Accessing the Cisco Router CLI

Table 4-4 describes the three connection methods used for management of the router and the command used to enter the line configuration mode to configure each access method:
- Console: direct connection from a computer to the router using a console cable.
- Auxiliary: dialup connection; the receiving modem is connected to the router auxiliary port.
- Virtual terminal (vty): connection across the network, accessing the router via the network interface.

Authentication Proxy Configuration Examples

The steps required to configure authentication proxy were listed and defined in the preceding section. In this section, authentication proxy is configured for both inbound and outbound connections through the Cisco IOS firewall. Figure 15-5 depicts the environment used for the configuration of authentication proxy on the 3640 Cisco IOS firewall. Figure 15-5 Network Diagram of Authentication Proxy Source and Destination (External Host)...

Authentication Proxy Configuration Steps

A number of steps are required to configure authentication proxy on the Cisco IOS firewall. Authentication proxy requires the firewall to communicate with many different systems, and each of these systems must be put into the firewall configuration. This section describes the configuration steps and individual commands used to configure the authentication proxy. There are examples of these configuration commands in the section titled Authentication Proxy Configuration Examples. It is important...

Basic Router Management

The Cisco IOS router and Cisco IOS firewall are actually the same hardware. The difference is a low-cost, advanced firewall feature set that was integrated into Cisco Internet Operating System (Cisco IOS). All the basic functionality of Cisco IOS Software remains on the IOS firewall with additional features added, called the firewall feature set. The Cisco IOS router is commonly referred to as the IOS firewall if any of the firewall feature set components are used. This chapter discusses access...

Book Content Updates

Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at http://www.ciscopress.com/1587200899. It's a good idea to check the website a couple of weeks before taking your exam, to review any updated content that may be posted online. We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be...

Change All Administrative Access on All the Routers

The first task is to secure all the routers at each location. As part of this task, you replace the weak administrative access passwords on all the site routers with passwords that are relatively strong.

Step 1: Reconfigure the console port user-level password.

Console password access to New York:
NewYork(config)# line console 0
NewYork(config-line)# password NY conaccess

Console password access to Atlanta:
Atlanta(config)# line console 0
Atlanta(config-line)# password ATL conaccess

Console password...

Cisco IOS Firewall Features

Table 4-4 lists the features that differentiate the Cisco router from the Cisco IOS firewall. It is important to note that all of these features are software based and are available in the current version of Cisco IOS Software. Standard and extended access lists are used for static filtering of traffic passing through the firewall. Dynamic access lists are used to temporarily open ports to allow specific traffic through the firewall. These ports are closed as soon as the session is completed....

Cisco IOS Firewall IDS Features

Cisco IOS Software-based intrusion detection was developed as part of the Cisco IOS firewall feature set for mid-range and high-end routers and has since been adapted to the smaller small office/home office (SOHO) and remote office/home office (ROHO) models. It allows the firewall to act as an in-line IDS. The Cisco IOS firewall IDS scans packets that flow through the firewall looking for any traffic that matches specific signatures that indicate malicious traffic. If the IDS finds traffic that...

Cisco Security Specialist in the Real World

Cisco has one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table due to their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and the...

Components Used for Defense in Depth

The number and combination of different components used to secure today's networks changes continuously as new threats and threat-mitigation techniques arise. The following list identifies some of the many components used for a defense-in-depth strategy:
Security policy: An effective security policy is the centerpiece of any organization's security implementation. As described in Chapter 1, Network Security Essentials, and Chapter 2, Attack Threats Defined and Detailed, the security policy...

Concepts of the Router MC

To understand the Router MC, you must first understand the basic concepts used in its development and operation. The basic concepts are listed here with a brief explanation. For further information on these concepts, see Using Management Center for VPN Routers. You can find this document through a search at Cisco.com.
Hub-and-spoke topology: The hub-and-spoke topology is commonly used when connecting branch offices to the main office. A central Cisco IOS router located at the main office acts as...

Configure the IKE Parameters

Now that the configuration options for each location have been selected, it's time to begin configuring each router. The first step is to verify connectivity between each location. The simplest way to confirm connectivity is to ping the peer router. You must also verify that any upstream devices are not filtering the traffic that is required to build the VPN. Having verified connectivity, you now begin to configure the routers at each location. You should begin by configuring IKE on each...

Configure the RSA Keys

As with any VPN configuration, management of RSA keys is not a difficult task, but it can be a complex undertaking. It is important to completely plan your implementation before you begin to configure the peers. To configure and generate your public keys and enter the public keys of your peer, follow these six steps:
- Plan the implementation using RSA keys.
- Configure the router host name and domain name.
Each of these steps is discussed in detail in the following sections. Plan the Implementation...

Configuring AAA Accounting

Enabling the accounting feature of AAA helps you log user activity, including network resource utilization, which could be used for billing and auditing. Like authentication and authorization, the AAA accounting feature has method lists. The two methods used by the AAA accounting feature The following six types of accounting can be configured on the Cisco IOS Software:
Network: Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
EXEC: Provides information...

Configuring Authentication Proxy on the Cisco IOS Firewall

Authentication proxy enables users to connect through the firewall to a resource only after their credentials have been verified by a AAA server. After the authentication is complete, the Cisco IOS firewall receives authorization information from the AAA server in the form of a dynamic access list. It is always a good idea to ensure that all traffic is properly flowing through the Cisco IOS firewall prior to implementing authentication proxy. Access lists applied to the Cisco IOS firewall...

Configuring Multiple Privilege Levels

To configure a new privilege level for users and associate commands with a privilege level, use the privilege command. The syntax is as follows:

privilege mode [all] {level level | reset} command-string

Table 5-3 shows the different options that the privilege command provides:
all: (Optional) Changes the privilege level for all the suboptions to the same level.
level level: Specifies the privilege level you are configuring for the specified command or commands. The level argument must be a number from 0 to 15.
reset: Resets the...

Configuring TACACS+ on Cisco IOS

To configure the Cisco access server to support TACACS+, you must perform the following steps:
Step 1: Enable AAA. Use the aaa new-model command to enable AAA.
Step 2: Identify the TACACS+ server. Use the tacacs-server host command to specify the IP address or name of one or more TACACS+ servers.
Step 3: Configure AAA services. Use the aaa authentication command to define method lists that use TACACS+ for authentication.
Step 4: Apply the method lists to the interfaces. Use line and interface...

Configuring the Easy VPN Server

Remember, the Easy VPN Server configuration is the most important because it is the central location where the other VPN client connections terminate. To configure Easy VPN Server on your Cisco IOS 12.2(8)T or later router, follow these steps:
Step 1: Prepare the router for Easy VPN Server.
Step 2: Configure the group policy lookup.
Step 3: Create the ISAKMP policy for the remote VPN clients.
Step 4: Define a group policy for a mode configuration push.
Step 5: Create the transform set.
Step 6: Create...

Contents

Foreword xxiii
Introduction xxiv
Part I An Overview of Network Security 2
Chapter 1 Network Security Essentials 5
Do I Know This Already Quiz 5
Foundation Topics 9
Balancing Business Need with Security Requirement 9
Security Policy Goals 12
Security Guidelines 13
Management Must Support the Policy 13
The Policy Must Be Technically Feasible 14
The Policy Should Not Be Written as a Technical Document 14
The Policy Must Be Implemented Globally Throughout the Organization 14
The Policy Must Clearly...

Controlling Interactive Access Through a Browser

Administrative access support via a browser is supported by Cisco IOS Software Release 11.0(6) and later. This feature is disabled by default but can be enabled by the ip http server command. However, the use of HTTP to manage a router presents some inherent vulnerabilities. The Cisco IOS HTTP server provides authentication, but not encryption, for client connections. The data that the client and server transmit to each other is not encrypted. This leaves communication between clients and...

Create and Apply Crypto Maps

The crypto map is used to apply the ACLs, define the addresses for the local and remote peers, and define how the IPSec SA is established and maintained. Each crypto map is given a sequence number and a name. For this exercise, the name crypto-map is used after the peer location. Configure the crypto maps on the New York router:

NewYork(config)# crypto map MCNS 10 ipsec-isakmp
NewYork(config-crypto-map)# match address 110
NewYork(config-crypto-map)# set peer 192.168.20.1
NewYork(config-crypto-map)# set pfs group2
NewYork(config-crypto-map)#...

Define an Inspection Rule

The inspection rule defines the IP traffic monitored by CBAC. The ip inspect name command enables you to define a set of inspection rules. Table 14-3 shows the ip inspect name command parameters. The syntax is as follows:

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
no ip inspect name inspection-name protocol

Table 14-3 The ip inspect name Command Parameters
inspection-name: Names the set of inspection rules. If you want to add a protocol to an...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 11-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz questions...

Explain the Issues Regarding Configuring IPSec Manually and Using RSA Encrypted Nonces

The only additional process required for implementing IPSec using RSA nonces is the key generation and exchange process. The following steps are required to generate and exchange RSA keys:
- Plan the implementation using RSA keys.
- Configure the router host name and domain name.
As mentioned in the section, How to Use This Book, in the Introduction to this book, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your SECUR exam, a well-prepared candidate should at a minimum know all the details in each Foundation Summary before going to take the exam. In today's very dynamic environment, it is not enough just to secure the network perimeter. With the increasing use of intranets, extranets, remote users, and wireless technology,...

How CBAC Works

A CBAC inspection rule is created to specify which protocols you want to be inspected. You then apply the rule to the desired interface and specify the direction (in or out). Only specified protocols are inspected by CBAC. Packets entering the Cisco IOS firewall are inspected by CBAC only if they first pass the inbound ACL at the interface. If a packet is denied by the ACL, the packet is just dropped and not inspected by CBAC. CBAC creates temporary openings in ACLs at Cisco IOS firewall...

How IPSec Works

Five specific steps are required to create and terminate an IPSec VPN tunnel. The endpoints perform different functions to establish the encrypted connection at each step. Figure 17-3 provides a description of the steps required to create and terminate the IPSec tunnel. Figure 17-3 Creating an IPSec VPN Tunnel
Step 1: The user at the source computer in Boston initiates a connection to the destination system in New York. The router in Boston recognizes the...

How to Prepare for an Exam

The best way to prepare for any certification exam is to use a combination of the preparation resources, labs, and practice tests. This guide has integrated some practice questions and labs to help you better prepare. If possible, you want to get some hands-on time with the Cisco IOS routers. There is no substitute for experience, and it is much easier to understand the commands and concepts when you can actually work with the Cisco IOS router. If you do not have access to a Cisco IOS router,...

How to Use This Book

Each chapter tends to build upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations. The chapters of the book cover the following topics:
Chapter 1, Network Security Essentials: Chapter 1 is an overview of network security in general terms. This chapter defines the scope of network security and discusses the delicate balancing act required to ensure that you fulfill the...

Implement ACLs for Antispoofing Purposes

Add antispoofing protection by denying traffic with a source address matching a host on the Ethernet interface for each site (RFC 2827, RFC 3330).

NOTE: You would need to configure RFC 1918 filtering in a production network. This scenario uses the 10.x.x.x and 192.168.x.x address space, and therefore RFC 1918 filtering has not been implemented.

NewYork(config)# access-list 107 permit ip 10.10.30.0 0.0.0.255 any
NewYork(config)# access-list 107 permit ip 10.10.20.0 0.0.0.255 any
NewYork(config)# access-list 107 deny ip 10.10.10.0...

Installation and Login to Router MC

The Router MC is installed on the CiscoWorks 2000 server from the Router MC CD-ROM. If you are installing the Router MC on a Windows server, you can use the Installation Wizard and follow the default settings. The Router MC defaults to the CiscoWorks common services folder (C:\Program Files\CSCOpx\) and automatically creates its database as part of the installation process. The Installation Wizard will show an Installation Complete window upon successful installation, prompting you to click...

Installing Cisco Secure ACS

After confirming your system requirements for Cisco Secure ACS for Windows, run the setup program to install the software. Figure 10-1 shows a checklist window that comes up during the first part of the installation process. Figure 10-1 Checklist Window That Appears During the Installation Process for Cisco ACS 3.2
BEFORE YOU BEGIN, the following items must be complete:
- End-user clients can successfully connect to AAA clients.
- This Windows Server can ping the AAA clients.
- Any Cisco IOS AAA...

Intruding for Curiosity

Sometimes people are just curious regarding the data contained in a system or network. One incident typical of this type is a 14-year-old boy who broke into a credit card company's system to look around. When asked the reason for breaking into the system, he replied that simple curiosity was the motivation. Sometimes an employee, for example, may attempt to break into a payroll system just to see whether he or she is receiving pay in accordance with coworkers. Alternatively, an employee may be...

Logging and Audit Trail

Real-time alerts send syslog error messages to central management consoles upon the detection of suspicious activity. Enhanced audit trail features use syslog to track all transactions and to record timestamps, source host, destination host, ports used, session duration, and the total number of transmitted bytes for advanced, session-based reporting (quoted from http://www.cisco.com/en). To enable logging and send messages to a syslog server, use the following commands:

Firewall(config)# logging on...

Management Center for VPN Routers Router MC

Router MC is a web-based application designed for management of enterprise VPN and firewall configurations on Cisco IOS routers. Router MC allows for remote management and monitoring of both firewall and VPN features on the Cisco router. The Router MC is installed on either a CiscoWorks 2000 or CiscoWorks VMS server and can be accessed from client machines using a web browser and a Secure Sockets Layer (SSL) connection. The Router MC allows for a centralized configuration of Internet Key...

Managing Enterprise VPN Routers

Obviously, the management of any enterprise network is a very complex task. The management of VPN routers on the enterprise can add an additional level of complexity due to the strict configuration requirements for each device to maintain VPN connectivity. It is imperative that the configurations of both VPN endpoints include enough matching components to allow the VPN to come up. If the configuration is changed on either end and no longer matches its peer, the systems cannot create the VPN and...

Overview of Cisco Router CA Support

The advantage of using CA support is that peers no longer have to manually exchange preshared keys or nonces. When two peers begin the IKE negotiation, they just exchange public keys, which are then authenticated by the CA. This process greatly improves manageability because there is no requirement to track keys. As a result, this solution is very easy to scale. Cisco IOS Software supports the following CA standards:
RSA keys: RSA is an asymmetric public key cryptography system. RSA keys come in...

Overview of Defense in Depth

The term internetworking refers to the task of connecting different networks so they can communicate, share resources, and so on. Many organizations consider their perimeter to be the connection to the Internet; however, with the liberal use of intranet, extranet, and remote user connections, the true perimeter has faded and is difficult to determine. This issue is further complicated by the organizations on the far end of your intranet, extranet, and remote user connections. It is no longer...

PAP and CHAP Authentication

Traditionally, remote users dial in to an access server to initiate a PPP session. PPP is the standard encapsulation protocol for the transport of different network protocols across ISDN, serial, or Public Switched Telephone Network (PSTN) connections. PPP currently supports two authentication protocols: PAP and CHAP. Both are specified in RFC 1334 and are supported on synchronous and asynchronous interfaces. Authentication via PAP or CHAP is equivalent to typing in a username and password when...

Port-to-Application Mapping

Port-to-application mapping (PAM) enables you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. PAM enables CBAC-supported applications to be run on nonstandard ports. Using PAM, network administrators can customize access control for specific applications and services to meet the distinct...

Q&A

As mentioned in the section, How to Use this Book, in the Introduction to this book, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in the appendix. For more practice with exam-like...

Reconnaissance Attacks

The term reconnaissance attack is misleading. The goal of this type of attack is actually to perform reconnaissance of a computer or network, and the goal of the reconnaissance is to determine the makeup of the targeted computer or network and to search for and map any vulnerabilities. A reconnaissance attack can be an indicator of the potential for other more invasive attacks. Many reconnaissance attacks have been written into scripts that enable novice hackers or script kiddies to launch...

Router Configuration Modes

Before jumping into the command-line interface (CLI) of the Cisco router, it is important to understand the different command modes available. Consider the command mode to be a level where you are able to perform specific functions. If you are not at the correct level, you cannot perform the correct function (to configure the router). This is a very simplified explanation but will make more sense as each mode is discussed. The following are command modes on a Cisco router:
ROM monitor mode: The...

Router MC Workflow

After connecting to the Router MC, you will want to begin your VPN router configurations. The workflow for this task is as follows 1. Create the activity. As discussed earlier in this chapter, the activity is defined as the virtual context, in which tasks are performed. You must create the activity to create the devices, groups, and tasks that you want to perform. At this point, the activity is in editable status and can be changed by any other user who has the correct permissions. If an...

Rules of the Road

We have always found it very confusing when different addresses are used in the examples throughout a technical publication. For this reason we are going to use the address space depicted in Figure I-2 when assigning network segments in this book. Note that the address space we have selected is all reserved space per RFC 1918. We understand that these addresses are not routable across the Internet and are not normally used on outside interfaces. Even with the millions of IP addresses available...

Securing Console Access

The console administrative interface is primarily accessed by attaching a terminal (for instance, a laptop) directly to a router. Physical security has to be put in place for the router to prevent unauthorized users from gaining access to the router's console interface. You also have to configure the router to require a password when users try to access it via the console port. The router or switch can authenticate users locally or via a remote security database such as Cisco Secure Access...

Self Imposed Vulnerabilities

All networks contain a combination of public and private data. A properly implemented security scheme protects all of the data on the network yet allows some data to be accessed from outside entities, usually without the ability to change that data. One example of this may be the corporate website. Other data, such as payroll information, should not be made available to the public and should be restricted to only specific users within the organization. Network security, properly implemented,...

Small Server Services

TCP and UDP small servers are services that run in the router and are useful for diagnostics. These include the following:
Echo (UDP, TCP): This simple port just echoes whatever is sent to it.
Chargen (UDP, TCP): Generates a stream of characters (TCP) or a packet containing characters (UDP).
Daytime (TCP): Responds with the current time of day. The protocol specification doesn't clearly define the format of the data returned, so every machine responds in a slightly different format. This can be...

Step 1 Complete the Network Configuration

To complete the network configuration, connect to the CSACS using your browser and click the Network Configuration icon on the left border. Figure 15-7 depicts the Network Configuration page of the CSACS. Figure 15-7 CSACS Network Configuration Page. Ensure that the Cisco IOS firewall is listed as a AAA client. The IP address should be the address of the interface that faces the AAA server, and the...

Step 2 Configure IKE

Now that you understand the importance of planning the configuration beforehand, refer to Figure 17-7 for the configuration settings for task 2. Figure 17-7 IKE Configuration Settings. Figure 17-7 shows all the information needed to configure IKE on both peers. This section shows the configuration of the router in New York for the VPN between New York and Boston. Configuration steps and commands are very common for the Cisco certification exams. This...

Step 3 Configure IPSec

Just like the IKE configuration, it is important that the IPSec configuration matches on both peers for them to negotiate the IPSec SA. Refer to Figure 17-8 for the configuration settings for task 3. Figure 17-8 IPSec Configuration Settings. Figure 17-8 shows all the information needed to configure IPSec on both peers. This exercise configures only the router in New York. To configure IPSec on the router, follow these five steps. Each of these steps is...

Step 4 Test and Verify the IPSec Configuration

Once again, it is best to verify your configuration beforehand instead of having to troubleshoot the connection if it is not working. A variety of show and debug commands enable you to check the current configuration, including the following:
show crypto isakmp policy: This command displays the configured IKE policies.
show crypto ipsec transform-set: This command displays the configured transform sets.
show crypto ipsec sa: This command displays the current state of your IPSec SAs.
show crypto map...

TACACS+ Accounting Example

Example 8-3 shows a sample TACACS+ configuration to be used for PPP authentication using the TACACS+ security server.

Example 8-3 Sample Configuration for AAA Authentication and Accounting with TACACS+ Security Server
NAS(config)# aaa authentication ppp default if-needed tacacs+ local
NAS(config)# aaa accounting network stop-only tacacs+
NAS(config)# tacacs-server host 192.168.1.15
NAS(config)# tacacs-server key...

Taking the SECUR Certification Exam

As with any Cisco certification exam, it is best to be thoroughly prepared before taking the exam. There is no way to determine exactly what questions are on the exam, so the best way to prepare is to have a good working knowledge of all subjects covered on the exam. Schedule yourself for the exam and be sure to be rested and ready to focus when taking the exam. The best place to find out the latest available Cisco training and certifications is http

The Certification Exam and This Preparation Guide

The questions for each certification exam are a closely guarded secret. The truth is that if you had the questions and could only pass the exam, you would be in for quite an embarrassment as soon as you arrived at your first job that required these skills. The point is to know the material, not just to successfully pass the exam. We do know what topics you must know to successfully complete this exam because they are published by Cisco. Coincidentally, these are the same topics required for you...

Troubleshooting AAA

After AAA services are configured, you must test and monitor your configuration. The debug command is a very useful command to troubleshoot and test your AAA configuration. The following debug commands enable you to troubleshoot and test your AAA configuration Example 7-5 provides sample output of the debug aaa authentication command. A single EXEC login that uses the default method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the...

Types of Attacks

There are three major types of network attacks, each with its own specific goal:
Reconnaissance attacks: An attack designed to gather information about a system or a network. The goal is to map the network, identify the systems and services, and to identify vulnerabilities that can be exploited at a later time.
Access attacks: An attack designed to exploit a vulnerability and to gain access to a system on a network. After access has been gained, the user can do the following: Retrieve, alter, or...

Types of IP ACLs

Cisco IOS Software supports the following types of ACLs for IP:
Standard IP ACLs: Use source addresses for matching operations.
Extended IP ACLs: Use source and destination addresses for matching operations and optional protocol type information for finer granularity of control.
Reflexive ACLs: Allow IP packets to be filtered based on session information. Reflexive ACLs contain temporary entries and are nested within an extended, named IP ACL.
Time-based ACLs: Time-based ACLs, as the name...

Warning and Disclaimer

This book is designed to provide information about selected topics for the Cisco SECUR exam for the CCSP certification. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this...

What Are Access Lists

ACLs are rules that deny or permit packets coming in or out of an interface. An ACL typically consists of multiple ACL entries (ACEs), organized internally by the router. When a packet is subjected to access control, the router searches this linked list in order from top to bottom to find a matching element. The matching element is then examined to determine whether the packet is allowed or denied. Figure 12-1 shows the behavior of a router that has an ACL configured on its interfaces. Figure...

What Authentication Proxy Looks Like

When the user initiates the HTTP connection, the Cisco IOS firewall checks whether the user has already been authenticated. If not, the firewall responds with an HTTP login page. Figure 15-3 depicts the authentication proxy login page. The user must enter the correct username and password to authenticate successfully and connect to the desired resource. Figure 15-2 External Host Connection to Internal Destination...
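As an added example, not the book's own configuration, here is the minimum an IOS firewall needs for the flow just described: an AAA server to check the username and password, the router's HTTP server to present the login page, an authentication proxy rule bound to the interface, and an ACL that blocks the traffic the proxy opens after a successful login. The TACACS+ server address and key, the interface, the addresses and the rule name are assumptions.

```cisco
! Added example, not from the book. Server, key, interface, addresses and
! rule name are assumptions.
aaa new-model
aaa authentication login default group tacacs+
! The auth-proxy service is where the per-user ACL entries come from.
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.50
tacacs-server key T4c4cs-Sh4r3d-K3y
!
! The login page is served by the router's own HTTP server, which must
! authenticate against AAA rather than the enable password.
ip http server
ip http authentication aaa
!
! A cache entry (an authenticated user) expires after 60 idle minutes;
! its dynamic ACEs are then removed and the next HTTP request is
! intercepted again.
ip auth-proxy auth-cache-time 60
ip auth-proxy auth-proxy-banner
! Only HTTP is intercepted; the rule is named so it can be bound per interface.
ip auth-proxy name CORP-PROXY http
!
! The interface ACL must block what the proxy is meant to open: on success
! the router inserts the user's ACEs (from the AAA profile) ahead of it.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.1 eq www
 deny   ip any 10.1.1.0 0.0.0.255 log
!
interface Ethernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip auth-proxy CORP-PROXY
```

On the AAA server the user or group profile needs the auth-proxy service with priv-lvl=15 and one or more proxyacl#n=permit ... attributes; those permits are what become the temporary ACEs. show ip auth-proxy cache lists authenticated hosts with their remaining timers, and clear ip auth-proxy cache * forces everyone to log in again. On releases that serve the login page over plain HTTP the credentials cross the network in the clear, so keep the proxy on interfaces where that exposure is acceptable.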

Configuring CLI Access

A new router is delivered without passwords. You must configure passwords for the access method that you intend to use and disable the methods that you do not intend to use. There are different ways to complete the initial configuration of a router. The autoinstall feature installs a configuration on the router that is sufficient to get the router on the network and allow telnet connections to complete the configuration. The other configuration methods usually require a physical connection to...
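The configuration below is an added example, not from the book, of the three access methods from Table 4-4 locked down the way the paragraph above recommends: a password on the method you use, and the method you do not use disabled. The hostname, passwords, NOC subnet and ACL number are assumptions.

```cisco
! Added example, not from the book. Hostname, passwords, the NOC subnet and
! the ACL number are illustrative.
hostname edge-r1
ip domain-name example.com
! Privileged EXEC password as a one-way hash (enable secret). Do not rely on
! "enable password" or "service password-encryption": type 7 is reversible.
enable secret Pr1v-L3vel-15!
! Local account for line login; "secret" hashes it on images that support
! it (otherwise "password" stores it reversibly).
username netops secret N3tops-L0cal!
!
! Console: direct cable access, local login, idle sessions dropped.
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! Auxiliary port: dial-in is not used, so no EXEC and no transport at all.
line aux 0
 no exec
 transport input none
 transport output none
!
! Network access: only from the NOC subnet and only over SSH. Telnet, which
! autoinstall relies on, is cleartext and is switched off here.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
! Platforms with more vty lines need the same on "line vty 5 15"; leave
! none of them at defaults.
```

Verify from a host outside 10.0.0.0/24 that Telnet and SSH are both refused, and from inside that Telnet is refused and SSH succeeds; show users then lists the session on a vty line. ip ssh version 2 is accepted only on images that ship SSHv2, so drop that line on older releases rather than the transport input ssh restriction.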

Configuring AAA Authorization

You can restrict the type of operations users can perform, or the network resources they can access, by using the AAA authorization service. After AAA authorization is enabled and configured, user profiles are stored in the local database or on a remote security server. From the information in these profiles, users' sessions are configured after they have been authenticated. AAA supports five different methods of authorization:
TACACS+: User profile information is stored on a remote security server that...

Step 1 Select the IKE and IPSec Parameters

Configuring a router for an IPSec VPN is not conceptually difficult, but it is a long process with multiple tasks and subtasks that requires close attention to detail. The first task is to select the initial configuration parameters for the VPN connection and determine which configuration is most appropriate. Both peers must agree on these parameters, so if all of the configuration decisions are made before either device is configured, the risk of a configuration error on either peer can be greatly...

Radius Authentication Authorization and Accounting Example

Example 8-8 is a general configuration using RADIUS with the AAA command set. This configuration is shown in Figure 8-2.

Figure 8-2 General Configuration Using RADIUS

Example 8-8 Sample RADIUS Configuration
NAS(config)# radius-server host 192.168.100.15
NAS(config)# radius-server key ladyhawk
NAS(config)# username meron password k0nj0
NAS(config)# aaa authentication ppp test1 radius local
NAS(config)# aaa authorization network radius local
NAS(config)...

Two points to note: the aaa commands are accepted only after aaa new-model has been entered, and username ... password stores the local fallback password in reversible form (cleartext, or type 7 if service password-encryption is set); on images that support it, username meron secret k0nj0 stores a one-way hash instead. The local method is consulted only if the RADIUS server does not answer, not when it rejects the user.

Implement the Cisco IOS Firewall IDS

Configuring the Cisco IOS firewall IDS on the border router for each location lets you determine what type of traffic is attempting to access the network. Much of this information can be derived from the Cisco IOS firewall logs; however, the Cisco IOS firewall IDS generates specific alerts and can perform other actions, such as dropping the packet or resetting the connection. It is important to establish a network baseline so that you can identify normal traffic and reduce the number of false positive alerts. For...

CiscoWorks 2000

CiscoWorks 2000 is a family of bundled advanced network management tools that run on either a Windows platform or Sun Solaris. CiscoWorks is a client/server-based product that allows easy access to and management of Cisco AVVID architecture components. CiscoWorks 2000 provides the following network administration and management functionality:
Management and monitoring of Cisco PIX firewalls
Management and monitoring of CSIDSs
Management and monitoring of Cisco HIDS
A web-based interface for...

Initialize the Cisco IOS Firewall IDS on the Router

Initializing the Cisco IOS firewall IDS comprises four subtasks needed to configure it to respond to malicious traffic: configuring the notification type, configuring the Cisco IOS firewall IDS and central management Post Office parameters, defining the protected network, and configuring the router's maximum queue for alarms. Each is discussed in more detail in the following sections. Use the ip audit notify command to configure the Cisco IOS...

Easy VPN Server Functionality

Easy VPN Server was introduced in Cisco IOS Software Release 12.2(8)T. It is the first Cisco IOS Software release to provide server support for the Cisco VPN Client 3.x and the Cisco VPN 3002 Hardware Client. The Easy VPN Server manages all IPSec policies centrally and pushes the policy out to the client, which minimizes the configuration required on the client end. The following functionality is integrated into Cisco IOS Software 12.2(8)T with Easy VPN:
Split tunneling control: Split...
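The following is an added example, not from the book, of an Easy VPN Server configuration that shows the central policy push described above, including the split-tunnel control that heads the feature list. The group name, group key, user, address pool, DNS server, interface and addresses are assumptions; it needs Release 12.2(8)T or later.

```cisco
! Added example, not from the book. Group, key, user, pool, addresses and
! interface are assumptions. Requires 12.2(8)T or later.
aaa new-model
! Xauth: who the user is (local here; normally group radius or tacacs+).
aaa authentication login VPN-USERS local
! Group policy lookup: which attributes are pushed to the client.
aaa authorization network VPN-GROUPS local
username alice secret Al1ce-Xauth-P4ss
!
! Phase 1 policy the 3.x client accepts: DH group 2 with a group
! pre-shared key (RSA signatures are the stronger choice where a CA exists).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Everything in this group is pushed to the client after Xauth succeeds:
! DNS and domain, an address from the pool, and the split-tunnel list.
crypto isakmp client configuration group SALES
 key S4les-Gr0up-K3y
 dns 10.1.1.10
 domain example.com
 pool VPN-POOL
 acl 150
ip local pool VPN-POOL 10.9.9.1 10.9.9.254
!
! Split tunneling: only traffic to these corporate networks enters the
! tunnel. Remove the "acl 150" line above to force all client traffic
! through the corporate network instead.
access-list 150 permit ip 10.1.0.0 0.0.255.255 any
!
crypto ipsec transform-set CLIENT-TS esp-3des esp-sha-hmac
! Clients connect from unknown addresses, so a dynamic crypto map is used.
crypto dynamic-map CLIENT-DYN 10
 set transform-set CLIENT-TS
crypto map CLIENT-MAP client authentication list VPN-USERS
crypto map CLIENT-MAP isakmp authorization list VPN-GROUPS
crypto map CLIENT-MAP client configuration address respond
crypto map CLIENT-MAP 10 ipsec-isakmp dynamic CLIENT-DYN
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CLIENT-MAP
```

The split-tunnel ACL is written from the server's side: the source is the corporate network and the destination is "any" (the client). Internal routers still need a route for 10.9.9.0/24 back to this router, and the group pre-shared key is shared by every user in the group, so treat it as low-value and rely on Xauth for the individual identity. show crypto isakmp sa and show crypto ipsec sa confirm the two phases once a client connects.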

Configuring AAA Authentication

Administrative and remote LAN network access to routers and network access servers can be secured using AAA. To configure AAA authentication, perform the following steps:
Step 1 Activate AAA by using the aaa new-model command.
Step 2 Create a list name or use default. A list name is alphanumeric and can have one to four authentication methods.
Step 3 Specify the authentication methods for the aaa authentication command. You may specify up to four; they are tried in the order listed.
Step 4 Apply the method list to an...
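As an added example, not from the book, the configuration below carries the four steps above through once, and adds the authorization and accounting lists from Configuring AAA Authorization so that the three services can be seen together. The server addresses, shared keys, list names, the local user and the interface are assumptions.

```cisco
! Added example, not from the book. Servers, keys, list names, the local
! user and the interface are assumptions.
aaa new-model                                   ! Step 1
!
! Steps 2 and 3: named lists with their methods. Methods are tried left to
! right; the next one is used only if the previous returns an error (server
! unreachable), not when it rejects the user. "local" is the fallback.
aaa authentication login ADMIN-LOGIN group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp DIALUP-PPP group radius local
!
! Authorization: what an authenticated user may do. EXEC shell and
! level-15 commands are decided by TACACS+; PPP/network parameters by RADIUS.
aaa authorization exec ADMIN-LOGIN group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network DIALUP-PPP group radius local
!
! Accounting: who ran what, and when sessions started and stopped.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
!
tacacs-server host 10.1.1.50
tacacs-server key T4c4cs-Sh4r3d-K3y
radius-server host 10.1.1.51 auth-port 1812 acct-port 1813
radius-server key R4d1us-Sh4r3d-K3y
! Local fallback account, used only while the servers are unreachable.
username netops privilege 15 secret N3tops-L0cal!
!
! Step 4: apply the named lists. Only lists called "default" apply on
! their own; a named list does nothing until it is bound here.
line console 0
 login authentication ADMIN-LOGIN
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-LOGIN
 transport input ssh
interface Serial0/1
 encapsulation ppp
 ppp authentication chap DIALUP-PPP
 ppp authorization DIALUP-PPP
```

Keep one session open while you apply this and log in from a second one before saving: a typo in a method list or a wrong shared key locks you out of every line the list is bound to, and the console is bound here too. debug aaa authentication and debug aaa authorization show which method answered and whether it returned PASS, FAIL or ERROR.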

Cisco ACS for UNIX

Cisco Secure ACS for UNIX incorporates a multiuser, web-based Java configuration and management tool that simplifies server administration. Security services can be managed by several system administrators in multiple locations simultaneously. Cisco Secure ACS for UNIX supports Sybase and Oracle relational databases. Cisco Secure ACS includes SQLAnywhere from Sybase. Although this version of the database does not have client/server support, it is optimized to perform the essential...

Configuring the Cisco Router for IPSec VPNs Using CA Support

To configure the router for IPSec VPNs using CA support, you must complete five tasks. Each task contains several subtasks. As always, the most important component is thorough planning and meticulous implementation. Because of the complexity of this process, any error can prevent the VPN from functioning properly. The five tasks are as follows:
1. Select the IKE and IPSec parameters.
2. Configure the router CA support.
3. Configure IKE using RSA signatures.
4. Configure IPSec using RSA...
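The configuration below is an added example, not from the book, that walks one peer through the tasks listed above, starting from the parameter choices that Step 1 Select the IKE and IPSec Parameters says must be made before either router is touched. The hostname, CA URL, trustpoint name, peer address, subnets and interface are assumptions, and older images use crypto ca where newer ones use crypto pki.

```cisco
! Added example, not from the book. Names, addresses, CA URL and subnets are
! assumptions; newer images spell "crypto ca" as "crypto pki".
!
! Task 1: parameters agreed in advance and repeated identically on the peer.
!   IKE:   AES-128 / SHA-1 / RSA signatures / DH group 2 / 86400 s
!   IPSec: ESP-AES + ESP-SHA-HMAC, tunnel mode, 3600 s, PFS group 2
!   (on images without AES, 3DES is the strongest choice available)
hostname vpn-r1
ip domain-name example.com
!
! Task 2: CA support. The RSA key pair is what the certificate will bind
! to the router's identity.
crypto key generate rsa general-keys modulus 2048
crypto ca trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 enrollment retry count 5
 enrollment retry period 2
! Then, from privileged EXEC: fetch the CA certificate and compare its
! fingerprint with the CA operator out of band, then request this
! router's own certificate.
!   vpn-r1# crypto ca authenticate CORP-CA
!   vpn-r1# crypto ca enroll CORP-CA
!
! Task 3: IKE with RSA signatures. No pre-shared key on either peer; the
! peer is trusted because its certificate chains to CORP-CA.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
 lifetime 86400
!
! Task 4: IPSec. ACL 101 selects the traffic to protect; the peer's ACL
! must be the mirror image (its source is our destination).
crypto ipsec transform-set STRONG-TS esp-aes esp-sha-hmac
 mode tunnel
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG-TS
 set pfs group2
 set security-association lifetime seconds 3600
 match address 101
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP
```

show crypto ca certificates should list both the CA certificate and the router certificate before IKE is expected to work; a missing router certificate is the usual cause of phase 1 failing with rsa-sig. Leave revocation checking enabled on the trustpoint in production, so that a revoked peer certificate is actually rejected, and make sure the router's clock is correct (NTP), since certificate validity is checked against it.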

Verifying the Cisco IOS Firewall IDS Configuration

It is important to ensure that your system is properly configured. You can use three commands to verify the configuration of the Cisco IOS firewall IDS:
show: The show commands are entered in privileged EXEC mode and display the current Cisco IOS firewall IDS configuration. Table 16-4 lists the show commands with a brief description of each. One of them, show ip audit statistics, displays the number of packets audited and the number of alarms sent. These numbers can be reset using the clear ip audit statistics...
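The following is an added example, not from the book, that performs the four initialization subtasks from Initialize the Cisco IOS Firewall IDS on the Router, binds audit rules to the border interface as described under Implement the Cisco IOS Firewall IDS, and ends with the verification commands just discussed. The host and organization IDs, Director address, syslog host, interface and protected subnet are assumptions.

```cisco
! Added example, not from the book. IDs, Director and syslog addresses,
! interface and protected subnet are assumptions.
!
! 1. Notification type: syslog and/or the Post Office (nr-director).
logging 10.1.1.60
ip audit notify log
ip audit notify nr-director
!
! 2. Post Office parameters: this router's identity and the Director.
ip audit po local hostid 10 orgid 100
ip audit po remote hostid 1 orgid 100 rmtaddress 10.1.1.61 localaddress 10.1.1.1 port 45000 preference 1 timeout 5 application director
!
! 3. Protected network: alarms report direction relative to this range
!    (IN when the target is inside it, OUT when the source is).
ip audit po protected 10.1.1.1 to 10.1.1.254
!
! 4. Maximum alarm queue depth on the router; beyond it, events are lost.
ip audit po max-events 100
!
! Audit rules: informational signatures only raise an alarm; attack
! signatures alarm, drop the packet and reset the TCP session.
ip audit name CORP-INFO info action alarm
ip audit name CORP-ATTACK attack action alarm drop reset
! Tuning after the baseline: a signature that fires only on known-good
! traffic can be disabled (2004 is ICMP Echo Request).
ip audit signature 2004 disable
!
! Apply inbound on the border interface.
interface Serial0/0
 ip audit CORP-INFO in
 ip audit CORP-ATTACK in
!
! Verify, from privileged EXEC:
!   show ip audit configuration   notification, Post Office and protected range
!   show ip audit interfaces      which audit rules are bound to which interface
!   show ip audit statistics      packets audited and alarms sent
!   clear ip audit statistics     reset the counters after a change
```

Run show ip audit statistics before and after a known-benign traffic sample during the baseline period: a signature whose alarm count climbs on normal traffic is a false-positive candidate for the disable line above, whereas a drop/reset rule should be left on only for signatures whose matches you have confirmed are malicious, because a false positive there resets a legitimate session.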