
Role-based management with centralized authentication, authorization, and logging; centralized authentication of devices connected to the network; traffic isolation and access controls; and encryption of all data leaving the storage network for business continuance, remote vaulting, and backup. The Cisco MDS 9000 family of products is designed to allow storage professionals to achieve optimal security for their SANs. The security features of this product line make it well suited for data-critical...

About the CCNA Security Official Exam Certification Guide

As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This book maps to these topic areas and provides some background material to give context and to help you understand these topics. This section lists this book's variety of features. A number of basic features included in this book are common to all Cisco Press Official Exam Certification Guides. These features are designed to help you prepare to pass the official certification exam, as well as help you learn...

Acknowledgments

I want to thank the team at Cisco Press for their direction and support throughout the writing process. For their support and encouragement throughout this process, I wish to thank and acknowledge Tom Warrick and the instructor team at SkillSoft. I also wish to thank Kevin Wallace, who brought his talent and experience to this project and was an enormous help each step of the way. Finally, I want to thank my family for their continued support through this project, especially my children,...

Additional Cisco Catalyst Switch Security Features

No single network device secures an entire network from all potential attacks. Rather, multiple hardware and/or software solutions work in tandem to help secure the overall network. For example, virtual private networks (VPN) and firewalls can help protect sensitive traffic from eavesdroppers and prevent unwanted traffic from entering a network. As described earlier in this chapter, a Layer 2 Cisco Catalyst switch can also aid in network security. The additional Cisco Catalyst switch security...

Additional Forms of Attack

Buffer overflows are not the only concern. The larger issue is that a buffer overflow may be used to initiate malicious code such as viruses, worms, and Trojan horses so that they may gain access to your system and begin to do their damage. Two of the most destructive worms that have been unleashed on the Internet are SQL Slammer and Code Red. The destruction these worms caused was made possible by remote root buffer overflows. In contrast to worms, viruses are more likely to take advantage of...

Anatomy of a Hash Function

A variety of hash functions exist, but they all share the common characteristic that they are built for speed and are designed to yield very few hash collisions in their expected input domains. A hash collision (sometimes called a hash clash) happens when two distinct inputs entered into a hash function produce identical outputs. Because the output is shorter than many possible inputs, every hash function has collisions; for a well-designed n-bit function, however, finding one should cost on the order of 2^(n/2) evaluations (the birthday bound) rather than happening by accident. In terms of...

Application Guidelines

When it comes to application design, security should not be an afterthought. It is best to approach application design with a focus on two key ideas. First, be sure to apply the least-privilege principle, limiting access where possible. Second, applications should employ modularization and multiple tiers of application functionality, spread over multiple servers. By following these two steps in your design, you can create a much more secure application. Even the best single security mechanism...

Application of Cryptographic Hashes

Let's examine a cryptographic hash to better understand how it works. Suppose Anthony presents Tom with a rather difficult math problem that he claims to have solved. Tom wants to try to solve the problem himself, but he also wants to be sure that Anthony is telling the truth about having solved it. Anthony writes down his solution and then appends a random nonce, computes its hash, and tells Tom this hash value. The nonce that Anthony uses in this case is a random or pseudorandom number...
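The Anthony/Tom exchange above is a hash commitment. The following Python is an added example, not code from the book: Anthony commits to a solution by hashing solution || nonce with SHA-256, and later reveals both so Tom can recompute the hash. The solution string, the nonce length and the attempted substitute answer are constructed assumptions; SHA-256 stands in for whatever hash the book's figure uses.

```python
"""Hash commitment: commit to a solution now, reveal and verify it later.
Added example (not from the book); SHA-256 and the sample strings are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def commit(solution: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment, nonce) where commitment = SHA-256(solution || nonce).

    The random nonce is what makes the commitment hiding: without it Tom could
    hash candidate answers himself and test them against the commitment.
    Collision resistance makes it binding: Anthony cannot later open the same
    commitment with a different solution.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)  # 256 bits: not guessable, not reusable
    digest = hashlib.sha256(solution.encode("utf-8") + nonce).hexdigest()
    return digest, nonce


def verify(commitment: str, nonce: bytes, claimed_solution: str) -> bool:
    """Tom recomputes the hash from the revealed (solution, nonce) pair."""
    digest = hashlib.sha256(claimed_solution.encode("utf-8") + nonce).hexdigest()
    return hmac.compare_digest(digest, commitment)


def demo() -> dict:
    """Walk through the exchange with a constructed sample answer."""
    solution = "x = 42"                      # constructed; stands in for Anthony's proof
    commitment, nonce = commit(solution)     # Anthony sends only `commitment` to Tom
    honest = verify(commitment, nonce, solution)           # later reveal checks out
    cheating = verify(commitment, nonce, "x = 43")         # a swapped answer does not
    # Tom, holding only the commitment, cannot confirm a guess without the nonce.
    guess_without_nonce = hashlib.sha256(b"x = 42").hexdigest() == commitment
    return {"honest": honest, "cheating": cheating,
            "guess_without_nonce": guess_without_nonce}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the nonce must be long and random (a short or predictable nonce lets Tom brute-force the commitment), and the comparison uses a constant-time check so the verifier does not leak how many leading characters of a candidate matched.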

Application of Hash Functions

Hash functions may be used for a variety of applications; therefore, they are often tailored to a given need. Cryptographic hash functions begin with the assumption that an adversary can deliberately try to find inputs with the same hash value. The creation of a well-designed cryptographic hash involves a one-way operation in which no practical way exists to calculate a particular data input that will result in a desired hash value. This one-way nature makes the hash very difficult to forge....

Apply Application Protection Methods

To conclude our discussion of best practices, it is important that we review four key application protection methods that can help make your environment more secure. Using application access controls to enforce least privilege and using secure programming practices are the most significant steps you can take toward application security. The creation of safer, high-level languages, along with the growing awareness of the need for application security among developers, has led to increased...

Authentication and Integrity

One of the more practical uses of a digital signature in today's networks is for authentication and integrity checking. An example of this is the verification of authenticity in a message sent across a network. Many times messages sent across the network include information about the entity sending the message. However, the authenticity of that information might be called into question. Digital signatures give us a mechanism to authenticate the source of such messages. With digital signatures,...

Availability Confidentiality

Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network. A network that provides confidentiality would do the following, as a few examples: use network security mechanisms (for example, firewalls and access control lists (ACL)) to prevent unauthorized access to network resources; require appropriate credentials (for example, usernames and passwords) to access specific...

Best Practices for Securing Endpoints

As mentioned earlier, trusted operating systems exist, but they are expensive and can be cumbersome to support. For the most part these are used for military or government purposes, acting as critical servers or workstations. For most modern operating systems, regardless of vendor, the default configuration is still quite untrustworthy. Significant improvements have occurred in the last ten years, but the sophistication of attacks has also greatly improved. As an administrator, you should...

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time. Do I Know This Already? quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter. Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter. Exam Preparation Tasks: At the end of the Foundation Topics section...

Buffer Overflow Defined

With a buffer overflow, a program writes data beyond the allocated end of a buffer in memory. Often buffer overflows arise from a bug in the application or from improper use of languages such as C or C++ that are not memory-safe. When these overflows occur, valid data may be overwritten as well, making these threats particularly dangerous. Buffer overflows are one of the most commonly exploited computer security risks because of the structure of how computers handle data. Program control data...

Building a Siteto Site IPsec VPN Solution

Many companies have networks located in different geographic locations, and those networks need to communicate securely with one another. Purchasing dedicated WAN connections (for example, T1 connections using Point-to-Point Protocol (PPP)) or purchasing permanent virtual circuits (PVC) (for example, Frame Relay or Asynchronous Transfer Mode (ATM) PVCs) are options for these interoffice connections. However, these solutions might become cost-prohibitive. As a more economical solution, consider the...

Cisco Security Device Manager Overview


Cisco IOS routers support many features (including security features) that require complex configurations. To aid in a number of these configuration tasks, Cisco introduced the Cisco Security Device Manager (SDM) interface. This section introduces SDM, discusses how to configure and launch SDM, and how to navigate the SDM wizards. Cisco SDM provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router, as shown in Figure 3-3. Not only does SDM offer...

Combining IEEE 8021x with Port Security Features

Earlier in this chapter you read about port security features supported on Cisco Catalyst switches. Interestingly, these port security features can be used in conjunction with 802.1x authentication to provide enhanced port security. For example, suppose a client authenticates via 802.1x, and the switch's port security table is not full (or the client's MAC address has been statically configured in the CAM table). The client is permitted to transmit data to the network. However, suppose the...

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands. Table 3-13 Chapter 3 Configuration Command Reference. A global configuration mode command that configures a router's...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Bold indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), bold indicates commands that the user enters (such as a show command). Italic indicates arguments for which you supply actual values. Vertical bars (|) separate...

Components of a PKI

Creating a large PKI involves more than simply the CA and users who obtain certificates. It also involves substantial organizational and legal work. When we consider this in its entirety, we see that five main areas constitute the PKI: CAs to provide management of keys; PKI users (people, devices, servers); a supporting organizational framework (practices) and user authentication through Local Registration Authorities (LRA). A number of vendors provide effective CA servers. These act as a managed...

Configuration Recommendations

Based on the Layer 2 attack mitigation strategies discussed earlier, the following list summarizes the recommended Cisco procedures for securing Layer 2 networks: limit management access for a Layer 2 switch to trusted administrators; if management protocols are used on a switch, use secure management protocols (such as SNMPv3) as opposed to management protocols that transmit information in plain text (such as SNMPv1 and SNMPv2c); disable any services running on the switch that are not...

Configuring AAA

As a network administrator, you must provide network access, as well as guard your network against improper access. The authentication, authorization, and accounting (AAA) model helps you securely manage who and what accesses the network, as well as provides a means of determining when, where, and how this network access can occur. AAA is made up of a series of network security services that together provide a framework for setting up Network Access Control (NAC). This chapter examines the...

Configuring AAA Using the Local User Database

Unauthorized access to a network creates the potential for network intruders to gain access to sensitive network equipment and services. The Cisco AAA architecture provides a means to address this threat through systematic, scalable access security. Of course, network users and would-be intruders are not the only ones to try to access the network. Network administrators also need access to network equipment, and AAA offers a secure means to provide this. Authentication, Authorization, and...

Contents

Chapter 1 Understanding Network Security Principles: Do I Know This Already? Quiz; Why Network Security Is a Necessity; Types of Threats; Scope of the Challenge; Nonsecured Custom Applications; The Three Primary Goals of Network Security; Confidentiality; Integrity; Availability; Categorizing Data; Classification Models; Classification Roles; Controls in a Security Solution; Responding to a Security Incident; Legal and Ethical Ramifications; Legal Issues to Consider...

Controls in a Security Solution

As just mentioned, the work of actually securing data is the responsibility of the custodian. However, if security is applied only through technical means, the results will not be highly effective. Specifically, because most attacks originating inside a network are not technical attacks, nontechnical mitigation strategies are required to thwart them. Cisco defines three security controls contained in a more all-encompassing security solution: Administrative controls are primarily policy-centric....

Creating a Cisco Self Defending Network

Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions. As computing...

Cryptographic Hash Functions

Put simply, a cryptographic hash function takes an input and returns a fixed-length string, which is called the hash value or hash sum. These hash functions, as mentioned in the preceding section, may be used for a variety of purposes, including cryptography. A hash value, as complex as it may become, is, on the surface, simply a concise representation of a longer message or document from which it was derived. The output of the hash function, often called the message digest, is a sort of...

Cryptographic Solution

The mention of cryptography may conjure up images of intrigue and cloak-and-dagger spy movies, but in the real world, cryptography is at the heart of many security implementations. Cryptographic solutions provide confidentiality and integrity of data in circumstances where data might be exposed to threats from untrusted individuals. To create a successful security policy, you must understand the basic functionality of cryptography and how you can use encryption and hashing to provide...

Data Classification Characteristics

Table 1-4 offers a few characteristics by which data can be classified. Table 1-4 Data Classification Characteristics: how valuable the data is to the organization; how long the data will be considered relevant. When determining a classification approach, define how many classification levels you need. Having too many classification levels can prove difficult to administer, whereas having too few classification levels lacks the granularity needed to...

Defending the Perimeter

In addition to Cisco firewall, virtual private network (VPN), and intrusion prevention system (IPS) appliances that can sit at the perimeter of a network, Cisco IOS routers offer perimeter-based security. For example, the Cisco Integrated Services Routers (ISR) can be equipped to provide high-performance security features, including firewall, VPN termination, and IPS features, in addition to other services such as voice and quality-of-service (QoS) services. This chapter introduces various ISR...

Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and...

Defining Endpoint Security

Before you can take steps to defend your endpoints, you must better understand what endpoint security is and what it consists of. We will begin by exploring the fundamental principles involved in host security, as well as discuss the need to defend endpoints from viruses, worms, Trojan horses, and other security threats. Cisco bases its strategy for securing hosts, as well as the more overarching network and enterprise security needs, on three broad elements (see Table 7-2). The Cisco Security...

Defining Voice Fundamentals

This section begins by defining voice over IP and considering why it is needed in today's corporate environment. Because voice packets are flowing across a data infrastructure, various protocols are required to set up, maintain, and tear down a call. This section defines several popular voice protocols, in addition to hardware components that make up a voice over IP network. VoIP sends packetized voice over an IP network. Typically, the IP network serves as a data network as well, resulting in...

Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary: confidentiality, integrity, availability, preventive control, deterrent control, detective control, vulnerability, exploit, phreaker, Defense in Depth, IP spoofing, data diddling, salami attack, denial of service (DoS). This chapter covers the following topics: Increasing operations security: This section explains the day-to-day procedures for deploying, maintaining, and retiring information security...

Developing a Secure Network

Day-to-day network operations include adding new components to the network, monitoring and maintaining existing components, and retiring other components. While you perform these operations, security should be a consideration, so this chapter discusses how security practices can be integrated into such day-to-day operations. Also, network security practices and procedures should be governed by a documented security policy, so this chapter discusses the elements and use of an effective security...

Digital Signature Scheme

Three algorithms generally make up a digital signature scheme: the key generation algorithm, which is used to randomly produce the key pair (public and private keys) used by the signer; the signing algorithm, which, upon input of a message and a signing key, produces a signature; and the signature verifying algorithm, which, upon input of a message, a verifying key, and a signature, is used to either accept or reject the signature.

Do I Know This Already Quiz

The Do I Know This Already? quiz helps you determine your level of knowledge of this chapter's topics before you begin. Table 7-1 details the major topics discussed in this chapter and their corresponding quiz questions. Table 7-1 Do I Know This Already? Section-to-Question Mapping. Securing Endpoints with Cisco Technologies: 1. Network containment is provided by which of the following Cisco Self-Defending Network elements? (Choose all...

Double Tagging

On an IEEE 802.1Q trunk, one VLAN is designated as the native VLAN. The native VLAN does not add any tagging to frames traveling from one switch to another switch. If an attacker's PC belonged to the native VLAN, the attacker could leverage this native VLAN characteristic to send traffic that has two 802.1Q tags. Specifically, the traffic's outer tag is for the native VLAN, and the traffic's inner tag (which is not examined by the switch's ingress port) is for the target VLAN to which the...
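The double-tagging attack above depends on one fact about 802.1Q trunks: frames in the native VLAN are sent without a tag, so the first switch strips the attacker's outer tag and the inner tag survives to the next switch. The Python below is an added example (not from the book): it builds an Ethernet frame with two stacked 802.1Q tags, models the native-VLAN untagging a trunk port performs, and shows which VLAN the frame lands in. The MAC addresses, VLAN numbers (native 1, target 20) and payload are constructed; the frame layout (TPID 0x8100, 16-bit TCI with the VID in the low 12 bits) is the real 802.1Q format. Enabling native-VLAN tagging on the trunk (Cisco's `vlan dot1q tag native`) or moving the native VLAN to an unused VLAN both stop the outer tag from being stripped, and the model shows that too.

```python
"""802.1Q double tagging: build a two-tag frame and model what a trunk does to it.
Added example; MACs, VLAN numbers and payload are constructed test data."""
import struct

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst: bytes, src: bytes, vids: list, payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame with zero or more stacked tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> list:
    """Return the VIDs carried by a frame, outermost first."""
    vids, offset = [], 12                       # tags start right after dst+src
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def egress_trunk(frame: bytes, native_vid: int, tag_native: bool = False) -> bytes:
    """Model a trunk port's untagging rule. A switch looks at ONE tag only; if that tag
    is the native VLAN and native tagging is off, the tag is removed before forwarding.
    Whatever sits underneath (the attacker's inner tag) is passed through untouched."""
    vids = parse_tags(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]          # drop the outer 4-byte tag
    return frame


def demo() -> dict:
    attacker_mac = bytes.fromhex("0200000000aa")   # constructed
    victim_mac = bytes.fromhex("0200000000bb")     # constructed
    native, target = 1, 20                         # assumed native and target VLANs
    frame = build_frame(victim_mac, attacker_mac, [native, target], b"constructed payload")

    # Vulnerable trunk: native VLAN 1, native frames sent untagged.
    after_trunk = egress_trunk(frame, native)
    # Mitigations: tag the native VLAN, or use a native VLAN the attacker is not in.
    tagged_native = egress_trunk(frame, native, tag_native=True)
    unused_native = egress_trunk(frame, native_vid=999)
    return {
        "tags_sent": parse_tags(frame),                         # [1, 20]
        "tags_after_trunk": parse_tags(after_trunk),            # [20]: next switch sees VLAN 20
        "lands_on_target": parse_tags(after_trunk) == [target],
        "tags_with_native_tagged": parse_tags(tagged_native),   # [1, 20]: outer tag kept
        "tags_with_unused_native": parse_tags(unused_native),   # [1, 20]: outer tag kept
    }


if __name__ == "__main__":
    print(demo())
```

The attack is one-way by construction: replies from the target VLAN are not double-tagged on the way back, which is why it is typically used for blind injection rather than full sessions.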

Eapfast

Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST) was developed by Cisco. Similar to PEAP (which commonly carries MS-CHAPv2 inside its tunnel), EAP-FAST protects authentication messages within a secure TLS tunnel. However, EAP-FAST uses shared secret keys rather than a server certificate to establish that tunnel. These keys, which are unique to each user, are called protected access credentials (PAC). PACs, which can be automatically or manually distributed to the supplicants, cause authentication to happen much faster than using digital...

Eapmd5

EAP-MD5 is a standards-based EAP type. This EAP type uses an MD5-Challenge message. This is much like the challenge message used in PPP CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), which uses MD5 (Message Digest 5) as its hashing algorithm. Figure 6-16 shows the messages exchanged in an EAP-MD5 authentication. Notice that the authentication begins when the PC (the supplicant) sends an EAP over LAN (EAPOL) message (specifically, an EAPOL-start message) to the...

Eaptls

Microsoft developed EAP-TLS (Extensible Authentication Protocol Transport Layer Security), which was then standardized by the IETF in RFC 2716 (later RFC 5216). EAP-TLS was designed to address weaknesses found in other EAP types (such as the one-way authentication used by EAP-MD5). However, the trade-off for addressing these weaknesses is increased complexity in the deployment of EAP-TLS. Specifically, EAP-TLS uses certificate-based (that is, X.509 certificate-based) authentication. Therefore, to perform mutual authentication between the supplicant and the...

Encrypting and Decrypting Messages with RSA

Based on our earlier discussion, you know that RSA employs a key pair, a public key and a private key, to encrypt and decrypt messages. A user who wants to receive encrypted messages publishes her public key (n and e) to other users while keeping her private key (d) to herself. When another user wants to send her a confidential message, he encrypts it with the public key he received from her; only her private key can decrypt it. The way this works is that the user (through an application)...
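The "Digital Signature Scheme" section lists the three algorithms (key generation, signing, verifying) and the paragraph above describes RSA encryption with a public key (n, e). The following Python is an added example, not code from the book, showing all five operations on textbook RSA so the roles of the two keys are visible side by side: encryption uses the recipient's public key, decryption her private key, signing the signer's private key, verification his public key. The primes, exponent and sample messages are constructed; the 61/53 pair is the small classic teaching key (n = 3233), and the pair of Mersenne primes 2^31-1 and 2^61-1 only makes the signature demonstration large enough that a tampered message cannot verify by chance. Textbook RSA with no padding, as here, is not safe for real use; real deployments use OAEP for encryption and PSS or PKCS#1 v1.5 for signatures on 2048-bit or larger moduli.

```python
"""Textbook RSA: key generation, encrypt/decrypt, sign/verify.
Added example for illustration only (no padding, tiny keys); not from the book."""
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (n, exponent)


def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Key generation: returns ((n, e), (n, d)). Caller supplies primes p, q here;
    real keys use random primes of ~1024 bits or more."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)             # modular inverse; Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key: Key, m: int) -> int:
    """Anyone holding (n, e) can encrypt; only the private key can undo it."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key: Key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Sign a hash of the message rather than the message itself (see the hash sections)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: Key, message: bytes) -> int:
    """Signing algorithm: input message and signing (private) key, output signature."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key: Key, message: bytes, signature: int) -> bool:
    """Verifying algorithm: accept only if sig^e mod n equals the message digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo() -> dict:
    # Confidentiality with the small teaching key: n = 3233, e = 17, d = 2753.
    alice_pub, alice_priv = keygen(61, 53, e=17)
    c = encrypt(alice_pub, 65)          # sender uses Alice's public key -> 2790
    m = decrypt(alice_priv, c)          # only Alice's private key recovers 65

    # Authentication and integrity with a larger (still toy) key pair.
    bob_pub, bob_priv = keygen(2**31 - 1, 2**61 - 1)
    msg = b"transfer 100 to account 12345"        # constructed sample message
    sig = sign(bob_priv, msg)
    return {
        "n": alice_pub[0], "d": alice_priv[1], "ciphertext": c, "plaintext": m,
        "verified": verify(bob_pub, msg, sig),
        "tampered_verified": verify(bob_pub, b"transfer 900 to account 12345", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants from this block is the asymmetry: `verify` needs nothing secret, so anyone can confirm who signed a message and that it has not changed, while producing `sig` without `d` would require solving the same problem as recovering the private key.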

Exam Engine and Questions on the CD

The CD in the back of the book includes exam engine software that displays and grades a set of exam-realistic questions. The question database includes exam-realistic questions, including drag-and-drop and many scenario-based questions that require the same level of analysis as the questions on the IINS exam. Using the exam engine, you can either study by practicing using the questions in Study Mode or take a simulated (timed) IINS exam. The installation process requires two major steps. The CD...

Examining Application Vulnerabilities

It is important to take the proper steps to address the vulnerabilities faced by your operating system, such as applying service packs and hot fixes and tuning it for secure operation. However, the majority of attacks target applications or, perhaps more specifically, the data they are protecting (or both). These attacks against applications can be categorized as either direct or indirect. Direct: An attacker tricks the application into performing a task using the application's privileges....

Examining Authentication Using Certificates

After the parties involved have installed certificates signed by the same CA, they may authenticate each other, as shown in Figure 14-11. This is done when the two parties exchange certificates. The CA's part in this process is finished, so it is not involved in this exchange. Figure 14-10 Certificate Enrollment Process (Out-of-Band Authentication of User Public Key). Figure 14-11 Authentication Using...

Examining Endpoint Security

To devise a successful strategy to defend your endpoints, you must begin with knowledge of the defenses that are available. This section describes the current endpoint protection methods, such as Host-based Intrusion Prevention System (HIPS), integrity checkers, operating system protection, and the Cisco NAC Appliance. As part of our discussion, we will cover endpoint security and explore the fundamental principles involved in host security. We will also examine specific threats to endpoints,...

Examining Features of Digital Certificates and CAs

A number of authentication mechanisms are available to organizations. The following characteristics are unique to the use of a PKI: Authentication of each party involved begins with the parties each obtaining the CA's certificate and their own certificate. To be secure, this process involves out-of-band verification. When it is complete, the presence of the CA is no longer required until the expiration of one of the certificates that is involved. PKI systems use asymmetric keys. One key is...

Examining Hash Algorithms

For centuries everyone from kings to generals to college students has wanted to ensure the authenticity of their communications. In this section we will examine the role of hash algorithms in helping provide this assurance through the process of hashing. Along the way we will examine hash functions and learn about HMAC, as well as explore MD5 and SHA-1. Let's begin with a brief overview of what a hash function does. A hash function is a means of turning data into a relatively small number that...

Examining Identity Management

CA-based solutions give an organization a means of identity management. This is accomplished in two primary ways: through the CA's acting as the trusted third party in PKI implementations, and through the use of the X.509 standard, which describes the identity and how to store an authentication key. Information about the format of the X.509 certificate and the syntax of the fields in the certificate is described in Abstract Syntax Notation 1 (ASN.1). The concept of a trusted third party embodied in...

Examining the Cisco NAC Appliance

Several technologies can defend endpoints from the common threats they face. The Cisco NAC Appliance is one device that can be used to enhance and complement other endpoint security measures. Effectively the Cisco NAC comes in two flavors. The first is the Cisco NAC framework, which is a software module embedded within NAC-enabled devices. In this framework a number of both Cisco and other NAC-aware vendor products may be used to provide security. The second flavor is the Cisco NAC Appliance....

Examining the Features of the Diffie Hellman Key Exchange Algorithm

The Diffie-Hellman (DH) Key Exchange Algorithm was invented by Whitfield Diffie and Martin Hellman in 1976. The Diffie-Hellman algorithm derives its strength from the difficulty of calculating discrete logarithms of very large numbers. Its functional use is to provide secure key agreement over insecure channels such as the Internet: the two parties never transmit the shared secret itself, only public values from which an eavesdropper cannot feasibly recover it. DH is therefore commonly used to provide keying material for symmetric algorithms such as DES, 3DES, or AES. The DH algorithm serves as the...
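The exchange the paragraph above describes, as an added example in Python (not code from the book): each side picks a private exponent, publishes g^x mod p, and raises the other side's public value to its own private exponent; both arrive at the same secret, which is then hashed into symmetric keying material as the paragraph describes. The group p = 23, g = 5 and the exponents a = 6, b = 15 are constructed for readability; they are far too small for real use, and the block includes a brute-force discrete log to show exactly why (a real deployment uses a 2048-bit or larger MODP/FFDHE group, for which this loop is infeasible). The public-value check rejects 0, 1 and p-1, which an active attacker could send to force the shared secret into a trivial value.

```python
"""Diffie-Hellman key agreement with a toy group.
Added example (not from the book); p, g and the sample exponents are constructed."""
import hashlib
import secrets

P, G = 23, 5     # toy group; 5 generates the full multiplicative group mod 23


def dh_private(p: int = P) -> int:
    """Random private exponent in [2, p-2]; never leaves the host."""
    return secrets.randbelow(p - 3) + 2


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """The value sent in the clear: g^private mod p."""
    return pow(g, private, p)


def valid_public(peer_public: int, p: int = P) -> bool:
    """Reject degenerate values (0, 1, p-1) that would pin the shared secret to 0, 1 or +-1."""
    return 1 < peer_public < p - 1


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Both sides compute the same value: (g^b)^a == (g^a)^b mod p."""
    if not valid_public(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, length: int = 16) -> bytes:
    """Turn the shared secret into symmetric keying material (16 bytes = AES-128)."""
    nbytes = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()[:length]


def discrete_log_bruteforce(public: int, p: int = P, g: int = G) -> int:
    """What an eavesdropper can do when p is small: recover the private exponent."""
    for x in range(p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no solution")


def demo(a: int = 6, b: int = 15) -> dict:
    """Alice holds a, Bob holds b (constructed defaults). Only A and B cross the wire."""
    A, B = dh_public(a), dh_public(b)                 # 8 and 19 for the defaults
    s_alice, s_bob = dh_shared(B, a), dh_shared(A, b)  # both 2 for the defaults
    return {
        "A": A, "B": B, "shared": s_alice,
        "agree": s_alice == s_bob,
        "key": derive_key(s_alice),
        "eavesdropper_recovers_a": discrete_log_bruteforce(A) == a,
    }


if __name__ == "__main__":
    print(demo())
    print(demo(dh_private(), dh_private()))   # fresh random exponents
```

Note that plain DH as shown gives no authentication: an attacker in the middle can run one exchange with each side. That is why IPsec pairs DH with pre-shared keys or certificates, as the IKE sections of this chapter describe.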

Examining the PKI Topology of Cross Certified CAs

Cross-certifying represents another form of hierarchical PKI topology. This structure has a number of flat, single-root CAs. Each of these CAs establishes a trust relationship horizontally by cross-certifying its own CA certificates, as shown in Figure 14-7 (Mutual Cross-Signing of CA Certificates).

Examining the PKI Topology of Hierarchical CAs

For organizations that want to avoid the pitfalls of the single-root CA, more complex CA structures can be devised and implemented. This section examines the hierarchical CA structure and its application, as shown in Figure 14-6. The hierarchical CA structure is a more robust and complicated implementation of the PKI. In this topology, CAs may issue certificates to both end users and subordinate CAs. These subordinate CAs then may issue their certificates to end users, other CAs, or both. This...

Examining the Principles Behind a PKI

To understand all that a PKI has to offer, first you must understand its components. A PKI provides organizations with the framework needed to support large-scale public-key-based technologies. Taken as a whole, a PKI is a set of technical, organizational, and legal components that combine to establish a system that enables large-scale use of public-key cryptography. Via a PKI, an organization can provide authenticity, confidentiality, integrity, and nonrepudiation services. This section...

Exploring Asymmetric Encryption Algorithms

Asymmetric algorithms employ a two-key technology a public key and a private key. Often this is simply called public-key encryption. In this key pair, the public key may be distributed freely, whereas the private key must be closely guarded. If it is compromised, the system as a whole fails. In fact, calling this just public-key encryption oversimplifies this process, because both keys are required, with the complementary key being used to provide decryption. Figure 14-1 shows the use of...

Exploring Firewall Technology

Securing all aspects of your network can be a daunting task. For an organization with ecommerce, intranet, and extranet sites, as well as e-mail, this only adds to the complexity of the task. Of course, there are costs to providing a high level of security, in terms of both staff and equipment needed to implement a network security policy. These costs must be weighed against the possibility of network security breaches. For many organizations, the Cisco IOS Firewall meets their need to provide...

Exploring Hash Algorithms and HMACs

Figure 13-1 is an example of how a simple sentence can be transformed using a hash function to yield a cryptographic result. You can see that changing a single word alters the hash output. Figure 13-1 Changing a single word in the text alters the output of the hash function. Although you might not need to hash a simple sentence like this, many other applications exist in terms of network security. Hashes can be employed to help...
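The Figure 13-1 experiment above (one changed word, a completely different digest) and the HMAC introduced in "Examining Hash Algorithms" and "Cryptographic Hash Functions" are shown together in the following Python, which is an added example rather than code from the book. It uses SHA-256 for the plain hash and HMAC-SHA256 for the keyed hash; the two sample messages and the shared key are constructed. The point it adds to the text is the difference between integrity and authenticity: a bare hash detects accidental corruption but an attacker who rewrites the message simply recomputes the hash, whereas an HMAC cannot be recomputed without the shared key.

```python
"""Plain hash versus HMAC for message integrity and authenticity.
Added example (not from the book); key and messages are constructed."""
import hashlib
import hmac


def sha256_hex(text: str) -> str:
    """Fixed-length digest (256 bits, 64 hex characters) of arbitrary-length input."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hmac_sha256_hex(key: bytes, text: str) -> str:
    """Keyed digest: only holders of `key` can produce or validate this tag."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, text: str, tag_hex: str) -> bool:
    """Constant-time comparison so timing does not reveal how much of the tag matched."""
    return hmac.compare_digest(hmac_sha256_hex(key, text), tag_hex)


def plain_hash_check(text: str, digest_hex: str) -> bool:
    """Receiver-side check when only an unkeyed hash travels with the message."""
    return sha256_hex(text) == digest_hex


def hex_diff_count(a: str, b: str) -> int:
    """How many hex positions differ between two digests (the Figure 13-1 effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def demo() -> dict:
    key = b"constructed-shared-secret"                     # assumed pre-shared between peers
    original = "Routing update: next hop 10.0.0.1"         # constructed sample message
    altered = "Routing update: next hop 10.0.0.2"          # one character changed
    tag = hmac_sha256_hex(key, original)                   # sent along with `original`

    # Attacker on the path rewrites the message and recomputes the unkeyed hash:
    # the receiver's plain-hash check passes, so integrity alone is not authenticity.
    forged = (altered, sha256_hex(altered))
    return {
        "digest_len": len(sha256_hex(original)),
        "single_change_differs": hex_diff_count(sha256_hex(original), sha256_hex(altered)),
        "hmac_ok_original": verify_hmac(key, original, tag),
        "hmac_ok_altered": verify_hmac(key, altered, tag),   # attacker lacks the key
        "plain_hash_forgeable": plain_hash_check(*forged),
    }


if __name__ == "__main__":
    print(demo())
```

This is the mechanism behind the authentication option in IPsec (AH and ESP integrity) and behind routing-protocol authentication on Cisco routers: the shared key never crosses the wire, only the message and its HMAC.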

Exploring PKI and Asymmetric Encryption

Asymmetric encryption algorithms accomplish two primary objectives: confidentiality and authentication. Asymmetric algorithms are slower than symmetric algorithms because they are more complex mathematically. Because asymmetric algorithms are slower, they are usually used as key exchange protocols. This chapter discusses the principles behind asymmetric encryption and provides examples of major asymmetric encryption algorithms, including Rivest, Shamir, and Adleman (RSA), Diffie-Hellman (DH), and...

Exploring Secure Voice Solutions

In the past, large companies used privately owned telephone systems (such as private branch exchanges PBX ) to provide voice services to their employees. As data networks began to emerge, most companies maintained separate voice and data networks, and perhaps even a separate video network. However, with the performance and reliability offered by modern data networks, many network administrators began to see the wisdom of consolidating voice, data, and video traffic on the same network. This...

Exploring Security Fundamentals

As new vulnerabilities and new methods of attack are discovered, a relatively unsophisticated user can potentially launch a devastating attack against an unprotected network. This section begins by describing the challenges posed by the current security landscape. You will learn about the three primary goals of security confidentiality, integrity, and availability. This section also explains traffic classification and security controls. You will learn how to...

Exploring the History of RSA

The algorithm that would become RSA was first described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman of MIT. A quick look at the first letters of their surnames tells you where the term RSA came from. Today RSA encryption is widely known and widely used for a variety of security needs. Interestingly, a British mathematician named Clifford Cocks, who worked for the UK intelligence agency GCHQ, described an equivalent system in a top-secret internal document in 1973. However, because of...

Exploring the Role of Certificate Authorities and Registration Authorities in a PKI

One central tenet behind the use of a PKI and trusted third-party protocols is that all participating parties agree to accept the word of a neutral third party. Should two parties need to validate each other, they turn to this trusted third party, which in turn provides in-depth authentication of the parties involved. This is done rather than having each party perform its own authentication. These entities rely on the third party (the CA) to conduct an in-depth investigation of each entity...

External Threats

Because external attackers probably do not have intimate knowledge of a network, and because they do not already possess access credentials, their attacks tend to be more technical in nature. For example, an attacker could perform a ping sweep on a network to identify IP addresses that respond to the series of pings. Then, those IP addresses could be subjected to a port scan, in which open services on those hosts are discovered. The attacker could then try to exploit a known vulnerability to...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback...

Final Preparation

The first 15 chapters of this book cover the technologies, protocols, commands, and features required for you to be prepared to pass the IINS exam. Although these chapters supply detailed information, most people need more preparation than simply reading the first 15 chapters of this book. This chapter details a set of tools and a study plan to help you complete your preparation for the exams. This short chapter has two main sections. The first discusses the exam engine and the questions on the...

Format of the IINS Exam

The 640-553 IINS exam follows the same general format of other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing...

Government and Military Classification Model

Table 1-2 provides an example of a data classification model that is used by multiple governments and militaries.

Table 1-2 Government and Military Data Classification Example

Data that has few or no privacy requirements
Data that could cause embarrassment but not constitute a security threat if revealed
Data that has a reasonable probability of causing damage if disclosed to an unauthorized party
Data that has a reasonable probability of causing serious damage if disclosed to an...

Guidelines for Working with RSA

Although RSA is widely accepted and has a long history, it is certainly not the fastest algorithm. When compared to Data Encryption Standard (DES) in software, it is approximately 100 times slower. When compared to DES in a hardware implementation, it is nearly 1000 times slower. Because of these speed issues, RSA generally is used to protect only small amounts of data. In fact, RSA is used for two main reasons: to perform encryption to ensure the confidentiality of data, and to generate digital...

HMAC Explained

Keyed Hash-based Message Authentication Code (HMAC) in cryptographic terms is a type of message authentication code (MAC) calculated by using a cryptographic hash function along with a secret key. It may be used to simultaneously verify the data's integrity and the message's authenticity. An iterative cryptographic hash function such as MD5 or SHA-1 may be used to calculate the HMAC. When these are used, the resulting MAC algorithm is called HMAC-MD5 or HMAC-SHA-1, for instance. The...

How This Book Is Organized

This book contains 15 core chapters, Chapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics:

Part I: Network Security Concepts

Chapter 1, Understanding Network Security Principles: This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and...

How to Use This Book to Prepare for the IINS Exam

Using this book to prepare for the IINS exam is pretty straightforward: read each chapter in succession, and follow the study suggestions in Chapter 16, Final Preparation. For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a Do I Know This Already...

Identifying Common Voice Vulnerabilities

Because IP phones are readily accessible and plentiful in many corporate environments, they become attractive targets for attackers. Also, VoIP administrators should be on guard against VoIP variations of spam and phishing (both common in e-mail environments), as well as toll fraud (common in PBX environments). This section details these common attack targets for a VoIP network. Table 9-4 describes a few common VoIP attacks targeting endpoints.

Table 9-4 Common VoIP Attack Targets

Accessing VoIP...

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINS v1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward...

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com. If Cisco later adds exam...

Example 10-7 Using an ACL to Provide RIPv2 Route Filtering

R1(config)# access-list 12 deny 12.2.2.0 0.0.0.255
R1(config)# access-list 12 permit any
R1(config)# router rip
R1(config-router)# distribute-list 12 out
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 12.0.0.0
R1(config-router)# end

Here a standard IP ACL is applied to RIP. Access list 12 is used to prevent R1 from advertising any routes of the 12.2.2.0 DMZ network out of interface e0/0. To this point...

Implementing Digital Signatures

As you examine the security at play in your network and seek to increase your defenses, it is important to have a general understanding of cryptography and digital signatures. In cryptography, a cryptographic hash function is a transformation that takes an input and returns a string, which is called the hash value. Digital signatures are rather like written signatures in that they are used to provide authentication of the associated input, typically called a message. These messages can be...

Implementing Endpoint Security

In the network world, the term endpoint can mean a myriad of devices: everything from workstations to PDAs, laptops to smart phones. This chapter uses endpoint to mean an individual computer or device that acts as a network client. In addition to common endpoints such as laptops, desktop systems, and PDAs, servers may also be considered endpoints in a networked environment. This chapter looks at the variety of threats faced by endpoint devices. It also discusses specific Cisco technologies that...

Increasing Operations Security

After a network is installed, network operations personnel monitor and maintain it. From a security perspective, operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior. A computer network is a dynamic entity, continuously changing to meet the needs of its users. New network components are added and eventually retired. The life of these components can be defined by the System Development Life Cycle (SDLC), which consists of...

Info

Cisco Security Agent with Internal or External Database

Table 7-8 explores the underlying architectural model for the Cisco Security Agent and the two components that make it up.

Table 7-8 Architectural Components of the Cisco Security Agent

Management Center for Cisco Security Agents: Using the Management Center for Cisco Security Agent, you can divide network hosts into groups based on function and security requirements. You may...

Internal Threats

Network security threats originating inside a network tend to be more serious than external threats. Here are some reasons for the severity of internal threats:

Inside users already have knowledge of the network and its available resources.
Inside users typically have some level of access granted to them because of the nature of their job.
Traditional network security mechanisms such as Intrusion Prevention Systems (IPS) and firewalls are ineffective against much of the network misuse...

International Jurisdiction Issues

A unique legal challenge for prosecuting information security offenses deals with jurisdictional issues. For example, an attacker in one country could launch an attack from a computer in another country that targets a computer in yet another country. The international boundaries that were virtually crossed could pose significant challenges to litigators. Fortunately, governments are beginning to collaborate on such investigations and prosecutions. For example, organizations that share law...

Introduction

Congratulations on your decision to pursue a Cisco Certification! If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achieve: the Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with...

Introduction to Cisco IBNS

Cisco IBNS can be deployed on an end-to-end Cisco network, which includes components such as Cisco Catalyst switches, wireless LAN (WLAN) devices (such as wireless access points and controllers), and a RADIUS server (such as a Cisco Secure Access Control Server [ACS]). However, for a client to directly benefit from IBNS, the client operating system needs to support IEEE 802.1x. Fortunately, many modern operating systems (such as Microsoft Windows Vista) support 802.1x. For greater scalability,...

Isolating Traffic Within a VLAN Using Private VLANs

Another way for a Cisco Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Cisco Catalyst switch. A PVLAN domain has a single primary VLAN. Additionally, the PVLAN domain contains secondary VLANs that provide isolation between ports in a PVLAN domain. Cisco Catalyst switches support two categories of secondary VLANs:

Isolated VLANs: Ports belonging to an isolated VLAN lack Layer 2 connectivity...

Legal and Ethical Ramifications

Some businesses must abide by strict government regulations for security procedures. Therefore, information security professionals should be familiar with a few fundamental legal concepts. For example, most countries classify laws into one of the following three types:

Criminal law applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty.
Civil law addresses wrongs that have been committed. However, those wrongs are not considered...

Legal Issues to Consider

As a provider of network connectivity to customers, a service provider needs to be aware of potential liability issues. For example, if an e-commerce company lost a certain amount of business because of a service provider outage, the service provider might be found liable and have to pay damages. Also, some countries are passing laws dictating how companies handle privacy issues. For example, the Notification of Risk to Personal Data Act in the U.S. requires companies and government agencies...

MD5 Features and Functionality

Defined in RFC 1321, MD5 (Message Digest algorithm 5), with its 128-bit hash value, has been employed in a wide variety of security applications. It is also commonly used to check the integrity of files. An MD5 hash typically is expressed as a 32-character hexadecimal number. Figure 13-3 shows a single MD5 operation. In practice, MD5 consists of 64 of these operations. These are grouped in four rounds of 16 operations. In this figure, F is a nonlinear function; one function is used in each...

Mitigating CAM Table Overflow Attacks

A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information used by the switch to make forwarding decisions. Specifically, the CAM table contains a listing of MAC addresses that have been learned from each switch port. Then, when a frame enters the switch, the switch interrogates the frame's destination MAC address. If the destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port. For example, consider...

Nonsecured Custom Applications

The vast majority (approximately 75 percent) of network attacks target specific applications, as opposed to lower-layer attacks. One reason attacks have become more targeted is the trend of attackers to be more motivated by profit, rather than by the fame or notoriety generated by creating a virus, for example. Unfortunately, because many organizations use custom applications (often not written with security in mind), these applications can be prime attack targets. Attacks on custom...

Notifying Network Managers of CAM Table Updates

Cisco Catalyst switches can proactively notify network administrators when CAM table updates occur. For example, if a switch learns a new MAC address and adds it to the CAM table, the Cisco Catalyst switch could send a Simple Network Management Protocol (SNMP) trap (that is, a notification) to a network management station (NMS). Similarly, a trap could be sent when a MAC address is deleted from the CAM table. The mac address-table notification command is used to enable this notification...

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading! However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job. This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and...

Organizational Classification Model

Table 1-3 provides an example of an organizational data classification model.

Table 1-3 Organizational Data Classification Example

Information made available to the public (for example, through marketing materials)
Data that could cause embarrassment but not constitute a security threat if revealed
Organizational information that should be kept secret and whose accuracy should be maintained
Sensitive organizational information (for example,...

Origins of MD5

Ronald Rivest of MIT created Message Digest as a series of message digest algorithms. MD5 was designed to be a secure replacement for its predecessor, MD4, when work demonstrated that MD4 was likely insecure. The security of the MD5 algorithm was initially brought into question in 1993 when researchers found a pseudo-collision of the MD5 compression function. In other words, two different initialization vectors produced an identical digest. In 1996, a true collision of the MD5 compression function...

Overview of IEEE 802.1x

IEEE 802.1x (commonly just called 802.1x) is a standards-based approach for providing port-based network access. Specifically, 802.1x is a Layer 2 protocol that defines how Extensible Authentication Protocol (EAP) frames are encapsulated, typically between a user's network device (such as a PC) and a switch or wireless access point. The 802.1x standard also defines hardware components, as shown in Figure 6-15 and defined in Table 6-4.

Figure 6-15 IEEE 802.1x Hardware Components

Overview of SHA-1

The SHA-1 hash produces a message digest that is 160 bits long, as opposed to 128 bits for MD5. A number of widely used security applications and protocols employ SHA-1, including TLS, SSL, PGP, SSH, S/MIME, and IPsec. SHA-1 has been positioned as the successor to MD5, which was one of the most widely used hash functions until SHA-1 was introduced. As with its predecessor, MD5, researchers have attempted to validate the security of SHA-1. Although it has been somewhat compromised, no attacks have...

Network Security Concepts

Chapter 1 Understanding Network Security Principles
Chapter 2 Developing a Secure Network
Chapter 3 Defending the Perimeter

This chapter covers the following topics:

Exploring security fundamentals: This section explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed.

Understanding the methods of network attacks: This section makes you aware of various threats targeting the security of your network and...

Constructing a Secure Infrastructure

Chapter 7 Implementing Endpoint Security
Chapter 9 Exploring Secure Voice Solutions
Chapter 10 Using Cisco IOS Firewalls to Defend the Network
Chapter 11 Using Cisco IOS IPS to Secure the Network

This chapter covers the following topics:

Defending against Layer 2 attacks: This section explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks.

Cisco Identity-Based Networking Services: This section examines how Cisco Identity-Based Networking Services (IBNS)...

Extending Security and Availability with Cryptography and VPNs

Chapter 12 Designing a Cryptographic Solution
Chapter 13 Implementing Digital Signatures
Chapter 14 Exploring PKI and Asymmetric Encryption
Chapter 15 Building a Site-to-Site IPsec VPN Solution

This chapter covers the following topics:

Cryptographic services can be divided into two halves: the construction of codes and the breaking of codes. This section explores the interworking of cryptographic services and examines symmetric and asymmetric algorithms. It also discusses the use of block and...

PEAP MS-CHAPv2

Protected Extensible Authentication Protocol (PEAP) comes in a couple of variations. PEAP version 0 uses MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2). PEAP version 1 uses GTC (generic token card). However, PEAP using MS-CHAPv2 is far more widely deployed than PEAP using a generic token card. Cisco Systems, Microsoft, and RSA Security collaborated on the development of PEAP with MS-CHAPv2. PEAP increases protection of authentication messages by creating a protected...