To help you face the complexities of managing a modern network, this chapter discusses the core principles of security, the CIA triad (confidentiality, integrity, and availability), and the following security process:
Step 1. Develop a security policy.
Step 2. Make the network secure.
Step 3. Monitor and respond.
Step 4. Test.
Step 5. Manage and improve.
User accounts are managed on the local sensor because the sensor appliance does not support AAA servers. Each user is assigned a role that controls what that user can and cannot modify. There are four basic user roles:
Administrator
Operator
Viewer
Service
Port-based traffic control features can be used to provide protection at the port level. Catalyst switches offer Storm Control, Protected Ports, Private Virtual Local Area Network (PVLAN), Port Blocking, and Port Security features.
There are three types of PVLAN ports: promiscuous, isolated, and community.
In summary, a Private VLAN contains three elements: the primary VLAN (the Private VLAN itself), the secondary VLANs (the community VLAN and the isolated VLAN), and the promiscuous port. An isolated port can talk only to promiscuous ports; a community port can talk to promiscuous ports and to other ports in the same community; a promiscuous port can talk to all of them.
Port Security has three security violation modes: protect (silently drop frames from unknown MAC addresses once the limit is reached), restrict (drop them, increment the violation counter, and send an SNMP trap and syslog message), and shutdown (err-disable the port; this is the default).
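The following Catalyst IOS configuration is an added example (not from the original notes) that ties the PVLAN elements and the port security violation modes together. VLAN numbers, interface names, the two-address limit, and the storm control threshold are assumptions.

```cisco
! Added example, not from the original notes. Catalyst IOS; VLAN numbers,
! interface names and thresholds are assumptions.
!
! PVLANs require VTP transparent mode (or VTP version 3)
vtp mode transparent
!
! Primary VLAN 100; 101 is the isolated VLAN, 102 is a community VLAN
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
! Promiscuous port (default gateway side): reaches every host in 101 and 102
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host port: reaches only the promiscuous port, never another host
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host port: reaches the promiscuous port and other ports in 102
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Ordinary access port with port security and storm control.
! violation restrict: drop offending frames, count them, send a trap and
! syslog, keep the port up. protect would drop silently; shutdown would
! err-disable the port.
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 storm-control broadcast level 1.00
 storm-control action trap
!
! For ports that use shutdown mode, let err-disabled ports recover on their own
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify with show vlan private-vlan (mapping of primary to secondary VLANs and member ports) and show port-security interface GigabitEthernet1/0/4 (violation mode, count, and learned addresses).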
The switch supports the following four types of ACLs for traffic filtering:
Router ACL
Port ACL
VLAN ACL
MAC ACL
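As an added example (not from the original notes), the following shows one instance of each of the four Catalyst ACL types and where it is applied. Addresses, VLAN and interface numbers are assumptions.

```cisco
! Added example, not from the original notes. Catalyst IOS; addresses,
! VLAN and interface numbers are assumptions.
!
! 1. Router ACL: applied to a Layer 3 interface (an SVI here), filters routed traffic
ip access-list extended VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
 permit udp 10.10.10.0 0.0.0.255 host 10.0.0.53 eq 53
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! 2. Port ACL: same ACL syntax, applied inbound on a Layer 2 switchport
ip access-list extended PRINTER-ONLY
 permit tcp any host 10.10.10.50 eq 9100
 deny   ip any any
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 ip access-group PRINTER-ONLY in
!
! 3. VLAN ACL (VACL): filters traffic bridged within the VLAN as well as
!    traffic routed into or out of it; actions come from a vlan access-map
ip access-list extended SMB-TRAFFIC
 permit tcp any any eq 445
!
vlan access-map NO-SMB 10
 match ip address SMB-TRAFFIC
 action drop
vlan access-map NO-SMB 20
 action forward
!
vlan filter NO-SMB vlan-list 10
!
! 4. MAC ACL: filters non-IP Layer 2 traffic by MAC address or EtherType
mac access-list extended BLOCK-APPLETALK
 deny   any any appletalk
 permit any any
!
interface FastEthernet0/6
 switchport mode access
 mac access-group BLOCK-APPLETALK in
```

The VACL is the one to reach for when two hosts in the same VLAN must be kept apart, because a router ACL never sees bridged traffic.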
Spanning Tree Protocol Features:
Bridge Protocol Data Unit (BPDU) Guard
Root Guard
EtherChannel Guard
Loop Guard
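An added example (not from the original notes) of enabling the four Spanning Tree protection features on a Catalyst switch. Interface numbers and the recovery interval are assumptions.

```cisco
! Added example, not from the original notes. Catalyst IOS; interface
! numbers and timers are assumptions.
!
! BPDU Guard: err-disable any PortFast (host-facing) port that receives a
! BPDU, so a rogue switch on an access port cannot join the topology
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Loop Guard: a port that stops receiving BPDUs goes loop-inconsistent
! instead of transitioning to forwarding (guards against unidirectional links)
spanning-tree loopguard default
!
! EtherChannel Guard: err-disable the channel on a detected misconfiguration
spanning-tree etherchannel guard misconfig
!
! Root Guard on a downlink: a superior BPDU arriving here puts the port in
! root-inconsistent state instead of letting the downstream switch become root
interface GigabitEthernet1/0/24
 description Downlink to access switch
 switchport mode trunk
 spanning-tree guard root
!
! Per-port form for an access port when the global defaults are not used
interface FastEthernet0/10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let ports err-disabled by BPDU Guard recover after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Check the result with show spanning-tree inconsistentports (root- and loop-inconsistent ports) and show interfaces status err-disabled.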
The traffic managed by a device can be divided into three functional components or planes:
Data plane
Management plane
Control plane
Cisco IOS Firewall consists of several major subsystems: an advanced firewall engine for stateful packet inspection (SPI), Context-Based Access Control (CBAC), Zone-Based Policy Firewall (ZFW), Intrusion Prevention System (IPS), Authentication Proxy, Port-to-Application Mapping (PAM), Multi-VRF firewall, Transparent firewall, and several others.
Note that the two configuration models (classical CBAC and the newer ZFW) can be used concurrently on the same router; however, they cannot overlap on the same interface. An interface cannot be a zone member and be configured for ip inspect at the same time.
By default, traffic between zones is blocked unless an explicit zone-pair policy permits it. Traffic between interfaces in the same zone is permitted, and traffic to or from the router itself (the self zone) is permitted until a policy is applied to a zone pair that includes the self zone.
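An added example (not from the original notes) of a minimal two-zone ZFW configuration showing the default-deny behaviour between zones. Zone names, interfaces, addresses and the permitted protocol set are assumptions.

```cisco
! Added example, not from the original notes. Cisco IOS ZFW; zone names,
! interfaces, addresses and the protocol list are assumptions.
!
! Zones and membership. An interface that is a zone member cannot also
! carry "ip inspect" (CBAC).
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! Classify what INSIDE hosts may initiate toward OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Stateful inspection of the matched protocols; everything else falls
! into class-default and is dropped (and logged)
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! A zone pair is unidirectional: return traffic is admitted by the
! inspection state, not by a second zone pair
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE->INSIDE zone pair is defined, so unsolicited inbound traffic
! is dropped by default. Traffic to and from the router itself (self zone)
! is still allowed until a policy is attached to a self zone pair.
```

show policy-map type inspect zone-pair IN-OUT sessions lists the inspected sessions; show zone-pair security confirms which policy is bound to which direction.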
The Security Appliance supports up to eight redundant interface pairs.
ECMP is not supported across multiple interfaces.
The nat-control command is available in routed firewall mode and in single and multiple security context modes.
The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT still requires the traffic to be initiated from the higher-security interface. The no nat-control command has no such requirement, nor does it require a static command to allow communication from the lower-security interface (from Outside to Inside); it relies only on access policies, for example an ACL permitting the traffic and a corresponding route entry.
Traffic flow is unidirectional (initiated from the higher-security side only) when using the nat/global commands, and bidirectional when using the static command.
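An added example (not from the original notes) in pre-8.3 ASA/PIX syntax, which is the syntax the nat/global/static commands above describe. It contrasts unidirectional dynamic NAT and identity NAT with a bidirectional static, and sets the embryonic (half-open) connection limit on the static. Interface names, addresses and the connection limits are assumptions.

```cisco
! Added example, not from the original notes. ASA 7.x/8.2 (pre-8.3) NAT
! syntax; interface names, addresses and limits are assumptions.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! With nat-control on, every inside host needs a NAT rule to pass traffic.
! With "no nat-control" (the default on ASA 7.0+) untranslated hosts pass
! on the strength of the ACL and routing table alone.
nat-control
!
! Unidirectional dynamic PAT: inside hosts may initiate to outside only
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Identity NAT for a management subnet: no translation, but still only
! inside-initiated
nat (inside) 0 10.1.99.0 255.255.255.0
!
! Bidirectional static for a web server. The trailing "tcp 1000 100"
! caps total TCP connections at 1000 and embryonic (half-open)
! connections at 100, below the 128 half-open limit a Windows server
! allows, so the appliance starts proxying SYNs before the host is exhausted.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 tcp 1000 100
!
! The static alone does not admit traffic from the lower-security
! interface; an ACL on outside is still required. Pre-8.3 ACLs reference
! the mapped (global) address.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE-IN in interface outside
```

show xlate confirms the translations; show conn shows established and embryonic counts per host, which is where the effect of the emb_limit becomes visible during a SYN flood.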
Although the PIX/ASA OS is similar to the FWSM OS, there are some subtle differences. Many of the differences are enhancements that take advantage of the Catalyst 6500 Series Switch and Cisco 7600 Series Router architecture.
FWSM does not provide VPN and IPS functionality. FWSM is a purpose-built firewall device. The following separate purpose-built products are available on the Catalyst 6500 Series Switch and Cisco 7600 Series Router: IPsec VPN Services Module (VPNSM), WebVPN Services Module, and Intrusion Detection System Module (IDSM-2).
By default, no traffic can pass through the FWSM to access the network. On PIX and ASA appliance software, traffic flow from higher-level interfaces (Inside) to lower-level interfaces (Outside) will pass unrestricted. However, the FWSM software does not allow any traffic to flow between the interfaces unless explicitly permitted with an ACL. The security level does not provide explicit permission for traffic from a high-security interface to a low-security interface. This applies to all types of FWSM implementation (routed and transparent mode). To control network traffic, access lists are applied to FWSM interfaces. ACLs determine which IP addresses and traffic can pass through the interfaces to access other networks.
Three major types of attacks follow:
Reconnaissance
Access
Denial of Service
There are two major types of SYN-flood attacks:
Nonspoofed source addresses
Spoofed source addresses
Some techniques available to prevent or minimize the impact of SYN flood attacks include the following:
Rate limiting with Committed Access Rate (CAR)
Context-Based Access Control (CBAC), using its half-open connection thresholds
TCP Intercept
On security appliances such as PIX firewalls, the static and nat commands provide an option (the embryonic connection limit) to monitor and control half-open embryonic connections
and others
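An added example (not from the original notes) of the IOS-side SYN flood countermeasures listed above: TCP Intercept, a CAR rate limit on inbound SYN segments, and the CBAC half-open thresholds. The protected prefix, interface and all thresholds are assumptions; TCP Intercept and CBAC are shown together only so that the equivalent settings can be compared.

```cisco
! Added example, not from the original notes. Cisco IOS; the protected
! prefix 192.0.2.0/24, interface Serial0/0 and all thresholds are assumptions.
!
! --- TCP Intercept: the router completes the three-way handshake on
! behalf of the protected servers and opens the server-side connection
! only after the client answers, which defeats spoofed-source floods
access-list 110 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
! Enter aggressive mode above 800 incomplete connections (or 800 new
! connection attempts per minute), leave it below 600; in aggressive mode
! drop the oldest half-open connection for every new SYN
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode oldest
ip tcp intercept watch-timeout 20
!
! --- CAR: limit inbound segments with the SYN bit set to 64 kbps on the
! Internet-facing interface; other traffic is untouched
access-list 120 permit tcp any 192.0.2.0 0.0.0.255 syn
interface Serial0/0
 rate-limit input access-group 120 64000 8000 8000 conform-action transmit exceed-action drop
!
! --- CBAC half-open thresholds (global, plus a per-host limit). The
! per-host form blocks new connections to a host for 2 minutes once it
! has 50 half-open sessions.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 50 block-time 2
ip inspect name FW tcp
interface Serial0/0
 ip inspect FW in
```

show tcp intercept statistics and show ip inspect sessions show how many connections are currently half-open and whether the router has entered aggressive mode.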
In summary, the antispoofing implementation is used to:
Deny incoming packets whose source address is allocated to your own network
Deny outbound packets whose source address is not allocated to your network
Methods to mitigate source address spoofing:
Access lists
Unicast Reverse Path Forwarding (uRPF)
IP Source Guard
IP Source Guard does not by itself prevent a man-in-the-middle (MITM) attack based on ARP spoofing; use Dynamic ARP Inspection (DAI), which validates ARP packets against the DHCP snooping binding table, to prevent that kind of MITM.
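An added example (not from the original notes) that implements the two antispoofing rules on the edge router with ACLs and strict uRPF, and adds IP Source Guard plus DAI on the access switch. The allocated prefix 192.0.2.0/24, interfaces and VLAN numbers are assumptions.

```cisco
! Added example, not from the original notes. Edge router plus Catalyst
! access switch; prefix 192.0.2.0/24, interfaces and VLANs are assumptions.
!
! --- Edge router. Ingress ACL: drop packets from the Internet that claim
! our own prefix, RFC 1918, loopback or the 0.0.0.0/8 range as source
ip access-list extended ANTISPOOF-IN
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip any any
!
! Egress ACL: only our own prefix may leave toward the Internet
ip access-list extended ANTISPOOF-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! uRPF needs CEF. Strict mode (reachable-via rx) suits a symmetric,
! single-homed edge; use "reachable-via any" (loose) where routing is
! asymmetric, or strict mode drops legitimate traffic.
ip cef
interface Serial0/0
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
 ip verify unicast source reachable-via rx
!
! --- Access switch. DHCP snooping builds the binding table; IP Source
! Guard uses it to pin each port to its leased source IP, and DAI uses it
! to validate ARP replies, which stops ARP-spoofing MITM.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 description Uplink toward DHCP server / distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip verify source
 ip arp inspection limit rate 15
```

show ip dhcp snooping binding and show ip verify source show which IP/port pairs are currently allowed; show ip arp inspection statistics vlan 10 counts the ARP packets DAI dropped.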
NBAR classifies the following three types of protocols:
TCP and UDP protocols that use statically assigned port numbers
TCP and UDP protocols that use dynamically assigned port numbers, requiring stateful inspection
Non-TCP and non-UDP IP protocols such as IPsec (ESP/AH) or ICMP
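An added example (not from the original notes) that uses NBAR to classify one protocol of each of the three types and to drop HTTP requests matching the well-known Code Red/Nimda URL patterns from Cisco's NBAR examples. The interface name and policing rates are assumptions.

```cisco
! Added example, not from the original notes. Cisco IOS NBAR; interface
! name and policing rates are assumptions. NBAR requires CEF.
ip cef
!
! Protocol discovery shows what NBAR sees on the interface before filtering
interface FastEthernet0/0
 ip nbar protocol-discovery
!
! Type 1: statically assigned port (HTTP on 80), with payload inspection
! of the URL to catch worm requests
class-map match-any WORM-HTTP
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Type 2: dynamically assigned ports; NBAR parses the FTP control channel
! statefully to learn the data-connection ports
class-map match-any FTP-SESSIONS
 match protocol ftp
!
! Type 3: non-TCP/non-UDP IP protocol (ICMP; ipsec is another example)
class-map match-any ICMP-TRAFFIC
 match protocol icmp
!
policy-map INBOUND-EDGE
 class WORM-HTTP
  drop
 class FTP-SESSIONS
  police 2000000 37500 37500 conform-action transmit exceed-action drop
 class ICMP-TRAFFIC
  police 8000 1500 1500 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input INBOUND-EDGE
```

show ip nbar protocol-discovery interface FastEthernet0/0 gives per-protocol packet and byte counts, and show policy-map interface FastEthernet0/0 shows how many packets each class matched and dropped.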
Most Windows platforms allow a maximum of 128 half-open (embryonic) connections, so when setting the embryonic limit on the static command, use a value less than the maximum embryonic limit allowed by the server operating system.
Layer 2 attacks: MAC spoofing, MAC flooding, ARP spoofing, Spanning Tree attacks, and VLAN hopping
RADIUS (Remote Authentication Dial-In User Service)
TACACS+ (Terminal Access Controller Access Control System Plus)
The formula to calculate the Risk Rating (RR) of an IPS event follows:
RR = ((ASR*TVR*SFR)/10000)+ARR-PD+WLR
ASR is the attack severity rating and SFR the signature fidelity rating (both set on the signature), TVR is the target value rating configured for the asset, ARR is the attack relevancy rating (adjusted when the target OS is known to be relevant or not), PD is the promiscuous delta (subtracted only when the sensor runs in promiscuous mode; zero inline), and WLR is the watch list rating supplied by CSA. Each of ASR, TVR and SFR ranges from 0 to 100, which is why the product is divided by 10000, and the resulting RR is bounded to the range 0 to 100.
IPS Interface Modes:
Promiscuous mode
Inline interface mode
Inline VLAN pair mode
VLAN Group mode
IPS Blocking (Shun)
There are three basic types of blocking:
Host block
Connection block
Network block
The IPS Sensor Software OS Version 6.0 introduces the concept of virtualization, whereby virtual sensors can be created in the Analysis Engine. Version 6.0 supports up to four virtual sensors.
A security policy configuration contains three components:
Signature definition policy
Event action rules policy
Anomaly detection policy
The three anomaly detection (AD) zones:
Internal zone
Illegal zone
External zone
The AD has the following three modes:
Learn mode
Detect mode
Inactive mode
There are three possible solutions to resolve situations in which the inline IPS device may fail:
Fail-open mechanism
Failover mechanism
Load-balancing mechanism
The Cisco DDoS Anomaly Detection and Mitigation solution consists of two basic deployment components:
Cisco Traffic Anomaly Detector
Cisco Guard DDoS Mitigation