This book

Every chapter of this book holds facts on one of the objectives from the CCIE Security 2.0 written exam. This book will be a valuable asset for potential CCIE Security candidates. I am positive individuals will inevitably gain extensive security network knowledge during their preparation for the CCIE Security

Catalyst Ethernet MSFC Setup 0.25 Hour

NOTE: The CCIE R&S lab contains two Catalyst 3550s per candidate rack; the 6500 is purposely configured here so that the difficulty level is much higher.

Configure R9 (a 6509 with an MSFC card) for IP routing. Example C-1 displays the hardware profile on the Catalyst 6509 switch.

Example C-1 show module on R9 (MSFC)

Using the information displayed in Example C-1, configure the MSFC for IP routing in VLAN 6 only, using RIPv2 only. Do not route between any other interfaces.

Need for Security Certification

Security is one of the fastest-growing areas in the industry. Information security is on top of the agenda at all organizations. Companies have a need, and many times a legal requirement, to keep information secure. As a result, there is an ever-growing demand for IT professionals with the skills to implement effective, end-to-end security solutions to guard against all manner of threats. Cisco Systems helps to meet this demand by offering CCIE Security certification, setting the professional...

IP Configuration and IP Addressing No Time

NOTE: Because of recent changes to the CCIE exam, the candidate is not required to configure IP addressing. However, the subject is presented here to ensure that potential CCIE candidates have a good understanding of IP address spaces and subnetting. No time is projected for this section.

Use the Class B subnetted IP addresses 131.108.0.0 to 131.108.255.255 to design your network. You must use this address space for all addresses unless specified in a particular question. Read the entire task...

Cisco IOS Specifics and Security

This chapter covers the CCIE Cisco IOS specifics topic area. Unfortunately, the blueprint does not detail the exact requirements, and Cisco IOS in general could mean the entire range of topics. Thus, this chapter covers topics that are actually possible topics on the written exam and that are common to the routing and switching blueprint. This chapter covers routing and switching blueprint objectives together with the security blueprint objectives. The CCIE technical teams generally gather the...

Cisco Secure Intrusion Detection System and Catalyst Services Modules

This section covers tools that are useful for managing network security. Cisco Secure IDS, formerly known as NetRanger, is designed to efficiently and effectively protect your network against intruders from inside and outside of your networking domain.

NOTE: The CCIE Security written exam still refers to the term NetRanger. The new CCIE Security exam no longer tests the NetSonar application. NetRanger is now commonly known as Cisco Secure Intrusion Detection System or Cisco Secure IDS. This...

Preparing for this

You can use any combination of routers and switches to complete this lab as long as you fulfill the requirement for a properly routing and secure topology. If you do not have some of the equipment, the example displays will show you what you should expect to see in a working CCIE lab topology, which will be an invaluable resource and study guide.

NOTE: As of July 2004, the hardware types you can expect to see in the real CCIE Security lab exam, as documented by Cisco, are as follows: Catalyst...

Encryption Technology Overview

When prominent Internet sites, such as http://www.cnn.com, are exposed to security threats, the news reaches all parts of the globe. Ensuring that data crossing any IP network is secure and not vulnerable to threats is one of today's most challenging tasks in the IP storage arena (so much so that Cisco released an entirely new CCIE for the storage networking certification track). Major problems for network administrators include the following:

Packet snooping (eavesdropping) When intruders capture...

Network Security Policies Vulnerabilities and Protection

This chapter reviews today's most common Cisco security policies and the mechanisms available to the Internet community to combat cyber attacks. The security standards body CERT/CC is covered, along with descriptions of Cisco IOS-based security methods that ensure that all attacks are reported and acted upon. This chapter covers, in detail, common exploits such as attacks based on common vulnerabilities, reconnaissance attacks, backdoors, and protocol weaknesses. Cisco Security applications,...

IP Access List 0.1 Hour

You have decided to secure Routers R1 and R2 such that only hosts from your address space are allowed to Telnet to them. In addition to securing these routers, you also need to make sure that the only source IP addresses that can be trusted are the predefined loopbacks on Routers R1 through R9. You must record the denied attempts to Telnet to R1 or R2 in the local buffer log. The security architect has decided that the allowed hosts, when Telnetting to R1 or R2, must be authenticated by the router...

Cisco Threat Response

Cisco security and IDS products provide a mechanism to detect when an intrusion has occurred. The only problem with an HIDS is that many alarms are false positives, especially in a large installation base of CSA clients. In other words, many alarms need not cause your security team to investigate what is, for example, a normal IP packet or TCP segment. A CCIE candidate, however, must be able to tune out normal IP packets and TCP segments in the CCIE lab portion of this certification. The main concern is to...

Scenario Solutions

The following debug output advises the network administrator of the problem:

22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed its sanity check or is malformed

During the IKE negotiation, the router reports a message that identifies the fault as the shared password. R2 is configured with the password CCIe (it should match R1's preshared password, which is set to CCIE). See Example 4-17, code line 7. Changing the IKE password to CCIE with the IOS command crypto isakmp key CCIE address...

Do I Know This Already

1. What IOS command will display the System Flash?

2. The network administrator has forgotten the enable password, and all passwords are encrypted. What should the network administrator do to recover the password without losing the current configuration?

Answer: c. Reboot the router, press the Break key after the reload, enter ROM mode, and change the configuration register.

3. What is the enable password for the following router?

enable password Simon

Answer: b. Simon.

4. If the configuration...

Foundation Summary

The Foundation Summary is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the Foundation Topics material, the Foundation Summary will help you recall a few details. If you just read the Foundation Topics section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the Foundation Summary offers a...

A

Figure 2-2 displays a typical FTP mode of operation between a client PC and an FTP server in active mode. The following steps are completed before FTP data can be transferred:

1. The FTP client opens a control channel on TCP port 21 to the FTP server. The source TCP port number on the FTP client is any number randomly generated above 1023.

2. The FTP server receives the request and sends an acknowledgment. FTP commands are exchanged between client and server.

3. When the FTP client requests a...

Ckk

Accounting, 231-232 authentication, 230 authorization, 230-231 ABRs (Area Border Routers), 63 access lists, 353-355 extended, 196-198 IP packet debugging, 179-180 standard, 190-195 wildcard masks, 192 accessing Cisco routers, 187 accounting, 228, 231-232 ACKs (acknowledgments), 58 ACS (Cisco Secure Access Control Server). See Cisco Secure Active Directory, 135 Active FTP, 116-118 adaptive cut-through switching, 23 adjacencies, 62 administrative distances, 51 AES (Advanced Encryption Standard),...

Access Control on R2 Ethernet Interface 4 Points

Configure an extended named access list on R2's Ethernet interface blocking traffic from the outside that satisfies the following criteria:

- Ensure that World Wide Web and FTP traffic is permitted both ways.
- ICMP is permitted one way only. Assume R2 sends the ping request.
- Telnet sessions are permitted only from outside to hosts on VLAN 5, and only for an employee with the username henrytripleccie. This access should not remain in place indefinitely.
- All other incoming traffic is denied and...

Access List 6 Points

On R1, configure an access list that meets the following criteria and contains the minimum number of configuration lines possible:

- Apply the access list on the outbound interface on R1's link to R3.
- Deny any TCP packet with source address 109.57.204.0/24.
- Deny any TCP packet with source address 109.57.140.0/24.
- Deny any TCP packet with source address 225.132.9.0/24.
- Deny any TCP packet with source address 161.132.9.0/24.
- Deny every even subnet in 108.13.0.0/16.
- Deny every odd subnet in...

Active FTP

FTP active mode is defined as one connection initiated by the client to the server for the FTP control connection. Remember that FTP requires two port connections through TCP ports 20 (data) and 21 (control). The second connection is made for the FTP data connection (where data is transferred), which is initiated from the server back to the client. Active FTP is less secure than passive mode because the FTP server, which, in theory, could be any host, initiates the data channel. Also, port 20...

Address Resolution Protocol

ARP determines a host's MAC address when the IP address is known. For example, to ping one device from another, the Layer 2 MAC fields require a destination MAC address. Because this is the first such request, a broadcast packet is sent across the wire to discover the remote host's MAC address. Figure 1-11 displays a scenario where PC1 wants to ping Host PC2. When PC1 sends a ping request to PC2 using the known IP address 1.1.1.2 (Layer 3), a broadcast Layer 2 frame must first be sent by PC1...

Advanced Encryption Standard

AES, developed by Joan Daemen and Vincent Rijmen, is a new encryption standard and is considered a replacement for DES. The U.S. government made AES a standard in May 2002, and the National Institute of Standards and Technology (NIST) has adopted AES. AES provides key lengths of 128, 192, and 256 bits. AES supports Cipher Block Chaining (CBC) mode, which circumvents one of the problems with block algorithms, namely that two identical plaintext blocks would otherwise produce two identical ciphertext blocks....

Advanced Security Concepts

A wealth of security concepts have been covered in the previous chapters; now you are ready to look at some of the techniques that are used to secure areas of your network that are vulnerable to attacks, in particular the demilitarized zone (DMZ). The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet. Figure 6-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (first line of...

Anomaly Based IDS

The anomaly-based IDS looks for traffic that deviates from what is seen normally. The definition of normal and abnormal network traffic patterns is what allows a culprit to be identified. Once the definition is in place, the anomaly-based IDS can monitor the system or network and send an alarm if an event outside known normal behavior is detected. An example of suspicious behavior is the detection of specific data packets (routing updates) that originate from a user device rather than from a...

Application Protocols

This chapter covers some of today's most widely used application protocols. This chapter covers the following topics:

Domain Name System (DNS) Topics in this section include how DNS is configured on Cisco routers and what port numbers are used when delivered across an IP network.

Trivial File Transfer Protocol (TFTP) This section covers the common uses of TFTP, particularly on Cisco IOS-enabled routers. The process used to copy files to and from a TFTP server is described.

File Transfer Protocol...

Authentication Authorization and Accounting

Authentication, authorization, and accounting (AAA, pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices. AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information. In today's IP networks, access to network data is available in a variety of methods, including the...

Authorization

Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS allows certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a privilege level of 0 cannot issue many IOS commands. There are five commands at privilege level 0: disable, enable, exit, help, and logout. A user with a privilege level of 15...

Authorization Technologies: IOS Authentication 802.1X

IEEE 802.1X is a new standard that defines enhanced security for IP networks. IEEE 802.1X specifically defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1X works by authenticating every client on the network, that is, every device connected to a switch port. After successful authentication, the individual switch port is assigned a VLAN. Until the client is authenticated,...

Basic Frame Relay Setup 5 Points

Configure the network in Figure 8-2 for basic physical Frame Relay connectivity. The following are the parameters:

- You must use static Frame Relay maps for IP and disable Frame Relay inverse ARP. (Hint: Use no frame-relay inverse-arp on all frame-enabled interfaces.)
- For the connection between R1 and R4, you are not permitted the keyword broadcast when mapping IP across the R1-R4 Frame Relay link.
- No dynamic mapping is permitted.
- No Frame Relay subinterfaces are permitted on any router.
- Assume...

Basic IBGP Configuration 0.2 Hour

Configure IBGP on all routers in your network:

- Do not use any WAN IP interfaces for IBGP sessions, because your network is prone to failures across the Frame Relay cloud.
- Configure R5 and R8 as route reflectors and ensure that all IP traffic has a preferred path via Router R5.
- Minimize IBGP configurations as much as possible.
- Do not disable BGP synchronization.
- Use AS 2002 on all IBGP routers.
- As long as your network has IP connectivity, ensure that BGP is active in all routers.
- Using...

Basic IBGP Configuration 4 Points

Configure IBGP on Routers R1, R2, and R3 in your network (use AS 333):

- Do not use any WAN IP interfaces for IBGP sessions, because your network is prone to failures across the Frame Relay cloud.
- Configure R3 as route reflector.
- Minimize IBGP configurations as much as possible.
- Do not disable BGP synchronization.
- Use AS 333 on all IBGP routers.
- As long as there is IP connectivity in your network, ensure that BGP is active in all routers.
- Using the network command only, advertise all networks to...

Basic Rate and Primary Rate Interfaces

ISDN can be supplied by a carrier in two main forms Basic Rate Interface (BRI) and Primary Rate Interface (PRI). An ISDN BRI consists of two 64-kbps services (B channels) and one 16-kbps signaling channel (D channel). An ISDN PRI consists of 23 B or 30 B channels, depending on the country. In North America and Japan, a PRI service consists of 23 B channels. In Europe and Australia, a PRI service consists of 30 B channels. A signaling channel (or D channel) is used in a PRI service and is a...

Basic Security on Cisco Routers

You can access a Cisco router in a number of ways. You can physically access a router through the console port, or you can access a router remotely through a modem via the auxiliary port. You can also access a router through the network via virtual terminal ports (vty lines), which allow remote Telnet access. If you do not have physical access to a router, either through a console port or through an auxiliary port via dialup, you can access a router through the software interface, called the virtual...

BGP Routing Configuration 6 Points

After finishing this section, make sure that all configured interfaces and subnets are consistently visible on all pertinent routers, even in the event of network failure of any one router. Configure IBGP on all routers in your network:

- Do not use any WAN IP interfaces for IBGP sessions, because your network is prone to failures across the Frame Relay cloud.
- Configure R4 as the route reflector and ensure that remote routers peer to R4 only.
- Minimize IBGP configurations as much as possible.
- The...

Border Gateway Protocol

BGP is an exterior routing protocol used widely on the Internet. It is commonly referred to as BGP4 (version 4). BGP4, defined in RFC 1771, allows you to create an IP network free of routing loops between different autonomous systems. (As defined in Table 11-1, an autonomous system is a set of routers under the same administrative control.) BGP is called a path vector protocol because it carries a sequence of autonomous system numbers that indicates the path taken to a remote network. This...

Bridge Port States

Every bridge and associated port is in one of the following spanning tree states:

Disabled The port is not participating in spanning tree and is not active.

Listening The port has received data from the interface and will listen for frames. The bridge only receives data; it does not forward any frames to the interface or to other ports.

Learning The bridge still discards incoming frames. The source address associated with the port is added to the CAM table. BPDUs are sent and received.

Forwarding...

C

Calculating hosts per subnet, 30-31 CAM tables, 22 overflow, 199-200 overflow attacks, 201-202 Catalyst 6500 Series Switch, IDSM-2, 312 CBAC (Content-Based Access Control), 378 audit trail messages, enabling, 505 configuring, 380-382 CEP (Certificate Enrollment Protocol), 272 CERT CC (Computer Emergency Response Team Coordination Center), 413-414 certification exam, objectives, 627 characteristics of RIP, 52 of RIPv1, 52 of RIPv2, 53 CIDR (classless inter-domain routing), 32 Cisco 7200 routers,...

Catalyst Ethernet Switch Setup I 0 Points

Configure the Ethernet switch for three VLANs:

- VLAN 2, named VLAN_A, is connected to R1, R2, and backbone segment 1.
- VLAN 3, named VLAN_B, is connected to R3.
- VLAN 4, named VLAN_C, is connected to R4 and backbone segment 2.
- VLANs D and E are preconfigured.

Using VLAN_A, configure the management interface sc0 with the address 133.33.0.2/25. Ensure that all devices in your network can Telnet to the switch even if R1 or R2 is down. (Note that you may need to configure an additional IP address to...

Catalyst Ethernet Switch Setup I 0.25 Hour

Configure the Ethernet switch for six VLANs:

- VLAN 2, named VLAN_A, is connected to R1 and R2.
- VLAN 3, named VLAN_B, is connected to R3.
- VLAN 4, named VLAN_C, is connected to R4.
- VLAN 5, named VLAN_D, is connected to R5.
- VLAN 6, named VLAN_E, is connected to R6 and R9.
- VLAN 7, named VLAN_F, is connected to R7.

Using VLAN_A, configure the management interface sc0 with the address 131.108.0.2/25. Ensure that all devices in your network can Telnet to the switch even if R1 or R2 is down. Make sure...

Catalyst Ethernet Switch Setup I 5 Points

Configure the Ethernet switch for five VLANs:

- VLAN 2, named VLAN_A, is connected to R1 and the PIX inside interface.
- VLAN 3, named VLAN_B, is connected to R4 and R5 Eth0/0.
- VLAN 4, named VLAN_C, is connected to R5 FastEth0/1 (switch port Fast0/6).
- VLAN 5, named VLAN_D, is connected to R2 and R3.
- VLAN 6, named VLAN_E, is connected to the PIX outside interface and to the ISP managed router.

Ensure that the IDS is also in the correct VLANs for the sniffing and control interfaces. Using VLAN_D (VLAN 5), configure...

Catalyst Ethernet Switch Setup II 0.25 Hour

Configure the following spanning-tree parameters on the Catalyst 6509:

- Ensure that the switch never becomes the root bridge on VLAN_D.
- Ensure that the switch has the best possible chance of becoming the root bridge in VLAN_E.
- Set all the Ethernet ports to forward data immediately after a device is plugged in or activated.
- Set the hello time on VLAN_B to 10 seconds.
- Set the max age on VLAN_F to 10 seconds.

Configure the following miscellaneous parameters:

- Disable Cisco Discovery Protocol on ports...

Catalyst Ethernet Switch Setup II 6 Points

Configure the following security features on the Catalyst 3550:

- Ensure that all of your interfaces are secure and that, if a security breach occurs, the strictest possible action is taken.
- Set the Ethernet ports 0/1-8 to forward data immediately after a device is plugged in or activated.
- Set all interfaces such that unnecessary broadcast traffic is suppressed once it exceeds 50 percent of the total traffic on the switch.

Catalyst Ethernet Switch Setup II Solution...

Catalyst Ethernet Switch Setup II 9 Points

Configure the following spanning-tree parameters on the Catalyst 3550:

- Ensure that the switch never becomes the root bridge on VLAN_A.
- Configure the switch to be a VTP client once all VLANs have been created.
- Set the maximum spanning-tree age on VLAN_B to 15 seconds, the forward delay to 10 seconds, and the hello interval to 3 seconds for this instance of spanning tree only. Do not modify any other VLANs on the 3550.
- Ensure that the switch will be elected the root bridge for VLAN 1.
- Set all...

CCIE Security Self Study Lab Part II Goals

Part II builds on the working IP network and requires security features such as IPSec and PIX. RIP routing is also required. You will also notice the addition of an IDS sensor. Expect to be tested on IDS sensors and the VPN Concentrator in the lab exam. You are likely to be asked to configure both devices. Part II of this lab does not include the VPN Concentrator, however. Review the additional advanced topics questions for possible exam scenarios for the VPN Concentrator. You should take no...

Central Processing Unit

The CPU is the heart of a router, and every Cisco router has a CPU. A CPU manages all the router's processes, such as IP routing, and new routing entries, such as remote IP networks learned through a dynamic routing protocol. To view a CPU's status, use the show process IOS command. Example 3-2 shows a sample display taken from a Cisco IOS router.

Example 3-2 (Truncated) show process Command

R1> show process
CPU utilization for five seconds: 9%/7%; one minute: 9%; five minutes: 10%

Example 3-2...

Cisco Hardware

Cisco routers consist of many hardware components; Figure 3-1 illustrates the main hardware components of a Cisco router.

Figure 3-1 Components of a Cisco Router (figure labels include Read-Only Memory (ROM) and Nonvolatile RAM (NVRAM))

Each hardware component is vital for Cisco routers to operate properly. To help you prepare for the CCIE Security written exam, the next few sections present the main...

Cisco Inline IDS Intrusion Prevention System

Recently, Cisco marketing released a security concept, Intrusion Prevention System (IPS), along with the new router platforms, namely the 1800, 2800, and 3800. IPS is designed to leverage Cisco PIX software and Cisco IDS sensor technologies, combined with IOS software features. Cisco IOS IPS is an inline, deep-packet-inspection-based solution that helps enable Cisco IOS software to effectively mitigate network attacks. Cisco inline IDS (or IPS) allows traffic to be dropped, can send an alarm,...

Cisco Intrusion Detection System 5 Points

The Cisco intrusion detection system is connected to the inside interface of the PIX and the segment connecting R4 and R5. The IDS in Figure 8-1 is configured for IP. Figure 8-8 displays all the details you need to complete this section. The following list outlines key details to answer the lab exam questions:

- The IP address of the control interface is 144.254.5.3/27.
- The sniffing interface is connected to the PIX and R1 LAN.
- Ensure that only the subnet 144.254.6.0/29 can manage the IDS device....

Cisco IOS Firewall Configuration on R5 6 Points

Translate the following policy into a working CBAC configuration on R5 (assuming this router's FastEth0/1 is connected to another ISP):

- Allow all TCP and UDP traffic initiated on the inside from network 144.254.5.0 to access the Internet. ICMP traffic will also be allowed from the same network. Other networks (inside) must be denied.
- For traffic initiated on the outside, allow everyone to access only HTTP to host 144.254.5.3. All other traffic must be denied.

Cisco IOS Firewall Configuration on...

Cisco IOS Firewall Feature

Cisco has developed a version of IOS with security-specific features integrated in current IOS software. It is available on only some Cisco IOS devices.

NOTE: The need to provide firewall functionality in existing router models led Cisco down a path of enabling IOS to be security aware. Not many folks think of Cisco as a software company but, in fact, it sells more software than hardware.

The Cisco IOS Firewall feature set consists of the following:

Context-Based Access Control (CBAC) provides to...

Cisco PIX Firewall

The Cisco Private Internet Exchange (PIX) Firewall and Cisco IOS Firewall feature set are designed to further enhance a network's security. The PIX Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN configuration (IPSec), FTP, logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple outside or...

Cisco PIX Firewall Software Features

A list of the current features of the Cisco PIX Firewall product follows:

- State-of-the-art Adaptive Security Algorithm (ASA) and stateful inspection firewalling.
- Cut-through proxy authenticates and authorizes connections, while enhancing performance.
- Easy-to-use web-based interface for managing PIX Firewalls remotely (using the web-based interface is not a practice Cisco suggests for medium to large networks).
- Support for up to 10 Ethernet interfaces ranging from 10BASE-T, 10/100 Fast Ethernet...

Cisco Secure IDS

Cisco Secure IDS is an enterprise intrusion detection system designed to detect, report, and, in the event of unauthorized access, terminate data sessions between users and host devices. Users are not aware that Cisco Secure IDS is watching data across the network; it is transparent to all systems. Cisco Secure IDS has three components:

Cisco Secure IDS Sensor High-speed device that analyzes the contents of data being transported across a network and determines whether that traffic is authorized...

Cisco Secure VPN Client

The Cisco Secure VPN Client is a low-cost application available to the Internet community. You may need to purchase a license at a minimal cost. The VPN Client is free when you buy a VPN gateway and support contract, and is included with all models of Cisco VPN 3000 Series Concentrators and most Cisco PIX 500 Security Appliances. Customers with Cisco SMARTnet support contracts and encryption entitlement may download the Cisco Secure VPN Client from the Cisco Software Center at no additional...

Cisco Security Agent and Host Based IDS

CSA provides threat protection for servers and PCs. CSA identifies and prevents malicious behavior, thereby eliminating known and unknown security risks. Typically, devices with antivirus software do not detect the latest worms or code violations. CSA fills in this gap by triggering an alert to the system or the management server any time an application or packet tries to use the kernel inside a Windows-based system. CSA also blocks the attack. CSA can be installed as a standalone client or in...

Cisco Security Applications

This chapter reviews a number of Cisco-defined CCIE Security written exam blueprint objectives covering security applications and the Cisco Secure product suites. This chapter covers the following topics:

Cisco Secure for Windows (NT) and Cisco Secure ACS Introduces Cisco Secure, the Cisco security application that is available on Windows platforms, and Cisco Secure Access Control Server (ACS), which provides additional network security when managing IP networks designed with Cisco devices.

IDS...

Cisco Threat Response IDS Requirements

CTR works in conjunction with intrusion detection systems. Your network should have an installation of either or both of the following IDSs:

- Cisco Intrusion Detection System version 3.x or higher
- Internet Security Systems RealSecure (CTR has been tested with RealSecure versions 6.5 and 7.0)

You can access the CTR GUI from any computer in your environment; CTR uses an SSL connection under Microsoft Internet Explorer. For example, to access the CTR server with an IP address of 192.168.100.100, simply...

Cisco Works VMS

CiscoWorks VPN/Security Management Solution (VMS) is core management software that provides a centralized means of defining and distributing security policies, providing patches and software updates, and ensuring communication with all agents. A Cisco Security Agent is defined as an endpoint software device that resides on servers or desktops/laptops and autonomously enforces local policies that prevent attacks. CiscoWorks VMS is an integral part of the SAFE Blueprint. The following are some of...

Classless Interdomain Routing

Classless interdomain routing (CIDR) is a technique supported by BGP4 and based on route aggregation. CIDR allows routers to group routes together to reduce the quantity of routing information carried by the core Internet routers. With CIDR, several IP networks appear to networks outside the group as a single, larger entity. With CIDR, IP addresses and their subnet masks are written as four octets, separated by periods, and followed by a forward slash and a two-digit number that represents the...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference, which describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown.
- Italics indicate arguments for which you supply actual values.
- Vertical bars ( | ) separate alternative, mutually exclusive elements.
- Square brackets, [ ], indicate optional elements.
- Braces, { }, indicate a required choice.
- Braces within brackets, [{ }],...

Communications Server 0 Points

Configure the communication server (R1) so that when you type the host name of a router on the communications server, you are connected across the console port to that router:

- Disable the break command on R1 so that R1 will not permit an intruder to issue a break command and perform password recovery. (Hint: Change the configuration register to 0x2002.)
- Set up the routers, as shown in Figure 8-1.
- Configure R1 as the communication server using the ip host command.
- Communication server ports 2 to 5...

Communications Server 0.25 Hour

NOTE: Not all CCIE R&S labs require you to configure a communication server.

Configure the communication server so that when you type the host name of a router on the server, you are connected across the console port to that router. Set up the routers as shown in Figure C-1, with the following physical attributes:

- Configure R1 as the communication server with the ip host command.
- Communication server ports 2 to 8 are connected to Routers R2 to R8,...

Conclusion

You should be able to complete the sample CCIE Routing and Switching lab in this appendix within 8 hours (this is the same allotted time for the real CCIE lab at Cisco). The difficulty level presented here is similar to what you can expect in any CCIE lab examination; in fact, the difficulty level here might be higher. Focus your attention on time management and the ability to configure a set number of Cisco IOS features very quickly. If you complete this lab successfully, try it again by...

Contents

Foreword xviii Introduction xx Chapter 1 General Networking Topics 3 Do I Know This Already Quiz 4 Foundation Topics 14 Networking Basics The OSI Reference Model 14 Layer 1 The Physical Layer 14 Layer 2 The Data Link Layer 15 Layer 3 The Network Layer 16 Layer 4 The Transport Layer 17 Layer 5 The Session Layer 17 Layer 6 The Presentation Layer 17 Layer 7 The Application Layer 18 TCP IP and OSI Model Comparison 18 Example of Peer-to-Peer Communication 19 Ethernet Overview 20 Switching and...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S. please contact International Sales, international@pearsoned.com. Publisher: John Wait; Editor-in-Chief: John Kane; Executive Editor: Brett Bartow; Cisco Representative: Anthony Wolfenden; Cisco Press Program Manager: Jeff Brady; Production Manager...

D

3DES, 250 AES, 250-251 DES, 248-250 Diffie-Hellman, 252-253 IPSec, 254 MD5, 251-252 principles of, 247-248 data link layer. See Layer 2 security data manipulation, 417 DDOS (Distributed Denial Of Service) attacks, 420 debug all command, 179 debug commands, 175, 182 options, 177-178 debugging, turning off, 171 default services, disabling, 429 defining HTTP port number, 121 TFTP download directory, 115 deploying NAT, 357 DES (Data Encryption Standard), 248-250 development of Ethernet, 20 of OSI...

Decoding Ambiguity

Cisco exams have a reputation for including questions that can be difficult to interpret, confusing, or ambiguous. In my experience with numerous exams, I consider this reputation to be completely justified. The Cisco exams are deliberately tough. The only way to beat Cisco at its own game is to be prepared. You'll discover that many exam questions test your knowledge of things that are not directly related to the issue that a question raises. This means that the answers you must choose from even...

Denial of service attacks

What is the function of a signature-based IDS? Answer: A signature-based IDS monitors the network traffic or observes the system and sends alarms if a known malicious event is happening. It does this by comparing the data flow against a database of known attack patterns. These signatures explicitly define what traffic or activity should be considered malicious. An excellent white paper on signature-based IDS can be found at _paper09186a0080092334.shtml.

DES and 3DES

DES is one of the most widely used encryption methods. DES turns clear-text data into cipher text with an encryption algorithm. The receiving station decrypts the data from cipher text back into clear text. The shared secret key is used to derive the session key, which is then used to encrypt and decrypt the traffic. Figure 4-5 demonstrates DES encryption. (Figure 4-5: DES Encryption Methodologies.) Data is encrypted using mathematical formulae to scramble data with the shared private key. Data is...

DHCP Allocation on R4 5 Points

There are a number of Windows XP users on VLAN_C that support DHCP and the ability to receive more than one IP gateway. Configure R4 to provide only a pool of DHCP addresses with the following criteria: IP addresses in the pool range 133.254.4.0/26; DNS servers 1.1.2.2 and 1.1.1.2; default gateway 133.254.4.1; hosts must retain DHCP-assigned addresses forever. Ensure that the predefined addresses 133.254.4.1, 133.254.4.2, and 133.254.4.3 are never allocated to DHCP clients. You can assume that you...

DHCP Configuration 3 Points

A number of Windows XP users on VLAN_D support DHCP and the ability to receive more than one IP gateway. Configure R2 to provide only a pool of DHCP addresses with the following criteria: The IP address pool ranges from 144.254.4.0/26 and is shared between R2 and R3. The DNS servers are 139.134.2.2 and 139.134.1.1. The domain name is cisco.com. The default gateway is 144.254.4.1 or 144.254.4.2 only. Hosts must retain DHCP-assigned addresses forever. The predefined addresses 144.254.4.1, 144.254.4.2, and...

DHCP Starvation Attacks

As the name implies, a DHCP starvation attack is where a DHCP server is sent so many DHCP requests that eventually there are no more IP addresses available to allocate to legitimate devices, hence rendering the network unusable. A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. As you have seen, there are many tools available on the Internet to send out these sorts of frames. The end result may involve the attacker installing their own DHCP server and...

Diffie Hellman

The Diffie-Hellman protocol allows two parties to establish a shared secret over insecure channels, such as the Internet. This protocol allows a secure shared key interchange over a public network, such as the World Wide Web, before any secure session and data transfer is initiated. Diffie-Hellman ensures that, by exchanging just the public portions of the key, both devices can generate the same session key and ensure that data is encrypted and decrypted by valid sources only. Only public keys (clear...

DLSw Configuration 05 Hour

Configure DLSw+ on R1, R2, R5, and R6. VLANs 2, 5, and 6 should have DLSw configured to allow SNA devices to communicate with each other. Do not enable DLSw on R9, but allow any future segments connected to R9 reachability to VLAN 2 only. SNA/NetBIOS hosts reside on VLANs 2 and 5. Hosts on VLAN 2 are used only when VLAN 5 is not reachable. Make sure all routers peer to R1 and that only in a network failure will DLSw+ circuits terminate on R2 or R5. DLSw+ peers should be active only when...

Do I Know This Already? Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all of these questions, you might want to skim the Foundation Topics section and return to it later, as necessary. Review the Foundation Summary section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions...

Dynamic Access List Lock and Key Feature 5 Points

Make sure that during normal operation it is not possible to ping from R2 (Ethernet0/0) to R3 (FastEthernet0/0). After a Telnet login from R2 to R3, pings are allowed, but make sure that after 5 minutes of inactivity normal operation is restored. Routing should still be in place in both circumstances. Dynamic Access List Lock and Key Feature Solution: This is an example where dynamic access lists are used to allow access only after a valid username/password pair has been entered. Access is denied...

Dynamic Host Configuration Protocol

DHCP is defined in RFC 1531 (the latest is RFC 2131) and provides a comprehensive method of allocating IP addresses, subnet mask, gateway address, DNS server, WINS servers, and many more parameters for IP devices. DHCP clients send messages to the server on UDP 67, and servers send messages to the client on UDP 68. Cisco routers can also be configured for DHCP. Example 1-3 configures a Cisco IOS router to allocate the entire range 131.108.1.0/24, with a gateway address 131.108.1.1, subnet mask...

E

EAP (Extensible Authentication Protocol), 85, 272, 275-276 EAP-TLS (Extensible Authentication Protocol Transport Layer Security), 272, 275-276 eBGP (external BGP), 74 EIGRP (Enhanced Interior Gateway Routing Protocol), 57-61 election process (DRs), disabling, 70 e-mail attacks, 420 SMTP, 128-129 enable passwords, setting, 188 enabling, 428-429 HSRP, 43 Nagle algorithm, 426 PortFast on Cisco switches, 25 SSH support on Cisco routers, 136-138 encapsulation, 19 HDLC, 76 LCP, 78 PPP, 77 3DES, 250...

EBGP Configuration 02 Hour

Configure EBGP on R5 and R8 as follows: R5's remote peer is 171.108.1.2/24 and the remote AS is 1024. R8's remote peer is 191.200.1.2/30 and the remote AS is 4345. ISP1 and ISP2 are advertising the full Internet routing table. The only routes accepted are a default route and routes of the form 110.100.0.0 to 121.110.255.255. Set all routes in the range 110.100.0.0 to 121.110.255.255 with the following attributes: Prepend the AS paths 1000, 999, and 100. Set the weight to 1000 for all even networks and 2000...

EBGP Configuration 8 Points

Configure EBGP on R3 and R4 as follows: Configure EBGP between R3 and R4. R3 resides in AS 333; R4 resides in AS 334. The neighbor on backbone segment 2 has an IP address of 150.100.200.25 and is in Autonomous System 2554. Configure EBGP between R4 and the external lab router on backbone segment 2. Permit only the registered address space as defined in the appropriate RFC as allowed networks from any EBGP-defined routers.

EIGRP Configuration 05 Hour

Configure EIGRP on Routers R3, R7, and R8 only. Configure EIGRP in domain 333 between the serial link on R7 to R8, R3 to R8, and VLAN 3. Summarize as much as possible to reduce the redistributed routes into OSPF, but make sure all routes appear in the IS-IS and RIP domains. Ensure that EIGRP is authenticated across the Frame Relay connections. Redistribute the EIGRP routes into the OSPF domain with a cost metric of 1000 seen on all OSPF routers. Ensure that R3 never sends any updates across the...

Ethernet Overview

Ethernet networks are based on a development made by Xerox, Digital Equipment Corporation, and Intel Corporation. The two versions of Ethernet are commonly referred to as Ethernet I and Ethernet II (or version 2). Ethernet uses carrier sense multiple access collision detection (CSMA/CD) to transmit frames on the wire. In an Ethernet environment, all hosts can transmit as long as no other devices are transmitting. CSMA/CD is used to detect and warn other devices of any collisions, and colliding...

Exam Topics in This Chapter

Switching and Bridging (including VLANs, Spanning Tree, and more); Routing Protocols (including RIP, EIGRP, OSPF, and BGP); Integrated Services Digital Network (ISDN); Access Devices (for example, Cisco AS5300 series). You can find in this book's introduction a list of all of the exam topics. For the latest updates on exam topics, visit Cisco.com.

Example of Peer-to-Peer Communication

Each layer of the OSI or TCP model has its own functions and interacts with the layers above and below it. Furthermore, the communication between each layer's end devices also establishes peer-to-peer communication; this means that each layer of the OSI model communicates with the corresponding peer layer on the other device. For example, Layer 3 of Host A in Figure 1-3 communicates with the corresponding Layer 3 (IP) of Host B. Consider the normal communication that occurs between two IP hosts over a WAN...

Extended Access Lists

Extended access lists range from 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with Cisco IOS release 12.0 or later. As mentioned earlier in this chapter, extended access lists can be applied to both source and destination addresses, as well as to filter protocol types and port numbers. Following are some examples of extended access lists that allow you to filter several different types of traffic. For Internet Control Message Protocol (ICMP) traffic, use...

Extensible Authentication Protocol, Protected EAP, and Temporal Key Integrity Protocol

Extensible Authentication Protocol (EAP) enables the dynamic selection of the authentication mechanism at authentication time based on information transmitted in the Access-Request (that is, via RADIUS). PPP also supports EAP during the link establishment phase. EAP allows the authenticator to request more information before determining the specific authentication mechanism. A proposal jointly submitted to the IEEE by Cisco Systems, Microsoft, and various other organizations introduced...

Fast EtherChannel

Fast EtherChannel (FEC) is a Cisco method that bundles 100-Mbps Fast Ethernet ports into a single logical link. The existence of any redundant paths between two switches results in some ports being placed in a blocking state, thus reducing the available bandwidth. Figure 1-4 displays a switched network with two 100-Mbps connections between two switches. Because of STP, one of the links (on Switch A, in this case) will be in a blocking state after the election of a root bridge. Switch B will block one of the paths to ensure...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

File Transfer Protocol

FTP, an application layer protocol of the TCP/IP protocol suite, allows users to transfer files from one host to another. Two ports are required for FTP: one port is used to open the connection (port 21), and the other port is used to transfer data (port 20). FTP runs over TCP and is a connection-oriented protocol. To provide some level of security, FTP allows usernames and passwords to be exchanged before any data can be transferred, adding some form of security authentication...

File Transfer Protocol and Trivial File Transfer Protocol

FTP and TFTP are application layer protocols (part of the TCP/IP protocol suite). FTP is a connection-oriented protocol running over TCP. FTP uses two connections to maintain connectivity between two IP hosts: port 20 is used for the data port and port 21 is used for control. TFTP runs over UDP port 69 and is a connectionless protocol. TFTP is commonly used to upload Cisco IOS images and configurations to a TFTP server. TFTP is regarded as the simple version of FTP. TFTP does not require any...

Frame Relay Setup 05 Hour

Configure IP across your Frame Relay network, as displayed in Figure C-2. You have to use static maps for each protocol. No dynamic mapping is permitted. No subinterfaces are allowed on any router. Use the most efficient subnetwork for IP addresses on the Frame Relay cloud. You can assign a subnet from your Class B range. Use LMI-type Cisco only and do not rely on auto-sensing the LMI type on any routers. All router interface types are DTE. The Frame Relay port type is DCE. Do not use the...

Frame Relay Setup 8 Points

Configure IP across your Frame Relay network, as displayed in Figure D-2. You have to use static maps for each protocol. No dynamic mapping is permitted. No subinterfaces are allowed on any router except on R3. You can assign a subnet from your Class B range. Use LMI-type Cisco only and do not rely on auto-sensing the LMI type on any routers. All router interface types are DTE. The Frame Relay port type is DCE. Do not use the keyword broadcast for the Frame Relay link between R3 and R4 when...

General Lab Guidelines and Setup

Follow these general guidelines during this lab: Static and default routes are not permitted unless directly stated in a task. This includes floating static routes. Use the DLCIs provided in the Frame Relay diagram (presented shortly). All routers and switches should be able to ping any interface using the optimal routing path. Do not configure any authentication or authorization on any console or aux ports unless specified. Routes to Null0 generated by any routing protocol are permitted. Full...

Goals of This Book

The primary goal of this book is to ensure that a CCIE Security candidate has all the technical skills and knowledge required to pass the written exam. Most Cisco certifications require practical skills, and the only way to hone those skills is in a working environment using common Cisco-defined techniques. This book provides you with comprehensive coverage of CCIE Security exam topics. Ultimately, the goal of this book is to get you from where you are today to the point that you can...

Hypertext Transfer Protocol

HTTP, used by web browsers and web servers, transfers files, such as text and graphic files. HTTP can also authenticate users with username and password verification between clients and web servers. Cisco IOS routers can be configured from a browser client. By default, the HTTP server is disabled on Cisco routers (HTTP is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005 model routers), and there have been issues with users entering certain hash pairs to gain...

Incident Response Teams

Incident response teams are too often set up only after an incident or intrusion occurs. However, sound security administration requires that such teams already be set up to monitor and maintain network security. Incident response teams do the following:
2. Determine the magnitude of the incident (hosts affected and how many).
3. Assess the damage (for example, determine if public servers have been modified).
4. Gather and protect the evidence.
5. Inspect systems to determine damage.
6. ...

Internet Control Message Protocol

ICMP is a network layer (Layer 3) Internet protocol that reports errors and provides other information relevant to IP packet processing. ICMP is fully documented in RFC 792. ICMP's purpose is to report error and control messages. ICMP provides a number of useful services supported by the TCP IP protocol, including ping requests and replies. ICMP Echo requests and replies enable an administrator to test connectivity with a remote device. Be aware that ICMP runs over IP, which means that there is...

Internet Newsgroups

Another important resource for both network administrators and intruders themselves is Internet newsgroups. Newsgroups are mailing list-type forums where individuals share ideas and past incidents to keep current with the latest security concerns and protection policies. As a network administrator, you must be aware of both the standards and the topics that intruders are discussing. The following mailing lists and newsgroups are CERT/CC recommended: Bugtraq, a full-disclosure computer security mailing list....

Internet Protocol

Internet Protocol (IP) is a widely used networking term that describes a network layer protocol that logically defines a distinct host or end system, such as a PC or router, with an IP address. An IP address is configured on end systems to allow communication between hosts over wide geographic locations. An IP address is 32 bits in length, with the network mask or subnet mask (also 32 bits in length) defining the host and subnet portion. Figure 1-6 displays the IP packet header frame format in...

Internet Security

Cerf has said, "The wonderful thing about the Internet is that all these computers are connected. However, the challenge of the Internet also is that all these computers are connected." The luxury of access to this wealth of information comes with its risks, and anyone on the Internet is a potential stakeholder. The risks vary from information loss or corruption to information theft to lost revenue and productivity. The number of security incidents is also growing dramatically....

Intrusion Detection System

Intrusion detection systems (IDSs) are designed to detect and thwart network attacks. Based on their location, IDSs can be either of the following: Network-based IDS (NIDS), which examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature; and Host-based IDS (HIDS), which examines operating system information, such as logs or system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are...