovery Inspection/Snooping

IPv6 ND Inspection/Snooping Protection:
• Cache poisoning attacks
• Denial of Service (DoS) attacks
• Redirect attacks
IPv6 Source Guard
IPv6 Source Guard

IPv6 Source Guard:
• Filters inbound traffic on L2 switch ports
• Snooping table is only examined, not updated
• Used in conjunction with IPv6 snooping
IPv6 Source Guard

IP Address Glean:
• Invoked for traffic that IPv6 Source Guard would otherwise deny
• Queries the DHCP server and IPv6 neighbors
• Attempts to populate the snooping binding table with the missing information
• Traffic arriving from an unknown or untrusted source is blocked
IPv6 Source Guard

IPv6 Prefix Guard:
• Denies traffic without a valid prefix
• Traffic from outside of the local subnet is denied
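The ND inspection/snooping, IPv6 Source Guard, IP address glean and Prefix Guard slides above all revolve around one binding table. The following is an added simulation, not code from the slides, that shows them working together: the table is populated from constructed DHCPv6 REPLY and DAD Neighbor Solicitation messages, ND inspection validates Neighbor Advertisements and Redirects against it (the cache-poisoning and redirect cases the slides name), Source Guard checks data-plane sources against it without ever writing to it, a glean step fills a miss from a constructed lease store, and Prefix Guard rejects sources outside the known on-link prefix. Addresses, MACs, ports and message dictionaries are assumed; real DHCPv6 and ICMPv6 parsing is replaced by the fields already extracted.

```python
"""Constructed IPv6 first-hop security simulation around one binding table."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCPV6_REPLY = 7
ND_NS, ND_NA, ND_REDIRECT = 135, 136, 137


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    origin: str                  # "dhcpv6", "nd" or "glean"


class BindingTable:
    def __init__(self):
        self.entries: Dict[str, Binding] = {}

    def learn(self, ip: str, mac: str, port: str, origin: str) -> Binding:
        key = str(ipaddress.IPv6Address(ip))      # normalise the textual form
        b = Binding(key, mac.lower(), port, origin)
        self.entries[key] = b
        return b

    def lookup(self, ip: str) -> Optional[Binding]:
        return self.entries.get(str(ipaddress.IPv6Address(ip)))


def snoop_dhcpv6(table: BindingTable, msg: dict) -> Optional[Binding]:
    """DHCPv6 snooping: a REPLY carrying an IA_NA address binds it to the client port/MAC."""
    if msg["type"] == DHCPV6_REPLY and msg.get("ia_na"):
        return table.learn(msg["ia_na"], msg["client_mac"], msg["client_port"], "dhcpv6")
    return None


def snoop_nd(table: BindingTable, msg: dict) -> Optional[Binding]:
    """ND snooping: a DAD Neighbor Solicitation (unspecified source) claims a new address."""
    if msg["icmp_type"] == ND_NS and msg["src"] == "::" and table.lookup(msg["target"]) is None:
        return table.learn(msg["target"], msg["mac"], msg["port"], "nd")
    return None


def nd_inspect(table: BindingTable, router_ports: set, msg: dict) -> Tuple[bool, str]:
    """Validate NA and Redirect messages against the binding table."""
    if msg["icmp_type"] == ND_NA:
        b = table.lookup(msg["target"])
        if b and (b.mac != msg["mac"].lower() or b.port != msg["port"]):
            return False, f"NA for {b.ip} from wrong MAC/port (cache poisoning attempt)"
        return True, "NA consistent with binding table"
    if msg["icmp_type"] == ND_REDIRECT:
        if msg["port"] not in router_ports:
            return False, "Redirect from a non-router port"
        return True, "Redirect from router port"
    return True, "message type not inspected here"


def source_guard(table: BindingTable, port: str, mac: str, src_ip: str) -> Tuple[bool, str]:
    """Data-plane check on an L2 port: the table is examined, never updated."""
    b = table.lookup(src_ip)
    if b is None:
        return False, "no binding for source address"
    if b.mac != mac.lower() or b.port != port:
        return False, f"source {src_ip} is bound to {b.mac} on {b.port}"
    return True, "source matches binding"


def address_glean(table: BindingTable, lease_db: Dict[str, str],
                  port: str, mac: str, src_ip: str) -> bool:
    """On a source-guard miss, consult the DHCPv6 server's leases (constructed lease_db) and
    add the binding only if the server confirms this MAC holds the address."""
    owner = lease_db.get(str(ipaddress.IPv6Address(src_ip)))
    if owner is not None and owner.lower() == mac.lower():
        table.learn(src_ip, mac, port, "glean")
        return True
    return False


def prefix_guard(valid_prefixes: List[str], src_ip: str) -> bool:
    """Permit only sources inside a known on-link prefix."""
    ip = ipaddress.IPv6Address(src_ip)
    return any(ip in ipaddress.IPv6Network(p) for p in valid_prefixes)
```

The separation is the point: snooping functions are the only writers, inspection and source guard are readers, and glean is a deliberate, server-confirmed exception to that rule, so a host cannot talk its way into the table simply by sending traffic.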