This book

Every chapter of this book holds facts on one of the objectives from the CCIE Security 2.0 written exam. This book will be a valuable asset for potential CCIE Security candidates. I am positive individuals will inevitably gain extensive security network knowledge during their preparation for the CCIE Security

Catalyst Ethernet MSFC Setup 0.25 Hour

NOTE The CCIE R&S lab contains two Catalyst 3550s per candidate rack, and the 6500 is purposefully configured here so that the difficulty level is much higher.

Configure R9 (6509 with an MSFC card) for IP routing. Example C-1 displays the hardware profile on the Catalyst 6509 switch.

Example C-1 show module on R9 (MSFC)

Using the information displayed in Example C-1, configure the MSFC for IP routing in VLAN 6 only, using RIPv2 only. Do not route between any other interfaces.

Need for Security Certification

Security is one of the fastest-growing areas in the industry. Information security is on top of the agenda at all organizations. Companies have a need, and many times a legal requirement, to keep information secure. As a result, there is an ever-growing demand for IT professionals with the skills to implement effective, end-to-end security solutions to guard against all manner of threats. Cisco Systems helps to meet this demand by offering CCIE Security certification, setting the professional...

IP Configuration and IP Addressing No Time

NOTE Because of recent changes to the CCIE exam, the candidate is not required to configure IP addressing. However, the subject is presented here to ensure that potential CCIE candidates have a good understanding of IP address spaces and subnetting. No time is projected for this section. Use the Class B subnetted IP addresses 131.108.0.0 to 131.108.255.255 to design your network. You must use this address space for all addresses unless specified in a particular question. Read the entire task...

Cisco IOS Specifics and Security

This chapter covers the CCIE Cisco IOS specifics topic area. Unfortunately, the blueprint does not detail the exact requirements, and Cisco IOS in general could mean the entire range of topics. Thus, this chapter covers topics that are actually possible topics on the written exam and that are common to the routing and switching blueprint. This chapter covers routing and switching blueprint objectives together with the security blueprint objectives. The CCIE technical teams generally gather the...

Cisco Secure Intrusion Detection System and Catalyst Services Modules

This section covers tools that are useful for managing network security. Cisco Secure IDS, formerly known as NetRanger, is designed to efficiently and effectively protect your network against intruders from inside and outside of your networking domain. NOTE The CCIE Security written exam still refers to the term NetRanger. The new CCIE Security exam no longer tests the NetSonar application. NetRanger is now commonly known as Cisco Secure Intrusion Detection System or Cisco Secure IDS. This...

Preparing for this

You can use any combination of routers and switches to complete this lab as long as you fulfill the requirement for a properly routing and secure topology. If you do not have some of the equipment, the example displays will show you what you should expect to see in a working CCIE lab topology, which will be an invaluable resource and study guide. NOTE As of July, 2004, the hardware types you can expect to see in the real CCIE Security lab exam, as documented by Cisco, are as follows Catalyst...

Encryption Technology Overview

When prominent Internet sites, such as http://www.cnn.com, are exposed to security threats, the news reaches all parts of the globe. Ensuring that data crossing any IP network is secure and not vulnerable to threats is one of today's most challenging tasks in the IP storage arena (so much so that Cisco released an entirely new CCIE for the storage networking certification track). Major problems for network administrators include the following: Packet snooping (eavesdropping) When intruders capture...

Network Security Policies Vulnerabilities and Protection

This chapter reviews today's most common Cisco security policies and mechanisms available to the Internet community to combat cyber attacks. The security standards body, CERT/CC, is covered, along with descriptions of Cisco IOS-based security methods that ensure that all attacks are reported and acted upon. This chapter will cover, in detail, common exploits such as attacks based on common vulnerabilities, reconnaissance attacks, backdoors, and protocol weaknesses. Cisco Security applications,...

IP Access List 01 Hour

You decided to secure Routers R1 and R2 such that only hosts from your address space are allowed to Telnet to it. In addition to securing these routers, you also need to make sure that the only source IP addresses that can be trusted are the predefined loopbacks on Routers R1 through R9. You must identify the denied attempts to Telnet to R1 or R2 to the local buffer log. The security architect has decided to make the allowed hosts, when Telnetting to R1 or R2, be authenticated by the router...

Cisco Threat Response

Cisco security and IDS provide a mechanism to detect when an intrusion has occurred. The only problem in an HIDS is that a lot of alarms are false positives, especially in a large installation base of CSA clients. In other words, many alarms need not cause your security team to investigate a normal IP packet or TCP segment, for example. A CCIE candidate, however, must be able to tune out normal IP packets and TCP segments in the CCIE lab portion of this certification. The main concern is to...

Scenario Solutions

The following debug output advises the network administrator of the problem:

22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed its sanity check or is malformed

During the IKE negotiation, the router reports a message that identifies the fault as the shared password. R2 is configured with the password CCIe (it should match R1's preshared password, which is set to CCIE). See Example 4-17, code line 7. Changing the IKE password to CCIE with the IOS command crypto isakmp key CCIE address...

Do I Know This Already

1. What IOS command will display the System Flash?
2. The network administrator has forgotten the enable password, and all passwords are encrypted. What should the network administrator do to recover the password without losing the current configuration? Answer: c. Reboot the router, press the Break key after the reload, enter ROM mode, and change the configuration register.
3. What is the enable password for the following router? enable password Simon Answer: b. Simon.
4. If the configuration...

Foundation Summary

The Foundation Summary is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the Foundation Topics material, the Foundation Summary will help you recall a few details. If you just read the Foundation Topics section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the Foundation Summary offers a...

A

Figure 2-2 displays a typical FTP mode of operation between a client PC and an FTP server in active mode. The following steps are completed before FTP data can be transferred:
1. The FTP client opens a control channel on TCP port 21 to the FTP server. The source TCP port number on the FTP client is any number randomly generated above 1023.
2. The FTP server receives the request and sends an acknowledgment. FTP commands are exchanged between client and server.
3. When the FTP client requests a...

Access Control on R2 Ethernet Interface 4 Points

Configure an extended named access list on R2's Ethernet interface blocking traffic from the outside that satisfies the following criteria Ensure that World Wide Web and FTP traffic is permitted both ways. ICMP is permitted one way only. Assume R2 sends the ping request. Telnet sessions are permitted only from outside to hosts on VLAN 5, and only for an employee with the username of henrytripleccie. This access should not remain in place indefinitely. All other incoming traffic is denied and...

Address Resolution Protocol

ARP determines a host's MAC address when the IP address is known. For example, to ping one device from another, the Layer 2 MAC fields require a destination MAC address. Because this is the first such request, a broadcast packet is sent across the wire to discover the remote host's MAC address. Figure 1-11 displays a scenario where PC1 wants to ping Host PC2. When PC1 sends a ping request to PC2 using the known IP address 1.1.1.2 (Layer 3), a broadcast Layer 2 frame must first be sent by PC1...

Advanced Encryption Standard

AES, developed by Joan Daemen and Vincent Rijmen, is a new encryption standard and is considered a replacement for DES. The U.S. government made AES a standard in May 2002, and the National Institute of Standards and Technology (NIST) has adopted AES. AES provides key lengths of 128, 192, and 256 bits. AES supports Cipher Block Chaining (CBC), which circumvents one of the problems with block algorithms, namely that two equal plain-text blocks will generate the same two equal ciphertext blocks....

Advanced Security Concepts

A wealth of security concepts have been covered in the previous chapters; now you are ready to look at some of the techniques that are used to secure areas of your network that are vulnerable to attacks, in particular the demilitarized zone (DMZ). The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet. Figure 6-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (first line of...

Application Protocols

This chapter covers some of today's most widely used application protocols. This chapter covers the following topics Domain Name System (DNS) Topics in this section include how DNS is configured on Cisco routers and what port numbers are used when delivered across an IP network. Trivial File Transfer Protocol (TFTP) This section covers the common uses of TFTP, particularly on Cisco IOS-enabled routers. The process used to copy files to and from a TFTP server is described. File Transfer Protocol...

Authentication Authorization and Accounting

Authentication, authorization, and accounting (AAA, pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices. AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information. In today's IP networks, access to network data is available in a variety of methods, including the...

Authorization Technologies IOS Authentication 802.1X

IEEE 802.1X is a new standard that defines enhanced security for IP networks. IEEE 802.1X specifically defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1X works by authenticating every client on the network, that is, every device connected to a switch port. After successful authentication, the individual switch port is assigned a VLAN. Until the client is authenticated,...

Basic Frame Relay Setup 5 Points

Configure the network in Figure 8-2 for basic physical Frame Relay connectivity. The following are the parameters: You must use static Frame Relay maps for IP and disable Frame Relay inverse ARP. (Hint: Use no frame-relay inverse-arp on all Frame Relay-enabled interfaces.) For the connection between R1 and R4, you are not permitted the keyword broadcast when mapping IP across the R1-R4 Frame Relay link. No dynamic mapping is permitted. No Frame Relay subinterfaces are permitted on any router. Assume...

Basic Security on Cisco Routers

You can access a Cisco router in a number of ways. You can physically access a router through the console port, or you can access a router remotely through a modem via the auxiliary port. You can also access a router through a network or virtual terminal ports (vty lines), which allow remote Telnet access. If you do not have physical access to a router either through a console port or through an auxiliary port via dialup you can access a router through the software interface, called the virtual...

BGP Routing Configuration 6 Points

After finishing this section, make sure that all configured interfaces and subnets are consistently visible on all pertinent routers, even in the event of network failure of any one router. Configure IBGP on all routers in your network. Do not use any WAN IP interfaces for IBGP sessions, because your network is prone to failures across the Frame Relay cloud. Configure R4 as the route reflector and ensure that remote routers peer to R4 only. Minimize IBGP configurations as much as possible. The...

Border Gateway Protocol

BGP is an exterior routing protocol used widely on the Internet. It is commonly referred to as BGP4 (version 4). BGP4, defined in RFC 1771, allows you to create an IP network free of routing loops between different autonomous systems. (As defined in Table 11-1, an autonomous system is a set of routers under the same administrative control.) BGP is called a path vector protocol because it carries a sequence of autonomous system numbers that indicates the path taken to a remote network. This...

Bridge Port States

Every bridge and associated port is in one of the following spanning tree states:
Disabled The port is not participating in spanning tree and is not active.
Listening The port has received data from the interface and will listen for frames. The bridge only receives data; it does not forward any frames to the interface or to other ports.
Learning The bridge still discards incoming frames. The source address associated with the port is added to the CAM table. BPDUs are sent and received.
Forwarding...

C

Calculating hosts per subnet, 30-31 CAM tables, 22 overflow, 199-200 overflow attacks, 201-202 Catalyst 6500 Series Switch, IDSM-2, 312 CBAC (Content-Based Access Control), 378 audit trail messages, enabling, 505 configuring, 380-382 CEP (Certificate Enrollment Protocol), 272 CERT CC (Computer Emergency Response Team Coordination Center), 413-414 certification exam, objectives, 627 characteristics of RIP, 52 of RIPv1, 52 of RIPv2, 53 CIDR (classless inter-domain routing), 32 Cisco 7200 routers,...

Catalyst Ethernet Switch Setup I 5 Points

Configure the Ethernet switch for five VLANs:
VLAN 2, named VLAN_A, is connected to R1 and PIX inside.
VLAN 3, named VLAN_B, is connected to R4 and R5 Eth0/0.
VLAN 4, named VLAN_C, is connected to R5 FastEth0/1 (switch port Fast0/6).
VLAN 5, named VLAN_D, is connected to R2 and R3.
VLAN 6, named VLAN_E, is connected to the PIX outside interface and to the ISP managed router.
Ensure that the IDS is also in the correct VLANs for the sniffing and control interfaces. Using VLAN_D (VLAN 5), configure...

CCIE Security Self Study Lab Part II Goals

Part II builds on the working IP network and requires security features such as IPSec and PIX. RIP routing is also required. You will also notice the addition of an IDS sensor. Expect to be tested on IDS sensors and the VPN Concentrator in the lab exam. You are likely to be asked to configure both devices. Part II of this lab does not include the VPN Concentrator, however. Review the additional advanced topics questions for possible exam scenarios for the VPN Concentrator. You should take no...

Central Processing Unit

The CPU is the heart of a router, and every Cisco router has a CPU. A CPU manages all the router's processes, such as IP routing, and new routing entries, such as remote IP networks learned through a dynamic routing protocol. To view a CPU's status, use the show process IOS command. Example 3-2 shows a sample display taken from a Cisco IOS router.

Example 3-2 (Truncated) show process Command

R1> show process
CPU utilization for five seconds: 9%/7%; one minute: 9%; five minutes: 10%

Example 3-2...

Cisco Inline IDS Intrusion Prevention System

Recently Cisco marketing released a security concept, Intrusion Prevention System (IPS), along with the new router platforms, namely the 1800, 2800, and 3800. IPS is designed to leverage Cisco PIX software and Cisco IDS sensor technologies, combined with IOS software features. Cisco IOS IPS is an inline, deep-packet, inspection-based solution that helps enable Cisco IOS software to effectively mitigate network attacks. Cisco inline IDS (or IPS) allows for traffic to be dropped, can send an alarm,...

Cisco Intrusion Detection System 5 Points

The Cisco intrusion detection system is connected to the inside interface of the PIX and the segment connecting R4 and R5. The IDS in Figure 8-1 is configured for IP. Figure 8-8 displays all the details you need to complete this section. The following list outlines key details to answer the lab exam questions: The IP address of the control interface is 144.254.5.3/27. The sniffing interface is connected to the PIX and R1 LAN. Ensure that only the subnet 144.254.6.0/29 can manage the IDS device....

Cisco IOS Firewall Configuration on R5 6 Points

Translate the following policy into a working CBAC configuration on R5 (assuming this router's FastEth0/1 is connected to another ISP): Allow all TCP and UDP traffic initiated on the inside from network 144.254.5.0 to access the Internet. ICMP traffic will also be allowed from the same network. Other networks (inside) must be denied. For traffic initiated on the outside, allow everyone to access only HTTP to host 144.254.5.3. All other traffic must be denied.

Cisco IOS Firewall Configuration on...

Cisco IOS Firewall Feature

Cisco has developed a version of IOS with security-specific features integrated in current IOS software. It is available on only some Cisco IOS devices. NOTE The need to provide firewall functionality in existing router models led Cisco down a path of enabling IOS to be security aware. Not many folks think of Cisco as a software company but, in fact, it sells more software than hardware. The Cisco IOS Firewall feature set consists of the following: Context-Based Access Control (CBAC) provides to...

Cisco PIX Firewall

The Cisco Private Internet Exchange (PIX) Firewall and Cisco IOS Firewall feature set are designed to further enhance a network's security. The PIX Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN configuration (IPSec), FTP, logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple outside or...

Cisco PIX Firewall Software Features

A list of the current features of the Cisco PIX Firewall product follows: State-of-the-art Adaptive Security Algorithm (ASA) and stateful inspection firewalling. Cut-through proxy authenticates and authorizes connections, while enhancing performance. Easy-to-use web-based interface for managing PIX Firewalls remotely (using the web-based interface is not a suggested practice by Cisco for medium to large networks). Support for up to 10 Ethernet interfaces ranging from 10BASE-T, 10/100 Fast Ethernet...

Cisco Secure IDS

Cisco Secure IDS is an enterprise intrusion detection system designed to detect, report, and, in the event of unauthorized access, terminate data sessions between users and host devices. Users are not aware that Cisco Secure IDS is watching data across the network it is transparent to all systems. Cisco Secure IDS has three components Cisco Secure IDS Sensor High-speed device that analyzes the contents of data being transported across a network and determines whether that traffic is authorized...

Cisco Secure VPN Client

The Cisco Secure VPN Client is a low-cost application available to the Internet community. You may need to purchase a license at a minimal cost. The VPN Client is free when you buy a VPN gateway and support contract, and is included with all models of Cisco VPN 3000 Series Concentrators and most Cisco PIX 500 Security Appliances. Customers with Cisco SMARTnet support contracts and encryption entitlement may download the Cisco Secure VPN Client from the Cisco Software Center at no additional...

Cisco Security Agent and Host Based IDS

CSA provides threat protection for servers and PCs. CSA identifies and prevents malicious behavior, thereby eliminating known and unknown security risks. Typically, devices with antivirus software do not detect the latest worms or code violations. CSA fills in this gap by triggering an alert to the system or the management server any time an application or packet tries to use the kernel inside a Windows-based system. CSA also blocks the attack. CSA can be installed as a standalone client or in...

Cisco Security Applications

This chapter reviews a number of Cisco-defined CCIE Security written exam blueprint objectives covering security applications and the Cisco Secure product suites. This chapter covers the following topics Cisco Secure for Windows (NT) and Cisco Secure ACS Introduces Cisco Secure, the Cisco security application that is available on Windows platforms, and Cisco Secure Access Control Server (ACS), which provides additional network security when managing IP networks designed with Cisco devices. IDS...

Cisco Works VMS

CiscoWorks VPN/Security Management Solution (VMS) is core management software that provides a centralized means of defining and distributing security policies, providing patches and software updates, and ensuring communication with all agents. A Cisco Security Agent is defined as an endpoint software device that resides on servers or desktops/laptops and autonomously enforces local policies that prevent attacks. CiscoWorks VMS is an integral part of the SAFE Blueprint. The following are some of...

Classless Interdomain Routing

Classless interdomain routing (CIDR) is a technique supported by BGP4 and based on route aggregation. CIDR allows routers to group routes together to reduce the quantity of routing information carried by the core Internet routers. With CIDR, several IP networks appear to networks outside the group as a single, larger entity. With CIDR, IP addresses and their subnet masks are written as four octets, separated by periods, and followed by a forward slash and a two-digit number that represents the...

Communications Server 0 Points

NOTE Not all CCIE R&S labs require you to configure a communications server. Configure the communications server so that when you type the host name of a router on the server, you are connected across the console port to that router. Set up the routers in Figure D-1 with the following physical attributes: 1. Configure R1 as the communication server with the ip host command. 2. Communication server ports 2 to 4 are connected to Routers R2 to R4, respectively. 3. Communication server port 9...

Communications Server 0.25 Hour

NOTE Not all CCIE R&S labs require you to configure a communication server. Configure the communication server so that when you type the host name of a router on the server, you are connected across the console port to that router. Set up the routers in Figure C-1 with the following physical attributes: Set up the routers, as shown in Figure C-1. Configure R1 as the communication server with the ip host command. Communication server ports 2 to 8 are connected to Routers R2 to R8,...

Conclusion

You should be able to complete the sample CCIE Routing and Switching lab in this appendix within 8 hours (this is the same allotted time for the real CCIE lab at Cisco). The difficulty level presented here is similar to what you can expect in any CCIE lab examination in fact, the difficulty level here might be higher. Focus your attention on time management and the ability to configure a set number of Cisco IOS features very quickly. If you complete this lab successfully, try it again by...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S. please contact International Sales, international@pearsoned.com. Publisher: John Wait. Editor-in-Chief: John Kane. Executive Editor: Brett Bartow. Cisco Representative: Anthony Wolfenden. Cisco Press Program Manager: Jeff Brady. Production Manager...

Decoding Ambiguity

Cisco exams have a reputation for including questions that can be difficult to interpret, confusing, or ambiguous. In my experience with numerous exams, I consider this reputation to be completely justified. The Cisco exams are deliberately tough. The only way to beat Cisco at its own game is to be prepared. You'll discover that many exam questions test your knowledge of things that are not directly related to the issue that a question raises. This means that the answers you must choose from, even...

Denial of service attacks

What is the function of the signature-based IDS? Answer: The signature-based IDS monitors the network traffic or observes the system and sends alarms if a known malicious event is happening. It does this by comparing the data flow against a database of known attack patterns. These signatures explicitly define what traffic or activity should be considered as malicious. An excellent white paper on signature-based IDS can be found at _paper09186a0080092334.shtml.

DES and 3DES

DES is one of the most widely used encryption methods. DES turns clear-text data into cipher text with an encryption algorithm. The receiving station will decrypt the data from cipher text into clear text. The shared secret key is used to derive the session key, which is then used to encrypt and decrypt the traffic. Figure 4-5 demonstrates DES encryption. Figure 4-5 DES Encryption Methodologies Data is encrypted using mathematical formulae to scramble data with the shared private key. Data is...

DHCP Configuration 3 Points

A number of Windows XP users on VLAN_D support DHCP and the ability to receive more than one IP gateway. Configure R2 to provide only a pool of DHCP addresses with the following criteria: The IP address pool ranges from 144.254.4.0/26, shared between R2 and R3. The DNS servers are 139.134.2.2 and 139.134.1.1. The domain name is cisco.com. Default gateway of 144.254.4.1 or 144.254.4.2 only. Hosts must retain DHCP-assigned addresses forever. The predefined addresses 144.254.4.1, 144.254.4.2, and...

Diffie Hellman

The Diffie-Hellman protocol allows two parties to establish a shared secret over insecure channels, such as the Internet. This protocol allows a secure shared key interchange over the public network, such as the World Wide Web, before any secure session and data transfer is initiated. Diffie-Hellman ensures that, by exchanging just the public portions of the key, both devices can generate a session and ensure that data is encrypted and decrypted by valid sources only. Only public keys (clear...

Do I Know This Already Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all of these questions, you might want to skim the Foundation Topics section and return to it later, as necessary. Review the Foundation Summary section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions...

Dynamic Access List Lock and Key Feature 5 Points

Make sure that during normal operation it is not possible to ping from R2 (Ethernet0/0) to R3 (FastEthernet0/0). After a Telnet login from R2 to R3, pings are allowed, but make sure that after 5 minutes of inactivity normal operation is restored. Routing should still be in place in both circumstances.

Dynamic Access List Lock and Key Feature Solution

This is an example where dynamic access lists are used to allow access only after a valid username/password has been entered. Access is denied...

Dynamic Host Configuration Protocol

DHCP is defined in RFC 1531 (the latest is RFC 2131) and provides a comprehensive method of allocating IP addresses, subnet mask, gateway address, DNS server, WINS servers, and many more parameters for IP devices. DHCP clients send messages to the server on UDP 67, and servers send messages to the client on UDP 68. Cisco routers can also be configured for DHCP. Example 1-3 configures a Cisco IOS router to allocate the entire range 131.108.1.0/24, with a gateway address 131.108.1.1, subnet mask...

E

EAP (Extensible Authentication Protocol), 85, 272, 275-276 EAP-TLS (Extensible Authentication Protocol Transport Layer Security), 272, 275-276 eBGP (external BGP), 74 EIGRP (Enhanced Interior Gateway Routing Protocol), 57-61 election process (DRs), disabling, 70 e-mail attacks, 420 SMTP, 128-129 enable passwords, setting, 188 enabling, 428-429 HSRP, 43 Nagle algorithm, 426 PortFast on Cisco switches, 25 SSH support on Cisco routers, 136-138 encapsulation, 19 HDLC, 76 LCP, 78 PPP, 77 3DES, 250...

EBGP Configuration 02 Hour

Configure EBGP on R5 and R8 as follows: R5's remote peer is 171.108.1.2/24 and the remote AS is 1024. R8's remote peer is 191.200.1.2/30 and the remote AS is 4345. ISP1 and ISP2 are advertising the full Internet routing table. The only routes accepted are a default route and routes of the form 110.100.0.0 to 121.110.255.255. Set all routes in the range 110.100.0.0 to 121.110.255.255 with the following attributes: Prepend the AS paths 1000, 999, and 100. Set the weight to 1000 for all even networks and 2000...

EBGP Configuration 8 Points

Configure EBGP on R3 and R4 as follows: Configure EBGP between R3 and R4. R3 resides in AS 333; R4 resides in AS 334. The neighbor on backbone segment 2 has an IP address of 150.100.200.25 and is in Autonomous System 2554. Configure EBGP between R4 and the external lab router on backbone segment 2. Permit only the registered address space as defined in the appropriate RFC as allowed networks from any EBGP-defined routers.

Ethernet Overview

Ethernet networks are based on a development made by Xerox, Digital Equipment Corporation, and Intel Corporation. The two versions of Ethernet are commonly referred to as Ethernet I and Ethernet II (or version 2). Ethernet uses carrier sense multiple access collision detection (CSMA/CD) to transmit frames on the wire. In an Ethernet environment, all hosts can transmit as long as no other devices are transmitting. CSMA/CD is used to detect and warn other devices of any collisions, and colliding...

Exam Topics in This Chapter

CiscoWorks VPN Security Management Solution (VMS) Cisco Secure Intrusion Detection System (formerly NetRanger) Security Information Monitoring System (event correlation, basic forensics) You can find a list of all of the exam topics in the introduction to this book. For the latest updates on exam topics, visit Cisco.com.

Example of Peer-to-Peer Communication

Each layer of the OSI or TCP model has its own functions and interacts with the layer above it and the layer below it. Furthermore, the communication between each layer's end devices also establishes peer-to-peer communication; this means that each layer of the OSI model communicates with the corresponding peer. For example, Layer 3 of Host A in Figure 1-3 will communicate with the corresponding Layer 3 (IP) of Host B. Consider the normal communication that occurs between two IP hosts over a WAN...

Extended Access Lists

Extended access lists range from 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with Cisco IOS release 12.0 or later. As mentioned earlier in this chapter, extended access lists can be applied to both source and destination addresses, as well as to filter protocol types and port numbers. Following are some examples of extended access lists that allow you to filter several different types of traffic. For Internet Control Message Protocol (ICMP) traffic, use...

Extensible Authentication Protocol, Protected EAP, and Temporal Key Integrity Protocol

Extensible Authentication Protocol (EAP) enables the dynamic selection of the authentication mechanism at authentication time based on information transmitted in the Access-Request (that is, via RADIUS). PPP also supports EAP during the link establishment phase. EAP allows the authenticator to request more information before determining the specific authentication mechanism. A proposal jointly submitted to the IEEE by Cisco Systems, Microsoft, and various other organizations introduced...

Fast EtherChannel

Fast EtherChannel (FEC) is a Cisco method that bundles 100-Mbps Fast Ethernet ports into a single logical link. The existence of any redundant paths between two switches results in some ports being in a blocking state, thus reducing available bandwidth. Figure 1-4 displays a switched network with two 100-Mbps connections between two switches. Because of STP, one of the links (on Switch A, in this case) will be in a blocking state after the election of a root bridge. Switch B will block one of the paths to ensure...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

File Transfer Protocol

FTP, an application layer protocol of the TCP/IP protocol suite, allows users to transfer files from one host to another. Two ports are required for FTP: one port is used to open the connection (port 21), and the other port is used to transfer data (port 20). FTP runs over TCP and is a connection-oriented protocol. To provide some level of security, FTP allows usernames and passwords to be exchanged before any data can be transferred, adding some form of security authentication...

Frame Relay Setup (8 Points)

Configure IP across your Frame Relay network, as displayed in Figure D-2. You have to use static maps for each protocol. No dynamic mapping is permitted. No subinterfaces are allowed on any router except on R3. You can assign a subnet from your Class B range. Use LMI-type Cisco only and do not rely on auto-sensing the LMI type on any routers. All router interface types are DTE. The Frame Relay port type is DCE. Do not use the keyword broadcast for the Frame Relay link between R3 and R4 when...

General Lab Guidelines and Setup

Follow these general guidelines during this lab:
Static and default routes are not permitted unless directly stated in a task. This includes floating static routes.
Use the DLCIs provided in the Frame Relay diagram (presented shortly).
All routers and switches should be able to ping any interface using the optimal routing path.
Do not configure any authentication or authorization on any console or aux ports unless specified.
Routes to Null0 generated by any routing protocol are permitted.
Full...

Goals of This Book

The primary goal of this book is to ensure that a CCIE Security candidate has all the technical skills and knowledge required to pass the written exam. Most Cisco certifications require practical skills, and the only way to hone those skills is in a working environment using common Cisco-defined techniques. This book provides you with comprehensive coverage of CCIE Security exam topics. Ultimately, the goal of this book is to get you from where you are today to the point that you can...

Hypertext Transfer Protocol

HTTP, used by web browsers and web servers, transfers files, such as text and graphic files. HTTP can also authenticate users with username and password verification between clients and web servers. Cisco IOS routers can be configured from a browser client. By default, the HTTP server is disabled on Cisco routers (HTTP is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005 model routers), and there have been issues with users entering certain hash pairs to gain...

Incident Response Teams

Incident response teams are too often set up only after an incident or intrusion occurs. However, sound security administration requires that such teams already be set up to monitor and maintain network security. Incident response teams do the following:
2. Determine the magnitude of the incident (hosts affected and how many).
3. Assess the damage (for example, determine if public servers have been modified).
4. Gather and protect the evidence.
5. Inspect systems to determine damage.
6....

Internet Control Message Protocol

ICMP is a network layer (Layer 3) Internet protocol that reports errors and provides other information relevant to IP packet processing. ICMP is fully documented in RFC 792. ICMP's purpose is to report error and control messages. ICMP provides a number of useful services supported by the TCP/IP protocol suite, including ping requests and replies. ICMP Echo requests and replies enable an administrator to test connectivity with a remote device. Be aware that ICMP runs over IP, which means that there is...

Internet Newsgroups

Another important resource for both network administrators and intruders themselves is Internet newsgroups. Newsgroups are mailing list-type forums where individuals share ideas and past incidents to keep current with the latest security concerns and protection policies. As a network administrator, you must be aware of both the standards and the topics that intruders are discussing. The following mailing lists and newsgroups are CERT/CC recommended:
Bugtraq: A full-disclosure computer security mailing list....

Internet Protocol

Internet Protocol (IP) is a widely used networking term that describes a network layer protocol that logically defines a distinct host or end system, such as a PC or router, with an IP address. An IP address is configured on end systems to allow communication between hosts over wide geographic locations. An IP address is 32 bits in length, with the network mask or subnet mask (also 32 bits in length) defining the host and subnet portion. Figure 1-6 displays the IP packet header frame format in...

Internet Security

Cerf has said, "The wonderful thing about the Internet is that all these computers are connected. However, the challenge of the Internet also is that all these computers are connected." The luxury of access to this wealth of information comes with its risks, and anyone on the Internet is a potential stakeholder. The risks vary from information loss or corruption to information theft to lost revenue and productivity. The number of security incidents is also growing dramatically....

Intrusion Detection System

Intrusion detection systems (IDSs) are designed to detect and thwart network attacks. Based on their location, IDSs can be either of the following:
Network-based IDS (NIDS): Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.
Host-based IDS (HIDS): Examines operating system information, such as logs or system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are...

IP Access List (4 Points)

On R5, configure an access list that meets the following criteria and contains as few configuration lines as possible:
Apply the access list outbound on R5's Fast Ethernet link to R4.
Deny any TCP packet with source address 129.57.204.0/24.
Deny any TCP packet with source address 129.57.140.0/24.
Deny any TCP packet with source address 225.133.29.0/24.
Deny any TCP packet with source address 161.133.29.0/24.
Deny every even subnet in 182.133.0.0/16.
Deny every odd subnet in...

IP Host Lookup and Disable DNS (1 Point)

Configure local IP host addresses on each router (R1 through R5) so that when an EXEC or privileged user types the router name (R1, R2, R3, R4, or R5), the user can ping or telnet without having to type the full IP address. Do not configure a DNS server on any router, and disable DNS lookup entries so that incorrect commands typed at the EXEC or PRIV prompt are not sent to any DNS server. (Hint: This saves you time as well; the IOS command no ip domain-lookup disables DNS queries.)

IP Multicast

This section briefly covers the IP multicast areas of interest for the CCIE written test. The multicasting protocol was designed to reduce the high bandwidth requirements of technologies, such as video on demand, to a single stream of information to more than one device. Applications include electronic learning, company share meetings (video on demand), and software distribution. Multicasting transmits IP packets from a single source to multiple destinations. The network device transmitting the...

Layer 2 Switching Security

Switches operating at Layer 2 of the OSI model are designed to be able to control the flow of data between their ports or interfaces. They do this by creating almost instant networks that contain only the two end devices communicating with each other so that information flow is increased to the optimal level. Devices not involved in this two-way communication are not involved at that moment in time. At the data link layer (Layer 2 of the OSI model), the only mechanism permitted to allow...

Layer 4: The Transport Layer

The transport layer is responsible for segmenting upper-layer applications and establishing end-to-end connections between devices. Other transport layer functions include providing data reliability and error-free delivery mechanisms. Information at this layer is processed in what are commonly known as segments. Examples of transport layer protocols include the following:
Transmission Control Protocol (TCP)
Real-Time Transport Protocol (RTP)
User Datagram Protocol (UDP)
RTP has some important...

Layer 6: The Presentation Layer

The presentation layer handles data formats and code formatting. The layer's functions are normally transparent to the end user because this layer takes care of code formats and presents them to the application layer (Layer 7), where the end user can examine the data. Examples of presentation layer protocols include the following:
Graphics Interchange Format (GIF)
Joint Photographic Experts Group (JPEG)
American Standard Code for Information Interchange (ASCII)
Moving Picture Experts Group...

Message Digest 5 and Secure Hash Algorithm

Several hashing algorithms are available. The two discussed here are MD5 and SHA. There is a slight, unknown difference between SHA and SHA-1. NSA released SHA and then later discovered a flaw (undisclosed). NSA fixed it, and called the new version SHA-1. In this guide, SHA refers to SHA-1 also. Message hashing is an encryption technique that ensures that a message or data has not been tampered with or modified. MD5 message hashing is supported on Cisco IOS routers. A variable-length message is...

Network-Based IDS Versus Host-Based IDS

Host-based IDS (HIDS) and network-based IDS (NIDS) should be seen as complementary, because each system covers the other's weaknesses. Therefore, they should be deployed together rather than only one or the other. Table 5-1 lists the most important advantages and disadvantages of deploying NIDS or HIDS. Table 5-1 Comparison of Host-Based IDS and Network-Based IDS* Verification of success or failure of an attack possible. Has a...

Open Shortest Path First

OSPF is a link-state routing protocol. Link-state protocols use Dijkstra's shortest path first (SPF) algorithm to populate the routing table. OSPF shares information with every router in the network. OSPF is a classless protocol and supports VLSM. When configuring any OSPF router, you must establish which area each interface will be assigned to. OSPF has some basic rules when it comes to area assignment. OSPF must be configured with areas. The backbone area 0, or 0.0.0.0, must be...

Physical Connectivity (0 Points)

Your network is already physically patched. Construct your network, as shown in Figure 8-1 and Figure 8-2. Configure the following characteristics for the topology in Figure 8-1 and Figure 8-2:
Routers R3 and R5 are connected to an ISDN service with the switch type defined as basic-5ess. R3 connects to number plan 7775010 and R5 connects to number plan 7775020.
Routers R1 through R5 are connected to the Catalyst Ethernet switch (Catalyst 3350 series switch) as follows:
No solution is provided on...

Preparing for the Written Exam

The best way to prepare for the test after you study is to take practice exams until you feel comfortable with your results. This certification guide includes over 500 simulated test questions on the CD-ROM, which allows you to take the sample exam (in study and exam simulation modes) as many times as you like until you are comfortable with the test format and your knowledge level. Try to identify subject areas where you are weak and use this book and other resources to study those areas more....

Protecting Cisco IOS from Intrusion

Now that you have a snapshot of modern security concerns, look at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks. There are, of course, various Cisco IOS vulnerabilities that can only be protected against by new software releases and regular Cisco IOS bulletins and e-mail blasts from Cisco Systems to ensure...

Public Key Infrastructure

In the new digital environment, Public Key Infrastructure (PKI) ensures that sensitive electronic communications are private and protected from tampering. It provides assurances of the identities of the participants in those transactions, and prevents them from later denying participation in the transaction. PKI does the following:
Protects privacy by ensuring that the data is not read, but it can't stop someone from intercepting it. (If you can't read something, what's the use of that data?)
Assures the integrity of...

Q & A

The Q & A questions are designed to help you assess your readiness for the topics covered on the CCIE Security written exam and those topics presented in this chapter. This format should help you assess your retention of the material. A strong understanding of the answers to these questions will help you on the CCIE Security written exam. You can also look over the questions at the beginning of the chapter again for further review. As an additional study aid, use the CD-ROM provided with...

QoS Configuration (4 Points)

Configure R1 for the following Frame Relay parameters: Your provider will mark any traffic in excess of 128 kbps as discard eligible. Your measurement interval is 62.5 ms. Users on VLAN 2 are using the network to download large FTP files and are also using Kazaa for unauthorized data transfer. Configure the Ethernet interfaces on R1 and R2 so that the following conditions are met: All FTP data traffic is allocated 10...

Random Access Memory

Routers use RAM to store the current configuration file and other important data collected by the router (such as Cisco Express Forwarding (CEF) tables and Address Resolution Protocol (ARP) entries, to name a few). This data includes the IP routing table and buffer information. Buffers temporarily store packets before they are processed. All Cisco IOS processes, such as routing algorithms (Open Shortest Path First [OSPF] and Border Gateway Protocol [BGP], for example), also run in RAM. RAM information...

Read Only Memory

ROM stores a scaled-down version of a router's IOS image in the event that the Flash system becomes corrupted or no current IOS image is stored in Flash. ROM also contains the bootstrap program (sometimes referred to as the rxboot image in Cisco documentation) and a device's power-up diagnostics. You can perform a software upgrade (that is, perform a software image upgrade on ROM) only by replacing ROM chips, because ROM is not programmable. The bootstrap program enables you to isolate or rule...

Remote Data Exchange Protocol

The Cisco Intrusion Detection System (IDS) provides an in-depth, self-healing mechanism to provide network administrators a defense against attacks from inside and outside the network. The Cisco definition of a self-healing network is a network that is intelligent enough to stop unwanted traffic and correct any security vulnerabilities before they occur. Beginning with Cisco IDS 4.0, the network IDS sensors use the Remote Data Exchange Protocol (RDEP) for communication. With RDEP, the network...

Reverse ARP

RARP is the protocol that is used when a device boots up without an IP address and requests one. RARP is typically not used in today's networks and has been replaced by DHCP. Inverse Address Resolution Protocol (InARP) is an addition to ARP that addresses ARP in a Frame Relay environment. InARP discovers the remote end's data-link connection identifier (DLCI). A gratuitous ARP is sent when the MAC address in a system is changed. That is, the MAC address for a given host's IP address mapping is...

Router CLI

Cisco IOS routers give network administrators access to a wide range of show and debug commands. The show command displays various information about the router's state of play, such as the Ethernet collisions on a particular interface or a router's configuration file. Only a subset of show commands is available when in user EXEC mode. The full range is available when in PRIV EXEC mode. The debug command is a more advanced IOS command that allows the administrator to view the router's analyses...

Routing Protocols

This section covers four main routing protocols:
Routing Information Protocol (RIP)
Enhanced Interior Gateway Routing Protocol (EIGRP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP)
Before discussing the characteristics of each protocol, this section covers how routers (Cisco routers, in particular) generally route IP packets. Routing is a process whereby a path to a destination host is selected by either a dynamic or static routing protocol. A routing protocol is an algorithm that...

Saving and Loading Files

The configuration file can reside on the router's NVRAM or RAM, or on a TFTP server. When a router boots with the default configuration register (0x2102), the configuration file is copied from NVRAM to RAM. Network administrators typically save the configuration files to a TFTP server as a backup, in case of a router failure. To save a configuration file from RAM to NVRAM (after configuration changes are made), the IOS command is copy running-config startup-config. The write memory (legacy IOS...

Scenario Cisco Secure IDS Database Event

Figure 5-18 displays a typical network under attack from an intruder trying to destabilize the network host with the IP address 131.108.1.1/24. The security manager has e-mailed you several files. The first is TCPDUMP output details. TCPDUMP is a powerful tool that allows you to sniff network packets and perform some statistical analysis on those dumps. (The written exam has a few questions based on the output from this program.) The manager also e-mailed you log files taken from an IDS...

Scenario Configuring Cisco Routers for IPSec

Figure 4-21 displays a simple two-router topology where traffic from network 131.108.100.0/24 is encrypted when it is sent to the remote network 131.108.200.0/24. Example 4-19 displays the working configuration of R1, with lines numbered from 1 to 31.
Example 4-19 R1's Full Configuration
7. crypto isakmp key CCIE address 131.108.255.2
8. crypto ipsec transform-set anyname esp-des esp-sha-hmac
10. crypto map anyname1 1 ipsec-isakmp
12. set security-association lifetime seconds 180
16. ip address...