CCIE Security Advanced Technologies Class v3.5 - IOS Lock & Key Security with Dynamic ACLs

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	next section we are going to look at the dynamic access list or lock and key access list on the ios
0:00:21	that is used to open a temporary hole in an access list based on authentication into the router
0:00:29	now some of the potential applications of these
0:00:31	for traffic moving from the inside network to the outside network
0:00:36	is that the user would first have to authenticate before they send traffic out to the public network
0:00:41	so for example if we want to allow them to use only port 80 for web browsing
0:00:46	but they first have to authencticate with the username and password
0:00:49	before they actually allow to inbound
0:00:52	then on the flip side is we are going from outside to inside
0:00:55	we could say that may be there is some internal webserver
0:00:58	that we want people on the public network to reach
0:01:01	but they first have to authenticate
0:01:03	as they are coming in from the outside
0:01:06	now in general this feature has been replaced by a more scalable and manageable version of it
0:01:12	that is known as authentication proxy
0:01:15	which allows us to do per user downloadable acces list from a aaa server
0:01:22	so when we get into our identity management we will take a look at authentication proxy
0:01:27	where dynamic access list is
0:01:28	just a local version that we could do of this on the router
0:01:32	and we will see it is not as scalable because we cannot do it for separate users
0:01:38	what the difference here with the dynamic acl is that when anyone aurthenticates
0:01:42	the hole on the access list is going to open
0:01:44	for authentication proxy we can assign different users on a different access list on the per user basis
0:01:52	now the configuration of this is going to be made up of two main portions
0:01:56	first is going to be the actual access list entry
0:01:59	where we define in this as a dynamic entry
0:02:03	in this example we are saying for access list 100
0:02:06	it has a dynamic entry that we are naming test
0:02:09	it has access to permit any traffic permit ip any any
0:02:14	second portion of the feature is to actually activate
0:02:17	that dynamic entry
0:02:19	which is done by issuing the access-enable command from the exact process
0:02:26	now what this implies is that if the user wants to open the access list
0:02:30	they actually have to telnet or to ssh into the router
0:02:33	and then actually issue the access-enable command
0:02:37	but for end users this is probably not what we want them to do
0:02:41	so what we could do
0:02:43	is take this access-enable command
0:02:45	and define it on either a per user basis or a
0:02:48	per line basis
0:02:50	as an auto command
0:02:53	where on the username we could say when they login they are automatically going to run the command that is access-enable
0:03:00	or under the vty lines when someone auhenticates with telnet or with ssh
0:03:05	the command access-enable is automatically going to run
0:03:10	there is also an option on the end here that is the host keyword
0:03:15	where the host keyword says that only the particular address that is authenticating
0:03:20	is then going to be placed in the access list entry in the active
0:03:24	access list entry
0:03:29	now documentation wise under the
0:03:32	the ios configuration guides
0:03:35	this is going to be under securing the data plane
0:03:39	then configuring lock and key security for dynamic access lists
0:03:44	so if we look at the particular example
0:03:51	they are saying we have an access list 101 that applied in on an ethernet interface
0:03:57	first entry says i am going to allow any telnet access
0:04:02	that is going to
0:04:04	172.18.21.2 this must be an address thats on the router itself
0:04:10	then if its not telnet traffic
0:04:13	its going to be permitted
0:04:16	so permit anything but only if the dynamic entry is actually open
0:04:21	and this is the keypoint because the third entry that we don't actually see here
0:04:25	is our implicit deny
0:04:27	where been if its not telnet
0:04:29	if the dynamic entry is not open
0:04:31	then the traffic is going to be dropped
0:04:35	then under the vty line they are saying anyone who logs in
0:04:38	with a local username and password
0:04:41	we are then going to run command access-enable
0:04:45	where access-enable is actually going to open up
0:04:47	that particular entry
0:04:53	so in our particular design lets say that we want to apply this in
0:04:57	on router 1
0:04:59	as it is watching traffic coming from this test pc
0:05:03	that is trying to do web browsing
0:05:05	to the acl server
0:05:10	so first make sure that the traffic flow is going to work
0:05:13	on asa 2 i am going to allow tcp traffic
0:05:16	that is equal to port 80
0:05:18	to go to the acl server
0:05:21	and we should see that from the test pc we should be allowed to
0:05:24	to send the traffic from the inside to the outside and then return
0:05:28	because the tcp traffic is going to be inspected by default
0:05:32	so once we actually can get the web browser working
0:05:35	that will look at applying the dynamic access list
0:05:37	on router 1
0:05:42	so first i am going to go to asa 2
0:05:45	and if we look at the show run access list and the show run access group
0:05:52	i have this access list that is outside in
0:05:57	i am going to permit tcp
0:06:00	any any for any
0:06:01	host i should say any host going to 10.0.0.100 that is equal to
0:06:05	port 80
0:06:20	and additionally for testing here
0:06:23	just to make sure there is nothing wrong in the rest of our control
0:06:25	plane i am also going to permit
0:06:29	lets permit icmp
0:06:34	lets just say permit icp any any
0:06:44	now this holds true this is the test pc that again is inside
0:06:48	this segment is on vlan 118
0:06:53	so ideally we should be able to ping
0:06:57	10.0.0.100 thats the acl server
0:07:07	and lets see if we can web browse to it
0:07:12	now if we can head it through the web interface but i cannot head it through the icmp
0:07:20	which is this probably mean then
0:07:32	so from the test pc i was able to do web browsing
0:07:35	to them
0:07:37	but i wan't able to ping them
0:07:42	so this probably two potential cases here
0:07:46	it means either asa 1
0:07:48	is not inspecting the icmp as it is going out
0:07:52	or asa 2 is not allowing it to go outside to dmz
0:07:58	so lets go back to the
0:08:01	to the machine here
0:08:03	and i am going to do this ping and i am going to say -t
0:08:06	which is the continually
0:08:08	send the pings
0:08:11	so its basically internetwork p count
0:08:13	then i am going to do the login on the asas
0:08:16	from asa 1 i would need to look at this from that particular context
0:08:21	which if we show run context this is the
0:08:24	the switch to vlan 18 context
0:08:28	by change to context
0:08:30	switch to vlan 18
0:08:32	i'll say logging console 7 and logging
0:08:36	logging is on
0:08:42	says that it has denied
0:08:44	icmp traffic on the outside interface that came from
0:08:50	the 10.0.0.100 address
0:08:54	going to 192.168.118.100 which is the inside host
0:09:00	so this means that the traffic is actually getting there its going from the test pc all the way out
0:09:04	but then when its returning its getting dropped
0:09:10	so again you do need to think about whats going on the overall network topology
0:09:15	because we may be working on tasks
0:09:17	that this is related to a dynamic access list on router 1
0:09:21	but i need to take into account whats going on on the other filtering devices in the network
0:09:26	and what then the scope of the ccie lab exam
0:09:29	they won't necessarily say
0:09:31	configure the dynamic access list to do this
0:09:34	then make sure you go to asa1 and account for the icmp going out in it
0:09:38	or do you go to asa 2 and allow
0:09:41	tcp port 80 to go to the acl server
0:09:44	so we will see a lot of these type of requiremnets are getting implicit
0:09:48	then you just know whats required to get it working
0:09:51	and then you do those individual steps
0:09:55	so next on asa 1 i need to inspect this traffic
0:10:01	if we show run policy map
0:10:05	i will say for the default inspection policy i am going to
0:10:09	inspect
0:10:11	icmp
0:10:15	so lets see now so now from the windows machine can we now
0:10:19	in that address which we can
0:10:22	so this is now telling me atleast i have basic connectivity
0:10:25	if there is some sort of problem later
0:10:28	i know that its not related to routing
0:10:31	because this is working now so it would probably be related to some sort of security filtering
0:10:37	so now what i want to do with this dynamic access list
0:10:40	is i want to deny
0:10:42	this web browsing traffic
0:10:45	this is going to be denied until they telnet into router 1
0:10:49	logging with a username and password
0:10:52	and then the web browsing traffic should be allowed
0:10:56	then again later when we get to identity management we will take a look at doing this with
0:11:00	the authentication proxy
0:11:02	which is the more scalabale version of this config
0:11:07	next its going to router 1
0:11:10	and i am getting to find
0:11:12	my accesses we will say
0:11:15	ip access list
0:11:18	vlan 111 in
0:11:21	and this will be extended
0:11:25	now there is a couple of ways that i can do this logic
0:11:28	the ultimate goal is that i want the web browsing traffic to be dropped
0:11:33	unless they are first authenticated
0:11:37	so i can either
0:11:38	dynamically
0:11:39	permit the traffic
0:11:42	explicitly deny it
0:11:45	and then allow everything else
0:11:48	or i could dynamically permit the traffic and use the implicit deny to drop all the other traffic
0:11:54	so really depends exactly what i want to filter
0:11:56	so i do i want this filter
0:11:59	to effect anyone else's traffic on the segment
0:12:02	if i don't want it to affect switch 1 or switch 2
0:12:05	then probably i want to be more specific
0:12:08	so i am going to have this effect just
0:12:10	this particular
0:12:11	host just this paticular segment
0:12:15	for web browsing to the acs
0:12:21	so i am going to dynamically
0:12:24	give it a name we will say dynamic 1
0:12:28	i am going to permit tcp thats coming from the segment
0:12:32	192.168.118.0
0:12:38	that is going to the host
0:12:40	10.0.0.100
0:12:42	that is equal to 80
0:12:47	so this entry here if we do show run
0:12:52	show run section access list
0:12:55	essentially this same exact entry
0:12:57	i am going to now deny this
0:13:01	so if the dynamic entry is not open
0:13:03	then the traffic would be dropped so deny this flow
0:13:10	then i am going to permit
0:13:11	ip any any so permit anything else
0:13:17	next i need to figure out
0:13:19	how is the user actually going to run the auto command
0:13:22	are they going to telnet into the router
0:13:24	and then actually manually enter the command
0:13:27	or do i want to do this automatically
0:13:30	again i go do it either automatically on a per user basis
0:13:33	or under the vty line
0:13:37	so lets say we do this on a per user basis we will say username
0:13:41	web password cisco
0:13:45	when the username web logs in i want them to automatically run the command
0:13:50	access-enable
0:13:54	now know here with the auto command
0:13:57	there is not going to be any context since it will help
0:14:00	after you issue the auto command keyword
0:14:03	so after this you need to know exactly what the syntax is it has to be exactly access-enable
0:14:08	now if i say access-enable without the e this would be fine because that still
0:14:16	is not ambiguous
0:14:18	but generally you would want to put the fall syntax there
0:14:21	so here its not going to give you context since it will help
0:14:27	then under the vty lines i want to make sure to check the logo there is logging logo
0:14:37	then under this particular interface which is
0:14:40	fa 0/0 i am going to apply that acl in
0:14:48	we will say ip access screw
0:14:51	the name is vlan 111 in
0:14:54	apply inbound
0:15:01	so lets look at the show
0:15:04	access list and we could see the counters
0:15:08	so eventually we should see the
0:15:10	the third entry for permit ip any any
0:15:14	the counters are going to go up there for any other types of traffic
0:15:17	so for example if i were to go to switch 2
0:15:19	and switch 2
0:15:21	likewise is going to ping the acs server
0:15:24	so this is not being filtered out
0:15:26	from router 1 this should fall back to its last entry
0:15:30	we could see that is being matched
0:15:34	now likewise from switch 1 if i were to telnet
0:15:37	to the acs server
0:15:40	at port 80
0:15:42	this is not being filtered
0:15:44	its only that one particular subnet
0:15:47	is being filtered 192.168.118.0
0:15:52	so if i were to try the same thing from
0:15:56	switch 2
0:16:02	this is what is being denied
0:16:05	because i am now sourcing traffic from that
0:16:09	subnet 192.168.118.0
0:16:13	we can also see router 1 here is replying back with the icmp unreachable message
0:16:19	that says administratively prohibited
0:16:22	and the reason why i see this if we look at the show debug
0:16:28	that debug ip icmp is on
0:16:32	so this is what we want to see upto this point that this traffic is being denied
0:16:37	because the user is not authenticated
0:16:39	i would say the same thing if i want to
0:16:43	the web browser here
0:16:44	the pings should be allowed
0:16:49	with then i browse to
0:16:51	the web server we should see this should time out
0:16:57	so next lets try the authentication we are going to telnet now into router 1
0:17:00	we will telnet to
0:17:02	200.0.0.1
0:17:04	this one router 1's addresses
0:17:05	if i now login as web with the password cisco
0:17:10	which should happen is that is should close the connection
0:17:13	because i am done with the
0:17:15	the exact session i am not going to be able to issue any other commands
0:17:18	but if i go back to router 1 now and look at the show access list
0:17:22	se should now see
0:17:24	that this entry is now open
0:17:30	so if we now open the web browser again
0:17:34	now since they have authenticated now the hole is open in the acl
0:17:40	another potential issue in this design if we look at the result on router 1
0:17:44	it now says that any source
0:17:46	on the network 192.168.118.0
0:17:51	is allowed to send that traffic in
0:17:54	which means that other host on the subnet like switch 2
0:17:58	even though they did not authenticate
0:18:00	now their packets are allowed
0:18:04	the reason why this is the case
0:18:07	is that i did not say under the access-enable command
0:18:11	access-enable host
0:18:16	and you should see here it in this documentation somewhere for the feature
0:18:23	if we search for access-enable
0:18:36	this option here host
0:18:38	says if the optional host keyword is not specified all host on the entire network are allowed to set up a temporary entry
0:18:46	really what the chip says what happens if the host is there
0:18:49	what this keyword means
0:18:52	is that if we say host
0:18:54	whoever is the person that actually did this authentication
0:18:58	they are the only address that is entered into the acl
0:19:02	so you would generally want to do that to make the security a little bit more exact
0:19:08	where what i would need to say is
0:19:11	on router 1 if i look at the
0:19:13	the show run section access list
0:19:18	i am going to change not the access list the access list is fine but the
0:19:21	actually its the username for show run include username
0:19:28	i want to say
0:19:31	for username
0:19:34	web are command access enabled
0:19:37	and again its not going to give you context since it will help there i want to say host at the end
0:19:50	you will also see that there is an option for a timeout
0:19:53	where the timeout could be configured on the end of the access list
0:19:57	or could be configured on the end of the auto command
0:20:00	so if i say acsess-enable host timeout and then give it a value
0:20:04	one of them is an idle timer and one of them is an absolute timer
0:20:08	normally you would want to configure one of them otherwise this dynamic entry is going to be there permanently
0:20:15	now to remove this this syntax is going to order i need to say clear
0:20:21	access template
0:20:25	the access list name vlan 111 in
0:20:30	and the dynamic access list name is dynamic 1
0:20:35	and the source
0:20:39	is this address
0:20:45	wildcard actually pretty much this whole entry
0:20:53	now its going to remove that entry
0:20:55	so its clear access template
0:20:58	the other option would be that i could just delete the access list from the interface and then reapply it
0:21:04	that would delete the entry
0:21:09	hey so now lets see what happens when the user authenticates lets say show access list
0:21:18	and lets also clear access list
0:21:21	clear access list counters
0:21:24	so we see right now none of the entries are getting hits
0:21:28	if we go back to the windows machine
0:21:31	we try to hit the webpage
0:21:34	we should see that router 1
0:21:39	is matching this against the deny statement so these packets are getting denied
0:21:46	next if we telnet in
0:21:49	login with the username and password combo
0:21:53	but see it doesn't say authentication failed thats just dropping the connection
0:21:58	now the acl entry should be open
0:22:01	but notice that it specific to the host to do the authentication
0:22:05	where here 192.168.118.100
0:22:12	this is the ip address of that windows machine
0:22:19	so now it should be able to
0:22:22	to open this page which you can
0:22:32	but if i were to go to anyone else on that segment like switch 2
0:22:39	we see that they are no longer able to open the session
0:22:46	so it is kind of a need feature it does have its
0:22:49	its used in a very small scale application
0:22:52	but again the problem is that you cannot separate
0:22:55	the dynamic access list entries on a per user basis
0:23:00	so essentially anyone who logs in is going to open up this entry
0:23:04	the more scalabale version of this is going to be with the authentication proxy
0:23:08	but that requires that we have a aaa server to actually download the access list from
0:23:14	but for a very small scale just a local
0:23:17	implementation
0:23:20	thats what the lock and key or the dynamic access list here is used for

Now Viewing

CCIE Security Advanced Technologies Class v3.5
Title:	CCIE Security Advanced Technologies Class v3.5
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

IOS Lock & Key Security with Dynamic ACLs

Create Bookmark