CCIE R&S Written Overview: Security

Access-Lists Overview

• Used to filter traffic in the data plane

• Types of ACLs…

– Standard

– Extended

– Time Based

– Dynamic

– Reflexive

• ACLs also support logging of traffic hits

URPF

• Unicast Reverse Path Forwarding

– Used for data plane filtering based on the routing table

– Simpler way of dropping traffic with spoofed source addresses than maintaining long bogon ACL filters

• Supports two modes of operation

– Strict: the source address must be reachable via the interface the packet arrived on

– Loose: the source address only needs to exist in the routing table (any interface)

TCP Intercept

• Prevents TCP SYN Flood Attacks

– TCP 3-way handshake is never completed

• SYN, SYN/ACK… but the final ACK never arrives

– Results in a “half-open” or “embryonic” session

• Server’s TCP stack can hold only a limited number of such connections

• TCP Intercept mitigates this in one of two ways

– Intercept mode

• Proxy for all connections

• Only connect to server after 3-way handshake completes

– Watch mode

• Passively monitor session establishment

• Send TCP RST if 3-way handshake does not complete in time

Context Based Access Control

• CBAC adds true stateful inspection to IOS

• Performs protocol-specific inspection

– Protocols matched based on port number

– Port-map table defined with ip port-map

• Inspection rule defines protocols to inspect

– ip inspect name <NAME>

– Applied to an interface inbound or outbound

– Dynamically opens a hole for return traffic in the ACL applied in the opposite direction

• CBAC integrates TCP Intercept

Zone Based Firewall

• Syntax wrapper around CBAC

– Same inspection engine inside

• Works with security zones, not individual interfaces

– A zone groups multiple interfaces together

– Traffic between interfaces in the same zone is allowed; traffic between zones is denied by default

– Zone defined via zone security command

• Special zone “self” represents the router itself (traffic sourced by or destined to the router)

– By default all traffic to/from this zone is allowed

Zone Based Firewall

• Inter-zone communication requires “zone pairing”

– Defined with zone-pair

– Associated policy-map of type inspect to permit traffic

• Action “inspect” (stateful, return traffic allowed) vs action “pass” (stateless, one direction only)

• ZFW configuration uses MQC syntax

– Class-maps/policy-maps of type inspect

– Traffic classified with match protocol

– Application still defined with ip port-map
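Putting the two Zone Based Firewall slides together, here is an added configuration example that is not from the original slides; the interface names, zone names and class-map/policy-map names are assumptions made for illustration:

```cisco
! Added example, not from the original deck: minimal ZBF policy letting
! INSIDE hosts reach OUTSIDE web/DNS, with reply traffic permitted only
! because the "inspect" action keeps state. Names below are assumed.
!
! Optional: teach the (CBAC) inspection engine that TCP/8080 is also HTTP
ip port-map http port tcp 8080
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUTSIDE
!
! MQC-style classification of the traffic to inspect
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  ! stateful: matching replies OUTSIDE->INSIDE are allowed automatically
  inspect
 class class-default
  ! everything else INSIDE->OUTSIDE is dropped and logged
  drop log
!
! Zone pairing: without this, INSIDE->OUTSIDE would be denied by default
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! No OUTSIDE->INSIDE zone-pair exists, so unsolicited inbound traffic is dropped.
! No zone-pair involves "self", so traffic to/from the router stays allowed by default.
! Verify: show zone-pair security / show policy-map type inspect zone-pair sessions
```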

Layer 2 Security

• Port Security

• VACLs

• DHCP Snooping

• IP Source Guard

• Dynamic ARP Inspection (DAI)