Back to Home

Getting Ready for CCNA Security (IINS 554)

ccna security · networking · cisco certification

Getting Ready for CCNA Security (IINS 554)

    Hello! I hope this post will be useful for those who want to take iOS certification of security.
    It has already happened that for the previous CCNA exam or as it is now called CCNA Routing & Switching, the software from the Cisco Networking Academy (Diccovery and Exploration) Cisco Packet Tracer is enough, but it will not be suitable for industry certifications. In this case, unless, of course, you have a physical stand at hand, GNS3 is suitable. Take a look at the topics of the CCNA Security exam . We understand that matters will not be addressed exclusively on IOS: CCP, ASA, IPS. What do you need? Correctly configured stand!
    So, in one basket we put:
    • PC host - CCP, ASDM, Kali - virual_box images
    • IOS Switch - not implemented in GNS, so we use the cisco 3745 image with the NM-16ESW module. In this case, it will function as Switch L3 (Catalyst 3560)
    • Router with Zone-based Firewall functionality - IOS image c3725-adventerprisek9-mz124-15.bin
    • Cisco ASA - asa842 (kernel and initrd)
    • Cisco IPS

    Here's something like this ...
    Virtual machines on virtual_box are already embedded in GNS (Preferences-VirtualBox-VirtualBox Guest). It remains to collect the required number. Yes, clarification, one virtual “real” machine, one host in GNS.
    Next, go to IOS images & hypervisors and add the iOS images we need and calculate the Idle PC so that your iron friend does not bend when you turn on network emulation.
    Finally, add ASA: Preferences-Qemu-ASA 8.4.2 - Qemu options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16.32 - Kernel cmd line: -append ide_generic.probe_mask = 0x01 ide_core. chs = 0.0: 980,16,32 auto nousb console = ttyS0,9600 bigphysarea = 65536.
    Unzip all iOS images using 7-zip. Iiiii ...
    image
    Well, you already guessed that XP is a local area network, 7-DMZ, backtrack-external network.
    Where do we propose to start radiation protection implementation based on iOS?
    Surprisingly, with the concepts used in the course:
    • C3PL - Cisco classification common policy language
    • Class maps - identify traffic (ftp, http)
    • Policy maps - action to take (drop, prioritize)
    • Service policies - where PM to do

    When we’ve figured out the concepts, consider the classic defense methods.
    The Enable command has the highest privilege level (default privilege level = 15) 15 - max, 1 - min = disable. Never use the enable password command. For other custom privilege levels, you must use
    enable secret level 4 0 pass4level
    privilege exec level 4 ping
    

    To hide plain-text passwords, use service password-encryption. The who or show users command - see who connected to the device.
    You can use local database to store users and passwords in IOS:
    username admin priv 15 sec 0 pass123
    username user1 priv 4 sec 0 pass1user
    line console 0
    login local
    line vty 0 4
    login local
    

    For enterprise, you can use AAA-server. AAA - Authen: who ?, Author: what can or cannot? Account: activity tracking.
    conf t
    enable secret level 15 0 cisco123
    username admin priv 15 sec 0 pass123
    username user1 priv 4 sec 0 pass1user
    aaa new-model
    aaa authen login default local
    aaa author exec default local – не применяется к консольному порту по умолчанию
    aaa author console – готово и для консоли
    

    And a couple of useful parameters that you need to consider
    security passwords min-length 8
    aaa local authen attempts max-fail 3 
    sh aaa local user lockout 
    clear aaa local user lockout all
    login block-for 300 attempts 10 within 60
    

    If you want to connect to the device in protected mode, you need to configure ssh:
    ip domain-name ca.com
    crypto key generate rsa modus 1024
    ip http secure-server
    line vty 0 4 
    transport input ssh 
    

    Now according to the plan AAA TACACS + RADIUS. The characteristics of these protocols can be easily found. It is better to remember them, it is quite possible they will be on the exam. Best practice is to use tacacs + for administrators, and radius for external users, via vpn.
    Because tacacs + proprietary cisco protocol, configure it:
    enable secret cisco123
    username admin priv 15 sec pass123
    username user1 priv 1 sec pass1user
    aaa new-model
    tacacs-server host 192.168.0.254
    tacacs-server key cisco1111
    aaa authen login default group tacacs+ local
    aaa authen login Free none
    line console 0
    login authen Free
    aaa author commands 1 TAC1 group tacacs+ local
    aaa author commands 15 TAC15 group tacacs+ local 
    aaa author config-commands
    aaa account commands 1 TAC1-acc start-stop group tacacs+
    

    Fuuuh, done with passwords. Now consider the security of the data link layer.
    Everyone has heard about CAM or mac-table. This topic addresses violations such as DHCP Snooping, CAM overflow, VLAN hoping.
    How to protect yourself from imposing false DHCP? Like this:
    conf t
    ip dhcp shooping vlan3
    ip dhcp snooping
    int fa 0/1
    ip dhcp shooping trust
    exit
    sh ip dhcp snooping binding
    

    Now let's see the overflow option - CAM Overflow. For a note (shut / no shut resets the table via the interface)
    conf t
    int fa 0/1
    switchport mode access
    swport port-sec max 5
    swport port-sec violation shutdown
    swport portsec !!!не забываем включить!!!
    errdisable recovery cause psecure-violation
    errdisable recovery interval 30
    sh int status err-diasbled
    sh port-sec
    

    There is still such a thing as VLAN Hoping (Jumping). The main recommendations for VLAN are as follows: never use vlan1 in production (assign all ports some kind of “rare” vlan999), disable all unused ports, use access mode for access, and disable dynamic negotiation no negotiation trunk (dtp).
    sh int fa 0/1 switchport (negot is auto)
    sh int trunk
    int fa 0/1
    swport mode access
    swport access vlan3
    swport nonegotiate
    

    And also for the sweet BPDU Guard (anti span) - BridgePDU Guard (STP)
    spanning-tree portfast default
    spanning-tree portfast bpduguard default
    int fa 0/1
    spanning-tree portfast
    spanning-tree portfast bpduguard enable
    errdisable recovery cause bpduguard
    

    By the way, for monitoring CAM you can use DAI - dynamic arp inspection.
    That's basically all that is required by IOS. The rest is the use of CCP for the router, ASA and ZBF.
    If there is a desire, I can write a note about using the CCP interface, as there are a lot of questions on it and most importantly the laboratory on the exam.
    As you know, this article is not for gurus, but for those who just decided to study Cisco equipment.
    PS
    Background:
    image
    image

    Read Next