SkillFactory expert Sergey Kucherenko on new trends in network security: how to answer new challenges using the Cisco equipment you already have. Watch the webinar recording: http://www.youtube.com/watch?v=JzO8bRguh74&hd=1
3. Scenarios covered: PC and laptop users and the Web; PC, laptop and BYOD devices under MDM (push).
4. Lab: Cisco ISR G2 running IOS 15.3(2)T1. IOS features used: User Based Firewall, Transparent ZBF, ScanSafe Connector, LDAP Server in AAA. Cisco Wireless LAN Controller (5.0.148.0) and ISR WLC on the ISM-SRE-300 module (7.4.110.0): Web Passthrough Authentication, 802.1X Authentication/Authorization.
5. Servers (Microsoft): Windows Server 2008 R2 64-bit with Active Directory, DNS and Network Policy Server (NPS) backed by Active Directory. Meraki Systems Manager (cloud Mobile Device Manager): push, 802.1X.
10. 2. NTLMSSP. The router acts as a virtual proxy; an NTLM-enabled browser (IE/Mozilla/Chrome) supplies the username/password* without prompting the user. The password itself is not sent: the browser answers the router's challenge with an NTLM hash-based response. NTLMSSP browser settings: in Internet Explorer the Virtual-proxy IP/FQDN must be listed in Trusted Sites; in Firefox the Virtual-Proxy IP/name must be in the NTLM trusted-URI list (network.automatic-ntlm-auth.trusted-uris). * The credentials are those of the Windows domain logon; the user database is LDAP (MS AD).
11. Where the group information comes from: local (User Based ZBF with groups defined on the router); RADIUS: the RADIUS server (Cisco ACS / Cisco ISE / Microsoft NPS / ...) returns the Cisco Vendor Specific AV Pair supplicant-group=<group>; LDAP: the LDAP server returns the user's memberOF=<group DN> and IOS maps memberOF= to supplicant-group= through its default attribute map.
12. How does it work? The router holds an IP Admission Rule and an AAA Rule. Client HTTP Request → HTTP Redirect to the Virtual Proxy IP → the browser repeats the HTTP Request to the Virtual Proxy IP, carrying the NTLM hash if NTLM is in use (HTTP Basic otherwise). RADIUS: Authentication Request → Authentication Response with the Cisco AV Pair supplicant-group=... LDAP: Authentication Request → Authentication Response with memberOF=..., translated by the Attribute Map into supplicant-group. ZBF: class-map type inspect with match user-group → policy-map type inspect, class type inspect, inspect → zone-pair security.
13. User Based Firewall, configuration steps: 1. Identity source: a) RADIUS (MS server ↔ IOS), b) LDAP (MS server ↔ IOS), c) Microsoft NAP over RADIUS. 2. AAA for authentication-proxy. 3. authentication-proxy: a) intercept ACL / AAA lists / Virtual IP / Virtual FQDN, b) timers, c) applying authentication-proxy to the interface. 4. ZBF with Group-Info. 5. Verification.
14. User Based Firewall, 1.b) LDAP (MS server ↔ IOS). Define the LDAP server:
R1(config)#ldap server <name>   (<name> is a local label for the server, not its FQDN)
R1(config-ldap-server)#ipv4 <address>
R1(config-ldap-server)#transport port <port>   (use 3268, the Global Catalog port, for MS AD; the IOS default is 389)
R1(config-ldap-server)#base-dn <dn-name>   (<dn-name> is the DN under which users are searched)
R1(config-ldap-server)#bind authenticate root-dn <username-dn> password <password>   (<username-dn> is the DN of the account the router binds with for search/read/lookup; a read-only account is enough)
15. R1(config-ldap-server)#authentication bind-first   (authenticate the user by binding with their credentials first)
AAA server group:
R1(config)#aaa group server ldap <name>   (<name> is the group name; ldap is the server type)
R1(config-ldap-sg)#server <ldap-server-name>
16. 2. AAA for authentication-proxy. AAA Framework:
R1(config)#aaa new-model   (changes authentication for all device access (Telnet/SSH/HTTP), so define an enable secret and a local user first to avoid locking yourself out)
R1(config)#enable secret <password>
R1(config)#username <name> secret <password>
R1(config)#aaa authentication login <list-name> group {radius | <ldap-group-name>}   (<list-name> is the login method list that authentication-proxy will use; group radius for a RADIUS server, or the LDAP group from step 1.b), e.g. aaa group server ldap LDAP_GR gives group LDAP_GR)
17. R1(config)#aaa authorization network <list-name> group {radius | <ldap-group-name>}   (<list-name> is the authorization method list that authentication-proxy will use; same group radius or LDAP group from step 1.b), e.g. LDAP_GR. This is the list that delivers the supplicant-group attribute.)
3. authentication-proxy, a) intercept ACL / AAA lists / Virtual IP / Virtual FQDN. The intercept list is an extended ACL: deny the traffic that must not be intercepted (e.g. to the AD/DNS servers) and permit what should trigger authentication.
18. R1(config)#ip admission name <auth-proxy-name> proxy {http|telnet|ftp} list <ACL-name>   (<auth-proxy-name> names the authentication-proxy rule; {http|telnet|ftp} is the protocol whose traffic triggers authentication, HTTP for browser logon; <ACL-name> is the extended ACL from step 3.a))
R1(config)#ip admission name <auth-proxy-name> {http-basic|ntlm}   (enables an HTTP authentication method; repeat for the other one)
R1(config)#ip admission name <auth-proxy-name> order {http-basic|ntlm}   (which method is offered first; put ntlm first, since http-basic sends the password base64-encoded in clear text over HTTP and is only useful as a fallback for clients outside the domain)
19. Virtual IP / Virtual FQDN:
R1(config)#ip admission virtual-ip <ip> virtual-host <name>   (<ip> is the virtual IP address the browser is redirected to, e.g. 1.1.1.1, an address not used anywhere else; <name> is its FQDN, e.g. isr-proxy. The DNS must hold an A record for that name pointing to the virtual IP, because the browsers' NTLM trusted-site rules are keyed on the name.)
AAA lists for the rule:
R1(config)#ip admission name <name> method-list authentication <list-name> authorization <list-name>   (the lists defined in step 2)
20. b) Auth-proxy timers: Inactivity Timer (default 60 min) and Absolute Timer (default 0, i.e. no absolute limit; set one, because auth-proxy binds the identity to an IP address and an unbounded entry outlives the user on a shared or reused address). Configured globally (ip admission inactivity-timer / absolute-timer) or per rule (ip admission name <name> proxy http inactivity-time / absolute-timer).
21. c) Apply the authentication proxy to the inside (client-facing) interface:
R1(config)#interface <type> <number>
R1(config-if)#ip admission <name>
4. ZBF with Group-Info: a class-map type inspect match-all that combines match user-group with a nested class-map (match-any, for the protocols), or with match access-group for IP-based conditions. Note: the user-group is attached to the client's IP address in the auth-proxy cache, so traffic from an address that has not passed auth-proxy matches no user-group class. Reference the class-maps from a policy-map type inspect.
22. 5. Verification. Test the AAA servers:
R1#test aaa group radius <username> <password> legacy
R1#test aaa group <ldap-group> <username> <password> new-code
Debug:
R1#debug radius
R1#debug ldap all
Auth-proxy:
R1#show ip admission cache
R1#show ip admission cache username <user>
Clear the cache:
R1#clear ip admission cache {*|<username>}
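The steps on slides 13 to 22 assembled into one configuration. This is an added example, not the R1 configuration from the webinar (that one is the Google Drive link on slide 51). Everything concrete in it is an assumption chosen for illustration: the addressing (10.0.0.0/24 inside with the domain controller/DNS at 10.0.0.10, 203.0.113.2 outside), the virtual host 1.1.1.1 / isr-proxy.example.com, the bind account, the group DN CN=Staff,CN=Users,DC=example,DC=com and all object names. Two points to verify on your own image: the two-keyword form `order ntlm http-basic` (the slide lists the command as `order {http-basic|ntlm}`), and the exact string that `match user-group` must carry when the group arrives through the LDAP memberOf mapping.

```cisco
! ---- 1.b) Identity source: LDAP against Windows Server AD (Global Catalog, TCP 3268)
ldap server AD1
 ipv4 10.0.0.10
 transport port 3268
 base-dn dc=example,dc=com
 bind authenticate root-dn cn=isr-bind,cn=Users,dc=example,dc=com password 0 BindPassw0rd
 authentication bind-first
 attribute map AD_GROUPS
!
! Map the user's memberOf attribute to supplicant-group (the slide says IOS does this
! by default; the explicit map keeps the mapping visible in the running config)
ldap attribute-map AD_GROUPS
 map type memberOf supplicant-group
!
aaa group server ldap LDAP_GR
 server AD1
!
! ---- 2) AAA. Local credentials first, so aaa new-model cannot lock you out
enable secret Enabl3Secr3t
username admin privilege 15 secret Adm1nSecr3t
aaa new-model
aaa authentication login default local
aaa authentication login AUTHPROXY_LOGIN group LDAP_GR
aaa authorization network AUTHPROXY_AUTHZ group LDAP_GR
!
! Auth-proxy pages are served by the IOS HTTP server
ip http server
ip http authentication aaa
!
! ---- 3a) Intercept ACL: never intercept traffic to the domain controller / DNS
! (slide 17), and let only HTTP trigger authentication
ip access-list extended AUTHPROXY_INTERCEPT
 deny   ip  any host 10.0.0.10
 deny   udp any any eq domain
 permit tcp any any eq www
!
ip admission name AUTHPROXY proxy http list AUTHPROXY_INTERCEPT
ip admission name AUTHPROXY ntlm
ip admission name AUTHPROXY http-basic
ip admission name AUTHPROXY order ntlm http-basic
! isr-proxy.example.com needs an A record for 1.1.1.1 on the internal DNS (10.0.0.10)
ip admission virtual-ip 1.1.1.1 virtual-host isr-proxy.example.com
ip admission name AUTHPROXY method-list authentication AUTHPROXY_LOGIN authorization AUTHPROXY_AUTHZ
!
! ---- 3b) Timers (global): drop the IP/user binding after 30 idle minutes,
! and unconditionally after 8 hours
ip admission inactivity-timer 30
ip admission absolute-timer 480
!
! ---- 4) Zone-Based Firewall keyed on the group returned by AD
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM_WEB
 match protocol http
 match protocol https
!
! The user-group string must equal what the server returns as supplicant-group; with the
! memberOf mapping that is the group DN. Check it with: show ip admission cache username <user>
class-map type inspect match-all CM_STAFF_WEB
 match user-group CN=Staff,CN=Users,DC=example,DC=com
 match class-map CM_WEB
!
! Only authenticated members of Staff get web access; everything else is dropped and logged
policy-map type inspect PM_IN_OUT
 class type inspect CM_STAFF_WEB
  inspect
 class class-default
  drop log
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_OUT
!
! ---- 3c) Apply: the LAN interface gets the admission rule and the INSIDE zone.
! The router's own LDAP queries to 10.0.0.10 leave the self zone and are allowed by default.
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
 ip admission AUTHPROXY
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
```

To check it, run `test aaa group LDAP_GR <user> <password> new-code` before touching a browser (with `debug ldap all` on if the bind fails), then open any http:// site from a domain-joined PC and confirm the entry in `show ip admission cache username <user>` shows the expected group; if it does not, that is the place to read the exact supplicant-group value the class-map has to match. Traffic from a host that never authenticated falls into class-default and shows up in the log, which is the intended fail-closed behaviour.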
23. 2. ScanSafe Connector. ScanSafe is Cisco's cloud Web security service: URL Filtering by category (Social Networks/News/...), File Filtering by file type, Application Filtering for web-based applications (e.g. allowing Facebook while blocking particular Facebook functions), Antimalware.
27. ScanSafe Connector setup. 1. ScanSafe account (registered with the e-mail of the IT contact). License key in ScanCenter: Admin > Authentication > Company Key > Create New.
28. 2. Parameter-Map, Content Scan, Proxy Servers.
R1(config)#parameter-map type content-scan global   (content-scan is the IOS name for the feature; global is its single parameter-map)
Proxy Servers:
R1(config-profile)#server scansafe primary name <server-fqdn> port http 8080 https 8080
R1(config-profile)#server scansafe secondary name <server-fqdn> port http 8080 https 8080   (the FQDNs are provided with the account; both HTTP and HTTPS go to port 8080)
License:
R1(config-profile)#license {0|7} <key>   (0 = key entered in clear text, 7 = key entered in already-encrypted form)
29. Source IP (the address the router uses toward the proxy servers):
R1(config-profile)#source address ipv4 <address>
Default User-group (reported for clients that have no authenticated identity):
R1(config-profile)#user-group <group-name>
Behaviour when both proxies are unreachable:
R1(config-profile)#server scansafe on-failure {allow-all|block-all}   (block-all fails closed; allow-all leaves users unfiltered until the servers are back)
30. 3. Authentication Proxy with LDAP (MS AD, NTLM), 4. AAA for authentication-proxy and 5. applying authentication-proxy: the same steps as for the User Based ZBF, so that the connector can report the user and group to ScanSafe.
31. 6. User-Group: Basic OS. 7. Enable content scanning of http/https toward ScanSafe on the outside interface:
R1(config)#interface <type> <number>
R1(config-if)#content-scan out
8. Check the Proxy Servers:
R1#show content-scan summary
The User Based ZBF stays in place alongside the content scan.
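The steps on slides 28 to 31 as one configuration. This is an added example, not the webinar's R1 configuration: the proxy FQDNs, the company key, the source address 203.0.113.2 and the group name default-group are placeholders (ScanCenter gives you the real proxy FQDNs and the key). It assumes the auth-proxy rule, AAA lists and interface binding from slides 16 to 21 are already configured, since that is what supplies the user and group the connector sends with each request.

```cisco
! ---- 2) Content-scan parameter map. Proxy FQDNs and the company key are placeholders:
! use the values from your ScanCenter account (Admin > Authentication > Company Key)
parameter-map type content-scan global
 server scansafe primary name proxy-primary.example.net port http 8080 https 8080
 server scansafe secondary name proxy-secondary.example.net port http 8080 https 8080
 license 0 0123456789abcdef0123456789abcdef
 ! the address the towers see the router coming from (slide 29)
 source address ipv4 203.0.113.2
 ! group reported for clients with no auth-proxy identity, so unauthenticated
 ! traffic can be given its own (restrictive) policy in ScanCenter
 user-group default-group
 ! fail closed: with both towers unreachable, web traffic is blocked rather than let out unfiltered
 server scansafe on-failure block-all
!
! ---- 3) to 5) Identity comes from the auth-proxy rule applied on the LAN interface
! (slides 16 to 21, assumed present): the connector uses the user/group cached for the client IP
!
! ---- 7) Scan http/https leaving through the WAN interface
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 content-scan out
```

After applying it, `show content-scan summary` should list both proxies with their state; `show content-scan session active` shows the redirected sessions together with the user and group being sent, which is the quickest way to confirm that authenticated users are not being reported as default-group.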
44. Meraki Systems Manager: 1. Account. 2. Deployment: a) Android Enrollment, b) iOS Enrollment. 3. Tags and Profiles.
45. Meraki Systems Manager, 1. Account: sign in to the dashboard at https://account.meraki.com/login/dashboard_login?go=
46. 2. Deployment (Mobile >>> Deployment). a) Android Enrollment: install the Meraki app from Play Market; the device is enrolled either by scanning the QR code or through Web Enrolment with the Enrolment Code (which also links to the app in Play Market). Note: Web Enrollment can also be sent by e-mail; enrolled devices are grouped by Tag. The enrolment code and QR code let anyone who holds them enrol a device into your organization, so hand them out over an authenticated channel, not a public page.
47. b) iOS Enrollment requires an Apple push certificate: with an Apple ID, download the Meraki Certificate Request to a PC, upload it to the Apple Push Certificates Portal, and import the resulting certificate under Organization >>> Settings (the Apple ID used is recorded there). Enrollment: Web based, QR code, Email.
48. 3. Tags. A Tag ties devices to Profiles (Profile Settings > Tags). Newly enrolled devices carry Tag=recently-added. In Monitor >>> Clients select the device, then Tag >>> Add <your tag> and Tag >>> Remove recently-added. In Mobile >>> Profiles assign the Profile to the Tag.
49. Mobile >>> Settings.
51. Resources:
R1 configuration: https://drive.google.com/file/d/0B0VvUTk8KGWfZG5jdGhFX3B4R0E/edit?usp=sharing
Security Configuration Guide: Zone-Based Policy Firewall: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-1mt/sec-data-zbf-15-mt-book.html
BRKSEC-3007 - Advanced Cisco IOS Security Features (Cisco Live 2012 London): https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=3025&backBtn=true
Cisco ISR Web Security with Cisco ScanSafe Solution Guide: http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf
Cisco ScanCenter Administrator Guide: http://www.cisco.com/en/US/docs/security/web_security/scancenter/administrator/guide/b_ScanCenter_Administrator_Guide.html
Meraki YouTube channel: http://www.youtube.com/channel/UCimwNLMzVRMp7SUPVRNaqew
Wireless LAN Controller Web Passthrough Configuration Example: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809bdb5f.shtml
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml