
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, could be captured by a third party. The RADIUS server supports a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP, CHAP, UNIX login, and other authentication mechanisms. RADIUS combines...

AAA Overview

Access control is the cornerstone in ensuring the integrity, confidentiality, and availability of a network and its resources. Enforcing identification and verification of users, permitting, and then reporting or auditing their activity provides a solid framework for security. You can think of it as accessing some secure buildings today. When you first walk in the front door, you are asked to provide your identification. Your name is logged in and then you are permitted to go beyond the lobby into...

Access Attacks

As the name implies, the goal of an access attack is to gain access to a computer or a network. Having gained access, the user can perform many different functions. These functions can be broken into three distinct categories: Interception: If the unauthorized user is able to capture traffic going from the source to the destination, that user can store that data for later use. The data could be anything that is crossing the network segment that is connected to the sniffer and could include...

Accessing the Cisco Router CLI

You can access the Cisco router CLI via any of three methods: Console: The console connection requires a direct connection to the console port of the router using a rollover cable, normally from the serial interface of a computer. This is considered to be the most secure method for administration of the router because it requires a physical connection to the router. This method can be very impractical for enterprise networks. Auxiliary: The auxiliary connection is normally a remote dialup...

Add the Cisco IOS Firewall IDS to the Centralized Management

This step requires you to add the Cisco IOS firewall IDS to the Cisco Director, CSPM, IDS MC, or Event Viewer. As stated earlier in this chapter, the Cisco Director has reached product end-of-life. The IDS Management Console is a CiscoWorks component, and the CSPM and Event Viewer are both applications written to run on a Wintel platform. The individual commands for each centralized manager are different, but each of these systems uses a GUI interface and is relatively simple to navigate. The...

Administration Issues

Table 10-3 details how to approach some of the problems that may arise in a Cisco Secure ACS installation.
Table 10-3 CS ACS Installation Troubleshooting
Remote administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted. Ping Cisco Secure ACS to confirm connectivity. Verify that the remote administrator is using a valid administrator name and password that has already been added...

Authentication Proxy

When configuring authentication proxy, a direction at the interface is not assigned because it is always inbound. Authentication proxy intercepts the packet before it reaches the inbound ACL. Consequently, an inbound ACL can block all traffic, except for the special servers or devices that need to communicate with the Cisco IOS firewall. Authentication proxy dynamically opens connections on the inbound ACL of the input interface where the proxy is enabled, as well as on the outbound ACL of the...

Authentication Proxy Configuration Examples

The steps required to configure authentication proxy were listed and defined in the preceding section. In this section, authentication proxy is configured for both inbound and outbound connections through the Cisco IOS firewall. Figure 15-5 depicts the environment used for the configuration of authentication proxy on the 3640 Cisco IOS firewall.
Figure 15-5 Network Diagram of Authentication Proxy Source and Destination (External Host)...

Authentication Proxy Configuration Steps

A number of steps are required to configure authentication proxy on the Cisco IOS firewall. Authentication proxy requires the firewall to communicate with many different systems, and each of these systems must be put into the firewall configuration. This section describes the configuration steps and individual commands used to configure the authentication proxy. There are examples of these configuration commands in the section titled Authentication Proxy Configuration Examples. It is important...

Basic Router Management

The Cisco IOS router and Cisco IOS firewall are actually the same hardware. The difference is a low-cost, advanced firewall feature set that was integrated into Cisco Internet Operating System (Cisco IOS). All the basic functionality of Cisco IOS Software remains on the IOS firewall with additional features added, called the firewall feature set. The Cisco IOS router is commonly referred to as the IOS firewall if any of the firewall feature set components are used. This chapter discusses access...

Book Content Updates

Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at http://www.ciscopress.com/1587200899. It's a good idea to check the website a couple of weeks before taking your exam to review any updated content that may be posted online. We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be...

Browser Compatibility

Your Cisco Secure ACS server must have a compatible browser installed. Cisco Secure ACS 3.2 has been tested with English language versions of the following browsers on Microsoft Windows operating systems: Microsoft Internet Explorer Version 6.0 and Netscape Communicator Version 7.0. To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server. If the browser used for an...

CBAC Configuration Example

For this example, CBAC is being configured to inspect inbound. As shown in Figure 14-3, interface Ethernet0 is the protected network and interface Serial1 is the unprotected network. The security policy for the protected site uses ACLs to restrict inbound traffic on the unprotected interface to specific ICMP protocol traffic, denying inbound access for TCP and UDP protocol traffic. Inbound access for specific protocol traffic is provided through dynamic ACLs, which are generated according to...

Change All Administrative Access on All the Routers

The first task is to secure all the routers at each location. As part of this task, you replace the weak administrative access passwords on all the site routers with passwords that are relatively strong.
Step 1 Reconfigure the console port user-level password.
Console password access to New York:
NewYork(config)# line console 0
NewYork(config-line)# password NY conaccess
Console password access to Atlanta:
Atlanta(config)# line console 0
Atlanta(config-line)# password ATL conaccess
Console password...

Cisco IOS Firewall Features

As mentioned in the beginning of this chapter, the Cisco IOS firewall feature is an enhancement to the Cisco IOS Software that incorporates additional security-related features. The Cisco IOS firewall provides an additional level of security for the network without the expense of purchasing dedicated hardware. The Cisco IOS firewall feature set was first introduced as CiscoSecure Integrated Software (CSIS). The Cisco IOS firewall overview lists the following features: Standard and extended...

Cisco IOS Firewall IDS Features

Cisco IOS Software-based intrusion detection was developed as part of the Cisco IOS firewall feature set for mid-range and high-end routers and has since been adapted to the smaller small office home office (SOHO) and remote office home office (ROHO) models. It allows the firewall to act as an in-line IDS. The Cisco IOS firewall IDS scans packets that flow through the firewall looking for any traffic that matches specific signatures that indicate malicious traffic. If the IDS finds traffic that...

Cisco IOS Software Commands

A firewall or router is not normally something to play with. That is to say that once you have it properly configured, you will tend to leave it alone until there is a problem or you need to make some other configuration change. This is the reason that the question mark (?) is probably the most widely used Cisco IOS Software command. Unless you have constant exposure to this equipment, it can be difficult to remember the numerous commands required to configure devices and troubleshoot problems....

Cisco Secure ACS for Windows

Cisco Secure ACS is a highly scalable access control server that operates as a centralized RADIUS server or TACACS+ server system and controls the authentication, authorization, and accounting (AAA) of users who access corporate resources through a network. Cisco Secure ACS for Windows provides authentication, authorization, and accounting services to network devices that function as AAA clients, such as network access servers, PIX firewalls, and routers. The AAA client in Figure 9-1...

Cisco Secure ACS for Windows Architecture

Cisco Secure ACS is modular and flexible to fit the needs of both simple and large networks. Cisco Secure ACS for Windows operates as a set of Windows 2000 services and controls the authentication, authorization, and accounting of users accessing networks. When you install Cisco Secure ACS on your server, the installation adds several Windows services. These services provide the core of the Cisco Secure ACS functionality and are as follows: CSAdmin: Provides the HTML interface for administration...

Cisco Security Specialist in the Real World

Cisco has one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table due to their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and the...

Compatibility with the CSIDS

The Cisco IOS firewall IDS is completely compatible with the CSIDS. The CSIDS is designed to detect and react to unauthorized activity in real time on enterprise networks. The CSIDS is a group of products that are centrally managed and provide host-based or network-based protection. The network-based portion of the CSIDS monitors and analyzes the content of the network traffic and matches it against signatures looking for patterns that indicate suspicious or malicious traffic. Host-based IDS...

Components Used for Defense in Depth

The number and combination of different components used to secure today's networks changes continuously as new threats and threat-mitigation techniques arise. The following list identifies some of the many components used for a defense-in-depth strategy: Security policy: An effective security policy is the centerpiece of any organization's security implementation. As described in Chapter 1, Network Security Essentials, and Chapter 2, Attack Threats Defined and Detailed, the security policy...

Concepts of the Router MC

To understand the Router MC, you must first understand the basic concepts used in its development and operation. The basic concepts are listed here with a brief explanation. For further information on these concepts, see Using Management Center for VPN Routers. You can find this document through a search at Cisco.com. Hub-and-spoke topology: The hub-and-spoke topology is commonly used when connecting branch offices to the main office. A central Cisco IOS router located at the main office acts as...

Configure a Cisco Router for IPSec Using Preshared Keys

Several tasks and subtasks are required to configure the router for an IPSec VPN using preshared keys:
1. Select the IKE and IPSec parameters.
a. Define the IKE (phase 1) policy.
Define the key distribution method.
Define the authentication method.
Identify the IKE SA peer by IP address or host name.
Define the IKE phase 1 policy: encryption algorithm (DES, 3DES), hash algorithm (SHA-1, MD5).
Select the IPSec protocol (AH, ESP).
Configure transforms and transform sets.
Define the IPSec peer by...

Configure a Secure Method for Remote Access of the Routers

The current use of telnet to remotely access the routers is not a secure method of access. Configure SSH and disable telnet. To enable SSH support on the routers, follow these four steps:
1. Verify that you have a host name.
2. Configure the router DNS domain.
3. Generate the SSH key to be used.
4. Enable SSH transport support for the vtys.
Each individual step is discussed below. You can verify that the router has a host name configured by looking at the command prompt in any configuration mode....

Configure Global Timeouts and Thresholds

Global timeouts and thresholds help CBAC determine how long to manage state information for a session and when to drop sessions that do not become fully established. All the available CBAC timeouts and thresholds are listed in Table 14-2 along with the corresponding command and default value.
Table 14-2 Default Timeout and Threshold Values for CBAC Inspections
Timeout or Threshold Value to Change: The length of time the...

Configure Host Name and Domain Name

Configure each of the routers to connect with the CA. You must first configure the domain name on the router, define the CA, and generate the RSA keys. Configure CA support on the New York router:
NewYork(config)# ip domain-name example-secur.com
NewYork(config)# ip host CA-Server 192.168.242.42
NewYork(config)# crypto key generate rsa 1024
NewYork(config)# crypto ca identity CA_Server
NewYork(cfg-ca-id)# enrollment mode ra
NewYork(cfg-ca-id)# enrollment url
NewYork(cfg-ca-id)# crl optional...

Configure Info and Attack Signatures

The Cisco IOS firewall compares network traffic to specific signatures to determine malicious traffic. There are two different categories of signatures and two types of signatures in each category. The signature categories are separated by activity: Info: This category includes activity that is normally associated with network reconnaissance. This includes network scans or port scans. Attack: Attack signatures detect attacks against the network or specific host on the network. The two signature...

Configure Local Database Authentication Using AAA

By requiring two tokens, a username and a password, rather than just a password, you can make the routers more secure. To do so, configure a local username and password on the router and configure AAA authentication.
Step 1 Configure AAA authentication for console access.
NewYork(config)# aaa authentication login con-access local
NewYork(config)# username nyadmin password conxss4NY
NewYork(config-line)# login authentication con-access
Atlanta(config)# aaa authentication login con-access local...

Configure NTP

Configuring NTP on the routers ensures that all routers maintain time from the same source. This can greatly assist you with troubleshooting because activities that occur at different locations have the same time in both system log files. In addition, the correct time is necessary to ensure that there is no time difference between the routers and the CA server. In this exercise, you use a single NTP source; however, you should also use a backup NTP source. Configure NTP on the New York...

Configure the IKE Parameters

Now that the configuration options for each location have been selected, it's time to begin configuring each router. The first step is to verify connectivity between each location. The simplest way to confirm connectivity is to ping the peer router. You must also verify that any upstream devices are not filtering the traffic that is required to build the VPN. Having verified connectivity, you now begin to configure the routers at each location. You should begin by configuring IKE on each...

Configure the RSA Keys

As with any VPN configuration, management of RSA keys is not a difficult task, but it can be a complex undertaking. It is important to completely plan your implementation before you begin to configure the peers. To configure and generate your public keys and enter the public keys of your peer, follow these six steps: Plan the implementation using RSA keys. Configure the router host name and domain name. Each of these steps is discussed in detail in the following sections. Plan the Implementation...

Configuring AAA Accounting

Enabling the AAA accounting feature helps you log user activity, including network resource utilization, which could be used for billing and auditing. Like authentication and authorization, the AAA accounting feature has method lists. The two methods used by the AAA accounting feature The following six types of accounting can be configured on the Cisco IOS Software: Network: Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts. EXEC: Provides information...

Configuring ACLs on a Router

When creating an ACL, you define criteria that are applied to each packet processed by the router; the router decides whether to forward or block each packet based on whether the packet matches the criteria. Typical criteria you define in ACLs include the packet source address, the packet destination address, or the upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined. For a single ACL, you can define multiple criteria in multiple, separate...

Configuring Authentication Proxy on the Cisco IOS Firewall

Authentication proxy enables users to connect through the firewall to a resource only after their credentials have been verified by a AAA server. After the authentication is complete, the Cisco IOS firewall receives authorization information from the AAA server in the form of a dynamic access list. It is always a good idea to ensure that all traffic is properly flowing through the Cisco IOS firewall prior to implementing authentication proxy. Access lists applied to the Cisco IOS firewall...

Configuring Multiple Privilege Levels

To configure a new privilege level for users and associate commands with a privilege level, use the privilege command syntax as follows:
privilege mode [all] {level level | reset} command-string
Table 5-3 shows the different options that the privilege command provides. all: (Optional) Changes the privilege level for all the suboptions to the same level. level: Specifies the privilege level you are configuring for the specified command or commands. The level argument must be a number from 0 to 15. reset: Resets the...

Configuring Port Security

Consider the following when configuring port security: You cannot configure port security on a trunk port. You cannot enable port security on a SPAN destination port and vice versa. You cannot configure dynamic, static, or permanent CAM entries on a secure port. When you enable port security on a port, any static or dynamic CAM entries associated with the port are cleared; any currently configured permanent CAM entries are treated as secure. NOTE The following port security configuration is for...

Configuring Radius on Cisco IOS

To configure RADIUS on your Cisco router or access server, you must perform the following steps:
Step 1 Enable AAA. Use the aaa new-model global configuration command to enable AAA.
Step 2 Identify the RADIUS server. Use the radius-server host command to specify the IP address. Use the radius-server key command to specify an encryption key that will be used to encrypt all exchanges between the network access server and the RADIUS server.
Step 3 Configure AAA services. Use the aaa authentication...

Configuring Tacacs on Cisco IOS

To configure the Cisco access server to support TACACS+, you must perform the following steps:
Step 1 Enable AAA. Use the aaa new-model command to enable AAA.
Step 2 Identify the TACACS+ server. Use the tacacs-server host command to specify the IP address or name of one or more TACACS+ servers.
Step 3 Configure AAA services. Use the aaa authentication command to define method lists that use TACACS+ for authentication.
Step 4 Apply the method lists to the interfaces. Use line and interface...

Configuring the Easy VPN Server

Remember that the Easy VPN Server configuration is the most important because it is the central location where the other VPN client connections terminate. To configure Easy VPN Server on your Cisco IOS 12.2(8)T or later router, follow these steps:
Step 1 Prepare the router for Easy VPN Server.
Step 2 Configure the group policy lookup.
Step 3 Create the ISAKMP policy for the remote VPN clients.
Step 4 Define a group policy for a mode configuration push.
Step 5 Create the transform set.
Step 6 Create...

Configuring the Enable Password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode:
enable password [level level] {password | encryption-type encrypted-password}
Table 5-2 shows the different options that the enable password command has. level: Level for which the password applies. You can specify up to 15 privilege levels, using numbers 1 through 15. This is an optional parameter that provides not only authentication but also authorization. password: Password users type this...

Configuring Username Authentication

You can create a username-based authentication system, in which a user is prompted for a username and password when attempting to access the network access server (NAS) or router. The username and password database is stored locally on the Cisco NAS device. To establish username authentication, use the following commands in global configuration mode:
Router(config)# username name {nopassword | password password | password encryption-type encrypted-password}
The following example shows the creation of a...

Contents

Foreword xxiii
Introduction xxiv
Part I An Overview of Network Security 2
Chapter 1 Network Security Essentials 5
"Do I Know This Already?" Quiz 5
Foundation Topics 9
Balancing Business Need with Security Requirement 9
Security Policy Goals 12
Security Guidelines 13
Management Must Support the Policy 13
The Policy Must Be Technically Feasible 14
The Policy Should Not Be Written as a Technical Document 14
The Policy Must Be Implemented Globally Throughout the Organization 14
The Policy Must Clearly...

Contents at a Glance

Attack Threats Defined and Detailed 23
Authentication, Authorization, and Accounting (AAA)
Authentication, Authorization, and Accounting 115
Configuring RADIUS and TACACS+ on Cisco IOS Software 137
Cisco Secure Access Control Server 157
Administration of Cisco Secure Access Control Server
The Cisco IOS Firewall Feature Set 188
Securing the Network with a Cisco Router 191
Context-Based Access Control (CBAC) 231
Authentication Proxy and the Cisco IOS Firewall 251
Intrusion Detection and the Cisco...

Controlling Interactive Access Through a Browser

Administrative access support via a browser is supported by Cisco IOS Software Release 11.0(6) and later. This feature is disabled by default but can be enabled by the ip http server command. However, the use of HTTP to manage a router presents some inherent vulnerabilities. The Cisco IOS HTTP server provides authentication, but not encryption, for client connections. The data that the client and server transmit to each other is not encrypted. This leaves communication between clients and...

Create and Apply Audit Rules

The next task requires you to create the audit rules and apply them to the correct interface of the Cisco IOS firewall. It is possible to create an audit rule that excludes specific hosts or networks and apply that rule to the interface. Creating and applying the audit rules is a four-step process. You must configure the IDS to respond to information and attack signatures. The response can be one or more of three actions: alarm: This command sends an alarm to the syslog server or the...

Create and Apply Crypto Maps

The crypto map is used to apply the ACLs, define the addresses for the local and remote peers, and define how the IPSec SA is established and maintained. Each crypto map is given a sequence number and a name. For this exercise, the name crypto-map is used after the peer location. Configure the crypto maps on the New York router:
NewYork(config)# crypto map MCNS 10 ipsec-isakmp
NewYork(config)# match address 110
NewYork(config)# set peer 192.168.20.1
NewYork(config)# set pfs group2
NewYork(config)#...

Debugging Context Based Access Control

The following three types of debug commands are available for debugging CBAC: Transport level debug commands. Application protocol debug commands. To assist CBAC debugging, you can turn on audit trail messages that will be displayed on the console after each CBAC session closes. To turn on audit trail messages, use the following global configuration command. You can use the generic debug commands listed in Table 14-5. Display messages about software functions called by CBAC. Display...

Define an Inspection Rule

The inspection rule defines the IP traffic monitored by CBAC. The ip inspect name command enables you to define a set of inspection rules. Table 14-3 shows the ip inspect command parameters.
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
no ip inspect name inspection-name protocol
Table 14-3 The ip inspect name Command Parameters
Names the set of inspection rules. If you want to add a protocol to an...

Define VPN Configuration Parameters

Now that you have selected the method for securing communications among the three corporate locations, the next step is to define the VPN parameters. Before you can configure the VPN, you must first determine which parameters are to be used for each connection. Remember that Chapter 17, Building a VPN Using IPSec, emphasized the importance of completely planning your VPN connectivity before you begin the implementation (because of the complexity of the configuration and zero margin for error)....

Describe the Easy VPN Server

As mentioned in the beginning of this chapter, Easy VPN is a client server product that allows for simplified VPN connectivity with branch offices, remote offices, and remote users. The server portion of this product is called Cisco Easy VPN Server and is a component of Cisco IOS Software Release 12.2(8)T. The client component installs on Cisco routers designed for remote office home office (ROHO) use, Cisco PIX 501 Firewall, the 3002 hardware VPN client, and the Cisco VPN client software...

Do I Know This Already Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 11-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions...

Enroll with the CA

For the moment, the perimeter routers only need to enroll with the CA. The VPN connections may be converted over to the CA solution after the company merger is completed and the networks converge.
NewYork(config)# crypto ca enroll CA_Server
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved on the configuration. Please make a note of it.
Password: New-York...

Exam Registration

The SECUR exam is a computer-based exam, with multiple-choice, fill-in-the-blank, list-in-order, and simulation-based questions. You can take the exam at any Pearson VUE (http://www.pearsonvue.com) or Prometric (http://www.2test.com) testing center. Your testing center can tell you the exact length of the exam. Be aware that when you register for the exam, you might be told to allow a certain amount of time to take the exam that is longer than the testing time indicated by the testing software when...

Explain the Issues Regarding Configuring IPSec Manually and Using RSA Encrypted Nonces

The only additional process required for implementing IPSec using RSA nonces is the key generation and exchange process. The following steps are required to generate and exchange RSA keys: Plan the implementation using RSA keys. Configure the router host name and domain name. As mentioned in the section "How to Use This Book" in the Introduction to this book, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Final Scenarios

Your team of consultants has been hired by the MCNS Financial Group. This organization has a medium-sized network with headquarters in New York City and branch offices in Atlanta and Los Angeles. They also have approximately 20 sales personnel who need remote connectivity. The organization contracted your services after their network was breached and they narrowly averted a public relations nightmare. They currently have all locations connected to the Internet via T1 connections purchased from...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your SECUR exam, a well-prepared candidate should at a minimum know all the details in each Foundation Summary before going to take the exam. In today's very dynamic environment, it is not enough just to secure the network perimeter. With the increasing use of intranets, extranets, remote users, and wireless technology,...

Foundation Topics

One of the important elements to securing the network is preventing unauthorized users from gaining access to router and switch administrative access interfaces. If an intruder were to gain console or terminal access into a networking device, such as a router, switch, or network access server, that person could do significant damage to your network, perhaps by reconfiguring the device, or even by just viewing the device's configuration information. Typically, you want administrators to have...

How Authentication Proxy Works

Unlike many Cisco IOS firewall functions, authentication proxy is not a service that is transparent to the user. On the contrary, it requires user interaction. The authentication proxy is triggered when the user initiates an HTTP session through the Cisco IOS firewall. The firewall checks to see whether the user has already been authenticated. If the user has previously authenticated, it allows the connection. If the user has not previously authenticated, the firewall prompts the user for a...

How CBAC Works

A CBAC inspection rule is created to specify which protocols you want to be inspected. You then apply the rule to the desired interface and specify the direction (in or out). Only specified protocols are inspected by CBAC. Packets entering the Cisco IOS firewall are inspected by CBAC only if they first pass the inbound ACL at the interface. If a packet is denied by the ACL, the packet is just dropped and not inspected by CBAC. CBAC creates temporary openings in ACLs at Cisco IOS firewall...
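The configuration below is an added example written for this page, not the book's own, showing the three parts the paragraph describes: an inspection rule, the inbound ACL it punches temporary holes in, and both applied to the same Internet-facing interface. The rule name OUTBOUND, the interface, the addresses and the timer values are assumptions.

```cisco
! Added example: CBAC on the Internet-facing interface (names/addresses assumed).
!
! 1. Inspection rule: which protocols to track. Generic tcp/udp cover everything
!    else; application-aware entries (ftp, http, smtp) add protocol checks.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND http
ip inspect name OUTBOUND smtp
! Session timers (seconds): tear down half-open and idle sessions promptly.
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
! Half-open session thresholds; above "high" CBAC starts deleting them.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! 2. Inbound ACL on the outside interface: block everything not explicitly
!    needed. CBAC adds temporary entries to this list for the return traffic
!    of sessions it inspected on the way out; a packet denied here is dropped
!    before CBAC ever sees it.
access-list 101 permit tcp any host 172.16.10.101 eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
! 3. Apply the rule outbound and the ACL inbound on the same interface.
interface Serial0/0
 description Link to the Internet
 ip address 192.168.200.1 255.255.255.0
 ip access-group 101 in
 ip inspect OUTBOUND out
!
! Verification:
! show ip inspect config     -> rules and timers
! show ip inspect sessions   -> live state table
! show ip access-lists 101   -> temporary entries appear while sessions are open
```

Because only the listed protocols are inspected, a protocol you forget to name (for example DNS over UDP if the udp line were missing) gets no return opening and simply fails; check show ip inspect sessions before blaming the ACL.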

How IPSec Works

Five specific steps are required to create and terminate an IPSec VPN tunnel. The endpoints perform different functions to establish the encrypted connection at each step. Figure 17-3 provides a description of the steps required to create and terminate the IPSec tunnel. Figure 17-3 Creating an IPSec VPN Tunnel Step 1 The user at the source computer in Boston initiates a connection to the destination system in New York. The router in Boston recognizes the...
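As an added example, not from the book, this is the Boston router's side of a site-to-site IPSec tunnel with preshared keys, annotated with the step of the five-step process each part serves. The peer address 192.168.2.1 (New York), the LAN prefixes 10.1.1.0/24 and 10.2.2.0/24, the interface and the key are assumptions; the New York router needs the mirror image (same policy and transform set, reversed crypto ACL).

```cisco
! Added example: site-to-site IPSec, Boston side (addresses and key assumed).
!
! Step 2: IKE phase 1 policy (ISAKMP SA) and the preshared key for the peer.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key BosNyPreSharedKey address 192.168.2.1
!
! Step 3: IKE phase 2 proposal (IPSec SA): ESP with 3DES and SHA-1 HMAC.
crypto ipsec transform-set BOS_NY_SET esp-3des esp-sha-hmac
 mode tunnel
!
! Step 1: "interesting traffic". Only packets matching this ACL trigger IKE
! and get protected; anything else leaves the interface in the clear.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Tie peer, proposal and interesting traffic together in a crypto map...
crypto map BOS_NY 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set BOS_NY_SET
 match address 110
!
! ... and apply the map to the outside interface.
interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map BOS_NY
!
! Step 4 is the encrypted data transfer. Step 5, tunnel termination, happens
! when the SA lifetime expires or on: clear crypto sa / clear crypto isakmp
!
! Verification:
! show crypto isakmp sa   -> state QM_IDLE means phase 1 completed
! show crypto ipsec sa    -> #pkts encaps/decaps counters grow with traffic
! debug crypto isakmp     -> (lab only) shows which proposal attribute mismatched
```

The most common failure is a mismatch between the two ends (a different hash, DH group, transform set, or a crypto ACL that is not an exact mirror); the debug output names the attribute that was rejected. 3DES and SHA-1 reflect the exam-era IOS feature set; on images that support it, AES and SHA-2 are the appropriate choice today.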

How to Prepare for an Exam

The best way to prepare for any certification exam is to use a combination of the preparation resources, labs, and practice tests. This guide has integrated some practice questions and labs to help you better prepare. If possible, you want to get some hands-on time with the Cisco IOS routers. There is no substitute for experience, and it is much easier to understand the commands and concepts when you can actually work with the Cisco IOS router. If you do not have access to a Cisco IOS router,...

How to Use This Book

Each chapter tends to build upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations. The chapters of the book cover the following topics Chapter 1, Network Security Essentials Chapter 1 is an overview of network security in general terms. This chapter defines the scope of network security and discusses the delicate balancing act required to ensure that you fulfill the...

Implement Authentication Proxy

MCNS maintains a DMZ segment in New York and hosts an application that needs to be available to their business partners. This example configures the Cisco IOS firewall to perform authentication proxy inbound, without CBAC or NAT, for any source attempting to access this application at the destination address 172.16.10.101. Configuration of the authentication proxy requires the following three steps 3. Configure the authentication proxy. Figure 21-4 shows the location of the AAA server and partner...
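The configuration below is an added example written for this page, not the book's own, covering the flow described in "How Authentication Proxy Works" and the inbound case set up here: AAA pointing at the TACACS+ server, the router's HTTP server (which serves the login page) bound to AAA, and an auth-proxy rule on the partner-facing interface. The hostname, interface names, the AAA server address 172.16.10.5 on the DMZ, the outside address 192.168.200.1, the rule name PARTNER_APP and the TACACS+ key are assumptions. On the Cisco Secure ACS side the auth-proxy service for the group must return priv-lvl=15 and a proxyacl#1 entry permitting TCP to 172.16.10.101 port 80; that entry is what the router installs as a dynamic ACL line after a successful login.

```cisco
! Added example: inbound authentication proxy, no CBAC or NAT.
! Addresses, names and the TACACS+ key are assumptions, not from the book.
hostname NYFW
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
!
tacacs-server host 172.16.10.5
tacacs-server key S3cr3tKey
!
! The proxy's login page is served by the router's own HTTP server,
! so it must be enabled and must authenticate against AAA.
ip http server
ip http authentication aaa
!
! Idle timeout for an authenticated entry, in minutes.
ip auth-proxy auth-cache-time 60
! Rule: intercept HTTP arriving on whatever interface the rule is applied to.
ip auth-proxy name PARTNER_APP http
!
! Inbound ACL on the partner-facing interface: allow HTTP to the router itself
! (the login prompt) and deny everything else. After a user authenticates,
! the proxyacl entries returned by ACS are inserted into this list for that
! user's source address; the AAA server sits on the DMZ, so no entry for the
! TACACS+ exchange is needed on this interface.
access-list 100 permit tcp any host 192.168.200.1 eq www
access-list 100 deny ip any any
!
interface FastEthernet0/0
 description Outside, toward business partners
 ip address 192.168.200.1 255.255.255.0
 ip access-group 100 in
 ip auth-proxy PARTNER_APP
!
! Verification:
! show ip auth-proxy cache    -> authenticated hosts and remaining idle time
! show ip access-lists 100    -> dynamic entries added after login
! debug ip auth-proxy tcp     -> (lab only) watch the intercept and AAA exchange
```

After a partner logs in, show ip auth-proxy cache lists the host and its idle timer; the dynamic entries vanish when auth-cache-time expires, and the next HTTP request from that host triggers a fresh prompt. Because the prompt travels over plain HTTP on the outside interface, the partner's credentials are exposed on the path unless the HTTP server is switched to HTTPS on images that support it.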

Installation and Login to Router MC

The Router MC is installed on the CiscoWorks 2000 server from the Router MC CD-ROM. If you are installing the Router MC on a Windows server, you can use the Installation Wizard and follow the default settings. The Router MC defaults to the CiscoWorks common services folder (C:\Program Files\CSCOpx) and automatically creates its database as part of the installation process. The Installation Wizard will show an Installation Complete window upon successful installation, prompting you to click...

Installing Cisco Secure ACS

After confirming your system requirements for Cisco Secure ACS for Windows, run the setup program to install the software. Figure 10-1 shows a checklist window that comes up during the first part of the installation process. Figure 10-1 Checklist Window That Appears During the Installation Process for Cisco ACS 3.2 BEFORE YOU BEGIN, the following items must be complete: End-user clients can successfully connect to AAA clients. This Windows Server can ping the AAA clients. Any Cisco IOS AAA...

Intruder Motivation

Several motivations prompt someone to intrude on another's network. Although no text can list all the reasons that someone would choose to steal or corrupt data, some common themes become evident when looking at the motivations of previous intruders. To refine the discussion of intruder motivations, it is first necessary to define some terms. In the context of this chapter, the word intruder can be defined as someone who attempts to gain access to a network or computer system without...

Intruding for Curiosity

Sometimes people are just curious regarding the data contained in a system or network. One incident typical of this type is a 14-year-old boy who broke into a credit card company's system to look around. When asked the reason for breaking into the system, he replied that simple curiosity was the motivation. Sometimes an employee, for example, may attempt to break into a payroll system just to see whether he or she is receiving pay in accordance with coworkers. Alternatively, an employee may be...

Intruding for Political Purposes

The fact that economies depend largely upon electronic transactions makes those economies vulnerable to disruptions by an attacker. Cyber-warfare does exist and can pose a real threat to any economy. If disruption of an economy is desired, doing so through electronic means may become the chosen method due to a number of factors. Among these factors are the ability to launch an attack from virtually any location, low equipment cost, low cost of connectivity, and a lack of sufficient protection....

Intruding for Profit

Profit is another powerful motivator for breaking into systems. Credit card information, unauthorized bank transfers, and manipulation of billing information can be extremely profitable if successful. However, not all intrusions for profit are based on money. In November 2002, a prominent news agency was accused of breaking into a Swedish company's computer system to steal data related to financial performance. The news agency was accused of obtaining this information to release it before the...

Logging and Audit Trail

Real-time alerts send syslog error messages to central management consoles upon the detection of suspicious activity. Enhanced audit trail features use syslog to track all transactions and to record timestamps, source host, destination host, ports used, session duration, and the total number of transmitted bytes for advanced, session-based reporting (from http://www.cisco.com/en/...). To enable logging and send messages to a syslog server, use the following commands Firewall(config)# logging on...
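As an added example, not from the book, the following completes the logging setup so that both the real-time alerts and the per-session audit trail actually reach a syslog server with usable timestamps. The syslog server address 172.16.10.20, the source interface, the time zone and the inspection rule name are assumptions.

```cisco
! Added example: syslog plus CBAC audit trail (server address and names assumed).
!
! Without timestamps the audit trail cannot be correlated with anything else.
service timestamps log datetime msec localtime show-timezone
clock timezone EST -5
!
logging on
logging buffered 16384 informational
logging host 172.16.10.20
! %FW-6-SESS_AUDIT_TRAIL messages are severity 6, so the trap level must be
! at least informational or the syslog server never receives them.
logging trap informational
logging source-interface FastEthernet0/1
!
! Per-session start/stop records with byte counts, off by default.
ip inspect audit-trail
! Real-time alerts are on by default; "ip inspect alert-off" would silence them.
no ip inspect alert-off
!
! The audit trail can also be switched on per inspection rule instead of globally:
ip inspect name OUTBOUND tcp audit-trail on
!
! Illustrative shape of the resulting messages (constructed, not captured):
! %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.25:3412) -- responder (172.16.10.101:80)
! %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (10.1.1.25:3412) sent 1024 bytes -- responder (172.16.10.101:80) sent 8192 bytes
!
! Verification: show logging   -> trap level, server, and the buffered copy of recent messages
```

Syslog is UDP and unauthenticated, so the management segment carrying it should be separated from user traffic; the buffered copy on the router is the fallback if the server is unreachable or flooded.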

Management Center for VPN Routers Router MC

Router MC is a web-based application designed for management of enterprise VPN and firewall configurations on Cisco IOS routers. Router MC allows for remote management and monitoring of both firewall and VPN features on the Cisco router. The Router MC is installed on either a CiscoWorks 2000 or CiscoWorks VMS server and can be accessed from client machines using a web browser and a Secure Sockets Layer (SSL) connection. The Router MC allows for a centralized configuration of Internet Key...

Managing Enterprise VPN Routers

Obviously, the management of any enterprise network is a very complex task. The management of VPN routers on the enterprise can add an additional level of complexity due to the strict configuration requirements for each device to maintain VPN connectivity. It is imperative that the configurations of both VPN endpoints include enough matching components to allow the VPN to come up. If the configuration is changed on either end and no longer matches its peer, the systems cannot create the VPN and...

Network Security as a Process

The security wheel demonstrates the ongoing process to ensure that networks are secured and remain secure. The driving force at the center of the SPA is the security policy. The security policy states how often testing and monitoring must occur, what areas are tested, and how new security initiatives are implemented. Four steps must be considered while implementing a security policy. Keep in mind that this is not a single process that is completed after one round. This is an ongoing process that...

Overview of Cisco Router CA Support

The advantage of using CA support is that peers no longer have to manually exchange preshared keys or, as with RSA-encrypted nonces, each other's public keys. When two peers begin the IKE negotiation, they exchange certificates, and each peer validates the other's certificate against the CA's public key. This process greatly improves manageability because there is no requirement to track a key for every peer. As a result, this solution is very easy to scale. Cisco IOS Software supports the following CA standards RSA keys RSA is an asymmetric public key cryptography system. RSA keys come in...
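The following is an added example, not the book's own, of enrolling a router with a CA and switching IKE to RSA signatures so that no per-peer key has to be configured. The hostname, domain name, CA address, trustpoint name and key size are assumptions; the crypto ca trustpoint syntax is that of IOS 12.2(8)T and later (older images use crypto ca identity for the same purpose).

```cisco
! Added example: CA enrollment for IKE (names, addresses and sizes assumed).
! Certificates are time-bound: set the clock (clock set ...) or configure NTP
! before enrolling, or validity checks fail.
hostname BOSTON
ip domain-name mcns.example
!
! 1. Generate the RSA key pair that the certificate will bind to this router.
!    The key name is derived from hostname + domain name, so set those first.
crypto key generate rsa general-keys modulus 1024
!
! 2. Declare the CA (trustpoint) and how to reach it (SCEP over HTTP).
crypto ca trustpoint MCNS-CA
 enrollment url http://172.16.10.30:80
 enrollment retry count 5
 enrollment retry period 2
 ! "crl optional" lets IKE proceed when the CRL cannot be fetched. That is a
 ! lab convenience: in production a revoked peer certificate would still be
 ! accepted while the CRL is unreachable, so leave CRL checking mandatory.
 crl optional
!
! 3. Fetch the CA's own certificate. Compare the fingerprint IOS prints with
!    one obtained out of band before answering "yes"; this is the root of trust.
crypto ca authenticate MCNS-CA
! 4. Request this router's certificate (interactive: challenge password, etc.).
crypto ca enroll MCNS-CA
!
! 5. IKE policy now authenticates with RSA signatures; no preshared key per peer.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Verification:
! show crypto ca certificates   -> CA and router certificates with validity dates
! show crypto key mypubkey rsa  -> the key pair the certificate refers to
```

The crypto map and transform set are unchanged from the preshared-key configuration; only the phase 1 authentication method and the trust material differ.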

Overview of Defense in Depth

The term internetworking refers to the task of connecting different networks so they can communicate, share resources, and so on. Many organizations consider their perimeter to be the connection to the Internet; however, with the liberal use of intranet, extranet, and remote user connections, the true perimeter has faded and is difficult to determine. This issue is further complicated by the organizations on the far end of your intranet, extranet, and remote user connections. It is no longer...

PAP and CHAP Authentication

Traditionally, remote users dial in to an access server to initiate a PPP session. PPP is the standard encapsulation protocol for the transport of different network protocols across ISDN, serial, or Public Switched Telephone Network (PSTN) connections. PPP currently supports two authentication protocols PAP and CHAP. Both were originally specified in RFC 1334 (CHAP is now defined by RFC 1994) and are supported on synchronous and asynchronous interfaces. Authentication via PAP or CHAP is equivalent to typing in a username and password when...
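As an added example, not the book's own, here is the access-server side of a PPP link authenticated with CHAP, with PAP allowed only as a fallback. The usernames, shared secret, interface and addresses are assumptions. The point worth noticing is how the secret must be stored: CHAP hashes the cleartext secret with each challenge, so the router must be able to recover it, which rules out the MD5-hashed username secret form.

```cisco
! Added example: PPP CHAP on a serial/dial link, access-server side (names assumed).
!
! The CHAP secret is recomputed into MD5(id || secret || challenge) on every
! login, so it must be stored as a recoverable "password" (type 7 at best once
! service password-encryption is on), not as an MD5 "secret".
username atlanta-rtr password 0 Ch4pSharedSecret
!
interface Serial0/1
 description Link to Atlanta
 ip address 10.255.0.1 255.255.255.252
 encapsulation ppp
 ! Try CHAP first, then PAP. Listing pap lets a peer refuse CHAP and send the
 ! password in the clear, so drop the pap keyword unless a legacy peer needs it.
 ppp authentication chap pap
 ! Name this router presents to the peer (defaults to the hostname).
 ppp chap hostname nyc-rtr
!
! The remote end (a Cisco router here) needs the mirror image:
!   username nyc-rtr password 0 Ch4pSharedSecret
!   interface Serial0/1
!    encapsulation ppp
!    ppp authentication chap
!
! What a sniffer on the line sees: with PAP, the username and password;
! with CHAP, only the challenge and the MD5 response, never the secret itself.
!
! Verification:
! debug ppp authentication   -> (lab only) CHALLENGE / RESPONSE / SUCCESS sequence
! show interfaces serial0/1  -> LCP Open once authentication passed
```

With two-way authentication both routers define a username for the other; the secret is the same on both sides, but the username each presents is its own ppp chap hostname (or hostname).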

An Overview of Network Security

Chapter 1 Network Security Essentials Chapter 2 Attack Threats Defined and Detailed Chapter 3 Defense in Depth Although Cisco has not defined specific exam objectives that apply to this part of the book, it is imperative that you have an in-depth understanding of network security principles. This part is designed to give you the foundation you need to fully grasp the topics covered in the remaining parts of the book.

Authentication Authorization and Accounting AAA

Chapter 7 Authentication, Authorization, and Accounting Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software Chapter 9 Cisco Secure Access Control Server Chapter 10 Administration of Cisco Secure Access Control Server This part of the book addresses the following exam objectives as posted at Cisco.com Describe the components of a basic AAA implementation Test the perimeter router AAA implementation using applicable debug commands Describe the features and architecture of CSACS 3.0 for...

The Cisco IOS Firewall Feature

1 Securing the Network with a Cisco Router 4 Context-Based Access Control (CBAC) 5 Authentication Proxy and the Cisco IOS Firewall 6 Intrusion Detection and the Cisco IOS Firewall This part of the book addresses the following exam objectives as posted at Cisco.com Secure administrative access for Cisco routers Disable unused router services and interfaces Use access lists to mitigate common router security threats Define the Cisco IOS Firewall and CBAC Describe how authentication proxy...

Virtual Private Networks

Chapter 17 Building a VPN Using IPSec Chapter 18 Scaling a VPN Using IPSec with a Certificate Authority Chapter 19 Configuring Remote Access Using Easy VPN Chapter 20 Scaling Management of an Enterprise VPN Environment This part of the book addresses the following exam objectives as posted at Cisco.com Configure a Cisco router for IPSec using preshared keys Verify the IKE and IPSec configuration Explain the issues regarding configuring IPSec manually and using RSA encrypted nonces Advanced...

Port Security for Ethernet Switches

The port security feature enables you to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port. This also is referred to as MAC address lockdown. The global resource for the system is 1024 MAC addresses. In addition to this global resource space, there is space for one default MAC address per port to be secured. The total number of MAC addresses that...
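The configuration below is an added example written for this page, not the book's own. The 1024-address global limit described above is that of the older Catalyst 2900XL/3500XL port security implementation; this example uses the switchport port-security syntax of Catalyst 2950/3550-class IOS switches, which expresses the same MAC address lockdown. The port numbers, VLAN, MAC address and recovery interval are assumptions.

```cisco
! Added example: MAC address lockdown on access ports (ports, VLAN, MAC assumed).
!
interface FastEthernet0/12
 description User workstation, one device only
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Only one MAC address may use this port...
 switchport port-security maximum 1
 ! ...and it is pinned to the known workstation (omit to learn the first MAC seen).
 switchport port-security mac-address 0001.4277.bc2e
 ! On a violation the port is err-disabled (the default). Alternatives:
 !   protect  - silently drop frames from unknown MACs
 !   restrict - drop them and count/trap the violation
 switchport port-security violation shutdown
!
! Sticky learning: learn the first MAC dynamically but write it into the
! running configuration, so it survives a reboot once "copy run start" is done.
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
! Re-enable err-disabled ports automatically after 5 minutes instead of by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! show port-security interface FastEthernet0/12   -> status, violation count, last source MAC
! show port-security address                      -> all secured addresses and their type
```

Port security only ties a port to a MAC address; an attacker who can read a legitimate station's MAC address can spoof it, so it is a control against casual unauthorized attachment and MAC flooding, not an authentication mechanism.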

PortToApplication Mapping

Port-to-application mapping (PAM) enables you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. PAM enables CBAC-supported applications to be run on nonstandard ports. Using PAM, network administrators can customize access control for specific applications and services to meet the distinct...
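As an added example, not from the book, the following maps HTTP onto two nonstandard ports, once system-wide and once only for a single host, and shows the inspection rule that then benefits. The ports, the host 172.16.10.101, the ACL number and the rule name are assumptions.

```cisco
! Added example: port-to-application mapping for CBAC (ports and hosts assumed).
!
! System-wide mapping: treat TCP 8080 as HTTP for every host.
ip port-map http port 8080
!
! Host-specific mapping: only for 172.16.10.101, treat TCP 8443 as HTTP.
! A standard ACL names the hosts; the mapping applies to them alone.
access-list 10 permit host 172.16.10.101
ip port-map http port 8443 list 10
!
! System-defined ports (for example 23 for telnet, 25 for smtp) cannot be
! remapped with a system-wide entry; only a host-specific mapping may override them.
!
! The CBAC rule needs no change: the http keyword now inspects 80, 8080 and,
! for 172.16.10.101, 8443 with the same HTTP-aware checks.
ip inspect name OUTBOUND http
!
! Verification:
! show ip port-map          -> system and user-defined mappings, with any ACL
! show ip port-map http     -> every port currently treated as HTTP
```

Without the mapping, traffic to the nonstandard port is still covered by a generic tcp inspection entry (if one exists), but only at the TCP layer: the application-specific checks, and the dynamic openings that depend on them, are skipped.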

Q&A

As mentioned in the section, How to Use this Book, in the Introduction to this book, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in the appendix. For more practice with exam-like...

Reconnaissance Attacks

The term reconnaissance attack is misleading. The goal of this type of attack is actually to perform reconnaissance of a computer or network, and the goal of the reconnaissance is to determine the makeup of the targeted computer or network and to search for and map any vulnerabilities. A reconnaissance attack can be an indicator of the potential for other more invasive attacks. Many reconnaissance attacks have been written into scripts that enable novice hackers or script kiddies to launch...

Remote Security Servers

A remote security database provides uniform remote-access security policies throughout the enterprise. It centrally manages all remote user profiles. Cisco network devices support the following three primary security server protocols Terminal Access Controller Access Control System (TACACS) provides a way to centrally validate all users individually before they can gain access to a router or access server. TACACS was developed for the United States Department of Defense and is described in RFC...

Router Configuration Modes

Before jumping into the command-line interface (CLI) of the Cisco router, it is important to understand the different command modes available. Consider the command mode to be a level where you are able to perform specific functions. If you are not at the correct level, you cannot perform the correct function (to configure the router). This is a very simplified explanation but will make more sense as each mode is discussed. The following are command modes on a Cisco router ROM monitor mode The...

Router MC Integration with CiscoWorks Common Services

CiscoWorks common services provide the core server-side components required to facilitate communication with the Router MC. Although many of the core administrative functions are not performed within the Router MC, many are performed within CiscoWorks. The tasks performed by CiscoWorks common services include the following Data backup and restoration Integration with other CiscoWorks packages such as Cisco Secure Access Control Server Database administration and service control Logging of...

Router MC Workflow

After connecting to the Router MC, you will want to begin your VPN router configurations. The workflow for this task is as follows 1. Create the activity. As discussed earlier in this chapter, the activity is defined as the virtual context, in which tasks are performed. You must create the activity to create the devices, groups, and tasks that you want to perform. At this point, the activity is in editable status and can be changed by any other user who has the correct permissions. If an...

Rules of the Road

We have always found it very confusing when different addresses are used in the examples throughout a technical publication. For this reason we are going to use the address space depicted in Figure I-2 when assigning network segments in this book. Note that the address space we have selected is all reserved space per RFC 1918. We understand that these addresses are not routable across the Internet and are not normally used on outside interfaces. Even with the millions of IP addresses available...

Securing Console Access

The console administrative interface is primarily accessed by attaching a terminal (for instance, a laptop) directly to a router. Physical security has to be put in place to prevent unauthorized users from gaining access to the router's console interface. You also have to configure the router to require a password when users try to access it via the console port. The router or switch can authenticate users locally or via a remote security database such as Cisco Secure Access...

Securing vty Access

Any vty should be configured to accept connections only with the protocols actually needed. You can do this with the transport input command. A vty expected to receive only Telnet sessions could be configured with transport input telnet, for example, whereas a vty permitting both Telnet and SSH sessions would have transport input telnet ssh. Configuring transport input none disables all inbound connections on the vty if you want to disable the service entirely. One way to reduce this exposure is to configure an...

Security Policies

Security policies are created based upon the security philosophy of the organization. The technical team uses the security policy to design and implement the corporate security structure. The corporate security policy is a formal statement that specifies a set of rules users must follow while accessing the corporate network. The security policy is not a technical document it is a business document that lays out the permitted and prohibited activities as well as the efforts and responsibilities...

Self Imposed Vulnerabilities

All networks contain a combination of public and private data. A properly implemented security scheme protects all of the data on the network yet allows some data to be accessed from outside entities, usually without the ability to change that data. One example of this may be the corporate website. Other data, such as payroll information, should not be made available to the public and should be restricted to only specific users within the organization. Network security, properly implemented,...

Service password-encryption

The service password-encryption command stores passwords in an encrypted manner in the router configuration. Router(config)# service password-encryption The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. The scheme used is Cisco's reversible type 7 encoding: it keeps passwords from being read off a screen or out of a backed-up configuration at a glance, but anyone holding a copy of the configuration can recover them, so the privileged password should be set with enable secret (an MD5 hash) rather than protected by this command alone. This command is...

Setting Up a Cisco IOS Router or Switch as an SSH Client

Before you start with the SSH configuration, load the required image onto your router. The SSH server requires an IPSec (DES or 3DES) encryption software image from Cisco IOS Software Release 12.1(1)T or later; the SSH client requires an IPSec (DES or 3DES) encryption software image from Release 12.1(3)T or later. To enable SSH support on a Cisco IOS router, follow these four steps Step 1 Configure the hostname...

Small Server Services

TCP and UDP small servers are services that run in the router and are useful for diagnostics. These include the following Echo (UDP, TCP) This simple port just echoes whatever is sent to it. Chargen (UDP, TCP) Generates a stream of characters (TCP) or a packet containing characters (UDP). Daytime (TCP) Responds with the current time of day. The protocol specification doesn't clearly define the format of the data returned, so every machine responds in a slightly different format. This can be...
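The configuration below is an added example written for this page, not the book's own, that brings together the points of "Securing Console Access", "Securing vty Access", "Service password-encryption", the four SSH setup steps and "Small Server Services" in one hardened administrative-access configuration. The hostname, domain name, management subnet 172.16.10.0/24, usernames, passwords and timeouts are assumptions; ip ssh version 2 needs Release 12.3(4)T or later and is simply omitted on older images.

```cisco
! Added example: hardened administrative access (names, addresses, passwords assumed).
hostname NYFW
ip domain-name mcns.example
!
! Privileged password as an MD5 hash (type 5). "enable password" would only
! become type 7 under service password-encryption, and type 7 is reversible.
enable secret 0 Pr1vM0deS3cret
! Obfuscate every remaining cleartext password in the configuration (type 7).
service password-encryption
! Local account for the lines; "secret" stores an MD5 hash, unlike "password".
username admin privilege 15 secret 0 Adm1nL0g1n
!
! Console: require a login and time out idle sessions (physical security still
! applies; whoever holds the console cable can also trigger password recovery).
line console 0
 login local
 exec-timeout 5 0
! Auxiliary port: nobody should be dialling in here.
line aux 0
 no exec
 transport input none
!
! SSH: hostname and domain name above are steps 1 and 2; the RSA key is step 3
! and the ssh parameters step 4.
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
! vty: only from the management subnet, only over SSH, with a local login.
access-list 10 remark management stations allowed to open vty sessions
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 5 0
 transport input ssh
!
! Diagnostic services that only help an attacker fingerprint or flood the router.
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
!
! Verification:
! show running-config | include secret|password  -> "5 $1$..." for secrets, "7 ..." for obfuscated passwords
! show ip ssh                                    -> SSH Enabled - version 2.0
! ssh -l admin <router> from the management subnet succeeds; telnet and any
! connection from outside 172.16.10.0/24 are refused before a prompt appears
```

The access-class line is what limits exposure even if the SSH daemon has a weakness: sources outside the management subnet never reach the authentication exchange. Chargen and echo are disabled here because a single packet to one spoofed from the other can make two routers flood each other indefinitely.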

Step 1 Complete the Network Configuration

To complete the network configuration, connect to the CSACS using your browser and click the Network Configuration icon on the left border. Figure 15-7 depicts the Network Configuration page of the CSACS. Figure 15-7 CSACS Network Configuration Page Ensure that the Cisco IOS firewall is listed as a AAA client. The IP address should be the address of the interface that faces the AAA server, and the...

Step 2 Complete the Interface Configuration

The next step is to complete the interface configuration. Select the Interface Configuration icon on the left border and scroll down in the Edit window until you get to the TACACS+ Services configuration box. Figure 15-9 depicts this area. In Figure 15-9, you can see that TACACS+ services can be assigned to either users or groups. In the New Services block, check the Group box and list the service as auth-proxy. Figure 15-9 Interface Configuration Window...