Conclusion

Having many Cisco certifications myself, the joy and success I have achieved have significantly changed my life and that of my family. There are always challenges facing network engineers and, no doubt, becoming a certified Cisco professional meeting those challenges will drive you into acquiring skills you thought you never knew you could master. I sincerely hope you enjoy your time spent with this book; it took over six months and long nights to complete to ensure you have the perfect companion...

Access Lists on Cisco Routers

By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 4-4 illustrates the steps taken if an access list is configured on a Cisco router.

Figure 4-4 Access List Decision Taken by a Cisco Router

If an incoming IP packet is received on a router and no access list is defined, the packet is forwarded to the IP routing software. If an access list is defined and applied, the packet is checked against the access list,...

Accounting

Accounting occurs after authentication and authorization have been completed. Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user's session. For example, accounting enables administrators to monitor which routers have had their configurations changed. Accounting information can be collected by a router or by a remote...

Acknowledgments

I would like to thank the folks at Cisco Press for helping me and introducing me to this challenging project. Brett Bartow, you are an amazing individual. Thank you for your wonderful insight and complete trust in me. Andrew Cupp, or Drew, as you are known to many of us, no bones about it, you are one of a kind; your editing and technical ability really astounded me, and without you, this book would not be the quality product it is now. No book on the market is as good as this one, thanks mate....

Application Protocols

This chapter covers some of today's most widely used application protocols. This chapter covers the following topics:

Domain Name System (DNS): Topics in this section include how DNS is configured on Cisco routers and what port numbers are used when delivered across an IP network.

Trivial File Transfer Protocol (TFTP): This section covers TFTP's common uses, particularly on Cisco IOS-enabled routers. The process used to copy files to and from a TFTP server is described.

File Transfer Protocol (FTP)...

B

Backup domain controllers, 290
bastion hosts, 370
notification), 83
BGP (Border Gateway Protocol), 76; attributes, 77-78; characteristics, 77; configuring, 79; messages, 76
BPDUs (Bridge Protocol Data Units), 31
port states, 31; transparent, 30
broadcast domains, 30
broadcasting, 292
browsing, 291

Basic Rate and Primary Rate Interfaces

ISDN can be supplied by a carrier in two main forms: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). An ISDN BRI consists of two 64-kbps services (B channels) and one 16-kbps signaling channel (D channel). An ISDN PRI consists of 23 B or 30 B channels, depending on the country. In North America and Japan, a PRI service consists of 23 B channels. In Europe and Australia, a PRI service consists of 30 B channels. A signaling channel (or D channel) is used in a PRI service and is a...

Basic Security on Cisco Routers

You can access a Cisco router in a number of ways. You can physically access a router through the console port, or you can access a router remotely through a modem via the auxiliary port. You can also access a router through a network or virtual terminal ports (VTY lines), which allow remote Telnet access. If you do not have physical access to a router, either through a console port or an auxiliary port via dialup, you can access a router through the software interface, called the virtual...

Border Gateway Protocol

Border Gateway Protocol (BGP) is an exterior routing protocol used widely in the Internet. It is commonly referred to as BGP4 (version 4). BGP4 is defined in RFC 1771. BGP allows you to create an IP network free of routing loops between different autonomous systems. An autonomous system (AS) is a set of routers under the same administrative control. BGP is called a path vector protocol because it carries a sequence of AS numbers that indicates the path taken to a remote network. This...

Bridge Port States

Every bridge and associated port is in one of the following spanning tree states:

Disabled: The port is not participating in spanning tree and is not active.

Listening: The port has received data from the interface and will listen for frames. In this state, the bridge receives only data and does not forward any frames to the interface or to other ports.

Learning: In this state, the bridge still discards incoming frames. The source address associated with the port is added to the CAM table. BPDUs...

Browsing and Windows Names Resolution

Network Neighborhood, Windows NT's browsing service, provides end users with a list of all devices available in their network. Before a user's PC can browse the network or Network Neighborhood, the Windows-based PC must register its name periodically by sending a broadcast to the master browser. The master browser contains a list of all devices available on the network. This service, called browsing, is supported by three methods: NetBEUI, NWLink, and NetBT. In addition to accessing the Network...

C

Calculating hosts per subnet, 37-38
CAM tables, 29
CBAC (Content-Based Access Control), 345; audit trail messages, enabling, 451; configuring, 346-347
cd command (DOS), 284
cd command (UNIX), 284
CERT/CC (Computer Emergency Response Team Coordination Center), 366
certification exam objectives, 4-7; preparing for, 3, 7-8
characteristics of RIP, 57-58; of RIPv1, 58; of RIPv2, 59
chargen attacks, 371
chkdsk command (DOS), 284
chmod command (UNIX), 289
CIDR (classless interdomain routing), 39
Cisco IDS...

CBAC Configuration Task List

Configuring CBAC requires the following tasks:

Picking an interface: internal or external
Configuring IP access lists at the interface
Configuring global timeouts and thresholds
Defining an inspection rule
Applying the inspection rule to an interface
Configuring logging and audit trail
Other guidelines for configuring a firewall

Example 7-5 shows a router named R1 with two Ethernet interfaces, one defined as the inside interface (Ethernet0) and one as the outside interface (Ethernet1). For this...

CCIE Security Exam Certification Guide

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Number 2002104850

ISBN 1-58720-065-1

Central Processing Unit

The central processing unit (CPU) is the heart of a router, and every Cisco router has a CPU. A CPU manages all the router's processes, such as IP routing, and new routing entries, such as remote IP networks learned through a dynamic routing protocol. To view a CPU's status, use the show process IOS command. Example 4-2 shows a sample display taken from a Cisco IOS router.

Example 4-2 (Truncated) show process Command

CPU utilization for five seconds 9 7 five minutes 10 PID QTy PC Runtime (ms)...

Certificate Enrollment Protocol (CEP)

CEP is a protocol jointly developed by Cisco and Verisign, Inc. CEP is an early implementation of Certificate Request Syntax (CRS), a proposed standard to the IETF. CEP specifies how a device communicates with the CA, how to retrieve the CA's public key, and how to enroll a device with the CA. CEP uses Public Key Cryptography Standards (PKCS). CEP uses HTTP as a transport mechanism and uses the same TCP port (80) used by HTTP. To declare the CA that a Cisco IOS router should use, use the crypto...

General Networking Topics

Chapter 2 covers general networking technologies, including an overview of the OSI model, switching concepts, and routing protocols. The TCP/IP model is presented and explained with common applications used in today's IP networks. Routing protocols and sample configurations are presented to ensure that you have a good understanding of how Cisco IOS routes IP datagrams. Concluding this chapter is a discussion of some of today's most widely used WAN protocols, including PPP, ISDN, and Frame...

Q & A Answers

1 What are the seven layers of the OSI model?
Answer: The seven layers of the OSI model are as follows:

2 What layer of the OSI model is responsible for ensuring that IP packets are routed from one location to another?
Answer: The network layer is primarily responsible for routing IP packets from one destination to another.

3 What mechanism is used in Ethernet to guarantee packet delivery over the wire?
Answer: Carrier Sense Multiple Access/Collision Detection (CSMA/CD) is the Ethernet mechanism used...

Application Protocols 103

Do I Know This Already? Quiz 103
Foundation Topics 110
Domain Name System 110
File Transfer Protocol 115
Active FTP 116
Passive FTP 117
Simple Network Management Protocol 121
SNMP Notifications 122
SNMP Examples 126
Simple Mail Transfer Protocol 127
Network Time Protocol 128
Secure Shell 132
Foundation Summary 134
Q & A 136
Scenario 140
Scenario 3-1 Configuring DNS, TFTP, NTP, and SNMP 140
Scenario Answers 142
Scenario 3-1 Solutions 142

Cisco IOS Specifics and Security

Chapter 4 covers the more advanced topics available to Cisco IOS routers. It covers in detail the hardware components of a Cisco router and how to manage Cisco routers. Common Cisco device operation commands are described and examples show how to manage Cisco IOS in today's large IP networks. Cisco password recovery techniques and basic password security are detailed to ensure you have a solid grasp of Cisco device operation. Coverage of standard and extended access lists and examples conclude...

Cisco IOS Specifics and Security 145

Do I Know This Already? Quiz 145
Random-Access Memory (RAM) 151
Nonvolatile RAM (NVRAM) 151
System Flash 151
Central Processing Unit 152
Read-Only Memory 153
Configuration Registers 154
Cisco Interfaces 156
Saving and Loading Files 158
show and debug Commands 159
Router CLI 159
show Commands 159
Debugging Cisco Routers 168
Access Lists on Cisco Routers 182
Extended Access Lists 187
Scenario 4-1 Configuring Cisco Routers for Passwords and Access Lists 195

Security Protocols 199

Do I Know This Already? Quiz 199
Authentication, Authorization, and Accounting (AAA) 208
Authentication 210
Authorization 210
Accounting 211
Remote Authentication Dial-In User Service (RADIUS) 212
RADIUS Configuration Task List 215
Terminal Access Controller Access Control System Plus (TACACS+) 218
TACACS+ Configuration Task List 220
TACACS+ Versus RADIUS 224
Kerberos Configuration Task List 228
Virtual Private Dial-Up Networks (VPDN) 229
VPDN Configuration Task List 232
Data Encryption Standard...

Operating Systems and Cisco Security Applications 279

Do I Know This Already? Quiz 279
UNIX Command Structure 285
UNIX Permissions 288
UNIX File Systems 289
Browsing and Windows Names Resolution 291
Scaling Issues in Windows NT 292
Login and Permissions 293
Windows NT Users and Groups 294
Windows NT Domain Trust 294
Cisco Secure for Windows and UNIX 297
Cisco Secure Intrusion Detection System and Cisco Secure Scanner 299
NetRanger (Cisco Secure Intrusion Detection System) 300
NetSonar (Cisco Secure Scanner) 302
Cisco Security Wheel 304
Foundation...

Do I Know This Already? Quiz Answers

2 When defining an extended access list, what TCP port numbers can you use?
a. Only predefined Cisco keywords
TCP port numbers from 0 to 65,535; devices such as PCs go from 1025 to 65535.

3 When defining an extended access list, what UDP port numbers can you use?
a. Only predefined Cisco keywords

4 Which of the following is not a TCP service?

5 Which of the following is not a UDP service?

6 For how many translations does PAT allow you to use one IP address?
Port Address Translation (PAT) occurs when...

Security Technologies

Chapter 7 describes the basic security methods and evolution of the new secure networks, including packet filtering and proxies. The IP address depletion rates with IPv4 have led to NAT/PAT becoming increasingly popular; this chapter covers these topics along with sample IOS configurations. The Cisco PIX is Cisco's trademark security device, and this chapter teaches you the architecture and configuration of these unique security devices. The IOS feature set and VPNs are covered to conclude this...

Security Technologies 315

Do I Know This Already? Quiz 315
Foundation Topics 320
Advanced Security Concepts 320
Network Address Translation and Port Address Translation 324
NAT Operation on Cisco Routers 326
Cisco Private Internet Exchange (PIX) 328
Configuring a PIX 332
Cisco PIX Firewall Software Features 342
Cisco IOS Firewall Security Feature Set 344
CBAC Configuration Task List 346
Scenario 7-1 Configuring a Cisco PIX for NAT 358
Scenario Answer 359
Scenario 7-1 Solution 359

Network Security Policies, Vulnerabilities, and Protection

Chapter 8 reviews today's most common Cisco security policies and mechanisms available to the Internet community to combat cyber attacks. The standard security body, CERT/CC, is covered along with descriptions of Cisco IOS-based security methods used to ensure that all attacks are reported and acted upon. Cisco Security applications, such as Intrusion Detection System, are covered to lay the fundamental foundations you need to master the topics covered on the CCIE Security written examination.

Network Security Policies, Vulnerabilities, and Protection 361

Do I Know This Already? Quiz 361
Standards Bodies and Incident Response Teams 366
Incident Response Teams 367
Internet Newsgroups 368
Vulnerabilities, Attacks, and Common Exploits 369
Protecting Cisco IOS from Intrusion 375
Scenario 8-1 Defining IOS Commands to View DoS Attacks in Real Time 387
Scenario Answer 388
Scenario 8-1 Solution 388

Cisco Hardware

Cisco routers consist of many hardware components. The main components of a Cisco router include the following. Figure 4-1 illustrates the hardware components on Cisco routers.

Figure 4-1 Components of a Cisco Router [figure labels: Read-Only Memory (ROM), Nonvolatile RAM (NVRAM)]

Each hardware component is vital for Cisco routers to operate properly. To help you prepare for the CCIE Security written exam, the next few sections present the main...

Cisco Interfaces

Interfaces provide connections to a network. Interfaces include LANs, WANs, and management ports (that is, console and auxiliary ports). To view the current LAN or WAN interface, issue the show interface command. The show interface command displays all LAN and WAN interfaces. To display information regarding console or auxiliary ports, use the show line command. Figure 4-2 summarizes the available IOS commands that administrators can use to view a router's current configuration. Now that you...

Cisco IOS Firewall Security Feature

Cisco Systems has developed a version of IOS with security-specific features integrated in current IOS software. It is available only on some Cisco IOS devices.

NOTE The need to provide firewall functionality in existing router models led Cisco down a path of enabling IOS to be security aware. Not many folks think of Cisco as a software company but, in fact, they sell more software than hardware.

The Cisco IOS feature set consists of the following: Context-based Access Control (CBAC)...

Cisco IOS IPSec Configuration

To enable IPSec between Cisco IOS routers, the following steps are required:

Step 1 Enable ISAKMP with the IOS command crypto isakmp enable. This step globally enables or disables ISAKMP at your peer router. ISAKMP is enabled by default (optionally, define what interesting traffic will be encrypted using defined access lists).

Step 2 Define an ISAKMP policy, a set of parameters used during ISAKMP negotiation: crypto isakmp policy priority. You will enter config-isakmp command mode. Options...

Cisco PIX Firewall Software Features

A list of the current features of the Cisco PIX Firewall product follows:

State-of-the-art Adaptive Security Algorithm (ASA) and stateful inspection firewalling.
Cut-through proxy authenticates and authorizes connections, while enhancing performance.
Easy-to-use web-based interface for managing PIX Firewalls remotely; the web-based interface is not a suggested practice by Cisco for medium to large networks.
Support for up to 10 Ethernet interfaces ranging from 10-BaseT, 10/100 Fast Ethernet to...

Cisco Secure for Windows and UNIX

Cisco Systems has developed a number of scalable security software products to help protect and ensure a secured network in relation to Cisco products. Cisco Secure Access Control Server (ACS), commonly referred to as Cisco Secure, provides additional network security when managing IP networks designed with Cisco devices. Cisco Secure can run on Windows NT/2000 and UNIX platforms. Three versions of Cisco Secure are listed here:

Cisco Secure ACS for NT: This powerful ACS application for NT servers...

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM) provides a scalable and comprehensive security management system for Cisco Secure PIX Firewalls and Cisco Secure Integrated Systems. Cisco Secure Policy Manager, formerly known as the Cisco Security Manager, is a policy-based security management system for Cisco security technologies and network devices. Policy-based management allows a network administrator to define a set of high-level rules that control the deployment of and access to services, such as FTP...

Classless Interdomain Routing

Classless interdomain routing (CIDR) is a technique supported by BGP4 and based on route aggregation. CIDR allows routers to group routes together to reduce the quantity of routing information carried by the core routers. With CIDR, several IP networks appear to networks outside the group as a single, larger entity. With CIDR, IP addresses and their subnet masks are written as four octets, separated by periods, and followed by a forward slash and a two-digit number that represents the subnet...

Configuration Registers

The configuration register is a 16-bit number that defines how a router operates on a power cycle. These options include whether the IOS will be loaded from Flash or ROM. Configuration registers advise the CPU to load the configuration file from the NVRAM or to ignore the configuration file stored in memory, for example. The default configuration register is displayed as 0x2102. Table 4-1 displays the binary conversion from 0x2102. The bits are numbered from right to left. In the preceding example,...

Configuring BGP

Starting the BGP process on a Cisco router requires the following command. To define networks to be advertised, apply the following command: network network-number mask network-mask. You must be aware that the network command is not used the same way you apply networks in OSPF or EIGRP. With BGP, the network command advertises networks that are originated from the router and should be advertised via BGP. For more Cisco IOS examples of BGP, please visit Chapter 9, CCIE Security Self-Study Lab. To...

D

DATA command (SMTP), 128
data encryption: 3DES, 238; DES, 237-238; Diffie-Hellman, 240-241; DSS, 238-239; IPSec, 242; AH, 244-246; ESP, 243-244; MD5, 239-240; principles of, 235-237
data link layer (OSI model), 22
data manipulation, 369
DDOS (Distributed Denial Of Service) attacks, 371
debug all command, 171
debug commands, 168-174; options, 169-170
debugging, turning off, 163
default services, disabling, 378
defining: HTTP port number, 120; IP address names, 110; TFTP download directory, 114
del erase...

Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES)

DES is one of the most widely used encryption methods. DES turns clear text data into cipher text with an encryption algorithm. The receiving station will decrypt the data from cipher text into clear text. The encryption key is a shared secret key used to encrypt and decrypt messages. Figure 5-8 demonstrates DES encryption.

Figure 5-8 DES Encryption Methodologies

Data is encrypted using mathematical formulae to scramble data with the shared private key...

Debugging Cisco Routers

The debug command is one of the best sets of tools you will encounter on Cisco routers. The debug command is available only from privileged mode. Cisco IOS router debugging includes hardware and software to aid in troubleshooting internal problems and problems with other hosts on the network. The debug privileged EXEC mode commands start the console display of several classes of network events. For debug output to display on a console port, you must ensure that debugging to the console has not...

Dedication

This book is solely dedicated to two wonderful individuals whom I've had the pleasure of meeting on two occasions in my life. Without their inspiration and love for all humanity, I would not be here writing this book. I dedicate this book to His Excellency Monsignor Claudio Gatti and Marisa Rossi. I thank God for you. I am the Mother of the Eucharist. Know Jesus' word. Love Jesus, the Eucharist. Our Lady, Mary, Mother of the Eucharist. This book is dedicated exclusively to two people...

Diffie-Hellman

The Diffie-Hellman protocol allows two parties to establish a shared secret over insecure channels, such as the Internet. This protocol allows a secure shared key interchange over the public network, such as the World Wide Web, before any secure session and data transfer is initiated. Diffie-Hellman ensures that by exchanging just the public portions of the key, both devices can generate a session key and ensure that data is encrypted and decrypted by valid sources only. Only public keys (clear...

Digital Signature Standard (DSS)

Hashing data is one method used to ensure that data has not been tampered with. Hashing involves taking a variable length of data and producing a fixed output. A hash is defined as a one-way mathematical summary of a message (data) such that the hash value cannot be easily reconstructed into the original message. DSS is a mechanism that protects data from an undetected change while traversing the network. DSS verifies the identity of the person sending the data just as you verify your signature...

Do I Know This Already? Quiz

This assessment quiz will help you determine how to spend your limited study time. If you can answer most or all these questions, you might want to skim the Foundation Topics section and return to it later as necessary. Review the Foundation Summary section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these...

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is defined in RFC 1531 (latest RFC 2131) and provides a comprehensive method of allocating IP addresses, subnet mask, gateway address, DNS server, WINS servers, and many more parameters for IP devices. DHCP clients send messages to the server on UDP 67, and servers send messages to the client on UDP 68. Cisco routers can also be configured for DHCP. Example 2-3 configures a Cisco IOS router to allocate the entire range 131.108.1.0/24, with a gateway...

E

EBGP (external BGP), 78
EIGRP (Enhanced IGRP), 62-63; example configuration, 64-66
election process (DRs), disabling, 75
e-mail: attacks, 371; SMTP, 127-128
enable passwords, setting, 180
enabling: DNS lookup on Cisco routers, 112; FastEther Channel, 31; Nagle algorithm, 376; portfast on Cisco switches, 31; sequence numbering, 378; TCP intercept, 379
encapsulation, 26; HDLC, 80; LCP, 82; PPP, 81
encrypting passwords, 181
encryption technologies, 235; 3DES, 238; DES, 237-238; Diffie-Hellman, 240-241; DSS,...

EIGRP Terminology

EIGRP has a number of terms that must be understood by a candidate for the CCIE Security written exam. Table 2-10 defines some of the common terminology used in EIGRP.

A router in the same autonomous system (AS) running EIGRP.
EIGRP maintains a table with all adjacent routers. To view the EIGRP neighbors, use the IOS command show ip eigrp neighbors.
EIGRP maintains a topology table for all remote destinations discovered by neighboring routers. To view the topology table, the IOS command is show...

Ethernet Overview

Ethernet networks are based on a development made by Xerox, Digital, and Intel. The two versions of Ethernet are commonly referred to as Ethernet I and Ethernet II (or version 2). Ethernet uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) to transmit frames on the wire. In an Ethernet environment, all hosts can transmit as long as no other devices are transmitting. CSMA/CD is used to detect and warn other devices of any collisions, and colliding stations will use a backoff...

Exam Topics in This Chapter

1 Remote Authentication Dial-In User Service (RADIUS)
2 Terminal Access Controller Access Control System Plus (TACACS+)
4 Virtual Private Dial-up Networks (VPDN/Virtual Profiles)
5 Data Encryption Standard (DES)
9 Certificate Enrollment Protocol (CEP)
10 Point-to-Point Tunneling Protocol (PPTP)
11 Layer 2 Tunneling Protocol (L2TP)

Example of Peer-to-Peer Communication

Each layer of the OSI or TCP model has its own functions and interacts with the layer above and below it. Furthermore, the communication between each layer's end devices also establishes peer-to-peer communication; this means that each layer of the OSI model communicates with the corresponding peer. Consider the normal communication that occurs between two IP hosts over a wide-area network (WAN) running Frame Relay, as displayed in Figure 2-3.

Figure 2-3 Peer-to-Peer Communication Example...

Extended Access Lists

Extended access lists range from 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with IOS release 12.0 or later. As mentioned earlier in this chapter, extended access lists can be applied to both source and destination addresses, as well as filter protocol types and port numbers. Look at some examples of extended access lists that allow you to filter several different types of traffic. For Internet Control Message Protocol (ICMP), use the syntax shown in...

F

FAQs regarding exam, 576-580
FC (feasibility condition), 63
feasible distance, 63
features: of RADIUS, 215; of TACACS+ servers, 220
FEC (FastEther Channel), 31
FECN (forward explicit congestion notification), 83
fields: of IP packets, 34-35; of show ip route command output, 56; of TCP packets, 41-42
file systems: NTFS, 293; UNIX, 289; directories, 289-290
file attributes, modifying, 285
filtering TCP services, 322-324
firewalls, 320; Cisco IOS features, 344-345; CSPM, 299; PIX, 328; commands, 339-341...

FastEther Channel

FastEther Channel (FEC) is a Cisco method that bundles 100-Mbps Fast Ethernet ports into a logical link. Because any redundant paths between two switches mean some ports will be in a blocking state and bandwidth will be reduced, Cisco developed FEC to maximize bandwidth use. Figure 2-4 displays a switched network with two 100-Mbps connections between two switches. Because of STP, the link will be in a blocking state after the election of a root bridge, Switch A, in this case. Switch B will block one of...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

File Transfer Protocol

File Transfer Protocol (FTP), an application layer protocol of the TCP/IP protocol suite of applications, allows users to transfer files from one host to another. Two ports are required for FTP: one port is used to open the connection (port 21), and the other port is used to transfer data (20). FTP runs over TCP and is a connection-oriented protocol. To provide security, FTP allows usernames and passwords to be exchanged before any data can be transferred, adding some form of security...

File Transfer Protocol and Trivial File Transfer Protocol

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are application layer protocols (part of the TCP/IP protocol suite of applications). FTP is a connection-oriented protocol running over TCP. FTP uses two connections to maintain connectivity between two IP hosts: port 20 is used for server applications and port 21 for data transfer. TFTP runs over UDP port 69 and is a connectionless-based protocol. TFTP commonly uploads IOS and configurations to a TFTP server. TFTP is...

Foundation Summary

The Foundation Summary is a condensed collection of material for a convenient review of key concepts in this chapter. If you are already comfortable with the topics in this chapter and decided to skip most of the Foundation Topics material, the Foundation Summary will help you recall a few details. If you just read the Foundation Topics section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the Foundation Summary offers a...

Foundation Topics: Advanced Security Concepts

A wealth of security concepts has been covered; this section now covers some of the techniques used in the areas of your network that are vulnerable to attack, in particular the demilitarized zone (DMZ). The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet. Figure 7-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (first line of defense, or hosts that can be sacrificed in case...

Foundation Topics: Authentication, Authorization, and Accounting (AAA)

Authentication, authorization, and accounting (pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices. AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information. In today's IP networks, access to network data is available in a variety of methods, including the following...

Foundation Topics: Domain Name System

This section covers Domain Name System (DNS) and sample configurations used on Cisco IOS routers. DNS's primary use is to manage Internet names across the World Wide Web. For users or clients to use names instead of 32-bit IP addresses, the TCP/IP model designers developed DNS to translate names into IP addresses. DNS uses TCP and UDP port number 53. In a large IP environment, network users need an easier way to connect to hosts without having to remember 32-bit IP addresses; that's where DNS...

Foundation Topics: Network Security Policies

IP networks are susceptible to intrusion by a number of different methods. Through the campus, by dialup, and through the Internet, an intruder can view IP data and attack vulnerable network devices. IP networks must provide network security for the following reasons:

Inherent technology weaknesses: All network devices and operating systems have inherent vulnerabilities.

Configuration weaknesses: Common configuration mistakes can be exploited to open up weaknesses.

Network policy: The...

Foundation Topics: Networking Basics: The OSI Reference Model

This section covers the Open Systems Interconnection (OSI) seven-layer model theory and common examples. CCIE candidates must fully understand and appreciate the model because almost every routed protocol in use today is based on the architecture of the seven-layer model. The OSI model was developed by a standards body called the International Organization for Standardization (ISO) to provide software developers with a standard architecture for developing protocols (such as IP). For example, the OSI...

H

Hashing algorithms, 238-239 MD5, 239-240 SHA, 239-240 HDLC, (High Level Data Link Control) 80 Hello packets EIGRP, 63 OSPF, 67 HELO command (SMTP), 127 help command (DOS), 284 hiding secret passwords, 181 hijacking, 369 holdtime, 63 host IDSs, 372 hosts per subnet, calculating, 37-38 HSRP (Hot Standby Routing Protocol), 47 configuring, 50-51 enabling, 49 HTTP (Hypertext Transfer Protocol), 118 defining port number, 120 security, SSL, 121 user authentication, 119 hybrid routing protocols, EIGRP,...

HDLC

High-Level Data Link Control (HDLC) is a WAN protocol encapsulation method that allows point-to-point connections between two remote sites. Typically, HDLC is used in a leased-line setup. HDLC is a connectionless protocol that relies on upper layers to recover any frames that have encountered errors across a WAN link. HDLC is the default encapsulation on Cisco serial interfaces. Cisco routers use a proprietary form of HDLC encapsulation. Cisco added an address field in the HDLC frame, which is not...

Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP), used by web browsers and web servers, transfers files, such as text and graphic files. HTTP can also authenticate users with username and password verification between client and web servers. Cisco IOS routers can be configured from a browser client. By default, the HTTP server is disabled on Cisco routers (HTTP is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005 model routers), and there have been issues with users entering...

IKE Phase I Message Types

IKE phase I completes the following tasks: Negotiates IKE policy (message types 1 and 2). Information exchanged in these message types includes IP addresses. Proposals, such as the Diffie-Hellman group number and encryption algorithm, are also exchanged here. All messages are carried in UDP packets with a destination UDP port number of 500. The UDP payload comprises a header, an SA payload, and one or more proposals. Message type 1 offers many proposals, and message type 2 contains a single proposal....

Info

The router responds with its own sequence number and acknowledges the segment by increasing the PC's sequence number by one. Flags: U=0, A=1, P=0, R=0, S=0, F=0. Source port is 23. Ack is 14810533. Its own sequence is 3646346918. Note: It takes 3 or 4 TCP segments to open a Telnet session and 4 TCP segments to close it. The following steps are then taken by TCP: Step 1: A user on the PC initiates a Telnet session to the router. The PC sends a request with the SYN bit set to 1. The destination port number is...

Internet Control Message Protocol

Internet Control Message Protocol (ICMP) is a network layer (Layer 3) Internet protocol that reports errors and provides other information relevant to IP packet processing. ICMP is fully documented in RFC 792. ICMP's purpose is to report error and control messages. ICMP provides a number of useful services supported by the TCP/IP protocol suite, including ping requests and replies. Ping requests and replies enable an administrator to test connectivity with a remote device. Be aware that ICMP runs...

Internet Protocol

Internet Protocol (IP) is a widely used networking term that describes a network layer protocol that logically defines a distinct host or end system, such as a PC or router, with an IP address. An IP address is configured on end systems to allow communication between hosts over wide geographic locations. An IP address is 32 bits in length, with the network mask or subnet mask (also 32 bits in length) defining the host and subnet portion. Figure 2-6 displays the IP packet header frame format in...

IP Multicast

This section briefly covers the IP multicast areas of interest for the CCIE written test. The multicasting protocol was designed to reduce the high bandwidth requirements of technologies such as video on demand by delivering a single stream of information to more than one device. Applications include electronic learning, company shareholder meetings (video on demand), and software distribution. Transmission methods can be defined as unicast (one to one), multicast (one to many), and broadcast (one to all)....

IP Security IPSec

IPSec provides security services at the IP layer by enabling a system to select the required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPSec, defined in RFC 2401, is an encryption standard that protects the upper layers of the OSI model by adding a new predefined set of headers. A number of RFCs define IPSec. IPSec is a mandatory requirement for IP version 6. (IPv6 is not covered in...

L

VPDNs, 231 L2TP (Layer 2 Tunneling Protocol), 229 VPDNs, 231 lab exam, 577-578 FAQs, 578-580 sample, 583-597 Land.C attacks, 371 lastlog file (UNIX), 290 layers of OSI reference model application layer, 25 data link layer, 22 network layer, 23 IP, 33-37 spanning tree, 30 switching, 28-30 physical layer, 21 presentation layer, 24 session layer, 24 transport layer, 24 LCP (link control protocol), 82 LDAP (Lightweight Directory Access Protocol), 133 learning state (spanning tree), 31 leases...

Layer 2: The Data Link Layer

The data link layer focuses on getting data reliably across any particular kind of link. Flow control and error notifications are also functions of the data link layer. The data link layer applies to all access methods, whether they are LAN or WAN methods. Information being processed at this layer is commonly known as frames. The IEEE further complicated matters by subdividing the data link layer into two sublayers: the Logical Link Control (LLC) sublayer and the MAC sublayer. Figure 2-1 displays...

Layer 3: The Network Layer

The network layer determines the best path to a destination. Device addressing, packet fragmentation, and routing all occur at the network layer. Information being processed at this layer is commonly known as packets. Examples of network layer protocols include the following: Open Shortest Path First (OSPF); Cisco's EIGRP routing protocol. Routing protocols (OSPF, EIGRP, and BGP, for example) provide the information required to determine the topology of the internetwork and the best path to a...

Layer 4: The Transport Layer

The transport layer is responsible for segmenting upper-layer applications and establishing end-to-end connections between devices. Other transport layer functions include providing data reliability and error-free delivery mechanisms. Information being processed at this layer is commonly known as segments. Examples of transport layer protocols include the following: Transmission Control Protocol (TCP); Real-time Transport Protocol (RTP); User Datagram Protocol (UDP).

Message Digest 5 (MD5) and Secure Hash Algorithm (SHA)

Several hashing algorithms are available. The two discussed here are MD5 and SHA (sometimes called SHA-1). Message hashing is an encryption technique that ensures a message or data has not been tampered with or modified. MD5: Message hashing is supported on Cisco IOS routers. A variable-length message is taken, the MD5 algorithm is performed (for example, by the enable secret password command), and a final fixed-length hashed output message is produced. MD5 is defined in RFC 1321. Figure 5-10...

Microsoft NT Systems

This section briefly covers Windows NT 4.0. Cisco Systems requires you to have no more than a conceptual overview of Windows NT systems, so the detail in the next section is provided only to give you the foundations required to pass the CCIE Security written exam. Windows NT allows clients and servers to be grouped into domains or workgroups. A domain is typically a large group of devices under a common administration. A workgroup usually describes a smaller group of Windows devices or any...

N

Nagle algorithm, preventing Cisco IOS from attacks, 375-376 name resolution DNS, 110-111 enabling lookup on Cisco routers, 112 on Windows NT, 292 NAT (Network Address Translation), 324 deploying, 325 Dynamic NAT, configuring, 326 monitoring, 327 operation on Cisco routers, 326 NCP (Network Control Protocol), 82 NetBEUI (NetBIOS Extended User Interface), 290 NetBIOS (Network Basic Input Output NetRanger, 300 Director, 302 sensors, 300 supporting platforms, 301 typical network placement, 300...

Nonvolatile RAM (NVRAM)

Nonvolatile RAM (NVRAM) stores a copy of the router's configuration file. The contents of NVRAM are retained by the router in the event of a power cycle. When the router powers up from a power cycle or a reboot (reload command), the IOS copies the stored configuration file from NVRAM to RAM. To view the configuration file stored in NVRAM, issue the show startup-config command. In earlier versions of IOS (before version 10.3), the show config command was used to view the configuration file...

Operating Systems and Cisco Security Applications

This chapter reviews two of today's most common end-user operating systems, UNIX and Windows NT. Cisco security applications are also covered. This chapter covers the following topics: UNIX: The UNIX operating system and some of the most widely used operating commands. The section looks at the files that are manipulated in UNIX to monitor and maintain usernames and passwords. Microsoft NT Systems: Windows NT 4.0 and some of the concepts used to manage users and domains. Cisco Secure for Windows...

Organization of this Book

Each chapter starts by testing your current knowledge with a "Do I Know This Already?" quiz. This quiz is aimed at helping you decide whether you need to cover the entire chapter, whether you need to read only parts of the chapter, or whether you can skip the chapter. See Chapter 1 and the introduction to each "Do I Know This Already?" quiz for more details. Each chapter then contains a Foundation Topics section with extensive coverage of the CCIE Security exam topics covered in that chapter. A Foundation...

OSPF Configuration Example

Figure 2-17 demonstrates a two-router topology. Figure 2-17 displays three OSPF areas, with Area 2 partitioned from the backbone, necessitating a virtual link. Figure 2-17: Typical Cisco IOS OSPF topology. R1's loopbacks in Area 0: Loopback0 131.108.2.1/24, Loopback1 131.108.3.1/24, Loopback2 131.108.4.1/24, Loopback3 131.108.5.1/24, Loopback4 131.108.6.1/24, Loopback5 131.108.7.1/24. R2's loopbacks in Area 1: Loopback0 131.108.9.1/24, Loopback1 131.108.10.1/24...

OSPF in a Single Area

When configuring any OSPF router, you must establish what area assignment the interface will be enabled for. OSPF has some basic rules when it comes to area assignment. OSPF must be configured with areas. The backbone area 0, or 0.0.0.0, must be configured if you use more than one area assignment. If your OSPF design has only one area, it can have any area number. Exchanged by the routers for neighbor discovery and forming adjacency, neighbor keep-alive, and DR/BDR election. Information is shared...

Passive FTP

Passive FTP still requires the initial FTP control connection, which is initiated by the FTP client to the server. However, the second connection, the FTP data connection, is also initiated from the client to the server (the reverse of active FTP). Figure 3-3 displays a typical FTP mode of operation between a client PC and an FTP server in passive mode. The following steps are completed before data can be transferred: 1. The FTP client opens a control channel on TCP port 21 to the...

Password Recovery

Sometimes, the Cisco enable or enable secret password is unknown and you must use password recovery to obtain or change the enable secret password. Password recovery allows the network administrator to recover a lost or unknown password on a Cisco router. For password recovery, an administrator must have physical access to the router through the console or auxiliary port. When an EXEC user enters an incorrect enable password, the user receives an error message similar to the message shown in Example...

Point-to-Point Protocol (PPP)

PPP was designed to transport user information between two WAN devices (also referred to as point-to-point links). PPP was designed as an improvement over Serial Line Internet Protocol (SLIP). When PPP encapsulation is configured on a Cisco WAN interface, the network administrator can carry protocols such as IP and IPX, as well as many others. Cisco routers support PPP over asynchronous lines, High-Speed Serial Interfaces (HSSIs), ISDN lines, and synchronous serial ports. PPP has the added...

Public Key Infrastructure

In the new digital environment, a Public Key Infrastructure (PKI) ensures that sensitive electronic communications are private and protected from tampering. It provides assurances of the identities of the participants in those transactions and prevents them from later denying participation in the transaction. PKI provides the following assurances: Protects privacy by ensuring the data is not read, but can't stop someone from intercepting it (if you can't read something, what's the use of that...

Q & A

The Q & A questions are designed to help you assess your readiness for the topics covered on the CCIE Security written exam and those topics presented in this chapter. This format helps you assess your retention of the material. A strong understanding of the answers to these questions will help you on the CCIE Security written exam. You can also look over the questions at the beginning of the chapter again for further review. As an additional study aid, use the CD-ROM provided with this book...

R

Network 131.108.100.0/24: access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255. Network 131.108.200.0/24: access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255. To start, configure IKE on Router R1. Example 5-15 displays the IKE configuration on R1. Remember that IKE policies define a set of parameters to be used during IKE negotiation. crypto isakmp key CCIE address 131.10 R1 is configured to use the MD5 algorithm, and the authentication method is defined as...

Random Access Memory (RAM)

Routers use random-access memory (RAM) to store the current configuration file and other important data collected by the router. This data includes the IP routing table and buffer information. Buffers temporarily store packets before they are processed. All IOS processes, such as routing algorithms (OSPF or BGP, for example), also run in RAM. RAM information is lost if the router power cycles (when a router loses and regains power) or is restarted by an administrator. To view a router's current...

Read-Only Memory (ROM)

Read-only memory (ROM) stores a scaled-down version of a router's IOS in the event that the Flash system becomes corrupted or no current IOS image is stored in Flash. ROM also contains the bootstrap program (sometimes referred to as the rxboot image in Cisco documentation) and a device's power-up diagnostics. You can upgrade the software image on the ROM only by replacing the ROM chips, because the ROM is not programmable. The bootstrap program enables you...

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a client/server-based system that secures a Cisco network against intruders. Implemented in IOS, RADIUS sends authentication requests to a RADIUS server. RADIUS was created by Livingston Enterprises and is now defined in RFCs 2138 and 2139. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users when using Cisco IOS routers. When a RADIUS server authenticates a...

Requirements for Fast EtherChannel

All ports that are part of a FEC bundle must be set to the same speed. All ports must belong to the same VLAN. Duplex must be the same (half or full), not a mixture. Up to eight ports can be bundled together. To set Fast EtherChannel on a switch, the CatOS syntax is set port channel. To set Fast EtherChannel on a router, the IOS syntax is channel-group under the Fast Ethernet interface. Table 2-19: The States of Spanning Tree. The port is not participating in spanning tree...

Router CLI

Cisco IOS routers allow network administrators access to a wide range of show and debug commands. The show command displays various information about the router's state of play, such as the Ethernet collisions on a particular interface or a router's configuration file. Only a subset of show commands is available in User EXEC mode. The full range is available in privileged EXEC mode (PRIV EXEC mode). The debug command is a more advanced IOS command that allows the administrator to view...

Routing Information Protocol

Routing Information Protocol (RIP) is one of the oldest routing protocols in use today. RIP is a distance vector protocol. Table 2-9 defines the characteristics of a distance vector protocol. Table 2-9: Distance Vector Protocol Characteristics. Periodic updates are sent at a set interval; for IP RIP, this interval is 30 seconds. Updates are sent to the broadcast address 255.255.255.255. Only devices running routing algorithms will listen to these...

S

SA (Security Association), 242 sacrificial hosts, 370 SAM (Security Accounts Manager), 293 SAML command (SMTP), 128 sample lab exam, 583-597 saving configuration files, 158 scalability, Windows NT, 292 secret passwords, hiding, 181 security, 321 accounting, 211-212 authentication, 210 authorization, 210-211 CBAC, configuring, 346-347 encryption technologies, 235 3DES, 238 DES, 237-238 Diffie-Hellman, 240-241 DSS, 238-239 IPSec, 242-246 MD5, 239-240 principles of, 235-237 firewalls, 320 Cisco...

Saving and Loading Files

The configuration file can reside on the router's NVRAM, RAM, or on a TFTP server. When a router boots with the default configuration register (0x2102), the configuration file is copied from NVRAM to RAM. Network administrators typically save the configuration files to a TFTP server as a backup, in case of a router failure. To save a configuration file from RAM to NVRAM (after configuration changes are made), the IOS command is copy running-config startup-config. The write terminal command will...

Scaling Issues in Windows NT

In larger Windows NT environments, you can have many domains. Windows NT allows information sharing between domains with the use of trusted domains. A trusted domain grants or denies access to clients without having to manage each user individually. Each domain can exchange information and form a trust relationship. Based on these trust relationships, end users from each domain can be allowed or denied access. Creating trust relationships allows secure data to flow between different domains and...

Scenario 2-1 Answers: Routing IP on Cisco Routers

Cisco IOS routers will route between directly connected interfaces and, because PC1 cannot ping PC2 on another subnet, the PC1 gateway address must not be configured correctly. 2. Answer d. The first request will fail because of the ARP broadcast. The subsequent pings (five in total: one for an ARP request and four successful replies) will reply successfully. 3. Answer b. show ip arp displays the correct ARP address table for the devices in Figure 2-21.