Wednesday, March 22, 2017

Botnet Traffic Filter

The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist) and then logs or blocks any suspicious activity.
A static whitelist can be created for addresses that should not be on the blacklist.

Botnet Traffic Filter address categories:

1) Known malware addresses - addresses on the blacklist, identified either by the dynamic database or by the static blacklist.
2) Known allowed addresses - addresses on the static whitelist.
3) Ambiguous addresses - addresses associated with multiple domain names, not all of which are on the blacklist (the greylist).
4) Unlisted addresses - addresses that are unknown and not included on any list.
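The four categories above, with the precedence between whitelist, blacklist and greylist, as an added example (not Cisco's code, not from the original post). It models the filter's DNS snooping as a constructed address-to-domain table, uses constructed list contents and documentation-range addresses, and assumes the filter is configured to drop blacklisted traffic rather than only log it:

```python
"""Simplified model of how the Botnet Traffic Filter places an address
into one of its four categories and what it then does with the
connection. Added example for this page, not Cisco code. The list
contents, domain names and addresses are constructed; the DNS-snooping
map (address -> domain names seen resolving to it) is how the filter
ties a connection's IP address back to listed domain names."""
from typing import Dict, Set

# Constructed lists (assumed contents of the dynamic database plus the
# administrator's static blacklist and whitelist).
DYNAMIC_BLACKLIST_DOMAINS = {"c2.bad.example", "dropper.bad.example"}
DYNAMIC_BLACKLIST_ADDRS = {"198.51.100.7"}
STATIC_BLACKLIST_ADDRS = {"203.0.113.200"}
STATIC_WHITELIST_ADDRS = {"192.0.2.10"}

# Constructed DNS-snooping table: address -> domains that resolved to it.
DNS_SNOOP: Dict[str, Set[str]] = {
    "198.51.100.7": {"c2.bad.example"},
    "203.0.113.50": {"dropper.bad.example", "cdn.shared.example"},  # mixed
    "192.0.2.10": {"c2.bad.example"},      # listed domain, but whitelisted address
    "203.0.113.99": {"www.shop.example"},
}


def classify(addr: str, snoop: Dict[str, Set[str]] = DNS_SNOOP) -> str:
    """Return 'whitelist', 'blacklist', 'greylist' or 'unlisted'.

    Precedence: the static whitelist wins over everything; then an address
    that is itself listed, or whose every known domain is listed, is
    blacklisted; an address with only some of its domains listed is
    ambiguous (greylist); anything else is unlisted."""
    if addr in STATIC_WHITELIST_ADDRS:
        return "whitelist"
    if addr in DYNAMIC_BLACKLIST_ADDRS or addr in STATIC_BLACKLIST_ADDRS:
        return "blacklist"
    domains = snoop.get(addr, set())
    listed = domains & DYNAMIC_BLACKLIST_DOMAINS
    if listed and listed == domains:
        return "blacklist"
    if listed:
        return "greylist"
    return "unlisted"


def action(addr: str, treat_ambiguous_as_black: bool = False) -> str:
    """Assumes dropping is enabled: blacklisted connections are dropped,
    greylisted ones are logged (or dropped when the administrator chooses
    to treat ambiguous addresses as black), everything else is allowed."""
    category = classify(addr)
    if category == "blacklist":
        return "drop"
    if category == "greylist":
        return "drop" if treat_ambiguous_as_black else "log"
    return "allow"
```

The whitelist check comes first on purpose: an address that a blacklisted domain happens to resolve to (a shared CDN node, for instance) must still be reachable once the administrator has whitelisted it.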

Cloud Deployments

Four types of Cloud Deployments

1) Private Cloud
The cloud infrastructure is operated solely for one organization.

2) Community Cloud
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy and compliance considerations).

3) Public Cloud
The cloud infrastructure is made available to the general public or a large industry group.

4) Hybrid Cloud
The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standards.

Cisco CP (Configuration Professional) and Cisco CP Express

Cisco CP (Configuration Professional)

  • Enhances productivity and helps network security administrators and channel partners deploy routers with increased confidence and ease.
  • Advanced configuration support for LAN and WAN interfaces, Network Address Translation (NAT), and stateful and application firewall policy features.
  • The firewall wizard allows a single-step deployment of high, medium or low firewall policy settings.
  • IT managers can easily organize and manage multiple routers at a single site.
Cisco Configuration Professional Offers:

  1. One-click router lockdown.
  2. Innovative voice and security auditing capabilities that check router configurations and recommend changes.
  3. Monitoring of router status.
  4. Troubleshooting of WAN and VPN connectivity issues.
Cisco Configuration Professional Express Offers:

  1. Basic configuration of router WAN and LAN interfaces.
  2. Hostname, Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) configuration.
  3. User management for the router.
  4. Configuration of the plug-and-play server.
  5. Dashboard, basic troubleshooting and a command line interface (CLI) tool.
NB
CCP Express is a GUI-based embedded device management tool for the Cisco Integrated Services Router (ISR).
It is available on the router's flash and is used for bootstrapping and basic configuration.

Random Sampled Flow


  • NetFlow provides highly granular per-flow traffic statistics in a Cisco router.
  • A flow is a unidirectional set of packets that arrive at the router on the same subinterface and have the same source and destination IP address, the same Layer 4 protocol and the same source and destination port.
  • The router accumulates NetFlow statistics in the NetFlow cache and can export them to an external device, e.g. the Cisco CNS NetFlow Collection Engine, for further processing.
  • Random Sampled NetFlow creates cache entries for one randomly selected packet out of every N packets instead of for every packet, which reduces CPU and cache load on busy interfaces; the sampling rate is recorded in the export so that a collector can scale the counters back up.
Defining a NetFlow Sampler Map

Summary Steps

1) enable
2) configure terminal
3) flow-sampler-map sampler-map-name
4) mode random one-out-of sampling-rate   (sampling-rate is the N in "one packet out of every N", 1 to 65535)
5) end

The sampler map only takes effect once it is applied to an interface with the flow-sampler sampler-map-name interface command.

show flow-sampler
Displays the attributes (including mode, sampling rate and number of sampled packets) of one or all Random Sampled NetFlow samplers.

show ip cache verbose flow
Displays the additional NetFlow fields in the header when Random Sampled NetFlow is configured.
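What the collector side of this looks like, as an added example (not Cisco's code, not from the original post): it packs constructed flow records into a NetFlow version 5 export whose header carries the sampling interval, parses the export back the way a collector would, multiplies the sampled counters by the rate, and aggregates on the flow key defined above (ingress interface, addresses, protocol, ports). The addresses, interface numbers and counters are constructed and the dict field names are my own; the byte layout is the standard v5 header (24 bytes) and record (48 bytes).

```python
"""Build and parse a NetFlow version 5 export the way a collector would,
scaling sampled counters back up and aggregating on the flow key.

Added example for this page, not Cisco code. The addresses, interface
numbers and counters are constructed; the dict field names are my own.
The packet layout is the standard NetFlow v5 header (24 bytes) and
record (48 bytes)."""
import ipaddress
import struct

V5_HEADER = "!HHIIIIBBH"                  # 24 bytes
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"    # 48 bytes

# Constructed sample flows as the router would see them after 1-in-N
# sampling: two records share one flow key, the third differs in source.
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "input_if": 1, "output_if": 2,
     "proto": 6, "sport": 40000, "dport": 443, "pkts": 3, "octets": 180},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "input_if": 1, "output_if": 2,
     "proto": 6, "sport": 40000, "dport": 443, "pkts": 2, "octets": 120},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "input_if": 1, "output_if": 2,
     "proto": 6, "sport": 40001, "dport": 443, "pkts": 1, "octets": 60},
]


def build_v5(records, sampling_rate, uptime_ms=1000, unix_secs=1490140800, seq=0):
    """Pack records into one v5 export. The header's sampling_interval field
    carries a 2-bit sampling mode in its top bits and the 14-bit
    'one-out-of' interval below; 0 means the export was not sampled."""
    mode = 1 if sampling_rate else 0      # mode bits: constructed value
    sampling_field = (mode << 14) | (sampling_rate & 0x3FFF)
    body = b"".join(
        struct.pack(V5_RECORD,
                    ipaddress.ip_address(r["src"]).packed,
                    ipaddress.ip_address(r["dst"]).packed,
                    b"\x00\x00\x00\x00",          # next hop, constructed as 0.0.0.0
                    r["input_if"], r["output_if"],
                    r["pkts"], r["octets"],
                    uptime_ms - 500, uptime_ms,   # first/last seen, sysuptime ms
                    r["sport"], r["dport"],
                    0, r.get("tcp_flags", 0), r["proto"], 0,
                    0, 0, 24, 24, 0)              # src/dst AS, masks, padding
        for r in records)
    header = struct.pack(V5_HEADER, 5, len(records), uptime_ms, unix_secs, 0,
                         seq, 0, 0, sampling_field)
    return header + body


def parse_v5(data):
    """Unpack an export. Returns (sampling_rate, records) with packet and
    byte counters multiplied by the sampling rate, i.e. the collector's
    estimate of the unsampled traffic."""
    fields = struct.unpack_from(V5_HEADER, data)
    version, count, sampling_field = fields[0], fields[1], fields[8]
    if version != 5:
        raise ValueError("not a NetFlow v5 export (version=%d)" % version)
    rate = (sampling_field & 0x3FFF) or 1  # unsampled export: scale by 1, never 0
    records, offset = [], struct.calcsize(V5_HEADER)
    for _ in range(count):
        f = struct.unpack_from(V5_RECORD, data, offset)
        offset += struct.calcsize(V5_RECORD)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "input_if": f[3], "output_if": f[4],
            "pkts": f[5] * rate, "octets": f[6] * rate,
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return rate, records


def flow_key(r):
    """The page's flow definition: same ingress (sub)interface, same
    source/destination address, Layer 4 protocol and ports."""
    return (r["input_if"], r["src"], r["dst"], r["proto"], r["sport"], r["dport"])


def bytes_by_flow(records):
    """Aggregate scaled (packets, octets) per flow key."""
    totals = {}
    for r in records:
        pkts, octets = totals.get(flow_key(r), (0, 0))
        totals[flow_key(r)] = (pkts + r["pkts"], octets + r["octets"])
    return totals


if __name__ == "__main__":
    rate, recs = parse_v5(build_v5(SAMPLE_RECORDS, sampling_rate=100))
    print("sampling 1-out-of", rate)
    for key, (pkts, octets) in bytes_by_flow(recs).items():
        print(key, "~%d packets, ~%d bytes" % (pkts, octets))
```

The scaled numbers are estimates, not counts: with 1-out-of-100 sampling a single sampled packet becomes "about 100", so low-volume flows (a one-packet port scan probe, for example) can be missed entirely, which is the trade-off you accept when you turn sampling on.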

Cisco Advanced Inspection and Prevention (AIP) SSM uses:

1) Accurate inline prevention technologies
  • Offer intelligent, automated, contextual analysis of your data.

2) Multivector threat identification
  • Protects the network from policy violations, vulnerability exploitation and anomalous activity through inspection of traffic from Layer 2 through Layer 7.

3) Unique network collaboration
  • Enhances scalability and resiliency through network collaboration, efficient traffic capture and load balancing.

4) Powerful management, event correlation and support services
  • The Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) identifies, isolates and recommends removal of offending elements.
  • The Cisco Incident Control System (ICS) prevents new worm and virus outbreaks.

CISCO IOS Zone based Firewall Tutorial

Security Zone

  • A security zone is a group of interfaces to which a policy can be applied.
  • By default traffic flows freely between interfaces within the same zone, but all traffic between zones (to or from the zone) is dropped.
Note
To allow traffic to pass between zones, administrators must explicitly permit it by creating a zone pair and attaching a policy to that zone pair.
Note also that traffic originated from or destined to the router itself (the "self" zone) is allowed to pass freely unless a zone pair involving the self zone is configured.

Zone-pair

  • Allows you to specify a unidirectional firewall policy between two zones.
  • A zone pair specifies the direction of the interesting traffic.
  • It is defined by specifying a source zone and a destination zone.
  • The same zone cannot be used as both the source and the destination zone.
Zone Policy
Defines what we want to allow or deny between the zones of a pair, e.g. we just want to allow HTTP while dropping SMTP and ICMP. Traffic is matched by a class-map and the policy-map applies one of 3 actions to each class: "pass", "drop" and "inspect".
"pass" lets matching traffic through in the direction of the zone pair only (return traffic needs its own zone pair and policy); "drop" discards it; "inspect" performs stateful inspection, so the router tracks the session and automatically allows the return traffic back in the reverse direction. Traffic that matches no class falls into class-default, which drops by default.
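The decision rules above (intra-zone free, inter-zone dropped unless a zone pair permits it, self-zone free, "pass" one-way versus "inspect" stateful), as an added example that models them in code (not IOS, not from the original post). Zone and interface names, the zone-pair policy and the packets are constructed, and the session model for "inspect" is a simplification keyed on zones, protocol and port:

```python
"""Model of Cisco IOS zone-based firewall forwarding decisions: traffic
within a zone flows freely, traffic between zones is dropped unless a
zone pair with a policy permits it, and router-originated or router-
destined traffic (the self zone) passes freely unless a zone pair that
includes self exists.

Added example for this page, not IOS code. Zone names, interface names,
the zone-pair policy and the packets are constructed; the session model
for "inspect" is a simplification (keyed on zones, protocol and port)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Pkt:
    in_if: Optional[str]    # None when the router itself originated the packet
    out_if: Optional[str]   # None when the packet is destined to the router
    proto: str              # constructed labels such as "http", "smtp", "icmp"
    dport: int
    reply: bool = False     # True for the return half of a session


@dataclass
class Firewall:
    zones: Dict[str, Set[str]]                                    # zone -> interfaces
    # zone pair (source, destination) -> ordered classes of (protocols, action)
    pairs: Dict[Tuple[str, str], List[Tuple[Set[str], str]]] = field(default_factory=dict)
    sessions: Set[Tuple[str, str, str, int]] = field(default_factory=set)

    def zone_of(self, ifname: Optional[str]) -> Optional[str]:
        if ifname is None:
            return "self"
        for zone, members in self.zones.items():
            if ifname in members:
                return zone
        return None                      # interface not assigned to any zone

    def decide(self, p: Pkt) -> str:
        src, dst = self.zone_of(p.in_if), self.zone_of(p.out_if)
        if "self" in (src, dst) and (src, dst) not in self.pairs:
            return "pass"                # self-zone traffic is free unless policed
        if src is None or dst is None:
            return "drop"                # zone member <-> non-member is dropped
        if src == dst:
            return "pass"                # intra-zone traffic is free
        if p.reply:                      # return traffic needs an inspected session
            return "pass" if (dst, src, p.proto, p.dport) in self.sessions else "drop"
        for protocols, action in self.pairs.get((src, dst), []):
            if p.proto in protocols:
                if action == "inspect":  # stateful: remember it so the reply passes
                    self.sessions.add((src, dst, p.proto, p.dport))
                    return "pass"
                return action            # "pass" (one-way) or "drop"
        return "drop"                    # class-default for the zone pair


def demo() -> Dict[str, str]:
    """Constructed policy: inside -> outside inspects HTTP/HTTPS, passes ICMP
    one-way, drops SMTP; no zone pair exists for outside -> inside."""
    fw = Firewall(zones={"inside": {"Gi0/0", "Gi0/2"}, "outside": {"Gi0/1"}})
    fw.pairs[("inside", "outside")] = [({"http", "https"}, "inspect"),
                                       ({"icmp"}, "pass"),
                                       ({"smtp"}, "drop")]
    return {
        "http out":         fw.decide(Pkt("Gi0/0", "Gi0/1", "http", 80)),
        "http reply in":    fw.decide(Pkt("Gi0/1", "Gi0/0", "http", 80, reply=True)),
        "icmp out":         fw.decide(Pkt("Gi0/0", "Gi0/1", "icmp", 0)),
        "icmp reply in":    fw.decide(Pkt("Gi0/1", "Gi0/0", "icmp", 0, reply=True)),
        "smtp out":         fw.decide(Pkt("Gi0/0", "Gi0/1", "smtp", 25)),
        "ssh out":          fw.decide(Pkt("Gi0/0", "Gi0/1", "ssh", 22)),
        "new http in":      fw.decide(Pkt("Gi0/1", "Gi0/0", "http", 80)),
        "inside to inside": fw.decide(Pkt("Gi0/0", "Gi0/2", "smtp", 25)),
        "router ntp out":   fw.decide(Pkt(None, "Gi0/1", "ntp", 123)),
        "to unzoned if":    fw.decide(Pkt("Gi0/0", "Gi0/3", "http", 80)),
    }
```

The ICMP pair of results is the one to notice: "pass" lets the echo request out but the echo reply is dropped because no session was recorded, whereas the inspected HTTP request leaves a session that lets its reply back in. This is why "pass" is rarely the right action for anything that expects a response.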

Tuesday, March 21, 2017

Cisco routers can handle log messages in five different ways

Console Logging

  • By default the router sends all log messages to its console port.
  • These can only be viewed by someone physically connected to the console.
Terminal logging
  • Displays log messages on the router's VTY lines instead (not enabled by default; a session turns it on with terminal monitor).
Buffered Logging
  • Uses the router's RAM for storing log messages.
  • The buffer has a fixed size to ensure that the log will not deplete valuable system memory.
  • It is circular: old messages are deleted from the buffer as new ones come in.
Syslog server logging
  • The router can use syslog to forward log messages to external syslog servers for storage.
SNMP trap logging
  • The router is able to send log messages as SNMP traps to an external SNMP management station.

Logging Level Messages

Level   Keyword          Example
0       Emergencies      System shutdown due to missing fan tray
1       Alerts           Temperature limit exceeded
2       Critical         Memory allocation failures
3       Errors           Interface up/down messages
4       Warnings         Config file written to server
5       Notifications    Line protocol up/down
6       Informational    Access list violation logging
7       Debugging        Debugging messages

Setting a destination to level N (e.g. logging trap 4 or logging trap warnings) sends that destination every message of severity 0 through N; lower numbers are more severe.
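The severity levels and the "level N admits 0 through N" rule, applied to IOS-style log lines as an added example (not IOS code, not from the original post). The severity of each message is read from its %FACILITY-SEVERITY-MNEMONIC tag and the message is fanned out to whichever destinations are configured to accept it. The log lines are constructed (the mnemonics are real IOS ones, the message bodies and addresses are made up) and the per-destination levels are an assumed configuration:

```python
"""Parse Cisco IOS-style log lines, pull the severity from the
%FACILITY-SEVERITY-MNEMONIC tag, and fan each message out to the logging
destinations whose configured level admits it (level N admits 0..N).

Added example for this page, not IOS code. The log lines below are
constructed (the mnemonics are real IOS ones, the message bodies and
addresses are made up) and the destination levels are an assumed config."""
import re
from typing import Dict, List, Optional, Union

LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

SAMPLE_LOG = """\
*Mar 21 10:02:11.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 21 10:02:12.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar 21 10:05:40.311: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.45(51023) -> 192.0.2.10(22), 1 packet
*Mar 21 10:06:01.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)
*Mar 21 10:06:02.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6019A0D8, pool Processor
not a syslog line at all
"""

# Assumed config: console left at its default (everything), the buffer
# kept for warnings and worse, traps reserved for critical and worse.
DESTINATIONS: Dict[str, Union[str, int]] = {
    "console": "debugging",      # logging console debugging
    "buffered": "warnings",      # logging buffered warnings
    "trap": 2,                   # logging trap 2 (same as "critical")
}


def parse(line: str) -> Optional[dict]:
    """Extract facility, numeric severity, level keyword and mnemonic."""
    m = TAG.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    return {"facility": m["facility"], "severity": sev, "level": LEVELS[sev],
            "mnemonic": m["mnemonic"], "text": line[m.end():].strip()}


def threshold(level: Union[str, int]) -> int:
    """Accept the keyword or the number, as the IOS logging commands do."""
    return LEVELS.index(level) if isinstance(level, str) else int(level)


def route(log: str, destinations=DESTINATIONS) -> Dict[str, List[str]]:
    """Return, per destination, the mnemonics it would receive."""
    thresholds = {name: threshold(lvl) for name, lvl in destinations.items()}
    delivered: Dict[str, List[str]] = {name: [] for name in destinations}
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue                         # skip non-syslog noise
        for name, limit in thresholds.items():
            if rec["severity"] <= limit:     # lower number = more severe
                delivered[name].append(rec["mnemonic"])
    return delivered


if __name__ == "__main__":
    for name, msgs in route(SAMPLE_LOG).items():
        print("%-8s %s" % (name, ", ".join(msgs)))
```

Note the practical consequence for detection: with this assumed configuration the ACL-denied SSH probe (%SEC-6-IPACCESSLOGP, level 6) reaches only the console and never the syslog trap destination, so a collector fed by traps at level 2 would never see it. The level chosen for the syslog or trap destination decides which security events leave the box.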