Cisco Secure ACS

Cisco Secure Access Control Server (ACS) is a network security software application that provides a number of security features such as logging, debugging, authorization, and authentication of users. Cisco ACS supports both RADIUS and TACACS+. You can download a trial version of the software, which is supported on a Windows-based platform, at http://cisco.com/public/sw-center by clicking the link to Cisco Secure Software. Although the CCIE Security written exam does not heavily test this application, it...

This book

Every chapter of this book covers one of the objectives from the CCIE Security 2.0 written exam. This book will be a valuable asset for potential CCIE Security candidates. I am positive individuals will inevitably gain extensive network security knowledge during their preparation for the CCIE Security

Catalyst Ethernet MSFC Setup 0.25 Hour

NOTE The CCIE R&S lab contains two Catalyst 3550s per candidate rack; the 6500 is purposely used here so that the difficulty level is much higher. Configure R9 (a 6509 with an MSFC card) for IP routing. Example C-1 (show module on R9, the MSFC) displays the hardware profile of the Catalyst 6509 switch. Using the information displayed in Example C-1, configure the MSFC for IP routing in VLAN 6 only, using RIPv2 only. Do not route between any other interfaces.

Need for Security Certification

Security is one of the fastest-growing areas in the industry. Information security is on top of the agenda at all organizations. Companies have a need, and many times a legal requirement, to keep information secure. As a result, there is an ever-growing demand for IT professionals with the skills to implement effective, end-to-end security solutions to guard against all manner of threats. Cisco Systems helps to meet this demand by offering CCIE Security certification, setting the professional...

IP Configuration and IP Addressing No Time

NOTE Because of recent changes to the CCIE exam, the candidate is not required to configure IP addressing. However, the subject is presented here to ensure that potential CCIE candidates have a good understanding of IP address spaces and subnetting. No time is projected for this section. Use the Class B subnetted IP addresses 131.108.0.0 to 131.108.255.255 to design your network. You must use this address space for all addresses unless specified in a particular question. Read the entire task...

Cisco IOS Specifics and Security

This chapter covers the CCIE Cisco IOS specifics topic area. Unfortunately, the blueprint does not detail the exact requirements, and Cisco IOS in general could mean the entire range of topics. Thus, this chapter covers topics that are actually possible topics on the written exam and that are common to the routing and switching blueprint. This chapter covers routing and switching blueprint objectives together with the security blueprint objectives. The CCIE technical teams generally gather the...

Cisco Secure Intrusion Detection System and Catalyst Services Modules

This section covers tools that are useful for managing network security. Cisco Secure IDS, formerly known as NetRanger, is designed to efficiently and effectively protect your network against intruders from inside and outside of your networking domain. NOTE The CCIE Security written exam still refers to the term NetRanger. The new CCIE Security exam no longer tests the NetSonar application. NetRanger is now commonly known as Cisco Secure Intrusion Detection System or Cisco Secure IDS. This...

Preparing for this

You can use any combination of routers and switches to complete this lab as long as you fulfill the requirement for a properly routing and secure topology. If you do not have some of the equipment, the example displays will show you what you should expect to see in a working CCIE lab topology, which will be an invaluable resource and study guide. NOTE As of July 2004, the hardware types you can expect to see in the real CCIE Security lab exam, as documented by Cisco, are as follows: Catalyst...

Encryption Technology Overview

When prominent Internet sites, such as http://www.cnn.com, are exposed to security threats, the news reaches all parts of the globe. Ensuring that data crossing any IP network is secure and not vulnerable to threats is one of today's most challenging tasks in the IP storage arena (so much so that Cisco released an entirely new CCIE for the storage networking certification track). Major problems for network administrators include the following: Packet snooping (eavesdropping): When intruders capture...

Network Security Policies Vulnerabilities and Protection

This chapter reviews today's most common Cisco security policies and the mechanisms available to the Internet community to combat cyber attacks. The CERT Coordination Center (CERT/CC) is covered, along with descriptions of Cisco IOS-based security methods that ensure that attacks are reported and acted upon. This chapter covers, in detail, common exploits such as attacks based on common vulnerabilities, reconnaissance attacks, backdoors, and protocol weaknesses. Cisco Security applications,...

IP Access List 01 Hour

You have decided to secure Routers R1 and R2 so that only hosts from your address space are allowed to Telnet to them. In addition to securing these routers, you also need to make sure that the only source IP addresses that can be trusted are the predefined loopbacks on Routers R1 through R9. You must record the denied attempts to Telnet to R1 or R2 in the local buffer log. The security architect has decided that the allowed hosts, when Telnetting to R1 or R2, are to be authenticated by the router...
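One configuration for R1 that meets the requirements above, as an added example rather than the book's own solution. It assumes the loopbacks of R1 through R9 are 131.108.255.1 through 131.108.255.9, that local authentication on the router is acceptable, and that the username and password are placeholders; the same lines apply unchanged to R2.

```cisco
! Added example, not the book's solution.
! Assumptions: loopbacks of R1-R9 are 131.108.255.1-.9; local login; placeholder credentials.
!
! Trusted sources: only the nine loopbacks (all inside 131.108.0.0/16).
! The final "deny any log" makes every rejected Telnet attempt generate a
! %SEC-6-IPACCESSLOGS message, which the buffered logging below captures.
access-list 10 remark Trusted Telnet sources: loopbacks of R1-R9
access-list 10 permit host 131.108.255.1
access-list 10 permit host 131.108.255.2
access-list 10 permit host 131.108.255.3
access-list 10 permit host 131.108.255.4
access-list 10 permit host 131.108.255.5
access-list 10 permit host 131.108.255.6
access-list 10 permit host 131.108.255.7
access-list 10 permit host 131.108.255.8
access-list 10 permit host 131.108.255.9
access-list 10 deny   any log
!
! Keep ACL log messages (severity 6, informational) in the local buffer.
logging buffered 16384 informational
!
! Local user database used to authenticate the permitted hosts.
username ccie secret 0 Ch4ngeMe-Now
!
line vty 0 4
 access-class 10 in
 login local
 transport input telnet
 exec-timeout 5 0
```

To test, Telnet from a permitted router with the loopback as source (telnet 131.108.255.1 /source-interface Loopback0) and then from a non-loopback address; the second attempt is refused and appears in show logging as a %SEC-6-IPACCESSLOGS entry. Telnet carries the credentials in cleartext, so where a task does not mandate Telnet, transport input ssh is the better choice.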

Scenario Solutions

The following debug output advises the network administrator of the problem:

22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed its sanity check or is malformed

During the IKE negotiation, the router reports a message that identifies the fault as the shared (pre-shared) key. R2 is configured with the key CCIe, which should match R1's pre-shared key, CCIE; IOS pre-shared keys are case sensitive, so the two do not match. See Example 4-17, line 7. Changing the IKE key to CCIE with the IOS command crypto isakmp key CCIE address...
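The mismatch and its fix in context, as an added example rather than Example 4-17 from the book. It assumes R1's address is 131.108.255.1 (the peer named in the log message), R2's address is 131.108.255.2, and an ISAKMP policy using 3DES, SHA-1, and pre-shared keys on both routers:

```cisco
! Added example, not Example 4-17. Assumes R1 = 131.108.255.1, R2 = 131.108.255.2.
!
! R1
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CCIE address 131.108.255.2
!
! R2, as first configured: the same policy, but the key is CCIe.
! Pre-shared keys are compared byte for byte, so the case difference means
! the Main Mode authentication hash cannot be verified, which the receiving
! router reports as %CRYPTO-4-IKMP_BAD_MESSAGE.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CCIe address 131.108.255.1
!
! R2, corrected: remove the wrong key and enter the matching one.
no crypto isakmp key CCIe address 131.108.255.1
crypto isakmp key CCIE address 131.108.255.1
!
! Verification after the change (interesting traffic must trigger IKE):
!   show crypto isakmp sa      -> state should reach QM_IDLE
!   debug crypto isakmp        -> no further sanity-check failures
```

The key is stored in the configuration, so treat show running-config output on either router as sensitive.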

Do I Know This Already

1. What IOS command will display the System Flash?
2. The network administrator has forgotten the enable password, and all passwords are encrypted. What should the network administrator do to recover the password without losing the current configuration? Answer: c. Reboot the router, press the Break key after the reload, and enter ROM mode and change the configuration register.
3. What is the enable password for the following router? enable password Simon Answer: b. Simon.
4. If the configuration...

Foundation Summary

The Foundation Summary is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the Foundation Topics material, the Foundation Summary will help you recall a few details. If you just read the Foundation Topics section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the Foundation Summary offers a...

Address Resolution Protocol

ARP determines a host's MAC address when the IP address is known. For example, to ping one device from another, the Layer 2 MAC fields require a destination MAC address. Because this is the first such request, a broadcast packet is sent across the wire to discover the remote host's MAC address. Figure 1-11 displays a scenario where PC1 wants to ping Host PC2. When PC1 sends a ping request to PC2 using the known IP address 1.1.1.2 (Layer 3), a broadcast Layer 2 frame must first be sent by PC1...

Advanced Security Concepts

A wealth of security concepts have been covered in the previous chapters; now you are ready to look at some of the techniques used to secure the areas of your network that are most exposed to attack, in particular the demilitarized zone (DMZ). The DMZ is defined as an isolated part of the network that is reachable from hosts outside of the network, such as the Internet. Figure 6-1 displays a typical network design in which a DMZ is defined with a number of bastion hosts (first line of...

Authentication Authorization and Accounting

Authentication, authorization, and accounting (AAA, pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices. AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information. In today's IP networks, access to network data is available in a variety of methods, including the...

Authorization

Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS provides access levels (called privilege levels, numbered 0 through 15) that control which IOS commands the user can issue. For example, a user with a privilege level of 0 can issue very few IOS commands. There are five commands at privilege level 0: disable, enable, exit, help, and logout. A user with a privilege level of 15...
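An added example (not from the book) of carving out an intermediate privilege level: a user at level 5 may clear counters and lines but cannot enter configuration mode. The username and all passwords are placeholders.

```cisco
! Added example, not from the book. Placeholder passwords throughout.
!
! Level-15 enable secret and a separate secret that unlocks level 5.
enable secret 0 Sup3r-Secret-15
enable secret level 5 0 Op3rator-Only
!
! A local user who lands directly at level 5 when logging in via "login local".
username ops privilege 5 secret 0 Ops-Passw0rd
!
! Move two level-15 commands down to level 5. Every other level-15 command,
! including "configure terminal", stays unavailable to this user.
privilege exec level 5 clear counters
privilege exec level 5 clear line
!
line vty 0 4
 login local
!
! Checks from an "ops" session:
!   show privilege            -> Current privilege level is 5
!   clear counters            -> permitted
!   configure terminal        -> not recognized at this level
!   enable 15                 -> prompts for the level-15 secret
```

Granting a multi-word command at a lower level also exposes its parent keyword there, so review show privilege and the parser's behaviour for each command you move rather than assuming only the exact line you typed became available.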

Authorization Technologies IOS Authentication 8021X

IEEE 802.1X is a standard that defines enhanced security for IP networks. IEEE 802.1X specifically defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1X works by authenticating every client on the network, that is, every device connected to a switch port. After successful authentication, the individual switch port is assigned a VLAN. Until the client is authenticated,...
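An added example (not from the book) of enabling 802.1X on a Catalyst switch running IOS, using the dot1x command syntax of that era. The RADIUS server address and key, the VLAN number, and the port numbers are assumptions.

```cisco
! Added example, not from the book. Assumes RADIUS at 131.108.1.10, VLAN 2
! for authenticated hosts, Fa0/1 as a user port, Fa0/24 as the uplink.
!
aaa new-model
aaa authentication dot1x default group radius
! Needed only if the RADIUS server returns a VLAN (Tunnel-Private-Group-ID)
! to assign to the port after authentication.
aaa authorization network default group radius
!
radius-server host 131.108.1.10 auth-port 1812 acct-port 1813 key R4d1us-Sh4red-Key
!
! Global 802.1X switch; without it, "dot1x port-control auto" has no effect.
dot1x system-auth-control
!
! User-facing port: only EAPOL passes until the supplicant authenticates.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 dot1x port-control auto
!
! Uplink: leave at the default (force-authorized). 802.1X is for edge ports;
! it is not supported on trunks.
interface FastEthernet0/24
 switchport mode trunk
!
! Verification:
!   show dot1x interface FastEthernet0/1   -> PortStatus AUTHORIZED after EAP success
!   show dot1x all
```

Devices without a supplicant (printers, phones) never authenticate on such a port, so plan their ports separately before enabling port-control auto across a closet.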

Basic Frame Relay Setup 5 Points

Configure the network in Figure 8-2 for basic physical Frame Relay connectivity. The following are the parameters: You must use static Frame Relay maps for IP and disable Frame Relay inverse ARP. (Hint: Use no frame-relay inverse-arp on all Frame Relay-enabled interfaces.) For the connection between R1 and R4, you are not permitted to use the keyword broadcast when mapping IP across the R1-R4 Frame Relay link. No dynamic mapping is permitted. No Frame Relay subinterfaces are permitted on any router. Assume...

Basic Security on Cisco Routers

You can access a Cisco router in a number of ways. You can physically access a router through the console port, or you can access a router remotely through a modem via the auxiliary port. You can also access a router through a network or virtual terminal ports (vty lines), which allow remote Telnet access. If you do not have physical access to a router either through a console port or through an auxiliary port via dialup you can access a router through the software interface, called the virtual...

BGP Routing Configuration 6 Points

After finishing this section, make sure that all configured interfaces and subnets are consistently visible on all pertinent routers, even in the event of a network failure of any one router. Configure IBGP on all routers in your network. Do not use any WAN IP interfaces for IBGP sessions, because your network is prone to failures across the Frame Relay cloud. Configure R4 as the route reflector and ensure that remote routers peer to R4 only. Minimize IBGP configurations as much as possible. The...

Border Gateway Protocol

BGP is an exterior routing protocol used widely on the Internet. It is commonly referred to as BGP4 (version 4). BGP4, defined in RFC 1771, allows you to create an IP network free of routing loops between different autonomous systems. (As defined in Table 11-1, an autonomous system is a set of routers under the same administrative control.) BGP is called a path vector protocol because it carries a sequence of autonomous system numbers that indicates the path taken to a remote network. This...

Catalyst Ethernet Switch Setup I 5 Points

Configure the Ethernet switch for five VLANs: VLAN 2, named VLAN_A, is connected to R1 and the PIX inside interface. VLAN 3, named VLAN_B, is connected to R4 and R5 Eth0/0. VLAN 4, named VLAN_C, is connected to R5 FastEth0/1 (switch port Fast0/6). VLAN 5, named VLAN_D, is connected to R2 and R3. VLAN 6, named VLAN_E, is connected to the PIX outside interface and to the ISP-managed router. Ensure that the IDS is also in the correct VLANs for the sniffing and control interfaces. Using VLAN_D (VLAN 5), configure...

CCIE Security Self Study Lab Part II Goals

Part II builds on the working IP network and requires security features such as IPSec and PIX. RIP routing is also required. You will also notice the addition of an IDS sensor. Expect to be tested on IDS sensors and the VPN Concentrator in the lab exam. You are likely to be asked to configure both devices. Part II of this lab does not include the VPN Concentrator, however. Review the additional advanced topics questions for possible exam scenarios for the VPN Concentrator. You should take no...

Cisco Hardware

Cisco routers consist of many hardware components. The main components of a Cisco router include read-only memory (ROM) and nonvolatile RAM (NVRAM); Figure 3-1 (Components of a Cisco Router) illustrates the hardware components on Cisco routers. Each hardware component is vital for Cisco routers to operate properly. To help you prepare for the CCIE Security written exam, the next few sections present the main...

Cisco Inline IDS Intrusion Prevention System

Cisco recently released a new security concept, Intrusion Prevention System (IPS), along with the new router platforms, namely the 1800, 2800, and 3800 series. IPS is designed to leverage Cisco PIX software and Cisco IDS sensor technologies, combined with IOS software features. Cisco IOS IPS is an inline, deep-packet-inspection-based solution that enables Cisco IOS software to mitigate network attacks. Cisco inline IDS (or IPS) allows traffic to be dropped, can send an alarm,...

Cisco Intrusion Detection System 5 Points

The Cisco intrusion detection system is connected to the inside interface of the PIX and to the segment connecting R4 and R5. The IDS in Figure 8-1 is configured for IP. Figure 8-8 displays all the details you need to complete this section. The following list outlines key details needed to answer the lab exam questions: The IP address of the control interface is 144.254.5.3/27. The sniffing interface is connected to the PIX and R1 LAN. Ensure that only the subnet 144.254.6.0/29 can manage the IDS device....

Cisco PIX Firewall

The Cisco Private Internet Exchange (PIX) Firewall and Cisco IOS Firewall feature set are designed to further enhance a network's security. The PIX Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN configuration (IPSec), FTP, logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple outside or...

Cisco Secure IDS

Cisco Secure IDS is an enterprise intrusion detection system designed to detect, report, and, in the event of unauthorized access, terminate data sessions between users and host devices. Users are not aware that Cisco Secure IDS is watching data across the network; it is transparent to all systems. Cisco Secure IDS has three components: Cisco Secure IDS Sensor: High-speed device that analyzes the contents of data being transported across a network and determines whether that traffic is authorized...

Cisco Secure VPN Client

The Cisco Secure VPN Client is a low-cost application available to the Internet community. You may need to purchase a license at a minimal cost. The VPN Client is free when you buy a VPN gateway and support contract, and is included with all models of Cisco VPN 3000 Series Concentrators and most Cisco PIX 500 Security Appliances. Customers with Cisco SMARTnet support contracts and encryption entitlement may download the Cisco Secure VPN Client from the Cisco Software Center at no additional...

Cisco Security Agent and Host Based IDS

CSA provides threat protection for servers and PCs. CSA identifies and prevents malicious behavior, thereby mitigating known and unknown security risks. Typically, antivirus software alone does not detect the latest worms or code violations. CSA fills this gap by triggering an alert to the system or the management server any time an application or packet tries to use the kernel of a Windows-based system, and CSA also blocks the attack. CSA can be installed as a standalone client or in...

Cisco Security Applications

This chapter reviews a number of Cisco-defined CCIE Security written exam blueprint objectives covering security applications and the Cisco Secure product suites. This chapter covers the following topics Cisco Secure for Windows (NT) and Cisco Secure ACS Introduces Cisco Secure, the Cisco security application that is available on Windows platforms, and Cisco Secure Access Control Server (ACS), which provides additional network security when managing IP networks designed with Cisco devices. IDS...

CiscoWorks VMS

CiscoWorks VPN/Security Management Solution (VMS) is core management software that provides a centralized means of defining and distributing security policies, providing patches and software updates, and ensuring communication with all agents. A Cisco Security Agent is an endpoint software agent that resides on servers or desktops/laptops and autonomously enforces local policies that prevent attacks. CiscoWorks VMS is an integral part of the SAFE Blueprint. The following are some of...

Communications Server 0 Points

Configure the communication server (R1) so that when you type the host name of a router on the communications server, you are connected across the console port to that router. Disable the break command on R1 so that R1 will not permit an intruder to issue a break command and perform password recovery. (Hint: Change the configuration register to 0x2002.) Verify the result after the reload with show version: Cisco documents bit 8 (0x0100) of the configuration register as the break-disable bit, and the Break key is honored during the first 60 seconds after power-on regardless of the register setting, so physical console security is what ultimately prevents password recovery. Set up the routers as shown in Figure 8-1. Configure R1 as the communication server using the ip host command. Communication server ports 2 to 5...

Communications Server 025 Hour

NOTE Not all CCIE R&S labs require you to configure a communication server. Configure the communication server so that when you type the host name of a router on the server, you are connected across the console port to that router. Set up the routers with the physical attributes shown in Figure C-1. Configure R1 as the communication server with the ip host command. Communication server ports 2 to 8 are connected to Routers R2 to R8,...
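The communications server setup called for in both labs (the Chapter 8 lab with ports 2 to 5 and this appendix's lab with ports 2 to 8), as an added example rather than the book's solution. It assumes R1 is a 2511-style access server with async lines 1 through 16, a Loopback0 address of 131.108.255.1 as the reverse-Telnet target, and each router's console cabled to the line matching its number (R2 on line 2, and so on); the 0x2002 register value is the one the Chapter 8 lab hint specifies.

```cisco
! Added example, not the book's solution. Assumptions: R1 Loopback0 =
! 131.108.255.1; R2..R8 consoles on async lines 2..8 (the Chapter 8 lab uses 2..5).
!
interface Loopback0
 ip address 131.108.255.1 255.255.255.255
!
! Reverse Telnet: TCP port 2000 + line number reaches that line's console,
! so typing the name at the R1 prompt connects to that router.
ip host R2 2002 131.108.255.1
ip host R3 2003 131.108.255.1
ip host R4 2004 131.108.255.1
ip host R5 2005 131.108.255.1
ip host R6 2006 131.108.255.1
ip host R7 2007 131.108.255.1
ip host R8 2008 131.108.255.1
!
! Async lines: no local EXEC (so no stray prompt appears on the attached
! console) and accept the reverse-Telnet connections.
line 1 16
 no exec
 transport input all
!
! Register value from the lab hint. Reload, then check with "show version":
! Cisco documents bit 8 (0x0100) as the break-disable bit, so confirm the
! Break behaviour you actually get rather than trusting the number.
config-register 0x2002
!
! Verification:
!   R2                 -> opens the console of R2
!   show line          -> which async lines are in use
!   clear line 2       -> free a stuck line before reconnecting
```

Anyone who can Telnet to R1 can reach every console behind it, so the vty access restrictions from the IP access list task apply to the communications server first of all.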

Conclusion

You should be able to complete the sample CCIE Routing and Switching lab in this appendix within 8 hours (this is the same allotted time for the real CCIE lab at Cisco). The difficulty level presented here is similar to what you can expect in any CCIE lab examination in fact, the difficulty level here might be higher. Focus your attention on time management and the ability to configure a set number of Cisco IOS features very quickly. If you complete this lab successfully, try it again by...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact U.S. Corporate and Government Sales at 1-800-382-3419 or corpsales@pearsontechgroup.com. For sales outside the U.S. please contact International Sales at international@pearsoned.com. Publisher: John Wait. Editor-in-Chief: John Kane. Executive Editor: Brett Bartow. Cisco Representative: Anthony Wolfenden. Cisco Press Program Manager: Jeff Brady. Production Manager...

Denial of service attacks

What is the function of the signature-based IDS? Answer: The signature-based IDS monitors the network traffic or observes the system and sends alarms if a known malicious event is happening. It does this by comparing the data flow against a database of known attack patterns. These signatures explicitly define what traffic or activity should be considered malicious. An excellent white paper on signature-based IDS can be found at _paper09186a0080092334.shtml.

DES and 3DES

DES is one of the most widely used encryption methods. DES turns clear-text data into cipher text with an encryption algorithm, and the receiving station decrypts the cipher text back into clear text using the same key. The shared secret key is used to derive the session key, which is then used to encrypt and decrypt the traffic. Note that DES uses a 56-bit key, which is short enough to be recovered by brute-force search with modern hardware; 3DES applies DES three times to extend the effective key length. Figure 4-5 (DES Encryption Methodologies) demonstrates DES encryption. Data is encrypted using mathematical formulae to scramble the data with the shared private key. Data is...

DHCP Starvation Attacks

As the name implies, a DHCP starvation attack is one in which a DHCP server is sent so many DHCP requests that eventually there are no more IP addresses available to allocate to legitimate devices, rendering the network unusable. A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses, and, as you have seen, many tools available on the Internet can send out these sorts of frames. The end result may involve the attacker installing their own DHCP server and...

Do I Know This Already Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all of these questions, you might want to skim the Foundation Topics section and return to it later, as necessary. Review the Foundation Summary section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions...

Dynamic Access List Lock and Key Feature 5 Points

Make sure that during normal operation it is not possible to ping from R2 (Ethernet0/0) to R3 (FastEthernet0/0). After a Telnet login from R2 to R3, pings are allowed, but make sure that after 5 minutes of inactivity normal operation is restored. Routing should still be in place in both circumstances.

Dynamic Access List Lock and Key Feature Solution

This is an example where dynamic access lists are used to allow access only after a valid username/password has been entered. Access is denied...
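A lock-and-key configuration for R3 that satisfies the task, as an added example rather than the book's solution. It assumes R3's FastEthernet0/0 address is 131.108.3.1 (from the lab's Class B range), that a local user database is acceptable, and placeholder credentials.

```cisco
! Added example, not the book's solution. Assumes R3 Fa0/0 = 131.108.3.1.
!
username lockkey secret 0 L0ck-and-K3y
!
! Order matters. The dynamic line is a placeholder: when a user runs
! access-enable, a temporary permit for that user's source address is
! inserted at this position. "host" narrows the source to that host only;
! "timeout 5" is the idle timeout in minutes, after which the entry is removed.
access-list 101 dynamic ALLOW-PING permit icmp any any
! Telnet to R3 itself must get through, or nobody can ever authenticate.
access-list 101 permit tcp any host 131.108.3.1 eq telnet
! Normal operation: no ICMP at all; everything else (including routing
! protocol traffic) is untouched.
access-list 101 deny   icmp any any
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip access-group 101 in
!
! The autocommand runs access-enable and then closes the Telnet session,
! so the login's only effect is to open the dynamic entry.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! From R2:  ping 131.108.3.1               -> fails
!           telnet 131.108.3.1 (log in)    -> session closes immediately
!           ping 131.108.3.1               -> succeeds, for 5 idle minutes
! On R3:    show access-lists 101          -> Dynamic ALLOW-PING shows the host entry
```

Because every vty carries the autocommand, an administrator who needs a shell on R3 must come in another way (console, or a vty reserved through a rotary group). The dynamic entry keys only on the source address, so any host able to use or spoof that address inherits the access for the life of the entry.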

Dynamic Host Configuration Protocol

DHCP is defined in RFC 1531 (the latest is RFC 2131) and provides a comprehensive method of allocating IP addresses, subnet mask, gateway address, DNS server, WINS servers, and many more parameters to IP devices. DHCP clients send messages to the server on UDP port 67, and servers send messages to the client on UDP port 68. Cisco routers can also be configured as DHCP servers. Example 1-3 configures a Cisco IOS router to allocate the entire range 131.108.1.0/24, with a gateway address of 131.108.1.1, subnet mask...
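The router DHCP server the text refers to, as an added example rather than Example 1-3 from the book, together with the access-switch settings that blunt the DHCP starvation attack described in the earlier section. The DNS server address, lease time, VLAN, and switch port numbers are assumptions.

```cisco
! Added example, not Example 1-3. Router side: serve 131.108.1.0/24 with
! gateway 131.108.1.1. The DNS address and the lease are assumptions.
! Keep the gateway's own address out of the pool.
ip dhcp excluded-address 131.108.1.1
ip dhcp pool LAN1
 network 131.108.1.0 255.255.255.0
 default-router 131.108.1.1
 dns-server 131.108.1.5
 lease 0 8
!
! Access-switch side (a separate Catalyst). A starvation tool sends each
! DISCOVER from a fresh MAC, so cap MACs per port and rate-limit DHCP.
ip dhcp snooping
ip dhcp snooping vlan 2
! Drop DHCP whose client hardware address (chaddr) differs from the frame's
! source MAC: tools that rotate only chaddr would otherwise slip past
! port security, which sees one unchanging source MAC.
ip dhcp snooping verify mac-address
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
!
! Only the uplink toward the real server may carry DHCPOFFER/ACK; offers
! from a rogue server on an untrusted port are dropped.
interface FastEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
!
! Checks:  show ip dhcp binding (router)
!          show ip dhcp snooping binding, show port-security interface FastEthernet0/1 (switch)
```

The "violation restrict" mode drops the offending frames and counts them without shutting the port, which is the right default for a lab; in production, "violation shutdown" with err-disable recovery gives a clearer signal.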

Exam Topics in This Chapter

Switching and Bridging (including VLANs, Spanning Tree, and more) Routing Protocols (including RIP, EIGRP, OSPF, and BGP) Integrated Services Digital Network (ISDN) Access Devices (for example, Cisco AS5300 series) You can find in this book's introduction a list of all of the exam topics. For the latest updates on exam topics, visit Cisco.com.

Example of Peer-to-Peer Communication

Each layer of the OSI or TCP/IP model has its own functions and interacts with the layer above it and the layer below it. Furthermore, the communication between end devices also establishes peer-to-peer communication; this means that each layer of the OSI model communicates with the corresponding peer layer on the remote device. For example, Layer 3 of Host A in Figure 1-3 communicates with the corresponding Layer 3 (IP) of Host B. Consider the normal communication that occurs between two IP hosts over a WAN...

Extended Access Lists

Extended access lists range from 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with Cisco IOS Release 11.2 or later. As mentioned earlier in this chapter, extended access lists can filter on both source and destination addresses, as well as on protocol type and port number. Following are some examples of extended access lists that allow you to filter several different types of traffic. For Internet Control Message Protocol (ICMP) traffic, use...
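An added example (not from the book) of a single extended access list that combines the ICMP, TCP, and UDP filtering the section goes on to describe, applied inbound on a border router's serial interface. The inside range 131.108.0.0/16, the mail server and resolver addresses, and the interface name are assumptions.

```cisco
! Added example, not from the book. Assumptions: inside = 131.108.0.0/16,
! mail server 131.108.1.25, DNS resolver 131.108.1.5, outside = Serial0/0.
!
access-list 101 remark Anti-spoofing: outside packets must not claim inside sources
access-list 101 deny   ip 131.108.0.0 0.0.255.255 any log
!
access-list 101 remark ICMP: allow replies and the error types path MTU discovery needs
access-list 101 permit icmp any 131.108.0.0 0.0.255.255 echo-reply
access-list 101 permit icmp any 131.108.0.0 0.0.255.255 packet-too-big
access-list 101 permit icmp any 131.108.0.0 0.0.255.255 time-exceeded
access-list 101 deny   icmp any any log
!
access-list 101 remark TCP: inbound SMTP to the mail server; otherwise only return traffic
access-list 101 permit tcp any host 131.108.1.25 eq smtp
access-list 101 permit tcp any 131.108.0.0 0.0.255.255 established
!
access-list 101 remark UDP: DNS answers to our resolver only
access-list 101 permit udp any eq domain host 131.108.1.5
!
access-list 101 remark Everything else is dropped and logged (the implicit deny made explicit)
access-list 101 deny   ip any any log
!
interface Serial0/0
 ip access-group 101 in
```

The established keyword matches only on the ACK or RST flag, so it is stateless and a crafted packet with ACK set passes it; use CBAC or reflexive access lists where real connection tracking is needed. Packets that hit a log entry are punted to the CPU, so keep log on the deny lines rather than on high-volume permits.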

Extensible Authentication Protocol Protected EAP and Temporal Key Integrity Protocol

Extensible Authentication Protocol (EAP) enables the dynamic selection of the authentication mechanism at authentication time based on information transmitted in the Access-Request (that is, via RADIUS). PPP also supports EAP during the link establishment phase. EAP allows the authenticator to request more information before determining the specific authentication mechanism. A proposal jointly submitted to the IEEE by Cisco Systems, Microsoft, and various other organizations introduced...

Fast EtherChannel

Fast EtherChannel (FEC) is a Cisco method that bundles 100-Mbps Fast Ethernet ports into a single logical link. Without it, any redundant path between two switches results in some ports being placed in a blocking state, thus reducing available bandwidth. Figure 1-4 displays a switched network with two 100-Mbps connections between two switches. Because of STP, one of the ports (on Switch A, in this case) will be in a blocking state after the election of a root bridge. Switch B will block one of the paths to ensure...

Frame Relay Setup 0.5 Hour

Configure IP across your Frame Relay network, as displayed in Figure C-2. You have to use static maps for each protocol. No dynamic mapping is permitted. No subinterfaces are allowed on any router. Use the most efficient subnetwork for IP addresses on the Frame Relay cloud. You can assign a subnet from your Class B range. Use LMI-type Cisco only and do not rely on auto-sensing the LMI type on any routers. All router interface types are DTE. The Frame Relay port type is DCE. Do not use the...

General Lab Guidelines and Setup

Follow these general guidelines during this lab Static and default routes are not permitted unless directly stated in a task. This includes floating static routes. Use the DLCIs provided in the Frame Relay diagram (presented shortly). All routers and switches should be able to ping any interface using the optimal routing path. Do not configure any authentication or authorization on any console or aux ports unless specified. Routes to Null0 generated by any routing protocol are permitted. Full...

Goals of This Book

The primary goal of this book is to ensure that a CCIE Security candidate has all the technical skills and knowledge required to pass the written exam. Most Cisco certifications require practical skills, and the only way to hone those skills is in a working environment using common Cisco-defined techniques. This book provides you with comprehensive coverage of CCIE Security exam topics. Ultimately, the goal of this book is to get you from where you are today to the point that you can...

Hypertext Transfer Protocol

HTTP, used by web browsers and web servers, transfers files such as text and graphic files. HTTP can also authenticate users with username and password verification between clients and web servers. Cisco IOS routers can be configured from a browser client. By default, the HTTP server is disabled on Cisco routers (it is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005 model routers), and there have been issues with users entering certain hash pairs to gain...

Internet Control Message Protocol

ICMP is a network layer (Layer 3) Internet protocol that reports errors and provides other information relevant to IP packet processing. ICMP is fully documented in RFC 792. ICMP's purpose is to report error and control messages. ICMP provides a number of useful services supported by the TCP IP protocol, including ping requests and replies. ICMP Echo requests and replies enable an administrator to test connectivity with a remote device. Be aware that ICMP runs over IP, which means that there is...

Internet Newsgroups

Another important body for both network administrators and intruders themselves is Internet newsgroups. Newsgroups are mailing list-type forums where individuals share ideas and past incidents to keep current with the latest security concerns and protection policies. As a network administrator, you must be aware of both the standards and the topics that intruders are discussing. The following mailing lists and newsgroups are CERT/CC recommended: Bugtraq: A full-disclosure computer security mailing list....

Internet Protocol

Internet Protocol (IP) is a widely used networking term that describes a network layer protocol that logically defines a distinct host or end system, such as a PC or router, with an IP address. An IP address is configured on end systems to allow communication between hosts over wide geographic locations. An IP address is 32 bits in length, with the network mask or subnet mask (also 32 bits in length) defining the host and subnet portion. Figure 1-6 displays the IP packet header frame format in...

Intrusion Detection System

Intrusion detection systems (IDSs) are designed to detect and thwart network attacks. Based on their location, IDSs can be either of the following: Network-based IDS (NIDS): Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature. Host-based IDS (HIDS): Examines operating system information, such as logs or system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are...

IP Multicast

This section briefly covers the IP multicast areas of interest for the CCIE written test. The multicasting protocol was designed to reduce the high bandwidth requirements of technologies, such as video on demand, to a single stream of information to more than one device. Applications include electronic learning, company share meetings (video on demand), and software distribution. Multicasting transmits IP packets from a single source to multiple destinations. The network device transmitting the...

Open Shortest Path First

OSPF is a link-state routing protocol. Link-state protocols use Dijkstra's shortest path first (SPF) algorithm to populate the routing table. OSPF shares link-state information with every router in the area. OSPF is a classless protocol and supports VLSM. When configuring any OSPF router, you must specify the area to which each interface is assigned. OSPF has some basic rules when it comes to area assignment. OSPF must be configured with areas. The backbone area 0, or 0.0.0.0, must be...

Physical Connectivity 0 Points

NOTE From October 1, 2001 onward, a CCIE candidate is not required to physically cable up the lab network. Therefore, no time allocation is given to this section, which is added for completeness only. The Security lab examination also will have some elementary tasks such as Frame Relay and basic IP routing preconfigured to allow the candidate more time to configure more advanced features in Cisco IOS software. This is a great time saver for the candidate. Your network is already physically...

Protecting Cisco IOS from Intrusion

Now that you have a snapshot of modern security concerns, look at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks. There are, of course, various Cisco IOS vulnerabilities that can only be protected against by new software releases and regular Cisco IOS bulletins and e-mail blasts from Cisco Systems to ensure...

Q & A

The Q & A questions are designed to help you assess your readiness for the topics covered on the CCIE Security written exam and those topics presented in this chapter. This format should help you assess your retention of the material. A strong understanding of the answers to these questions will help you on the CCIE Security written exam. You can also look over the questions at the beginning of the chapter again for further review. As an additional study aid, use the CD-ROM provided with...

QoS Configuration 4 Points

Configure R1 for the following Frame Relay parameters: Your provider will mark any traffic in excess of 128 kbps as discard eligible. Your measurement interval is 62.5 ms. Security and NetBIOS Filtering (26 Points): Users on VLAN 2 are using the network to download large FTP files and are also using Kazaa for unauthorized data transfer. Configure the Ethernet interfaces on R1 and R2 so that the following conditions are met: All FTP data traffic is allocated 10...

Remote Data Exchange Protocol

The Cisco Intrusion Detection System (IDS) provides an in-depth, self-healing mechanism that gives network administrators a defense against attacks from inside and outside the network. Cisco defines a self-healing network as one that is intelligent enough to stop unwanted traffic and correct security vulnerabilities before they are exploited. Beginning with Cisco IDS 4.0, the network IDS sensors use the Remote Data Exchange Protocol (RDEP) for communication. With RDEP, the network...

Routing Protocols

This section covers four main routing protocols: Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP). Before discussing the characteristics of each protocol, this section covers how routers (Cisco routers, in particular) generally route IP packets. Routing is the process by which a path to a destination host is selected by either a dynamic or a static routing protocol. A routing protocol is an algorithm that...

Scenario: Cisco Secure IDS Database Event

Figure 5-18 displays a typical network under attack from an intruder trying to destabilize the network host with the IP address 131.108.1.1/24. The security manager has e-mailed you several files. The first is TCPDUMP output. TCPDUMP is a powerful tool that allows you to sniff network packets and perform statistical analysis on those captures. (The written exam has a few questions based on the output from this program.) The manager also e-mailed you log files taken from an IDS...

Scenario: Configuring Cisco Routers for IPSec

Figure 4-21 displays a simple two-router topology where traffic from network 131.108.100.0/24 is encrypted when it is sent to the remote network 131.108.200.0/24. Example 4-19 displays the working configuration of R1, with lines numbered from 1 to 31.
Example 4-19 R1's Full Configuration
7. crypto isakmp key CCIE address 131.108.255.2
8. crypto ipsec transform-set anyname esp-des esp-sha-hmac
10. crypto map anyname1 1 ipsec-isakmp
12. set security-association lifetime seconds 180
16. ip address...

Scenario: Configuring Cisco Routers for Passwords and Access Lists

Figure 3-10 displays a simple one-router network with two Ethernet LAN interfaces connecting users on subnet 131.108.1.0/24 to the server network, 131.108.2.0/24. Figure 3-10 Scenario Physical Topology. Example 3-46 displays the working configuration file on Router R1, numbered from line 1 to 25.
Example 3-46 R1's Full Configuration
2. no service password-encryption
4. no logging console debugging
5. enable secret 5 $1$TBUV$od27CrEfa4UVICBtwvqol
8. ip address 131.108.1.1 255.255.255.0
10. ip...

Scenario: Defining Cisco IOS Commands to View DoS Attacks in Real Time

Figure 7-3 displays a typical two-router topology with an external connection to the Internet via R1. Figure 7-3 Two-Router Network Attacked by External Intruder (ICMP, TCP, or UDP attack; the administrator is not sure which). In this scenario, a Cisco IOS router is subjected to ICMP, TCP, or UDP IP packets. The network administrator is not sure which type, but notices that the log file buffered on Router R2 has just increased from 1 MB to 2.5 MB in less than 5...
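The tcpdump output in the Cisco Secure IDS Database Event scenario and the swelling log buffer in this scenario come down to the same question: which source, using which protocol, is hammering the target? The Python below is an added example, not code from the book. It parses a few constructed tcpdump lines and a few constructed Cisco IOS access-list log entries (the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP messages a router emits when an ACL entry carries the log keyword) into one per-source, per-protocol count and ranks sources against the target host. The sample lines, the thresholds, and the use of 131.108.1.1 as the target are assumptions for the example.

```python
"""Rank sources hitting a target host from tcpdump or Cisco IOS ACL log lines.

Added example (not from the book). The capture and log entries below are
constructed for illustration; the target 131.108.1.1 is taken from the scenario.
"""
import re
from collections import Counter

# Constructed tcpdump -n output: four TCP SYNs and an ICMP echo from one source,
# plus one legitimate DNS query from an inside host.
TCPDUMP_LINES = """\
10:01:01.000001 IP 192.168.9.7.40000 > 131.108.1.1.80: Flags [S], seq 1, win 512, length 0
10:01:01.000402 IP 192.168.9.7.40001 > 131.108.1.1.80: Flags [S], seq 2, win 512, length 0
10:01:01.000803 IP 192.168.9.7.40002 > 131.108.1.1.80: Flags [S], seq 3, win 512, length 0
10:01:01.001204 IP 192.168.9.7 > 131.108.1.1: ICMP echo request, id 1, seq 1, length 64
10:01:01.001605 IP 131.108.1.50.1025 > 131.108.1.1.53: 1+ A? example.com. (29)
10:01:01.002006 IP 192.168.9.7.40003 > 131.108.1.1.80: Flags [S], seq 4, win 512, length 0
"""

# Constructed IOS syslog entries from an extended ACL with the "log" keyword; IOS
# batches matches, so a single line can account for many packets.
IOS_LOG_LINES = """\
*Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.9.7(40000) -> 131.108.1.1(80), 1 packet
*Mar  1 00:12:06.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.9.7(40001) -> 131.108.1.1(80), 1238 packets
*Mar  1 00:12:07.789: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.9.7 -> 131.108.1.1 (8/0), 3 packets
*Mar  1 00:12:08.001: %SEC-6-IPACCESSLOGP: list 101 permitted udp 131.108.1.50(1025) -> 131.108.1.1(53), 1 packet
"""

TCPDUMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list \S+ (?:permitted|denied) (\w+) "
    r"([\d.]+)(?:\(\d+\))? -> ([\d.]+)(?:\(\d+\))?(?: \(\d+/\d+\))?, (\d+) packets?"
)


def _strip_port(addr: str) -> str:
    """tcpdump writes a.b.c.d.port; keep only the four address octets."""
    return ".".join(addr.split(".")[:4])


def parse_tcpdump_line(line: str):
    """Return (proto, src, dst, packets) for one tcpdump line, or None."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif "Flags [" in rest:          # tcpdump prints TCP flags for every TCP segment
        proto = "tcp"
    else:
        proto = "udp"                # the remaining IP traffic in this sample is UDP (DNS)
    return proto, _strip_port(src), _strip_port(dst), 1


def parse_ios_log_line(line: str):
    """Return (proto, src, dst, packets) for one IOS ACL log entry, or None."""
    m = IOS_RE.search(line)
    if not m:
        return None
    proto, src, dst, count = m.groups()
    return proto, src, dst, int(count)


def summarize(lines):
    """Total packets per (proto, src, dst) across both line formats."""
    totals = Counter()
    for line in lines:
        rec = parse_tcpdump_line(line) or parse_ios_log_line(line)
        if rec:
            proto, src, dst, n = rec
            totals[(proto, src, dst)] += n
    return totals


def suspects(totals, target: str, threshold: int):
    """Sources that sent at least `threshold` packets to `target`, busiest first."""
    hits = [(src, proto, n) for (proto, src, dst), n in totals.items()
            if dst == target and n >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for name, text in (("tcpdump", TCPDUMP_LINES), ("IOS log", IOS_LOG_LINES)):
        print(name, suspects(summarize(text.splitlines()), "131.108.1.1", 3))
```

The protocol guess for tcpdump lines is deliberately simple (ICMP prefix, TCP flags, otherwise UDP); on a real capture, run tcpdump with -n so hostnames and service names do not defeat the address parsing, and feed the IOS lines from show logging so the ACL packet counts, not the number of log lines, drive the ranking.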

Scenario: Routing IP on Cisco Routers

Figure 1-21 displays a network with one Cisco router and two directly attached Ethernet interfaces. Use Figure 1-21 to answer the following questions. E0: IP address 1.1.1.100, MAC address 3333.3333.3333. E1: IP address 2.1.1.100, MAC address 4444.4444.4444. 1. In Figure 1-21, PC1 cannot communicate with PC2. What is the likely cause of the problem, assuming that the router is configured correctly? a....

Secure Sockets Layer

SSL is an encryption protocol used by web hosts to process secure transactions. For example, a secure transaction is required when a client enters a credit card number for e-commerce via a browser. When the end user enters a web address in an Internet browser, such as Internet Explorer, instead of entering an HTTP web address in the address window, the end user enters an HTTPS web address. NOTE HTTPS should not be confused with Secure Hypertext Transfer Protocol (S-HTTP), a separate and rarely deployed scheme (RFC 2660); HTTPS transports HTTP-based traffic over an SSL...

Security Policy Best Practices: A Cisco View

Cisco released a number of excellent SAFE blueprints containing security design guidelines. The material at http://www.cisco.com/safe is a must read for any IP engineer or designer. Too many organizations have not followed the fundamental step of developing a security policy upon which to base all security strategies. Any network without a security policy is liable to be compromised, because when an event does occur, there are no processes in place to mitigate the event efficiently and...

Security Protocols

This chapter covers some of today's most widely used technologies that enable network administrators to ensure that sensitive data is secure from unauthorized access. Standards such as IP Security (IPSec) and encryption standards are covered, as are all the fundamental topics you need to understand to master the material covered in the CCIE Security written exam. The chapter ends with a discussion of some of the security features used in wireless networking to improve security....

Security Technologies

This chapter covers some of today's most widely used technologies that enable network administrators to ensure that sensitive data is secured from unauthorized access. Cisco security products are also covered, as are all the fundamental topics you need to understand to master the CCIE Security written exam. This chapter covers the following topics: Advanced Security Concepts (describes advanced security policies in demilitarized zones, or DMZs); Packet Filtering, Proxies, NAT,...

Spanning Tree Protocol Manipulation

Another common attack against switches is to manipulate the STP configuration by sending valid bridge protocol data units (BPDUs) and changing the topology of the network so as to create a spanning-tree loop. A Layer 2 loop in any network will bring down the entire broadcast domain and render all services unusable. Sometimes, in fact, spanning-tree loops occur naturally, so do not always assume that a Layer 2 loop is the result of an attacker's involvement without first properly investigating....
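The BPDUs an attacker injects are, by design, well formed; what distinguishes them is the topology they claim, most often a root bridge that is better than the real one. The Python below is an added example, not code from the book: it builds and parses 802.1D configuration BPDUs and flags any BPDU whose advertised root bridge ID is lower (that is, superior) than the root you expect, which is the decision Cisco's root guard feature makes on a port that should never see the root. The bridge IDs, path costs, and expected root are assumptions for the example.

```python
"""Parse 802.1D configuration BPDUs and flag ones that claim a superior root bridge.

Added example (not from the book). Bridge IDs, costs and the expected root are
made up; the comparison rule (lower priority, then lower MAC, wins) is 802.1D's.
"""
import struct

# Fields after the LLC header: protocol ID, version, BPDU type, flags, root ID,
# root path cost, bridge ID, port ID, message age, max age, hello time, forward delay.
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")   # 35 bytes


def bridge_id(priority: int, mac_text: str) -> bytes:
    """8-byte bridge identifier: 2-byte priority followed by the 6-byte bridge MAC."""
    return struct.pack("!H", priority) + bytes.fromhex(mac_text.replace(":", ""))


def build_config_bpdu(root: bytes, cost: int, bridge: bytes, port_id: int,
                      flags: int = 0, age: int = 0, max_age: int = 20,
                      hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Timers are carried in 1/256-second units on the wire."""
    return CONFIG_BPDU.pack(0, 0, 0, flags, root, cost, bridge, port_id,
                            age * 256, max_age * 256, hello * 256, fwd_delay * 256)


def parse_config_bpdu(data: bytes) -> dict:
    (proto, _version, bpdu_type, _flags, root, cost, bridge, port_id,
     _age, max_age, hello, fwd) = CONFIG_BPDU.unpack(data[:CONFIG_BPDU.size])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root": root, "cost": cost, "bridge": bridge, "port_id": port_id,
            "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd / 256}


def is_superior(claimed_root: bytes, expected_root: bytes) -> bool:
    """Bridge IDs compare as big-endian unsigned integers; bytes compare the same way."""
    return claimed_root < expected_root


def root_guard(data: bytes, expected_root: bytes) -> str:
    """'block' when the BPDU would make another bridge the root, otherwise 'accept'."""
    return "block" if is_superior(parse_config_bpdu(data)["root"], expected_root) else "accept"


if __name__ == "__main__":
    legit_root = bridge_id(4096, "00:00:0c:aa:aa:aa")
    normal = build_config_bpdu(legit_root, 19, bridge_id(32768, "00:00:0c:bb:bb:bb"), 0x8001)
    rogue_id = bridge_id(0, "00:11:22:33:44:55")
    rogue = build_config_bpdu(rogue_id, 0, rogue_id, 0x8001)   # attacker claims priority 0
    print("normal:", root_guard(normal, legit_root), " rogue:", root_guard(rogue, legit_root))
```

On a Cisco switch the same decision is made by spanning-tree guard root on the port; BPDU guard goes further and simply errdisables an access port that receives any BPDU at all, which is the right setting wherever no switch should be attached.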

Standards Bodies and Incident Response Teams

Numerous standards bodies today help a network administrator design a sound security policy. The two main resources are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators. CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous worm incident (the Morris Worm, a...

Switching and Bridging

This section covers Layer 2 devices that are used to bridge, or switch, frames, using common techniques such as VLANs to improve network utilization. The terms switch and bridge refer to the same technology. Switching, or bridging, is the process of taking an incoming frame from one interface and delivering it through another interface. Source stations are discovered and placed in a switch address table (called a content-addressable memory, or CAM, table in Cisco terms). Routers...

TACACS+ Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:
Step 1 Use the aaa new-model global configuration command to enable AAA, which must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to
Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons:
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
Use the tacacs-server key command to...

TACACS+ Versus RADIUS

Table 4-4 compares the main differences between TACACS+ and RADIUS.
Table 4-4 TACACS+/RADIUS Comparison
RADIUS: Encrypts only the password in the access-request packet from the client to the server.
TACACS+: Encrypts the entire body of the packet but leaves a standard TCP header.
RADIUS: Combines authentication and authorization.
TACACS+: Uses the AAA architecture, separating authentication, authorization, and accounting.
TACACS+: Supports other protocols, such as AppleTalk, NetBIOS, and IPX.
TACACS+: Can pass a privilege level down to the...
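The first row of the table is the one a sniffer cares about, and it is easiest to believe when you build the packets. The Python below is an added example, not code from the book: it implements the RFC 2865 User-Password hiding and the RFC 8907 TACACS+ body obfuscation with only the standard library, builds a RADIUS Access-Request and a TACACS+ authentication START, and shows that the RADIUS User-Name attribute stays readable while the TACACS+ body does not. In both protocols the "encryption" is an MD5-derived pad XORed over the data, not a modern cipher, and the pad depends on the shared secret. The secret, session ID, credentials, and port name are assumptions for the example.

```python
"""Show what a sniffer sees in a RADIUS Access-Request versus a TACACS+ packet.

Added example (not from the book). Implements RFC 2865 section 5.2 (User-Password
hiding) and RFC 8907 section 4.5 (TACACS+ body obfuscation) with the standard
library only; the shared secret, session ID and credentials are made up.
"""
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS: only the User-Password attribute is hidden; everything else is cleartext ---

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks, then XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        plain += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def radius_access_request(secret, ident, authenticator, username, password) -> bytes:
    """Code 1 (Access-Request), Identifier, Length, 16-byte Request Authenticator, attributes."""
    attrs = _attr(1, username) + _attr(2, radius_hide_password(secret, authenticator, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet: bytes) -> dict:
    """Walk the attribute list exactly as a sniffer would."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


# --- TACACS+: the 12-byte header is cleartext, the body is XORed with an MD5 pad ---

TAC_HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                  version: int = 0xC0, ptype: int = 1) -> bytes:
    header = TAC_HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + _xor(body, tacacs_pad(key, session_id, version, seq_no, len(body)))


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: the same pad recovers the body, but only with the right key."""
    version, _ptype, seq_no, _flags, session_id, length = TAC_HEADER.unpack_from(packet)
    return _xor(packet[12:12 + length], tacacs_pad(key, session_id, version, seq_no, length))


def tacacs_authen_start(user: bytes, port: bytes = b"tty0") -> bytes:
    """Authentication START: action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN."""
    return bytes([1, 1, 1, 1, len(user), len(port), 0, 0]) + user + port


if __name__ == "__main__":
    secret, ra = b"CCIE", os.urandom(16)
    req = radius_access_request(secret, 7, ra, b"alice", b"cisco123")
    print("RADIUS User-Name on the wire:", radius_attributes(req)[1])
    tac = tacacs_packet(b"CCIE", 0x1234ABCD, 1, tacacs_authen_start(b"alice"))
    print("TACACS+ header:", TAC_HEADER.unpack_from(tac), "body hidden:", b"alice" not in tac)
```

Two practical consequences follow from the code: a captured RADIUS exchange plus a guessed shared secret gives an offline dictionary attack on the password (the Request Authenticator is in the packet), and a weak TACACS+ key exposes every body in the session, so both protocols should ride over IPSec or a management VLAN rather than be trusted on their own.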

TCP/IP and OSI Model Comparison

TCP/IP is the most widely used networking protocol suite and is often compared to the industry-defined OSI model. Figure 1-2 displays the TCP/IP model in relation to the OSI model and shows where the TCP/IP protocol suite lines up with the ISO standard. This comparison is provided to demonstrate that TCP/IP does not conform exactly to the OSI model. For example, the TCP/IP model has no Layer 5 or 6. Applications such as Telnet, FTP, and ping

Terminal Access Controller Access Control System Plus

Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three authenticate users and deny access to users who do not have a valid username/password pairing. TACACS+ is Cisco proprietary, whereas RADIUS is an open standard originally created by Livingston Enterprises. Cisco has also developed Cisco Secure Access Control Server (ACS), a flexible family of security servers that supports both RADIUS and TACACS+. You can even run debugging commands on the Cisco...

Trivial File Transfer Protocol

TFTP is a protocol that allows data files to be transferred from one device to another over the connectionless transport protocol UDP. TFTP uses UDP port number 69. TFTP is typically used in environments where bandwidth is not a major concern; because UDP provides no reliability, lost packets are retransmitted by TFTP itself at the application layer, one block at a time. TFTP has little security. In fact, the only way to provide security for a TFTP transfer is by defining (on the TFTP server) the directory on the host TFTP device and...
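The lack of security is visible in the packet format itself: a read request carries a filename and a transfer mode and nothing else. The Python below is an added example, not code from the book; it encodes and decodes the five RFC 1350 packet types and implements the one control the text describes, confining every request to the server's configured directory, so that ../ and absolute paths are refused with a TFTP Access Violation error. The root directory /tftpboot, the in-memory file table, and the sample requests are assumptions for the example.

```python
"""Encode and decode TFTP (RFC 1350) packets and confine requests to one directory.

Added example (not from the book). The root directory, file table and requests
are made up; the packet layouts are RFC 1350's.
"""
import posixpath
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
ERR_NOT_FOUND, ERR_ACCESS_VIOLATION = 1, 2


def encode_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL. No credentials of any kind."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload   # block number wraps at 65535


def encode_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def encode_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def decode(packet: bytes) -> dict:
    """Parse any of the five TFTP packet types into a dict."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        filename, mode = packet[2:].split(b"\0")[:2]
        return {"op": opcode, "filename": filename.decode(), "mode": mode.decode().lower()}
    if opcode in (DATA, ACK):
        (block,) = struct.unpack("!H", packet[2:4])
        return {"op": opcode, "block": block, "data": packet[4:]}
    if opcode == ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return {"op": ERROR, "code": code, "message": packet[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def resolve_in_root(root: str, filename: str):
    """Return the path under `root` that `filename` names, or None if it escapes.

    With no authentication available, refusing anything outside the configured
    directory (including ../ and absolute paths) is the server's only defence.
    """
    target = posixpath.normpath(posixpath.join(root, filename))
    if target == root or not target.startswith(root.rstrip("/") + "/"):
        return None
    return target


def serve_request(root: str, packet: bytes, files: dict) -> bytes:
    """Answer one RRQ from an in-memory file table with the first DATA block or an ERROR."""
    req = decode(packet)
    path = resolve_in_root(root, req["filename"]) if req["op"] == RRQ else None
    if path is None:
        return encode_error(ERR_ACCESS_VIOLATION, "Access violation")
    if path not in files:
        return encode_error(ERR_NOT_FOUND, "File not found")
    return encode_data(1, files[path][:BLOCK_SIZE])


if __name__ == "__main__":
    files = {"/tftpboot/router.cfg": b"hostname R1\n"}   # constructed file table
    for name in ("router.cfg", "../etc/passwd", "/etc/passwd"):
        print(name, "->", decode(serve_request("/tftpboot", encode_request(RRQ, name), files)))
```

Because the request is the whole of what the server can check, put the TFTP server on a management VLAN, filter UDP 69 at the router, and keep only the files a device actually needs in the served directory; a configuration file left there is readable by anyone who can reach the port.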

Virtual Private Dial-Up Networks (VPDN)

A VPDN is a network that extends remote-access dialup clients to a private network. VPDN tunnels use either Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP). Cisco introduced L2F in RFC 2341. L2F is also used to forward PPP sessions for Multichassis Multilink PPP. L2TP, introduced in RFC 2661, combines the best of the Cisco L2F protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP). L2F supports only dial-in VPDN, while L2TP supports both dial-in and dial-out VPDN....

Vulnerabilities, Attacks, and Common Exploits

This section covers some of the vulnerabilities in TCP/IP and the tools used to exploit IP networks. TCP/IP is an open standard protocol suite, which means that both network administrators and intruders are aware of the TCP/IP architecture and its vulnerabilities. NOTE There are a number of network vulnerabilities, such as insufficient password protection, lack of authentication mechanisms, use of unprotected routing protocols, and firewall holes. This section concentrates on TCP/IP vulnerabilities....

Wireless Best Practices

Cisco Architecture for Voice, Video and Integrated Data (AVVID) also contains details on best practices for wireless networks. As wireless networks grow around the globe, Cisco intends to ensure that you can connect wherever you are, 24 hours a day, thereby boosting your connectivity to the workplace. This means, of course, that connectivity is required in areas where there are no cables, such as cafés, airplanes, street corners, and hotel lobbies. Wireless networks have become one of the most...

Goal of This Lab

This lab should assist you in your final preparation for the CCIE Security lab exam. Sample solutions are provided here, but you need to research other solutions on your own. Feel free to modify the questions to suit any design scenario and discover new IOS commands by using the Cisco Universe CD-ROM. This lab is not the only tool you should use; rather, it is provided here to demonstrate the minimum level of difficulty you will encounter when attempting the CCIE Security lab exam. This...

IDS sensors

Software versions are constantly updated. Be sure to verify revision levels at the following URL. You should expect the CCIE lab exams to mirror the general deployment releases from Cisco. Make sure you practice with and understand these devices. Practice configuring almost every Cisco IOS feature and fully understand what each Cisco IOS command actually enables, rather than relying on limited experience with certain commands. Anyone can configure a Cisco router, but the ability to understand...

You Failed

If you fail the CCIE Security written exam, don't worry about the result; you can still take advantage of the situation. While the test is fresh in your mind, jot down problem areas on a notepad (the sooner you make notes for yourself, the better). Try to remember the questions you felt less comfortable with and study those areas before taking the exam again. The CCIE Security written exam is not an easy exam to pass. In fact, this exam ranks among the toughest networking exams in today's...

Final Thoughts

Having many Cisco certifications myself, I can say that the joy and success they help bring have significantly changed my life and that of my family. There are always challenges facing network engineers, and no doubt once you are a CCIE, meeting those challenges will drive you to acquire skills you never knew you could master. I sincerely hope you enjoy your time spent with this book; it took over 6 months of long, exhausting nights to complete, to ensure that you have the perfect companion through your...

Show Commands

The best method to appreciate the use of show commands is to display sample output from a Cisco IOS router. Example 3-6 displays a truncated list of the show commands available from the CLI on a Cisco router in privileged EXEC mode. (Version 12.2 was used to supply this output.) Information on terminal lines used as router; Bridge Forwarding/Filtering Database [verbose]; Display information about dialup connections; Dynamic Host Configuration Protocol status; Show diagnostic information for port; Dial Plan...

RADIUS Configuration Task List

A RADIUS server is usually software that runs on a variety of platforms, including Microsoft Windows 2000 Server and various UNIX hosts. RADIUS can authenticate router users and even validate IP routes. To configure RADIUS on your Cisco router or NAS, perform the following tasks:
Step 1 Enable AAA with the aaa new-model global configuration command. AAA must be configured if you plan to use RADIUS.
Step 2 Use the aaa authentication global configuration command to define method lists for RADIUS...

Debugging Cisco Routers

The debug command is one of the best troubleshooting tools you will encounter on Cisco routers. The debug command is available only from privileged EXEC mode. Cisco IOS debugging covers hardware and software, and it aids in troubleshooting internal problems and problems with other hosts on the network. The debug privileged EXEC mode commands start the console display of several classes of network events. For debug output to display on a console port, you must ensure that debugging to the console has not...

IDS Placement

A NIDS is typically placed in a number of locations, such as the DMZ, behind a firewall, inline inside a Catalyst 6500, or on the inside network. Figure 5-2 displays a typical IDS placement and shows how this technology can be used to prevent attacks from within and from outside an organization. Figure 5-2 displays a network with three NIDSs in place communicating back to an IDS Device Manager (IDM)....

VLAN Hopping

VLAN hopping is a network attack whereby an end system sends packets destined for a system on a different VLAN that it cannot normally reach. Typically, for a device to reach another device in a different VLAN, a Layer 3 device such as a router or Layer 3-aware switch is required. The attacker manipulates the frame and sends the traffic tagged with a different VLAN ID. The attacker may even attempt to act as a trunk port and send 802.1Q frames with data inside those frames....
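The double-tagging form of this attack is easiest to see with the frames in hand. The Python below is an added example, not code from the book: it builds an Ethernet frame carrying two stacked 802.1Q tags, then simulates one trunk hop with the simplified switch behaviour that makes the attack work (a frame in the native VLAN leaves a trunk untagged, so the receiving switch sees only the inner tag). It also shows the two usual mitigations, an unused native VLAN and tagging the native VLAN (vlan dot1q tag native on Cisco IOS). The MAC addresses, VLAN numbers, and the simplified switch model are assumptions for the example.

```python
"""Simulate 802.1Q double tagging (VLAN hopping) across one trunk, and its mitigation.

Added example (not from the book). The switch model is deliberately minimal:
native-VLAN frames egress a trunk untagged unless native tagging is on, and an
untagged frame arriving on a trunk is assigned to the native VLAN.
"""
import struct

DOT1Q = 0x8100
IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first, PCP/DEI = 0)."""
    tags = b"".join(struct.pack("!HH", DOT1Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (vids, ethertype, payload); vids lists every tag, outermost first."""
    pos, vids = 12, []
    while struct.unpack_from("!H", frame, pos)[0] == DOT1Q:
        vids.append(struct.unpack_from("!H", frame, pos + 2)[0] & 0x0FFF)
        pos += 4
    ethertype = struct.unpack_from("!H", frame, pos)[0]
    return vids, ethertype, frame[pos + 2:]


def pop_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Sending switch: frames in the native VLAN leave the trunk untagged by default."""
    vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return pop_outer_tag(frame)      # the inner tag is now the outer tag
    return frame


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Receiving switch: a tagged frame belongs to its tag, an untagged one to the native VLAN."""
    vids, _, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def delivered_vlan(frame: bytes, native_vlan: int, tag_native: bool = False) -> int:
    """VLAN in which the far-end switch forwards the frame after one trunk hop."""
    return trunk_ingress_vlan(trunk_egress(frame, native_vlan, tag_native), native_vlan)


if __name__ == "__main__":
    # Attacker sits in VLAN 1, which is also the trunk's native VLAN; the victim is in VLAN 20.
    attack = build_frame(mac("00:00:0c:00:00:20"), mac("00:11:22:33:44:55"),
                         [1, 20], IPV4, b"payload")
    print("native VLAN 1, untagged:", delivered_vlan(attack, 1))         # hops into VLAN 20
    print("native VLAN 999:        ", delivered_vlan(attack, 999))       # stays in VLAN 1
    print("tagged native VLAN:     ", delivered_vlan(attack, 1, True))   # stays in VLAN 1
```

Note that the hop is one-way: the victim's replies are not double-tagged, so double tagging suits blind attacks (floods, spoofed UDP) rather than sessions. Keeping user ports out of the native VLAN, or tagging it, removes the precondition entirely; disabling DTP with switchport mode access and switchport nonegotiate closes the separate trick of negotiating a trunk from an access port.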

Security Information Monitoring System

This section covers how Cisco IDS can monitor and identify intruder-based attacks and how security information is monitored and acted upon. Cisco IDS uses multilayer protection options to prevent an attack from successfully reaching the end target system, such as a file server or desktop computer. After traffic is identified and determined to be intrusive, the network administrator can stop the attack before any serious damage occurs. This can involve dropping the...

Virtual Private Networks

A virtual private network (VPN) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling and, with IPSec, encrypts all information at the IP layer. VPN communication is encrypted, private, and secure even though it traverses the public network. VPN is very loosely defined as a network in which a customer or end user connects to one or more sites through a public infrastructure, such as the Internet. VPNs...

Telephony Best Practices

IP networks are a prime target for intruders and hackers. Traditionally, voice networks were considered secure because the PBXs in place did not have any IP connectivity. In today's Voice over IP (VoIP) telephony networks, every IP phone has a routable IP address and thus is a prime target. For example, a hacker could reprogram the Cisco CallManager (CCM) to make every IP phone call the number 911 (or 000, depending on what part of the world you are in). If you do not secure the voice networks...

About the Technical Reviewers

Yusuf Bhaiji, CCIE No. 9305, has been with Cisco Systems, Inc., for four years and is currently the content manager, CCIE security, and proctor in the Cisco Systems Sydney, Australia Lab. Prior to this, he was technical lead for the Sydney TAC Security and VPN team. Yusuf's passion for security- and VPN-related technologies has played a dominant role in his 14 years of industry experience, from as far back as his initial master's degree in computer science, and since is reflected in his...

Secure Shell and Cisco IOS SSH

Secure Shell (SSH) is a protocol that provides a secure connection to a router. Cisco IOS supports versions 1 and 2 of SSH, which enable clients to make a secure, encrypted connection to a Cisco router. Cisco refers to this SSH support as Cisco IOS SSH. Before SSH was implemented, the only form of security available when accessing devices such as routers was Telnet username/password authentication, which is clearly visible to a network sniffer. Telnet is insecure because a protocol...

CCIE Security Written Exam Blueprint

Table I-1 lists the CCIE Security written exam blueprint topics and the corresponding chapters where you can find the material covered in this book. As you can see, the blueprint places the objectives into eight categories. The book covers all of these topics. This blueprint is a guideline for the type of content that is likely to appear on the exam. You can also find it at Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access Control System Plus (TACACS+)...