Getting Ready for CCNA Security (IINS 554)
It has already happened that for the previous CCNA exam or as it is now called CCNA Routing & Switching, the software from the Cisco Networking Academy (Diccovery and Exploration) Cisco Packet Tracer is enough, but it will not be suitable for industry certifications. In this case, unless, of course, you have a physical stand at hand, GNS3 is suitable. Take a look at the topics of the CCNA Security exam . We understand that matters will not be addressed exclusively on IOS: CCP, ASA, IPS. What do you need? Correctly configured stand!
So, in one basket we put:
- PC host - CCP, ASDM, Kali - virual_box images
- IOS Switch - not implemented in GNS, so we use the cisco 3745 image with the NM-16ESW module. In this case, it will function as Switch L3 (Catalyst 3560)
- Router with Zone-based Firewall functionality - IOS image c3725-adventerprisek9-mz124-15.bin
- Cisco ASA - asa842 (kernel and initrd)
- Cisco IPS
Here's something like this ...
Virtual machines on virtual_box are already embedded in GNS (Preferences-VirtualBox-VirtualBox Guest). It remains to collect the required number. Yes, clarification, one virtual “real” machine, one host in GNS.
Next, go to IOS images & hypervisors and add the iOS images we need and calculate the Idle PC so that your iron friend does not bend when you turn on network emulation.
Finally, add ASA: Preferences-Qemu-ASA 8.4.2 - Qemu options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16.32 - Kernel cmd line: -append ide_generic.probe_mask = 0x01 ide_core. chs = 0.0: 980,16,32 auto nousb console = ttyS0,9600 bigphysarea = 65536.
Unzip all iOS images using 7-zip. Iiiii ...

Well, you already guessed that XP is a local area network, 7-DMZ, backtrack-external network.
Where do we propose to start radiation protection implementation based on iOS?
Surprisingly, with the concepts used in the course:
- C3PL - Cisco classification common policy language
- Class maps - identify traffic (ftp, http)
- Policy maps - action to take (drop, prioritize)
- Service policies - where PM to do
When we’ve figured out the concepts, consider the classic defense methods.
The Enable command has the highest privilege level (default privilege level = 15) 15 - max, 1 - min = disable. Never use the enable password command. For other custom privilege levels, you must use
enable secret level 4 0 pass4level
privilege exec level 4 ping
To hide plain-text passwords, use service password-encryption. The who or show users command - see who connected to the device.
You can use local database to store users and passwords in IOS:
username admin priv 15 sec 0 pass123
username user1 priv 4 sec 0 pass1user
line console 0
login local
line vty 0 4
login local
For enterprise, you can use AAA-server. AAA - Authen: who ?, Author: what can or cannot? Account: activity tracking.
conf t
enable secret level 15 0 cisco123
username admin priv 15 sec 0 pass123
username user1 priv 4 sec 0 pass1user
aaa new-model
aaa authen login default local
aaa author exec default local – не применяется к консольному порту по умолчанию
aaa author console – готово и для консоли
And a couple of useful parameters that you need to consider
security passwords min-length 8
aaa local authen attempts max-fail 3
sh aaa local user lockout
clear aaa local user lockout all
login block-for 300 attempts 10 within 60
If you want to connect to the device in protected mode, you need to configure ssh:
ip domain-name ca.com
crypto key generate rsa modus 1024
ip http secure-server
line vty 0 4
transport input ssh
Now according to the plan AAA TACACS + RADIUS. The characteristics of these protocols can be easily found. It is better to remember them, it is quite possible they will be on the exam. Best practice is to use tacacs + for administrators, and radius for external users, via vpn.
Because tacacs + proprietary cisco protocol, configure it:
enable secret cisco123
username admin priv 15 sec pass123
username user1 priv 1 sec pass1user
aaa new-model
tacacs-server host 192.168.0.254
tacacs-server key cisco1111
aaa authen login default group tacacs+ local
aaa authen login Free none
line console 0
login authen Free
aaa author commands 1 TAC1 group tacacs+ local
aaa author commands 15 TAC15 group tacacs+ local
aaa author config-commands
aaa account commands 1 TAC1-acc start-stop group tacacs+
Fuuuh, done with passwords. Now consider the security of the data link layer.
Everyone has heard about CAM or mac-table. This topic addresses violations such as DHCP Snooping, CAM overflow, VLAN hoping.
How to protect yourself from imposing false DHCP? Like this:
conf t
ip dhcp shooping vlan3
ip dhcp snooping
int fa 0/1
ip dhcp shooping trust
exit
sh ip dhcp snooping binding
Now let's see the overflow option - CAM Overflow. For a note (shut / no shut resets the table via the interface)
conf t
int fa 0/1
switchport mode access
swport port-sec max 5
swport port-sec violation shutdown
swport portsec !!!не забываем включить!!!
errdisable recovery cause psecure-violation
errdisable recovery interval 30
sh int status err-diasbled
sh port-sec
There is still such a thing as VLAN Hoping (Jumping). The main recommendations for VLAN are as follows: never use vlan1 in production (assign all ports some kind of “rare” vlan999), disable all unused ports, use access mode for access, and disable dynamic negotiation no negotiation trunk (dtp).
sh int fa 0/1 switchport (negot is auto)
sh int trunk
int fa 0/1
swport mode access
swport access vlan3
swport nonegotiate
And also for the sweet BPDU Guard (anti span) - BridgePDU Guard (STP)
spanning-tree portfast default
spanning-tree portfast bpduguard default
int fa 0/1
spanning-tree portfast
spanning-tree portfast bpduguard enable
errdisable recovery cause bpduguard
By the way, for monitoring CAM you can use DAI - dynamic arp inspection.
That's basically all that is required by IOS. The rest is the use of CCP for the router, ASA and ZBF.
If there is a desire, I can write a note about using the CCP interface, as there are a lot of questions on it and most importantly the laboratory on the exam.
As you know, this article is not for gurus, but for those who just decided to study Cisco equipment.
PS
Background:

