CCIE Security Advanced Technologies Class

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section here we are going to look at the time based access list
0:00:17	that are use to activate an individual asl entry
0:00:21	based on local clock of the device
0:00:24	and this is going to be supported on the ios and the asa firewalls
0:00:30	so our first step for this type of configuration to be to
0:00:32	to define a time range
0:00:36	which is then going to control exactally what time of the day or
0:00:40	we can either define it is an absolute time
0:00:43	so for example from 9am to
0:00:46	10 am from this specific date
0:00:48	in the future or we could
0:00:50	define it as a periodic matching
0:00:53	so i would say every monday thru
0:00:55	friday from 9am to 5pm i want this time range to be active
0:01:00	then we're going to call this either
0:01:03	from an access list that is applied as a traffic filter
0:01:06	where we can use this to
0:01:08	do may be a time based quality of service
0:01:11	or as such any other application we can call an access list from
0:01:17	so a traffic filter either applied to on the interface
0:01:21	may be we will referencing this with the
0:01:23	zone based policy firewall
0:01:27	now what are the caviates of this configuration
0:01:30	is that first we want to make sure that the routers clock is correct
0:01:34	to begin
0:01:36	so when we look at the show clock
0:01:40	generally we would want to have your routers running network time protocol or ntp
0:01:45	to make sure that the time value is actually accurate
0:01:50	now in our particular topology
0:01:53	the acs server is running
0:01:56	public ntp server
0:01:58	so we can configure any of the devices to syncronize with it
0:02:03	but we need this to allow this traffic from the outside interface to the dmz
0:02:09	so this particular traffic flow of the ntp is going to be what application
0:02:13	we we're looking at the layer 3 or layer 4 classification
0:02:19	well one way we could figure this out
0:02:22	so lets assume we don't know what protocol it is
0:02:24	if i were to say access list
0:02:26	100
0:02:28	permit tcp any any
0:02:30	equal to an
0:02:32	and then ?
0:02:35	it says that it has ntp there
0:02:38	it will say udp
0:02:40	any any equal to ?
0:02:45	this is what regular ntp is
0:02:47	so its if udp port 123
0:02:50	is ntp
0:02:53	so i would then need to say on asa 2
0:02:56	on its outside interface if we show run access list
0:03:00	i would need access list outside in
0:03:03	permit udp
0:03:06	any any equal to 123
0:03:10	were if we show
0:03:11	show run access list
0:03:13	we can see thats ntp
0:03:16	and access group
0:03:19	outside in in
0:03:22	in interface
0:03:25	outside
0:03:28	so now for any of the routers we should just be able to simply say that the ntp server
0:03:32	is the acs box so 10.0.0.100 is its address
0:03:38	once we configure this we want to look at the show ntp status
0:03:43	and we should in a few minutes that this is going to change this to syncronised
0:03:49	so if it is unsyncronized
0:03:51	it could make your servers configure but may be it filtered
0:03:55	where there is something wrong with the difference between the two times
0:04:01	where generally you can see that the ntp takes a long time to syncronize
0:04:05	if you are very far off from the correct time
0:04:11	so if the current time is
0:04:14	lets say 2011
0:04:16	and my local clock is set to the
0:04:18	default 1993
0:04:20	then generally its going to take a long time as i squew to the correct time
0:04:52	so assuming that our time is actually correct
0:04:55	next thing we would do would be to define what is the time range
0:05:00	so we will say time range
0:05:02	lets say our normal
0:05:03	work hours
0:05:05	so our work hours would be
0:05:08	periodically
0:05:10	we will say on weekdays
0:05:13	from
0:05:14	0900
0:05:18	0900
0:05:20	to
0:05:22	and this is a 24 hour
0:05:23	format so if i want to say 9 to 5 monday till friday
0:05:27	this would be 0900
0:05:28	through 1700
0:05:34	if we show time range
0:05:38	want we want to look here
0:05:40	for is whether it is active or inactive
0:05:45	so it is now telling us based on what ever is the local
0:05:47	clock and the local time zone of the router
0:05:51	its somewhere in between
0:05:52	0900 and 1700
0:05:56	if we now look at the
0:05:58	show
0:06:00	show ntp status
0:06:03	and show clock
0:06:05	and eventually with the ntp should change this to syncronize and take a couple of minutes down
0:06:10	but we see right now that the time is 1607
0:06:15	on friday thats within our time range
0:06:19	if i would have a another time range lets say time range
0:06:22	after hours
0:06:26	where after hours is periodically on weekdays
0:06:33	and after hours is going to be from
0:06:35	to
0:06:37	lets say 1 min before 9 am lets say
0:06:39	0859
0:06:43	and then its also going to be from
0:06:46	1701 to
0:06:47	2359
0:06:50	so to 11:59pm
0:06:53	so two time ranges they would essentially be the opposite of each other
0:06:58	where when
0:07:00	work hours is active
0:07:03	after hours would be inactive
0:07:06	then if i would have to change the clock
0:07:09	and then after hours i would say like periodcally
0:07:12	week day weekends as well
0:07:16	so lets say time range afterhours is periodically
0:07:20	week ends from zero
0:07:23	100 to
0:07:25	2359
0:07:32	then if we're to change the clock lets say clock set
0:07:36	to
0:07:37	lets say we set it to new on saturday so 12 00
0:07:41	00
0:07:43	on 30
0:07:45	july 2011
0:07:50	and we show clock
0:07:52	now lets say its saturday at noon
0:07:54	if we show time range
0:07:57	now after hours is active and now work hours is inactive
0:08:03	so then whats we define the time range we could call this from this an access list
0:08:08	so lets say for example that
0:08:11	i want to allow
0:08:13	my users on this segment
0:08:15	so traffic is coming in here
0:08:17	and during the work hours
0:08:21	i only want tcp port 80
0:08:23	so they can only do web browsing during work hours
0:08:27	then after hrs what ever they want they can whatever
0:08:30	applications they have
0:08:33	so i could say ip access list
0:08:36	my time filter
0:08:37	so be extended
0:08:41	that says permit tcp any any
0:08:44	input to ad
0:08:46	that is during the time range
0:08:53	work hrs
0:08:59	then im going to deny anything else
0:09:04	during the time range work hrs
0:09:08	but if work hrs is not active im going to permit
0:09:12	ip any any
0:09:14	because remember when we look at the access list its always going to be processed in a top down fashion
0:09:20	so this says if it were to be work hrs
0:09:23	port 80 is going to be allowed
0:09:26	but then everything else is denied
0:09:29	if it is not work hrs then everything is allowed
0:09:39	now the only issue with this if i apply to this interface here
0:09:43	what else is going to be filtered on router 3
0:09:49	if i were to apply this in
0:09:51	on this lan interface
0:09:55	its also going to break my ehrp control plan
0:10:00	so remember any time you're appling the access list to the routers
0:10:04	if you apply it in the inbound direction
0:10:07	its going to effect everything
0:10:09	so anything that is destined to the router
0:10:11	or anything that is transmitting through the router
0:10:14	however if i would apply it in an output direction
0:10:19	this application is only going to effect to the transit traffic
0:10:25	so an outbound access list is not affect locally generated traffic on the router
0:10:29	it only effects the transit traffic
0:10:32	in the way you could see this
0:10:34	if i were to simply say on router 3 access list
0:10:37	101 deny ip any any
0:10:40	and on fast ethernet 01 i say ip access group 101 out
0:10:45	now normally that you think thats going to drop everything
0:10:49	but if you show ip interface brief
0:10:53	you look fast ethernet 0/1
0:10:56	i still unable send the traffic
0:10:59	out there
0:11:02	because when i show access list
0:11:05	my locally generated traffic does not
0:11:08	hit this acl
0:11:11	now apply it inbound that would be a different story so inbound access list apply to all the traffic
0:11:18	locally destined or transit
0:11:20	outbound access list are only apply it only to the transit traffic
0:11:23	not to locally originate
0:11:26	now we will see what we get to contenet based access control
0:11:29	in the zone based policy firewall
0:11:31	this is something we need to take into account in our design
0:11:35	when we trying to match the traffic we need to figure out is it
0:11:38	from the router itself
0:11:41	so its locally originated
0:11:43	is it destined to the router
0:11:46	or is it in transit packet
0:11:48	or transit is coming inward link and going out the other
0:11:51	the routers is going to treat those 3 different catagories differently
0:11:54	depending on what type of filter that we are applying
0:11:57

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

IOS Time Based ACLs

Create Bookmark