CCIE SEC Security Technologies

Content Filtering
1. Email Filtering
  1. Filtering Email based on Message Content
  2. Filtering based on source/destination e-mail address
  3. Filtering attachments
2. Anti-Spam
  1. Spam
    1. Spam is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
    2. Types
      1. Email
      2. also known as junk e-mail,
      3. nearly identical messages sent to numerous recipients by e-mail.
      4. Instant Messenger
      5. Blog Comment
      6. Forum Posting
      7. Wiki defacement
      8. Mobile Phone (TXT / SMS)
    3. Delivery
      1. Open Relays
      2. Open Proxies
      3. Zombies
  2. Phishing
    1. criminally fraudulent process of attempting to acquire sensitive information
    2. Derived from "Fishing for Information"
  3. Keyword Based
    1. Looking for words like "Vigra"
    2. Not Very Effective, i.e. v1gr4 by-passes the above example
  4. Statistical Analysis
    1. Checking if the same message was sent to many people
    2. News letters create false alarms
  5. DNSBLs
    1. DNS Black Lists
    2. Lists of know Spammer IP Addresses
    3. Can get out of date quickly
  6. Enforcing Standards
    1. Many SPAM applications are not RFC Compliant
    2. Legitimate gateways should be!
  7. Grey Listing
    1. Temporarily Rejecting incoming Messages
    2. Legitimate messages will re-try!
  8. Reverse DNS Checks
    1. Looking for PTR Records
    2. Proper Mail servers will have Proper DNS configurations.
  9. Whitelists
    1. Filtering on IP... i.e. allowed SMTP gateways (not good for internet)
    2. Filtering on Domain Name
    3. Filtering on Email Address
3. Cisco's IRON Port
4. URL Filtering
  1. Filtering Based on a websites URI
  2. Allowing or blocking website addresses like www.yahoo.com
  3. Allowing or blocking portions of website addresses like allowing bbc.co.uk.weather but denying bbc.co.uk/radio1
  4. Requires URL categorisation
    1. Large Database required
    2. Impossible to categorise EVERY URL
    3. How do you handle "unknown" allow or block?
  5. Websense
  6. Surfcontroll
  7. Bluecoat
5. Anti-Virus
  1. used to identify and remove computer viruses, as well as many other types of harmful computer software
  2. Collective name for unwanted software = MALWARE
    1. Virus
    2. Worms
    3. Trojans
    4. Spyware
  3. Methods
    1. Signature
      1. most common method that antivirus software uses to identify malware
      2. Can ONLY detect known malware
      3. Easily by-passed with minor changes
    2. Heuristics
      1. a heuristic, is an algorithm that ignores whether the solution to a problem can be proven to be correct,
      2. typically used when there is no known method to find an optimal solution
      3. file analysis
      4. antivirus software will analyze the instructions of a program
      5. Based on the instructions, the software can determine whether or not the program is malicious
      6. file emulation
      7. target file is run in a virtual system environment,
      8. The antivirus software would then log what actions the file takes in the virtual environment.
      9. If the actions are found to be damaging, the file will be marked a virus.
    3. Suspicious behavior monitoring
      1. monitors the behavior of all programs
      2. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user, and ask what to do.
      3. Protection Against Zero-Day
      4. it can also sound a large number of false positives
      5. users may become desensitized to the warnings and click "ACCEPT" on a virus
6. content is blocked or allowed based on analysis of its content
  1. As apposed to filtering on Network Layer Attributes like IP or Port
  2. Firewalls Allow or block HTTP, Content filters allow or block HTTP Content, i.e. images
Proxy Authentication
1. IOS Authentication Proxy
2. used to authenticate inbound or outbound users
3. User or Session Authentication in Checkpoint
4. ASA Cut-Through Proxy
5. Inline Authentication on HTTP Proxy Servers!
6. Supported Servers
  1. TACACS
    1. ACS for Win
    2. ACS for Unix
    3. TACACS+ Free
  2. RADIUS
    1. ACS for Win
    2. ACS for Unix
    3. Lucent
Public Key Infrastructure (PKI)
1. Public Key Infrastructure (PKI) offers a scalable method to secure networks, reduce management overhead, and simplify the deployment of network infrastructures by enabling Cisco IOS Security features , including Cisco IOS IPsec, Secure Shell (SSH), Secure Socket Layer (SSL) , and Cisco IOS Firewall .
2. Public Key
  1. public key may be widely distributed
  2. Published via Key Servers
3. Private Key
  1. private key is kept secret
4. In PKI Cryptography
  1. Data is Encrypted with the RECIPIENTS public key
  2. RECIPIENT decrypts using their private kay
5. With PKI Signatures
  1. Data is Encrypted with the SENDERS Private key
  2. RECIPENT decryptes using SENDERS public Key
6. Certificate Authority
  1. CA
  2. Trusted 3rd Party which Signs users public key
  3. CRL
    1. Certificate Revocation List
    2. A list of Certificate Serial Numbers the CA deem to be invalid
    3. Online Certificate Status Protocol (OCSP)
7. Digital Cerificate
  1. A Public Key signed by a CA
Event Correlation
1. Event Correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important
2. Security Information Management System (SIMS)
  1. OpenSIMS
  2. OSSIM
3. Cisco Secure MARS
4. Event Management
  1. Filtering
    1. discarding events that are deemed to be irrelevant
    2. Highlighting events with great significance
  2. Aggregation
    1. Event De-duplication
    2. merging duplicates of the same event
  3. Masking
    1. ignoring events pertaining to systems that are downstream of a failed system
5. Root Cause Analysis
  1. last and most complex step of Event Correlation
  2. analyzing dependencies between events
  3. detect whether some events can be explained by others
Intrusion-prevention system - Wikipedia
1. Host-based vs. network
  1. HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host
  2. NIPS does not use processor and memory on computer hosts but uses its own CPU and memory
  3. NIPS is a single point of failure
  4. NIPS can detect events scattered over the network
2. Network Intrusion Prevention Systems
  1. A network-based IPS is one where the IPS application/hardware and any actions taken to prevent an intrusion on a specific network host(s) is done from a host with another IP address on the network
  2. Cisco IPS Sensors
    1. 4200 Series
    2. ASA AIP-SSM
    3. 6500 IDSM2
    4. IOS IPS
    5. IPS AIM for ISR
  3. Content Based
    1. inspects the content of network packets for unique sequences
    2. Also Called SIGNATURE based
  4. Protocol Analysis
    1. natively decode application-layer network protocols, like HTTP or FTP
    2. analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits
    3. Some products rely on simple pattern recognition techniques to look for known attack patterns
  5. Rate-based
    1. primarily intended to prevent Denial of Service and Distributed Denial of Service attacks
    2. work by monitoring and learning normal network behaviors, alerting on statistical changes
    3. Attacks are detected when thresholds are exceeded
    4. Unusual but legitimate network traffic patterns may create false alarms
      1. slashdot effect
      2. Digg!
3. Host Intrusion Prevention Systems
  1. Cisco Security Agent
  2. OSSEC
  3. A host-based IPS (HIPS) is one where the intrusion-prevention application is resident on that specific IP address, usually on a single computer.
  4. Technologies can be Same as Network Based
    1. Signature
    2. heuristic
  5. System Resource Usage can effect performance
4. Attack Types
  1. Atomic
    1. Single Packet does damage
    2. Malformed packet attacks
  2. Compound
    1. Type of attack signature that occurs across multiple packets on the context of a session
    2. referred to as composite in the Network Security Database [NSDB]
  3. DoS
    1. Denial of Service
    2. dDoS - Distributed Denial of Service
    3. Consuming resources to effect/squeeze-out legitimate traffic
5. Attack Response Actions
  1. Alarm (Send Syslog)
    1. False
      1. False Positive - Normal Traffic triggers Alarm
      2. False Negative - Attack fails to Trigger Alarm
    2. True
      1. True Positive - Attack Triggers Alarm
      2. True Negative - Normal Traffic does not Trigger Alarms
  2. Reset (Send TCP Reset)
  3. Drop (Drop packet inline)
  4. Deny Attacker Inline (Drop all packets from SRC IP)
  5. Deny Flow Inline (Drop all packets associate with a TCP Flow)
6. Deployment
  1. Inline
    1. Traffic flows through IPS
    2. Risk of Bottle Neck
  2. Promiscuous
    1. Copies of traffic is sent to IPS
    2. Risk of "missing" an attack
Adaptive Threat Defense (ATD)
1. Threat Defense Solution and Managed Services
2. Cisco Threat Control
3. Cisco Self-Defending Network
4. Umbrella name for Advanced Security Products
  1. IPS
  2. Guard Detector / Protector
  3. CSA
  4. SSL VPN
  5. ASA / PIX
  6. MARS
  7. NAC
Network Admission Control (NAC)
1. Network Access Control
  1. an approach to computer network security that attempts to unify endpoint security technology
  2. Goals
    1. Mitigation of zero-day attacks
    2. Policy enforcement
    3. Identity and access management
2. access to the network based on identity or security posture
3. Guest Access
4. Quarantine & Remediation
  1. Quarantine users / machines which fail HSP
  2. Remediate / Fix Issues
  3. HSP = Host Security Policy
5. NAC Appliance
  1. Enforcement by Dedicated Appliance
  2. Enforcement by NAC Appliance Modules
  3. Policy Controlled by Dedicated management platform
6. NAC Framework
  1. Enforcement by Routers
  2. Enforcement by Switches
  3. Policy Control
    1. Cisco ACS Server
    2. 3rd Party Policy Servers
7. Microsoft Network Access Protection
802.1x
1. Configuring IEEE 802.1x Port-Based Authentication [Cisco IOS Software Releases 12.4 T]
2. dot1x port-control auto
  1. Auto: Enables dot1x, port begins in an unauthorized state. only EAPOL (eap over LAN) frames pass thru port
  2. Force Authorize: Disables dot1x, allow all traffic thru
  3. Fore UnAuthorize: Disables Access to LAN, user canNOT authenticate
3. Can't enable dot1x on TRUNK, EtherChannel, "Secure" or SPAN ports
4. Users without supplicant get GUEST VLAN
5. Restricted VLAN is for users WITH supplicant that FAIL authentication
Endpoint Security
1. Cisco PDF
  1. Real-time prevention decisions
  2. Defense-in-depth protection from attacks
  3. Real-time correlation at the agent and enterprise levels
  4. Behavioral approach
  5. Flexibility to meet unique corporate needs
  6. Ease of deployment
  7. Centralized event management
  8. Platform coverage, with support for desktops and servers
  9. Administration
2. Cisco NAC
3. Cisco Security Agent
4. endpointsecurity.org
5. Checkpoint
6. The concept that means each device (end-point) is responsible for its own security
Network Address Translation
1. The process of modifying network address information in datagram packet headers while in transit across a traffic routing device
2. IP masquerading
  1. Hiding a Network Range Behind a single IP
  2. Hide Nat (In checkpoint)
  3. PAT in Cisco
    1. Port Address Translation
    2. Changing either the Source of Destination port of a connection
    3. Doesn't necessarily require IP address change!
    4. Also referred to as Port Forwarding
  4. NAT & Global in PIX/ASA
3. RFC1918
4. Static NAT
  1. A permanent "one to one" NAT Relationship
  2. "static" command in PIX/ASA
5. Applications Effected by NAT
  1. FTP
  2. SIP
  3. VoIP
  4. IPSEC
  5. Lots 'n' lots!
Firewall
1. Packet Filtering
  1. Early Firewall Technique
  2. Originally implemented on Routers
  3. Filters based on IP Address &/OR TCP/UDP Ports
  4. No "Connection" information stored
  5. Considered Stateless
2. Stateful Inspection
  1. Maintains Connection, "State" Tables
  2. able to determine whether a packet is either the start of a new connection, a part of an existing connection
3. Application Gateway
  1. Application Proxy
  2. Application Layer Firewall
  3. work on the application level of the TCP/IP stack
  4. may intercept all packets traveling to or from an application.
VPN
1. Virtual Private Network
2. "Private" Links over a public infrastructure
3. Not Necessarily Confidential!!!
  1. i.e MPLS
  2. Or the use of AH Tunnels without ESP
4. IPSec VPN
5. SSL VPN
  1. OpenVPN
AAA
1. Authentication Technologies
  1. Protocols
    1. RADIUS
    2. TACACS
    3. Kerberos
  2. Digital Certificates
  3. PGP
  4. One-time password
    1. OTP
    2. passwords which are only valid once
    3. S/KEY
  5. Security tokens
    1. SecureID
    2. RSA Security
    3. SMART Cards
  6. Biometrics
    1. Fingerprints
    2. Retinal scan
  7. Single sign-on
    1. SSO
    2. Reducing password fatigue from different user name and password combinations
  8. 2 Factor Authentcation
    1. Something you have
    2. Something you know
    3. Something you are
    4. 2 Factor requires two of the above
2. Authorization technologies
  1. Restricting Access after Authentication
  2. 3 Basic Types
    1. Read
      1. User Can open & view a file , directory, application
    2. Write
      1. User Can make changes to a file, directory, application
    3. Execute
      1. User can execte a file
      2. User can exectute files in a directory
  3. Guest Authorization should be the most limiting
  4. Administrator (root) authorization is the LEAST restrictive - FULL access
  5. Implementation Types
    1. discretionary access control (DAC)
    2. mandatory access control (MAC)
3. Accounting
  1. Recording Who Authenticated
  2. Recording what users did!