Skills Tested
Configuring support for securing dynamic routing protocol traffic
Understanding protocol-specific requirements for BGP to transit the Cisco ASA
Solution and Verification
The tasks in this exercise focus on configuring and troubleshooting dynamic routing security using ASA2. MD5-authenticated BGP routing traffic must transit ASA2, which requires exceptions to the ASA's default processing of TCP packets (discussed in more detail in the "Tech Notes" section of this exercise solution). ASA2 is also an OSPF routing neighbor responsible for sourcing routing updates and maintaining peering relationships with other devices. Applying MD5 authentication to the communications between neighbors adds a layer of security by providing origin authentication and message integrity.
For all verification syntax that follows:
Required output appears in red
Task 1: BGP Connectivity Through ASA2
Verification of the solution configured on ASA2 is done by checking whether the BGP session between R6 and R7 is up and whether the network information configured under the BGP section of the router configurations is installed in the neighbor's BGP routing tables.
R6# show ip bgp
BGP table version is 3, local router ID is 172.18.106.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external,

R7# show ip bgp
BGP table version is 5, local router ID is 172.18.107.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external,
ASA2# show conn
15 in use, 31 most used
TCP outside 10.50.70.6:179 inside 10.50.40.7:55489, idle 0:00:43, bytes 229761, flags UIO
Allowing the TCP session for BGP communication is more complex in this deployment because the routing neighbors exchange communications that use MD5 authentication. Verify whether MD5 has been successfully applied:
R7# show ip bgp neighbor | inc md5
  Option Flags: nagle, path mtu capable, md5
Task 2: OSPF Authentication for Routing Update Security
The requirement was to enable OSPF authentication within the area:
ASA2# show ospf | inc Area 2
Verify whether the OSPF adjacencies have been reestablished after authentication was enabled:
ASA2# show ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address      Interface
172.18.107.7      1   FULL/DR    0:00:38     10.50.40.7   inside
The following command output shows verification of the MD5 key ID being used on ASA2. Note that it is possible to enable authentication on a link-by-link basis if it is not required or supported by all neighbors in an area. Per-interface authentication allows a mix of MD5, plaintext password, or NULL options.
ASA2# show ospf interface
....
inside is up, line protocol is up
  Internet Address 10.50.40.20 mask 255.255.255.0, Area 2
  Process ID 1, Router ID 10.50.50.20, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 172.18.107.7, Interface address 10.50.40.7
  Backup Designated router (ID) 10.50.50.20, Interface address 10.50.40.20
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:01
  Index 1/3, flood queue length 0
  Next 0x00000000(0)/0x00000000(0)
  Last flood scan length is 1, maximum is 8
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.18.107.7 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
Configuration
ASA2
tcp-map eBGP
 tcp-options range 19 19 allow
class-map eBGPclass
 match port tcp eq bgp
policy-map global_policy
 class inspection_default
 class eBGPclass
  set connection random-sequence-number disable
  set connection advanced-options eBGP
access-list 101 extended permit tcp any any eq bgp
access-list 101 extended permit tcp any eq bgp any
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.50.40.20 255.255.255.0
 ospf message-digest-key 1 md5 cisco
 ospf authentication message-digest
router ospf 1
 area 2 authentication message-digest
R7
interface GigabitEthernet0/1
 ip address 10.50.40.7 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
router ospf 1
 area 2 authentication message-digest
Tech Notes
Support for MD5 authentication for BGP through the Cisco ASA requires the default behavior of the appliance, which is to randomize TCP sequence numbers, to be disabled. MD5 authentication is applied on the TCP pseudo-IP header, TCP header, and data. TCP uses this data, which includes the TCP sequence and ACK numbers, along with the BGP neighbor password to create a 128-bit hash. The hash is carried in the packet in a TCP header option field; TCP option 19 is used for BGP MD5 authentication.
By default, the ASA offsets the sequence number by a random number, per TCP flow. On the sending BGP peer, TCP uses the original sequence number to create the 128-bit MD5 hash and includes that hash in the packet. When the receiving BGP peer gets the packet, TCP uses the ASA-modified sequence number to create a 128-bit MD5 hash and compares it to the hash included in the packet. The two hashes differ because the ASA changed the TCP sequence value, so TCP on the BGP neighbor drops the packet and logs an MD5 failed message.
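The failure mode described in the Tech Notes, shown as an added example that is not part of the original lab solution: the code computes the RFC 2385 TCP MD5 signature over the pseudo-header, fixed TCP header, data and key, then models the ASA shifting the sequence number with and without random-sequence-number disabled. The addresses, port, BGP password and the KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values (not captured from the lab), following the page's topology:
# R7 (inside, 10.50.40.7) peering with R6 (outside, 10.50.70.6) on TCP port 179.
SRC_IP, DST_IP = "10.50.40.7", "10.50.70.6"
SPORT, DPORT = 55489, 179
PASSWORD = b"cisco"   # BGP neighbor password (assumed; not shown on the page)
TCP_OPT_MD5 = 19      # TCP option kind carrying the RFC 2385 signature
FLAGS_PSH_ACK, WINDOW = 0x18, 16384

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, payload, password,
                   data_offset_words=10):
    """RFC 2385 signature: MD5 over the TCP pseudo-IP header, the fixed TCP
    header (checksum zeroed, options excluded), the segment data, then the key.
    data_offset_words=10 covers the 20-byte header plus the 20-byte MD5 option."""
    tcp_len = data_offset_words * 4 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset_words << 4, FLAGS_PSH_ACK, WINDOW, 0, 0)
    return hashlib.md5(pseudo + header + payload + password).digest()

def sign_segment(seq, ack, payload):
    """Sender side: build the 18-byte option (kind 19, length 18, 16-byte digest)."""
    digest = tcp_md5_digest(SRC_IP, DST_IP, SPORT, DPORT, seq, ack, payload, PASSWORD)
    return bytes([TCP_OPT_MD5, 18]) + digest

def receiver_accepts(seq_seen, ack_seen, payload, option):
    """Receiver side: recompute over the header values actually received."""
    if len(option) != 18 or option[0] != TCP_OPT_MD5 or option[1] != 18:
        return False
    expected = tcp_md5_digest(SRC_IP, DST_IP, SPORT, DPORT, seq_seen, ack_seen, payload, PASSWORD)
    return hmac.compare_digest(expected, option[2:])

def transit_asa(seq, randomize, offset=0x1A2B3C4D):
    """Model the ASA: with randomization on, SEQ is shifted by a per-flow offset;
    with 'random-sequence-number disable' (the page's fix) SEQ passes untouched."""
    return (seq + offset) & 0xFFFFFFFF if randomize else seq

def demo(randomize):
    """Return True if the receiving peer accepts a signed segment after transit."""
    seq, ack = 0x1000, 0x2000
    payload = b"\xff" * 16 + b"\x00\x13\x04"   # constructed BGP KEEPALIVE (marker, len 19, type 4)
    option = sign_segment(seq, ack, payload)    # signed with the original sequence number
    return receiver_accepts(transit_asa(seq, randomize), ack, payload, option)
```

With randomization left on, `demo(True)` reproduces the receiver-side mismatch that the neighbor logs as an MD5 failure; `demo(False)` shows the segment verifying once the ASA leaves the sequence number alone.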
Section 2: Intrusion Prevention and Content Security
This section covers tasks applicable to some specialized Cisco appliances, the Intrusion Prevention Sensor (IPS) and the Web Services Appliance (WSA). Both devices will be initialized and deployed into the network topology as shown in Diagram 1 and Diagram 2 in Part I. The single IPS appliance will be logically partitioned using various deployment modes of operation to service distinct traffic flows in the network. The WSA will handle traffic of interest redirected via Web Cache Communication Protocol (WCCP) from the Cisco ASA. It is important to verify whether traffic is correctly flowing through the appliances before moving on to other exercises in the lab.