
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, could be captured by a third party. The RADIUS server supports a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP, CHAP, UNIX login, and other authentication mechanisms. RADIUS combines...

AAA Overview

Access control is the cornerstone in ensuring the integrity, confidentiality, and availability of a network and its resources. Enforcing identification and verification of users, permitting, and then reporting or auditing their activity provides a solid framework for security. You can think of it as accessing some secure buildings today. When you first walk in the front door, you are asked to provide your identification. Your name is logged in and then you are permitted to go beyond the lobby into...

Access Attacks

As the name implies, the goal of an access attack is to gain access to a computer or a network. Having gained access, the user can perform many different functions. These functions can be broken into three distinct categories: Interception: If the unauthorized user is able to capture traffic going from the source to the destination, that user can store that data for later use. The data could be anything that is crossing the network segment that is connected to the sniffer and could include...

Accessing the Cisco Router CLI

You can access the Cisco router CLI via any of three methods: Console: The console connection requires a direct connection to the console port of the router using a rollover cable, normally from the serial interface of a computer. This is considered to be the most secure method for administration of the router because it requires a physical connection to the router. This method can be very impractical for enterprise networks. Auxiliary: The auxiliary connection is normally a remote dialup...

Accounting

AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending on your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. You can generate the following types of accounting...

Add the Cisco IOS Firewall IDS to the Centralized Management

This step requires you to add the Cisco IOS firewall IDS to the Cisco Director, CSPM, IDS MC, or Event Viewer. As stated earlier in this chapter, the Cisco Director has reached product end-of-life. The IDS Management Console is a CiscoWorks component, and the CSPM and Event Viewer are both applications written to run on a Wintel platform. The individual commands for each centralized manager are different, but each of these systems uses a GUI interface and is relatively simple to navigate. The...

Administration Issues

Table 10-3 details how to approach some of the problems that may arise in a Cisco Secure ACS installation. Table 10-3 CS ACS Installation Troubleshooting Remote administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted. Ping Cisco Secure ACS to confirm connectivity. Verify that the remote administrator is using a valid administrator name and password that has already been added...

Advanced IPSec VPNs Using Cisco Routers and CAs

Although configuring the connection to a CA server is complex, once correctly configured the functionality is very scalable and easy to manage. The main focus of this chapter has been the configuration and enrollment process. Cisco IOS Software supports the following CA products using CA interoperability: Windows 2000 Certificate Server 5.0. Multiple tasks are required to configure the router for CA support: Configure the router host name and domain name. Set the router date, time, time zone, and...

Alerts and Audit Trails

CBAC also generates real-time alerts and audit trails. Enhanced audit trail features use syslog to track all network transactions recording timestamps, source host, destination host, ports used, and the total number of transmitted bytes for advanced, session-based reporting. Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol...

Assessing Exam Readiness

After completing a number of certification exams, I have found that you don't really know if you're adequately prepared for the exam until you have completed about 30 percent of the questions. At this point, if you aren't prepared it's too late. The best way to determine your readiness is to work through the Do I Know This Already portions of the book, the review questions in the Q&A sections at the end of each chapter, and the case study scenarios. It is best to work your way through the...

Authentication

Authentication provides the method for verifying the identity of users and administrators who are requesting access to network resources, through username and password dialog boxes, challenge and response, token cards, and other methods. Various types of authentication methods are available today. They range from the simple username and password databases to stronger implementation of token cards and one-time passwords (OTPs). Table 6-2 lists the authentication methods, from the strongest and...

Authentication Problems

If there are entries of authentication failure in the Failed Attempts Report and you are authenticating against a Windows 2000 user database, check the following items: Verify whether Cisco Secure ACS is configured to authenticate to the Windows 2000 user database. Verify whether the correct username and password are being used. Confirm the existence of the username. Check whether the user account has User Must Change Password at Next Login selected. If this option is selected, deselect it....

Authentication Proxy

When configuring authentication proxy, a direction at the interface is not assigned because it is always inbound. Authentication proxy intercepts the packet before it reaches the inbound ACL. Consequently, an inbound ACL can block all traffic, except for the special servers or devices that need to communicate with the Cisco IOS firewall. Authentication proxy dynamically opens connections on the inbound ACL of the input interface where the proxy is enabled, as well as on the outbound ACL of the...

Authentication Proxy and the Cisco IOS Firewall

Authentication proxy is a function that enables users to authenticate via the firewall when accessing specific resources. The Cisco IOS firewall is designed to interface with AAA servers using standard authentication protocols to perform this function. This functionality enables administrators to create a very granular and dynamic per-user security policy. This chapter discusses authentication proxy and how it is used to authenticate both inbound and outbound connections. The Cisco IOS firewall...

Authentication Proxy Configuration Examples

The steps required to configure authentication proxy were listed and defined in the preceding section. In this section, authentication proxy is configured for both inbound and outbound connections through the Cisco IOS firewall. Figure 15-5 depicts the environment used for the configuration of authentication proxy on the 3640 Cisco IOS firewall. Figure 15-5 Network Diagram of Authentication Proxy Source and Destination (External Host)...

Authentication Proxy Configuration Steps

A number of steps are required to configure authentication proxy on the Cisco IOS firewall. Authentication proxy requires the firewall to communicate with many different systems, and each of these systems must be put into the firewall configuration. This section describes the configuration steps and individual commands used to configure the authentication proxy. There are examples of these configuration commands in the section titled Authentication Proxy Configuration Examples. It is important...

Authorization

Authorization determines which resources the user is permitted to access and which operations the user is permitted to perform after being successfully authenticated. Just like AAA authentication, authorization information for each user is either stored locally on the routers or remotely on TACACS+ or RADIUS security servers. AAA authorization works by comparing attributes that describe the authorization of the user to information stored in the database. Like AAA authentication method lists,...

Basic Deployment Factors for Cisco Secure ACS

Generally, the ease in deploying Cisco Secure ACS is directly related to the complexity of the implementation planned and the degree to which you have defined your policies and requirements. Deployment factors include the following The following factors are just a few things to consider when deploying Cisco Secure ACS. In addition, minimum hardware and operating system requirements apply when you are installing Cisco Secure ACS. The following sections detail these specifications.

Basic Router Management

The Cisco IOS router and Cisco IOS firewall are actually the same hardware. The difference is a low-cost, advanced firewall feature set that was integrated into Cisco Internet Operating System (Cisco IOS). All the basic functionality of Cisco IOS Software remains on the IOS firewall with additional features added, called the firewall feature set. The Cisco IOS router is commonly referred to as the IOS firewall if any of the firewall feature set components are used. This chapter discusses access...

Book Content Updates

Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at http://www.ciscopress.com/1587200899. It's a good idea to check the website a couple of weeks before taking your exam, to review any updated content that may be posted online. We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be...

Browser Compatibility

Your Cisco Secure ACS server must have a compatible browser installed. Cisco Secure ACS 3.2 has been tested with English language versions of the following browsers on Microsoft Windows operating systems: Microsoft Internet Explorer Version 6.0 and Netscape Communicator Version 7.0. To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server. If the browser used for an...

Building a VPN Using IPSec

Prior to the creation of VPN technology, the only way to secure communications between two locations was to purchase a dedicated circuit. To secure communications across an enterprise would be tremendously expensive, and securing communications with remote users was just cost prohibitive. VPN technology provides the ability to secure communications that travel across the Internet. VPN technology allows organizations to interconnect their different locations without having to purchase dedicated...

CBAC Configuration Example

For this example, CBAC is being configured to inspect inbound. As shown in Figure 14-3, interface Ethernet0 is the protected network and interface Serial1 is the unprotected network. The security policy for the protected site uses ACLs to restrict inbound traffic on the unprotected interface to specific ICMP protocol traffic, denying inbound access for TCP and UDP protocol traffic. Inbound access for specific protocol traffic is provided through dynamic ACLs, which are generated according to...

CBAC Restrictions

CBAC has the following restrictions: Packets with the firewall as the source or destination address are not inspected by CBAC. If you reconfigure your ACLs when you configure CBAC, be aware that if your ACLs block TFTP traffic into an interface, you will not be able to netboot over that interface. (This is not a CBAC-specific limitation but is part of existing ACL functionality.) CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as...

CCSP SECUR Exam Certification Guide

Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 Library...

Change All Administrative Access on All the Routers

The first task is to secure all the routers at each location. As part of this task, you replace the weak administrative access passwords on all the site routers with passwords that are relatively strong. Step 1 Reconfigure the console port user-level password. Console password access to New York NewYork(config) line console 0 NewYork(config-line) password NY conaccess Console password access to Atlanta Atlanta(config) line console 0 Atlanta(config-line) password ATL conaccess Console password...

Cisco IOS Firewall Features

As mentioned in the beginning of this chapter, the Cisco IOS firewall feature is an enhancement to the Cisco IOS Software that incorporates additional security-related features. The Cisco IOS firewall provides an additional level of security for the network without the expense of purchasing dedicated hardware. The Cisco IOS firewall feature set was first introduced as CiscoSecure Integrated Software (CSIS). The Cisco IOS firewall overview lists the following features: Standard and extended...

Cisco IOS Firewall IDS Configuration

Specific tasks are required to configure the Cisco IOS firewall IDS. These steps should be completed in the following order to ensure that the IDS is implemented correctly: 1. Initialize the Cisco IOS firewall IDS on the router. 2. Configure information and attack signatures. 3. Create and apply audit rules. 4. Add the Cisco IOS firewall IDS to the centralized management. These addresses for the Cisco IOS firewall IDS and the CSPM are used in the configuration examples for this section: CSPM...

Cisco IOS Firewall IDS Deployment Strategies

As discussed earlier in this chapter, the primary advantage with the Cisco IOS firewall IDS is that it provides an additional level of security to administrators by enabling them to automatically respond to specific threats on internal and external networks. The Cisco IOS firewall IDS features can be deployed with other Cisco IOS firewall features and tailored as necessary for the network environment. The Cisco IOS firewall IDS is the perfect solution for network segments that do not require,...

Cisco IOS Firewall IDS Features

Cisco IOS Software-based intrusion detection was developed as part of the Cisco IOS firewall feature set for mid-range and high-end routers and has since been adapted to the smaller small office home office (SOHO) and remote office home office (ROHO) models. It allows the firewall to act as an in-line IDS. The Cisco IOS firewall IDS scans packets that flow through the firewall looking for any traffic that matches specific signatures that indicate malicious traffic. If the IDS finds traffic that...

Cisco IOS Software Commands

A firewall or router is not normally something to play with. That is to say that once you have it properly configured, you will tend to leave it alone until there is a problem or you need to make some other configuration change. This is the reason that the question mark (?) is probably the most widely used Cisco IOS Software command. Unless you have constant exposure to this equipment, it can be difficult to remember the numerous commands required to configure devices and troubleshoot problems....

Cisco Secure ACS for Windows

Cisco Secure ACS is a highly scalable access control server that operates as a centralized RADIUS server or TACACS+ server system and controls the authentication, authorization, and accounting (AAA) of users who access corporate resources through a network. Cisco Secure ACS for Windows provides authentication, authorization, and accounting services to network devices that function as AAA clients, such as network access servers, PIX firewalls, and routers. The AAA client in Figure 9-1...

Cisco Secure ACS for Windows Architecture

Cisco Secure ACS is modular and flexible to fit the needs of both simple and large networks. Cisco Secure ACS for Windows operates as a set of Windows 2000 services and controls the authentication, authorization, and accounting of users accessing networks. When you install Cisco Secure ACS on your server, the installation adds several Windows services. These services provide the core of the Cisco Secure ACS functionality and are as follows: CSAdmin: Provides the HTML interface for administration...

Cisco Security Specialist in the Real World

Cisco has one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table due to their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and the...

Compatibility with the CSIDS

The Cisco IOS firewall IDS is completely compatible with the CSIDS. The CSIDS is designed to detect and react to unauthorized activity in real time on enterprise networks. The CSIDS is a group of products that are centrally managed and provide host-based or network-based protection. The network-based portion of the CSIDS monitors and analyzes the content of the network traffic and matches it against signatures looking for patterns that indicate suspicious or malicious traffic. Host-based IDS...

Components Used for Defense in Depth

The number and combination of different components used to secure today's networks changes continuously as new threats and threat-mitigation techniques arise. The following list identifies some of the many components used for a defense-in-depth strategy: Security policy: An effective security policy is the centerpiece of any organization's security implementation. As described in Chapter 1, Network Security Essentials, and Chapter 2, Attack Threats Defined and Detailed, the security policy...

Concepts of the Router MC

To understand the Router MC, you must first understand the basic concepts used in its development and operation. The basic concepts are listed here with a brief explanation. For further information on these concepts, see Using Management Center for VPN Routers. You can find this document through a search at Cisco.com. Hub-and-spoke topology: The hub-and-spoke topology is commonly used when connecting branch offices to the main office. A central Cisco IOS router located at the main office acts as...

Configure a Cisco Router for IPSec Using Preshared Keys

Several tasks and subtasks are required to configure the router for an IPSec VPN using preshared keys: 1. Select the IKE and IPSec parameters. a. Define the IKE (phase 1) policy. Define the key distribution method. Define the authentication method. Identify the IKE SA peer by IP address or host name. Define the IKE phase 1 policy: Encryption algorithm (DES, 3DES); Hash algorithm (SHA-1, MD5). Select the IPSec protocol (AH, ESP). Configure transforms and transform sets. Define the IPSec peer by...

Configure a Secure Method for Remote Access of the Routers

The current use of telnet to remotely access the routers is not a secure method of access. Configure SSH and disable telnet. To enable SSH support on the routers, follow these four steps: 1. Verify that you have a host name. 2. Configure the router DNS domain. 3. Generate the SSH key to be used. 4. Enable SSH transport support for the vtys. Each individual step is discussed below. You can verify that the router has a host name configured by looking at the command prompt in any configuration mode....

Configure ACLs

Crypto ACLs are used to identify interesting traffic to the router. Interesting traffic is traffic that must be encrypted when leaving the router or traffic that must be encrypted when it arrives at the router (from the peer). Obviously the router encrypts the outbound interesting traffic en route to the peer. If the router receives traffic from the peer that should be encrypted but is not, the traffic is dropped. The configuration for this enterprise network is referred to as a full-mesh VPN...

Configure Global Timeouts and Thresholds

Global timeouts and thresholds help CBAC determine how long to manage state information for a session and when to drop sessions that do not become fully established. All the available CBAC timeouts and thresholds are listed in Table 14-2 along with the corresponding command and default value. Table 14-2 Default Timeout and Threshold Values for CBAC Inspections Timeout or Threshold Value to Change The length of time the...

Configure Host Name and Domain Name

Configure each of the routers to connect with the CA. You must first configure the domain name on the router, define the CA, and generate the RSA keys. Configure CA support on the New York router. NewYork(config) ip domain-name example-secur.com NewYork(config) ip host CA-Server 192.168.242.42 NewYork(config) crypto key generate rsa 1024 NewYork(config) crypto ca identity CA_Server NewYork(cfg-ca-id) enrollment mode ra NewYork(cfg-ca-id) enrollment url NewYork(cfg-ca-id) crl optional...

Configure Info and Attack Signatures

The Cisco IOS firewall compares network traffic to specific signatures to determine malicious traffic. There are two different categories of signatures and two types of signatures in each category. The signature categories are separated by activity: Info: This category includes activity that is normally associated with network reconnaissance. This includes network scans or port scans. Attack: Attack signatures detect attacks against the network or specific host on the network. The two signature...

Configure IP ACLs at the Interface

Configuring your ACL correctly is critical for CBAC to work properly. Follow these two general rules when evaluating your IP ACLs at the Cisco IOS firewall: Permit CBAC traffic leaving the network through the Cisco IOS firewall. Use extended ACLs to deny traffic entering the network (from the external interface) through the Cisco IOS firewall. All ACLs that evaluate traffic leaving the protected network should permit traffic that will be inspected by CBAC. If telnet will be inspected by CBAC,...

Configure Local Database Authentication Using AAA

By requiring two tokens, a username and a password, rather than just a password, you can make the routers more secure. To do so, configure a local username and password on the router and configure AAA authentication. Step 1 Configure AAA authentication for console access. NewYork(config) aaa authentication login con-access local NewYork(config) username nyadmin password conxss4NY NewYork(config-line) login authentication con-access Atlanta(config) aaa authentication login con-access local...

Configure NTP

Configuring NTP on the routers ensures that all routers maintain time from the same source. This can greatly assist you with troubleshooting because activities that occur at different locations have the same time in both system log files. In addition, the correct time is necessary to ensure that there is no time difference between the routers and the CA server. In this exercise, you use a single NTP source; however, you should also use a backup NTP source. Configure NTP on the New York...

Configure the IKE Parameters

Now that the configuration options for each location have been selected, it's time to begin configuring each router. The first step is to verify connectivity between each location. The simplest way to confirm connectivity is to ping the peer router. You must also verify that any upstream devices are not filtering the traffic that is required to build the VPN. Having verified connectivity, you now begin to configure the routers at each location. You should begin by configuring IKE on each...

Configure the IPSec Parameters

Remember that IKE establishes the secure connection used to negotiate the IPSec SA. You must correctly configure the IPSec parameters for the VPN to work. For IPSec, you must configure multiple parameters. This section deals with the configuration of the IPSec transform sets and IPSec SA lifetimes. The crypto ipsec transform-set command is used to create the transform sets, and the crypto ipsec security-association lifetime command is used to define the IPSec SA lifetime. Because there are...

Configure the RSA Keys

As with any VPN configuration, management of RSA keys is not a difficult task, but it can be a complex undertaking. It is important to completely plan your implementation before you begin to configure the peers. To configure and generate your public keys and enter the public keys of your peer, follow these six steps: Plan the implementation using RSA keys. Configure the router host name and domain name. Each of these steps is discussed in detail in the following sections. Plan the Implementation...

Configuring AAA Accounting

Enabling the accounting feature of AAA helps you log user activity, including network resource utilization, which could be used for billing and auditing. Like authentication and authorization, the AAA accounting feature has method lists. The two methods used by the AAA accounting feature The following six types of accounting can be configured on the Cisco IOS Software: Network: Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts. EXEC: Provides information...

Configuring AAA Services

AAA configuration includes four mandatory steps and two optional steps. It involves enabling AAA, providing security server information, defining the method list, and then applying the method list to the interface of interest. The following steps describe the configuration process Step 1 Activate AAA services by using the aaa new-model command. Step 2 Select the type of security protocols (for instance, RADIUS, TACACS+, or Kerberos). Step 3 Define the method list's authentication by using an...

Configuring ACLs on a Router

When creating an ACL, you define criteria that are applied to each packet processed by the router; the router decides whether to forward or block each packet based on whether the packet matches the criteria. Typical criteria you define in ACLs include packet source addresses, packet destination addresses, or the upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined. For a single ACL, you can define multiple criteria in multiple, separate...

Configuring Authentication Proxy on the Cisco IOS Firewall

Authentication proxy enables users to connect through the firewall to a resource only after their credentials have been verified by a AAA server. After the authentication is complete, the Cisco IOS firewall receives authorization information from the AAA server in the form of a dynamic access list. It is always a good idea to ensure that all traffic is properly flowing through the Cisco IOS firewall prior to implementing authentication proxy. Access lists applied to the Cisco IOS firewall...

Configuring IPSec Using RSA Encrypted Nonces

As discussed earlier in this chapter, an RSA nonce is a random value generated by the peer that is encrypted using RSA encryption. It provides a very strong method of authentication using Diffie-Hellman key exchange. RSA nonces require that peers possess each other's public key without the use of a CA. It is important that the encrypted nonces are initially exchanged via a secure source. There are two drawbacks to using RSA encrypted nonces: Initial key exchange: If you are using RSA-encrypted...

Configuring Line Password Authentication

You can provide access control on a terminal line by entering the password and establishing password checking. To do so, use the following commands in line configuration mode: Router(config) line console 0 Router(config-line) password password The password checker is case-sensitive and can include spaces; for example, the password Secret is different from the password secret, and you can use two words for an acceptable password. You can disable line password verification by disabling password...

Configuring Manual IPSec

It is possible to manually configure your IPSec connection from the crypto-map configuration mode. When you manually configure the IPSec parameters, you manually input all the keys necessary to create the connection. This configuration removes the functionality that allows the peers to renegotiate and constantly change the connection parameters and greatly reduces the security of the connection. The commands for configuring manual IPSec are set session-key inbound outbound ah esp spi...

Configuring Multiple Privilege Levels

To configure a new privilege level for users and associate commands with a privilege level, use the privilege command syntax as follows privilege mode all level level reset command-string Table 5-3 shows the different options that the privilege command provides. (Optional) Changes the privilege level for all the suboptions to the same level. Specifies the privilege level you are configuring for the specified command or commands. The level argument must be a number from 0 to 15. Resets the...

Configuring Port Security

Consider the following when configuring port security: You cannot configure port security on a trunk port. You cannot enable port security on a SPAN destination port and vice versa. You cannot configure dynamic, static, or permanent CAM entries on a secure port. When you enable port security on a port, any static or dynamic CAM entries associated with the port are cleared; any currently configured permanent CAM entries are treated as secure. NOTE The following port security configuration is for...

Configuring RADIUS on Cisco IOS

To configure RADIUS on your Cisco router or access server, you must perform the following steps Step 1 Enable AAA. Use the aaa new-model global configuration command to enable AAA. Step 2 Identify the RADIUS server. Use the radius-server host command to specify the IP address. Use the radius-server key command to specify an encryption key that will be used to encrypt all exchanges between the network access server and the RADIUS server. Step 3 Configure AAA services. Use the aaa authentication...

Configuring Remote Access Using Easy VPN

Cisco Easy VPN is a client/server application that allows for VPN security parameters to be pushed out to the remote locations that connect using Cisco SOHO/ROHO products. The server portion is a component of Cisco IOS Software Release 12.2(8)T, and the client portion is available for the 800 to 1700 series routers, PIX 501 Firewall, 3002 VPN hardware client, and Easy Remote VPN software client 3.x. NOTE For a complete listing of products that support Cisco Easy VPN, check the products listing...

Configuring TACACS+ on Cisco IOS

To configure the Cisco access server to support TACACS+, you must perform the following steps: Step 1 Enable AAA. Use the aaa new-model command to enable AAA. Step 2 Identify the TACACS+ server. Use the tacacs-server host command to specify the IP address or name of one or more TACACS+ servers. Step 3 Configure AAA services. Use the aaa authentication command to define method lists that use TACACS+ for authentication. Step 4 Apply the method lists to the interfaces. Use line and interface...

Configuring the Easy VPN Server

Remember that the Easy VPN Server configuration is the most important, because the server is the central location where the other VPN client connections terminate. To configure Easy VPN Server on your Cisco IOS 12.2(8)T or later router, follow these steps: Step 1 Prepare the router for Easy VPN Server. Step 2 Configure the group policy lookup. Step 3 Create the ISAKMP policy for the remote VPN clients. Step 4 Define a group policy for a mode configuration push. Step 5 Create the transform set. Step 6 Create...

Configuring the Enable Password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode: enable password level level password encryption-type encrypted-password. Table 5-2 shows the different options that the enable command has. Level for which the password applies. You can specify up to 15 privilege levels, using numbers 1 through 15. This is an optional parameter that provides not only authentication but also authorization. Password users type this...

Configuring Username Authentication

You can create a username-based authentication system, in which a user is prompted for a username and password when attempting to access the network access server (NAS) or router. The username and password database is stored locally on the Cisco NAS device. To establish username authentication, use the following commands in global configuration mode: Router(config) username name nopassword password password password encryption-type encrypted-password. The following example shows the creation of a...

Context-Based Access Control

A context-based access control (CBAC) engine provides secure, per-application access control across network perimeters. CBAC lets the router maintain a persistent state, based on information from inspected packets, and use that information to decide which traffic should be forwarded. CBAC is the centerpiece of the firewall feature set, and the other features in the set build on CBAC. CBAC features include the following: DoS detection and prevention Generates real-time alerts and audit trails...

Contents

Foreword xxiii Introduction xxiv Part I An Overview of Network Security 2 Chapter 1 Network Security Essentials 5 Do I Know This Already Quiz 5 Foundation Topics 9 Balancing Business Need with Security Requirement 9 Security Policy Goals 12 Security Guidelines 13 Management Must Support the Policy 13 The Policy Must Be Technically Feasible 14 The Policy Should Not Be Written as a Technical Document 14 The Policy Must Be Implemented Globally Throughout the Organization 14 The Policy Must Clearly...

Contents at a Glance

Attack Threats Defined and Detailed 23 Authentication, Authorization, and Accounting (AAA) Authentication, Authorization, and Accounting 115 Configuring RADIUS and TACACS+ on Cisco IOS Software 137 Cisco Secure Access Control Server 157 Administration of Cisco Secure Access Control Server The Cisco IOS Firewall Feature Set 188 Securing the Network with a Cisco Router 191 Context-Based Access Control (CBAC) 231 Authentication Proxy and the Cisco IOS Firewall 251 Intrusion Detection and the Cisco...

Controlling Interactive Access Through a Browser

Administrative access via a browser is supported by Cisco IOS Software Release 11.0(6) and later. This feature is disabled by default but can be enabled by the ip http server command. However, the use of HTTP to manage a router presents some inherent vulnerabilities. The Cisco IOS HTTP server provides authentication, but not encryption, for client connections. The data that the client and server transmit to each other is not encrypted. This leaves communication between clients and...

Create and Apply Audit Rules

The next task requires you to create the audit rules and apply them to the correct interface of the Cisco IOS firewall. It is possible to create an audit rule that excludes specific hosts or networks and apply that rule to the interface. Creating and applying the audit rules is a four-step process. You must configure the IDS to respond to information and attack signatures. The response can be one or more of three actions: alarm This command sends an alarm to the syslog server or the...

Create and Apply Crypto Maps

The crypto map is used to apply the ACLs, define the addresses for the local and remote peers, and define how the IPSec SA is established and maintained. Each crypto map is given a sequence number and a name. For this exercise, the name crypto-map is used after the peer location. Configure the crypto maps on the New York router: NewYork(config) crypto map MCNS 10 ipsec-isakmp NewYork(config) match address 110 NewYork(config) set peer 192.168.20.1 NewYork(config) set pfs group2 NewYork(config)...

CSAdmin

CSAdmin provides the web server for the Cisco Secure ACS HTML interface. After Cisco Secure ACS is installed, you must configure it from its HTML interface; therefore, CSAdmin must be running when you configure Cisco Secure ACS. Cisco Secure ACS has a built-in web server for ACS administration. The web server uses port 2002 rather than the standard port 80 usually associated with HTTP traffic. CSAdmin is multithreaded, which enables several Cisco Secure ACS administrators to access it at the...

Debugging Context-Based Access Control

The following three types of debug commands are available for debugging CBAC: Transport-level debug commands Application-protocol debug commands To assist CBAC debugging, you can turn on audit trail messages that will be displayed on the console after each CBAC session closes. To turn on audit trail messages, use the following global configuration command You can use the generic debug commands listed in Table 14-5. Display messages about software functions called by CBAC. Display...

Define an Inspection Rule

The inspection rule defines the IP traffic monitored by CBAC. The ip inspect name command enables you to define a set of inspection rules. Table 14-3 shows the ip inspect command parameters: ip inspect name inspection-name protocol alert on off audit-trail on off timeout seconds no ip inspect name inspection-name protocol. Table 14-3 The ip inspect name Command Parameters Names the set of inspection rules. If you want to add a protocol to an...

Define VPN Configuration Parameters

Now that you have selected the method for securing communications among the three corporate locations, the next step is to define the VPN parameters. Before you can configure the VPN, you must first determine which parameters are to be used for each connection. Remember that Chapter 17, Building a VPN Using IPSec, emphasized the importance of completely planning your VPN connectivity before you begin the implementation (because of the complexity of the configuration and zero margin for error)....

Describe the Easy VPN Server

As mentioned at the beginning of this chapter, Easy VPN is a client/server product that allows for simplified VPN connectivity with branch offices, remote offices, and remote users. The server portion of this product is called Cisco Easy VPN Server and is a component of Cisco IOS Software Release 12.2(8)T. The client component installs on Cisco routers designed for remote office/home office (ROHO) use, the Cisco PIX 501 Firewall, the 3002 hardware VPN client, and the Cisco VPN client software...

Disable Unnecessary Services

Ensuring that all services that are not required on the network are disabled reduces the vulnerability of the routers to security breaches. Disabling the HTTP service greatly reduces exposure of the router to threats on a commonly used port (TCP port 80). Disabling small servers for UDP and TCP protects against Smurf attacks and IP spoofing. The following services on all three routers are turned off: Disable the IP HTTP server. Disable Cisco Discovery Protocol on all externally facing...

Disabling Cisco Discovery Protocol CDP

CDP is a Cisco proprietary Layer 2 protocol that is media and protocol independent and runs on all Cisco-manufactured equipment, including routers, access servers, and switches. CDP is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses. The information provided by CDP can potentially be used by an attacker to compromise the neighboring device and...

Disabling Directed Broadcasts

On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network. IP broadcast addresses are usually network addresses with the host portion of the address having all 1...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 11-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz questions...

DoS Attacks

A DoS attack is designed to deny user access to computers or networks. These attacks usually target specific services and attempt to overwhelm them by making numerous requests concurrently. If a system is not protected and cannot react to a DoS attack, it can be very easy to overwhelm that system by running scripts that generate multiple requests. It is possible to greatly increase the magnitude of a DoS attack by launching the attack from multiple systems against a single target. This practice...

DoS Detection and Protection

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's ACLs to allow return traffic and additional data connections for permissible sessions. Inspecting packets at the application layer, and maintaining TCP and UDP session information, provides CBAC with the capability to detect and prevent certain types of network attacks such as SYN flooding. TCP...

Easy VPN Modes of Operation

Easy VPN can use two different remote phase II modes for VPN connectivity, which mainly affect how the remote user is addressed when connected to the destination network. Both configurations support split tunneling. The two modes are as follows: Client mode This mode allows whatever changes are necessary to connect the client to the destination network via the VPN connection. In client mode, the client is automatically configured with NAT/PAT and the access lists needed to create the VPN...

Enable secret

The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security that encryption provides proves useful in environments where the password crosses the network or is stored on a TFTP server: enable secret level level password encryption-type encrypted-password. You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password...

Enroll with the CA

For the moment, the perimeter routers only need to enroll with the CA. The VPN connections may be converted over to the CA solution after the company merger is completed and the networks converge. NewYork(config) crypto ca enroll CA_Server Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password New-York...

Exam Registration

The SECUR exam is a computer-based exam, with multiple-choice, fill-in-the-blank, list-in-order, and simulation-based questions. You can take the exam at any Pearson VUE (http://www.pearsonvue.com) or Prometric (http://www.2test.com) testing center. Your testing center can tell you the exact length of the exam. Be aware that when you register for the exam, you might be told to allow a certain amount of time to take the exam that is longer than the testing time indicated by the testing software when...

Explain the Issues Regarding Configuring IPSec Manually and Using RSA Encrypted Nonces

The only additional process required for implementing IPSec using RSA nonces is the key generation and exchange process. The following steps are required to generate and exchange RSA keys: Plan the implementation using RSA keys. Configure the router host name and domain name. As mentioned in the section, How to Use This Book, in the Introduction to this book, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Final Scenarios

Your team of consultants has been hired by the MCNS Financial Group. This organization has a medium-sized network with headquarters in New York City and branch offices in Atlanta and Los Angeles. They also have approximately 20 sales personnel who need remote connectivity. The organization contracted your services after their network was breached and they narrowly averted a public relations nightmare. They currently have all locations connected to the Internet via T1 connections purchased from...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your SECUR exam, a well-prepared candidate should at a minimum know all the details in each Foundation Summary before going to take the exam. In today's very dynamic environment, it is not enough just to secure the network perimeter. With the increasing use of intranets, extranets, remote users, and wireless technology,...

Foundation Topics

Computer systems have become a fundamental component of nearly every organization today. Large corporations and government organizations devote a tremendous amount of their assets to maintaining their networks, and even the smallest organization is likely to use a computer for maintaining their records and financial information. Because these systems are able to perform functions rapidly and accurately and because they make it very easy to facilitate communication between organizations,...

How Authentication Proxy Works

Unlike many Cisco IOS firewall functions, authentication proxy is not a service that is transparent to the user. On the contrary, it requires user interaction. The authentication proxy is triggered when the user initiates an HTTP session through the Cisco IOS firewall. The firewall checks to see whether the user has already been authenticated. If the user has previously authenticated, it allows the connection. If the user has not previously authenticated, the firewall prompts the user for a...

How CBAC Works

A CBAC inspection rule is created to specify which protocols you want to be inspected. You then apply the rule to the desired interface and specify the direction (in or out). Only specified protocols are inspected by CBAC. Packets entering the Cisco IOS firewall are inspected by CBAC only if they first pass the inbound ACL at the interface. If a packet is denied by the ACL, the packet is just dropped and not inspected by CBAC. CBAC creates temporary openings in ACLs at Cisco IOS firewall...

How IPSec Works

Five specific steps are required to create and terminate an IPSec VPN tunnel. The endpoints perform different functions to establish the encrypted connection at each step. Figure 17-3 provides a description of the steps required to create and terminate the IPSec tunnel. Figure 17-3 Creating an IPSec VPN Tunnel Step 1 The user at the source computer in Boston initiates a connection to the destination system in New York. The router in Boston recognizes the...

How to Prepare for an Exam

The best way to prepare for any certification exam is to use a combination of the preparation resources, labs, and practice tests. This guide has integrated some practice questions and labs to help you better prepare. If possible, you want to get some hands-on time with the Cisco IOS routers. There is no substitute for experience, and it is much easier to understand the commands and concepts when you can actually work with the Cisco IOS router. If you do not have access to a Cisco IOS router,...

How to Use This Book

Each chapter tends to build upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations. The chapters of the book cover the following topics Chapter 1, Network Security Essentials Chapter 1 is an overview of network security in general terms. This chapter defines the scope of network security and discusses the delicate balancing act required to ensure that you fulfill the...

Implement ACLs for Antispoofing Purposes

Add antispoofing protection by denying traffic with a source address matching a host on the Ethernet interface for each site (RFC 2827, RFC 3330). NOTE You would need to configure RFC 1918 filtering in a production network. This scenario uses the 10.x.x.x and 192.168.x.x address ranges, and therefore RFC 1918 filtering has not been implemented: NewYork(config) access-list 107 permit ip 10.10.30.0 0.0.0.255 any NewYork(config) access-list 107 permit ip 10.10.20.0 0.0.0.255 any NewYork(config) access-list 107 deny ip 10.10.10.0...

Implement Authentication Proxy

MCNS maintains a DMZ segment in New York and hosts an application that needs to be available to their business partners. This example configures the Cisco IOS firewall to perform authentication proxy inbound without CBAC or NAT for any source attempting to access this application by the destination address 172.16.10.101. Configuration of the authentication proxy requires the following three steps: 3. Configure the authentication proxy. Figure 21-4 shows the location of the AAA server and partner...

Implement CBAC

Configure an inspection rule called examineNY, examineATL, and examineLA for the New York, Atlanta, and Los Angeles routers, respectively. Apply the rule on the Ethernet interface so that inbound traffic (which is exiting the network) is inspected; return traffic is only permitted back through the firewall if it is part of a session that begins from within the network. New York router CBAC configuration. Define the CBAC rule: NewYork(config) ip inspect name examineNY ftp timeout 3600 NewYork(config)...

Installation and Login to Router MC

The Router MC is installed on the CiscoWorks 2000 server from the Router MC CD-ROM. If you are installing the Router MC on a Windows server, you can use the Installation Wizard and follow the default settings. The Router MC defaults to the CiscoWorks common services folder (C:\Program Files\CSCOpx\) and automatically creates its database as part of the installation process. The Installation Wizard will show an Installation Complete window upon successful installation, prompting you to click...

Installing Cisco Secure ACS

After confirming your system requirements for Cisco Secure ACS for Windows, run the setup program to install the software. Figure 10-1 shows a checklist window that comes up during the first part of the installation process. Figure 10-1 Checklist Window That Appears During the Installation Process for Cisco ACS 3.2 BEFORE YOU BEGIN, the following items must be complete: End-user clients can successfully connect to AAA clients. This Windows Server can ping the AAA clients. Any Cisco IOS AAA...