CCIE Security Bootcamp v6

The document provides an overview of a 7-day CCIE Security v6 bootcamp covering topics such as perimeter security, intrusion prevention, secure connectivity, identity management, advanced threat protection, infrastructure security and automation, and a mock lab. The bootcamp will use lectures, instructor demos, and hands-on student tasks. Day 1 covers basic ASA concepts, policies, inspections, NAT, high availability and IOS zone-based firewall. Subsequent days cover additional security topics.

CCIE Security v6 Bootcamp

Introduction

ine.com
Piotr Kaluzny
CCIE #25665

[email protected]
linkedin.com/in/piotrkaluzny

CCIE Security
Bootcamp Introduction

+ General Information
+ The class starts at 9 am EST every day
+ Sessions will be recorded in the HD format
+ Please report any video/voice issues immediately via chat

+ Class Format
+ Lectures & instructor demos
+ Student hands-on tasks
+ Rack Access
+ http://labs.ine.com/workbook/view/sc-rack-rental/task/sc-rack-overview-NjU4
Class Agenda

+ Day 1 - Perimeter Security & Intrusion Prevention (ASA & IOS)


+ Basic ASA concepts
+ ASA Deployment modes
+ ASA Policies, Inspections & NAT
+ ASA High availability
+ IOS Zone-Based Firewall

+ Day 2 - Perimeter Security & Intrusion Prevention (FTD)


+ Basic concepts
+ Deployment modes
+ Policies
+ Intrusion Prevention
Class Agenda

+ Day 3 - Secure Connectivity


+ Introduction to VPNs & PKI
+ L2L VPNs
+ Remote Access VPNs
+ DMVPN
Class Agenda

+ Day 4 - Identity Management & Access Control


+ ISE Fundamentals & Policies
+ AAA & Administrative Access
+ Profiling
+ Wired 802.1x
+ Wireless 802.1x
Class Agenda

+ Day 5 - Advanced Threat Protection & Content Security


+ Starting with WSA
+ WSA Policies
+ Starting with ESA
+ ESA Policies
+ Cisco Umbrella
Class Agenda

+ Day 6 - Infrastructure Security & Automation


+ Securing Management & Control Planes
+ Securing Layer 2
+ Python Programming
+ Security Automation Example

+ Day 7 - Mock Lab


+ Design
+ Deploy, Operate & Optimize
Perimeter Security & Intrusion Prevention - ASA

Module Overview
+ ASA overview
+ Interface types
+ Management
Cisco Adaptive Security Appliance (ASA) Overview

+ Advanced firewall & network security platform


+ Powerful stateful filtering and application-layer inspection capabilities
+ Session tracking, TCP Sequence Randomization, etc.
+ VPN gateway
+ IKEv1/IKEv2 L2L and IKEv1/IKEv2/SSL Remote Access
+ Next-generation IPS
+ ASA with FirePOWER, AMP & Reputation URL Filtering
+ Virtualization
+ Contexts
+ High availability
+ Failover & Clustering
ASA Basics

+ Interfaces Types
+ Physical (interface physifname)
+ Single port
+ Redundant (interface redundant nr)
+ Two ports (active/standby)
+ EtherChannel (interface port-channel nr)
+ Two or more ports (active/active)
+ Virtual (also known as Subinterfaces)
+ Traffic is logically separated at L2 by using VLAN tags
+ Configure with interface name.nr & vlan
+ Corresponding switchport(s) must be configured as 802.1q trunk
ASA Basics

+ Interface Settings
+ IP address (ip/ipv6 address [standby])
+ Security level (security-level)
+ Specifies how "trusted" a given interface is
+ Controls the ASA's default filtering behavior between interfaces
+ Interface name (nameif)
+ Default security level is 100 for the name "inside" and 0 for any other name
+ (Optional) VLAN tag (vlan)
+ Watch for Native VLAN and DTP
+ Activation (no shut)
Redundant Interfaces

+ A link aggregation technique


+ Groups two interfaces into one logical interface
+ Active/Standby - redundancy, but no load distribution/balancing
+ The redundant interface uses a single MAC address
+ That of the first member interface listed in the running configuration

+ Configuration
+ Switch: configuration of the switchports connected to both members must match
+ ASA
interface Redundant nr
member-interface int1
member-interface int2
EtherChannel

+ Another link aggregation technique


+ Groups two or more interfaces into one logical interface ("bundle")
+ Active-Active
+ Increases available bandwidth through Load Distribution
+ Represented with a single MAC
+ Links can be bundled statically or dynamically (LACP)

+ Configuration
+ Switch: corresponding switchports must be configured for EtherChannel
+ ASA
interface member_interface_name
channel-group nr mode [active | passive | on]
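A configuration example (added here, not part of the original slides) that puts the interface types above together on one ASA: a physical outside interface, a redundant inside interface and an LACP EtherChannel carrying two VLAN subinterfaces. Interface numbers, names, addresses, security levels and VLAN IDs are assumptions.

```cisco
! Added example (not from the slides). Interface numbers, names, IPs,
! security levels and VLAN IDs are assumptions.

! Physical interface: single port. security-level 0 is the default for any
! nameif other than "inside", set explicitly here for readability.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown

! Redundant interface: two members, active/standby, one MAC address
! (taken from the first member listed). Members carry no nameif/IP.
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

! EtherChannel: LACP active on the members; the switch side must run LACP on
! the same ports (channel-group <n> mode active) and the resulting
! port-channel must be an 802.1Q trunk carrying VLANs 10 and 20.
interface GigabitEthernet0/3
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/4
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 no shutdown

! Subinterfaces of the bundle: one per VLAN, each its own security level
interface Port-channel1.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface Port-channel1.20
 vlan 20
 nameif dmz-db
 security-level 60
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
```

Verify with show interface ip brief (all logical interfaces up), show port-channel summary (both members bundled) and show interface Redundant1 (which member is active). Watch the native VLAN on the trunk: frames from the native VLAN arrive untagged and will not match any vlan subinterface.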
ASA Management

+ ASA can be managed through a console port or remotely

+ Remote Management
+ In-band (any data interface)
+ Out-of-band (the management port)
+ Through-traffic is never forwarded on a management-only interface
+ By default the Management interface acts as the management port
+ Any other interface can be made management-only with management-only
+ Supported methods include Telnet, SSH and HTTPS
ASA Management

+ By default to-the-box traffic, including management packets, is blocked


+ Management access is enabled per protocol and per source with telnet, ssh and http
+ Each command names the permitted source network and the interface it may arrive on
+ Telnet can't be used to reach the lowest security-level interface unless the session arrives over VPN

+ Adaptive Security Device Manager (ASDM)


+ Java applet GUI for ASA configuration (connects over HTTPS)
+ Unless factory defaults are used, ASA must be configured for ASDM
+ Select an image (asdm image)
+ Enable HTTPS (http server enable) & allow access (http)
+ Using AAA is recommended (aaa authentication http console)
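The management settings above in one configuration (added example, not from the slides): local AAA, SSH limited to a management subnet, ASDM over HTTPS from the same subnet, and no Telnet. Usernames, passwords, the management subnet, interface names and the ASDM image file name are assumptions.

```cisco
! Added example (not from the slides). Usernames, passwords, subnets,
! interface names and the ASDM image file name are assumptions.

! Local user + AAA so SSH/ASDM/enable do not rely on a shared enable password
username admin password Str0ng!Passw0rd privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL

! SSH: key pair, SSHv2 only, and only the management subnet on "inside"
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10

! ASDM over HTTPS: select the image on flash, enable the HTTPS server and
! allow the same management subnet. "http 0.0.0.0 0.0.0.0 outside" is the
! setting to avoid: it exposes the management plane to the Internet.
asdm image disk0:/asdm-7131.bin
http server enable
http 10.1.1.0 255.255.255.0 inside

! Telnet stays disabled. Even if enabled, it cannot be opened on the lowest
! security-level interface unless the session comes in over a VPN:
! telnet 10.1.1.0 255.255.255.0 inside
```

Test from a host in 10.1.1.0/24 (ssh admin@10.1.1.1 and https://10.1.1.1/admin) and from a host outside that range; the second should fail before authentication. show run ssh, show run http and show ssh sessions confirm what is permitted and who is connected.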
ASA Routing

+ Routing configuration syntax is similar to IOS


+ Static route ([ipv6] route interface)
+ Default route example : route outside 0 0 next_hop_ip
+ OSPF
+ Configure the process (router ospf) & enable it (network)
+ OSPFv3 : ipv6 router ospf & ipv6 ospf process_id area nr
+ EIGRP
+ Configure the process (router eigrp AS_nr) & enable it (network)
+ BGP
+ Configure ASN (router bgp asn) & peers (neighbor)
ASA Routing

+ By default the ASA supports ECMP only across routes that share an egress interface


+ The stateful inspection binds each connection to a single interface
+ Up to 8 equal-cost routes per interface can be used

+ Traffic Zones
+ Group interfaces into one logical zone so a connection may use any interface in the zone (relaxes the per-interface binding)
+ Useful with Asymmetric Routing and ECMP across interfaces
+ Configuration
+ Create a zone with zone name
+ Assign it under interface with zone-member name
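Routing and traffic zones as one configuration (added example, not from the slides): OSPF towards the inside network, and two ISP-facing interfaces placed in one traffic zone so that equal-cost default routes over different interfaces can be used. Interface names, addresses and the OSPF area are assumptions.

```cisco
! Added example (not from the slides). Interface names, addresses and the
! OSPF area are assumptions.

! OSPF: IOS-like, but the network statement takes a subnet mask, not a wildcard
router ospf 1
 router-id 10.1.1.1
 network 10.1.1.0 255.255.255.0 area 0
 log-adj-changes

! Two ISP-facing interfaces in one traffic zone. Without the zone, a connection
! is bound to the interface its first packet used; a reply (or an ECMP hash)
! landing on the other interface fails the stateful check and is dropped.
! Zone members must share the same security level.
zone ISP-ZONE
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 zone-member ISP-ZONE
 no shutdown
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
 zone-member ISP-ZONE
 no shutdown

! Equal-cost default routes, one per zone member; the zone makes them usable together
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 1
```

show route shows both default routes, show zone ISP-ZONE lists the members, and show conn displays connections with the zone rather than a single interface. Interface ACLs and NAT still reference the individual nameif values, not the zone.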
Perimeter Security & Intrusion Prevention - ASA

Module Overview
+ Modes of operation
ASA Modes Overview

+ ASA supports two operation modes


+ Firewall mode controls ASA’s forwarding behavior
+ Transparent
+ Routed
+ Including IRB (Integrated Routing & Bridging)
+ Context mode controls firewall virtualization
+ Single vs Multiple
+ Both Modes affect features supported on the ASA
Firewall Mode - Routed

+ ASA bootstraps in the Routed mode by default


+ Each firewall interface connects to a different L3 subnet
+ ASA acts as a L3 hop
+ All regular features are supported
+ Might not be easy to insert into an existing network (new subnets, re-addressing)
Firewall Mode - Transparent

+ Makes the ASA act as a Layer 2 bridge (a "bump in the wire")


+ Interfaces are bridged (grouped) & placed into one L3 network
+ Multiple bridge-groups are supported
+ Similar to VLANs
+ Unsupported features
+ VPNs, dynamic routing protocols, multicast routing and QoS
+ Advantages
+ Easy deployment - no need to re-address existing devices
+ Control over non-IP packets
+ Configure with firewall transparent (changing the firewall mode clears the running configuration)
+ Create a BVI holding the bridge group's IP address, used for management traffic (interface bvi nr)
+ Associate interfaces with the bridge group (bridge-group nr)
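A transparent-mode configuration (added example, not from the slides) bridging inside and outside into one subnet, with a separate management interface and an EtherType ACL for the non-IP traffic the slide mentions. Interface names and addresses are assumptions.

```cisco
! Added example (not from the slides). Interface names and addresses are
! assumptions.

! Switching firewall modes wipes the running configuration: do this first,
! on a console session, and re-enter the rest afterwards.
firewall transparent

! Bridge group 1: the BVI holds the only IP address the ASA has on this
! segment, used for management and for ASA-originated traffic (syslog, AAA).
interface BVI1
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

! Both data interfaces join bridge group 1; security levels still apply
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown

! Dedicated management interface: not bridged, management-only
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shutdown

! Non-IP control: an EtherType ACL ends in an implicit deny for non-IP
! EtherTypes, so list everything the bridge must carry. BPDUs are permitted
! so spanning tree still sees both switch ports as one segment.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface inside
access-group NONIP in interface outside
```

show firewall confirms the mode, show bridge-group lists the members and the BVI address, and show mac-address-table shows which MACs were learned on which interface. IP traffic through the bridge is still subject to the normal extended ACL and security-level rules; the EtherType ACL only governs non-IP frames.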
Context Modes

+ Single (default)
+ No virtualization : one firewall & one policy
+ Supports all regular features

+ Multiple
+ Enables virtualization
+ Multiple logical firewall instances can co-exist on a single physical unit
+ Each of the virtual firewalls is configured with an interface set & policy
+ Limited feature support
+ VPN, QoS, multicast routing & some routing protocols
+ Configure with mode multiple and then context
Perimeter Security & Intrusion Prevention - ASA

Module Overview
+ Traffic control
+ Objects/object groups
+ MPF
+ NAT
Traffic Control

+ Default ASA Filtering Policy


+ Traffic coming from a higher security level interface is allowed
+ Traffic coming from a lower security level interface is blocked
+ Exceptions can be made with an Access List
+ If src & dst interface have the same security level, traffic is blocked
+ Change with same-security-traffic permit inter-interface
+ If src & dst interface is the same (Hairpinning/U-Turn), traffic is blocked
+ Change with same-security-traffic permit intra-interface
+ Useful in certain VPN scenarios
+ Traffic destined to the firewall (to-the-box) is dropped
+ Except for ICMP & DHCP/HTTPS to the management port
Traffic Control

+ Interface ACL
+ Affects traffic going through a single interface
+ access-group acl_name [in | out] interface if_name

+ Global ACL
+ Affects all incoming transit packets (any interface)
+ Changes the Default Filtering Policy
+ May be deployed in addition to Interface ACL(s)
+ Interface ACL explicit permit/deny always takes precedence
Traffic Control

+ ASA ACL Facts


+ Interface & Global ACLs are for transit traffic only
+ To-the-box traffic can be controlled with a Control Plane ACL
+ access-group control-plane
+ ACL syntax is now unified (access-list)
+ IPv4 & IPv6
+ No more ipv6 access-list
Objects & Object Groups

+ Objects
+ Reusable named definitions of addresses or services
+ IP addresses, subnets or ranges (object network)
+ Protocols and TCP/UDP port numbers (object service)
+ Contain a single element

+ Object Groups
+ Like Objects, but capable of storing multiple elements and/or other Objects
+ Can also group other data types (e.g. icmp-types, users)
+ object-group [protocol | network | icmp-type | service | user |
security]
Modular Policy Framework (MPF)

+ MPF configuration rules control many of the ASA’s features


+ Inspection engines, TCP Normalization, QoS & more
+ Work on traffic permitted by the firewall policy (access rules, default policy)
+ Configured with an MQC-like framework
+ Classification (class-map)
+ Policy Configuration (policy-map)
+ Policy Activation (service-policy)
+ Per-interface (service-policy interface)
+ Globally (service-policy global)
+ By default a preconfigured policy (global_policy) takes effect
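The traffic-control building blocks above in one configuration (added example, not from the slides): objects and object-groups, an interface ACL, a global ACL, a control-plane ACL, and an addition to the preconfigured global_policy. Object names, addresses, ports and interface names are assumptions.

```cisco
! Added example (not from the slides). Object names, addresses, ports and
! interface names are assumptions.

! Objects hold one element; object-groups hold many
object network WEB-SRV
 host 10.10.10.10
object-group network MGMT-HOSTS
 network-object host 10.1.1.50
 network-object host 10.1.1.51
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443

! Interface ACL on outside: the exception to "lower -> higher is blocked".
! The explicit final deny is optional; it makes denied hits visible in syslog.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Global ACL: consulted only for packets the ingress interface ACL neither
! permitted nor denied, and it replaces the security-level default policy.
! Outside traffic never reaches it (OUTSIDE-IN ends in a deny), but inside
! and dmz ingress have no interface ACL here, so this is their policy.
access-list GLOBAL-IN extended deny udp any any eq 69 log
access-list GLOBAL-IN extended permit ip any any
access-group GLOBAL-IN global

! Control-plane ACL: the only ACL type that governs to-the-box traffic.
! Management is already restricted by ssh/http; this drops everything else
! aimed at the outside address. If VPN terminates here, IKE and ESP must be
! permitted, otherwise the tunnels stop coming up.
access-list CP-OUT extended permit udp any interface outside eq 500
access-list CP-OUT extended permit udp any interface outside eq 4500
access-list CP-OUT extended permit esp any interface outside
access-list CP-OUT extended deny ip any any log
access-group CP-OUT in interface outside control-plane

! MPF: add HTTP inspection on TCP 8080 to the existing global_policy
class-map HTTP-8080
 match port tcp eq 8080
policy-map global_policy
 class HTTP-8080
  inspect http
```

show access-list shows hit counts per ACE (the fastest way to see whether a flow hit the interface ACL or fell through to the global ACL), and packet-tracer input outside tcp 198.51.100.7 40000 10.10.10.10 80 walks a synthetic packet through ACL, NAT and MPF and names the rule that permitted or dropped it.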
Network Address Translation (NAT)

+ NAT rewrites IP addresses (and possibly port numbers) in a packet


+ Typically to hide private IP addresses (RFC 1918)
+ Also used for traffic redirection or overlapping subnet problems
+ Not a security tool

+ NAT Types
+ Static (one-to-one, fixed pre-configured mapping)
+ Dynamic (one-to-one, new IP address is allocated dynamically from a pool)
+ PAT (many-to-one, source IP address & source port is changed dynamically)
+ Static PAT (many-to-one, address & port mapping is pre-configured)
+ Policy NAT (any condition-based translation)
ASA NAT Modes

+ NAT on the ASA can be configured in Auto or Manual mode


+ Auto NAT is used to build simple translation rules
+ For src IP address/port translation only
+ Does not allow for Policy NAT or destination IP address translation
+ Configured within a network object (object network) with nat
+ Manual NAT is suited for complex translations
+ Policy NAT or Twice NAT (source & destination IP/port changes)
+ Implemented with the global nat command
+ Operates on objects and object-groups
ASA NAT Rule Processing

+ Each of the configured rules goes to one of three sections


+ Section 1 (Manual NAT)
+ User-sequenced
+ Section 2 (Auto NAT)
+ Sequenced dynamically based on the ASA’s internal algorithm
+ Prefers static rules over dynamic
+ Section 3 (Manual NAT)
+ For Manual NAT rules entered with the after-auto option
+ User-sequenced
+ Rules are checked in section 1 first, then in section 2 and finally in section 3
+ Rules within each section are processed top-down, until first match
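NAT rules that land in each of the three sections (added example, not from the slides), showing why the order of sections matters: an identity rule in Section 1 protects VPN traffic from the dynamic PAT in Section 2, and an after-auto rule in Section 3 catches everything else. Addresses, object names and interface names are assumptions.

```cisco
! Added example (not from the slides). Addresses, object names and
! interface names are assumptions.

! --- Section 2: Auto NAT (nat configured inside network objects) ---
! Static one-to-one for the DMZ web server (inbound still needs an ACL permit)
object network WEB-SRV
 host 10.10.10.10
 nat (dmz,outside) static 203.0.113.10
! Dynamic PAT of the inside network to the outside interface address
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! The ASA orders Section 2 itself: static before dynamic, and within each
! group the rule with fewer real addresses first. WEB-SRV is checked before
! INSIDE-NET no matter which object was typed first.

! --- Section 1: Manual NAT, checked before Section 2 ---
! Identity (twice) NAT so traffic for the remote VPN site is NOT rewritten by
! the dynamic PAT above. Being in Section 1 it wins even though the PAT rule
! also matches the source. no-proxy-arp/route-lookup avoid the ASA answering
! ARP for the remote subnet and keep egress selection on the routing table.
object network REMOTE-NET
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup

! --- Section 3: Manual NAT with after-auto, checked last ---
! Catch-all PAT for any source not handled by Section 1 or 2 (e.g. the DMZ)
nat (any,outside) after-auto source dynamic any interface
```

show nat lists the rules grouped by section with translate_hits and untranslate_hits, which is where to look when a rule "never matches". packet-tracer input inside tcp 10.1.1.20 40000 10.2.2.20 443 should report the Section 1 identity rule, while the same command towards 203.0.113.99 should report the Section 2 dynamic PAT.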
Perimeter Security & Intrusion Prevention - ASA

Module Overview
+ High Availability (HA)
ASA HA Options

+ Failover
+ Active-Standby
+ Active-Active
+ Allows both units to forward traffic
+ Requires multiple context mode (each failover group is active on a different unit)

+ Stateful replication is supported


ASA HA Options

+ Clustering
+ Combines multiple ASAs into one logical unit
+ Results in increased throughput and redundancy
+ Cluster traffic delivery methods
+ Spanned EtherChannel (L2 mode)
+ Individual Interfaces (L3 mode)
+ ECMP or PBR
+ L2 mode is generally recommended for faster convergence

+ Documentation
+ https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-cluster.html
Failover Configuration

+ Failover Unit
+ failover lan unit [primary | secondary]

+ Failover Interface
+ failover lan interface name physical_if
+ failover interface [ip | ipv6] name addr mask standby addr
+ Stateful Failover Link (optional)
+ failover link name physical_if
+ failover interface [ip | ipv6] for the state link, as above

+ Enable Failover
+ failover
+ Physical ports are monitored by default
+ For other ports issue monitor-interface
Active-Active Mode Configuration

+ Failover Groups
+ failover group [1 | 2]
+ Unit to be active for the group [primary | secondary]
+ preempt (optional)

+ Context Activation
+ context
+ join-failover-group [1 | 2]
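An Active/Standby failover pair, followed by the Active/Active additions (added example, not from the slides). Interface names, addresses, the shared key and the context name are assumptions; the subinterfaces allocated to the context are assumed to exist in the system context.

```cisco
! Added example (not from the slides). Interface names, addresses, the
! shared key and the context name are assumptions.

! === Active/Standby: identical on both units except the first line ===
failover lan unit primary
! Dedicated failover LAN link: hellos, configuration sync, unit state
failover lan interface FOLINK GigabitEthernet0/6
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Separate stateful link so connection-table replication does not compete
! with hellos (alternatively reuse the LAN link: failover link FOLINK)
failover link STATELINK GigabitEthernet0/7
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
! Failover traffic is cleartext unless a key is set; the key also stops a
! rogue device on the failover VLAN from pairing with the unit
failover key Fa1l0ver-Shared-Secret
! Physical interfaces are monitored automatically, subinterfaces are not;
! "dmz-web" is assumed to be a subinterface nameif
monitor-interface dmz-web
failover polltime unit 1 holdtime 3
failover

! === Active/Active additions (system context, "mode multiple" required) ===
! Two failover groups, each normally active on a different unit
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
! Each context joins one group; its interfaces and config file are assumed
context CTX-A
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctx-a.cfg
 join-failover-group 1
```

Enable failover on the primary first, then the secondary; the secondary pulls the configuration over the failover link, so only the failover lan unit and failover interface lines are typed on it. show failover shows unit roles, monitored interfaces and the state link; show failover history explains why a switchover happened.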
Perimeter Security & Intrusion Prevention - IOS

Module Overview
+ Zone-Based Firewall
Zone-Based Firewall (ZFW) Overview

+ The newest implementation of a stateful firewall on IOS


+ Much more granular and advanced than the older CBAC
+ Many settings can be tuned, including L7 engines
+ Uses a concept of security zones, similar to the ASA
+ A zone consists of at least one physical/logical interface of the router
+ A pre-defined zone "self" represents the router itself: traffic destined to or sourced from the router's own addresses
+ A pair of zones (aka „zone-pair”) is used to define traffic to act on
+ Source zone is where the traffic originates from, destination is where it
goes (direction does matter)
ZFW Overview

+ Default Traffic Processing


+ Intra-zone communication (source zone = destination zone) is allowed
+ Inter-zone traffic (source zone != destination zone) is blocked
+ Exception : traffic destined to/ sourced from zone „self” is allowed
+ Zone to no-zone (and vice versa) is always dropped
+ No-zone refers to an interface that was not assigned to any zone

+ Intra-zone & inter-zone default traffic processing behavior can be changed by associating a zone-pair with a policy
ZFW Overview

+ ZFW uses Port-to-Application Mapping (PAM)


+ A preconfigured database of applications/protocols & their default transport
+ For example HTTP -> TCP 80, IKE -> UDP 500
+ Existing entries can be updated with [ip|ipv6] port-map [list acl_nr]
+ Useful when non-standard ports are needed, e.g. ip port-map http port tcp 8080
+ New entries can be added for custom applications/protocols, but their name must start with the prefix "user-", for example ip port-map user-IKEv3
ZFW Configuration

+ Configuration Steps
+ Traffic classification
+ Policy configuration
+ Policy activation

+ Classification (class-map type inspect)


+ Condition/criteria types
+ Access-list (match access-group)
+ Protocol (match protocol)
+ Existing class (match class-map)
+ Condition/criteria processing logic (match-all vs match-any)
ZFW Configuration

+ Policy Configuration (policy-map type inspect)


+ Classes are processed top-down like an ACL
+ An implicit class-default matches all remaining packets and by default drops them
+ Policy actions
+ Content filtering for HTTP[S] (urlfilter)
+ Drop (drop) or drop & log (drop log)
+ Rate-limit (police)
+ One-way allow (pass)
+ Stateful inspection (inspect parameter_map)
+ Unless match protocol was used in a class, relies on PAM to find the inspection engine, which results in unoptimized lookups
ZFW Configuration

+ Parameter Maps
+ Control common inspection options, such as timeouts or session parameters
+ The "default" map is used every time inspect is configured with no options
+ A custom map can be configured with parameter-map type inspect
+ Activated in a policy with inspect map_name
+ All undefined settings are inherited from the "default" map
+ The "global" map allows enabling logging of packets dropped by the firewall for reasons other than your policy's drop action

+ Parameter Maps other than "inspect" can also be configured


+ For example to control URL Filtering settings
ZFW Configuration

+ Policy Activation
+ Create zones (zone security)
+ Define required zone-pairs (zone-pair security)
+ Attach your policy (service-policy type inspect)
+ Associate interfaces with zones (zone-member security)

+ Application Layer inspection tuning


+ Create L7 class-map (class-map type inspect [http|smtp|...])
+ Create L7 policy-map (policy-map type inspect [http|smtp|...])
+ Nest the L7 child policy in the L3/4 parent (inspect + service-policy type inspect L7polname)
Perimeter Security & Intrusion Prevention - FTD

Module Overview
+ Platform overview
+ Management
+ FTD Modes
+ Registration
+ Basic setup
Firepower Threat Defense (FTD) Overview

+ A combination of NGIPS (Snort-based) & ASA with additional features


+ Also known as Next-Generation Firewall (NGFW) or NGFW/NGIPS

+ FTD Features
+ ASA : L2-L4 Stateful Firewall, L7 Inspection, NAT, ACL, Routing, HA
+ Firepower : IPS, AVC, URL Filtering, AMP
+ Other : Security Intelligence, Prefiltering & more
FTD Management

+ FTD can be managed with two options


+ Firepower Device Manager (FDM)
+ On-box, included in the FTD image
+ Accessible through a browser
+ Firepower Management Center (FMC) Appliance
+ Recommended

+ FDM functionality is limited


+ Several features are unsupported
+ Suitable only for very small networks
FTD Management

+ The management port can be configured for SSH


+ Default login is user "admin" with password "Admin123"; change it during initial setup

+ FTD Shell Types


+ Default shell (CLISH)
+ Diagnostic CLI
+ Moves you to LINA, the ASA-derived data-plane engine
+ system support diagnostic-cli
+ Linux shell
+ expert
+ FXOS (hardware platforms only)
FTD Modes

+ Operational/Firewall
+ Routed vs Transparent
+ Affects available Interface Modes

+ Functional
+ NGIPS vs NGFW
+ Determined by selected Interface Modes

+ Interface
+ Routed, Switched/BVI/Transparent
+ Inline Pair, Inline Pair with Tap, Passive, Passive (ERSPAN)
Operational/Firewall Modes

+ Deploying a Routed FTD into a live network can be disruptive


+ Requires new IP subnet(s) and re-addressing
+ Supports all main FTD features

+ Transparent FTD easily fits into existing infrastructure


+ L3 settings don’t change
+ Commonly deployed in Data Centers
+ Does not support certain features, such as dynamic routing, QoS or VPNs

+ NGIPS functions can be enabled in any Firewall Mode


NGIPS Modes

+ Passive (IDS)
+ Works on a copy of real traffic (SPAN, RSPAN, ERSPAN)

+ Inline (IPS)
+ Packets coming in on one interface always leave through the other
+ The device can drop or normalize packets
+ Interface pair(s) must be associated with an Inline Set
+ Devices -> Device Management -> Inline Sets
+ The "Tap" mode (also called Inline Tap) may be enabled to test the policies
+ Inline cabling is used but only a copy of the traffic is processed
The Registration

+ To manage a sensor with FMC you need to first register it


+ Requires a working license

+ The registration is performed over an encrypted tunnel


+ Built between the management interfaces over TCP port 8305 (sftunnel)

+ The Procedure
+ Console/SSH to FTD and add FMC (configure manager add)
+ Verify TCP socket with netstat
+ Configure FMC (Devices -> Device Management -> Add Device)
+ Check the session details on FTD (show managers or sftunnel-status)
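The registration procedure from the FTD side (added example, not from the slides), including the variant for an FTD behind NAT, which the FMC cannot reach directly. The FMC address, registration key and NAT ID are assumptions; the prompt characters and "!" comment lines are for reading only and are not typed.

```cisco
! Added example (not from the slides). FMC address, registration key and
! NAT ID are assumptions; "!" lines and prompts are not typed.

! Case 1: FMC reachable from the FTD management interface. The key is a
! one-time secret; the same string is entered in FMC under
! Devices -> Device Management -> Add Device.
> configure manager add 10.1.1.100 Reg1strati0n-K3y

! Case 2: FTD behind NAT, so FMC cannot initiate to it. Use DONTRESOLVE and
! a NAT ID; FMC is added with the same key and NAT ID and the FTD opens the
! TCP/8305 sftunnel towards the FMC.
> configure manager add DONTRESOLVE Reg1strati0n-K3y Nat-Id-4711

! Verification from the default shell (CLISH)
> show managers

! Verification from the Linux shell: the TCP/8305 socket and tunnel state
> expert
$ sudo netstat -an | grep 8305
$ sudo sftunnel-status
```

If show managers stays at "pending" after the device is added in FMC, the usual causes are a key mismatch, TCP/8305 blocked between the management networks, or an FMC/FTD clock skew large enough to break the certificate check on the tunnel. configure manager delete removes a wrong entry so the registration can be repeated.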
Basic Setup

+ Regular firewall interfaces support HA modes & 802.1q trunking


+ Redundant Interfaces
+ EtherChannel
+ Physical appliances only
+ Subinterfaces

+ Configuration
+ Devices -> Device Management -> Interfaces
+ Enable the physical port
+ Choose the interface type with Add Interfaces
Basic Setup

+ Routing on FTD is very similar to routing on the ASA


+ AD, metrics, static routes, separate RIB for management & data, etc.

+ Supported Routing Protocols


+ OSPF (v2/v3)
+ BGP for IPv4 & IPv6
+ RIP for IPv4
+ EIGRP via FlexConfig

+ Configuration
+ Devices -> Device Management -> Routing
Perimeter Security & Intrusion Prevention - FTD

Module Overview
+ Policies overview
+ Access control policy
+ Other policies
Policies Overview

+ Policies control the traffic traversing through FTD


+ Each Policy offers a unique type of functionality
+ SSL
+ Intrusion Detection
+ Access Control & more
Policies Overview

+ Common Policies characteristics


+ Consist of rules
+ Processed top down using first-match logic (Monitor rules are the exception: evaluation continues after a Monitor match)
+ Each rule is made of several elements
+ Conditions
+ Actions
+ Explicit or implicit
+ Position
+ Logging settings & Comments
+ Policy-specific attributes
Policy Processing Order

+ FTD policies & features are processed in a sequential order


+ Prefilter (global L3/L4 ACL)
+ Access Control Policy
+ L3/L4 ACL
+ Security Intelligence (IP)
+ SSL
+ Network Analysis (IPS – Preprocessors) & Network Discovery (Apps)
+ Security Intelligence (DNS, URL)
+ Identity
+ L7 (Application & URL filtering)
+ File + AMP
+ Intrusion Detection (IPS - Snort)
[Figure: Full Packet Processing]
Access Control Policy (ACP) Overview

+ Main source of policy information for FTD


+ Describes HOW traffic should be handled
+ E.g. allow or block
+ Invokes other Policies
+ SSL, Intrusion Detection & more

+ ACP rules can be placed under two sections


+ Mandatory or Default
+ Important if you use Hierarchical Policies
+ Base Policy Mandatory rules go to the top
ACP Rule Actions

+ Monitor
+ Tracks & logs traffic
+ The Policy processing does not stop - other rules are still evaluated

+ Block (and Reset)


+ Blocks traffic without further processing

+ Interactive Block (and Reset)


+ Works with HTTP & HTTPS only
+ Blocks traffic but displays a warning page allowing user to bypass the block
+ Bypassed traffic is processed like with the "Allow" action (inspections apply)
ACP Rule Actions

+ Allow
+ Inspects traffic with all configured Policies
+ E.g. Snort, File/AMP, Network Discovery, etc.
+ The traffic is allowed to pass unless blocked by one of these engines

+ Trust
+ Bypasses Snort, File/AMP & Network Discovery inspections
+ FTD does not perform DPI on Trusted, Blocked or Encrypted traffic
+ Traffic is inspected by SI, Identity & QoS Policies
+ The traffic is allowed to pass unless blocked by one of these engines
+ Don't use it for protocols that negotiate secondary channels
ACP Default Action

+ Traffic not matching any ACP rule is subject to the Default Action
+ Network Discovery Only
+ Trust All Traffic
+ Block All Traffic
+ Recommended for NGFW deployments
+ Intrusion Prevention
+ Snort + Network Discovery
+ File/AMP is not supported
+ Recommended for NGIPS deployments
Prefilter Policy

+ Allows you to exclude certain traffic from any Firepower inspections


+ Prefilter rules are evaluated before any other ACP rules at the LINA level

+ E.g. trusted elephant/latency-sensitive/control plane flows or any tunnels


Prefilter Policy

+ Prefilter Policy supports two types of rules : Tunnel & Prefilter


+ Tunnel
+ Useful to quickly match plain-text tunnels
+ GRE, IP-in-IP, IPv6-in-IP, Teredo
+ Bidirectional (default) or unidirectional
+ Supports rezoning
+ Tagging the tunnel with a new zone for re-evaluation in ACP
+ Prefilter
+ Used to match non-tunnel traffic based on L2-L4 conditions
+ VLAN, Security Zone, IPs, Protocol, Ports
+ Unidirectional
Prefilter Policy

+ Supported Actions
+ Block - blocks traffic without any further inspections
+ Analyze - passes traffic to ACP for further analysis
+ Does not drop/allow packets on its own
+ Fastpath - enables prefiltering
+ Exempts traffic from ALL further inspections
+ ACP Rules, SI, Identity, SSL, IPS, File/AMP, Network Discovery & QoS
+ Similar to ACP "Trust" but not the same
+ ACP Trust bypasses DPI & Network Discovery, but e.g. not SI or rate-limiting
+ ACP supports conditions other than L3/L4
+ User, application, etc.
+ ACP inspects the innermost header
Prefilter Policy Configuration

+ Prefilter Policy is invoked by ACP


+ The Default Prefilter Policy is used if no custom policy was defined
+ Affects tunnels only – passes traffic to the ACP
+ May be changed to "Block all tunnel traffic"
+ A new policy can be added under Policies -> Access Control -> Prefilter
+ Activate it under Policies -> Access Control -> Advanced
Security Intelligence (SI)

+ Special FTD engine designed to quickly drop certain traffic


+ e.g. traffic originated by known malicious sources
+ IP addresses, URLs & domains
+ Identified by Talos
+ Improves performance
+ Early phase of ACP

+ SI Information Sources
+ Feeds
+ Manual Lists
+ Blacklist/Whitelist IP Now
DNS Policy

+ Enables domain support for SI


+ Stops DNS Queries for known malicious or unsafe domains
+ No IP address -> no traffic to inspect

+ DNS Policy consists of Whitelist & Blacklist sections


+ Whitelist rules take precedence over all Blacklist rules
+ First global, then custom
+ Policy actions
+ Whitelist
+ Monitor
+ Blacklist
+ Drop, Domain Not Found, Sinkhole
SI Configuration - IPs & URLs

+ Dynamic Blacklisting
+ Update the Feed (Object -> Object Management -> Update Feeds)
+ Select the categories to use
+ Policies -> Access Control -> Security Intelligence

+ Manual Lists
+ Add your entries into a .txt file
+ One record per line
+ Upload the file under Object -> Object Management -> Security
Intelligence
+ Update ACP (Security Intelligence) with the new Object
SI Configuration - Domains

+ The system-provided DNS Policy is used by default

+ Custom Policy
+ Define a custom Policy
+ Policies -> Access Control -> DNS
+ Edit rules
+ Add objects to use
+ Object -> Object Management -> Security Intelligence -> DNS Lists &
Feeds
+ Enable the Policy
+ Policies -> Access Control -> Security Intelligence -> DNS Policy
File Policy

+ File Policy detects & inspects transmitted files


+ Supported protocols: FTP, HTTP, SMTP, IMAP, POP3 & NetBIOS-ssn
+ Consists of two separate features : File Control & AMP
+ File Control
+ Capable of blocking files of a certain type/extension
+ Requires Threat License
+ Advanced Malware Protection (AMP) for Networks
+ Detects & handles malware
+ Requires Malware License
File Policy Configuration

+ Pre-requisites
+ Adaptive Profiling must be enabled
+ Policies -> Access Control -> Advanced

+ File Policy manages File Control and/or AMP settings


+ Policies -> Access Control -> Malware & File
+ Select application, transfer direction, files and/or categories
+ Enable File Control and/or AMP by using the appropriate action

+ File Policy must be invoked by the ACP


+ Policies -> Access Control -> Inspection
+ Use "Allow" & not "Trust" or Prefilter Fastpath for the inspected traffic
Perimeter Security & Intrusion Prevention - FTD

Module Overview
+ NGIPS overview
+ Default Policies
+ Snort variables & rules
+ Configuration
NGIPS Overview

+ FTD's NGIPS functionality is based on Snort


+ Legacy IPS focuses on signature matching; NGIPS adds context
+ Application/Protocol/User/Vulnerability/Context awareness
+ Advanced Event Correlation & more

+ Deployment Modes
+ Passive (IDS)
+ Requires Passive, Passive ERSPAN or Inline Pair with Tap interface
+ Inline (IPS)
+ Requires Inline Pair interface
Normalization

+ Snort requires packets to be presented in a standardized way


+ Handled by Preprocessors during Normalization
+ Stream/fragment reassembly, checksumming, protocol-specific decoding, etc.
+ Evasion & attack detection

+ Preprocessors are controlled by the Network Analysis Policy (NAP)


Default Policies

+ FTD comes with several Default Policies to expedite a deployment


+ Used as a baseline for a custom policy
+ Intrusion and/or Network Analysis

+ Default Intrusion Policies


+ Differ in number of enabled rules & Preprocessor settings
+ No Rules Active
+ Balanced Security and Connectivity
+ Connectivity over Security
+ Security over Connectivity
+ Maximum Detection
Snort Variables

+ Snort rules work on variables rather than actual IPs/ports


+ Lets rules be used in any environment without modifying them
+ Located under Objects -> Object Management -> Variable Set

+ Variable Types
+ $*_NET
+ Network/subnet addresses, such as $HOME_NET
+ $*_SERVERS
+ Individual server IPs, e.g. $DNS_SERVERS
+ $*_PORTS
+ TCP/UDP ports, like $HTTP_PORTS
Snort Variables

+ Correct variable definition is critical to proper NGIPS operations


+ Always tune $HOME_NET and $EXTERNAL_NET values
+ Setting $EXTERNAL_NET to !$HOME_NET won’t always work
+ May leave trusted segments unprotected
+ Best Practices
+ Set $HOME_NET to all protected subnets & public ranges you own
+ Leave $EXTERNAL_NET as “any”
+ Tune all used $*_SERVERS and appropriate $*_PORTS
+ If in doubt, set $*_SERVERS to $HOME_NET

+ Using multiple Variable Sets might be an alternative


Snort Rules

+ Each Snort Rule consists of a Header and a Body


+ Rule Header
+ Tells what traffic to look at (L3/L4)
+ Source/destination IPs/ports, protocol & flow direction
+ Defines an action to take
+ Native Snort actions such as alert, pass or drop; in Firepower a rule's state is Disabled, Generate Events, or Drop and Generate Events
+ Rule Body (Rule Options)
+ Describes the attack (Payload)
+ Keywords, arguments & patterns
+ A match triggers the rule action
+ Contains Event Message
Snort Rules

+ Rule Header
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

+ Rule Body
(msg:"Test rule fires"; flow:to_server,established; \
uricontent:"cgi/main/malware.exe"; reference:cve,1991-1345; \
classtype:web-application-activity; sid:9991; rev:1;)

+ Header and body together form one rule; the trailing backslash continues the rule onto the next line
+ reference takes the scheme and the identifier separated by a comma (reference:cve,id)
+ FMC assigns imported custom rules a SID of 1,000,000 or higher regardless of the sid written here
NGIPS Configuration

+ NGIPS is controlled by three Policies


+ Network Analysis
+ Intrusion
+ Access Control
NGIPS Configuration

+ Network Analysis Policy (NAP)


+ ACP uses one global NAP by default
+ ACP -> Advanced -> Network Analysis and Intrusion Policies
+ For Custom NAP navigate to NAP from ACP or Intrusion Policy page
+ “Balanced Security and Connectivity” is recommended as a base
+ Tuning IP Defragmentation & TCP Stream is considered as a best practice
+ Custom NAP rules
NGIPS Configuration

+ Intrusion Policy
+ Pre-requisites
+ Configure Snort Variables
+ Accurate $HOME_NET is critical to proper NGIPS operations
+ Policies -> Access Control -> Intrusion
+ “Balanced Security and Connectivity” is recommended as a base
+ Enable/disable/tune Snort rules
+ Objects -> Intrusion Rules
+ Consider using Firepower Recommendations
NGIPS Configuration

+ Access Control Policy


+ Start with Advanced settings
+ Ensure that Adaptive Profiles are enabled
+ Tune the pre-scan Policy & choose NAP
+ Network Analysis and Intrusion Policies
+ Invoke Intrusion Policies in the ACP rules
+ Inspection
+ Re-configure the Default Action, if needed

+ Verification
+ Analysis -> Intrusions -> Events
Firepower Recommendations

+ Advises on which rules to enable/disable in a given network


+ Heavily relies on Network Discovery
+ Use Firepower Recommendations AFTER the discovery

+ Configuration
+ Define networks to examine
+ Should match Network Discovery settings
+ Set Recommendation Threshold
+ Considers rule’s CPU overhead
+ As a best practice schedule Recommendations to re-run periodically
Network Discovery Policy

+ Controls the type & amount of discovered data


+ The Default Network Discovery Policy analyzes all IP traffic (0.0.0.0/0 + ::/0)
+ Detects applications only
+ Application detection engine requires the first few packets in a session

+ The Default (or new) Network Discovery Policy must be tuned


+ Policies -> Network Discovery
+ Replace the default “any IP” with your own networks to save resources
+ Choose the data to collect (Applications, Hosts, Users)
+ Host Profiles might be very useful for IPS deployments
+ Exclude Load Balancers & NAT devices from the discovery
CCIE Security v6 Bootcamp
Secure Connectivity

ine.com
Module Overview
+ VPNs
+ IKE & IPsec
Virtual Private Network (VPN)

+ Virtual Private Network (VPN) serves as a logical connection


+ Its primary function is to provide end-to-end connectivity
+ Usually built over an unsecured network, such as the Internet

+ VPNs rely on Tunneling


+ A process of encapsulating the original packet into a new header
+ Not all VPN implementations are secure

+ VPN Types
+ Remote Access
+ Site-to-Site (LAN-to-LAN or L2L)
IP security (IPsec) overview

+ The most common implementation of VPNs


+ RFC 4301 "Security Architecture for the Internet Protocol"
+ Layer 3

+ IPsec Security Services


+ Authentication
+ Data Confidentiality
+ Data Integrity
+ Anti-replay
IPsec overview

+ IPsec consists of multiple protocols & standards


+ Internet Security Association & Key Management Protocol (ISAKMP)
+ A framework describing core IPsec functions (RFC 2408)
+ Specifies that keying & authentication should occur
+ Describes the procedures to establish, negotiate, modify & delete tunnel information
+ Internet Key Exchange (IKE) is an implementation of ISAKMP
+ Performs main Control Plane functions, like key exchange, authentication, etc.
+ IKEv1 (RFC 2409) & IKEv2 (RFC 7296)
IPsec overview

+ IPsec heavily relies on Cryptography


+ Control Plane
+ Key Management : DH, ECDH
+ Authentication : PSK, RSA, ECDSA
+ Data Plane
+ Security Protocols : ESP, AH
+ Confidentiality : DES, 3DES, AES, SEAL
+ Data Integrity and Origin Authentication : MD5, SHA-1, SHA-2

+ IPsec is a framework of open standards


+ Obsolete technologies can be replaced without changing the framework
IPsec with IKEv1

+ IKEv1 operates in two phases


+ ISAKMP/IKE Phase I
+ Performed in one of two Modes : Main (MM) or Aggressive (AM)
+ ISAKMP/IKE Phase II
+ Quick Mode (QM)

+ Both negotiations run over UDP port 500 by default


+ Successful Phase I negotiation results in an IKE Security Association (SA)
+ Successful Phase II negotiation results in two separate IPsec SAs

+ SAs are re-negotiated ("rekeying") before their lifetime expires


IPsec with IKEv1

+ IKEv1 Phase I exchanges


+ IKE Policy
+ Encryption : DES, 3DES, AES (128, 192, 256)
+ Hash : MD5, SHA-1, SHA-2 (256, 384, 512)
+ Diffie-Hellman Group : 1, 2, 5, 14, 15, 16 or ECDH* 19, 20 and 24
+ Authentication Method
+ Lifetime
+ The only parameter that does not have to match the peer's setting
+ Diffie-Hellman (DH)
+ Authentication
+ Pre-shared keys (PSKs) or digital certificates
IPsec with IKEv1

+ IKEv1 Phase II exchange (Quick Mode)


+ Encryption & Hashing functions (3DES, MD5, etc.)
+ Proxy Identities (traffic to be protected)
+ ACL must be mirror-image
+ Security Protocol (AH or ESP)
+ Encapsulation Mode (Transport or Tunnel)
+ (Optional) Perfect Forward Secrecy (PFS)
+ An additional DH exchange to derive a fresh set of symmetric keys

+ All Quick Mode settings must match between the peers


IPsec with IKEv2

+ IPsec IKEv2 tunnels are subject to at least two exchanges


+ IKE_SA_INIT
+ Security algorithms, DH information
+ IKE_AUTH
+ Identities, authentication data*, traffic selectors

+ Both negotiations run over UDP port 500 by default


+ Successful IKE_AUTH results in an IPsec tunnel (CHILD_SA)
+ If more SAs are needed, additional exchanges will follow

+ *Authentication method is NOT negotiated in IKEv2


IPsec Components

+ Encapsulation Modes
+ Tunnel
+ Creates a virtual tunnel (new IP header)
+ Allows protecting traffic between different sites and/or non-IPsec-capable devices
+ Transport
+ Tunnel-less protection
+ Communicating devices are the IPsec endpoints at the same time
+ They must run IPsec software
+ Proxy ACL must include addresses of VPN endpoints themselves
IPsec Components

+ Security Protocols
+ Authentication Header (AH)
+ Offers Data Integrity, Authentication and Replay Protection
+ No encryption
+ Protects the entire packet, including the header

+ Encapsulating Security Payload (ESP)


+ Offers Data Integrity, Authentication, Confidentiality and Replay Protection
+ Integrity checks are performed on the ESP header and entire payload
+ Encryption is performed on the entire payload
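The "Replay Protection" service listed for AH and ESP is implemented by a per-SA sliding window over the sequence number. The block below is an added example, not code from the slides or from any Cisco product, that implements that window the way RFC 4303 describes it; it assumes 32-bit sequence numbers (no ESN) and a 64-packet window, and the received sequence numbers are constructed.

```python
class AntiReplayWindow:
    """Sliding anti-replay window of the kind ESP and AH receivers keep per SA
    (RFC 4303 section 3.4.3). Assumed: 32-bit sequence numbers without ESN and
    a 64-packet window.

    bitmap bit i set means sequence number (top - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is new and inside the window, False if it must be
        dropped. Call this only after the ICV has verified, so that a forged
        packet cannot advance the window."""
        if seq == 0:
            return False                     # 0 is never sent on the wire
        if seq > self.top:                   # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # left of the window: too old to track
        if self.bitmap & (1 << offset):
            return False                     # already seen: replay
        self.bitmap |= 1 << offset           # late but new: accept and mark
        return True

def replay_decisions(seqs, size: int = 64):
    """Run a list of received sequence numbers through one window and return
    the accept/drop decision for each."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]

# Constructed capture: in-order packets, one reordered, two replays, a large
# jump, then a packet that fell behind the window.
SAMPLE_SEQS = [1, 3, 2, 2, 1, 100, 36, 37]
```

Reordered-but-new packets (sequence 2 after 3) are accepted, exact replays are dropped, and after the jump to 100 anything older than 100 - 64 is dropped as well, which is why a receiver with a large window (and a sender that does not reuse sequence numbers across a rekey) matters on lossy links.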
ASA Considerations

+ Tunnel Group
+ A virtual interface for terminating & controlling VPN connections
+ Controls the VPN connection by choosing a Group Policy
+ A few settings can be set directly, such as the AAA database or DHCP/DNS

+ Group Policy
+ A container for VPN connection settings & attributes
+ Makes application of the VPN policy easier & more scalable
+ Group Policy settings & attributes
+ Allowed VPN protocol
+ Split Tunneling List & Policy
+ IP address pool, session timeout, ACL filters & more
FTD Considerations

+ Certificate Setup (optional)


+ Devices -> Certificates

+ Tunnel Configuration
+ Similar to the ASA
+ Devices -> VPN -> Site To Site

+ Verification & Troubleshooting


+ Overview -> Dashboards -> Access Controlled User Statistics -> VPN
+ Devices -> VPN -> Troubleshooting
IOS Configuration (IKEv1)

+ Phase I Settings
+ crypto isakmp policy
+ crypto isakmp key or crypto pki trustpoint

+ Phase II Settings
+ crypto ipsec transform-set
+ access-list
+ crypto map ipsec-isakmp
+ interface
+ crypto map
ASA Configuration (IKEv1)

+ Phase I & II Settings


+ crypto ikev1 policy
+ access-list
+ crypto ipsec ikev1 transform-set
+ crypto map [set | match]
+ crypto map interface

+ ASA-specific
+ group-policy [internal | external]
+ group-policy attributes
+ tunnel-group type ipsec-l2l
+ tunnel-group [general-attributes | ipsec-attributes]
CCIE Security v6 Bootcamp
Secure Connectivity

ine.com
Module Overview
+ PKI
+ FlexVPN
Public Key Infrastructure (PKI)

+ A system providing secure & scalable authentication with Asymmetric Keys
+ PKI components
+ Digital Certificates
+ Electronic files used to prove an identity
+ Certificate Authority (CA)
+ Issues digital certificates
+ Controls digital certificates
+ Revocation
+ Trusted by all PKI members
PKI Operations

+ Enrollment
+ A process of joining a PKI
+ Time synchronization
+ Asymmetric Key Pair

+ Authentication Process
+ Certificate Validation
+ Signature Check
+ Expiration Dates
+ Revocation Check (optional)
+ Asymmetric Encryption / Decryption
+ Only if a Certificate was successfully validated
PKI Configuration

+ Prerequisites
crypto key generate [rsa | ec] [label] [exportable]
ntp [master | server]

+ IOS CA
ip http server
crypto pki server CA_name
[options]
no shutdown
PKI Configuration

+ Client
crypto pki trustpoint
enrollment url http://ip_address
rsakeypair | eckeypair

crypto pki authentication

crypto pki enroll
FlexVPN Overview

+ Cisco’s IOS implementation of IKEv2


+ Unified VPN configuration framework based on tunnel interfaces
+ L2L, Remote Access & Spoke-Spoke VPNs

+ FlexVPN Components
+ IKEv2 Proposal, Policy & Profile
+ Credential Store
+ IPsec Profile
+ Tunnel interface
+ Static vs Dynamic
+ Routing
FlexVPN Configuration

+ Cisco Documentation
+ FlexVPN and Internet Key Exchange Version 2 Configuration Guide
CCIE Security v6 Bootcamp
Secure Connectivity

ine.com
Module Overview
+ SSL/TLS
+ Remote Access VPNs
SSL/TLS Overview

+ Secure Sockets Layer (SSL)


+ Client-server protocol created by Netscape to protect WWW traffic
+ Capable of protecting other application-layer protocols
+ SMTP, FTP, LDAP & more

+ Transport Layer Security (TLS)


+ IETF-standardized, improved & more secure version of SSL

+ SSL & TLS rely on Asymmetric Key Cryptography


+ Require PKI (typically public)
+ Server's certificate protects the exchange of symmetric keys
Remote Access VPNs

+ Provide secure access for individual users


+ Solution Components
+ Client
+ Gateway (headend)

+ SSL/TLS VPNs
+ Clientless
+ Thin Client
+ Extends browser capabilities
+ Full Client
+ AnyConnect
Remote Access VPNs

+ ASA
+ Using ASDM may help
+ asdm image
+ http server enable
+ http
+ aaa authentication http console
+ Start with Wizards -> VPN Wizards
+ Documentation
+ ASA Series VPN CLI Configuration Guide
+ AnyConnect VPN Client Connections
Remote Access VPNs

+ FTD
+ Requires RADIUS (user) & certificate (server) authentication
+ Configuration is similar to the ASA
+ Devices > VPN > Remote Access
+ Documentation
+ TechNotes "AnyConnect Remote Access VPN configuration on FTD"
+ https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html
+ FMC Documentation
+ Firepower Threat Defense VPN
CCIE Security v6 Bootcamp
Secure Connectivity

ine.com
Module Overview
+ DMVPN
DMVPN Overview

+ Scalable solution for centrally managed VPNs


+ Easy to deploy and manage
+ Hub and Spoke Architecture
+ On-demand Spoke-Spoke tunnels
+ Dynamic Routing
+ Pseudo-Broadcast
+ Redundancy
+ Dual Hub
+ Not secure
+ IPsec or GETVPN
DMVPN Overview

+ DMVPN uses GRE tunneling


+ Requires an additional network and addressing
+ Non-Broadcast Multi Access (NBMA)
+ Public "underlay"
+ VPN
+ Private "overlay"
+ Needed for routing

+ Multipoint GRE (mGRE)


+ Represents one or more VPNs
DMVPN Overview

+ Next-Hop Resolution Protocol (NHRP)


+ Allows Spokes to join a DMVPN network/cloud
+ Registration
+ Provides Spokes with IP address information
+ VPN to NBMA

+ DMVPN Routing Protocol


+ IGP or BGP
DMVPN Overview

+ Latest DMVPN implementation is known as "Phase III"


+ Allows for effective route Summarization
+ Next-Hop must point to the Hub
+ Supports multi-tier designs

+ NHRP Message Types


+ Registration
+ Resolution Request
+ Resolution Reply
+ Redirect (ip nhrp redirect)
+ NHRP Shortcut (ip nhrp shortcut) allows NHRP shortcut entries to override the CEF next hop
DMVPN Configuration - Hub

+ mGRE Tunnel (interface tunnel)


+ ip address
+ tunnel source
+ tunnel mode gre multipoint
+ NHRP Settings
+ ip nhrp network-id
+ ip nhrp map multicast dynamic
+ ip nhrp redirect
DMVPN Configuration - Spoke

+ mGRE Tunnel (interface tunnel)


+ ip address
+ tunnel source
+ tunnel mode gre multipoint
+ NHRP Settings
+ ip nhrp network-id
+ ip nhrp nhs hub_tunnel_IP
+ ip nhrp map hub_tunnel_IP hub_NBMA_IP
+ ip nhrp map multicast hub_NBMA_IP
+ ip nhrp shortcut
DMVPN Configuration - IPsec

+ Enabled through an IPsec Profile on DMVPN tunnels


+ crypto ipsec transform-set
+ crypto ipsec profile
+ tunnel protection ipsec profile

+ IKE settings and Authentication data are still needed


+ crypto isakmp policy
+ crypto isakmp key or crypto pki trustpoint

+ Documentation
+ Dynamic Multipoint VPN Configuration Guide
CCIE Security v6 Bootcamp
Identity Management & Access Control

ine.com
Module Overview
+ ISE overview
+ Deployment models
+ The Policies
+ AD Integration
Identity Services Engine (ISE) Overview

+ Next-generation Identity Management system


+ Similar to ACS but much more powerful
+ Context-based access
+ Network visibility
+ Centralized policy enforcement
+ Guest & endpoint management

+ Available as a physical or virtual appliance


+ 1 RU 3600-series Secure Network Server (SNS)
+ VMware ESXi/Red Hat KVM/Microsoft Hyper-V software image
ISE Overview

+ Main features (2.4)


+ Centralized Management & AAA
+ Flexible rule-based policies
+ RADIUS & TACACS+
+ External Databases
+ Profiling
+ BYOD
+ Guest Services
+ Posture Assessment
+ TrustSec
+ Platform Exchange Grid (pxGrid) Integration
+ Internal Certificate Authority (CA)
ISE Documentation

+ Cisco Documentation -> Security -> Identity Services Engine


+ https://www.cisco.com/c/en/us/support/security/identity-services-engine/tsd-products-support-series-home.html
+ See "Documentation Roadmaps"
ISE Terminology

+ Node
+ Single ISE instance

+ Persona
+ A role describing the main function of a Node
+ Service refers to an individual feature a Persona provides
ISE Terminology

+ ISE Personas
+ Policy Administration Node (PAN)
+ Handles all system & policy related configuration (“mothership”)
+ Synchronizes databases of all other nodes
+ Policy Service Node (PSN)
+ Delivers all configured services (“workhorse”)
+ Monitoring & Troubleshooting (MnT)
+ Enables ISE to function as a Log Collector
+ Stores logs from all other nodes – PAN & PSNs
+ pxGrid
+ Shares context-sensitive data with other systems
+ NGFW, Stealthwatch, non-Cisco ISE partner systems (“ecosystems”)
ISE Design

+ Deployment Models
+ Standalone
+ Distributed
+ Redundancy & improved performance

+ Check out the documentation


+ Network Deployments in Cisco ISE
+ Cisco ISE Ports Reference
Policies Overview

+ ISE services are controlled through Policies


+ Authentication, Authorization, Posture, Profiler & more
+ Policies consist of rules that are generally processed top-down*
+ Default Rule (if exists) acts as a catch-all

+ Policies and/or Policy Rules are made of two types of Policy Elements:
+ Conditions
+ Matching criteria
+ Results
+ Action(s)
Policy Sets

+ Logical groupings of Authentication & Authorization policies


+ Default in ISE 2.3+
+ Simplify policy structure
+ Separate sets for wired/wireless/guest/etc. access
+ Processing
+ Policy-set-level rules are evaluated first (top-down) until a match
+ The Default Set is checked last
+ For the set to be processed, Allowed Protocols must be met
+ Rules within the processed set follow top-down first-match evaluation
+ Available for network access & device administration
Authentication (AuthC) Policy

+ Establishes an Identity

+ Matched Rule Processing


+ Identity Store Selection
+ E.g. Identity Source Sequence
+ Identity Validation
+ PASS
+ FAIL
Authentication Policy

+ Successful Authentication (PASS) leads to Authorization


+ Failure Scenarios (FAIL)
+ Authentication failed
+ User not found
+ Process failed

+ Failover Options
+ Reject
+ Drop
+ Continue
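The Policy Set and Authentication Policy slides above describe an evaluation order (first matching set, Allowed Protocols gate, first matching rule, identity store lookup, failover option per failure scenario) that is easiest to see as code. The block below is an added example, not ISE code and not from the slides: it models that order with constructed policy sets, identity stores, users and passwords, and it simplifies an Identity Source Sequence to "try the next store only when the user was not found".

```python
from dataclasses import dataclass, field
from typing import Callable, List

class StoreError(Exception):
    """Identity store unreachable: models the 'Process failed' outcome."""

@dataclass
class Request:
    medium: str            # "wired" or "wireless"
    protocol: str          # e.g. "PEAP", "EAP-TLS", "MAB"
    username: str          # for MAB this is the endpoint MAC
    password: str = ""

# --- constructed identity stores (nothing here is a real account) -----------
INTERNAL_USERS = {"svc-printer": "pr1nt"}
AD_USERS = {"alice": "Winter2024!"}
KNOWN_ENDPOINTS = {"00:11:22:33:44:55"}
AD_REACHABLE = {"up": True}

def internal_store(req: Request) -> str:
    if req.username not in INTERNAL_USERS:
        return "USER_NOT_FOUND"
    return "PASS" if INTERNAL_USERS[req.username] == req.password else "AUTH_FAILED"

def ad_store(req: Request) -> str:
    if not AD_REACHABLE["up"]:
        raise StoreError("AD join point unreachable")
    if req.username not in AD_USERS:
        return "USER_NOT_FOUND"
    return "PASS" if AD_USERS[req.username] == req.password else "AUTH_FAILED"

def internal_endpoints(req: Request) -> str:
    return "PASS" if req.username in KNOWN_ENDPOINTS else "USER_NOT_FOUND"

def run_sequence(stores, req: Request) -> str:
    """Identity Source Sequence (simplified): the first store with a definite
    answer wins; 'user not found' moves on to the next store."""
    for store in stores:
        result = store(req)
        if result != "USER_NOT_FOUND":
            return result
    return "USER_NOT_FOUND"

@dataclass
class AuthcRule:
    name: str
    matches: Callable[[Request], bool]
    sequence: List[Callable[[Request], str]]
    # Failover option per failure scenario: REJECT, DROP or CONTINUE
    on_auth_failed: str = "REJECT"
    on_user_not_found: str = "REJECT"
    on_process_failed: str = "DROP"

@dataclass
class PolicySet:
    name: str
    matches: Callable[[Request], bool]
    allowed_protocols: set
    rules: List[AuthcRule] = field(default_factory=list)

def evaluate(policy_sets: List[PolicySet], req: Request) -> dict:
    # Policy sets are top-down first-match; the Default set is listed last.
    chosen = next((s for s in policy_sets if s.matches(req)), None)
    if chosen is None:
        return {"set": None, "rule": None, "outcome": "REJECT"}
    if req.protocol not in chosen.allowed_protocols:   # Allowed Protocols gate
        return {"set": chosen.name, "rule": None, "outcome": "REJECT"}
    rule = next((r for r in chosen.rules if r.matches(req)), None)
    if rule is None:
        return {"set": chosen.name, "rule": None, "outcome": "REJECT"}
    try:
        result = run_sequence(rule.sequence, req)
    except StoreError:
        result = "PROCESS_FAILED"
    outcome = {
        "PASS": "AUTHORIZE",             # success: continue to the AuthZ policy
        "AUTH_FAILED": rule.on_auth_failed,
        "USER_NOT_FOUND": rule.on_user_not_found,
        "PROCESS_FAILED": rule.on_process_failed,
    }[result]
    return {"set": chosen.name, "rule": rule.name, "outcome": outcome}

POLICY_SETS = [
    PolicySet("Wired MAB", lambda r: r.medium == "wired" and r.protocol == "MAB", {"MAB"},
              [AuthcRule("MAB", lambda r: True, [internal_endpoints],
                         on_user_not_found="CONTINUE")]),   # let AuthZ handle unknown MACs
    PolicySet("Wired Dot1X", lambda r: r.medium == "wired", {"PEAP", "EAP-TLS"},
              [AuthcRule("Dot1X", lambda r: True, [internal_store, ad_store])]),
    PolicySet("Default", lambda r: True, {"PEAP"},
              [AuthcRule("Default", lambda r: True, [internal_store])]),
]

def outcome_during_ad_outage(req: Request) -> str:
    """Evaluate with the AD store down, then restore it (for the 'Process failed' case)."""
    AD_REACHABLE["up"] = False
    try:
        return evaluate(POLICY_SETS, req)["outcome"]
    finally:
        AD_REACHABLE["up"] = True
```

Note the two outcomes that are easy to misconfigure: a wireless EAP-TLS request is rejected by the Default set's Allowed Protocols before any identity store is consulted, and an unknown MAC under MAB yields CONTINUE rather than REJECT only because that rule's "user not found" option says so.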
Authorization (AuthZ) Policy

+ Determines access to the network/device


+ Authorization Policy Types
+ Standard
+ Exception
+ Local vs Global
+ Exception rules take precedence over Standard rules
+ Top-down, first-match
+ The "Multiple Matched" option is deprecated since 2.3

+ A matching rule returns an Authorization Profile


+ Set of permissions to be enforced on the session
Authorization Policy

+ Policy Enforcement Methods


+ Downloadable ACL (dACL)
+ VLAN Segmentation
+ Web Authentication
+ Central or Local
+ Security Group Tag (SGT)
+ Any other RADIUS AV Pairs (including VSAs)
+ MACsec Policy, Reauthentication, Smartport Macros & more
AD Integration

+ Prerequisites
+ ISE Super/System User account
+ Time synchronization (NTP)
+ Port openings
+ DNS
+ MS-RPC
+ Kerberos
+ LDAP & LDAP (GC)
+ NTP
+ IPC
CCIE Security v6 Bootcamp
Identity Management & Access Control

ine.com
Module Overview
+ AAA
+ Administrative Access
AAA Overview

+ AAA is a framework for configuring three different security functions


+ Authentication is a process of providing and verifying an identity
+ May involve multiple factors/elements
+ Something you know (e.g. password)
+ Something you have (e.g. token)
+ Something you are (e.g. biometrics)
+ Authorization enforces a policy
+ Privileges, access level/scope etc.
+ Accounting is a process of tracking and recording activities
+ What and when
AAA Security Protocols

+ AAA could be deployed directly on Network Access Devices (NADs)


+ Not scalable, limited AAA functionality
+ Centralized AAA is only possible with RADIUS or TACACS+
+ A client device (NAD) does AAA with a RADIUS/TACACS+ server

+ RADIUS & TACACS+ exchange the client-server info using Attributes


+ Each Attribute is designed to carry a certain type of info
+ Value is the data
+ RADIUS supports Vendor Specific Attributes (VSAs) that let vendors carry proprietary data
AAA Configuration Overview

+ IOS AAA framework is by default disabled


+ Activate it with aaa new-model

+ AAA functions are controlled with Method Lists


+ Default
+ Custom (user-defined)
+ Must be activated
+ Overrides a corresponding Default List

aaa [authentication | authorization | accounting] service [name | default] method


AAA Configuration Overview

+ AAA Method (database)


+ RADIUS
+ radius-server
+ TACACS+
+ tacacs-server

+ Database configuration
+ ACS
+ ISE
+ LOCAL
Authentication (AuthC)

+ A process of verifying an identity


+ Commonly authenticated services
+ IEEE 802.1x (dot1x)
+ Enable password (enable)
+ Login (login)
+ To activate a custom list use login authentication under a line

+ Fallback Authentication
+ More than one method can be defined (backup)
+ aaa authentication login default group tacacs+ local
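The fallback in aaa authentication login default group tacacs+ local is often misread as "if TACACS+ says no, try local". The following added example (not Cisco code, not from the slides) models how an IOS method list is walked: the next method is consulted only when the current one returns an error (no server answered), while an explicit failure from a reachable server ends the list. Servers, users and passwords are constructed.

```python
# Constructed AAA credentials; nothing here is real infrastructure.
TACACS_USERS = {"netops": "t@c@cs-pw"}
LOCAL_USERS = {"admin": "local-pw"}

# Each method returns PASS, FAIL or ERROR: the three-way result that decides
# whether the next method in the list is consulted.
def method_tacacs(user, password, tacacs_up):
    if not tacacs_up:
        return "ERROR"                     # no server in the group answered
    return "PASS" if TACACS_USERS.get(user) == password else "FAIL"

def method_local(user, password, tacacs_up):
    return "PASS" if LOCAL_USERS.get(user) == password else "FAIL"

def method_none(user, password, tacacs_up):
    return "PASS"                          # "none": no authentication at all

METHODS = {"group tacacs+": method_tacacs, "local": method_local, "none": method_none}

def authenticate(method_list, user, password, tacacs_up=True):
    """Walk a method list such as ["group tacacs+", "local"]. Only ERROR moves
    on to the next method; PASS or FAIL ends the evaluation.
    Returns (result, trace) where trace lists every (method, result) consulted."""
    trace = []
    for name in method_list:
        result = METHODS[name](user, password, tacacs_up)
        trace.append((name, result))
        if result != "ERROR":
            return result, trace
    return "FAIL", trace                   # every method errored: deny
```

The practical consequence: a local admin account is usable only while the TACACS+ servers are unreachable, and a method list ending in "none" grants access to anyone once the servers are down, which is why "none" belongs, if anywhere, on the console line only.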
Authorization (AuthZ)

+ A process of enforcing a policy


+ Commonly authorized services
+ Network (network)
+ EXEC/Shell (exec)
+ To activate a custom list use authorization exec
+ Commands (command)
+ To activate a custom list use authorization commands
+ Console access is not authorized unless aaa authorization console

+ Fallback Authorization works similar to Fallback Authentication


Accounting

+ A process of logging session activities


+ Common applications
+ EXEC/Shell (exec)
+ start-stop vs stop-only
+ To activate a custom list use accounting exec
+ Commands (commands)
+ To activate a custom list use accounting commands

+ Works with RADIUS or TACACS+


CCIE Security v6 Bootcamp
Identity Management & Access Control

ine.com
Module Overview
+ Profiling
+ Probes overview
Profiling Overview

+ ISE uses Profiling for endpoint detection & classification


+ Relies on Probes & Policies
+ Profiling Probes analyze received network traffic
+ Collect endpoint attributes
+ Profiling Policies
+ Analyze attributes to determine the endpoint’s Profile

+ Profiling information aids in building accurate Policies


The Process

+ Profiling is ongoing & consists of several steps


+ Analysis of the received network traffic
+ RADIUS, SNMP, DHCP and more
+ Extraction of profiling data
+ Attributes
+ Addresses
+ MAC, IP or both
+ Endpoint database update
+ Evaluation of the attributes against Profiling Policies
+ Usually results in Profile assignment or update
Profiling Policies

+ Profiling Policies are similar to IPS signatures


+ Consist of Rules
+ If condition then action
+ Actions : Increase Certainty Factor (CF), Network Scan, Exception
+ May be hierarchical

+ Policy selection
+ Based on the highest total Certainty Factor (CF)
+ Rules with “Increase CF”
+ For the Child Policy to be selected its Parent must match as well
+ Ties are handled alphabetically
Profiling Policies

+ Policy match aftermath


+ Profile assignment
+ If no Policy matched, the endpoint gets profiled as "Unknown"
+ Identity Group assignment
+ Not very important since 1.2
+ May be useful for MAC address management (e.g. blacklisting)

+ Static Policy assignment disables Profiling for the endpoint


+ Manual
+ Exception action
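The selection rules on the two Profiling Policies slides (sum of "Increase CF" rules against a minimum CF, parent must match for a child to be chosen, highest total wins, alphabetical tie-break, "Unknown" otherwise) are implemented in the added example below. It is not ISE code and not from the slides; the policy hierarchy, OUIs, DHCP strings and attribute names are constructed, and the default minimum CF of 10 is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]

@dataclass
class ProfilingPolicy:
    name: str
    rules: List[Tuple[Callable[[Attrs], bool], int]]  # (condition, "Increase CF by")
    parent: Optional[str] = None
    min_cf: int = 10            # assumed default "Minimum Certainty Factor"

    def certainty(self, attrs: Attrs) -> int:
        return sum(cf for cond, cf in self.rules if cond(attrs))

def oui(prefix: str):
    """Condition helper: MAC address starts with the given (constructed) OUI."""
    return lambda a: a.get("MACAddress", "").upper().startswith(prefix.upper())

def contains(attr: str, text: str):
    return lambda a: text.lower() in a.get(attr, "").lower()

# Constructed policy hierarchy; OUIs and platform strings are made up.
POLICIES = [
    ProfilingPolicy("Cisco-Device", [(oui("AA:BB:CC"), 10)]),
    ProfilingPolicy("Cisco-IP-Phone", [(contains("cdpCachePlatform", "IP Phone"), 20)],
                    parent="Cisco-Device"),
    ProfilingPolicy("Cisco-Switch", [(contains("cdpCachePlatform", "WS-C"), 20)],
                    parent="Cisco-Device"),
    ProfilingPolicy("Printer", [(contains("dhcp-class-identifier", "printer"), 10),
                                (oui("DD:EE:FF"), 10)]),
    ProfilingPolicy("Scanner", [(contains("dhcp-class-identifier", "printer"), 10)]),
]

def select_profile(policies: List[ProfilingPolicy], attrs: Attrs) -> Tuple[str, int]:
    """Return (profile name, total CF) for the endpoint attributes, or ("Unknown", 0)."""
    by_name = {p.name: p for p in policies}
    scores = {p.name: p.certainty(attrs) for p in policies}
    matched = {n for n, s in scores.items() if s >= by_name[n].min_cf}

    def ancestors_matched(name: str) -> bool:
        parent = by_name[name].parent
        while parent is not None:
            if parent not in matched:
                return False
            parent = by_name[parent].parent
        return True

    candidates = [n for n in matched if ancestors_matched(n)]
    if not candidates:
        return "Unknown", 0
    # Highest total CF wins; equal scores are resolved alphabetically.
    best = min(candidates, key=lambda n: (-scores[n], n))
    return best, scores[best]
```

The second test case below is the one worth remembering for IPS-style tuning: an endpoint that advertises "IP Phone" over CDP but carries a non-Cisco OUI scores 20 on the child policy and still ends up "Unknown", because the parent did not match.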
RADIUS Probe

+ Originally used to gather MAC & IP address information


+ Calling-Station-ID
+ MAC
+ Framed-IP-Address (Accounting packets)
+ IP

+ RADIUS Probe is commonly deployed along with Device Sensor


Device Sensor

+ Enables a switch/WLC to include additional profiling attributes inside of RADIUS Accounting packets
+ CDP, LLDP & DHCP
+ Recommended for scaling the deployment

+ Configuration (switch)
+ Turn on RADIUS Accounting, Accounting VSAs, CDP/LLDP & DHCP Snooping
+ Enable with device-sensor accounting & device-sensor notify all-changes
+ Verify with show device-sensor cache
SNMP Probe

+ Only recommended if Device Sensor is not supported


+ TRAP
+ Sent by NAD to ISE on a link up/down event
+ QUERY
+ Sent by ISE to NAD to fetch CDP/LLDP/ARP data
+ In response to SNMP TRAP or RADIUS Accounting packet
+ Periodically
+ During Network Scan (NMAP)
DHCP Probe

+ Useful to capture IP-MAC address bindings & OS information


+ DHCP (no SPAN)
+ Requires DHCP packets to be sent to ISE
+ Accomplished by using a Relay Agent (ip helper-address)
+ DHCP SPAN
+ Might be hard to deploy and cause replication issues
HTTP Probe

+ Main source of the OS information (User Agent)


+ HTTP (no SPAN)
+ Requires HTTP packets to be sent to ISE portals
+ Traffic will be profiled even if the Probe is disabled
+ HTTP SPAN
+ Commonly deployed in the Internet Edge
+ Might be too resource-intensive
Other Probes

+ DNS
+ Acquires FQDN based on a reverse DNS lookup

+ Active Directory
+ Extracts AD-related information (Windows systems)

+ NetFlow
+ Profiles endpoints based on flow characteristics rather than attributes
+ NetFlow data may quickly oversubscribe a PSN
+ Only use Flexible NetFlow v9 along with a filtering solution (e.g. Stealthwatch)
Other Probes

+ NMAP
+ “Active” mechanism communicating directly with an endpoint
+ TCP/UDP Port Scans including SNMP walk
+ Activation
+ Manual
+ IP host, subnet
+ Dynamic
+ Profiling Policy “Take Network Scan”

+ Like HTTP & DNS, requires ISE to already know the IP-MAC address binding
Profiling Configuration

+ Enable the Profiling Engine


+ Administration -> System -> Deployment -> General Settings -> Enable Profiling Service

+ Activate Probes
+ Administration -> System -> Deployment -> Profiling Configuration

+ Configure Probe-related ISE & NAD settings


+ Most Probes require NADs to be added to Network Devices
CCIE Security v6 Bootcamp
Identity Management & Access Control

ine.com
Module Overview
+ 802.1x standard
+ Wired 802.1x example
802.1x Overview

+ L2 authentication standard (IEEE) for wired & wireless networks


+ Used for identity-based networking
+ Implemented through EAP (EAP over LAN “EAPOL”)
+ A framework for exchanging arbitrary authentication data

+ 802.1x components
+ Supplicant
+ Client software
+ Authenticator
+ Policy enforcement (Switch/AP/WLC)
+ Authentication Server (RADIUS)
802.1x Authentication

+ Authenticator drops non-EAPOL frames before/during AuthC


+ Cisco switches add exceptions for STP, CDP & LLDP

+ The Process
+ Authentication process starts on reception of an EAP Request Identity frame
+ Sent on link up/wireless connection or upon reception of EAPOL-Start
+ Authenticator acts as a proxy between Supplicant & RADIUS server
+ EAP data is extracted & encapsulated using two RADIUS EAP-specific attributes
+ Authentication method is negotiated followed by authentication
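What "drops non-EAPOL frames before/during AuthC, with exceptions for STP, CDP & LLDP" means at the frame level is shown by the added example below. It is not switch code and not from the slides: it classifies a raw Ethernet frame by EtherType and destination MAC (EAPOL 0x888E, LLDP 0x88CC, the STP and CDP multicast addresses carried in 802.3/LLC frames), decides whether an unauthorized port forwards it, and decodes the EAPOL packet type. The frames are constructed with a made-up supplicant MAC.

```python
EAPOL_ETHERTYPE = 0x888E
LLDP_ETHERTYPE = 0x88CC
DOT1Q_ETHERTYPE = 0x8100
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # EAPOL destination (802.1X)
STP_ADDR = bytes.fromhex("0180c2000000")         # Bridge Group Address (BPDUs)
CDP_ADDR = bytes.fromhex("01000ccccccc")         # Cisco multicast used by CDP
LLDP_ADDR = bytes.fromhex("0180c200000e")

CONTROL_ALLOWED = {"eapol", "stp", "cdp", "lldp"}   # exceptions on an unauthorized port

def classify_frame(frame: bytes) -> str:
    """Return eapol / stp / cdp / lldp / data / runt for a raw Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == DOT1Q_ETHERTYPE and len(frame) >= 18:   # skip the 802.1Q tag
        ethertype = int.from_bytes(frame[16:18], "big")
    if ethertype == EAPOL_ETHERTYPE:
        return "eapol"
    if ethertype == LLDP_ETHERTYPE:
        return "lldp"
    if ethertype <= 1500:          # 802.3 length field: LLC/SNAP frame (STP, CDP)
        if dst == STP_ADDR:
            return "stp"
        if dst == CDP_ADDR:
            return "cdp"
    return "data"

def port_decision(frame: bytes, port_authorized: bool) -> str:
    """Authorized port forwards everything; unauthorized port forwards only
    EAPOL plus the STP/CDP/LLDP exceptions and drops all other frames."""
    if port_authorized:
        return "forward"
    return "forward" if classify_frame(frame) in CONTROL_ALLOWED else "drop"

def eapol_packet_type(frame: bytes) -> str:
    """Decode the EAPOL header (version, type, length) that follows the Ethernet header."""
    if classify_frame(frame) != "eapol":
        raise ValueError("not an EAPOL frame")
    off = 18 if int.from_bytes(frame[12:14], "big") == DOT1Q_ETHERTYPE else 14
    types = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
    return types.get(frame[off + 1], "other")

def ethernet(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    return dst + src + type_or_len.to_bytes(2, "big") + payload

# Constructed frames from a supplicant with a made-up MAC address.
SUPPLICANT = bytes.fromhex("020000000001")
TAGGED_IPV4 = (0x0064).to_bytes(2, "big") + (0x0800).to_bytes(2, "big") + b"\x45" + b"\x00" * 19
FRAMES = {
    "eapol_start": ethernet(PAE_GROUP_ADDR, SUPPLICANT, EAPOL_ETHERTYPE, bytes([1, 1, 0, 0])),
    "arp": ethernet(b"\xff" * 6, SUPPLICANT, 0x0806, b"\x00" * 28),
    "tagged_ipv4": ethernet(b"\xff" * 6, SUPPLICANT, DOT1Q_ETHERTYPE, TAGGED_IPV4),
    "bpdu": ethernet(STP_ADDR, SUPPLICANT, 38, bytes.fromhex("424203") + b"\x00" * 35),
    "cdp": ethernet(CDP_ADDR, SUPPLICANT, 40, bytes.fromhex("aaaa0300000c2000") + b"\x00" * 32),
    "lldp": ethernet(LLDP_ADDR, SUPPLICANT, LLDP_ETHERTYPE, b"\x02\x07\x04" + SUPPLICANT),
}
```

The classifier keys STP and CDP on the destination address only when the type field is an 802.3 length, which is how those protocols actually appear on the wire; a frame sent to the STP address with an IP EtherType is still "data" and is dropped on an unauthorized port.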
802.1x Authentication

+ Authentication results determine network access rights


+ Success (Access-Accept – EAP Success)
+ Allow access + return optional AuthZ data (dACL/VLAN)
+ Failure (Access-Reject - EAP Failure)
+ Wireless
+ No access
+ Wired
+ No access (reauthenticate after dot1x timeout quiet-period)
+ Next authentication method
+ Auth-Fail VLAN
MAC Authentication Bypass (MAB)

+ An alternative authentication method for 802.1x environments


+ Needed for non-Supplicant devices (IP cameras, printers, etc.)

+ MAB Details
+ If enabled (mab), triggers after 802.1x times out (dot1x timeout tx-period)
+ In wireless for WLANs configured with MAC Filtering
802.1x Documentation

+ Wired
+ Switches -> Catalyst 3750X Series Switch -> Configuring IEEE 802.1x Port-Based Authentication
+ Old ISE Administrator Guide -> Reference -> Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

+ Wireless
+ Wireless -> Wireless LAN Controller Software -> Client Network -> WLAN Security
CCIE Security v6 Bootcamp
Identity Management & Access Control

ine.com
Module Overview
+ Wireless 802.1x example
802.1x Configuration (Wireless)

+ WLC
+ Add an interface & WLAN
+ Define RADIUS Server(s)
+ Secure WLAN
+ Authentication method
+ Advanced options
+ Create ACL(s) and additional interface(s) if needed
802.1x Configuration (Wireless)

+ RADIUS Server
+ Add Network Devices
+ Configure Identity Stores & AuthC policy
+ Create authorization elements/profiles
+ Configure AuthZ policy
CCIE Security v6 Bootcamp
Advanced Threat Protection & Content Security

ine.com
Module Overview
+ WSA overview
+ Basic setup
+ Policies
Web Security Appliance (WSA) Overview

+ Advanced web content-filtering solution


+ Fast Web Proxy services
+ Granular traffic control
+ Malware & Spyware protection

+ Key Features
+ URL Filtering
+ Application Visibility & Control
+ File Control & AMP
+ HTTPS Decryption & more
WSA Interfaces

+ Data
+ Web Proxy (P1, P2)
+ Only P1 can be used (inbound & outbound communication)
+ L4TM (T1, T2)
+ Only T1 can be used (inbound & outbound communication)

+ Administration
+ Management (M1)
+ HTTP, HTTPS & SSH
+ Might be used for Data as well
WSA CLI

+ WSA runs on AsyncOS


+ AsyncOS CLI is partially similar to the IOS equivalent
+ Command completion (Tab), process termination (CTRL+C), etc.
+ Many commands use the “Interactive Mode”
+ Configuration changes must be approved (commit) to take effect
WSA Deployment Modes

+ WSA supports two Proxy Modes with an optional L4TM service


+ Proxy Modes
+ Explicit Forward
+ Transparent
+ L4TM (Layer 4 Traffic Monitor) Mode
+ Requires traffic to be copied to T1 and/or T2 ports (promiscuous mode)
+ SPAN/RSPAN, Hub, Network Tap
+ Turns WSA into an IDS-like system
+ Detects malware over HTTP & non-HTTP ports (TCP 1-65535)
+ Infected flows can be blocked with an RST (TCP)
Explicit Forward Mode

+ Requires web traffic to be sent to the WSA itself


+ Client’s browser proxy settings
+ IP address, port number
+ Proxy Auto-Configuration (PAC)
+ JavaScript with coded URL & proxy settings information

+ Important Considerations
+ DNS resolution is performed by the WSA
+ Clients send all web traffic with a destination IP of the WSA
+ A Client does not need a default route to download any web content
Transparent Mode

+ Web traffic is redirected to the WSA


+ Clients & their browsers are unaware of the proxy
+ The redirection is performed by the network
+ Router/switch/ASA running WCCPv2

+ Important Considerations
+ DNS lookups are performed by the Client
+ Clients do require a default route
+ Web packets are sent to the server and not WSA
WCCP Configuration

+ IOS
ip wccp version 2
ip wccp (service_nr | web-cache) [redirect-list acl] [group-list acl]
interface ifname
ip wccp (service_nr | web-cache) redirect [in | out]

+ ASA
+ wccp (service_nr | web-cache) [redirect-list acl] [group-list acl]
+ wccp interface ifname (service_nr | web-cache) redirect in
Identification Profiles

+ Identification Profiles are used for transaction classification


+ Group transactions based on common criteria to simplify the Access Policy
+ Subnet, Protocol, Port, User Agent & URL Category
+ Control authentication requirements
+ Visibility
+ Identity-based policies
Identification Profiles

+ Identification Profiles are evaluated first for each new transaction that has not bypassed the proxy
+ Top-down first-match processing
+ All Profile conditions must be met to match the Profile
+ Protocol, Client Subnet IP, User Agent & more
+ Global Identification Profile acts as a catch-all
+ No authentication
WSA Policies

+ Access Policies inspect all transactions processed by the WSA


+ Plain-text HTTP & FTP traffic
+ Including decrypted HTTPS
+ HTTPS
+ Only if HTTPS proxy is disabled

+ Traffic can be allowed/blocked by one of the Control Settings


+ URL Filtering, Application Visibility & Control, Malware Scanning & more
WSA Policies

+ Policy Table is evaluated similar to Identification Profiles


+ Top-down first-match processing
+ All Policy conditions must be met to match the Policy
+ Identification Profile, Protocol, Port, Client Subnet IP & more
+ Global Policy acts as a catch-all
+ It also serves as a source of default settings for Custom Policies
WSA Policies
CCIE Security v6 Bootcamp
Advanced Threat Protection & Content Security

ine.com
Module Overview
+ ESA overview
+ Basic setup
+ Policies
What is Email Security Appliance (ESA)?

+ Advanced email filtering solution


+ Protection, security & control
+ Not a SMTP server

+ Key Features
+ Email traffic & content control
+ Malware protection
+ Data Loss Prevention
+ Authentication & Encryption
Design Considerations

+ ESA includes two or more ports labeled as "Data"


+ Used for data & management traffic
+ Management (M1) port is available on most platforms
+ Same as data ports

+ ESA is commonly deployed behind a firewall


+ Internet Edge (DMZ)
+ Needs certain firewall rules
The Listener

+ SMTP daemon required to process email traffic


+ Controls connection setup & major ESA features
+ Host Access Table (HAT), Recipient Access Table (RAT)
+ The number of Listeners used depends on the organization
+ One Listener may be hard to manage & offers less bandwidth
+ Two Listeners (Public & Private) are an alternative
+ Two interfaces are preferred but one is enough
Initial Flow Processing

+ ESA starts flow processing at the TCP level


+ Double DNS lookup
+ Reverse (connecting IP address) & Forward (returned FQDN)
+ If any lookup fails or results don’t match, Sender is deemed unverified
+ SenderBase Reputation Score (SBRS) lookup
+ Sender's IP is checked against the SenderBase

+ The SBRS, IP & FQDN (optional) information is then used by HAT


Host Access Table (HAT)

+ A set of rules controlling email Senders


+ Who can connect & how
+ Rules consist of Sender Groups (conditions) & Mail Flow Policies (results)
+ Top-down first-match processing
+ Sender Group conditions are processed as logical OR
+ The Default Rule allows everyone (ALL) to connect (ACCEPTED)
HAT Elements

+ Sender Group
+ SBRS
+ IP address, IP range
+ FQDN, domain
+ Only if the Sender is verified (double DNS lookup match)
+ Unverified Senders

+ Mail Flow Policy


+ Controls SMTP conversation
+ Message & recipient limits, SPAM & virus protection, encryption & more
+ Classifies messages as incoming or outgoing
HAT Elements

+ Mail Flow Policy Actions


+ Continue
+ Accept
+ Connection is accepted & treated as incoming
+ Email acceptance is limited according to RAT
+ Relay
+ Connection is accepted & treated as outgoing
+ RAT is not used
+ TCP Refuse
+ Reject
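The Initial Flow Processing, HAT and HAT Elements slides together describe one pipeline: double DNS lookup, SBRS lookup, then top-down first-match evaluation of Sender Groups whose conditions are ORed, ending in the ALL catch-all. The added example below (not AsyncOS code, not from the slides) runs that pipeline over constructed PTR/A records and reputation scores; the group names and Mail Flow Policy names are modelled on the default public-listener HAT, and the SBRS ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DNS data and reputation scores; none of these hosts are real.
PTR_RECORDS = {
    "203.0.113.10": "mx1.partner.example",
    "203.0.113.20": "mx2.partner.example",     # claims partner.example ...
    "198.51.100.77": "smtp.other.example",
}
A_RECORDS = {
    "mx1.partner.example": ["203.0.113.10"],
    "mx2.partner.example": ["203.0.113.99"],  # ... but the forward lookup disagrees
    "smtp.other.example": ["198.51.100.77"],
}
SBRS = {"203.0.113.10": 4.5, "203.0.113.20": -5.0}  # absent = no score (None)

def verify_sender(ip: str) -> Tuple[Optional[str], bool]:
    """Double DNS lookup: PTR on the connecting IP, then A on the returned FQDN.
    The sender is verified only if both succeed and the A record contains the IP."""
    fqdn = PTR_RECORDS.get(ip)
    if fqdn is None:
        return None, False
    return fqdn, ip in A_RECORDS.get(fqdn, [])

@dataclass
class SenderGroup:
    name: str
    policy: str                        # Mail Flow Policy applied on match
    sbrs: Optional[Tuple[float, float]] = None
    networks: Tuple[str, ...] = ()
    domains: Tuple[str, ...] = ()
    unverified: bool = False           # match senders that failed the double lookup
    catch_all: bool = False

    def matches(self, ip: str, fqdn: Optional[str], verified: bool, score) -> bool:
        # Conditions inside one Sender Group are ORed.
        if self.catch_all:
            return True
        if self.sbrs and score is not None and self.sbrs[0] <= score <= self.sbrs[1]:
            return True
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(n) for n in self.networks):
            return True
        # Domain conditions only count for verified senders (double lookup matched).
        if verified and fqdn and any(fqdn == d or fqdn.endswith("." + d) for d in self.domains):
            return True
        return self.unverified and not verified

# Top-down, first match; the ALL group is the default rule.
HAT = [
    SenderGroup("RELAYLIST", "RELAYED", networks=("10.10.0.0/16",)),
    SenderGroup("WHITELIST", "TRUSTED", domains=("partner.example",)),
    SenderGroup("BLACKLIST", "BLOCKED", sbrs=(-10.0, -3.0)),
    SenderGroup("SUSPECTLIST", "THROTTLED", sbrs=(-3.0, -1.0), unverified=True),
    SenderGroup("ALL", "ACCEPTED", catch_all=True),
]

def hat_lookup(ip: str) -> dict:
    """Classify a connecting IP: DNS verification, SBRS, then the HAT."""
    fqdn, verified = verify_sender(ip)
    score = SBRS.get(ip)
    for group in HAT:
        if group.matches(ip, fqdn, verified, score):
            return {"ip": ip, "fqdn": fqdn, "verified": verified,
                    "group": group.name, "policy": group.policy}
    raise AssertionError("unreachable: ALL is a catch-all")
```

The 203.0.113.20 case shows why the double lookup matters: its PTR record names a partner.example host, but the forward lookup does not point back, so the domain condition in WHITELIST is ignored and the sender falls through to BLACKLIST on reputation.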
Recipient Access Table (RAT)

+ Destination-based email filtering mechanism


+ Emails can be accepted or rejected based on the recipient address (RCPT TO)
+ No processing & forwarding messages sent to invalid recipients
+ Saves resources, no bounce messages
+ Stops ESA from acting as an Open Relay

+ RAT checks don’t apply to Private Listeners (outgoing emails)


ESA Policies

+ Used to satisfy different security needs of users and/or groups

+ Configuration Steps
+ Policy Engine activation
+ Mail Policy definition
+ Incoming
+ HAT “ACCEPT”
+ Outgoing
+ HAT “RELAY”
+ Policy settings configuration
ESA Policies
CCIE Security v6 Bootcamp
Advanced Threat Protection & Content Security

ine.com
Module Overview
+ Cisco Umbrella
Umbrella Overview

+ Umbrella offers an advanced recursive DNS service


+ Secure
+ DNS inspection & much more
+ Cloud-based
+ Consolidates security services in one place despite the recent "decentralized network" trend
+ Fully controllable
+ Single configuration/reporting dashboard
+ APIs
Deployment Options

+ DNS traffic can be redirected to Umbrella in several ways


+ On-network
+ DHCP
+ Locations with no internal domain(s)
+ Static endpoints may need to be configured manually
+ Internal DNS
+ Umbrella Virtual Appliance
+ Network devices
+ Roaming & Mobile
+ Umbrella Roaming Client
+ AnyConnect Umbrella module
+ Cisco Security Connector (iOS agent)
Access & Documentation

+ Umbrella Dashboard
+ https://login.umbrella.com

+ Umbrella Documentation
+ Cisco Umbrella
+ https://docs.umbrella.com/deployment-umbrella/docs
+ Cisco Umbrella SIG
+ https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/welcome-to-cisco-umbrella
Basic Configuration

+ Register the organization


+ Deployments -> Core Identities -> Networks
+ A public IP (including dynamic IPv4)
+ Or a VA’s/Network redirector’s IP
+ Edit internal domains (Domain Management)

+ Send non-local DNS traffic to the Umbrella Cloud


+ Modify DHCP/DNS server and/or endpoint settings
+ 208.67.222.222 & 208.67.220.220
+ 2620:119:35::35 & 2620:119:53::53
+ Test with http://welcome.umbrella.com
+ Optionally adjust your firewall rules (DNS)
Policies Overview

+ Umbrella enforces security & access controls through Policies


+ A policy points to at least one identity
+ Policies are evaluated top-down
+ Only the first policy matching the identity gets executed
+ Default Policy is a catch-all (applies to all identities)

+ Policy Engines
+ DNS Layer Security
+ Content Inspection
+ Application Inspection
+ File Analysis
+ Destination Lists
CCIE Security v6 Bootcamp
Infrastructure Security & Automation

Module Overview
+ uRPF
+ CoPP
+ CPPr
+ MPP
Unicast Reverse Path Forwarding (uRPF)

+ Dynamic L3 anti-spoofing filtering tool


+ Commonly deployed at the network edge to replace/complement ACLs
+ Requires working CEF
+ Filters packets based on their source IP addresses and FIB
+ Packets with sources for which there is no entry in the FIB are dropped
+ Packets with sources recursing to Null0 are dropped
+ Used along with Remotely Triggered Black Hole Filtering (RTBH)
Unicast Reverse Path Forwarding (uRPF)

+ Loose
+ A source-matching FIB entry is all that's needed to allow the packet

+ Strict
+ Only allows packets received on the interface used to reach the source
+ Does not work in environments where routing is asymmetric
+ Packets are received on one interface, sent through another
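The loose and strict decisions above, modelled in Python as an added example (not from the slides): the FIB, interface names and addresses are constructed, and the default-route handling follows IOS's allow-default keyword, an assumption added here.

```python
import ipaddress

# Constructed FIB for the example: prefix -> egress interface.
# "Null0" models a route black-holed with RTBH; none of these are real networks.
FIB = {
    "10.1.0.0/16": "Gi0/1",
    "10.2.0.0/16": "Gi0/2",
    "192.0.2.0/24": "Null0",
    "0.0.0.0/0": "Gi0/3",
}


def fib_lookup(fib, src, allow_default=False):
    """Longest-prefix match of a source address. The default route only counts
    when allow_default is set (assumption: mirrors IOS's 'allow-default' keyword)."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, egress in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return (permit, reason) for a packet from src that arrived on ingress."""
    egress = fib_lookup(fib, src, allow_default)
    if egress is None:
        return False, "drop: no FIB entry for source"
    if egress == "Null0":
        return False, "drop: source recurses to Null0 (RTBH)"
    if mode == "loose":
        return True, "permit: loose mode, FIB entry exists"
    if egress != ingress:
        return False, f"drop: strict mode, source reachable via {egress} but received on {ingress}"
    return True, "permit: strict mode, ingress matches FIB"


def demo():
    """Same constructed packets under both modes; shows the asymmetric-routing caveat."""
    packets = [("10.1.5.5", "Gi0/1"),     # legitimate, symmetric path
               ("10.2.7.7", "Gi0/1"),     # asymmetric: strict drops, loose permits
               ("192.0.2.9", "Gi0/1"),    # black-holed source
               ("203.0.113.1", "Gi0/1")]  # only the default route matches
    return {mode: [urpf_check(FIB, s, i, mode)[0] for s, i in packets]
            for mode in ("strict", "loose")}
```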
Control Plane Policing (CoPP)

+ CPU protection mechanism


+ Allows rate-limiting or dropping of packets destined to the CPU, including IPv6
+ Also allows control of traffic generated by the router
+ Examples of process-switched packets
+ Receive-adjacency
+ To-the-router traffic such as Management Plane packets or broadcasts
+ Data Plane Exceptions
+ Packets that require specialized handling
+ IP Options, low TTL (0 or 1), traffic to be fragmented, non-IP packets
+ Traffic matching ACL "log", traffic generating ICMP Unreachables
Control Plane Policing (CoPP)

+ Configuration of CoPP is defined through Modular QoS CLI (MQC)


+ Class Maps (class-map) are used for traffic classification
+ Policy Map (policy-map) specifies actions for individual classes
+ The Policy is activated via service-policy [input|output] under control-plane

+ Classification Options
+ Access-list
+ Network-Based Application Recognition (NBAR)
+ Only for PPP and ARP
+ ToS (DSCP and IP Precedence)
Control Plane Protection (CPPr)

+ Control Plane Protection (CPPr) is an extension of CoPP


+ Offers more selective classification of CPU-destined packets
+ Divides the Control Plane into three subinterfaces: Host, Transit and CEF Exception
+ Results in better performance
+ Provides additional functionality
+ Port Filtering and Queue Thresholding

+ Limitations
+ No control over router-generated packets
+ No IPv6 support
+ Requires CEF (ip cef)
CPPr Subinterfaces

+ Host
+ Router-destined traffic that is not CEF Exception
+ Management packets, EIGRP, IP fragments, other receive-adjacency packets

+ Transit
+ Transit IP traffic that is software-switched
+ Packets logged by an ACL

+ CEF Exception
+ CEF-redirected packets to the CPU
+ TTL-1 such as OSPF, CDP, ARP, L2 Keepalives & other non-IP traffic
CPPr Mechanisms

+ Port Filtering
+ Provides early dropping of packets destined to closed UDP/TCP ports
+ Once enabled, a dynamic table of open ports is created and maintained

+ Queue Thresholding
+ Limits the number of packets a protocol may have in the CP input queue
+ For BGP, DNS, FTP, HTTP, IGMP, SNMP, SSH, TFTP, Syslog & Telnet
+ Other TCP/UDP based protocols can be classified as an aggregate
+ host-protocols

+ Both features are only available under the Host subinterface


CPPr Configuration

+ Similar to CoPP
+ Class Maps (class-map) are used for traffic classification
+ Policy Map (policy-map) specifies actions for individual classes
+ Then use service-policy under control-plane [host|transit|cef-exception]

+ Port Filtering & Queue Thresholding


+ All elements are type port-filter (PF) or type queue-threshold (QT)
+ Port Filtering
+ Classify with match [closed-ports|not|port]
+ Queue Thresholding
+ Classify with match protocol
+ Use queue-limit to define a threshold
Management Plane Protection (MPP)

+ Simplifies device access control on IOS


+ Restricts management traffic to the management port(s) only
+ Other interfaces drop to-the-box management traffic
+ Transit management packets are not affected
+ Dropped packets don’t affect CPU
+ Works for BEEP, FTP, HTTP, HTTPS, Telnet, TFTP, SSH, and SNMP
MPP Configuration

+ Activated through the CPPr syntax


control-plane host
management-interface interface allow [protocol]

+ Verification
+ show management-interface
CCIE Security v6 Bootcamp
Infrastructure Security & Automation

Module Overview
+ Layer 2 attacks
+ Layer 2 mitigation tools
MAC Spoofing & Flooding

+ MAC Spoofing
+ Sending frames with someone else’s MAC address in the source
+ Causes a switch to update its CAM and forward traffic to the attacker

+ MAC (CAM) Flooding


+ Generating a large number of frames with spoofed sources
+ Exhausts the entire CAM space for a given VLAN
+ Traffic sent to destinations not found in CAM gets flooded out all ports, like with a network Hub

+ Mitigation
+ Port Security
Port Security

+ Port Security serves two purposes:


+ To identify the source MAC addresses allowed on a port
+ Dynamic (default)
+ Sticky (switchport port-security mac-address sticky)
+ Static (switchport port-security mac-address addr)
+ To limit the number of MAC addresses seen on a port
+ switchport port-security maximum

+ Violation Modes (switchport port-security violation)


+ Shutdown Port (shutdown), Shutdown VLAN (shutdown vlan)
+ Restrict (restrict)
+ Protect (protect)
VLAN Hopping

+ Allows an attacker to gain access to another VLAN(s)

+ Switch Spoofing
+ An attempt to negotiate a trunk with a switch by using DTP
+ Mitigate by shutting down all unused ports or disabling DTP
+ Double Tagging
+ Injecting a frame with two 802.1q tags
+ The outer tag matches the access port VLAN, which is also the trunk's Native VLAN
+ The inner tag is set to the "attacked" VLAN number
+ Mitigate with vlan dot1q tag native or never use the Native VLAN on access ports
DHCP Attacks

+ DHCP Starvation
+ An attempt to exhaust the server's pools by sending spoofed requests
+ Spoofed source MAC and/or DHCP header's Client HW Identifier

+ Rogue DHCP Server


+ Used to inject false default gateway and/or DNS server IPs
+ Usually accompanied by a regular DoS on the legitimate server

+ Mitigation
+ Filtering (deny udp any eq 67 any eq 68)
+ For DHCPv6 use deny udp any eq 547 any eq 546
+ DHCP Snooping or IPv6 First Hop Security (DHCP Guard)
DHCP Snooping

+ Primary mitigation tool for attacks on DHCP


+ Distinguishes between DHCP client (untrusted) and server (trusted) ports
+ A port connected to your DHCP Server should be configured as trusted
+ Enables inspection on all client-server DHCP exchanges
+ Updates the DHCP Snooping Binding table
+ Checks subsequent DHCP packets against the table entries

+ Configuration
+ Enable it globally (ip dhcp snooping) & for VLAN(s) (ip dhcp snooping vlan)
+ Configure at least one trusted port (ip dhcp snooping trust)
+ Optionally disable Option 82 insertion (no ip dhcp snooping information option)
ARP Spoofing

+ Also known as ARP Cache Poisoning


+ An attacker claims to own someone else’s MAC address
+ Results in a DoS or MiTM
+ Mitigate with encryption/integrity services or enable DAI

+ Dynamic ARP Inspection (DAI)


+ Relies on the DHCP Snooping table to verify incoming ARP frames
+ Packets with mismatched addresses are dropped
+ Traffic received on a DAI trusted port (ip arp inspection trust) is never checked
+ Configured per-VLAN (ip arp inspection vlan)
+ Manual entries will be needed in non-DHCP environments
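The DAI decision described above, modelled in Python as an added example (not from the slides): a constructed DHCP Snooping binding table, manual entries for non-DHCP hosts and a trusted uplink are checked against constructed ARP frames; all addresses, MACs and port names are made up.

```python
# Constructed DHCP snooping binding table as DAI consumes it: (vlan, ip) -> (mac, port).
# Addresses, MACs and port names are made up for the example.
BINDINGS = {
    (10, "10.0.10.11"): ("0011.2233.4455", "Gi1/0/1"),
    (10, "10.0.10.12"): ("0011.2233.4466", "Gi1/0/2"),
}
# Manual entries for hosts that do not use DHCP (static gateway, servers, printers)
STATIC_BINDINGS = {(10, "10.0.10.1"): ("00aa.bbcc.dd01", "Gi1/0/24")}
DAI_VLANS = {10}              # ip arp inspection vlan 10
TRUSTED_PORTS = {"Gi1/0/24"}  # ip arp inspection trust on the uplink


def learn_binding(bindings, vlan, ip, mac, port):
    """DHCP snooping adds or updates an entry after a completed client-server exchange."""
    bindings[(vlan, ip)] = (mac, port)
    return bindings


def dai_check(arp, bindings, static, dai_vlans, trusted):
    """arp: dict with vlan, port, sender_mac, sender_ip. Returns (forward, reason)."""
    if arp["vlan"] not in dai_vlans:
        return True, "forward: DAI not enabled on this VLAN"
    if arp["port"] in trusted:
        return True, "forward: trusted port, not inspected"
    key = (arp["vlan"], arp["sender_ip"])
    expected = static.get(key) or bindings.get(key)
    if expected is None:
        return False, "drop: no binding for sender IP"
    if expected[0] != arp["sender_mac"]:
        return False, f"drop: sender MAC {arp['sender_mac']} does not match binding {expected[0]}"
    return True, "forward: sender IP/MAC pair matches binding"


def demo():
    """Constructed ARP frames: a legitimate reply, a poisoning attempt on the gateway IP,
    an unknown host, a frame on the trusted uplink, and a frame in a VLAN without DAI."""
    frames = [
        {"vlan": 10, "port": "Gi1/0/1", "sender_mac": "0011.2233.4455", "sender_ip": "10.0.10.11"},
        {"vlan": 10, "port": "Gi1/0/2", "sender_mac": "0011.2233.4466", "sender_ip": "10.0.10.1"},
        {"vlan": 10, "port": "Gi1/0/3", "sender_mac": "0011.2233.4477", "sender_ip": "10.0.10.50"},
        {"vlan": 10, "port": "Gi1/0/24", "sender_mac": "00aa.bbcc.dd01", "sender_ip": "10.0.10.1"},
        {"vlan": 20, "port": "Gi1/0/5", "sender_mac": "0011.2233.4488", "sender_ip": "10.0.20.5"},
    ]
    return [dai_check(f, BINDINGS, STATIC_BINDINGS, DAI_VLANS, TRUSTED_PORTS)[0] for f in frames]
```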
CCIE Security v6 Bootcamp
Infrastructure Security & Automation

Module Overview
+ Python overview
+ Data Types
+ API overview
+ FMC REST API
Python Overview

+ Open source interpreted programming language created in the late 1980s


+ Popular for many reasons
+ Easy to use & read
+ Portable
+ Extendable
+ Object-Oriented
+ Works in virtual environments
+ A single Python installation may not meet the requirements of all applications
+ Virtual environments with self-contained directories resolve the conflict
+ E.g. the "venv" or "virtualenv" packages

+ Generally deemed as a natural choice for Network Programmability


Python Overview

+ Version 3.x fixes problems found in version 2.x (EOL in 2020)


+ https://wiki.python.org/moin/Python2orPython3

+ The Python code (CPython) can be downloaded from www.python.org


+ Some OSes come with Python pre-installed

+ Python Documentation can be found at https://docs.python.org


Data Types

+ Used to distinguish between the different types of values a Python program may use
+ Common built-in Data Types
+ String (str)
+ Boolean (bool)
+ List (list)
+ Dictionary (dict)
Python Strings

+ Represent textual data (a sequence of characters)


+ Defined within single (') or double (") quotes
+ E.g. interface = 'Gig0/1' or interface = "Gig0/1"
+ Triple quotes (''' or """) allow writing strings that span multiple lines
+ Quotes inside the text itself can be preserved by escaping them with a backslash (\)
+ The backslash also introduces special code sequences, such as tab (\t) or new line (\n)
+ Data can be converted to a String using the str() function
Python Lists

+ An ordered sequence of objects (elements) of any type


+ List elements are enclosed by brackets ([ ]) and separated with commas
+ E.g. duplex=['half', 'full', 'auto'] or mix=['str', 4]
+ The len() function returns the total number of list objects/elements

+ Accessing List Elements


+ Indexing
+ Use list[x] to get object positioned at x
+ Slicing
+ Use list[a:b:c] to get a slice of list from a to b-1 with step c
+ At least one argument is needed, e.g. list[2:]
Python Dictionaries

+ An unordered collection of key-value pairs, known as Items

+ Dictionary items (key: value) are enclosed by curly brackets ({ }) and separated with commas
+ E.g. device1={'hostname': 'R1', 'os': 12.1}
+ Values can be of any type, but Keys must be "hashable"
+ Any immutable data type will work, such as String, Integer or Tuple
+ The dict() function is an alternative way of creating Dictionaries

+ Accessing the Dictionary


+ To access the value mapped to a given key in a dictionary, use dict[key]
+ Since Dictionary is mutable, values can be modified
Conditional Statements

+ Special structures used to control the program's flow


+ The if statement tests a condition using Boolean logic
+ True (or anything other than numerical 0)
+ False (or numerical 0)
+ The statement(s) after if is/are only executed if the test result equals True
+ If the result is False, the statement(s) is/are skipped

+ Syntax
if condition:
    statement
+ Important: a colon ':' follows condition & indentation precedes statement(s)
Conditional Statements

+ Alternative conditions may be specified to "extend" the if statement


+ The elif clause is evaluated only if the preceding if/elif expression is False
+ The else clause is evaluated only if all preceding expressions are False

if condition:
    statement(s)
elif altcondition1:
    statement(s)
elif altcondition2:
    statement(s)
else:
    statement(s)
Supported Operators

+ The if/elif conditions are often built from multiple elements tied together with Operators
+ Comparison
+ Equal (==), not equal (!=)
+ Less than (<), greater than (>)
+ Less than or equal (<=), greater than or equal (>=)
+ Boolean
+ and, or, not
+ Membership
+ in, not in
Loops Overview

+ Python loops provide a way to implement Iteration


+ Repetitive execution of the same block of code

+ Loop Types
+ while
+ for
The while Loop

+ Syntax
while condition:
    statement(s)

+ Executed until the condition becomes False


+ Good for an indefinite type of Iteration
+ Unknown number of "cycles"
The for Loop

+ Syntax
for variable(s) in iterable:
    statement(s)

+ An Iterable is an object that can be used in iteration

+ A sequence/collection of elements, e.g. List, Tuple, String or File
+ The iter() function can be used to check whether an object is iterable or not

+ Executed from the beginning to the end of the iterable object


+ Represents a definite type of Iteration
+ The number of cycles is finite and determined by the object
APIs Overview

+ Application Programming Interface (API)


+ Special software used for inter-system communication
+ Returns well-structured data
+ Representational State Transfer (REST) is an example of a commonly used API technology
+ HTTP[S]-based, fast & easy to use, fits into REST Architecture

+ REST API Documentation


+ Critical for understanding the syntax of API calls & responses
+ Base URLs & Endpoints (for supported resources)
+ Supported Parameters & Attributes
+ Response structure & more
Python Requests Library

+ General Syntax
+ requests.method(params)
+ Returns the Response Object that may be acted upon
+ E.g. response = requests.get('https://ASA_IP')

+ Useful Parameters
+ Authentication
+ Basic HTTP, OAuth, None, Custom
+ Importing the HTTPBasicAuth function is optional
+ Headers may be added to specify the formatting
+ headers = { 'Accept': 'application/json', 'Content-Type': 'application/json' }
Python Requests Library

+ Response Attributes
+ status_code
+ text

+ JSON Methods
+ dumps()
+ Dictionary -> String
+ loads()
+ String -> Dictionary
FMC REST API

+ API Explorer
+ https://FMC_IP_FQDN/api/api-explorer

+ Authentication
+ First API call must be authenticated with username & password
+ "Empty" POST request to /api/fmc_platform/v1/auth/generatetoken
+ Subsequent calls must be authorized
+ Access Token
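The two-step FMC authentication flow described above, together with the requests and JSON points from the previous slides, as an added Python example (not from the slides or from Cisco): the host name and token values are placeholders, the response header names (X-auth-access-token, X-auth-refresh-token, DOMAIN_UUID) are taken from the FMC REST API documentation rather than from this page, and the only network call is isolated in login() so everything else runs offline.

```python
import json
from base64 import b64encode

FMC_HOST = "fmc.example.internal"            # placeholder, not a real FMC
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


def token_request(host, username, password):
    """First call: an 'empty' POST (no body) authenticated with HTTP Basic credentials.
    Returns the URL and the headers that requests.post() would send on the wire."""
    creds = b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Accept": "application/json"}
    return f"https://{host}{TOKEN_PATH}", headers


def tokens_from_response(resp_headers):
    """FMC returns the tokens in response headers, not in the body (header names per
    FMC REST API documentation; assumption, not shown on the slides). Case-insensitive."""
    lower = {k.lower(): v for k, v in resp_headers.items()}
    return {"access": lower.get("x-auth-access-token"),
            "refresh": lower.get("x-auth-refresh-token"),
            "domain": lower.get("domain_uuid")}


def authorized_headers(access_token):
    """Subsequent calls are authorized with the access token instead of the password."""
    return {"X-auth-access-token": access_token,
            "Accept": "application/json",
            "Content-Type": "application/json"}


def login(host, username, password, ca_bundle=True):
    """Live version of the exchange; requests is imported lazily so the rest runs offline.
    A (user, password) tuple is enough, importing HTTPBasicAuth is optional."""
    import requests
    url, _ = token_request(host, username, password)
    resp = requests.post(url, auth=(username, password), verify=ca_bundle)
    resp.raise_for_status()          # a status_code outside 2xx raises here
    return tokens_from_response(resp.headers)


def object_names(body_text):
    """loads() turns the JSON response string into a dict; walk its 'items' list."""
    return [item["name"] for item in json.loads(body_text).get("items", [])]


# Constructed sample data standing in for a real FMC reply (token values are fake)
SAMPLE_HEADERS = {"X-auth-access-token": "ACCESS-TOKEN-PLACEHOLDER",
                  "X-auth-refresh-token": "REFRESH-TOKEN-PLACEHOLDER",
                  "DOMAIN_UUID": "00000000-0000-0000-0000-000000000000"}
SAMPLE_BODY = json.dumps({"items": [{"name": "Inside-Net", "type": "Network"},
                                    {"name": "DMZ-Host", "type": "Host"}]})
```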
Thank You!
