Jan 05

Feeling smart? :) Give these Security CCIE core knowledge questions a try. Click here for part 3 of this series.

Let us know what you feel the answers are, and good luck!

Implement Identity Management
Based on the example below, what commands will bob have the ability to use within the IOS?

enable secret cisco
username bob password cisco
username bob privilege 15
aaa new-model
aaa authentication login default group tacacs
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server key cisco123

Implement secure networks using ASA Firewalls
When using SSH to connect to an ASA running in multiple mode, the changeto command does not work for one of the administrators. What would cause this?

Implement secure networks using IOS Firewalls
When is a standard IOS IP ACL used to identify a destination?

Configure advanced security
What does the “fragment” option mean when used with an ACE?

Best of luck!



21 Responses to “CCIE Security Core Knowledge Questions – Part 4”

  1. Paul Stewart says:

    1). That really depends on how TACACS is configured. The local user bob would not be available via any of the method lists shown. So if that is the bob in question, no access. If there is a bob on TACACS, he would access as specified in its authorization. This is assuming default line configuration.

    2). Administrator could not have authorization to use the changeto command????

    3). A standard ACL can be used to deliver the routes to an EZVPN client as routable destinations.

    4). Matches non-initial IP fragments, assuming the rest of the ACE is relevant for the packet or fragment.

  2. Bheda Laxman says:

    Answer 1:
    If username “bob” is configured in the AAA server (ACS), then only that “bob” will be able to log in to the device in the first place, because there is no fallback login method (such as local) specified. So the local database entry for username “bob” with privilege level 15 will never be asked/used for authentication. Now, if user bob is configured in the AAA server and the appropriate command authorization set is assigned to that user (bob) or to the group to which bob belongs, only those commands will bob be able to execute.
    ================================================
    Answer 2:
    The context to which the administrator is connected has been configured with Command Authorization, and the already logged-in administrator is restricted from executing the “changeto” command. This prevents him from accessing other context(s) or the system configuration area.
    ==================================================
    Answer 3:
    When configuring the Java applet filter in CBAC, a standard IP ACL is used to specify the destination address. So applets from those sites only are allowed or not allowed.
    ==================================================
    Answer 4:
    The “fragment” option in an ACE defines whether to permit/deny non-initial fragmented IP traffic, and this option cannot be configured on any ACE which contains L4 information.

  3. Tim Rowley says:

    1) My mind went in about 500 different ways for this one haha. Assuming he accesses the device via VTY lines, he would have to authenticate via tacacs since it's the default login authentication. Assuming he has an ID on ACS, he may or may not get authenticated. There is no command for authorization exec, so he would be in user mode. Again assuming he has an ID on ACS, he would get level 0 and 1 commands authorized. If he knew the enable password (or guessed it) he would be at priv level 15, but still, all of his commands 0, 1, 15 and config would be authorized against ACS. Assuming ACS is up. Too many assumptions? Am I overthinking it? hehehe
    2) changeto is only available from the admin context itself, or, if a particular context is assigned as the admin context. You can’t changeto from a non-admin context.
    3) PAM
    4) Allows or disallows non-initial fragments associated with the ACE

  4. 1. After being authenticated by the tacacs server, Bob will query the tacacs server for the level 15 commands, which means every single command including the config mode commands. The tacacs server will either permit or reject any specific command depending on the configuration. If the tacacs server is unavailable, Bob will have access to all the available IOS commands (as he is in priv 15) without any problem.

    2. The administrator is logged into a context which is not the admin context/system execution space.

    3. Used in CBAC PAM – ip port-map port [tcp | udp] list

    4. Used to match non-initial fragments of a packet (these fragments have a non-zero fragment offset and do not contain any layer 4 above information)

  5. Made my previous comment in a hurry. So some corrections below -

    1. After being authenticated by the tacacs server, Bob will query the tacacs server for the level 15 commands, which means every single command including the config mode commands. The tacacs server will either permit or reject any specific command depending on the configuration. If the tacacs server is unavailable, Bob will have access to all the available IOS commands (as he is in priv 15) without any problem.

    2. The administrator is logged into a context which is not the admin context/system execution space.

    3. Used in CBAC/ZBF PAM – ip port-map protocol port [tcp | udp] port_number list standard_acl_for_destination

    4. Used to match non-initial fragments of a packet (these fragments have a non-zero fragment offset and do not contain any layer 4 above information)

  6. Paul Alexander says:

    1. If the tacacs server is available, Bob will only be able to run the commands that are allowed in ACS. He will be logged in at priv 1 by default too. If the server is not available, he should be able to run all commands once he has moved into priv 15.

    2. Just a guess here, he’s either not logged into the admin context, or there are too many administrators already logged in.

    3. IOS NAT load balancing

    4. Match non-initial fragments

  7. jeff_1 says:

    1. Bob will not be able to execute any command. However, this issue can be worked out if the same credentials, including privilege level, exist on ACS.
    2. The context the admin used to SSH is non-admin context
    3. In EZVPN by defining an acl for split-tunneling. It should be a named ACL.
    4. Check for non-initial fragments

  8. egg says:

    Implement Identity Management
    Based on the example below, what commands will bob have the ability to use within the IOS?

    enable secret cisco
    username bob password cisco
    username bob privilege 15
    aaa new-model
    aaa authentication login default group tacacs
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    tacacs-server host 10.1.1.1
    tacacs-server key cisco123

    privilege level 15 — Includes all enable-level commands at the router# prompt.

    source: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

  9. RoutSec says:

    1) This all depends on what is configured in the Tacacs server. If user Bob is not configured in tacacs then he won’t even be able to login. If he is configured then the authorization comes from Tacacs as well. If the tacacs server is unavailable, no one will be able to log into the router, including Bob via any line (console,telnet).

    2) I would think that particular administrator was configured as a context administrator, not a system administrator.

    3) I usually use a standard ACL for a destination address when using snmp. eg:
    access-list 1 permit 10.99.99.99
    snmp-server community cciesecurity RO 1

    4) Fragment within an ACL entry will match any non-initial fragment. This entry should usually be set to deny to mitigate DoS attacks.
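The fragment-matching behaviour described in answer 4 above, as an added example (not code from the post or from Cisco): a tiny model of how an ACL entry is applied to whole datagrams, initial fragments and non-initial fragments, including the “fragments” keyword. Addresses are matched exactly (constructed simplification, no wildcard masks), and the packet headers are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Optional

def fragment_info(ipv4_header: bytes):
    """Return (fragment offset in 8-byte units, more-fragments flag) from a raw IPv4 header."""
    flags_off = struct.unpack("!H", ipv4_header[6:8])[0]
    return flags_off & 0x1FFF, bool(flags_off & 0x2000)

def make_hdr(offset: int, more: bool) -> bytes:
    """Constructed 20-byte IPv4 header with only the flags/offset field of interest populated."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, (0x2000 if more else 0) | offset,
                       64, 6, 0, b"\0" * 4, b"\0" * 4)

@dataclass
class ACE:
    action: str                   # "permit" or "deny"
    src: str                      # constructed simplification: exact addresses, no wildcard masks
    dst: str
    dport: Optional[int] = None   # Layer 4 information, if the entry has any
    fragments: bool = False       # the "fragments" keyword

    def __post_init__(self):
        if self.fragments and self.dport is not None:
            raise ValueError("'fragments' cannot be combined with Layer 4 information")

    def match(self, pkt) -> Optional[str]:
        """Return this entry's action if it decides the packet, or None to fall through."""
        if (pkt["src"], pkt["dst"]) != (self.src, self.dst):
            return None
        offset, _more = fragment_info(pkt["hdr"])
        non_initial = offset > 0              # initial fragments and whole datagrams have offset 0
        if self.fragments:
            return self.action if non_initial else None
        if self.dport is None:
            return self.action                # L3-only entry applies to every fragment
        if not non_initial:
            return self.action if pkt["dport"] == self.dport else None
        # A non-initial fragment carries no L4 header: on an L3 match a permit entry
        # permits it, while a deny entry does not match and the next entry is processed.
        return self.action if self.action == "permit" else None

def evaluate(acl, pkt) -> str:
    """Apply an ACL top-down with the implicit deny at the end."""
    for ace in acl:
        verdict = ace.match(pkt)
        if verdict is not None:
            return verdict
    return "deny"
```

Without the leading `deny ... fragments` entry, a non-initial fragment slips through the port-80 permit on its Layer 3 match alone, which is why the deny-fragments entry is the usual first line.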

  10. Kent Heide says:

    RoutSec, regarding your answer #3 an ACL on the community defines which source addresses are allowed to connect to the device via SNMP :-)

  11. Paul Alexander says:

    Argh, didn't see the local wasn't on the authentication login line. So yeah, tacacs needs to be up for him to do anything.

  12. routsec says:

    @Kent

    You are absolutely right, that was a big error on my part. Thanks for pointing it out.

  13. mgeorge says:

    1. Based on the AAA default authentication list, authentication is processed via TACACS+ Server 10.1.1.1; the local user account bob will be unable to establish an exec session.

    2. Not an admin context exec session.

    3. Split Tunneling ACL

    4. Used to match non-initial fragments within an ACL entry.

  14. TacACK says:

    I’m really looking forward to what he has to say about the answers!

  15. cwham says:

    How about a route filter for item 3 (as used in a distribution list)

  16. irom says:

    For number three I’m pretty sure that CBAC PAM and URL Filter, and EzVPN Split Tunneling all use standard ACLs to identify destination

  17. Thank you to Paul, Bheda, Tim, Zakir, Jeff_1, egg, RoutSec (if that is your real name :) ), Kent, mgeorge, TacACK, cwham and irom for all your input!

    Q1: Bob can only authenticate if the ACS server is up. When he logs in, commands at level 0, 1 and 15 will be controlled by the ACS configuration. Configuration commands will be controlled by ACS. Commands that may be assigned to levels 2-14 will all be available to bob (if there are any there). If bob logged in, and after logging on, the ACS server connection failed, then he would have full access to all commands.

    Q2: Only SSH connections to the context assigned the role of “admin” would allow for the changeto context command. The administrator probably connected to a context that wasn’t assigned the admin role.

    Q3: When I wrote this, I was thinking of PAM and Split Tunnel Lists. (There may be others, and I appreciate all the great ideas from your responses).

    Q4: Matches on non-initial fragments, where the fragment offset is > 0. The initial fragment, with offset=0 would not match.

    Great work to all! Thank you.
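The method-list behaviour behind Q1, as an added example (not code from the post, from Cisco, or from any commenter): a small model of how IOS walks the post's AAA lists, with the rule that a later method is consulted only when the current one returns an error (server unreachable), never when it returns a fail. The user databases are constructed; the TACACS+ entry for bob and the user carol are assumptions made for the demonstration.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"       # method could not answer (server unreachable)

# Constructed user databases, not data from the post or a real device.
TACACS = {"bob": {"pw": "cisco", "cmds": {"show running-config", "show ip interface brief"}}}
LOCAL = {"bob": {"pw": "cisco", "priv": 15}, "carol": {"pw": "local0nly", "priv": 15}}

def tacacs_login(user, pw, up):
    if not up:
        return Result.ERROR
    rec = TACACS.get(user)
    return Result.PASS if rec and rec["pw"] == pw else Result.FAIL

def tacacs_cmd(user, cmd, level, up):
    if not up:
        return Result.ERROR
    rec = TACACS.get(user)
    return Result.PASS if rec and cmd in rec["cmds"] else Result.FAIL

def local_cmd(user, cmd, level, up):
    # Local command authorization: the local user's privilege level decides.
    rec = LOCAL.get(user)
    return Result.PASS if rec and rec["priv"] >= level else Result.FAIL

def run_list(methods, *args):
    """Walk a method list: a later method is tried only when the current one ERRORs."""
    for method in methods:
        verdict = method(*args)
        if verdict is not Result.ERROR:
            return verdict
    return Result.FAIL            # every method errored: IOS denies

# The post's configuration expressed as method lists.
LOGIN_DEFAULT = [tacacs_login]    # aaa authentication login default group tacacs (no local fallback)
CMD_LISTS = {lvl: [tacacs_cmd, local_cmd] for lvl in (0, 1, 15)}  # commands 0/1/15 default group tacacs+ local
# aaa authorization config-commands: config commands are level 15, so they use the level-15 list.

def can_login(user, pw, tacacs_up):
    return run_list(LOGIN_DEFAULT, user, pw, tacacs_up) is Result.PASS

def can_run(user, cmd, level, tacacs_up):
    if level not in CMD_LISTS:    # levels 2-14 have no list: no authorization is performed
        return True
    return run_list(CMD_LISTS[level], user, cmd, level, tacacs_up) is Result.PASS
```

Note that a command denied by TACACS+ is a FAIL, so the local user bob is never consulted for it; local only takes over once the server stops answering, which is the "full access after the connection failed" case in Q1.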

  18. Bheda Laxman says:

    Thank you. :)

  19. A friend says:

    Hello
    thank you
    I made a script for connecting to R&S racks with SecureCRT in TAB mode and I wanted to mail it to you, but Google didn’t let me.
    How can I send it to you?

    sincerely yours.

    PS: Always be happy that’s the point.

  20. Prateek says:

    Hi :

    Adding another one for Q3 :
    -Java Lists using Standard ACL when configured with HTTP URL Filtering option..

  21. gbar says:

    Sorry to say, but a standard access-list cannot be used in IOS for the split tunnel definition.
    At least not in the IOS version tested in blueprint v3.0.
    You must use an extended ACL. You can use a std acl on ASA for that, but not in IOS.
    If you have doubts, just look at the command with the “?” after the “ACL” word inside the client group configuration and it will say 100-199 or name (and even the named one must be extended), but the absence of the 1-99 numbered range will give you the clue. And besides, it’s documented in the command lookup at cisco.com.
