
200-301 Security Fundamentals

Security Fundamentals Detailed Explanation

Security is a critical aspect of networking to ensure data confidentiality, integrity, and availability.

Part 1: Device Security

5.1.1 Basic Security Measures

These are foundational steps to secure networking devices like routers and switches:

  1. Password Protection:

    • Purpose: Prevent unauthorized access to device configuration.

    • Implementation:

      • Use a strong, unique password to protect privileged EXEC mode (cisco123 here is only a placeholder). enable secret stores a hash of the password rather than the password itself, so it cannot be read back out of the configuration:
      enable secret cisco123
      
      • Obfuscate the remaining plaintext passwords (line and username passwords) in the stored configuration. This is Type 7 encoding, which is reversible in seconds; it only stops a casual glance at the screen and is no substitute for hashed secrets:
      service password-encryption
      
  2. Secure Remote Access (SSH):

    • Why SSH?: Unlike Telnet, SSH encrypts communication, making it secure for remote device management.

    • Configuration Steps:

      1. Set a hostname and a domain name (IOS refuses to generate a key pair while the hostname is still the default, and the key label is built from both):

        hostname R1
        ip domain-name mydomain.com
        
      2. Generate an RSA key pair of at least 2048 bits and allow only SSH version 2 (SSHv1 has protocol-level weaknesses and is disabled by this setting):

        crypto key generate rsa modulus 2048
        ip ssh version 2
        
      3. Create a local user. Use secret rather than password so the credential is stored as a hash instead of a reversible Type 7 string:

        username admin secret cisco123
        
      4. Restrict the vty lines to SSH and make them authenticate against the local user database:

        line vty 0 4
        login local
        transport input ssh
        
  3. Disabling Unused Ports:

    • Why Disable Unused Ports? So that nobody who reaches a spare switch port or an unused wall jack can join the network. On a switch, also move such ports into an unused VLAN so they carry no production traffic if one is ever brought up by mistake.

    • Configuration:

      1. Select the range of unused ports:

        interface range GigabitEthernet0/1 - 24
        
      2. Shut them down:

        shutdown
        
  4. Configure Banner Messages:

    • Warn unauthorized users with a message. The first character after motd is the delimiter that ends the banner and must not appear in the text; keep the banner free of details an attacker could use (device role, owner, software version):

      banner motd "Unauthorized access is prohibited"
      

5.1.2 Verifying Device Security

  • Check Passwords:

    show running-config | include enable secret
    
  • Verify SSH Configuration:

    show ip ssh
    
  • Check Port Status:

    show ip interface brief
    

Part 2: Common Attacks and Mitigations

5.2.1 Types of Network Attacks

  1. DDoS (Distributed Denial of Service):

    • What It Is: Floods a network or service with traffic from many compromised hosts at once, exhausting bandwidth, connection tables or CPU so that legitimate users are denied service.
    • Example: Sending thousands of requests per second to a server, making it inaccessible to legitimate users.
  2. Phishing:

    • What It Is: A social engineering attack where attackers trick users into revealing sensitive information (e.g., passwords, credit card details).
    • Example: Fake login pages or deceptive emails that look legitimate.
  3. MITM (Man-in-the-Middle):

    • What It Is: Intercepting and altering communication between two parties without their knowledge.
    • Example: An attacker intercepts login credentials during a session on an unencrypted Wi-Fi network.

5.2.2 Mitigation Strategies

  1. Firewalls:

    • What They Do: Permit or drop traffic according to a rule set. The router ACL below is a stateless packet filter: each packet is judged on its own, so the example permits inbound TCP to port 80 and drops everything else, including replies to sessions that inside hosts opened. A stateful firewall (Zone-Based Firewall on IOS, or a dedicated appliance) tracks sessions and allows their return traffic automatically.

    • Configuration Example:

      access-list 100 permit tcp any any eq 80
      access-list 100 deny ip any any
      interface GigabitEthernet0/0
      ip access-group 100 in
      
  2. Intrusion Prevention Systems (IPS):

    • What They Do: Detect and block malicious activities in real time.
    • Deployed inline with network traffic for proactive protection.
  3. Strong Password Policies:

    • Length and unpredictability matter more than character-class rules. P@ssw0rd123! satisfies every complexity checkbox and still falls to a wordlist attack in seconds, because both the base word and the substitutions are in every cracking dictionary.
    • Prefer long passphrases or generated random strings, unique per device, stored in a password manager rather than in shared documents.
  4. Regular Updates and Patches:

    • Keep devices and software updated to mitigate vulnerabilities.
  5. Encryption:

    • Use encryption protocols (e.g., HTTPS, SSH) to protect data in transit.

5.2.3 Verifying Security Measures

  • Check Active ACLs:

    show access-lists
    
  • Monitor for Intrusion Attempts:

    show logging
    

Part 3: Virtual Private Networks (VPNs)

5.3.1 What is a VPN?

A VPN (Virtual Private Network) creates a secure, encrypted connection (or tunnel) between two networks or between a device and a network over the internet.

5.3.2 Purpose of VPNs

  1. Privacy:
    • Encrypts data to prevent eavesdropping.
  2. Remote Access:
    • Allows employees to securely connect to the corporate network from remote locations.
  3. Site-to-Site Connectivity:
    • Connects branch offices securely to the main office.

5.3.3 Key VPN Protocols

  1. IPsec (Internet Protocol Security):

    • What It Does: Protects IP packets themselves (Layer 3), so every application above it is covered without change.
    • Features:
      • Authentication Header (AH): integrity and origin authentication only, no confidentiality; rarely used today, and it does not survive NAT.
      • Encapsulating Security Payload (ESP): confidentiality plus integrity and authentication; this is what practically all IPsec VPNs use.
      • Internet Key Exchange (IKE): authenticates the peers and negotiates the keys and security associations that AH/ESP use.
    • Use Case: Site-to-site VPNs.
  2. SSL/TLS VPN:

    • What It Does: Tunnels traffic inside a TLS session (TLS is the successor of SSL; the name "SSL VPN" persists, but current deployments use TLS). It runs over TCP port 443, so it passes through almost any firewall or NAT.
    • Features:
      • Easier to deploy: a browser can use a clientless portal, and a full-tunnel client is a small download.
    • Use Case: Remote access VPNs for employees.

5.3.4 VPN Configuration Example

IPsec VPN Configuration (Basic Site-to-Site Example):

  1. Define interesting traffic (traffic to be encrypted):

    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    
  2. Configure IKE Phase 1 parameters and the pre-shared key for the peer (group 2 is 1024-bit Diffie-Hellman, which is no longer considered adequate; group 14, 2048-bit, is the sensible minimum):

    crypto isakmp policy 1
    encryption aes 256
    hash sha256
    authentication pre-share
    group 14
    crypto isakmp key <long-random-key> address 203.0.113.2
    
  3. Configure IPsec parameters:

    crypto ipsec transform-set MY_SET esp-aes esp-sha-hmac
    
  4. Create the VPN tunnel:

    crypto map MY_VPN 10 ipsec-isakmp
    set peer 203.0.113.2
    set transform-set MY_SET
    match address 101
    
  5. Apply the crypto map to an interface:

    interface GigabitEthernet0/1
    crypto map MY_VPN
    

5.3.5 Verifying VPN Configuration

  • Check IPsec Status:

    show crypto ipsec sa
    
  • Verify Tunnel Establishment:

    show crypto isakmp sa
    

Part 4: Advanced VPN Concepts

5.3.6 Types of VPNs

VPNs are categorized based on their use cases and configurations:

  1. Remote Access VPN:

    • Allows individual users to connect securely to a private network from remote locations.
    • Use Case: Employees accessing company resources from home.
    • Example Protocols: SSL, IPsec.
  2. Site-to-Site VPN:

    • Connects entire networks (e.g., branch offices) securely over the internet.
    • Use Case: Linking two corporate offices.
    • Example Protocols: IPsec.
  3. Clientless VPN:

    • Users access the VPN through a web browser without needing dedicated VPN software.
    • Use Case: Secure access for non-corporate devices.
  4. Layer 2 Tunneling Protocol (L2TP):

    • Tunnels Layer 2 (PPP) frames over IP but has no encryption of its own; it is paired with IPsec (L2TP/IPsec) for confidentiality.
    • Use Case: Legacy remote-access clients, and provider-side tunneling between ISP access concentrators.

5.3.7 VPN Configuration Steps

Let’s expand on configuring Site-to-Site VPNs using IPsec.

Scenario:

  • Office A (LAN: 192.168.1.0/24) needs to connect securely to Office B (LAN: 192.168.2.0/24) via the internet.
  • Public IP of Office A: 203.0.113.1.
  • Public IP of Office B: 203.0.113.2.
Step 1: Configure Interesting Traffic

Define the traffic to be encrypted between the two offices:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Step 2: Configure IKE Phase 1 (ISAKMP Policy)

Define the security parameters for establishing the VPN tunnel:

crypto isakmp policy 1
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 86400
  • encryption aes 256: AES with a 256-bit key (plain "encryption aes" selects AES-128, which is still acceptable).
  • hash sha256: SHA-256 for integrity of the IKE exchange.
  • authentication pre-share: a shared key authenticates the two peers.
  • group 14: 2048-bit Diffie-Hellman for the key exchange. Group 2 (1024-bit) still appears in older material, but 1024-bit MODP is within reach of well-resourced attackers and should not be used for new tunnels.
  • lifetime 86400: the Phase 1 SA is renegotiated after 24 hours (the IOS default).
Step 3: Set the Pre-Shared Key

The pre-shared key must match on both ends and is the entire strength of peer authentication. mysecurekey is only a placeholder: use a long random string (generated, not a word), unique per peer, and bind it to the peer address as shown so it cannot be replayed from another source:

crypto isakmp key mysecurekey address 203.0.113.2
Step 4: Configure IKE Phase 2 (IPsec Policy)

Define the encryption and integrity settings for the data transfer. esp-aes esp-sha-hmac selects AES-128 with HMAC-SHA-1, which is still acceptable; esp-aes 256 esp-sha256-hmac is the stronger choice on platforms that support it:

crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
Step 5: Create and Apply Crypto Map

Link the policies to the VPN and apply it to the interface:

  1. Create the crypto map:

    crypto map MY_VPN 10 ipsec-isakmp
    set peer 203.0.113.2
    set transform-set MY_TRANSFORM_SET
    match address 101
    
  2. Apply the crypto map to the outgoing interface:

    interface GigabitEthernet0/0
    crypto map MY_VPN
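
The steps above, together with the device-hardening steps in Part 1, are the kind of thing a practitioner checks across many routers at once. The following is an added example, not code from this page or from Cisco: a small audit of IOS configuration text that flags the weak choices discussed here (enable password instead of enable secret, users stored with password, vty lines that still accept Telnet, SSHv1, short pre-shared keys, ISAKMP policies using DES/3DES, MD5 or DH group 1/2/5, including the IOS defaults that apply when a line is omitted, and weak transform sets). The thresholds and messages are ours, and both sample configurations are constructed.

```python
"""
Audit an IOS configuration excerpt for the weak settings discussed on this page.
Added example, not from the page or from Cisco; checks, thresholds and wording are
ours, and the two configurations at the bottom are constructed for the demo.
"""
import re
from typing import List, Tuple

WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}            # 768/1024/1536-bit MODP
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LENGTH = 20                          # our floor for a pre-shared key


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (top-level line, [indented child lines]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for header, body in parse_blocks(config):
        if header.startswith("enable password"):
            findings.append("enable password: reversible storage; use 'enable secret'")
        elif re.match(r"username \S+ password\b", header):
            user = header.split()[1]
            findings.append(f"username {user}: stored with 'password'; use 'username {user} secret'")
        elif header == "ip ssh version 1":
            findings.append("ip ssh version 1: SSHv1 is insecure; configure 'ip ssh version 2'")
        elif header.startswith("line vty"):
            for child in body:
                if child.startswith("transport input") and child not in ("transport input ssh", "transport input none"):
                    findings.append(f"{header}: '{child}' allows Telnet; use 'transport input ssh'")
        elif header.startswith("crypto isakmp key"):
            # Type 6 (encrypted) keys do not match this pattern and are skipped.
            m = re.match(r"crypto isakmp key (?:0 )?(\S+) address (\S+)", header)
            if m and len(m.group(1)) < MIN_PSK_LENGTH:
                findings.append(f"isakmp key for peer {m.group(2)}: {len(m.group(1))} characters; use a long random key")
        elif header.startswith("crypto isakmp policy"):
            # IOS defaults apply to any parameter the policy leaves out.
            settings = {"encryption": "des", "hash": "sha", "group": "1"}
            for child in body:
                key, _, value = child.partition(" ")
                if key in settings:
                    settings[key] = value.split()[0]
            if settings["encryption"] in WEAK_IKE_ENCRYPTION:
                findings.append(f"{header}: encryption {settings['encryption']} is weak; use aes 256")
            if settings["hash"] in WEAK_IKE_HASH:
                findings.append(f"{header}: hash md5 is weak; use sha256")
            if settings["group"] in WEAK_DH_GROUPS:
                findings.append(f"{header}: DH group {settings['group']} is too small; use group 14 or higher")
        elif header.startswith("crypto ipsec transform-set"):
            name = header.split()[3]
            for token in header.split()[4:]:
                if token in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: {token} is weak")
    return findings


# Constructed: the weak choices seen in study material, side by side with a hardened version.
WEAK_CONFIG = """\
enable password cisco123
username admin password cisco123
ip ssh version 1
line vty 0 4
 login local
 transport input telnet ssh
crypto isakmp policy 1
 encryption aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
crypto isakmp key mysecurekey address 203.0.113.2
crypto ipsec transform-set OLD esp-3des esp-md5-hmac
"""

HARDENED_CONFIG = """\
enable secret 9 $9$examplehash
username admin secret 9 $9$examplehash
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Rk7vQ2mX9pL4nB8sT1wZ6yH3cJ5dF0gA address 203.0.113.2
crypto ipsec transform-set MY_SET esp-aes 256 esp-sha256-hmac
"""
```

Run audit_config over the text of show running-config; policy 10 in the weak sample is flagged for DH group 1 even though no group line is present, which is the point of filling in the IOS defaults before judging a policy.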
    

Part 5: Advanced Security Enhancements

5.4 Firewalls

A firewall is essential for filtering and monitoring network traffic based on pre-defined rules.

Configuration Example:

  1. Permit only HTTP and HTTPS inbound and drop everything else. Order matters: an ACL is evaluated top-down and the first matching entry wins, so a deny ip any any placed first would shadow every permit after it and drop all traffic. The explicit deny at the end is there for clarity (and for logging if you add the log keyword); an ACL ends with an implicit deny anyway. Remember that this filter is stateless: applied inbound on the Internet-facing interface it also drops replies to sessions started from inside unless those are permitted explicitly.

    access-list 100 permit tcp any any eq 80
    access-list 100 permit tcp any any eq 443
    access-list 100 deny ip any any
    interface GigabitEthernet0/0
    ip access-group 100 in
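
To make the first-match rule concrete for both this example and the firewall ACL in Part 2 (and the wildcard-mask ACL that selects VPN traffic in Part 3), here is an added example, not code from this page or from Cisco: a small evaluator for numbered extended ACLs that walks the entries top-down, applies wildcard-mask matching, and falls through to the implicit deny. It understands only the syntax used on this page (permit/deny, protocol ip/tcp/udp/icmp, any, host, address-plus-wildcard, and eq on the destination port); the ACLs and packets in it are constructed.

```python
"""
First-match evaluation of Cisco IOS numbered extended access lists.
Added example (not from the page or from Cisco): models how IOS walks an ACL,
top-down, first match wins, and a packet that matches no entry hits the implicit
'deny ip any any'. Sample ACLs and packets are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec from the front of tokens; return (network, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _matches(ip: str, spec: Tuple[int, int]) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard is 'don't care', a 0 bit must match."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (network & care)


def parse_acl(config: str, number: int) -> list:
    """Return the entries of 'access-list <number> ...' in configuration order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)] or tokens[2] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries: list, pkt: Packet) -> Tuple[str, int]:
    """Walk the ACL top-down; return (decision, index of the deciding entry).
    Index -1 means nothing matched and the implicit deny at the end applied."""
    for index, (action, proto, src, dst, dport) in enumerate(entries):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _matches(pkt.src, src) or not _matches(pkt.dst, dst):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action, index
    return "deny", -1


# Constructed: the ordering mistake (deny first shadows every permit), its fix,
# and the wildcard-mask ACL used to select site-to-site VPN traffic.
SHADOWED = """\
access-list 100 deny ip any any
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
"""
CORRECT = """\
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any
"""
VPN_INTERESTING = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n"


def demo() -> Dict[str, Tuple[str, int]]:
    web = Packet("tcp", "203.0.113.10", "192.0.2.5", 80)
    ssh = Packet("tcp", "203.0.113.10", "192.0.2.5", 22)
    return {
        "shadowed_web": evaluate(parse_acl(SHADOWED, 100), web),   # deny by entry 0
        "correct_web": evaluate(parse_acl(CORRECT, 100), web),     # permit by entry 0
        "correct_ssh": evaluate(parse_acl(CORRECT, 100), ssh),     # deny by entry 2
        "vpn_lan_to_lan": evaluate(parse_acl(VPN_INTERESTING, 101), Packet("udp", "192.168.1.10", "192.168.2.20", 53)),
        "vpn_to_internet": evaluate(parse_acl(VPN_INTERESTING, 101), Packet("udp", "192.168.1.10", "10.0.0.1", 53)),
    }
```

The index returned by evaluate tells you which line decided the packet, which is the same information show access-lists gives through its per-entry match counters: a permit that never increments is usually sitting below a broader deny.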
    

5.5 Intrusion Prevention System (IPS)

IPS actively detects and blocks malicious traffic in real-time.

Configuration Example:

  1. Enable IPS on an interface:

    ip ips config location flash:/ips
    ip ips name MY_IPS
    interface GigabitEthernet0/0
    ip ips MY_IPS in
    

5.6 Secure Network Design

  1. Segmentation:

    • Use VLANs to separate sensitive groups (e.g., HR, Finance). A VLAN by itself only separates broadcast domains; enforce who may talk to whom with ACLs or a firewall at the Layer 3 boundary between the VLANs.

    • Example:

      vlan 10
      name HR
      vlan 20
      name Finance
      
  2. DMZ (Demilitarized Zone):

    • Place public-facing servers (e.g., web, email) in a separate zone for additional protection.

Part 6: Verifying Security

  1. Verify VPN Status:

    • Check IPsec SAs (Security Associations):

      show crypto ipsec sa
      
  2. Verify Firewall Rules:

    show access-lists
    
  3. Check IPS Logs:

    show logging
    

Summary of Security Fundamentals

Feature: Device Security
  Purpose: Protects network devices from unauthorized access.
  Key Concepts: Passwords, SSH, disable unused ports.
  Configuration Example:
    enable secret cisco123
    crypto key generate rsa modulus 2048
    transport input ssh

Feature: Common Attacks & Mitigation
  Purpose: Protects against DDoS, phishing, MITM attacks.
  Key Concepts: Firewalls, IPS, encryption, strong passwords.
  Configuration Example (permits come before the final deny, since the first match wins):
    access-list 100 permit tcp any any eq 80
    access-list 100 deny ip any any

Feature: VPNs
  Purpose: Securely connects remote users/sites to a network.
  Key Concepts: IPsec (Site-to-Site), SSL/TLS (Remote Access).
  Configuration Example:
    crypto isakmp policy 1
    crypto ipsec transform-set MY_SET esp-aes esp-sha-hmac

Security Fundamentals (Additional Content)

1. Brute Force Attack Protection

Brute force attacks involve repeated login attempts with different passwords. Cisco IOS can rate-limit them with the login block-for command.

Configuration Example:

login block-for 60 attempts 3 within 30

Explanation:

  • If 3 failed login attempts occur within 30 seconds, the device enters quiet mode and refuses further login attempts for 60 seconds.

  • The failure counter is global, not per source address. That slows automated guessing, but it also means an attacker who keeps failing can hold the device in quiet mode and lock administrators out. Exempt trusted management addresses with login quiet-mode access-class <acl>, and enable login on-failure log so the attempts reach syslog where they can be correlated.

Use Case:

Protects the remote login paths (Telnet, SSH) from automated password guessing. It complements, and does not replace, strong credentials and an access-class that limits vty access to management networks.
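
Before deploying login block-for it is worth replaying last week's failed logins against the numbers you intend to use. The following is an added example, not code from this page or from Cisco: it parses LOGIN_FAILED syslog lines and labels each attempt according to a model of the watch window / quiet mode behaviour described above, with an optional set of exempt addresses standing in for login quiet-mode access-class. The log lines are constructed and only approximate the %SEC_LOGIN-4-LOGIN_FAILED message IOS produces with login on-failure log; the window semantics (a window opens at the first failure and lasts "within" seconds) are our model of the documented behaviour, not IOS code, and the replay treats every logged line as an attempt even though a real device would refuse the connection during quiet mode.

```python
"""
Replay failed-login syslog lines through a model of 'login block-for'.
Added example, not from the page or from Cisco; the log sample is constructed and
the quiet-mode semantics are modelled from the documented behaviour.
"""
import re
from typing import FrozenSet, List, Tuple

LOGIN_FAILED = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d).*LOGIN_FAILED.*\[Source: ([\d.]+)\]"
)

# Constructed sample: three quick failures from one host, a fourth during quiet
# mode, an administrator's typo from the management network, then a late attempt.
SAMPLE_LOG = """\
Jan  1 14:21:03: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 14:21:05: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 14:21:08: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 14:21:30: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 14:21:40: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 14:22:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed]
"""


def parse_failures(log: str) -> List[Tuple[int, str]]:
    """Extract (seconds since midnight, source address) from each LOGIN_FAILED line."""
    events = []
    for line in log.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            h, mi, s, src = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), src))
    return events


def simulate_login_block(events: List[Tuple[int, str]], block_for: int, attempts: int,
                         within: int, quiet_mode_acl: FrozenSet[str] = frozenset()) -> List[Tuple[int, str, str]]:
    """Label each attempt: 'failed', 'quiet-mode-on', 'refused' or 'exempt'."""
    labels = []
    window_start, count, quiet_until = None, 0, None
    for t, src in events:
        if quiet_until is not None and t < quiet_until:
            # Quiet mode refuses every login except sources in the quiet-mode ACL.
            labels.append((t, src, "exempt" if src in quiet_mode_acl else "refused"))
            continue
        quiet_until = None
        if window_start is None or t - window_start > within:
            window_start, count = t, 0        # open a fresh watch window
        count += 1
        if count >= attempts:
            quiet_until = t + block_for       # the counter is global, not per source
            window_start, count = None, 0
            labels.append((t, src, "quiet-mode-on"))
        else:
            labels.append((t, src, "failed"))
    return labels


def demo(exempt=("10.0.0.5",)) -> List[str]:
    """Replay SAMPLE_LOG against 'login block-for 60 attempts 3 within 30'."""
    events = parse_failures(SAMPLE_LOG)
    return [label for _, _, label in simulate_login_block(events, 60, 3, 30, frozenset(exempt))]
```

With the exempt set empty the administrator's attempt at 14:21:40 is refused along with the attacker's, which is exactly the lockout the quiet-mode access-class exists to prevent.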

2. Weak Encryption Warning – Type 7 Passwords

Cisco’s command:

service password-encryption

does not encrypt in any meaningful sense: it applies Type 7 encoding, a fixed-key XOR that freely available tools reverse instantly.

Important Notes:

  • Type 7 protects only against a glance at the screen. Anyone with a copy of the configuration (a backup, a TFTP transfer, a show run pasted into a ticket) recovers the passwords.

  • Never rely on it for the enable password or for user accounts in production.

  • Instead, use:

    enable secret <password>
    

    which stores a salted hash: Type 5 (MD5-based) on older releases, or Type 8 (PBKDF2 with SHA-256) and Type 9 (scrypt) on current ones via enable algorithm-type. A hash cannot be reversed, although a fast one such as MD5 can still be brute-forced offline, so the password itself must be long. Apply the same rule to local users with username <name> secret <password>.
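
To show why the page calls Type 7 reversible (and why service password-encryption in Part 1 is only an obfuscation), here is an added example, not code from this page or from Cisco: an encoder and decoder for the Type 7 scheme plus a scan that pulls every Type 7 value out of a configuration. The key bytes are the widely published ones used by public decoders, the offset range 0 to 15 is the one IOS is known to use, and the configuration excerpt is constructed.

```python
"""
Cisco IOS Type 7 password obfuscation, as produced by 'service password-encryption'.
Added example, not code from the page or from Cisco. The stored string begins with
a two-digit offset into a constant key, followed by one hex byte per password
character XORed with successive key bytes. The key is public and the offset is
stored in the clear, so the configuration alone recovers the password.
"""
import re
from typing import List, Tuple

# The widely published Type 7 key bytes used by public decoders.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Return the Type 7 string IOS would store for plaintext with the given offset."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        out.append(f"{byte ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(stored: str) -> str:
    """Recover the plaintext from a Type 7 string such as '094F471A1A0A'."""
    if len(stored) < 4 or len(stored) % 2 or not stored[:2].isdigit():
        raise ValueError("not a well-formed Type 7 string")
    seed = int(stored[:2])
    cipher = bytes.fromhex(stored[2:])
    return bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(cipher)).decode()


# Matches 'password 7 <hex>' and 'key 7 <hex>' as they appear in a running-config.
TYPE7_LINE = re.compile(r"\b(password|key) 7 ([0-9A-Fa-f]{4,})\b")


def recover_type7_secrets(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every Type 7 value in the text."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(2))))
    return found


# Constructed excerpt of a configuration saved after 'service password-encryption';
# both values encode the password "cisco" with different offsets.
SAMPLE_CONFIG = """\
enable secret 5 $1$examplehash
username admin password 7 094F471A1A0A
line vty 0 4
 password 7 121A0C041104
 login
"""
```

The same password stored twice yields two different strings only because the offset differs, which is what makes a Type 7 value look encrypted to the eye; the enable secret line is untouched by the scan because a Type 5/8/9 hash carries no recoverable password.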

3. IDS vs. IPS – Understanding the Difference

Feature            IDS (Intrusion Detection System)   IPS (Intrusion Prevention System)
Mode               Passive                            Inline (Active)
Function           Detects and alerts                 Detects and blocks
Action             Logs or generates alarms           Drops malicious traffic
Deployment         Monitors a copy of traffic         Directly in the traffic path
Impact on traffic  None                               Can add latency if misconfigured

Key Concept:

  • IDS: “I detect and notify.”

  • IPS: “I detect and act.”

  • Because an IPS sits in the path it is also a point of failure and of latency: decide deliberately whether it fails open or fails closed, and tune signatures in detect-only mode before enabling blocking so that false positives do not drop legitimate traffic.

Cisco IPS Example:

ip ips name MY_IPS
ip ips config location flash:/ips
interface GigabitEthernet0/0
 ip ips MY_IPS in

4. VPN – GRE over IPsec (Optional Advanced Topic)

While classic crypto-map IPsec encrypts only the unicast IP traffic selected by an access list, it cannot carry multicast or non-IP traffic, so routing protocols such as OSPF cannot run across the tunnel on their own.

GRE (Generic Routing Encapsulation):

  • Encapsulates multiple protocols (e.g., OSPF, multicast)

  • Does not provide encryption

GRE over IPsec:

  • Combines GRE tunneling with IPsec encryption

  • Widely used in site-to-site VPNs that require routing protocol support

Basic Configuration Flow:

  1. Create a GRE tunnel (the tunnel interface gets its own private addressing; tunnel source and destination are the public peer addresses):
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 203.0.113.2
  2. Protect it with IPsec: apply the crypto map to the physical interface, with a crypto ACL that matches the GRE packets between the two public addresses (protocol gre, host to host) rather than the LAN subnets. The routing protocol then runs over Tunnel0, and everything it routes into the tunnel is encrypted.

5. Zone-Based Firewall (ZBF) – Modern Stateful Firewall on Cisco Routers

ZBF is a stateful firewall model that segments the router into security zones and applies policies between zones.

Key Features:

  • Traffic within a zone is allowed by default.

  • Between zones, traffic is denied unless a zone pair with a policy explicitly allows it. Traffic between an interface in a zone and an interface in no zone is dropped as well; the router's own traffic belongs to the built-in self zone, which is permitted by default.

  • Supports inspection (stateful tracking of each session, so its return traffic is allowed automatically), state tracking, and application awareness.

Basic Configuration Steps:

  1. Define zones:
zone security INSIDE
zone security OUTSIDE
  2. Assign interfaces:
interface GigabitEthernet0/0
zone-member security INSIDE

interface GigabitEthernet0/1
zone-member security OUTSIDE
  3. Create a class-map (match traffic):
class-map type inspect match-any WEB_TRAFFIC
match protocol http
match protocol https
  4. Create a policy-map (define actions):
policy-map type inspect WEB_POLICY
class WEB_TRAFFIC
inspect
  5. Apply the policy to a zone pair. Only INSIDE to OUTSIDE is defined: web sessions started inside are inspected and their replies allowed back, other outbound traffic falls into the implicit class-default and is dropped, and anything initiated from OUTSIDE toward INSIDE is dropped because no zone pair permits it:
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect WEB_POLICY

Comparison: ZBF vs Traditional ACLs

Feature              ZBF                            Traditional ACLs
Stateful inspection  Yes                            No
Granularity          Application-level protocols    IP/port based only
Policy reusability   Modular class/policy-map       Line-by-line per interface
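
The difference in the first row of that table is easiest to see by feeding the same packets to both models. The following is an added example, not code from this page or from Cisco: a toy zone-based firewall with the zones, interfaces and class-map of the configuration above, beside the stateless "permit web, deny the rest" ACL from Part 5. Zone, interface and class names are the page's; the flow table, the mapping of match protocol http/https to destination ports, and the sample packets are ours.

```python
"""
Stateful zone-pair inspection versus a stateless access list, on a toy scale.
Added example, not from the page or from Cisco: interfaces sit in zones, one zone
pair (INSIDE -> OUTSIDE) inspects the listed protocols, inspected connections
create state, and only traffic matching existing state is allowed back.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Stand-in for 'match protocol http/https' in the class-map: match on destination port.
PROTOCOL_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFirewall:
    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}                    # interface -> zone
        self.policies: Dict[Tuple[str, str], Set[int]] = {}  # (src zone, dst zone) -> inspected ports
        self.flows: Set[tuple] = set()                       # state table of inspected connections

    def zone_member(self, iface: str, zone: str) -> None:
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone: str, dst_zone: str, protocols) -> None:
        self.policies[(src_zone, dst_zone)] = {PROTOCOL_PORTS[p] for p in protocols}

    def forward(self, pkt: Packet) -> str:
        """Return 'inspect', 'pass' or 'drop' for one packet, updating the state table."""
        src_zone, dst_zone = self.zone_of.get(pkt.in_iface), self.zone_of.get(pkt.out_iface)
        if src_zone is None or dst_zone is None:
            return "drop"    # zone member to/from an interface in no zone
        if src_zone == dst_zone:
            return "pass"    # traffic within a zone is allowed by default
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "pass"    # return traffic of an inspected connection
        ports = self.policies.get((src_zone, dst_zone))
        if ports is None or pkt.dport not in ports:
            return "drop"    # no zone pair, or class-default: default deny between zones
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "inspect"


def stateless_web_acl(pkt: Packet) -> str:
    """'permit tcp any any eq 80/443, deny ip any any' as a plain ACL: no memory of sessions."""
    return "permit" if pkt.proto == "tcp" and pkt.dport in (80, 443) else "deny"


def demo() -> Dict[str, str]:
    fw = ZoneFirewall()
    fw.zone_member("GigabitEthernet0/0", "INSIDE")
    fw.zone_member("GigabitEthernet0/1", "OUTSIDE")
    fw.zone_pair("INSIDE", "OUTSIDE", ["http", "https"])
    # Constructed packets: an inside client opens HTTPS, the server replies, an outside
    # host probes SSH and then port 80 on the inside client, and the client tries SSH out.
    request = Packet("GigabitEthernet0/0", "GigabitEthernet0/1", "tcp", "192.168.1.10", 51515, "198.51.100.20", 443)
    reply = Packet("GigabitEthernet0/1", "GigabitEthernet0/0", "tcp", "198.51.100.20", 443, "192.168.1.10", 51515)
    ssh_probe = Packet("GigabitEthernet0/1", "GigabitEthernet0/0", "tcp", "198.51.100.20", 4444, "192.168.1.10", 22)
    web_probe = Packet("GigabitEthernet0/1", "GigabitEthernet0/0", "tcp", "198.51.100.20", 4445, "192.168.1.10", 80)
    ssh_out = Packet("GigabitEthernet0/0", "GigabitEthernet0/1", "tcp", "192.168.1.10", 51516, "198.51.100.20", 22)
    return {
        "zbf_request": fw.forward(request),
        "zbf_reply": fw.forward(reply),
        "zbf_ssh_probe": fw.forward(ssh_probe),
        "zbf_web_probe": fw.forward(web_probe),
        "zbf_ssh_out": fw.forward(ssh_out),
        "acl_reply": stateless_web_acl(reply),
        "acl_web_probe": stateless_web_acl(web_probe),
    }
```

Two results carry the lesson: the stateless ACL denies the HTTPS reply the inside client is waiting for (its destination port is the client's ephemeral port, not 443) yet permits an unsolicited probe to port 80 on an inside host, while the zone pair passes the reply because it matches state and drops the probe because no OUTSIDE to INSIDE policy exists.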

Summary of Enhancements

Topic                       Key Concepts Added
Brute Force Protection      login block-for command
Password Security           Type 7 warning, recommend enable secret
IDS vs IPS                  Detailed comparison + examples
GRE over IPsec              Tunneling + enc ryption combo use case
Zone-Based Firewall (ZBF)   Stateful firewall with zones and inspection logic

Frequently Asked Questions

Where should a standard ACL be placed relative to the destination network?

Answer:

As close to the destination as possible.

Explanation:

Standard ACLs filter traffic based only on the source IP address. Because they do not evaluate the destination address or application type, placing them near the source could unintentionally block legitimate traffic destined for other networks. By placing the ACL closer to the destination network, administrators minimize the risk of denying traffic that should be permitted elsewhere in the network. This placement strategy ensures that only the traffic specifically intended for the protected network is filtered.


Which type of ACL filters traffic based on source address, destination address, and protocol information?

Answer:

Extended ACL.

Explanation:

Extended ACLs provide more granular control compared to standard ACLs. They can evaluate multiple packet fields including source IP address, destination IP address, protocol type, and port numbers. This capability allows administrators to permit or deny specific application traffic between particular hosts or networks. Because extended ACLs can precisely define traffic flows, they are typically placed closer to the source of the traffic to prevent unnecessary packets from traversing the network.


Which switch security feature limits the number of MAC addresses that can be learned on a port?

Answer:

Port security.

Explanation:

Port security is a Layer 2 security mechanism that restricts which devices can connect to a switch port. Administrators configure a maximum number of MAC addresses that the port may learn (and can pin specific addresses statically or let the switch learn them as sticky entries). If frames arrive from more addresses than the limit allows, the switch applies the configured violation action: protect silently drops frames from unknown addresses, restrict drops them and also counts and logs the violation, and shutdown (the default) places the port in the err-disabled state until an administrator re-enables it or errdisable recovery does. This feature keeps unauthorized devices off the network and also blunts MAC-flooding attacks that try to overflow the switch's address table.


What are the three primary components of the AAA security framework?

Answer:

Authentication, Authorization, and Accounting.

Explanation:

AAA is a security framework used to control and monitor access to network devices and services. Authentication verifies the identity of a user or device attempting to access the network. Authorization determines the level of access or privileges granted after authentication succeeds. Accounting records the actions performed by authenticated users, such as commands executed or session duration. Together, these components provide centralized security control and auditing capabilities in enterprise networks.

