Foundation Summary

The "Foundation Summary" is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the "Foundation Topics" material, the "Foundation Summary" will help you recall a few details. If you just read the "Foundation Topics" section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the "Foundation Summary" offers a convenient and quick final review.

Table 6-12 Perimeter or Firewall Router Functions (function: method)

Sniffer or snooping capabilities: Control eavesdropping with TCP/IP service and network layer encryption (IPSec).

Control unauthorized access: Use AAA and Cisco Secure ACS. Also use access-list filtering and the PIX Firewall.

Control session replay: Control which TCP/IP sessions are authorized. Block SNMP, IP source routing, and finger services to outside hosts.

Control inbound connections:
• Filter packets arriving from the outside world that carry an internal address as the source (anti-spoofing).
• Filter all private (RFC 1918) addresses.
• Filter Bootp, TFTP, and traceroute.
• Allow connections only for required services.
• Allow TCP connections established from the inside network.
• Permit inbound traffic to DMZs only.

Control outbound connections: Allow only valid IP addresses out to the outside world and filter the remaining illegal addresses and outbound service requests.

Packet filtering: Use predefined access lists that control the transmission of packets from any given interface, control vty lines and access, and ensure that routing updates are authenticated.
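The following IOS configuration is an added example, not from the book, that applies the Table 6-12 rules on a perimeter router. The addresses (203.0.113.0/24 as the internal network, 198.51.100.0/24 as the DMZ), interface names, DMZ hosts, the management host and the OSPF key are assumptions.

```cisco
! Added example (not from the book): perimeter router filter for Table 6-12.
! Assumptions: internal routed block 203.0.113.0/24, DMZ 198.51.100.0/24,
! Internet uplink on Serial0/0, inside link on FastEthernet0/0.
no ip source-route
no service finger
!
ip access-list extended OUTSIDE-IN
 ! Anti-spoofing: our own prefixes never legitimately arrive from the Internet.
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 ! RFC 1918, loopback and "this network" sources.
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 ! BOOTP/DHCP, TFTP and traceroute (UNIX traceroute probes UDP 33434-33523).
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   udp any any eq tftp
 deny   udp any any range 33434 33523
 ! SNMP and finger are never offered to outside hosts.
 deny   udp any any eq snmp
 deny   tcp any any eq finger
 ! Return traffic for TCP sessions opened from the inside. "established" only
 ! tests the ACK/RST bits; it is not stateful, so pair it with CBAC or a PIX.
 permit tcp any 203.0.113.0 0.0.0.255 established
 ! Only the required services, and only to DMZ hosts.
 permit tcp any host 198.51.100.10 eq www
 permit tcp any host 198.51.100.10 eq 443
 permit tcp any host 198.51.100.25 eq smtp
 permit udp any host 198.51.100.53 eq domain
 deny   ip any any log
!
ip access-list extended OUTSIDE-OUT
 ! Only our valid source addresses leave; anything else is spoofed or misrouted.
 permit ip 203.0.113.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 no ip directed-broadcast
 no ip proxy-arp
!
! vty access only from one inside management host, and only over SSH.
access-list 10 permit host 203.0.113.5
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
! Routing updates on the inside link are authenticated (OSPF MD5).
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 <ospf-key>
router ospf 1
 area 0 authentication message-digest
```

The two logged deny entries at the top of OUTSIDE-IN are the ones worth watching: a hit means someone outside is sourcing packets with your addresses, which is exactly the spoofing the first rule in the table is meant to stop.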

Table 6-13 NAT Configuration Steps

Step 1. Determine the network addresses to be translated.

Step 2. Configure the inside interface with the IOS ip nat inside command.

Step 3. Configure the outside interface with the IOS ip nat outside command.

Step 4. Define the pool of global addresses that the inside addresses are translated to with the following IOS command: ip nat pool pool-name start-ip-address end-ip-address netmask mask

Step 5. Define the addresses allowed to access the Internet (an access list matching the inside sources) and bind them to the pool with the following IOS command: ip nat inside source list access-list-number pool pool-name
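The five steps carried through on one router, as an added example that is not from the book. The inside subnet 10.1.1.0/24, the pool 203.0.113.10 to 203.0.113.20, the pool name PUBLIC and the interface names are assumptions.

```cisco
! Added example (not from the book): Table 6-13 steps 1 to 5 on IOS.
! Assumptions: inside hosts on 10.1.1.0/24 behind FastEthernet0/0, a routed
! pool 203.0.113.10-203.0.113.20 reachable via Serial0/0.
!
! Step 1: the addresses to be translated. Only this subnet; a "permit any"
! here would also translate spoofed or transit sources.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Steps 2 and 3: mark the inside and outside interfaces.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Step 4: the pool of global addresses (keyword is "netmask").
ip nat pool PUBLIC 203.0.113.10 203.0.113.20 netmask 255.255.255.0
!
! Step 5: bind the permitted inside sources to the pool. Without "overload"
! each active inside host holds one pool address and the twelfth host is
! refused; "overload" enables PAT so the whole subnet shares the pool.
ip nat inside source list 1 pool PUBLIC overload
!
! Verification (exec mode):
! show ip nat translations
! show ip nat statistics
```

show ip nat statistics is the first place to look when "the Internet is down" for some inside hosts: a pool with every address allocated and no overload is a misses counter climbing, not a routing problem.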

Table 6-14 Cisco PIX Model Numbers

PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, PIX 535

Table 6-15 PIX Firewall Configuration Steps

Step 1. Name the inside/outside interfaces and assign their security levels (nameif).

Step 2. Identify the hardware interfaces and set speed/duplex (interface).

Step 3. Define the IP address for the inside and outside interfaces (ip address).

Step 4. Define NAT/PAT (nat).

Step 5. Define the global pool (global).

Step 6. Define the IP route path (route).

Step 7. Define statics, or statics with access lists, for outside networks that must reach inside hosts or networks (static, access-list, access-group).

Table 6-16 PIX Command Options (option: use)

ca: Configure the PIX Firewall to interoperate with a CA.

clear xlate: Clear the contents of the translation slots.

show xlate: Display NAT translations. The show xlate command displays only the contents of the translation slots.

crypto dynamic-map: Create, view, or delete a dynamic crypto map entry.

failover [active]: Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall.

fixup protocol: View, change, enable, or disable the use of a service or protocol through the PIX Firewall.

kill: Terminate a Telnet session. Telnet access to the PIX must be enabled explicitly and is sent as clear text, so restrict it to trusted inside hosts.

telnet ip_address [netmask] [if_name]: Specify the internal host allowed PIX Firewall console access through Telnet.
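The following PIX 6.x configuration is an added example, not from the book, that walks the seven steps of Table 6-15 on a three-interface firewall and then uses several of the Table 6-16 commands to operate it. The interface names, addresses, the DMZ web server, the management host and the access list name are assumptions.

```cisco
! Added example (not from the book): Table 6-15 steps on a three-interface
! PIX (6.x syntax), then Table 6-16 commands in use. Names and addresses
! are assumptions.
!
! Step 1: names and security levels (traffic flows high -> low by default).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! Step 2: hardware interfaces with fixed speed/duplex (no autonegotiation
! mismatches on the uplink).
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
!
! Step 3: interface addresses.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
!
! Step 4: NAT; ID 1 ties this inside subnet to the global entries with ID 1.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
!
! Step 5: the global pool; a single trailing address becomes the PAT
! fallback once the pool is exhausted.
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (outside) 1 203.0.113.21 netmask 255.255.255.0
!
! Step 6: default route toward the Internet.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Step 7: a static translation plus an access list so outside hosts reach
! the DMZ web server on port 80 and nothing else. The static alone permits
! nothing from the lower-security outside interface; the access-group does.
static (dmz,outside) 203.0.113.30 192.168.2.10 netmask 255.255.255.255 0 0
access-list OUTSIDE-IN permit tcp any host 203.0.113.30 eq www
access-list OUTSIDE-IN deny ip any any
access-group OUTSIDE-IN in interface outside
!
! Table 6-16 commands in use.
! Telnet is clear text: allow it from one inside host only, never on outside.
telnet 10.1.1.5 255.255.255.255 inside
! Application inspection: remove the default fixup for a protocol you do not
! run, keep the ones you do.
no fixup protocol rsh 514
fixup protocol smtp 25
! After changing nat/global/static entries, flush the existing translation
! slots so the new mappings take effect, then verify (exec mode):
! clear xlate
! show xlate
! show conn
```

clear xlate is disruptive: every translation slot is dropped and active connections through the firewall are reset, so run it in a change window, not casually after editing one static.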

Table 6-17 Cisco IOS Firewall Feature Set (feature: function)

CBAC: Provides internal users secure, per-application access control for all traffic across perimeters, such as between private enterprise networks and the Internet. CBAC supports the following:
• Java blocking
• VoIP/multimedia
• DHCP server support for Cisco IP Phones
• Internet Locator Service (ILS) fixup

Java blocking: Protects against unidentified, malicious Java applets.

DoS detection and prevention: Defends and protects router resources against common attacks by checking packet headers and dropping suspicious packets.

Audit trail: Details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.

Real-time alerts: Logs alerts in case of DoS attacks or other preconfigured conditions (intrusion detection).

Firewall: Provides a stateful Internet (perimeter) firewall.
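A CBAC configuration that exercises the Table 6-17 features, as an added example that is not from the book. The inspection rule name FW, the interface names, the thresholds, the trusted Java source network and the access list numbers are assumptions.

```cisco
! Added example (not from the book): Cisco IOS Firewall (CBAC) with the
! Table 6-17 features enabled. Names, thresholds and addresses are assumptions.
!
! Inbound filter on the Internet link: nothing unsolicited gets in. CBAC adds
! temporary openings ahead of this entry for return traffic of inspected
! sessions, so the list itself can stay closed.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! Java blocking: applets are accepted only from sites matched by list 51;
! applets returned by any other site are blocked.
access-list 51 permit 198.51.100.0 0.0.0.255
!
! Per-application inspection: generic TCP/UDP plus protocol-aware inspection
! for the services in use, including the multimedia/VoIP protocols.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW h323
ip inspect name FW rtsp
ip inspect name FW http java-list 51
!
! DoS detection and prevention: half-open session thresholds. Above the high
! mark the router deletes half-open sessions until the count falls to low.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host SYN flood handling: after 50 half-open sessions to one host, new
! ones to that host are dropped (block-time 0 means drop only the excess).
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp synwait-time 20
!
! Audit trail (per-session syslog with hosts, ports, duration, bytes) and
! real-time alerts (on by default; "ip inspect alert-off" would silence them).
ip inspect audit-trail
no ip inspect alert-off
!
interface Serial0/0
 description Internet uplink
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Verification (exec mode):
! show ip inspect sessions
! show ip inspect config
```

Inspection is applied outbound so that sessions initiated from the inside are tracked and their replies admitted through OUTSIDE-IN; inbound sessions never match the inspection rule and are left to the static access list.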

Table 6-18 PIX Syslog Levels (level: function)

0: Emergency (system unusable)

1: Alert (immediate action needed)

2: Critical (critical condition)

3: Error (error condition)

4: Warning (warning condition)

5: Notification (normal but significant condition)

6: Informational (informational message only)

7: Debugging (appears during debugging only)
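Applying the Table 6-18 levels to PIX logging, as an added example that is not from the book. The syslog collector address and the interface name are assumptions.

```cisco
! Added example (not from the book): Table 6-18 levels on a PIX. The
! collector 10.1.1.5 on the inside interface is an assumption.
logging on
logging timestamp
! Console stays at level 0. Console logging at level 7 floods the serial
! port and can stall the firewall under load.
logging console emergencies
! Local buffer for quick triage: level 4 and above.
logging buffered warnings
! Ship level 6 to the collector. Connection built/teardown messages that
! incident response depends on are emitted at informational; level 7 adds
! per-packet detail and belongs in a troubleshooting window, not in the
! steady-state configuration.
logging trap informational
logging host inside 10.1.1.5
! Silence one noisy message ID without lowering the trap level for everything:
! no logging message <syslog_id>
```

Each level includes everything more severe than itself, so logging trap informational delivers levels 0 through 6; pick the level from what the collector must retain, and never from what is convenient to read on the console.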

Table 6-19 Network IDS Terminology (term: description)

Signature: A set of conditions that, when met, indicates some type of intrusion event.

Pattern matching: Searching for a fixed sequence of bytes within a single IP packet, optionally qualified by TCP or UDP details such as port numbers.

Stateful pattern matching: Searching for the same kind of pattern within the context of a session (the reassembled stream) rather than within one packet, so a pattern split across packet boundaries, by chance or by deliberate fragmentation, is still detected.

Protocol decode-based analysis: Protocol decode-based signatures are in many ways intelligent extensions to stateful pattern matches. This class of signature is implemented by decoding the various elements in the same manner as the client or server in the conversation would. When the elements of the protocol are identified, the IDS applies rules defined by the RFCs to look for violations.

Heuristic-based analysis: Heuristic-based signatures use some type of algorithmic logic (for example, a count of events within a time window) on which to base their alarm decisions.

Anomaly-based analysis: Anomaly-based signatures are typically geared to look for network traffic that is a variation from the normally expected data types.

Table 6-20 Five Stages of Attack (method: mitigated by CSA)

Probe: CSA prevents scanning of ports and ping packets.

Penetrate: CSA prevents unauthorized mail attachments from running, buffer overflows, ActiveX controls, network installs, backdoors, password guessing, and guessing of mail users.

Persist: CSA prevents new file creation, modification of existing files, and registry trap doors.

Propagate: CSA prevents mail clients from sending out e-mails to propagate the attack, web connections, FTP, and infecting file shares.

Paralyze: CSA does not permit deletion or modification of files and prevents drilling of security holes (opening new doors to provide an opening into your network or device).
