Cisco Security Fundamentals: Key Concepts & Configuration

1. Securing the Edge Router

Three Areas of Router Security:

  • Physical: Lock the device in secure rooms; use UPS or generators.
  • Operating System: Use the latest IOS; increase memory; back up configurations.
  • Router Hardening: Disable unused ports/services, restrict access.

Admin Access Security:

  • Local:
    line console 0
    password [pw]
    login
  • VTY (Remote):
    line vty 0 15
    password [pw]
    login
  • Privileged Mode:
    enable secret [pw]
  • Encrypt Passwords:
    service password-encryption
  • Minimum Password Length:
    security passwords min-length 8
  • Brute Force Prevention:
    login block-for 60 attempts 3 within 60
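The last command deserves a worked illustration of its timing semantics. The following Python model is an added example, not part of the original notes and not Cisco code; it treats `attempts 3 within 60` as three failures inside a sliding 60-second window, models quiet mode as refusing every login for `block-for` seconds (even with correct credentials), and assumes a successful login clears the failure counter. Those three behaviours are assumptions made for the example.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class LoginThrottle:
    """Model of 'login block-for <block> attempts <tries> within <window>'.

    Assumptions made for this example (not stated on the page): reaching
    <tries> failures inside a sliding <window>-second window enters quiet
    mode; quiet mode refuses every login for <block> seconds, then the
    failure counter starts again from zero; a successful login clears it.
    """

    def __init__(self, block_for: int = 60, attempts: int = 3, within: int = 60) -> None:
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures: Deque[float] = deque()   # timestamps of recent failed logins
        self.quiet_until: Optional[float] = None

    def attempt(self, now: float, credentials_ok: bool) -> str:
        # Quiet mode: refuse everything, even correct credentials, until it expires.
        if self.quiet_until is not None:
            if now < self.quiet_until:
                return "blocked"
            self.quiet_until = None
            self.failures.clear()
        if credentials_ok:
            self.failures.clear()
            return "accepted"
        # Record the failure and discard failures that fell out of the window.
        self.failures.append(now)
        while now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            return "quiet-mode"
        return "failed"


def simulate(events: List[Tuple[float, bool]], **config) -> List[str]:
    """Feed (timestamp, credentials_ok) pairs through one throttle; return the outcomes."""
    throttle = LoginThrottle(**config)
    return [throttle.attempt(t, ok) for t, ok in events]


# Constructed sample: three bad passwords in 20 s, a correct password while the
# device is still quiet, then a correct password after quiet mode has ended.
SAMPLE_BURST = [(0, False), (10, False), (20, False), (30, True), (85, True)]

# Constructed sample: three failures that never share one 60 s window.
SAMPLE_SLOW = [(0, False), (70, False), (140, False)]

if __name__ == "__main__":
    for label, events in (("burst", SAMPLE_BURST), ("slow", SAMPLE_SLOW)):
        print(label, simulate(events))
```

The slow sample shows why the window matters: attempts spaced more than 60 seconds apart never trigger quiet mode, so `block-for` alone is not a rate limit, only a burst limit.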

2. AAA (Authentication, Authorization, Accounting)

Definitions:

  • Authentication: Identity verification (e.g., username/password, token).
  • Authorization: Determines what a user can do.
  • Accounting: Tracks what was done, for how long, and by whom.

Local AAA Example:

aaa new-model
username admin secret cisco123
aaa authentication login default local
line vty 0 4
login authentication default

Server-Based AAA:

  • Uses RADIUS (UDP, combines Authentication/Authorization) or TACACS+ (TCP, separates all three: Authentication, Authorization, Accounting).
  • Cisco ISE provides identity policies, posture checks, and BYOD (Bring Your Own Device) control.

3. Access Control Lists (ACLs)

Types:

  • Standard (1–99, 1300–1999): Filters based on source IP address only.
  • Extended (100–199, 2000–2699): Filters based on source/destination IP addresses, protocols, and ports.

Wildcard Masking:

  • host 192.168.1.10 → wildcard 0.0.0.0
  • any → wildcard 255.255.255.255
  • Subnet 255.255.255.0 → wildcard 0.0.0.255

Examples:

access-list 10 permit 192.168.1.0 0.0.0.255
ip access-list extended BLOCK_HTTP
deny tcp any any eq 80
permit ip any any

Apply to Interface:

interface g0/0
ip access-group 10 in

Placement Rule:

  • Standard: Place near the destination.
  • Extended: Place near the source.
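To make the wildcard-mask and first-match rules concrete, here is an added Python example (written for these notes, not Cisco's code) that converts a subnet mask to a wildcard, parses the ACL lines shown above, and evaluates packets against them with the implicit `deny` at the end. The `Ace` class, the helper names and the sample packet addresses are constructed for the example; only the numeric `eq <port>` form is parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def wildcard_from_mask(mask: str) -> str:
    """Subnet mask -> wildcard mask by inverting every bit (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """An address matches when it equals 'base' in every bit where the wildcard bit is 0;
    wildcard bits set to 1 are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-control entry (constructed type). Standard entries only fill action/src/src_wc."""
    action: str                       # permit | deny
    proto: str = "ip"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # numeric 'eq <port>' on the destination


def _is_quad(s: str) -> bool:
    return s.count(".") == 3 and all(p.isdigit() for p in s.split("."))


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and _is_quad(tokens[i + 1]):
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1   # bare address in a standard ACL = single host


def parse_ace(line: str) -> Ace:
    """Parse one numbered ('access-list 10 permit ...') or named-ACL line ('deny tcp any any eq 80')."""
    t = line.split()
    if t[0] == "access-list":        # drop the 'access-list <number>' prefix
        t = t[2:]
    action, i = t[0], 1
    if t[i] in PROTOCOLS:            # extended entry: protocol, source, destination, optional port
        proto, i = t[i], i + 1
        src, src_wc, i = _parse_addr(t, i)
        dst, dst_wc, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Ace(action, proto, src, src_wc, dst, dst_wc, dport)
    src, src_wc, _ = _parse_addr(t, i)  # standard entry: source only
    return Ace(action, "ip", src, src_wc)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation, top to bottom; the implicit 'deny any' is the final entry."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not matches(src, ace.src, ace.src_wc) or not matches(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The notes' own ACL lines, parsed into entry lists.
ACL_10 = [parse_ace("access-list 10 permit 192.168.1.0 0.0.0.255")]
BLOCK_HTTP = [parse_ace("deny tcp any any eq 80"), parse_ace("permit ip any any")]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                               # 0.0.0.255
    print(evaluate(ACL_10, "ip", "192.168.1.77", "203.0.113.5"))            # permit
    print(evaluate(ACL_10, "ip", "192.168.2.77", "203.0.113.5"))            # deny (implicit)
    print(evaluate(BLOCK_HTTP, "tcp", "192.168.1.77", "203.0.113.5", 80))   # deny
    print(evaluate(BLOCK_HTTP, "tcp", "192.168.1.77", "203.0.113.5", 443))  # permit
```

Note that `deny tcp any any eq 80` only matches TCP, so UDP traffic to port 80 falls through to `permit ip any any`; the evaluator makes that protocol check visible, which is the kind of gap that is easy to miss when reading an ACL by eye.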

4. Firewalls

Types:

  • Packet Filtering (Stateless): Simple, ACL-based filtering.
  • Stateful: Tracks session state for more intelligent filtering.
  • Application Gateway (Proxy): Inspects Layer 7 (Application Layer) traffic.
  • Next-Generation Firewall (NGFW): Adds Intrusion Prevention System (IPS), Application Identification (App ID), and advanced malware defense.

Designs:

  • Private/Public Zones
  • DMZ (Demilitarized Zone): Area for public-facing servers.
  • Zone-Based Policy Firewall (ZPF): Applies policies between logical security zones.

Layered Defense:

  • Combines security measures across the network core, perimeter, communication channels, and endpoints.

5. Cisco ASA Firewall

ASA: Adaptive Security Appliance

Modes:

  • Routed (Layer 3): Supports routing and Network Address Translation (NAT).
  • Transparent (Layer 2): Acts as a “bump in the wire” without requiring IP address changes.

Security Levels:

  • 0: Outside (untrusted network).
  • 100: Inside (trusted network).
  • 1–99: DMZ (Demilitarized Zone).

ASA Interface Setup:

enable
configure terminal
interface g1/1
nameif outside
ip address dhcp setroute
security-level 0
no shutdown

Failover:

  • Supports Active/Standby pairs for high availability; both units must have identical configurations and licensing.

Licensing:

  • show version
  • show activation-key

6. Zone-Based Policy Firewall (ZPF)

Benefits:

  • Scalable and readable security policies.
  • Reduced dependency on Access Control Lists (ACLs).
  • Traffic policies are tied to logical zones, not specific interfaces.

Configuration Steps:

1. Create Zones:

zone security INSIDE
zone security OUTSIDE

2. Classify Traffic:

class-map type inspect match-any WEB_TRAFFIC
match protocol http

3. Define Actions:

policy-map type inspect POLICY_WEB
class WEB_TRAFFIC
inspect

4. Apply to Zone-Pair:

zone-pair security ZP_INSIDE_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect POLICY_WEB

5. Assign Interfaces:

interface g0/0
zone-member security INSIDE

Actions:

  • inspect: Tracks sessions and allows return traffic.
  • drop: Denies traffic.
  • pass: Permits traffic without session tracking.

7. Intrusion Prevention System (IPS)

IDS vs. IPS:

  • IDS (Intrusion Detection System): Detection only.
  • IPS (Intrusion Prevention System): Detection and prevention.

Deployment:

  • Inline: Deployed in the traffic path for active blocking.
  • Promiscuous: Monitors a copy of traffic without active blocking.

Cisco Snort IPS:

  • Signature-based detection.
  • Updates via Cisco Talos.
  • Can run inside ISR routers as a VM container.
  • Modes: IDS (alert only), IPS (block).
  • Requires a K9 license and subscription.

Example Actions:

  • Drop packets, reset connections, or temporarily deny source IP addresses.

8. Layer 2 Security (Switch Attacks)

Threats:

  • MAC Flooding: Overwhelms the switch’s MAC address table, leading to a broadcast storm.
  • VLAN Hopping: An attacker spoofs trunking to gain access to multiple VLANs.

Defenses:

  • Disable unused ports: shutdown
  • Assign unused ports to an unused VLAN (e.g., VLAN 999).
  • Disable DTP (Dynamic Trunking Protocol):
    switchport nonegotiate

Port Security Setup:

interface f0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky

Port Violation Modes:

  • protect: Silently drops violating packets.
  • restrict: Drops violating packets and logs the event.
  • shutdown: Disables the port (default action).
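The three violation modes differ only in what happens after the limit is reached, which is easiest to see side by side. The following Python model is an added example (not from the notes or from Cisco) of the port configured above: maximum 1, sticky learning, and a chosen violation mode. The `SecurePort` class, the MAC addresses and the log text are constructed for the example; the log lines are not real IOS syslog messages.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    """One access port with 'port-security maximum <n>', sticky learning and a
    violation mode (constructed model). The counter and log behaviour follow the
    notes' descriptions; the log line format is made up for this example."""
    maximum: int = 1
    violation: str = "shutdown"                         # protect | restrict | shutdown
    secure_macs: Set[str] = field(default_factory=set)  # sticky-learned addresses
    err_disabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

    def ingress(self, mac: str) -> str:
        """Process one frame with source MAC 'mac'; return what happened to it."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)       # sticky: learned once, then kept as if configured
            return "forwarded (learned)"
        # Unknown source MAC beyond the maximum: a violation.
        if self.violation == "protect":
            return "dropped"                # silent: no log entry, no counter increment
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"violation: unknown source {mac} (constructed message)")
            return "dropped (logged)"
        self.err_disabled = True            # shutdown: port goes err-disabled
        self.log.append(f"port err-disabled after violation from {mac} (constructed message)")
        return "dropped (port shut down)"


def run(violation: str, macs: List[str], maximum: int = 1) -> List[str]:
    """Replay a constructed sequence of source MACs through a fresh port; return outcomes."""
    port = SecurePort(maximum=maximum, violation=violation)
    return [port.ingress(m) for m in macs]


# Constructed frame sequence: the legitimate host twice, then two rogue addresses.
FRAMES = ["aaaa.bbbb.0001", "aaaa.bbbb.0001", "dead.beef.0002", "dead.beef.0003"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run(mode, FRAMES))
```

The model never recovers the port: after a `shutdown`-mode violation even the legitimate host is dropped, which mirrors a real switch, where the port stays err-disabled until an administrator bounces it (`shutdown` / `no shutdown`) or errdisable recovery is configured.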

9. Endpoint Security

Traditional Endpoint Security:

  • Antivirus software, Host-based Intrusion Prevention Systems (HIPS), and personal firewalls on endpoints.

Modern Threats:

  • Bring Your Own Device (BYOD), remote users, and IoT (Internet of Things) devices introduce new vulnerabilities.

Network-Based Protection:

  • Cisco Advanced Malware Protection (AMP), Email Security Appliance (ESA), and Web Security Appliance (WSA).
  • NAC (Network Access Control): Blocks non-compliant devices from accessing the network.

802.1X Authentication Roles:

  • Supplicant: The client device (e.g., PC).
  • Authenticator: The network device (e.g., switch).
  • Authentication Server: Typically a RADIUS server.

Disk Encryption:

  • Use AES-256 encryption to secure local drives.

10. VPNs (Virtual Private Networks)

Purpose:

  • Secure communication over the public Internet.
  • Creates an encrypted tunnel between sites or devices.

Types:

  • Site-to-Site VPN: Permanent connection between routers or firewalls, connecting two networks.
  • Remote Access VPN: Dynamic connection from an individual user to a central gateway.

SSL VPN:

  • Browser-based and often clientless.
  • Easier to deploy but offers less granular control.

IPsec VPN:

  • Stronger security, supports tunnel and transport modes.

IPsec Core Concepts:

  • Confidentiality: Achieved through encryption algorithms (e.g., AES > 3DES > DES).
  • Integrity: Ensured by hashing algorithms (e.g., SHA > MD5).
  • Authentication: Verifies identities using Pre-shared Keys (PSK) or RSA certificates.
  • Key Exchange: Uses protocols like Diffie-Hellman for secure key establishment.

Protocols:

  • Authentication Header (AH): IP Protocol 51 (provides authentication and integrity only).
  • Encapsulating Security Payload (ESP): IP Protocol 50 (provides authentication, integrity, and encryption).

Example:

  • VPN Gateway encrypts and tunnels traffic.
  • Remote site decrypts and forwards traffic internally.