TacAck – My security journey!

Hey!

Day 3 of the bootcamp is DONE. I’m glad i started this bootcamp , ‘coz there are many things i’m learning as i go along. Here are Day 3 notes!

GETVPN

• IP Header preservation
• Protocols used
  • UDP 848 -> GDOI
  • Protocol 50 -> ESP
• It keeps the original header and ecrypts only the payload
• So the intermediate routers will see the packet with a source of the original host who sent it and the destination as the destination router ( not the IPSEC peers )
• Make sure that we permit this traffic ( ‘coz this is a little different from theconventional VPN methodologies )
• The concept of KS and GM’s help reduces misconfiguration.
• In a L2L VPN, we see two separate unidirectional SPI’s in each IPsec peer, here we use 1 SPI
• If there is a change in the SA information on the KS, then the KS can push out these configurations to the GMs immediately. It won’t till the rekey timer expires.
• Ensure that the rekey messages are also allowed by the firewalls/routers in between the KS-GM
• Double check rekeying
• We need to have 2 ACL’s for each pair, for both directions.
• The “server address” order under the GM configuration defines who is primary and who is the failover
• GETVPN also supports multicast traffic encryption

WEBVPN & SSL VPN

• ASA Webvn structure
  • • WEBVPN
      • enable outside
      • tunnel-group-list enable
    • GROUP POLICY
    • TUNNEL GROUP
    • If using local authentication add this to the username attributes
    • username <test> attributes
      • service-type remote-access
  • TIP : Use a “sh run all”
    • SSLVPN extendeds WEVPN by allowing an SVC to be downloaded automagically.
    • Uses normal RRI / Address allocation like EZVPN
    • #webvpn
      • #enable outside
      • #tunnel-group-list enable
      • #svc image <path>
      • #svc enable
    • #group-policy
      • #vpn-tunnel-protocol webvpn
      • #split-tunel-policy..
      • #split-tunnel-network-list value [acl]
      • #webvpn
      • #svc required < Forces users to download the SVC >
    • #tunnel-group
      • #default-group-policy
• IOS SSL VPN structure
  • GATEWAY
    • termination info, etc
    • Trustpoint
  • CONTEXT
    • Terminates VPN / establishes user session
    • contains user policies
  • POLICY GROUP
    • Set policy information
  • DEFAULT GROUP POLICY
  • Don’t forget the “inservice” commands to turn on the various configuration elements
  • Even if we don’t generate the trust point for the gateways, it would be self-generated.
  • We use the “domain” keyword after the “gateway < gateway > in the context configuration ”
    • This is used to differentiate users logging into the same gateway.
    • Suppose we use the command “gateway gateway1 domain INE”
    • Then the users connecting to the gateway will have to use ” https://<GATEWAY IP>/INE”
    • This way we can use the same gateway for more than 1 contexts
  • To turn on SVC , we use “functions svc-enabled” under the policy-group configuration
• Ensure that in the real-lab, always use a Split tunnelling ACL when trying to connect from the Test-PC ( ‘coz if you don’t have any, you might lock yourself out )
• Enter the “set isakmp-profile” command under the “crypto ipsec profile” configuration

AAA PASSWORDS/PRIVILEGES

• The user needs to be at a level “higher or equal” to the command level, to be able to run it
• “sh run” will only sh commands that you have permission to configure. This is assuming we have permission to run “sh run” to in the first place
• If we have just a “username xxx privi 7 password cisco” ( without any aaa new-model ), the user would be authenticatied and authorized locally , and he would be set at privi 7.
• If we ‘ve configured the aaa-newmodel, then authentication and authorization is done separately.’coz separate commands are now needed.

ADVANCED AAA

• On the actual lab, the access to the AAA server , would be via browser only ( we woulnd’t be able to RDP into it )
• Dynamic ACLs are not scalable , “access enable” opens up all dynamic ACL
• Using auth-proxy, per-user-ACL’s can be put into place.
• AUTH-PROXY
  • User should be denied access via a Static ACL
  • Make sure you don’t lock yourself out after configuring “AAA authentication” . Try and insert a local fallback in the authentication command
  • Use the command “aaa authorization auth-proxy”
  • Enable the HTTP server
  • Deny all traffic inbound , except the traffic which you need to trigger the Auth-proxy
  • Specify the triggerring ACL and add it to the “auth-proxy” command, and don’t forget to turn pn auth-proxy on the interface
  • Remember the issue regarding local auth-proxy ( read blog )
  • For radius, we use the Cisco AV Pairs : “auth-proxy : priv-lvl = 15 “, etc. The only difference between RADIUS and TACACS+ is the “auth-proxy” keyword
• CUT-THRU-PROXY
  • IN ASA , using HTTP/HTTPS , FTP , TELNET , the asa can do in-line cut-though for these protocols
  • For others, we cannot do the authentication in-stream.
  • If you wanna add ACL entries in the “outside” acl, then we need the “per-user-override” acl
  • For inside to outside, you just need the authentication, no need for acls
  • Must configure this
• ASA-LDAP
  • Configure the LDAP server
  • aaa-server test protocol ldap
  • aaa-server test host 10.0.0.100
  • <parameters>
  • Attribute map
    • ldap attribute-map MYMAP
    • Is used to determine what group a user gets put into, based on the group-membership returned from the LDAP server
    • We then apply the LDAP attribute map to the LDAP server configuration
    • Based on the different group-policies specified in the Attribute map, we should configure different group-policies on the ASA

Next, Day 4!

Cheers,

TacACK