CCNA Security: Security Policy Using a Life Cycle Approach

CCNA Security: Security Policy Using a Life Cycle Approach

Risk Analysis and Management

Secure Network Life Cycle

• Initiation: Preliminary risk assessments and categorization
• Acquisition/Development: Detailed risk assessment, acquiring countermeasures to reduce risk, testing countermeasures
• Implementation: Where countermeasures are deployed into a production network
• Operations/Maintenance: Monitoring and incident handling of network security devices
• Disposition: Disposing of network equipment, including wiping/sanitizing

Risk Analysis Methods

• Qualitiative: Data is gathered by an individual subject matter expert of the asset who can speak to its value and vulnerability
• Quantitative: Numbers and statistics determine risk

Using both methods yields a risk score which allows companies to justify cost of risk mitigation techniques

Security Posture Assessment

• General Assessment: High-level idea about security state of network devices with intent to identify vulnerabilities
• Internal Assessment: Identify how well protected the network is from internal attack
• External Assessment: Assess security risks from devices that connect from the outside of the network
• Wireless Assessment: Identifies vulnerabilities and weaknesses associated with wireless implementation, such as AP range allowing external access from outside the building
• Analysis/Documentation: Report combining details about vulnerabilities taht may exist following security assessments and recommended solutions to mitigate attack

One Approach to Risk Management

When determining risk score of an asset, consider:

• Asset Value
• Vulnerabilities
• Compliance Issues
• Potential Threats
• Business Needs

For new assets for which risk has not been identified, a qualitative/quantitative risk assessment should be performed, appropriate mitigation measures taken (transfer, acceptance or reduction in risk with countermeasures), and then the risk should be monitored

Regulatory Compliance Risk

Impact of not complying with local/state/federal compliance rules should be considered as part of risk assessment

Security Policy

Executive senior management is ultimately responsible for data, data governance policy must be created at high level from executive senior management such as an Acceptable Use Policy

Security policies have risk management as a primary aspect that should include an overview about the policy, what it covers and does not cover, Scope of Policy

Security policies exist to educate users about the company policy is in terms of security measures needed to be followed/enforced

Specific Types of Policy

• Guideline: AUP, audit policy, password policy, etc
• Email: Spam / Forwarding policies, etc
• Remote Access: VPN access, minimum requirements for remote access such as virus scanning, etc
• Telephony: Acceptable use of phone services
• Network: Standards for access over wired or wireless, minimum requirements for PCs connecting to network, etc
• Application: Minimum security features needed in applications, restrictions on what end users can install and run on company computers

Standards/Procedures/Guidelines

• Standard: Specifies the use of specific technologies as countermeasures
• Procedures: Document encompassing standards and guidelines for implementing security for the network, allows consistency in implementation of security
• Guidelines: Best practice, suggestions, used in place of solid direction in order to determine best course
• Policies: High-level documents that define strategic objectives of security, not technical in nature

Testing Security

Several techniques used to test security of a network:

• Network Scanning
• Password Cracking
• Penetration Testing
• Vulnerability Scanning
• Social Engineering

Responding to Incidents

• Assist in recovery of business operation while preserving attack evidence for forensics
• Document details of incident
• Prevent future incidents similar to one just experienced

Collecting Evidence

Equipment involved should be photographed or otherwise shown to be untampered with to preserve chain of evidence should a matter be brought to court. Disk storage should be saved before being disconnected, etc

Disaster Recovery and Continuity of Business Planning

Risk assessment can determine proper DR/ConOps strategy. Cost of maintaining DR should be weighed against potential business loss of not having DR. Max Tolerable Downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are needed to deterine proper DR strategy

RTO: Number of hours/days needed to resume business

RPO: State of data restoration, ie restoring to 4 hours after disaster occurred

 

CCNA Security: Network Security Concepts

               CCNA Security: Network Security Concepts

Basic Network Security Objectives

• Confidentiality

Data at rest should be protected by authentication to ensure sensitive information is restricted
Data in motion should be protected by encryption/isolation as it moves through the network

• Integrity

Data integrity is concerned with making sure that only authorized sources are manipulating data

• Availability

For systems and data, availability refers to the ability to access data by authorized users

 Cost/Benefit Security Analysis

Risk management deals with identifying assets, threats/vulnerabilities and countermeasures that make sense commeasurate to the value of the asset

Asset: Anything that has value to an organization such as property or data

Vulnerability: Exploitable weakness in a system or its design

Threat: Potential danger to an asset. An unrealized threat is a vulnerability that has not yet been exploited. A realized threat is a successful attack against an asset. Attacker is a threat agent or threat vector.

Risk: Potential for compromise/destruction/access to an asset

Countermeasure: Safeguard that mitigates risk by eliminating or reducing a vulnerability, or otherwise making the asset less vulnerable.


Thresholds apply to classification, generally a countermeasure or risk mitigation would not cost more than the value of the asset excepting government/financial regulations, etc

Classifying Assets

Assets can be classified so that policy can be developed on how to take action for certain classifications

Government Classifications

• Unclassified
• Sensitive But Unclassified
• Confidential
• Secret
• Top Secret

Private Sector Classifications

•  Public 
• Confidential
• Sensitive 
• Private

Classification Criteria

• Value
• Replacement Cost
• Lifetime
• Age

Classification Roles

• Owner: Person or group ultimately responsible for the data
• User: People who access the data any abide by acceptable use policy
• Custodian: Group responsible for implementing policy dictated by owner

Classifying Vulnerabilities

 Potential Vulnerabilities

• Policy Flaw
• Misconfiguration
• Protocol Weakness
• Design Error
• Software vulnerability
• Malware
• Hardware vulnerability
• Human ffactor
• Physical Access to Resources

 Classifying Countermeasures

Control Methods to Implement Countermeasures

• Administrative: Policy, procedure, change control
• Physical: Locked doors, access badges, cameras, etc
• Logical: Passwords, firewalls, VPN, IPS, access lists

Recognizing Current Network Threats

 

Potential Attackers

• Terrorists
• Hackers
• Government Agencies
• Competitors
• Criminals
• Nation-states
• Disgruntled Employees
• Anyone that can access a computer

Attack Methods

• Reconnaissance: Discovery process used to find information about the network. Port scans, IP scans, etc
• Social Engineering: User compromise, email, misdirection of web pages, phishing, pharming
• Privilege Escalation: Escalating level of access beyond what is allowed by policy/role
• Back Door: Application or user access left behind by an attacker to allow future access

Attack Vectors

Attacks can be launched from outside or inside company, even by authorized users. Using ICE/NAC or 802.1x can help mitigate authorized users from launching attacks internally 

 

 

Man-in-the-Middle Attack

 Attacker places itself between two devices that are communicating to perform reconnaissance or manipulate data as it moves between them. Main purpose is eavesdropping so attacker can see all traffic.


Layer 2 MITM Attacks

• ARP Poisoning: Attacker spoofs MAC address of actual default gateway in order to become gateway for the clients. Can be mitigated with Dynamic ARP Inspection
• Root Bridge Attack: Attacker connects switch to network with intent of becoming spanning-tree root bridge and forcing all traffic through that switch. Mitigated by Root Guard and BPDU Guard.

Layer 3 MITM Attacks

• Rogue Router: Rogue router can inject routes with better metric to force routing to go through the rogue router. Mitigated by routing protocol authentication and only listening for routing protocols on specific interfaces

Miscellaneous Attack Vectors

• Covert Channels: Uses communications in unintended ways such as tunnelling P2P file sharing inside of HTTP traffic, or a backdoor using ICMP to communicate with an attacker 
• Trust Exploitation:  Attacker leverages implied trust relationship to gain access, such as exploiting a DMZ server that can communicate to the inside to launch attacks internally
• Password Attack: Brute force attacks to guess passwords, MITM or key logging software
• BotNet: Infected computers that listen for command/control signals from an attacker utilizing a backdoor channel to communicate
• DoS and DDoS: Usinga  botnet to target a particular system in order to flood it with malicious traffic with the intent to deny legitimate access

Applying Fundamental Security Principles to Network Design

Guidelines

• Least Privilege: Minimal access to perform the function is assigned and no more
• Defense in Depth: Security is implemented in multiple places on the network, such as a firewall with an IPS, host-based firewall, etc
• Separation of Duty: Specific individuals are placed into specific roles, allows checks and balance regarding implementation of security policy
• Auditing: Keeping records of what is occurring on the network using things like AAA and syslogs, logs can be reviewed to check access and events

CCNA Voice: The CME Dial-Plan

The CME Dial-Plan

Physical Voice Port Characteristics

Analog Voice Ports

Foreign Exchange Station (FXS): Connect to end stations such as analog phones and fax machines

Three normal configuration options:

• Call signaling
• Call tones
• Caller ID Info

Call signaling:

voice-port (port number)

signal (loopstart or groundstart)

Call Tones: 

voice-port (port number)

cptone (Two letter country code)

Caller ID Info:

voice-port (port number)

station-id name (Name)

station-id number (Number)

Foreign Exchange Office (FXO): 

Same configuration options as above with two extra:

• Dial-Type
• Ring Number

Dial-Type: Tone or Pulse Dialing

voice-port (port number)

dial-type (dtmf or pulse)

Ring Number: Number of rings that should pass before the router picks up the line

voice-port (port number)

ring number (number)

show voice port summary shows status of voice ports on router

Digital Voice Ports

Can be configured as CAS or CCS

Common Configuration:

clock source line
framing esf
linecode b8zs

CCS:

controller (port number)

pri-group 1 timeslots 1-24 (For T1)

CAS:

controller (port number)
ds0-group 1 time-slots 1-24 (For T1)

For T1, channel 24 (time-slot 24) is signaling
For E1, channel 16 (time-slot 17) is signaling

Dial-Peers

Call Processing / Digit Manipulation

Class of Restriction

Quality of Service

CCNA Voice: Managing Users and Devices with CME

Managing Users and Devices with CME

Three key items needed to get CME configured:

• IP Source Address
• Max-DN
• Max-Ephones

IP source address determines what interface will expect IP phone registration requests

Max-DN / Max-Ephone configuration reserves resources on the router and max-ephone should not exceed number of licenses purchased

Ephone / Ephone-DN Configuration

Can be configured as single-line, dual-line or octo-line

single-line ephone-dn: Can only make or receive a single call at a time. If in use caller will receive a busy signal

dual-line ephone-dn: Phone can handle two simultaneous calls and supports features such as call waiting, conference calling and warm transfer

octo-line ephone-dn: Typically use for shared lines where many share the same extension or receptionist phones

Configuration Example with CLI

EPHONE-DN

config t

!

ephone-dn 1

number 2000

!

ehone-dn 2 dual-line

number 2001 secondary 2085551212

EPHONE

ephone 1

mac address  00ab.5454.65ba

LINK EPHONE TO EPHONE-DN

ephone 1

button 1:2

!
restart

button command links ephone-dn 2 to button 1 on ephone 1

restart command tells phone to do warm reboot and redownload configuration file from TFTP server

Button assignments can be verified with show ephone command

Configuring Users, Phones and Extensions with CCP

Telephony Service is configured from the Configure > Unified Communications > Telephony Settings

Same three key items are required:

• Max-Ephones
• Max-DNs
• IP Source Address

Once telephony services are activated, CCP can be used to configure users, extensions and phones

Configure Extensions

Configure > Unified Communications > Users, Phones and Extensions > Extensions

Configure DN, description, secondary DN if applicable, line type, click OK

Configure Phones

Configure > Unified Communications > Users, Phones and Extensions > Phones

Configure model of IP Phone, MAC address, click OK

Configure Users

Users must be created to link DN to IP Phone together with CCP

Configure > Unified Communications > Users, Phones and Extensions > User Settings

Add details:

• User ID (Only field required)

Other optional fields:

• First and last name
• Display Name for Caller ID
• Password
• PIN

Click Phones/Extensions tab to associate user with phone and extension(s) via drop-down boxes

Click OK

CCP has template of show commands via drop-down box for troubleshooting, also functions as free-form typing box for show commands that can be accessed via:

Configure > View > IOS Show Commands

CCNA Voice: Introduction to CME Administration

CME Administration

Command Line Management

Use one of three methods to access CLI:

• Console Port
• Telnet
• SSH

telephony-service configuration command activates CME functionality on a router that supports it

Core CME config commands are performed under telephony-service configuration

show ephone registered command shows phones registered with CME and is most common verification/troubleshooting command

GUI Management

Two flavors: Integrated CME GUI and Cisco Configuration Professional

Integrated CME GUI

Files loaded into flash of router, with assigned IP and http server service turned on the router

Focused on telephony, not pretty

CCP

Can configure all major elements of routers

Wizard-based

Local install on client PC, can be used to manage any supported Cisco platform

CCP Configuration

Before managing devices a community must be configured

Community consists of devices to be managed

Devices to be managed must be configured with four things to support CCP control:

1. Reachable IP from CCP
2. Level 15 Username/password on device
3. HTTP services turned on
4. Local authentication

CCP uses Telnet/HTTP by default, can be configured to use SSH/HTTPS

When a device is discovered by CCP it populates CCP with info

Unified Communications can be configured on a router (if not already enabled) in one of four ways:

1. CME Standalone
2. Voice Gateway (PSTN to VOIP or analog to digital)
3. CME as SRST (CME acts as failover device if CUCM communication is lost)
4. None

CCP has a configuration confirmation screen that shows what commands are to be delivered to the router before being applied, in order to verify correctness prior to submitting

CCNA Voice: IP Phone Concepts and Phone Registration

IP Phone Concepts and IP Phone Registration

Connecting/Powering Cisco IP Phones

Three sources of power for IP phones available:

• Catalst Switch PoE (pre-standard 802.3af)
• Power Patch Panel PoE (pre-standard 802.3af)
• Cisco IP Phone Power Brick (facility power)

Catalyst Switch PoE

Cisco Inline Power existed before official standard 802.3af was developed and used unused pairs in ethernet cable to deliver power

802.3at power standard created to increase maximum wattage fro 15.4W to 25.5W

Power Patch Panel

Patch panels are powered and inject power onto ethernet line as an intermediary

Lower cost than switch upgrades, but switches in use must otherwise support QoS and voice vlans or the switches need to be upgraded anyway, eliminating lower cost

Inline PoE Injector is even lower cost but requires dedicated power plug for each injector, not scalable

Cisco IP Phone Power Brick

Must be purchased separately from Cisco, one per phone, requires dedicated power plug for each phone brick

If IP phones have added modules (ie sidecar) then switch PoE is no longer sufficient and a brick is needed

Voice VLAN Concepts/Configuration

Cisco IP Phones support VLAN tagging and use CDP to discover voice vlan

PC can not understand tagged frames, so IP phone must strip tags before delivery to attached PC

Phone tags its own packets with voice vlan

VLAN Configuration

1.  Add voice vlan to switch
2. Configure IP phone switchport with mode access, access and voice vlan numbers
3. Enable port for spanning-tree portfast to allow IP phone to boot quickly

Cisco IP Phone Boot Process

1. IP phone receives power from the switch or one of several aforementioned power solutions
2. Switch delivers voice vlan info to phone using CDP
3. IP Phone sends DHCP request on voice vlan
4. DHCP server responds with IP address offer
5. IP phone receives DHCP option 150 with IP address and other normal info such as gateway and DNS
6. Option 150 directs IP phone to TFTP server address to pull configuration of the IP phone
7. Configuration includes call processing server IPs (CUCM or CME)
8. IP Phone attempts to register with a call processing server in order of the list in the configuration

Config files are named by phone, ie, SEP(MAC ADDRESS OF IP PHONE).cnf.xml

If this file does not exist on TFTP server, IP Phone requests XMLDefault.cnf.xml that has base configuration for auto-registration with CME/CUCM

 Configuring a Router as the TFTP Server

1. Create DHCP scope on router
2. Add network, default gateway, dns server (optional) and option 150 address pointing at the router's voice vlan IP
3. Ensure the configuration files are accessible on the router for the IP Phones to download 

NTP for Cisco Devices

Accurate clocks on devices are needed for the following reasons:

• Correct date/time displayed for users
• Correct date/time assigned to voicemail tags
• Accurate CDR records
• Many security features rely on accurate time
• Logs on routers/switches are accurate with correct time

clock set command can manually set time

Stratum of NTP server determines how far away the device is from a radio/atomic clock

ntp server (IP ADDRESS) configures the device to use a server for NTP

clock timezone (name) (UTC Offset) command configures time zone

To configure the device as an NTP server, command ntp master (stratum number) is used

IP Phone Registration

Required steps before registering:

1. IP Phone has received power
2. IP Phone has voice vlan information via CDP
3. IP Phone has DHCP address and option 150 address
4. IP Phone has downloaded its configuration from TFTP server

IP Phone configuration will list up to three call processing servers (CME/CUCM), IP Phone will attempt to register in order until it successfully registers with one

Registration is done with either SCCP or SIP depending on phone firmware

SCCP is Cisco proprietary, SIP is industry standard

Registration process is as follows;

1. IP Phone contacts call processing server, identifies itself by its MAC to the server
2. Server consults database and sends operating configuraton to the IP Phone including Directory Numbers, ring tones, softkey template, etc using SCCP or SIP
3. SCCP/SIP used to use phone from that point, when IP phone buttons are pressed, handset is lifted off-hook, etc

1. 
   

CCNA Voice: Unified Communications at a Glance

Unified Communications Pieces

Unified Communications Products

Core products:

• Cisco Unified Communications Manager Express
• Cisco Unified Communications Manager
• Cisco Unity Connection
• Cisco Unified Presence

Other products include Cisco Unified Contact Center Enterprise/Express, Cisco Unified MeetingPlace, etc

Cisco Unified Communications Manager Express

CME was designed for ISR G2 Routers, ISR G1 routers with proper IOS and hardware can also support CME 8.X

Key Features of CME:

• Call control device, handles signaling, call routing, call features
• CLI or GUI based configuration using CCP
• Local telephone directory
• CTI support for application integration
• Trunk to other VOIP systems (ie, CUCM)
• Cisco Unity Express Module direct integration with network module

CME controls almost all actions performed with Cisco IP Phones using SCCP or SIP

As user inputs to the phone, SCCP or SIP messages are sent between CME and IP Phone to determine what is happening

After call setup, RTP stream is created between two endpoints and CME is no longer involved

For calls to the PSTN, CME acts as the voice gateway and transcodes analog to digital signal using DSP/PVDM modules. During the call CME transcodes between PSTN and IP phone and can not be removed from call flow

Cisco Unity Express

Integrated hardware module for CME router to provide voicemail services. Either comes as ISM or SM. ISM is internal to CME router and uses flash memory for storage. SM is external and uses a hard drive for storage. ISM/SM replace CUE AIM and NM

CUE runs its own independent Linux-based OS which is accessible from CME router after install

Key features of CUE:

• Voicemail
• Auto-attendant for dial-by-name, basic operator/menu capabilities
• IVR system with basic menu tree system, more features than Auto-attendant
• Native T.37 Fax Processing, can receive faxes and process to user's mailbox as TIFF attachment
• SRSV sets CUE to act as backup voicemail if enterprise Cisco Unity Connection is inaccessible
• Standards-based SIP protocol signaling between CUE and CME

Cisco Unified Communications Manager

CUCM is the call processing director of a Unified Communications solution

Key Features of CUCM:

• Complete audio/visual telephony support
• Appliance-based, meaning the operating system is secured/inaccessible 
• Redundant servers
• Intercluster/voice gateway control/communications
• Disaster Recovery System
• VMWare virtualization support
• LDAP/Active Directory integration support

CUCM Database Replication

CUCM IBM Informix Database includes info such as dirctory numbers, route plan, hunt groups, etc which is replicated to all servers in cluster

CUCM Runtime (real-time) data is replicated to other cluster members using Cisco proprietary Intracluster Communication Signaling (ICSS)

All servers in CUCM cluster form TCP connecions to each other for ICSS on port 8002- 8004 and keep each other informed

CUCM Publisher holds master copy of Informix database, changes to the database happen on the Publisher and are replicated to subscribers

Each cluster supports one Publisher and up to eight Subscribers. Publisher maintains database and  serves TFTP requests and Subscribers handle phone registration and call control

If Publisher fails, changes can not be made to database, excepting user-facing features such as call forwarding and DND button, etc. Subscriber writes local copy of change and replicates to other subscribers until Publisher returns online

Cisco Unity Connection

Cisco Unity Connection is an enterprise, appliance-based voice-mail solution similar to CUCM

Key features of CUC:

• Appliance-based: Stable, hardened, appliance-based OS
• 20,000 mailboxes per server
• Remote access to voicemail via email, browser, IM and phone
• LDAP/Active Directory integration
• Microsoft Exchange supported for calendar integration, text-to-speech, etc
• Voice Profile for Internet Mail: Standard which allows other voicemail servers to integrate for exchange of voicemail and other messages
• Active/Active HA cluster with Publisher/Subscriber and Informix DB allows doubling of voicemail ports and mailboxes

If one of HA cluster fails, half the voicemail ports and mailboxes are inaccessible

CUC is able to integrate with other call control systems such as PBX and so does not have close integration with CUCM. CUC is set as an outside system that CUCM communicates with using SIP/SCCP

CUCM to CUC Call Flow:

1. Incoming voice call hits CUCM from PSTN VG or internal call
2. CUCM routes call to approriate IP phone
3. If call is not answered, CUCM forwards call to Voicemail pilot extension
4. CUCM transfers call to CUC with original extension in SCCP/SIP signaling which CUC uses to find appropriate mailbox
5. After VM is recorded, CUC calls MWI extension on CUCM to toggle light on IP phone 

All communication takes place using voicemail ports
CUC can also integrate with CME

Cisco Unified Presence

CUP is used to track availability of a user and provide enterprise IM capability

Key features of CUP:

• Enterprise IM using Jabber XCP
• Logging functionality for all types of IM communication
• Can connect to other domains such as Google Talk or WebEx
• XCP allows CUP to extend to almost any part of the network, for file sharing, app sharing, videoconferencing. XCP integrates with directory services, databases, web
• CUP application integration supports IPSec or TLS encryption to secure communication

Unified Personal Communicator

Software application that combines softphone, IM client, employee directory, video/web conferencing. Allows tracking of user status and virtual meetings

CUPC uses LDAP for login to the client and a CUPS server on the back end