ISO/IEC 27001 and 27002
ISO/IEC 27001 and 27002 (ISO = International Organization for Standardization, IEC = International Electrotechnical Commission) are the international standards for an ISMS (Information Security Management System). ISO 27001 has 10 sections known as clauses, of which clauses 4.0 to 10.0 are mandatory. The control requirements referenced from clause 6.0 are also known as Annex A, which has 14 sections and 114 controls.
https://www.itgovernance.co.uk/blog/iso-27001-the-14-control-sets-of-annex-a-explained
SNMP Configuration Cisco
Switches
ip access-list standard SNMP-Permitted
10 permit 192.168.130.242
Objects excluded from the read-only view below:
1.3.6.1.2.1.4.21 – ipRouteTable (IP route table)
1.3.6.1.2.1.4.22 – ipNetToMediaTable (IPv4 ARP table) (deprecated by ipNetToPhysicalTable)
1.3.6.1.2.1.4.35 – ipNetToPhysicalTable (combined IPv4/IPv6 translation table)
1.3.6.1.2.1.3 – atTable (layer two address table)
plus the snmpUsmMIB (1.3.6.1.6.3.15), snmpVacmMIB (1.3.6.1.6.3.16) and snmpCommunityMIB (1.3.6.1.6.3.18) objects, so that SNMP users, views and community strings cannot be read back through SNMP itself.
snmp-server view Company-RO iso included
snmp-server view Company-RO 1.3.6.1.2.1.4.21 excluded
snmp-server view Company-RO 1.3.6.1.2.1.4.22 excluded
snmp-server view Company-RO 1.3.6.1.2.1.4.35 excluded
snmp-server view Company-RO 1.3.6.1.2.1.3 excluded
snmp-server view Company-RO 1.3.6.1.6.3.15 excluded
snmp-server view Company-RO 1.3.6.1.6.3.16 excluded
snmp-server view Company-RO 1.3.6.1.6.3.18 excluded
snmp-server enable traps
snmp-server ifindex persist
snmp-server engineID local 8000000903005C710DE1D280
snmp-server location London
snmp-server contact support@Company.com
snmp-server group Company_snmp_mon_grp v3 priv read Company-RO access SNMP-Permitted
snmp-server user Company_snmp_mon Company_snmp_mon_grp v3 auth sha 3ZU50CjGs56ikZwxVLLy-5bm07WEQo priv aes 128 09pxfF-HTIJnhxZvL_vJ-VBKZawXqN
snmp-server host 192.168.130.242 version 3 priv Company_snmp_mon
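To check what the Company-RO view above actually exposes, here is an added Python example (not part of the original notes) that applies the VACM rule IOS uses when resolving a view: the longest matching subtree wins. The view lines are copied from the config above; the probe OIDs are constructed.

```python
"""Resolve which OIDs a Cisco SNMP view exposes (added example, not from the notes).
IOS picks the most specific (longest) matching included/excluded subtree, so
'iso included' plus targeted 'excluded' lines hides routing/ARP tables and
the USM, VACM and community MIBs while leaving the rest readable."""

# Constructed from the 'snmp-server view Company-RO ...' lines above.
VIEW_CONFIG = """
snmp-server view Company-RO iso included
snmp-server view Company-RO 1.3.6.1.2.1.4.21 excluded
snmp-server view Company-RO 1.3.6.1.2.1.4.22 excluded
snmp-server view Company-RO 1.3.6.1.2.1.4.35 excluded
snmp-server view Company-RO 1.3.6.1.2.1.3 excluded
snmp-server view Company-RO 1.3.6.1.6.3.15 excluded
snmp-server view Company-RO 1.3.6.1.6.3.16 excluded
snmp-server view Company-RO 1.3.6.1.6.3.18 excluded
"""

# Symbolic subtree names IOS accepts in place of a numeric OID prefix.
NAMED_SUBTREES = {"iso": (1,), "internet": (1, 3, 6, 1), "mgmt": (1, 3, 6, 1, 2)}


def parse_view(config: str, view_name: str) -> list:
    """Return [(subtree_tuple, included_bool)] for every line of one view."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[:3] != ["snmp-server", "view", view_name]:
            continue
        subtree = NAMED_SUBTREES.get(parts[3]) or tuple(int(x) for x in parts[3].split("."))
        entries.append((subtree, parts[4] == "included"))
    return entries


def oid_visible(view: list, oid_str: str) -> bool:
    """Longest-prefix match decides; an OID under no subtree at all is hidden."""
    oid = tuple(int(x) for x in oid_str.split("."))
    best = None
    for subtree, included in view:
        if oid[: len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


COMPANY_RO = parse_view(VIEW_CONFIG, "Company-RO")

if __name__ == "__main__":
    # sysDescr, an ipNetToMediaTable row, a vacmAccessTable row
    for probe in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.22.1.2.1", "1.3.6.1.6.3.16.1.4.1.1"):
        print(probe, "visible" if oid_visible(COMPANY_RO, probe) else "hidden")
```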
Meraki Devices Series
GETVPN (Group Encrypted Transport VPN) Config (Commands)
GETVPN is not used over the public Internet but on a closed network (e.g. MPLS) where IP routing still works, because the outer header keeps the original internal source and destination IPs even after the ESP header is added (header preservation).
GM (Group Member): Encrypts and Forwards on the Data Plane
KS (Key Server): Control Plane for IPSec (IKEv1 policy, IPsec transform set, IPsec Profile, Crypto ACL, Re-keying policy)
TEK: Traffic Encryption Key (encryption key shared between GMs for data traffic encryption)
KEK: Key Encryption Key (Encryption Key between GMs and KS using UDP port 848)
GDOI (Group Domain Of Interpretation): Group Members Common Agreement
COOP: Protocol used between primary and secondary key servers
(Routing needs to work fully before starting to configure GET VPN)
KeyServer (R4):
crypto isakmp policy 10
enc aes 128
hash sha256
group 14
authen pre-share
exit
crypto isakmp key Cisco123 address 0.0.0.0
crypto ipsec transform-set Our-Transform-Set esp-aes esp-sha-hmac
crypto ipsec profile Our-IPSec-Profile
set transform-set Our-Transform-Set
set security-association lifetime seconds 3600
exit
KS Key-Pair generation:
crypto key generate rsa general-keys label KS-Keys modulus 2048 exportable
ip access-list extended Our-List
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip any any
exit
crypto gdoi group Our-GETVPN-Group
identity number 6783
server local
address ipv4 4.4.4.4 (this is the loopback ip address)
rekey lifetime seconds 1800 (rekey the GMs)
rekey retransmit 40 number 2
rekey authentication mypubkey rsa KS-Keys
rekey transport unicast
sa ipsec 777 (it can be any number)
profile Our-IPSec-Profile
match address ipv4 Our-List
replay time window-size 5
end
Group Member R1 (the other GMs use the same config, except that the crypto map is applied to each router's correct exit interface):
crypto isakmp policy 10
enc aes 128
hash sha256
group 14
authen pre-share
exit
crypto isakmp key Cisco123 address 0.0.0.0
crypto gdoi group Our-GETVPN-Group
identity number 6783
server address ipv4 4.4.4.4
crypto map GM-Map 10 gdoi
set group Our-GETVPN-Group
interface g0/1
crypto map GM-Map
Verification:
ping x.x.x.x
show ip route
show crypto gdoi
show crypto gdoi gm
show crypto gdoi ks
show crypto ipsec sa
show crypto isakmp sa
DMVPN (Dynamic Multi Point VPN) Config (Commands)
(The publicly reachable IP addresses in a DMVPN form what is called the NBMA (Non-Broadcast Multi-Access) network)
(mGRE (Multipoint GRE) is used instead of a separate tunnel interface for each router)
(NHRP (Next Hop Resolution Protocol) is used so routers learn each other's next-hop NBMA address. It also helps build dynamic spoke-to-spoke tunnels when there is a route to both spokes via a hub)
(With DMVPN we don't specify tunnel destinations; instead we specify the NHS (Next Hop Server))
CONFIGURING THE DMVPN HUB – R1 ROUTER:
interface GigabitEthernet0/0
description LAN-Network
ip address 10.1.0.1 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 15.1.1.1 255.255.255.0
duplex auto
speed auto
interface Tunnel0
description mGRE – DMVPN Tunnel
ip address 172.16.123.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig 0/1
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authen Cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp redirect (if phase 3 is supported by the IOS version; otherwise you can use 'no ip next-hop-self' on the hub router so it does not substitute its own IP as the next hop when re-advertising the spokes' routes)
no ip split-horizon eigrp 1
end
CONFIGURING THE DMVPN SPOKES – R2 & R3 ROUTERS:
R2:
interface GigabitEthernet0/0
description LAN-Network
ip address 10.2.0.2 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 25.2.2.2 255.255.255.0
duplex auto
speed auto
interface Tunnel0
description DMVPN Spoke site R2
ip address 172.16.123.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig 0/1 (the WAN interface)
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authen Cisco123
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
end
R3:
interface GigabitEthernet0/0
description LAN-Network
ip address 10.3.0.3 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-Network
ip address 35.3.3.3 255.255.255.0
duplex auto
speed auto
interface Tunnel0
description DMVPN Spoke site R3
ip address 172.16.123.3 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig 0/1 (the WAN interface)
tunnel mode gre multipoint
tunnel key 6783
ip nhrp authen Cisco123
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
end
ROUTING BETWEEN DMVPN mGRE TUNNELS:
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 172.16.123.0 0.0.0.255
R1(config-router)#end
R2(config)#router eigrp 1
R2(config-router)#network 10.0.0.0
R2(config-router)#network 172.16.123.0 0.0.0.255
R2(config-router)#end
R3(config)#router eigrp 1
R3(config-router)#network 10.0.0.0
R3(config-router)#network 172.16.123.0 0.0.0.255
R3(config-router)#end
PROTECTING – ENCRYPTING DMVPN MGRE TUNNELS WITH IPSEC:
R1:
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 86400
exit
!
crypto isakmp key Cisco123 address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
mode transport
exit
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
exit
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
end
R2 and R3:
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 86400
exit
!
crypto isakmp key Cisco123 address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
mode transport
exit
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
exit
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
end
Verification Commands:
show run int tun 0
show dmvpn
show ip nhrp
traceroute 10.3.0.50 source 10.2.0.2
show crypto session
show ip eigrp interfaces
show ip route eigrp
show ip route
show ip cef 10.3.0.0
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map
show crypto
debug nhrp
GRE (Generic Routing Encapsulation) over IPSec VPN Configuration on a Cisco Router
CREATING A CISCO GRE TUNNEL:
R1(config)# interface Tunnel0
R1(config-if)# ip address 10.12.12.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 15.1.1.1
R1(config-if)# tunnel destination 25.2.2.2
ROUTING NETWORKS THROUGH THE GRE TUNNEL:
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#network 10.0.0.0 0.255.255.255
R1(config-router)#end
SECURING THE GRE TUNNEL WITH IPSEC:
(GRE is not protected or encrypted so we use IPSec)
CONFIGURE ISAKMP (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 7
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 5000
Create PSK:
R1(config)# crypto isakmp key cisco123 address 0.0.0.0
CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY):
R1(config)# crypto ipsec transform-set TS esp-aes 128 esp-sha384-hmac
R1(cfg-crypto-trans)# mode tunnel
(The old way was to use a crypto map with an ACL for interesting traffic; the new way is to use VTIs (Virtual Tunnel Interfaces). The default mode for the tunnel is GRE, but we will protect it with IPSec by applying the IPSec profile we created)
Create IPSec Profile :
R1(config)# crypto ipsec profile protect-gre
R1(ipsec-profile)# set security-association lifetime seconds 86400
R1(ipsec-profile)# set transform-set TS
Apply it to the tunnel:
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile protect-gre
Verification Commands:
show run int tun 0
show ip route
show eigrp interfaces
show crypto isakmp policy
show crypto isakmp key
show crypto engine connections active
show crypto isakmp sa
show crypto ipsec sa
show crypto session
Site to Site VPN Config on a Cisco Router
Config isakmp (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
Config Pre-Shared Key – PSK:
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
- Create IPSec Transform (ISAKMP PHASE 2 POLICY):
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel (tunnel mode is the default, so it does not have to be specified)
- Create extended ACL (Interesting Traffic):
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
- Create Crypto Map:
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
R1(config-crypto-map)# set pfs group 2
- Apply crypto map to the public interface:
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
Verification Commands:
show run | section crypto
show crypto isakmp policy
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto isakmp sa detail
show crypto ipsec sa detail
show crypto engine connections active
debug crypto isakmp
debug crypto ipsec
Note: A limitation of IPsec tunnels built with crypto maps is that dynamic routing protocols cannot run over the tunnel, so use a GRE tunnel instead.
Note: ESP (Encapsulating Security Payload) is IP protocol 50 and GRE (Generic Routing Encapsulation) is IP protocol 47.
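The site-to-site policy above (3DES, MD5, DH group 2) and the GRE example (DH group 5) are the kind of settings a config lint should flag before a tunnel goes live; the DMVPN section's AES-256/SHA-512/group 16 policy would pass. The following Python script is an added example, not from the original notes: it walks ISAKMP policies and transform sets in IOS syntax and reports anything below an assumed baseline of AES, SHA-256 and DH group 14. The sample config is constructed from the snippets on this page.

```python
# Added example (not from the notes): lint IOS ISAKMP policies and IPsec transform
# sets for weak algorithms. The baseline below is an assumption, not vendor guidance.

# Constructed from the site-to-site and GRE-over-IPsec snippets on this page.
SAMPLE_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp policy 7
 encr aes 256
 hash sha256
 group 5
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec transform-set TS2 esp-aes 128 esp-sha384-hmac
"""

WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}  # bare 'sha' is SHA-1
MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are treated as weak


def lint_ios_crypto(config: str) -> list:
    """Return (object, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    policy = None  # ISAKMP policy whose sub-commands we are currently inside
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["crypto", "isakmp", "policy"]:
            policy = f"isakmp policy {tokens[3]}"
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            policy = None  # transform-set sub-commands (mode ...) are not policy lines
            for alg in tokens[4:]:
                if alg in WEAK_CIPHERS | WEAK_HASHES:
                    findings.append((f"transform-set {tokens[3]}", f"weak algorithm {alg}"))
        elif policy and tokens[0] in ("enc", "encr", "encryption") and tokens[1] in WEAK_CIPHERS:
            findings.append((policy, f"weak cipher {tokens[1]}"))
        elif policy and tokens[0] == "hash" and tokens[1] in WEAK_HASHES:
            findings.append((policy, f"weak hash {tokens[1]}"))
        elif policy and tokens[0] == "group" and int(tokens[1]) < MIN_DH_GROUP:
            findings.append((policy, f"weak DH group {tokens[1]}"))
    return findings


if __name__ == "__main__":
    for obj, finding in lint_ios_crypto(SAMPLE_CONFIG):
        print(f"{obj}: {finding}")
```

Feed it the output of `show run | section crypto` from the verification list above to audit a live router.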
Checkpoint Evaluation License steps (cplic)
https://help.checkpoint.com/s/
Learn > Product Evaluation > All-in-One Evaluation
Download the license file
cplic put -l LICENSEFILE.lic
cplic print -x (to get the hash of each existing license so the old ones can be deleted)
cplic del KEY_HASH (remove all the old ones)
cplic print -t (to check whether the license is central or local)
cpstop
cpstart
Upload the license file in SmartUpdate as well and attach it. Detach all the old ones.