ISCW - Implementing Secure Converged Wide Area Networks

Overview:

Learn to secure the network environment using existing Cisco IOS security features and configure the three primary components of the Cisco IOS Firewall Feature set (Firewall, Intrusion Prevention System [IPS], and Authentication, Authorization, and Accounting [AAA]). In this task-oriented course, you'll get the knowledge and skills needed to secure Cisco IOS router networks. Expand the reach of your enterprise network to teleworkers and remote sites, and explore implementing a highly available network with connectivity options such as VPN and wireless.

E-Labs Included for Post-Class Lab Practice:

Following classroom instruction, you will receive 5 e-Lab credits for post-class lab practice, allowing you to hone your skills using the same hands-on lab equipment you used in the classroom.

Description:

1. Network Requirements

• 
  The IIN and the SONA framework
• 
  Cisco conceptual network models, such as Cisco Enterprise Architecture
  and Cisco hierarchical network model
• 
  Requirements for establishing secure remote connections in a converged
  network

2. Connect Teleworkers

• 
  Topologies for Facilitating Remote Connections
  
  • 
    Typical remote connections an enterprise network has to support
  • 
    Challenges faced in connecting teleworkers to the enterprise network and the
    solutions that exist to address these challenges
• 
  Cable Technology
  
  • 
    Basic terminology and standards organizations that are relevant to cable
    technology
  • 
    Components of a cable system that provide data services
  • 
    Features of cable technology
  • 
    How digital cable systems use the RF bands for signal transmission
  • 
    How data services can be delivered over a cable network using an HFC
    architecture
  • 
    Combination of technologies and components that make a cable system work
  • 
    Provisioning a cable modem in a TCP/IP-based customer network
• 
  DSL Technology
  
  • 
    Features of DSL
  • 
    Variants of DSL
  • 
    Distance limitations of DSL
  • 
    Basic facts of ADSL technology
  • 
    How ADSL coexists with telephony service
  • 
    CAP and DMT: the competing modulation standards for ADSL signaling
  • 
    How data is transmitted over ADSL infrastructure with PPPoE
  • 
    How data is transmitted over ADSL infrastructure with PPPoA
• 
  Configuring the CPE as the PPPoE and PPPoA Client
  
  • 
    Configure a Cisco router as a PPPoE client
  • 
    Configure an ATM interface for PPPoE client operations
  • 
    Configure the PPPoE DSL dialer interface
  • 
    Configure PAT
  • 
    Configure a DHCP server to allocate IP address to the users behind the client
    DSL router
  • 
    Configure a static route
  • 
    Review the output of various debug and show commands to verify the PPPoE
    operations
  • 
    Step-by-step procedure to configure a PPPoA on the CPE router
  • 
    Configure the DSL ATM interface
• 
  Verifying Broadband ADSL Configurations
  
  • 
    Bottom-up approach to troubleshoot a DSL connection problem
  • 
    Isolate problems to Layer 1
  • 
    Confirm an Administratively Down state
  • 
    Confirm the correct DSL operating mode on the CPE router ATM interface
  • 
    Isolate problems to Layer 2
  • 
    Determine if data is being received from the ISP
  • 
    Determine if PPP is negotiating successfully

3. Cisco Device Hardening

• 
  Mitigating Network Attacks
  
  • 
    Cisco Self-Defending Network strategy
  • 
    Types of attacks that enterprise networks must defend against
  • 
    Mitigate reconnaissance attacks including packet sniffers, port scans, ping
    sweeps, and Internet information queries
  • 
    Mitigate access attacks including password attacks, trust exploitation, buffer
    overflow, port redirection, and man-in-the-middle attacks
  • 
    Mitigate DoS attacks including IP spoofing and DDoS
  • 
    Mitigate worm, virus, and Trojan horse attacks
  • 
    Mitigate application layer attacks
  • 
    Vulnerabilities in configuration management protocols and recommendations for
    mitigating these vulnerabilities
  • 
    Use open source tools to discover network vulnerabilities and threats
• 
  Securing Cisco Router Installations and Administrative Access
  
  • 
    Configuring passwords
  • 
    Setting a login failure rate and using IOS login enhancements
  • 
    Setting timeouts
  • 
    Setting multiple privilege levels
  • 
    Configuring banner messages
  • 
    Role-based CLI and the commands required to configure basic CLI views
  • 
    Secure the Cisco IOS boot image and configuration files
• 
  Configuring AAA on Cisco Routers
  
  • 
    Three components of AAA
  • 
    AAA access modes
  • 
    AAA RADIUS and TACACS+ protocols
  • 
    Configure AAA login authentication on Cisco routers using CLI
  • 
    Configure AAA login authentication on Cisco routers using Security Device
    Manager (SDM)
  • 
    Troubleshoot AAA on a Cisco perimeter router using the debug aaa command
  • 
    AAA authorization and the commands that are required to configure it on Cisco
    routers
  • 
    AAA accounting and the commands that are required to configure it on Cisco
    routers
• 
  Disabling Unused Cisco Router Network Services and Interfaces
  
  • 
    Router services and interfaces that are vulnerable to network attack
  • 
    Using the auto secure command to automate the process of locking down a Cisco
    router
  • 
    Configure AutoSecure on a Cisco router
  • 
    Compare the process of locking down a Cisco router with the CLI auto secure
    command and the One-Step Lockdown mode of the Security Audit wizard available in
    SDM
• 
  Securing Management and Reporting Features
  
  • 
    Factors you must consider when planning the secure management and reporting
    configuration of network devices
  • 
    Factors that affect the architecture of secure management and reporting in terms
    of in-band and OOB information paths
  • 
    Steps used to configure an SSH server for secure management and reporting
  • 
    How the syslog function plays a key role in network security
  • 
    How to configure syslog on Cisco routers using syslog router commands
  • 
    Security features of SNMPv3
  • 
    Configure SNMPv3 on a Cisco IOS router or a switch
  • 
    Configure an NTP client including authentication in client mode
  • 
    Configure a Cisco router as an NTP server
• 
  Mitigating Threats and Attacks with Access Lists
  
  • 
    Types and formats of IP ACLs used by routers to restrict access and filter
    packets
  • 
    Apply ACLs to router interfaces
  • 
    Using traffic filtering with ACLs to mitigate threats in a network
  • 
    Implement ACLs to mitigate threats
  • 
    Configure router ACLs to help reduce the effects of DDoS attacks
  • 
    Combine many ACL functions into two or three larger ACLs
  • 
    Some of the caveats to be considered when building ACLs

4. Cisco IOS Threat Defense Features

• 
  Introducing the Cisco IOS Firewall
  
  • 
    Basic structure of a layered defense
  • 
    Operational strengths and weaknesses of the three firewall technologies
  • 
    Basic operation of a stateful firewall
  • 
    Features of the Cisco IOS Firewall
  • 
    How the Cisco IOS Firewall combines the features of packet inspection and proxy
    firewalls to provide an optimal security solution
  • 
    Cisco IOS Firewall process
• 
  Implementing Cisco IOS Firewalls
  
  • 
    Configure Cisco IOS Firewall from the Cisco IOS CLI
  • 
    When and how to use the Basic and Advanced Firewall Configuration wizards in SDM
  • 
    Configure a basic firewall using SDM
  • 
    Configure the interfaces on an advanced firewall using SDM
  • 
    Configure a DMZ on an advanced firewall
  • 
    Configure inspection rules
  • 
    Complete the Advanced Firewall wizard configuration by viewing the settings in
    the Summary window
  • 
    Use the SDM logging function to monitor firewall activity
• 
  Introducing Cisco IOS IPS
  
  • 
    Functions and operations of IDS and IPS systems and the difference between IDS
    and IPS
  • 
    Types of IDS and IPS systems
  • 
    Four types of IDS and IPS signatures
  • 
    What happens when a signature is matched
• 
  Configuring Cisco IOS IPS
  
  • 
    Configure and verify IOS IPS using the CLI interface
  • 
    Cisco IOS IPS tasks you can complete with SDM
  • 
    Select interfaces and configure SDF locations within the SDM IPS Policies wizard
  • 
    View the IPS policy summary and deliver the IPS configuration to the router
    using the SDM IPS Policies wizard
  • 
    Configure IPS policies and global settings using the SDM
  • 
    View SDEE messages in the SDM
  • 
    Tune signatures using the SDM

5. IPsec VPNs

• 
  IPsec Components and IPsec VPN Features
  
  • 
    IPsec protocol and basic functions; advantages of IPsec VPNs over other types of
    VPNs
  • 
    IKE protocols
  • 
    IKE functionality
  • 
    Two protocols that are used for IPsec
  • 
    Message authentication and integrity check
  • 
    Differences and the functionality between symmetric and asymmetric encryption
    algorithms
  • 
    PKI
• 
  Site-to-Site IPsec VPN Operations
  
  • 
    Five steps of IPsec operation
  • 
    Configuration of IPsec
  • 
    Configuration of the ISAKMP parameters
  • 
    Configuration to define the IPsec transform set, the crypto ACL, and the crypto
    map
  • 
    Configuration to apply the crypto map to the interface
  • 
    Configuration of the interface ACL for IPsec
• 
  Configuring IPsec Site-to-Site VPN Using SDM
  
  • 
    Navigating the site-to-site VPN wizard interface
  • 
    Components that will be configured by the SDM site-to-site VPN wizard
  • 
    Launching the site-to-site VPN wizard
  • 
    Set the parameters of the site-to-site VPN tunnel
  • 
    How SDM sets IKE policies
  • 
    Select a transform set and associate additional transform sets as required
  • 
    Define the traffic that the VPN protects
  • 
    Complete the configuration by viewing the settings in the Summary window
• 
  Configuring GRE Tunnels over IPsec
  
  • 
    GRE
  • 
    Purpose of a secure GRE tunnel
  • 
    Components that will be configured by the SDM site-to-site VPN secure GRE tunnel
    wizard
  • 
    Configure a backup GRE-over-IPsec tunnel that the router can use when the
    primary tunnel fails
  • 
    Select the authentication method to be used on the VPN
  • 
    Configure IKE using the SDM wizard
  • 
    Configure the IPsec transform set using the SDM wizard
  • 
    Configure dynamic or static routing over the GRE and IPsec tunnel
  • 
    Complete the configuration by viewing the settings in the Summary window
• 
  High Availability Options
  
  • 
    How high availability of IPsec VPNs is achieved
  • 
    Failover option of backup IPsec peers
  • 
    Use of HSRP for IOS IPsec VPN resiliency
  • 
    IPsec stateful failover
  • 
    How a WAN connection can be backed up by using an IPsec VPN
• 
  Configuring Cisco Easy VPN and Easy VPN Server Using SDM
  
  • 
    General operation of Cisco Easy VPN including its benefits and the role of each
    of its components
  • 
    Functionality provided by Cisco Easy VPN Server, concept of dynamic crypto maps,
    and functionality provided by Easy VPN Remote
  • 
    Steps required to configure Cisco Easy VPN Server using SDM
  • 
    Configure IKE using the SDM wizard
  • 
    Configure the IPsec transform set using the SDM wizard
  • 
    Locations where Easy VPN group policies can be stored
  • 
    Locations where user records for Xauth can be stored
  • 
    Configure local group policies
  • 
    Complete the configuration by viewing the settings in the Summary window
• 
  Implementing the Cisco VPN Client
  
  • 
    Steps required to configure the software VPN client on a PC
  • 
    Steps required to configure Cisco VPN Client

6. Implement Frame-Mode MPLS

• 
  Introducing MPLS Networks
  
  • 
    Elements of the MPLS conceptual model
  • 
    Router switching mechanisms
  • 
    MPLS data and control planes
  • 
    Structure of an MPLS label and its format
  • 
    Function of different types of LSRs in MPLS networks
  • 
    Interactions between the control plane and the data plane in an LSR that enable
    the basic functions of label switching and forwarding of labeled packets to
    occur
• 
  Assigning MPLS Labels to Packets
  
  • 
    Performing label allocation in a frame-mode MPLS network
  • 
    Distributing labels in a frame-mode MPLS network
  • 
    How the LFIB table is populated
  • 
    Packet propagation across an MPLS network
  • 
    How PHP improves MPLS performance by eliminating routing lookups on egress LSRs
• 
  Implementing Frame-Mode MPLS
  
  • 
    Configuring frame-mode MPLS on a Cisco IOS router
  • 
    Enable IP CEF on a router as a step in implementing frame-mode MPLS
  • 
    Enable MPLS on a frame-mode interface as a step in implementing frame-mode MPLS
  • 
    Configure the MTU size in label switching as a step in implementing frame-mode
    MPLS
• 
  MPLS VPN Technology
  
  • 
    MPLS VPN architecture and how it improves on the traditional methods of overlay
    and peer-to-peer VPN
  • 
    Components of an MPLS VPN and how they are interconnected to enable enterprise
    network connectivity between sites
  • 
    How routing information is propagated across the P-network
  • 
    End-to-end flow of routing updates in an MPLS VPN
  • 
    MPLS VPN packet forwarding

Agenda:

Lab 1: Remote Lab Environment

• Logging In
• The System Interfaces
• Understanding the Topology
• The PC Systems
• The Network Devices

Lab 2: Configuring DSL (Simulation)

This lab uses a flash-based simulation that will provide experience in the configuration of DSL at a teleworker premises. Tasks include the configuration of a dialer interface, an ATM interface, PPPoE with CHAP authentication, DHCP services, and Port Address Translation.

• Starting the Simulation
• Using the Simulator
• Command Reference
• Completing the Simulation

Lab 3: Securing Administrative Access

In this lab, you will configure the most basic security levels for administrative access to the IOS-FW. You will configure the passwords required to reach the command line and privileged mode access. You will see how the passwords are stored and transformed by default and how to encrypt the passwords that default to clear text storage. Experiment with a password-cracking tool to test the security of the encryption and transformation methods. You will enable AAA and investigate the ramifications of enabling AAA. Once AAA is enabled, you'll be able to work with Enhanced Virtual Login, which is used to mitigate online password attacks, and Role-Based CLI, which allows specific command sets to be defined and made available to specific users.

• Exclusive - Passwords and Password Features
• Exclusive - Password Cracking
• Exclusive - Enable AAA
• Enhanced Login Features
• Role-Based CLI
• Verify the IOS-FW Configuration

Lab 4: Authentication, Authorization, and Accounting (AAA)

This lab begins with access to the IOS-FW command line protected with local AAA, and it will demonstrate the power of using an AAA server while maintaining local AAA as a fallback. You'll examine items such as users, groups, and command authorization sets on a pre-configured AAA server, Cisco Secure Access Control Server (ACS). Configuration of ACS is beyond the scope of this class and this lab. You will use the TACACS+ protocol between the IOS-FW and the ACS server. You will begin with the configuration of AAA authentication, and you may be surprised with the results. You will then configure AAA authorization for access to the exec process (the CLI of the IOS-FW), followed by AAA command authorization. You will then complete the third "Aof AAA by configuring AAA accounting for both the exec process and privileged mode and configuration mode commands. The final section of the lab will demonstrate that if the AAA server is unavailable, the fallback method of using the local database is still available.

• Exclusive - Explore the Access Control Server Configuration
• TACACS+ AAA Authentication
• TACACS+ AAA Exec Authorization
• Exclusive - TACACS+ AAA Command Authorization
• Exclusive - TACACS+ AAA Exec and Command Accounting
• Exclusive - Scenario: AAA Server Failure
• Exclusive - Verify the Router Configuration

Lab 5: IOS Device Security

In this lab, you will secure the IOS-FW itself. You will configure SSH as a remote access protocol and disable Telnet access to the IOS-FW. You will use the Security Audit feature of SDM to disable many insecure services, while enabling security-oriented services. You will configure NTP with authentication and Syslog services to allow better management of the IOS-FW. You will finish by applying access-classes to both the VTY lines and the HTTP server, restricting access to trusted IP addresses.

• SSH Server
• Security Device Manager
• SDM Security Audit
• Configure NTP
• Configure Syslog
• Exclusive - VTY and HTTP Server Access-Class
• Exclusive - Verify the Router Configuration

Lab 6: Exclusive - Perimeter Router ACLs

You will configure and test an ACL on the Perimeter Router in this lab. The Perimeter Router is used as a packet filtering firewall. In a later lab, the IOS-FW will be configured as a stateful firewall. This lab starts with the configuration of the Syslog service on the Perimeter Router, allowing it to send Syslog messages to the Sec-Server. It then moves on to the configuration of an ACL that permits only expected valid traffic from the Internet. After defining this ACL, you will apply it to the outside interface of the Perimeter Router. You will then test the results. You will see that security is certainly enhanced by this packet filtering, though some vulnerabilities still remain. These vulnerabilities will be mitigated by the IOS-FW when stateful firewalling is configured.

• Configure Syslog for the Perimeter Router
• Filter Unexpected Traffic
• Test Perimeter Policy
• Exploit Packet Filter Weaknesses
• Update an Existing ACL
• Verify Router Configuration

Lab 7: Stateful Firewall

In this lab, you will configure the IOS-FW to be a true, stateful firewall. You will use the SDM interface to configure the ACLs and Inspection Rules for the stateful firewall. After configuring the stateful firewall, you will confirm that the expected connectivity is allowed. You will also demonstrate that the vulnerabilities associated with simple packet filtering have been mitigated and defense against SYN flood attacks is also provided.

• Use SDM to Configure IOS Stateful Firewall
• Verify Expected Connectivity
• Exclusive - Demonstrate Attack Mitigation
• Exclusive - Verify the Router Configuration

Lab 8: IOS IPS

In this lab, you will explore the use of the IOS Intrusion Prevention System (IPS) feature. You will enable IOS IPS with the IPS Rule Wizard in SDM. You will then generate some suspicious traffic to test IOS IPS. You will also see that IOS IPS is not easy to trick by attempting the IDS evasion technique known as deobfuscation. After witnessing the standard IPS operation, you will take a closer look at how some of the signatures are defined. You will finish by configuring some signatures to react by blocking the offending packets and demonstrate the reaction by generating offending traffic.

• SDM IPS Rule Wizard
• Test IOS IPS
• Signature Definitions
• IOS IPS Attack Mitigation
• Exclusive - Signature Filters
• Exclusive - Verify the Router Configuration

Lab 9: Site-to-Site VPN

The goal of this lab is to configure a site-to-site IPsec tunnel between your main network and the Site1 network. This will require some configuration modifications on the Perimeter Router and L3-Switch. You will perform those modifications from the CLI. You will then use SDM on the IOS-FW to prepare that router for IPsec, and the use the Site-to-Site VPN wizard to configure the tunnel. You will then configure the Site1-Rtr from the CLI. To verify the tunnel functionality, you will open an FTP session from the Admin PC to the Site1-PC.

• Verify No Tunnel/No Connectivity
• Exclusive - Prepare Other Devices for the Tunnel
• Exclusive - Use the SDM to Prepare the IOS-FW
• Use the SDM Site-to-Site VPN Wizard
• Configure the Site1-Rtr from the CLI
• Test the Tunnel
• Exclusive - Verify the Router Configuration

Lab 10: GRE over IPsec with a Backup Tunnel

The most obvious thing about this lab as you get started is that it uses an alternate topology compared to previous labs. You now have two routers. Each has two connections to the simulated Internet. There is a GRE-over-IPsec tunnel already configured between one set of interfaces on these two routers. Your job during this lab will be to configure a second GRE-over-IPsec tunnel using the other interface pair. You will verify that both tunnels are functioning properly. The EIGRP routing protocol is configured to select the optimal route between the sites. You will modify the bandwidth parameters on the new tunnel to make the original tunnel the preferred route. You will then confirm that traffic uses the original tunnel. Then you will break the original tunnel and show that traffic will now flow over the second tunnel.

• Understand the Scenario
• Use the Site-to-Site VPN Wizard
• Generate, Edit, and Apply Mirror Configuration
• Configure Priority for the Original Tunnel
• Monitor the Tunnels with SDM
• Exclusive - Verify the Router Configuration

Lab 11: Remote Access VPN

In this lab you will use the Easy VPN Server Wizard in SDM to configure the IOS-FW to accept connections from VPN clients. You will also install and configure the Cisco VPN Client software on the Outside PC. After configuration, you will use the VPN Client on the Outside PC to provide secure access to resources on the internal networks.

• Verify No Tunnel/No Connectivity
• Use the Easy VPN Server Wizard
• Install the VPN Client
• Test the Remote Access VPN
• Monitor the VPN Connection
• Exclusive - Verify the Router Configuration

Lab 12: Frame Mode MPLS

This lab uses a unique topology to facilitate an MPLS network. You have four full-fledged IOS routers at your disposal (IOS-FW, Perimeter Router, Site1-Rtr and Site2-Rtr). The four routers all have MPLS capabilities. You will configure the Site1-Rtr and Site2-Rtr as P (Provider) routers. The IOS-FW and the Perimeter Router will be configured as PE (Provider Edge) routers. Connectivity will be provided from the main site (where the Admin PC is located) to the remote site (where the Site1 PC is located) via the MPLS network. You will see that the MPLS topology is transparent to the PCs, which only use standard IP.

• Understand the Scenario
• Prepare for the Lab
• Configure MPLS on the P and PE Routers
• Verify MPLS and LDP Operation
• Exclusive - Verify the Router Configuration
• Exclusive - Optional Written Exercise

Lab 13 : Troubleshooting (Optional)

The Scenario: When you left work yesterday, everything was functioning normally. When you got in this morning you heard that the night support engineer was "playing aroundwith some of the configurations. Unfortunately you don't have AAA configured with command authorization and command accounting, so you don't have a record of exactly what was done. Some trouble tickets are coming in, and it's up to you to determine the root causes and fix the issues. The lab is broken into four sections. The first section just describes the trouble tickets reported. Given the trouble tickets' descriptions, you are to correct the problems with the network. Should you need assistance, there are two additional sections, Little Hints and Big Hints, that provide additional details to the cause of the problems. The final fourth section will provide the solutions to the trouble tickets.

• The Trouble Tickets
• Little Hints
• Big Hints
• The Fixes

Audience:

IT professionals, network administrators, and technicians who need to design, configure, or support a Cisco WAN that utilizes Cisco's remote access technologies. This course is highly recommended for people pursuing CCNP, CCDP, and CCIE certifications.

Objectives:

• Cisco hierarchical network model as it pertains to the WAN
• Implement teleworker configuration and access
• Implement and verify frame-mode MPLS
• Configure a site-to-site IPsec VPN
• Configure Cisco Easy VPN
• Strategies used to mitigate network attacks
• Configure Cisco device hardening
• Configure IOS firewall features