About the Author

Fahim Hussain Yusuf Bhaiji, CCIE No. 9305, has been with Cisco Systems, Inc. for over three years and is currently a CCIE proctor in Cisco Systems' Sydney, Australia Lab. He has recently been charged with the management of content development for the CCIE Security. Prior to this, he was Technical Lead for the Sydney TAC Security and VPN team. Yusuf's passion for security- and VPN-related technologies has played a dominant role in his 12 years of industry experience, from as far back as his...

About the Technical Reviewers

Gert De Laet, CCIE No. 2657, has both CCIE Security and Routing and Switching certifications. He has more than nine years of experience in internetworking. Gert currently works for the CCIE team at Cisco in Brussels, Belgium, as CCIE Proctor Content Engineer and Program Manager for EMEA. He also holds an Engineering degree in Electronics.

Gert Schauwers, CCIE No. 6924, has CCIE certifications in Security, Routing and Switching, and Communications and Services. He has more than four years of...

The Need for Security Certification

Security is one of the fastest-growing areas in the industry. Information security is on the top of the agenda for all organizations. Companies have a need to keep information secure, and there is an ever-growing demand for IT professionals who know how to do this. Cisco Systems delivers this by offering CCIE Security certification, setting a professional benchmark in internetworking expertise. This essential need for security in IT is undeniable. International Data Corporation predicted that...

Practice

All labs in this book are multi-protocol, multi-technology, testing you in areas such as Routing, Switching, Security, and VPN, as outlined in the CCIE Security blueprint. When you first read the questions in the lab, you might find them fairly easy, but they are carefully written to present high complexity and many hidden problems. Such is the case in the real CCIE lab exam. To assist you, solutions are provided for the entire lab, including configurations and common show command outputs from...

General Guidelines

Do not configure any static default routes unless otherwise specified or required. Use the DLCIs provided in the diagram. Use the IP addressing scheme provided in the diagram; do not change any IP addressing unless otherwise specified. In the CCIE Lab, initial configurations are loaded, and therefore IP addresses are not to be changed. In this book, each chapter has a separate lab topology with different IP addressing, so each chapter needs to be recabled and all IP addresses need to be redone from the...

Security Written Qualification Exam

The two-hour, multiple-choice exam is computerized and administered at Cisco authorized testing centers. The exam is closed-book and contains 100 questions. No reference materials are allowed in the exam room. For more details, refer to the Security written exam blueprint at

AAA on the Router (4 points)

Configure router authentication and authorization on R4 using TACACS+. Configure two users on ACS, user1 and user2. User1 should have privilege level 10 and user2 privilege level 15. Configure such that user1 is able to run the command show running-configuration only, and user2 is able to run all commands. Configure redundancy such that, in the event the TACACS+ server is down, both users are able to log in using the local database while maintaining the same authorization.

AAA on the Switch

Configure Authentication, Exec Authorization, and Accounting for Exec and Commands on the switch. Refer to Example 2-14 for the AAA configuration on the switch. Refer to Figure 2-11 for the Accounting logs.

Figure 2-11. Exec Accounting Logs from CiscoSecure ACS

There is no need to create an ACL on the PIX for RADIUS requests, as Switch-1 and the AAA server are on the same VLAN.

Access Control

In this case, you can configure autocommand for a user to Telnet to the router. autocommand will execute the required command and exit the session. This way the user will not be able to keep its Telnet session open.

username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
username testconfig autocommand show run
line vty 0 4
 privilege level 15
 password 7 110A1016141D
 login local

Test by Telnetting from R1 to 10.50.13.2.

Username: testconfig
Password: testconfig
Building configuration
Current...

Access Restriction

Any connection initiated from the local host to remote destinations will be allowed back on the same ports. If the remote destination changes the ports in between, the PIX will deny it, as it will not match with its session table. Use the established command to permit return connections on ports other than those used for the originating connection based on an established connection. The source port in this case is 1515, so the remote destination should have return traffic destined for port...

Access Restriction (2 points)

A local host behind PIX 10.1.1.10 starts a TCP connection using source port 1515 to a foreign host 175.1.6.10 on any destination port. PIX is denying this connection for a custom-based application on this server, which has return traffic on ports other than those used for originating the connection when establishing the session. Configure PIX to allow packets from the foreign host 175.1.6.10 source port 2525 back to local host 10.1.1.10 destination port 5252 instead of 1515.

Acknowledgments

I would like to take this opportunity to thank the members of the Sydney TAC Security and VPN team for their support in writing this book. I have benefited greatly from working with them and can proudly say that it has been the best team with which I have ever worked. The wealth of knowledge and diversity of experience within the Cisco Systems, Inc. Technical Assistance Center (TAC) is equal to none. In my mind, these people are gurus. While the list of people I could mention may be endless, I...

Advanced Context-Based Access Control (CBAC)

Allow Java applets from the 164.0.0.0/8 and 165.0.0.0/8 network(s) only, as demonstrated in the example following item 2. Configure CBAC for TCP half-open sessions on a per-host basis to 200 concurrent embryonic connections. Offending hosts are to be blocked for 1 hour, as demonstrated in the following example:

ip inspect name lab6 http java-list 6
ip inspect tcp max-incomplete host 200 block-time 60
access-list 6 permit 164.0.0.0 0.255.255.255
access-list 6 permit 165.0.0.0 0.255.255.255

Advanced IPSec LAN-to-LAN

Configure GRE traffic in section 5.2. The IPSec access list should be host-to-host and use tunnel mode. Configure ISAKMP keepalive to check the connectivity. If the peer does not respond, the phase 1 SA will go down, and this will also take down the phase 2 SAs. Also remember to configure no ip route-cache on all GRE tunnels and physical interfaces where the crypto map is applied. This is a tricky one. Configure GRE between R3 and R6. You need to configure static translation on PIX for loopback2 to the same...

Basic BGP Configuration

Configure R1 as route-reflector server for the BGP connection to R5, as it is not fully meshed. Also configure next-hop-self for the R5 peer, as R1 will advertise all routes learned from iBGP peers to R5 without changing the next hop, and this could cause reachability problems if you don't have proper routes on R5. For iBGP between R3 and R6, you need to create a static NAT for the R6 Ethernet 10.10.6.2 to 10.50.31.22 and permit TCP port 49 on PIX for inbound connections. You will use...

Basic PIX Configuration

Configure RIP for the inside/outside interfaces using MD5 authentication. Configure two separate NAT global instances, one for Loopback-2 on R1 and the other for all networks (0.0.0.0) to PAT on the outside interface, as demonstrated in the following example:

PIX# show nat
nat (inside) 2 22.22.22.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 2 122.122.122.1-122.122.122.254 netmask 255.255.255.0
global (outside) 1 interface

BGP and RIP

Traceroute to 111.111.111.111 (loopback2) from R4. You will notice that the next hop is R5 (10.10.45.5) and not R1 (10.50.13.81) as it is for 11.11.11.11 (loopback1). Why? Because we advertised 111.111.111.111 in both RIP and BGP on R1, so it made it into the BGP table on R5, and since R5 was peering eBGP with R4, the eBGP route overrode the route learned on R4 via OSPF because of its better administrative distance. To confirm, turn on debug ip routing on R4 and clear ip route *, as demonstrated in the following ip routing debug snippet from R4....

BGP Attributes

Advertise loopback1 using the network command on R6. You are restricted from using the network command to advertise loopback2; you will need to redistribute connected routes into BGP. Create an access list and a route map to redistribute loopback2 only. After doing so, do a show ip bgp on R6 and you will find that the origin code for loopback2 is incomplete, denoted by a ?, because it has been redistributed and BGP hasn't learned it internally. To change the origin code to i, use the set origin igp...

BGP Connections

The objective is to always build the BGP connection from outside to inside only. That is, R6 should not be able to build a BGP connection to R3, which it can by default, since packets are going from a higher security level interface to a lower one. To achieve this, you need to configure an ACL on the inside interface and deny the R6 BGP connection to R3:

access-list inside deny tcp host 10.10.6.2 host 10.50.31.2 eq bgp (hitcnt=4)

See also the PIX output in the Solutions...

Cabling Instructions

Use Tables 1-1 and 1-2 for cabling all devices in your topology. You do not have to use the same type or sequence of interfaces; you may use any combination of interface(s) as long as you fulfill the requirement.

Table 1-1. Cabling Instructions (Ethernet)

Table 1-2. Cabling Instructions (Serial)

CBAC

Configure basic IOS Firewall ip inspect commands and inspect TCP, UDP, and HTTP only. Apply inspect outbound on the serial links and an ingress ACL for filtering. In the inbound ACL on the serial links, permit ICMP, OSPF, BGP, and replies from the TACACS+ server, and allow host 111.111.111.111 to Telnet to R2. For anti-spoofing, do a show ip route connected; whichever networks are listed should be denied in the ACL as source networks.

r2# show access-lists 120
Extended IP access list 120
    deny ip 12.12.12.0 0.0.0.255 any...

CCIE Security Practice Labs

Publisher: Cisco Press
Pub Date: February 24, 2004

Seven comprehensive CCIE Security labs to hone configuration and troubleshooting skills. Prepare for the CCIE Security lab exam and hone your security configuration and troubleshooting skills with seven complete practice scenarios that cover:

- VPN configuration, including IPSec, GRE, L2TP, and PPTP
- Intrusion Detection System (IDS) 42xx Appliance configuration
- IP services and protocol-independent features

The explosive growth of the Internet economy...

Change the default network type on the ATM link from nonbroadcast to point-to-point

<snip from R5>
interface ATM0/0
 ip address 171.7.5.2 255.255.255.252
 ip ospf authentication-key 7 094F471A1A0A
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 0 0 700
  protocol ip 171.7.5.1 broadcast
  broadcast

<OSPF network type before changing the default>
  Internet Address 171.7.5.2/30, Area 10
  Process ID 110, Router ID 5.5.5.5, Network Type NON_BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 5.5.5.5, Interface address 171.7.5.2
  No...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars...

Configure an ACL to deny ICMP and permit everything else. Apply this ACL to the Virtual-Template interface

! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip access-group 101 in
 peer default ip address pool pptp-pool
 ppp authentication ms-chap pptp
ip local pool pptp-pool 172.16.11.1 172.16.11.50
access-list 101 deny icmp any any
access-list 101 permit ip any any

<Launch PPTP client connection from Test PC in VLAN5. Verify PPTP session>
PPTP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Intf...

Configure authentication using password cisco as demonstrated in the following example

interface Ethernet0/0
 ip address 164.15.4.6 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip ospf message-digest-key 1 md5 cisco
 standby 1 priority 105 preempt
 standby 1 authentication cisco
 standby 1 ip 164.15.4.100
 standby 1 track Serial0/0

  Local state is Active, priority 105, may preempt
  Hot standby IP address is 164.15.4.100 configured
  Active router is local
  Standby router is 164.15.4.5 expires in 00:00:09
  Standby virtual mac address is 0000.0c07.ac01
  Tracking interface states for...

Configure HSRP Virtual IP 175.1.5.250 with authentication. Use password cisco

<Snip from R3>
interface Ethernet0/0
 ip address 175.1.5.1 255.255.255.0
 standby 1 preempt
 standby 1 authentication cisco
 standby 1 ip 175.1.5.250

r3# show standby
Ethernet0/0 - Group 1
  Local state is Standby, priority 100, may preempt
  Hot standby IP address is 175.1.5.250 configured
  Active router is 175.1.5.3 expires in 00:00:08
  Standby router is local
  Standby virtual mac address is 0000.0c07.ac01

<Snip from R7>
interface FastEthernet0/1
 ip address 175.1.5.3 255.255.255.0
 standby 1...

Configure LAN-to-LAN configuration on the VPN3000 concentrator as shown in Figures 7-6a through 7-6d

Figure 7-6a. LAN-to-LAN Configuration on VPN3000 (Define Peer, Preshared, IKE)

Figure 7-6b. LAN-to-LAN Configuration on VPN3000 (Define Local and Remote Networks)

Figure 7-6d. LAN-to-LAN Configuration on VPN3000 (Modify)

Configure local authentication for Telnet with username ADMIN password cisco

aaa authentication login vty local-case
username ADMIN password 7 00071A150754
access-list 110 permit tcp any any eq telnet time-range work-hours
line vty 0 4
 access-class 110 in
 login authentication vty
time-range work-hours
 periodic weekdays 9:00 to 17:00

Verify Telnet from R2 to R1.

r1# clock set 14:40:00 May 21 2003
r1# show clock
00:00:09 172.16.1.10 Idle Peer Address
time-range entry: work-hours (active)
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry
r1# show access-lists 110
Extended...

Configure NAT on PIX for VLAN2 to 164.15.4.20 as demonstrated in the following example

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 164.15.4.254
global (outside) 2 164.15.4.20

Ping from R1 to anywhere on the network, sourcing from the VLAN2 network, e.g. to 22.22.22.22.

Source address or interface: 10.1.1.1
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos...

Configure NAT on R6 for VLAN5 to 165.1.2.20 as demonstrated in the following example

interface Ethernet0/0
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
interface Serial1/0.1 multipoint
 ip address 165.1.2.17 255.255.255.248
 ip nat outside
 crypto map lab6
ip nat pool lab6 165.1.2.20 165.1.2.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool lab6 overload
access-list 102 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102

Ping from R6 to anywhere on the network sourcing...

Configure priority queuing on R6 to control congestion as demonstrated in the following example

interface Serial1/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 priority-group 1
access-list 110 permit eigrp any any
priority-list 1 protocol ip low gt 1500
priority-list 1 protocol ip medium tcp telnet
priority-list 1 interface Ethernet0/0 medium
priority-list 1 protocol ip high list 110

Current priority queue configuration:
  1  medium  protocol ip  tcp port telnet
  1  high    protocol ip  list 110

Configure queue 3 for ICMP and change the queue length limit from the default 20 packets to 40 packets, as demonstrated in the following

interface Serial1/0
 ip address 179.7.2.4 255.255.255.248
 encapsulation frame-relay
 custom-queue-list 1
access-list 103 permit icmp any 175.1.6.0 0.0.0.255
queue-list 1 protocol ip 1 tcp telnet
queue-list 1 protocol ip 2 list 102
queue-list 1 protocol ip 3 list 103
queue-list 1 protocol ip 4 tcp www
queue-list 1 default 5
queue-list 1 queue 3 limit 40
queue-list 1 queue 4 byte-count 2000

r4# show interfaces serial 1/0
Serial1/0 is up, line protocol is up
  Hardware is cxBus Serial
  Internet address...

Configure the established keyword so that R3 is able to Telnet to R2 but not vice versa, as demonstrated in the following

interface Ethernet0/0
 ip address 164.15.4.6 255.255.255.0
 ip access-group 110 in
access-list 110 permit tcp host 164.15.4.5 host 164.15.4.6 established
access-list 110 deny tcp host 164.15.4.5 host 164.15.4.6 eq telnet
access-list 110 permit ip any any

Telnet from R3 to R2 is successful after applying the ACL.

r3# telnet 164.15.4.5
Trying 164.15.4.5 ... Open

Telnet from R2 to R3 fails after applying the ACL.

r2# telnet 164.15.4.6
Trying 164.15.4.6 ...
% Destination unreachable; gateway or host down
r2#

Verify counters...

Configure Unicast OSPF on R2, R3, and R4 using the neighbor command, as the Frame Relay network by default is nonbroadcast

R2# show ip ospf interface
Serial0 is up, line protocol is up
  Internet Address 179.7.2.2/29, Area 0
  Process ID 110, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 3.3.3.3, Interface address 179.7.2.3
  Backup Designated router (ID) 4.4.4.4, Interface address 179.7.2.4
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:01
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last...

Configure the xlate timeout on PIX to 1 hour using the timeout command (the default is 3 hours), as demonstrated in the

PIX(config)# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Change it using the timeout command shown below.

PIX(config)# timeout xlate 1:00:00
PIX(config)# show timeout
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Congestion Management/QoS (4 points)

Control congestion on R6 by configuring queuing using the following parameters:

- IP packets with a byte count greater than 1500 are assigned a low-priority queue level.
- IP packets originating on or destined for TCP port 23 are assigned a medium-priority queue level.
- IP packets entering on interface Ethernet 0/0 (VLAN5) have medium priority.
- All IP routing protocols configured on R6 have high priority.
- All other IP packets assigned have a high-priority queue level.

Select a queuing type that...

Context-Based Access Control (CBAC)

Inspect TCP, UDP, and HTTP traffic. Configure inspection inbound on Ethernet0 (VLAN_3) on R5. See Example 2-11 for testing CBAC from R7. Configure an anti-spoofing inbound ACL on Serial0 on R5 for dynamic entries. See Example 2-10 to test the anti-spoofing ACL. Refer to the following URL for more on configuring anti-spoofing ACLs:

Example 2-10. Anti-Spoofing Test from R1
<Create a Loopback with the IP address of VLAN3 and do an Extended Ping from R1 to R5>
r1# show ip interface brief...

Copyright

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5...

Dedications

I dedicate this book to my father Asghar Bhaiji for his wisdom and encouragement to succeed in life; to my late mother Khatija Bhaiji, whose love is ever shining on me; to my loving aunts, Fizza and Amina, for nurturing me through my formative years; and to the rest of the family for their encouragement in every endeavor of my life. To my beloved wife Farah, for her love, her continuous support, her sharing of my visions, and her part in my success. To my daughter Hussaina and my son Abbas, whose...

Denial of Service (DoS)

Configure CAR (rate-limit) on R3 to prevent ICMP flooding:

interface Serial1/0.1 point-to-point
 ip address 10.50.13.2 255.255.255.240
 rate-limit input access-group 110 560000 256000 384000 conform-action continue exceed-action drop
interface Serial1/0.3 point-to-point
 ip address 10.50.13.18 255.255.255.240
 rate-limit input access-group 110 560000 256000 384000 conform-action continue exceed-action drop

Configure Unicast RPF (IP spoofing protection) on PIX for the inside and outside interfaces:

pix# show...

EIGRP

Configure EIGRP AS-1 between R3, R5, and R6 in the Frame Relay network 165.1.2.16/29. A hidden issue is that, because of the Frame Relay hub-and-spoke topology, the hub will not advertise routes learned from the spoke(s), since split horizon is enabled. That is, R6 (hub) will not advertise EIGRP routes from R3 to R5 and vice versa. The workaround is to disable split horizon on the Frame Relay link on R6. EIGRP split horizon is disabled using no ip split-horizon eigrp <AS>. See the following...

Equipment List

To perform the practice labs in this book, you need the following devices:

- 8 routers. The routers can be of any model, that is, 2500, 2600, or 3600 series, but prefer modular routers so you can swap modules and adapt to different lab topologies.

You need the following interfaces/cables for different lab topologies. For more details, refer to the Equipment list in each chapter.

- DTE-DCE back-to-back cable for serial ports
- ATM fiber cable (depending on the modules/GBIC)

NOTE Most labs in this book...

Example 3-17. BGP MED

Snip from R2 configuration:

router bgp 1
 no synchronization
 bgp router-id 2.2.2.2
 neighbor 14.14.14.14 remote-as 2
 neighbor 14.14.14.14 ebgp-multihop 255
 neighbor 14.14.14.14 update-source Loopback1
 neighbor 14.14.14.14 route-map setmed out
 no auto-summary
access-list 1 permit 144.144.144.0 0.0.0.255
route-map setmed permit 10
 match as-path 1
 set metric 60
route-map setmed permit 20
 match as-path 2
 set metric 50
route-map setpref permit 10
 match ip address 1
 set local-preference 200
router bgp...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

For R4 and R5 to reach the VLAN5 network via R3, configure metric-type 1 in the OSPF redistribution on R3. Metric type 1 routes

<snip from R3 config>
router ospf 110
 router-id 3.3.3.3
 redistribute eigrp 10 metric 1 metric-type 1 subnets

3d01h: RT: del 175.1.5.0/24 via 175.1.6.2, ospf metric [110/1]
3d01h: RT: add 175.1.5.0/24 via 179.7.2.3, ospf metric [110/65]

<R4 routing table before changing metric type, check the next-hop address for>
     171.7.0.0/16 is variably subnetted, 2 subnets, 2 masks
O IA    171.7.5.0/30 [110/12] via 175.1.6.2, 00:13:38, Ethernet0/0
O IA    171.7.5.0/24 [110/11] via 175.1.6.2, 00:13:38, Ethernet0/0...

Frame Relay Configuration (5 points)

Configure R1 as a Frame Relay switch using the DLCI information provided for Frame Relay routing in Figure 5-2. Configure a full-mesh Frame Relay network between R5, R6, and R7. Do not configure subinterfaces on any router. Configure static frame maps on all routers. Configure Frame Relay routers to verify end-to-end communication. Local PVC status should be active only if the PVC status on the other end is active. Configure three consecutive end-to-end confirmations received and sent before...

Frame Relay DLCI Information

Configure R8 as a Frame Relay switch and use Figure 2-2 for DLCI information. Only DLCIs indicated in Figure 2-2 should be mapped on the routers.

Figure 2-2. Frame Relay DLCI Diagram

Use Figure 2-3 to configure routing protocols for the exercises to follow.

Figure 2-3. Routing Protocol Information

Hidden issue: There is an ingress ACL on the R5 ATM link. You need to allow UDP 1812/1813 from Switch1 to the AAA server

R5# show access-lists 101
Extended IP access list 101
    deny ip any 179.7.2.0 0.0.0.7 (29 matches)
    deny icmp any 175.1.2.0 0.0.0.255 echo-reply (26 matches)
    permit tcp any any eq telnet (90 matches)
    permit tcp any any eq bgp (34 matches)
    permit tcp host 171.7.5.1 host 175.1.2.3 eq tacacs (56 matches)
    permit udp host 175.1.5.25 host 175.1.2.3 eq 1812 (4 matches)
    permit udp host 175.1.5.25 host 175.1.2.3 eq 1813 (10 matches)

Hidden issue: You need to configure another virtual link between R5 and R6 for redundancy of the ISDN link

<snip from R4>
router ospf 110
 router-id 4.4.4.4
 area 0 authentication
 area 6 authentication
 area 6 virtual-link 5.5.5.5 authentication-key 7 094F471A1A0A

<snip from R5>
router ospf 110
 router-id 5.5.5.5
 area 0 authentication
 area 6 authentication
 area 6 virtual-link 6.6.6.6 authentication-key 7 13061E010803
 area 6 virtual-link 4.4.4.4 authentication-key 7 110A1016141D
 area 10 authentication
 area 20 authentication

<snip from R6>
router ospf 110
 router-id 6.6.6.6
 area 0...

Hidden issue: You need to configure static DLCI mapping for 165.1.2.20 on R3 and R5 to 306 and 506 respectively, as

R3# show frame map
Serial0/0 (up): ip 165.1.2.17 dlci 306(0x132,0x4C20), static, broadcast, CISCO, status defined, active
Serial0/0 (up): ip 165.1.2.18 dlci 306(0x132,0x4C20), static, broadcast, CISCO, status defined, active
Serial0/0 (up): ip 165.1.2.20 dlci 306(0x132,0x4C20), static, broadcast,
Serial1/0.1 (up): ip 165.1.2.17 dlci 603(0x25B,0x94B0), static, broadcast, CISCO, status defined, active
Serial1/0.1 (up): ip 165.1.2.18 dlci 603(0x25B,0x94B0), static, broadcast, CISCO, status defined,...

Hidden trick: The NTP master must be configured on R3 and R7 for Switch1 redundancy. Configure the Virtual IP as the NTP

<snip from R7>
ntp authentication-key 1 md5 02050D480809 7
ntp master
end

Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is C2724021.6452EDE7 (03:23:45.391 AST Mon May 19 2003)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

127.127.7.1 configured, our_master, sane, valid, stratum 7
ref ID 127.127.7.1, time C2724021.6452EDE7...

Info

Configure Accounting for Commands to the AAA server. Define the TACACS+ server. See Example 3-29.

Example 3-29. AAA Configuration on R4

logging rate-limit console 10 except errors
aaa new-model
aaa authentication login lab3 local-case line
aaa authentication login console line
aaa authorization exec lab3 local
aaa authorization exec console none
aaa accounting commands 1 lab3 start-stop group tacacs+
aaa accounting commands 5 lab3 start-stop group tacacs+
aaa accounting commands 11 lab3 start-stop...

Introduction

Cerf said, 'The wonderful thing about the Internet is that you're connected to everyone else. The terrible thing about the Internet is that you're connected to everyone else.' The luxury of access to this wealth of information comes with its risks, and anyone on the Internet is potentially a stakeholder. The risks vary from information loss/corruption to information theft and much more. The number of security incidents is also growing dramatically. With all this happening, there is...

Intrusion Detection System (IDS) 621 Basic IDS Configuration

Configure basic IDS on R4 using the ip audit command set. Use the first example that follows to configure IDS, and the second example for the logs generated when an attack signature is detected. Note that communication between the IDS and the Director is on UDP port 45000.

ip audit name lab1 info action alarm
ip audit name lab1 attack action alarm
interface FastEthernet2/0
 ip address 10.10.45.4 255.255.255.0
 ip audit lab1 in
 ip audit lab1 out
 duplex half

6d23h: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented...

IP Fragment Attack

Configure the IP Frag Guard feature with the sysopt security fragguard command on the PIX. This feature enforces two security checks: first, each noninitial IP fragment is required to be associated with an already-seen valid initial IP fragment; second, IP fragments are rate-limited to 100 full IP fragmented packets per second to each internal host. For information on the IP Frag Guard feature, see the following URL:

IP Fragmentation

Use the fragment chain 1 command to specify the maximum number of packets into which a full IP packet can be fragmented. Setting the limit to 1 means that all packets must be whole, that is, unfragmented. See Example 4-44.

pix(config)# show fragment
Interface: outside
    Size: 200, Chain: 1, Timeout: 5
    Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: inside
    Queue: 0, Assemble: 0, Fail: 0, Overflow: 0

For more information, see the following URL:

IPSec LAN-to-LAN Router-to-PIX

Configure LAN-to-LAN IPSec between R6 and PIX for the VLAN5 and VLAN2 networks, respectively. Use preshared authentication, with the other parameters as you feel appropriate, as demonstrated in the following example:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 164.15.4.3
crypto ipsec transform-set lab6 esp-des esp-md5-hmac
crypto map lab6 10 ipsec-isakmp
 set peer 164.15.4.3
 set transform-set lab6
 match address 101
interface Serial1/0.1 multipoint
 ip address 165.1.2.17...

IPSec LAN-to-LAN Router-to-Router

Configure a LAN-to-LAN tunnel between R5 and R6 for the Loopback5 networks, as demonstrated in the following example:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 173.5.1.130
crypto ipsec transform-set lab5 esp-des
crypto map lab5 10 ipsec-isakmp
 set peer 173.5.1.130
 set transform-set lab5
 match address 101
interface Loopback5
 ip address 192.168.1.1 255.255.255.0
interface Serial1/0
 ip address 173.5.1.129 255.255.255.128
 crypto map lab5
ip route 192.168.2.0...

IPSec LAN-to-LAN Through the Firewall Using CA

Overlapping networks on R1 and R5 (10.1.1.0/24) need to be encrypted. The IPSec access list cannot be configured for this directly. The solution is to create NAT on both ends and use the NATed address for the IPSec ACL. See Example 4-26. On an ingress IPSec packet, NAT is performed first, followed by the IPSec ACL. See the following URL for more information about the order of operation:

IPSec LAN-to-LAN Using Preshared

Encrypt BGP traffic between R1 and R7 using the loopback1(s). See Example 3-24. Use preshared authentication and choose all other parameters as appropriate. You need to create a static NAT on PIX and an ACL to permit IPSec and ISAKMP traffic. See Example 3-25.

Example 3-24. IPSec Configuration on R1 and R7

Snip from R1:

crypto isakmp policy 10
 hash md5
crypto isakmp key cisco address 17.17.17.17
crypto ipsec transform-set lab3 esp-des esp-md5-hmac
crypto map lab3 local-address Loopback1
crypto map lab3...

IPSec Remote Access to VPN3000 Concentrator

Configure the VPN3000 interface settings as per the topology diagram in Figure 3-1. Configure OSPF on the private interface and RIPv1 on the public interface. See Figure 3-4 for interface and routing protocol settings.

Figure 3-4. Interface and Routing Protocol Settings on VPN3000

Configure group and user information as shown in Figure 3-5.

Figure 3-5. Group and User Information on VPN3000 (screenshot; text not recoverable)...

L2TP over IPSec Using Certificates

Configure PIX for L2TP over IPSec using CA, as demonstrated in the following example:

<Snip from PIX config>
ip local pool l2tp 70.70.70.0-70.70.70.254
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map lab5-dyna 10 match address l2tp
crypto dynamic-map lab5-dyna 10 set transform-set l2tp
crypto map lab5 10 ipsec-isakmp dynamic lab5-dyna...

LAN Switch Configuration

Configure VLANs on both switches as shown in Table 6-1. Configure ISL trunking between the two switches on Port 1 and configure the native VLAN for the trunk ports as VLAN-100, as demonstrated in the following example:

<Snip from Switch1>
interface FastEthernet0/1
 switchport trunk encapsulation isl
 switchport trunk native vlan 100
 switchport mode trunk

<Snip from Switch2>
interface FastEthernet0/1
 switchport trunk encapsulation isl
 switchport trunk native vlan 100
 switchport mode trunk

Make sure you can ping Loopback1 of R6 and all other networks. Verify in the VPN client connection that only Loopback1

VPN Client Ping Split-Tunnel Network (screenshot of ping output to 66.66.66.66 from the Test PC; text not recoverable)...

Network Address Translation (NAT)

Configure NAT on both R6 and R7 for redundancy, as a packet from VLAN-4 can use either the R6 or R7 path, as demonstrated in the following example. Configure static NAT on R6 and R7 (same on both routers).

interface Ethernet0/0
 ip address 173.5.1.2 255.255.255.128
 ip nat inside
interface Serial1/0
 ip address 173.5.1.130 255.255.255.128
 ip nat outside
ip nat inside source static 173.5.1.40 173.5.1.135
ip nat outside source static 173.5.1.136 173.5.1.41

Pro Inside global...

Network Monitoring and Management

Configure community strings with an ACL to allow host 140.52.0.55 only. See Example 4-49. Hidden trick: you need to punch a hole in the ingress ACL on R6 for UDP port 162 for SNMP traps. See Example 4-50.

Example 4-49. SNMP Configuration on R7 and R8
snmp-server community lab4-read RO 6
snmp-server community lab4-write RW 6
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 140.52.0.55 frame-relay config
access-list 6 permit host 140.52.0.55

Enable debug snmp packet on...

Password Protection (2 points)

Make sure that when users see the configuration of the router, all passwords are secured and not readable. Encrypt the enable password on R2 with a nonreversible algorithm, denoted by the number 5 in the configuration. R2 should prompt for a username and password for privileged access and authenticate against the TACACS server. Do not use any AAA commands to achieve this task. In the event that the TACACS server is down, allow users to log in successfully. Do not use the tacacs-server last-resort command to...

Perimeter Security

If the network is under heavy load and does not give adequate CPU time to system-level tasks such as handling routing protocols, configure the scheduler command to allocate CPU time efficiently. Configure R8 with scheduler allocate 2000 500. For more information on the scheduler command, see the following URL:

Permit any DNS request originating from VLAN2

interface Serial0
 ip address 179.7.2.2 255.255.255.248
 ip access-group 199 in
access-list 199 permit tcp any any eq domain established
access-list 199 deny tcp any any eq domain syn

Verify by telnetting from R3 to R2 on port 53:
r3# telnet 179.7.2.2 53
Trying 179.7.2.2, 53 ...
Destination unreachable; gateway or host down
r3#

Check the ACL counters on R2:
r2# show access-lists 199
Extended IP access list 199
    permit tcp any any eq domain established
    deny tcp any any eq domain syn (46 matches)
    permit ip any...

Policy Routing

Configure policy routing on R1 to change the next hop for the mail and web servers off R3:

interface Serial2/0.2 point-to-point
 ip address 10.50.13.33 255.255.255.240
 ip policy route-map server
interface Serial2/0.3 point-to-point
 ip address 10.50.13.1 255.255.255.240
 ip policy route-map server
access-list 101 permit ip any host 10.50.31.98
access-list 102 permit ip any host 10.50.31.99
route-map server permit 10
 match ip address 101
 set ip next-hop 10.50.13.34
route-map server permit 20
 match ip...

Policy-Based Routing

Configure Policy-Based Routing using a route map and set the default interface to Null0. See Example 3-38. An important thing to remember is to apply the policy on the ingress interface (Serial0), where packets arrive from R3. Ping hosts on unknown networks (ones not used in this lab) from R3. Ping a couple of times and verify on R5 with show route-map black-hole. See Example 3-39.

Example 3-38. Policy-Based Routing on R5

Snip from R5 config:
interface Serial0
 ip address 120.5.72.166...

PPP Authentication and Load Balancing

Configure PPP authentication on the R3 and R6 BRI(s). Configure a username on both routers. Note that R6 is sending the CHAP host name R6 (case-sensitive). Configure username R6 on R3 and username r3 on R6. See Example 4-20 in Section 3.1. Configure the backup load command on R3 to bring up the ISDN link if the VLAN-5 link load exceeds 75 percent, and tear it down when the aggregate load is 5 percent. See Example 4-20 in Section 3.1.

PPTP to PIX with RADIUS Authentication and MPPE Encryption

Configure PPTP remote access to PIX for the Test PC in VLAN9. Configure MS-CHAP authentication, 40-bit MPPE encryption, and RADIUS authentication, as demonstrated in the following example:

access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool pptp-pool 192.168.1.1-192.168.1.10
nat (inside) 0 access-list nonat
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.254 cisco timeout 10
vpdn group 1 ppp authentication chap
vpdn group 1 ppp...

Practice Lab 2 Exercises

As you start Lab 2, remember that each section is marked with its corresponding points. Gauge the value of each question by its points and complexity, and spend adequate time on it. Do not waste time on a section when you get stuck; you must learn to move on and attend to problem sections later. The steps in each exercise are not necessarily intended to be completed in order. They can be done in any order of preference or as you feel appropriate. There may be situations where intentionally the...

Practice Lab 3 Exercises

As you start Lab 3, remember that each section is marked with its corresponding points. Gauge the value of each question by its points and complexity, and spend adequate time on it. Do not waste time on a section when you get stuck; you must learn to move on and attend to problem sections later. The steps in each exercise are not necessarily intended to be completed in order. They can be done in any order of preference or as you feel appropriate. There may be situations where the steps have...

Practice Lab 5 Exercises

Read each exercise carefully before attempting it. Note that some parts of the exercise affect other parts, so it is very important to read the whole test before you begin. This chapter has new additions to the topology (ATM and the IDS). The ATM switch is not required; ATM can be connected back-to-back for lab purposes. See Section 1.4 for ATM. The steps in each exercise are not necessarily intended to be completed in order. They can be done in any order of preference or as you feel...

Prevent this by configuring an ACL on all links to deny TCP port 514, used for RSH.

interface FastEthernet0/0
 ip address 171.8.5.1 255.255.255.0
 ip access-group 101 in
interface FastEthernet0/1
 ip address 178.1.1.2 255.255.255.252
 ip access-group 101 in
access-list 101 deny tcp any any eq cmd

Verify by configuring RSH on R8 as per the URL below and test by executing any IOS command on R8 remotely from any router.

    deny tcp any any eq cmd (16 matches)
    permit ip any any (22 matches)

Section 3.0 ISDN Configuration

Configure OSPF demand circuit for redundancy on R3. Configure R1 as callback server and R3 as callback client. Do not configure a dialer-map on R1, as it will retrieve the callback number from the AAA server. Configure the AAA server with username r3 and its callback attributes. Refer to Figure 1-5 for the PPP callback user profile settings on ACS.

Figure 1-5. PPP Callback Settings on CiscoSecure ACS

As a fallback,...

Section 5.0 IPSec/GRE Configuration

5.1.1 IPSec Remote Access Using Preshared Key

1. Configure the VPN client to terminate on PIX using the preshared key. Refer to Figure 2-5 for setting up the VPN client on Test_PC.

Figure 2-5. Properties for Cisco VPN Client 3.x for Windows

Configure extended authentication and assign IP address, WINS, and DNS. Refer to Figure 2-6 for screen shots of the Cisco VPN client when establishing the connection.

Figure 2-6. Establishing a VPN...

Section 9.0 IP Services and Protocol Independent Features

Create multiple route maps to NAT to the corresponding egress interface. See Example 2-18. See the following sample config to configure GRE/IPSec with NAT.

Example 2-18. NAT Configuration from R4 (R6 and R8 Look Similar Except for the ACL; See Solutions)
interface Loopback10
 ip address 10.1.4.1 255.255.255.0
 ip nat inside
interface Serial2/0
 ip address 110.50.33.4 255.255.255.0
 ip nat outside
interface Dialer1
 ip address 110.50.46.1 255.255.255.0
 ip nat outside
ip nat inside source route-map...

Section 9.0 IP Services and Protocol Independent Features, 9.1 NAT

Configure NAT for Loopback3 (192.168.3.1/24). The objective is that traffic sourced from Loopback3 to anywhere on the network should be translated using the address of the egress interface. For example, if you ping 122.122.122.122, it will use egress interface Serial1/0.3, whereas if you ping 144.144.144.144, it will use egress interface Serial1/0.1. If you ping 166.166.166.166, it will use egress interface FastEthernet0/0. To configure this multihomed NAT, enter the following:

ip nat inside source route-map...

See Figure 7-11 for TACACS+ accounting start-stop time records for billing purposes on CiscoSecure ACS.

Figure 7-11. TACACS+ Accounting for Session Start-Stop Time (Billing Purposes)

See Figure 7-12a for TACACS+ administration for command authorization on CiscoSecure ACS and Figure 7-12b for failed attempts of command authorization on CiscoSecure ACS.

Figure 7-12a. TACACS+ Administration for Command Authorization

Figure 7-12b. Failed Attempts for Command Authorization

Serial Configuration

Serial links between R4 and R2 are connected back-to-back, with no Frame Relay. See Figure 6-1 to configure with PPP encapsulation. Configure AAA with local authentication and authorization for PPP. Configure R2 to send the CHAP host name router2. Configure username router2 on R4 and username r4 on R2, as demonstrated in the following example:

aaa authentication ppp default local
aaa authorization network default local
interface Serial0
 ip address 165.1.2.1 255.255.255.252

aaa authentication ppp default...

Syslog reports lots of false-positive alarms, as shown in the following syslog snip from R6. Disable this alarm from said

*Mar 15 03:10:14.597: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from
*Mar 15 03:10:44.658: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from
*Mar 15 03:11:14.767: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from
*Mar 15 03:11:44.901: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from

TCP SYN DoS Attack (3 points)

An attacker using random source IP addresses is flooding a high number of connections to TCP-based application server(s) in VLAN-4. This causes the servers to maintain high numbers of half-open connections, and they are getting overwhelmed, resulting in denial of service to legitimate users. Configure R1 to monitor TCP traffic to servers in VLAN-7, and drop any half-open connections that do not complete within 15 seconds, hence protecting against TCP SYN-flooding attacks. Do not use IOS FW CBAC or...

The complete AAA configuration on Switch1 is as follows:

aaa authentication login vty group radius local
aaa authorization exec vty group radius local
aaa accounting exec vty start-stop group radius
username switch-telnet password 7 1511021F0725
radius-server host 175.1.2.3 auth-port 1812 acct-port 1813
radius-server retransmit 3
line con 0
 exec-timeout 0 0
 authorization exec con
 accounting exec vty
 login authentication con
line vty 0 4
 password 7 14141B180F0B
 authorization exec vty
 accounting exec vty
 login authentication vty

See Figure 7-13 to...

Time-Based Policy Routing

Configure a time-based access list on R6 and apply it to the policy route, setting the next hop to R5. See Example 4-51. Verify by changing the clock on R5 and running a traceroute to 17.17.17.17 to see whether policy routing with the time-based ACL is working. See Example 4-52.

Example 4-51. Policy Routing with Time-Based ACL on R4
ip local policy route-map time-based-pbr
access-list 170 permit ip any host 17.17.17.17 time-range pbr
route-map time-based-pbr permit 10
 match ip address 170
 set ip next-hop 142.52.0.3...

To filter OSPF routes for R8, configure ospf database-filter on R5 to stop advertising LSAs but continue to advertise

interface Ethernet1/1
 ip address 171.8.5.2 255.255.255.0
 ip ospf database-filter all out

<R8 routing table before applying database-filter on R5>
r8# show ip route ospf
     171.7.0.0/30 is subnetted, 1 subnets
O IA    171.7.5.0 [110/11] via 171.8.5.2, 00:00:50, FastEthernet0/0
     175.1.0.0/24 is subnetted, 3 subnets
O IA    175.1.6.0 [110/11] via 171.8.5.2, 00:00:50, FastEthernet0/0
O E1    175.1.5.0 [110/12] via 171.8.5.2, 00:00:40, FastEthernet0/0
O E2    175.1.2.0 [110/1] via 171.8.5.2, 00:00:40, FastEthernet0/0
...

Traffic-Based Accounting

Configure MAC-based IP accounting on R1 on the VLAN-2 interface (Ethernet0/0), as demonstrated in the example following item 3. The MAC address accounting feature provides accounting statistics for IP traffic based on the source and destination MAC addresses on a LAN interface. Verify MAC accounting information using the show interface mac command, as demonstrated in the following example:

interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip accounting mac-address input
 ip accounting...

Tune signature 2150 using an ACL to deny from host 175.1.5.2. Verify by sending large ICMP packets from the Test PC and R4 or R2.

ip audit notify nr-director
ip audit notify log
ip audit po max-events 100
ip audit po remote hostid 3 orgid 100 rmtaddress 175.1.2.3 localaddress 175.1.6.3 port 45000 preference 1 timeout 5 application director
ip audit po local hostid 1 orgid 100
ip audit signature 2150 list 5
ip audit name lab7 info action alarm
ip audit name lab7 attack action alarm drop reset
interface Ethernet0/0
 ip address 175.1.6.3 255.255.255.0
 ip audit lab7 in
interface Dialer1
 ip address 179.7.2.10 255.255.255.252
 ip...

UDP Broadcast Forwarding

Configure R6 and R7 to forward UDP broadcasts to server 173.5.1.52 in VLAN-4. Enable the custom application on UDP port 2050 and disable the standard UDP NetBIOS name service (port 137), as demonstrated in the following example. Configure the same on the R6 and R7 VLAN-4 interfaces.

<Snip from R7 config>
interface Ethernet0/0
 ip address 173.5.1.3 255.255.255.128
 ip helper-address 173.5.1.52
no ip forward-protocol udp netbios-ns
ip forward-protocol udp 2050

UDP broadcasts by default are not forwarded by the...

Verification Hints and Troubleshooting Tips

As mentioned in the Overview, this section is most useful when you are configuring an exercise and it is not working for you. Use it to verify and compare results by adapting the troubleshooting methods shown. Also provided are the hints needed to configure and complete the respective exercises. Sometimes it is easy to misinterpret a question, which may have hidden and tricky elements that must be configured. This section also guides you in using the most common show and...

Verify ACL and CBAC configurations

<Verify by telnetting from R4 to R7; check the session table and dynamic ACL entry on R5>
r5# show ip inspect sessions
Established Sessions
 Session 62D34A24 (175.1.6.1:11039)=>(171.7.5.1:23) tcp SIS_OPEN
r5# show access-lists 101
Extended IP access list 101
    permit tcp host 171.7.5.1 eq telnet host 175.1.6.1 eq 11039 (27 matches)
    deny ip any 179.7.2.0 0.0.0.7 (29 matches)
    deny icmp any 175.1.2.0 0.0.0.255 echo-reply (10 matches)
    permit tcp any any eq telnet (90 matches)
    permit tcp any any eq...

Verify the IPSec configuration by pinging 192.168.1.1 from R2, sourcing from 192.168.2.1 (Loopback1). Verify the tunnel on R2 and

R2# show crypto engine connections active
(columns spilled in the source: Interface <none>/Ethernet0/Ethernet0, IP-Address 175.1.2.2, State set, Algorithm HMAC_MD5+DES_56_CB)

R2# show crypto isakmp sa
    dst             src             state          conn-id    slot
    175.1.2.5       175.1.2.2       QM_IDLE              1       0

R2# show crypto ipsec sa
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 175.1.2.5
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 102, #pkts encrypt: 102, #pkts digest 102
    #pkts decaps: 102, #pkts decrypt: 102, #pkts verify 102
    #pkts compressed: 0, #pkts...

Verify that queueing is working, as demonstrated in the following example:

<Queue count before ping; note that the low queue count is zero (0)>
r6# show queueing interface serial 1/0
Interface Serial1/0 queueing strategy: priority
Output queue utilization (queue/count)
   high/11 medium/0 normal/235164 low/0

Target IP address: 22.22.22.22
Repeat count [5]:
Datagram size [100]: 2000
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Success rate is 100 percent (5/5),...

Verify that the sensor is receiving packets and events. Enable the ICMP echo and echo-reply signature for HIGH severity. Ping

Enable the ICMP signature for HIGH severity using IDM Signature Configuration mode. Ping from anywhere on the network to 11.11.11.11 and verify on the sensor as follows:

evAlert: eventId=1050202358373315320 severity=high
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 980
  time: 2003/04/24 20:20:11 2003/04/24 20:20:11 UTC
  interfaceGroup: 0
  vlan: 0
  signature: sigId=2004 sigName=ICMP Echo Req subSigId=0 version=S37
  participants:
    attack:
      addr: locality=OUT 164.15.4.6
    victim:
evAlert: eventId=...

Verify the client connection from the Test PC in VLAN 5. See Figures 7-8a and 7-8b.

Figure 7-8a. VPN Client Connection (General)
(screenshot: Cisco Systems VPN Client Connection Status dialog)

Note: Stateful Firewall (Always On) status is not represented above. To view this status, right-click on the system tray icon. If checked, this functionality is enabled.

Figure 7-8b. VPN Client Connection (Statistics)
(screenshot: Cisco Systems VPN Client Connection Status dialog showing packets decrypted, packets bypassed, bytes out, packets encrypted, and packets discarded)

Web Server Security

Configure the embryonic connection limit on the static translation on PIX for web server 120.5.72.120. See Example 3-33.

Example 3-33. Embryonic Connection Limit on PIX
static (inside,outside) 120.5.72.120 10.1.4.120 netmask 255.255.255.255 0 5000 norandomseq

For more information, see the PIX Command Reference URL:

Why Security Certifications

Security is one of the fastest-growing areas in the industry. The expansive development of the Internet, the increase in e-business, and the escalating threat to both public- and private-sector networks have made security and the protection of information a primary concern for all types of organizations. There is an ever-increasing demand for experts with the knowledge and skills to do it. Therefore, trained Network Security personnel will be required in the years to come.