Conclusion

Having many Cisco certifications myself, the joy and success I have achieved has significantly changed my life and that of my family. There are always challenges facing network engineers and, no doubt, becoming a certified Cisco professional who meets those challenges will drive you to acquire skills you never knew you could master. I sincerely hope you enjoy your time spent with this book; it took over six months and many long nights to complete to ensure you have the perfect companion...

Access Lists on Cisco Routers

By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 4-4 illustrates the steps taken if an access list is configured on a Cisco router.

Figure 4-4 Access List Decision Taken by a Cisco Router

If an incoming IP packet is received on a router and no access list is defined, the packet is forwarded to the IP routing software. If an access list is defined and applied, the packet is checked against the access list,...

Border Gateway Protocol

Border Gateway Protocol (BGP) is an exterior routing protocol used widely in the Internet. It is commonly referred to as BGP4 (version 4). BGP4 is defined in RFC 1771. BGP allows you to create an IP network free of routing loops between different autonomous systems. An autonomous system (AS) is a set of routers under the same administrative control. BGP is called a path vector protocol because it carries a sequence of AS numbers that indicates the path taken to a remote network. This...

CBAC Configuration Task List

Configuring CBAC requires the following tasks:

Picking an interface: internal or external
Configuring IP access lists at the interface
Configuring global timeouts and thresholds
Defining an inspection rule
Applying the inspection rule to an interface
Configuring logging and audit trail
Other guidelines for configuring a firewall

Example 7-5 shows a router named R1 with two Ethernet interfaces, one defined as the inside interface (Ethernet0) and one as the outside interface (Ethernet1). For this...

General Networking Topics

Chapter 2 covers general networking technologies, including an overview of the OSI model, switching concepts, and routing protocols. The TCP/IP model is presented and explained with common applications used in today's IP networks. Routing protocols and sample configurations are presented to ensure that you have a good understanding of how Cisco IOS routes IP datagrams. Concluding this chapter is a discussion of some of today's most widely used WAN protocols, including PPP, ISDN, and Frame...

Q & A Answers

1. What are the seven layers of the OSI model?

Answer: The seven layers of the OSI model are as follows:

2. What layer of the OSI model is responsible for ensuring that IP packets are routed from one location to another?

Answer: The network layer is primarily responsible for routing IP packets from one destination to another.

3. What mechanism is used in Ethernet to guarantee packet delivery over the wire?

Answer: Carrier Sense Multiple Access/Collision Detection (CSMA/CD) is the Ethernet mechanism used...

Operating Systems and Cisco Security Applications

Do I Know This Already? Quiz
UNIX Command Structure
UNIX Permissions
UNIX File Systems
Browsing and Windows Names Resolution
Scaling Issues in Windows NT
Login and Permissions
Windows NT Users and Groups
Windows NT Domain Trust
Cisco Secure for Windows and UNIX
Cisco Secure Intrusion Detection System and Cisco Secure Scanner
NetRanger (Cisco Secure Intrusion Detection System)
NetSonar (Cisco Secure Scanner)
Cisco Security Wheel
Foundation...

Network Security Policies Vulnerabilities and Protection

Chapter 8 reviews today's most common Cisco security policies and mechanisms available to the Internet community to combat cyber attacks. The standard security body, CERT/CC, is covered along with descriptions of Cisco IOS-based security methods used to ensure that all attacks are reported and acted upon. Cisco Security applications, such as Intrusion Detection System, are covered to lay the fundamental foundations you need to master the topics covered on the CCIE Security written examination.

Cisco IOS IPSec Configuration

To enable IPSec between Cisco IOS routers, the following steps are required:

Step 1 Enable ISAKMP with the IOS command crypto isakmp enable. This step globally enables or disables ISAKMP at your peer router. ISAKMP is enabled by default. (Optionally, define what interesting traffic will be encrypted using defined access lists.)

Step 2 Define an ISAKMP policy, a set of parameters used during ISAKMP negotiation:

crypto isakmp policy priority

You will enter config-isakmp command mode. Options...

Cisco IOS Specifics and Security

This chapter covers the CCIE IOS Specifics blueprint. Unfortunately, the blueprint does not detail the exact requirements, and IOS in general could mean the entire range of topics. We cover topics that are actually possible topics in the written exam and common to the Routing and Switching blueprint. This chapter covers the following topics:

Cisco Hardware: This section covers the hardware components on a Cisco router, namely the System Flash, nonvolatile RAM (NVRAM), and how files are saved to...

Configuring BGP

To start the BGP process on a Cisco router requires the following command. To define networks to be advertised, apply the following command:

network network-number mask network-mask

You must be aware that the network command is not used the same way you apply networks in OSPF or EIGRP. With BGP, the network command advertises networks that are originated from the router and should be advertised via BGP. For more Cisco IOS examples of BGP, please visit Chapter 9, CCIE Security Self-Study Lab. To...

Debugging Cisco Routers

The debug command is one of the best sets of tools you will encounter on Cisco routers. The debug command is available only from privileged mode. Cisco IOS router debugging includes hardware and software to aid in troubleshooting internal problems and problems with other hosts on the network. The debug privileged EXEC mode commands start the console display of several classes of network events. For debug output to display on a console port, you must ensure that debugging to the console has not...

Do I Know This Already Quiz

This assessment quiz will help you determine how to spend your limited study time. If you can answer most or all these questions, you might want to skim the Foundation Topics section and return to it later as necessary. Review the Foundation Summary section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these...

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is defined in RFC 1531 (latest RFC 2131) and provides a comprehensive method of allocating IP addresses, subnet mask, gateway address, DNS server, WINS servers, and many more parameters for IP devices. DHCP clients send messages to the server on UDP 67, and servers send messages to the client on UDP 68. Cisco routers can also be configured for DHCP. Example 2-3 configures a Cisco IOS router to allocate the entire range 131.108.1.0/24, with a gateway...

E

EBGP (external BGP), 78
EIGRP (Enhanced IGRP), 62-63
    example configuration, 64-66
election process (DRs), disabling, 75
e-mail attacks, 371
    SMTP, 127-128
enable passwords, setting, 180
enabling
    DNS lookup on Cisco routers, 112
    FastEther Channel, 31
    Nagle algorithm, 376
    portfast on Cisco switches, 31
    sequence numbering, 378
    TCP intercept, 379
encapsulation, 26
    HDLC, 80
    LCP, 82
    PPP, 81
encrypting passwords, 181
encryption technologies, 235
    3DES, 238
    DES, 237-238
    Diffie-Hellman, 240-241
    DSS,...

EIGRP Terminology

EIGRP has a number of terms that must be understood by a candidate for the CCIE Security written exam. Table 2-10 defines some of the common terminology used in EIGRP.

Neighbor: A router in the same autonomous system (AS) running EIGRP. EIGRP maintains a table with all adjacent routers. To view the EIGRP neighbors, use the IOS command show ip eigrp neighbors.

Topology table: EIGRP maintains a topology table for all remote destinations discovered by neighboring routers. To view the topology table, the IOS command is show...

Example of Peer-to-Peer Communication

Each layer of the OSI or TCP model has its own functions and interacts with the layer above and below it. Furthermore, the communication between each layer's end devices also establishes peer-to-peer communication; this means that each layer of the OSI model communicates with the corresponding peer. Consider the normal communication that occurs between two IP hosts over a wide-area network (WAN) running Frame Relay, as displayed in Figure 2-3.

Figure 2-3 Peer-to-Peer Communication Example...

Extended Access Lists

Extended access lists range from 100 through 199 and 2000 through 2699. Alternatively, you can use a named access list with IOS release 12.0 or later. As mentioned earlier in this chapter, extended access lists can be applied to both source and destination addresses, as well as filter protocol types and port numbers. Look at some examples of extended access lists that allow you to filter several different types of traffic. For Internet Control Message Protocol (ICMP), use the syntax shown in...

FastEther Channel

FastEther Channel (FEC) is a Cisco method that bundles 100-Mbps Fast Ethernet ports into a logical link. Because any redundant paths between two switches mean some ports will be in a blocking state and bandwidth will be reduced, Cisco developed FEC to maximize bandwidth use. Figure 2-4 displays a switched network with two 100-Mbps connections between them. Because of STP, the link will be in a blocking state after the election of a root bridge, Switch A, in this case. Switch B will block one of...

File Transfer Protocol

File Transfer Protocol (FTP), an application layer protocol of the TCP/IP protocol suite of applications, allows users to transfer files from one host to another. Two ports are required for FTP: one port is used to open the connection (port 21), and the other port is used to transfer data (20). FTP runs over TCP and is a connection-oriented protocol. To provide security, FTP allows usernames and passwords to be exchanged before any data can be transferred, adding some form of security...

Foundation Summary

The Foundation Summary is a condensed collection of material for a convenient review of key concepts in this chapter. If you are already comfortable with the topics in this chapter and decided to skip most of the Foundation Topics material, the Foundation Summary will help you recall a few details. If you just read the Foundation Topics section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the Foundation Summary offers a...

Foundation Topics Advanced Security Concepts

A wealth of security concepts has been covered; now some of the techniques used in the areas of your network that are vulnerable to attack are covered, in particular the Demilitarized Zone (DMZ). The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet. Figure 7-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (first line of defense, or hosts that can be sacrificed in case...

Foundation Topics Domain Name System

This section covers Domain Name System (DNS) and sample configurations used on Cisco IOS routers. DNS's primary use is to manage Internet names across the World Wide Web. For users or clients to use names instead of 32-bit IP addresses, the TCP/IP model designers developed DNS to translate names into IP addresses. DNS uses TCP and UDP port number 53. In a large IP environment, network users need an easier way to connect to hosts without having to remember 32-bit IP addresses; that's where DNS...

Foundation Topics Networking Basics The OSI Reference Model

This section covers the Open Systems Interconnection (OSI) seven-layer model theory and common examples. CCIE candidates must fully understand and appreciate the model because almost every routed protocol in use today is based on the architecture of the seven-layer model. The OSI model was developed by a standards body called the International Organization for Standardization (ISO) to provide software developers a standard architecture to develop protocols (such as IP). For example, the OSI...

Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP), used by web browsers and web servers, transfers files, such as text and graphic files. HTTP can also authenticate users with username and password verification between client and web servers. Cisco IOS routers can be configured from a browser client. By default, Cisco routers are disabled for HTTP server (HTTP is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005 model routers), and there have been issues with users entering...

IKE Phase I Message Types

IKE phase I completes the following tasks:

Negotiates IKE policy (message types 1 and 2). Information exchanged in these message types includes IP addresses. Proposals, such as Diffie-Hellman group number and encryption algorithm, are also exchanged here. All messages are carried in UDP packets with a destination UDP port number of 500. The UDP payload comprises a header, an SA payload, and one or more proposals. Message type 1 offers many proposals, and message type 2 contains a single proposal....

Internet Control Message Protocol

Internet Control Message Protocol (ICMP) is a network layer (Layer 3) Internet protocol that reports errors and provides other information relevant to IP packet processing. ICMP is fully documented in RFC 792. ICMP's purpose is to report error and control messages. ICMP provides a number of useful services supported by the TCP/IP protocol, including ping requests and replies. Ping requests and replies enable an administrator to test connectivity with a remote device. Be aware that ICMP runs...

Internet Protocol

Internet Protocol (IP) is a widely used networking term that describes a network layer protocol that logically defines a distinct host or end system, such as a PC or router, with an IP address. An IP address is configured on end systems to allow communication between hosts over wide geographic locations. An IP address is 32 bits in length, with the network mask or subnet mask (also 32 bits in length) defining the host and subnet portion. Figure 2-6 displays the IP packet header frame format in...

IP Multicast

This section briefly covers the IP multicast areas of interest for the CCIE written test. The multicasting protocol was designed to reduce the high bandwidth requirements of technologies, such as video on demand, to a single stream of information to more than one device. Applications include electronic learning, company share meetings (video on demand), and software distribution. Multicasting can be defined as unicast (one to one), multicast (one to many), and broadcast (one to all)....

IP Security (IPSec)

IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPSec, defined in RFC 2401, is an encryption standard that encrypts the upper layers of the OSI model by adding a new predefined set of headers. A number of RFCs define IPSec. IPSec is a mandatory requirement for IP version 6. (IPv6 is not covered in...

Layer 3: The Network Layer

The network layer determines the best path to a destination. Device addressing, packet fragmentation, and routing all occur at the network layer. Information being processed at this layer is commonly known as packets. Examples of network layer protocols include the following:

Open Shortest Path First (OSPF)
Cisco's EIGRP routing protocol

Routing protocols (OSPF, EIGRP, and BGP, for example) provide the information required to determine the topology of the internetwork and the best path to a...

Microsoft NT Systems

This section briefly covers Windows NT 4.0. Cisco Systems requires you to have no more than a conceptual overview on Windows NT systems, so the detail in the next section is only provided to give you the required foundations to pass the CCIE Security written exam. Windows NT allows clients and servers to be grouped into domains or workgroups. A domain is typically a large group of devices under a common administration. A workgroup usually describes a smaller group of Windows devices or any...

Organization of this Book

Each chapter starts by testing your current knowledge with a Do I Know this already quiz. This quiz is aimed at helping you decide whether you need to cover the entire chapter, whether you need to read only parts of the chapter, or if you can skip the chapter. See Chapter 1 and the introduction to each Do I Know this already quiz for more details. Each chapter then contains a Foundation Topics section with extensive coverage of the CCIE Security exam topics covered in that chapter. A Foundation...

OSPF Configuration Example

Figure 2-17 demonstrates a two-router topology. Figure 2-17 displays three OSPF areas with Area 2 partitioned from the backbone, necessitating a virtual link.

Figure 2-17 Typical Cisco IOS OSPF Topology

R1's Loopbacks in Area 0:
Loopback0 131.108.2.1/24
Loopback1 131.108.3.1/24
Loopback2 131.108.4.1/24
Loopback3 131.108.5.1/24
Loopback4 131.108.6.1/24
Loopback5 131.108.7.1/24

R2's Loopbacks in Area 1:
Loopback0 131.108.9.1/24
Loopback1 131.108.10.1/24...

OSPF in a Single Area

When configuring any OSPF router, you must establish what area assignment the interface will be enabled for. OSPF has some basic rules when it comes to area assignment. OSPF must be configured with areas. The backbone area 0, or 0.0.0.0, must be configured if you use more than one area assignment. If your OSPF design has only one area, it can have any number.

Exchanged by the routers for neighbor discovery and forming adjacency, neighbor keep-alive, and DR/BDR election. Information is shared...

Password Recovery

Sometimes, the Cisco enable or secret password is unknown and you must use password recovery to attain or change the enable secret password. Password recovery allows the network administrator to recover a lost or unknown password on a Cisco router. For password recovery, an administrator must have physical access to the router through the console or auxiliary port. When an EXEC user enters an incorrect enable password, the user receives an error message similar to the message shown in Example...

Public Key Infrastructure

In the new digital environment, a Public Key Infrastructure (PKI) ensures that sensitive electronic communications are private and protected from tampering. It provides assurances of the identities of the participants in those transactions, and prevents them from later denying participation in the transaction. PKI provides the following assurances:

Protects privacy by ensuring the data is not read, but can't stop someone from intercepting it (if you can't read something, what's the use of that...

Q & A

The Q & A questions are designed to help you assess your readiness for the topics covered on the CCIE Security written exam and those topics presented in this chapter. This format helps you assess your retention of the material. A strong understanding of the answers to these questions will help you on the CCIE Security written exam. You can also look over the questions at the beginning of the chapter again for further review. As an additional study aid, use the CD-ROM provided with this book...

R

131.108.100.0/24 <- access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
131.108.200.0/24 -> access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255

To start, configure IKE on Router R1. Example 5-15 displays the IKE configuration on R1. Remember that IKE policies define a set of parameters to be used during IKE negotiation.

crypto isakmp key CCIE address 131.10

R1 is configured to use the MD5 algorithm, and the authentication method is defined as...

Random Access Memory (RAM)

Routers use random-access memory (RAM) to store the current configuration file and other important data collected by the router. This data includes the IP routing table and buffer information. Buffers temporarily store packets before they are processed. All IOS processes, such as routing algorithms (OSPF or BGP, for example), also run in RAM. RAM information is lost if the router power cycles (when a router loses and regains power) or is restarted by an administrator. To view a router's current...

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a client/server-based system that secures a Cisco network against intruders. Implemented in IOS, RADIUS sends authentication requests to a RADIUS server. RADIUS was created by Livingston Enterprises and is now defined in RFC 2138/2139. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users when using Cisco IOS routers. When a RADIUS server authenticates a...

Requirements for FastEther Channel

All ports part of FEC must be set to the same speed.
All ports must belong to the same VLAN.
Duplex must be the same (half or full), not a mixture.
Up to eight ports can be bundled together.

To set FastEther Channel on a switch, the CatOS syntax is set port channel. To set FastEther Channel on a router, the IOS syntax is channel-group under the Fast Ethernet interface.

Table 2-19 The States of Spanning Tree

The port is not participating in spanning tree...

Routing Information Protocol

Routing Information Protocol (RIP) is one of the oldest routing protocols in use today. RIP is a distance vector protocol. Table 2-9 defines the characteristics of a distance vector protocol.

Table 2-9 Distance Vector Protocol Characteristics

Periodic updates are sent at a set interval; for IP RIP, this interval is 30 seconds.
Updates are sent to the broadcast address 255.255.255.255.
Only devices running routing algorithms will listen to these...

Scenario 4-1: Configuring Cisco Routers for Passwords and Access Lists

Figure 4-6 displays a simple one-router network with two Ethernet LAN interfaces connecting users on subnet 131.108.1.0/24 to the server IP network, 131.108.2.0/24.

Figure 4-6 Scenario Physical Topology

Example 4-40 displays the working configuration file on R1, numbered from line 1 to 25.

Example 4-40 R1's Full Configuration

2. no service password-encryption
4. no logging console debugging
5. enable secret 5 $1$TBUV$od27CrEfa4UVICBtwvqol
6. enable password ciscO
7. interface...

Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time

Figure 8-3 displays a typical two-router topology with an external connection to the Internet via R1.

Figure 8-3 Two-Router Network Attacked by External Intruder (ICMP/TCP/UDP attack; administrator is not sure)

In this scenario, a Cisco IOS router is subjected to ICMP, TCP, or UDP IP packets. The network administrator is not sure of what type but notices the log file that is buffered to the Router R2 has just increased from 1 MB to 2.5 MB in less than...

Scenario 8-1 Solution

The network administrator can quickly configure an extended access list permitting all ICMP, UDP, or TCP, as shown in Example 8-12, applying the access list to the inbound interface on R2, Serial 0/0. (The configuration is truncated to focus on the critical configuration.)

Example 8-12 Access List Configuration on R2

interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
 ip access-group 100 in
access-list 100 permit icmp any any log-input
access-list 100 permit tcp any any log-input...

Secure Shell

Secure Shell (SSH) is a protocol that provides a secure connection to a router. Cisco IOS supports version 1 of SSH, which enables clients to make a secure and encrypted connection to a Cisco router. Before SSH was implemented, the only form of security available when accessing devices such as routers was Telnet username password authentication, which is clearly visible with a network sniffer. Telnet is insecure because a protocol analyzer can view the information in clear text form. Figure 3-8...

Secure Socket Layer

Secure Socket Layer (SSL) is an encryption technology for web host devices used to provide secure transactions. For example, a secure transaction is required when clients enter their credit card numbers for e-commerce via their browser. When the end user enters a web address via an Internet browser, such as Internet Explorer, instead of entering an HTTP web address in the address window, the end user enters an HTTPS web address. Secure Hypertext Transfer Protocol, or HTTPS, transports...

Security Technologies

This chapter covers some of today's most widely used technologies that enable network administrators to ensure that sensitive data is secured from unauthorized sources. Cisco's support for security is also covered, as are all the fundamental foundation topics you will need to master the CCIE Security written exam. This chapter covers the following topics:

Advanced security concepts: This section covers some of the advanced security policies in demilitarized zones (DMZs). Packet filtering,...

Show Commands

The best method to appreciate the use of show commands is to display sample output from a Cisco IOS router. Example 4-6 displays a list of truncated show commands available from the CLI on a Cisco router in PRIV EXEC mode.

List access expression
List access lists
Accounting data for active sessions
Adjacent nodes
Display alias commands
ARP table
Information on terminal lines used as router
Bridge Forwarding/Filtering Database verbose
Buffer pool statistics
Display information about dialup...

TACACS+ Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:

Step 1 Use the aaa new-model global configuration command to enable AAA, which must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to the link www.cisco.com/univercd.

Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons. The command is as follows:

tacacs-server host hostname single-connection port integer...

UNIX Command Structure

UNIX servers and hosts are managed using files. To manage the files, you need to be aware of the UNIX command structure. A UNIX command contains three basic parts; Figure 6-1 displays the parts of a UNIX command.

Figure 6-1 Three Parts of a UNIX Command

Figure 6-1 displays the copy request command (cp). Notice that most UNIX commands are abbreviations of English words. For example, the copy command is defined by cp. The first part of any UNIX command tells the device to run a specific program or...

Virtual Links

All OSPF areas must be connected to the backbone area (Area 0). Figure 2-16 demonstrates a topology where an area (Area 100) is not directly connected to the backbone.

Figure 2-16: Virtual Link or New WAN circuit required

To ensure that Area 100 is reachable by the backbone, a virtual link can be configured over the transit area (200), and IP connectivity will be maintained. Virtual links are typically used in a transition phase (for example, when one company buys...

Virtual Private Networks

A virtual private network (VPN) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level. VPN is very loosely defined as a network in which a customer or end user connects to one or more sites through a public infrastructure, such as the Internet or World Wide Web. We have already discussed dialup VPNs or Virtual Private Dialup Network (VPDN) in Chapter 5, Security...

Warning and Disclaimer

This book is designed to provide information about the CCIE Security written exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or...

Foreword

The CCIE program is designed to help individuals, companies, industries, and countries succeed in the networked world by distinguishing the top echelon of internetworking experts. In particular, the CCIE Security Certification is designed to identify network security experts. The first step along the CCIE Security path is for individuals to take a challenging written exam designed to assess their knowledge across a range of technologies. If their scores indicate expert-level knowledge,...

Virtual Private Dial-Up Networks (VPDN)

A VPDN is a network that extends remote access dialup clients to a private network. VPDN tunnels use either Layer 2 forwarding (L2F) or Layer 2 Tunnel Protocol (L2TP). Cisco introduced L2F in RFC 2341. It is also used to forward PPP sessions for Multichassis Multilink PPP. L2TP, introduced in RFC 2661, combines the best of the Cisco L2F protocol and Microsoft Point-to-Point Tunneling Protocol (PPTP). Moreover, L2F supports only dial-in VPDN, while L2TP supports both dial-in and dial-out VPDN....

Kerberos

Kerberos is a trusted third-party authentication application layer service (Layer 7 of the OSI model). Kerberos is a secret-key network authentication protocol developed at the Massachusetts Institute of Technology (MIT) that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC). Figure 5-4 displays the Kerberos authentication process when a remote client...

NetRanger (Cisco Secure Intrusion Detection System)

NetRanger is an enterprise intrusion detection system designed to detect, report, and, in the event of unauthorized access, terminate data sessions between users and host devices. NetRanger is an application designed to detect unauthorized access. Users are not aware that NetRanger is watching data across the network; it is transparent to all systems.

NetRanger Sensor: High-speed device that analyzes the contents of data being transported across a network and determines whether that traffic is...

Cisco Private Internet Exchange (PIX)

Cisco Private Internet Exchange (PIX) and Cisco IOS feature sets are designed to further enhance a network's security. The Private Internet Exchange (PIX) Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN Configuration (IPSec), FTP logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple...

Intrusion Detection System

Intrusion detection systems (IDS) are designed to detect and thwart network attacks. Based on their location, they can be either of the following:

Network IDS: Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.

Host IDS: Examines operating system information, such as logs or system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are generated.

Chapter 6 defines...

Address Resolution Protocol (ARP)

ARP determines a host's MAC address when the IP address is known. For example, to ping one device from another, the Layer 2 MAC fields require a destination MAC address. Because this is the first such request, a broadcast packet is sent across the wire to discover the remote host's MAC address. Figure 2-11 displays a scenario where PC1 wants to ping Host PC2. When PC1 sends a ping request to PC2 using the known IP address 1.1.1.2 (Layer 3), a broadcast Layer 2 frame is sent to the destination...

CCIE Security Written Exam Blueprint

This section includes the entire CCIE Security written exam blueprint (exam objectives) from the Cisco website and indicates the corresponding chapters in this book that cover those objectives. Table 1-1 lists the CCIE Security written exam blueprint and where you can find the material covered in this book. As you can see, the blueprint places the objectives into eight categories. Table 1-1 CCIE Security Written Exam Blueprint (Exam Objectives) Table 1-1 lists the CCIE Security written exam...

Study Tips for CCIE Security Examinations

This appendix describes some study tips and options for you to consider while preparing for the CCIE Security written and lab examinations. CCIE is regarded as the most sought-after certification in the industry today; more and more vendors are devising their own certification programs and trying to catch up to the industry-leading Cisco Systems. Working in the CCIE program, I have seen many changes and challenges facing potential CCIEs every day for the past two years. As of August 22, 2002,...

Steps Required to Achieve CCIE Security Certification

The CCIE Security certification requires a candidate to pass two exams: a 2-hour, computer-based written exam (350-018) consisting of 100 questions, and an 8-hour lab examination. For the written exam, the pass mark is approximately 70 percent, but it varies according to statistics and could float between 65 and 75 percent. This book is designed to help prepare you for this written exam. For the lab examination, the passing score is set at 80 percent. Historically, the lab examination was a full 2-day lab; that changed October 1, 2001. All CCIE lab...

CCIE Security Self-Study

Chapter 9 is designed to assist you in your final preparation for the CCIE Security exam. Developed by a CCIE proctor from the CCIE team (formerly at the Sydney CCIE lab and currently at the Brussels CCIE lab), this chapter contains a sample CCIE Security lab with full working solutions to ensure that you are fully prepared for the final hurdle, the CCIE laboratory examination. This lab is intended to challenge your practical application of the knowledge covered in the book, and it should give you a good sense...

Standards Bodies and Incident Response Teams

A number of standards bodies today help a network administrator design a sound security policy. The two main entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators. The CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous worm incident (a virus...

Encryption Technology Overview

When prominent Internet sites, such as www.cnn.com, are exposed to security threats, the news reaches all parts of the globe. Ensuring that data across any IP network is secure and not prone to vulnerable threats is one of today's most challenging topics in the IP storage arena (so much so that Cisco released an entirely new CCIE certification track). Major problems for network administrators include the following: Packet snooping (eavesdropping): when intruders capture and decode traffic...

Vulnerabilities, Attacks, and Common Exploits

This section covers some of the vulnerabilities in TCP/IP and the tools used to exploit IP networks. TCP/IP is an open standard protocol, which means that both network administrators and intruders are aware of the TCP/IP architecture and vulnerabilities. NOTE: There are a number of network vulnerabilities, such as weak password protection, lack of authentication mechanisms, use of unprotected routing protocols, and firewall holes. This section concentrates on TCP/IP vulnerabilities. Network intruders...

Multiple OSPF Areas

An OSPF area is a logical grouping of routers and links by a network administrator. OSPF routers in any area share the same topological view (also known as the OSPF database) of the network. OSPF is configured in multiple areas to reduce routing table sizes, which in turn reduces the topological database and the CPU and memory requirements on a router. Routing tables become very large even with just 50 routers. Cisco recommends no more than 50 routers per area. The OSPF database is exchanged in...

SNMP Notifications

SNMP's key feature is the ability to generate notifications from SNMP agents. Cisco routers can be configured to send SNMP traps or inform requests to a Network Management System (NMS), where a network administrator can view the data. Figure 3-6 displays the typical communication between an SNMP manager and the SNMP agent (for example, an SNMP-enabled Cisco router). Unsolicited notifications can be generated as traps or inform requests. Traps are messages alerting the SNMP manager to a...

"Do I Know This Already?" Quiz Answers

1. RFC 1700 defines what well-known ports for DNS? DNS is permitted by RFC 1700 to use both TCP and UDP port 53. Typically, vendors configure DNS for UDP port 53.

a. A default username/password pairing. DNS has no form of security, so any device can request name-to-IP address mappings.

3. What IOS command will stop a Cisco router from querying a DNS server when an invalid IOS command is entered at the EXEC or PRIV prompt? To disable DNS query lookup, the IOS command in global configuration mode is no...

NetSonar (Cisco Secure Scanner)

NetSonar is a Cisco Systems-developed product, now named Cisco Secure Scanner. NetSonar is a software tool designed to investigate vulnerable systems within a network and report the vulnerabilities to the network administrator. NetSonar scans the network to uncover systems that might be vulnerable to security threats by performing a number of predefined steps: Network mapping: NetSonar compiles an electronic inventory of all host devices on the network. Security assessment: NetSonar identifies...

Scenario 3-1: Configuring DNS, TFTP, NTP, and SNMP

This scenario uses a configuration taken from a working Cisco IOS router and tests your skills with DNS, TFTP, NTP, and SNMP. Example 3-12 displays the configuration of a Cisco router named R1.

Example 3-12 R1 Running Configuration (excerpt): ip address 131.108.255.1 255.255.255.252

1. What happens when a network administrator types the host name Router1 at the router prompt? (Select the best two answers.) a. DNS queries are disabled; nothing will be...

Common Windows DOS Commands

The following are some of the most widely used DOS commands in Windows environments, along with sample displays.

ipconfig: Displays the IP address and subnet mask.

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix . : cisco.com
        IP Address. . . . . . . . . . . . : 150.100.1.253
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 150.100.1.240

ipconfig /all: Displays more detailed information about TCP/IP configurations, such as DNS and domain names.

        IP Routing Enabled. . . . . . . . :
        WINS Proxy Enabled. . . . . . . . :
        DNS Suffix Search List. . . . . . :
Ethernet adapter Local Area Connection:
        Connection-specific DNS...

Asynchronous Communications and Access Devices

An asynchronous (async) communication is a digital signal that is transmitted without precise clocking. The RS-232 session between a router and PC through the console connection is an example of async communications. Such signals generally have different frequencies and phase relationships. Asynchronous transmissions usually encapsulate individual characters in control bits (called start and stop bits) that designate the beginning and the end of each character. For example, the auxiliary port...

Network Address Translation and Port Address Translation

NAT is a router function that translates the addresses of hosts behind a firewall. This also helps to overcome the IP address shortage. It also provides security by hiding the entire network and its real IP addresses. NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into legal addresses on the outside (public) network. PAT provides additional address expansion but is less flexible...

RADIUS Configuration Task List

A RADIUS server is usually software that runs on a variety of platforms, including Microsoft NT servers or a UNIX host. RADIUS can authenticate router users and vendors, and even

To configure RADIUS on your Cisco router or access server, perform the following tasks:

Step 1: Enable AAA with the aaa new-model global configuration command. AAA must be configured if you plan to use RADIUS.

Step 2: Use the aaa authentication global configuration command to define method lists for RADIUS authentication....

Terminal Access Controller Access Control System Plus (TACACS+)

Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username/password pairing. Cisco has also developed Cisco Secure Access Control Server (CSACS), a flexible family of security servers that supports both RADIUS and TACACS+. You can even run debugging commands on the Cisco Secure ACS software. In UNIX, you can modify files, such as syslog.conf and csu.cfg, to change the output to...

Trivial File Transfer Protocol

Trivial File Transfer Protocol (TFTP) is a protocol that allows data files to be transferred from one device to another using the connectionless protocol, UDP. TFTP uses UDP port number 69. TFTP is typically used in environments where bandwidth is not a major concern and IP packets that are lost can be resent by the higher layers (typically the application layer). TFTP has little security. In fact, the only security available to TFTP transfer is defining the directory on the host TFTP device...

CCIE Security Certification

At this stage, you have decided to pursue CCIE Security certification, which requires you to pass a two-hour, 100-question written qualification exam (350-018) and a one-day lab. NOTE: In addition to the CCIE Security certification, there are CCIE certifications for Routing and Switching and for Communications and Services. For information on these other CCIE certifications, see level_home.html. After you successfully complete the written examination, you can take the one-day lab. You must...

EIGRP Configuration Example

Configure a two-router EIGRP network with two Frame Relay links between two routers to demonstrate the redundancy mechanism with the EIGRP DUAL algorithm. Figure 2-15 displays a two-router topology using the same addressing as the RIP example in Figure 2-14.

Figure 2-15 EIGRP Configuration Example

R1's loopbacks: Loopback0 131.108.4.1/24, Loopback1 131.108.5.1/24, Loopback2 131.108.6.1/24.
R2's loopbacks: Loopback0 131.108.7.1/24, Loopback1 131.108.8.1/24, Loopback2 131.108.9.1/24.

Routers R1 and R2...

NAT Operation on Cisco Routers

When a packet leaves the inside network, NAT translates the inside address to a unique InterNIC address for use on the outside network, as shown in Figure 7-2. The R1 router in Figure 7-2 will be configured for an address translation and will maintain a NAT table. When an IP packet returns from the outside network, the NAT router will then perform an address translation from the valid InterNIC address to the original local inside address. Look at the steps required to configure Dynamic NAT on a...

Network Time Protocol

Network Time Protocol (NTP) is used for accurate time keeping and can reference atomic clocks that are present on the Internet, for example. NTP is capable of synchronizing clocks within milliseconds and is a useful protocol when reporting error logs (for instance, from Cisco routers). For NTP, the defined ports are UDP port 123 and TCP port 123. NTP can support a connection-oriented server (TCP guarantees delivery) or a connectionless one (UDP for non-critical applications). An NTP network usually gets...

How to Prepare for the CCIE Security Written Exam Using This Book

This book provides several tools designed to prepare you for the CCIE Security written exam. Each chapter helps you evaluate your comprehension of the exam objectives from the blueprint (see Table 1-1). In addition, this book includes a CD-ROM with a bank of over 300 sample exam questions you can use to take practice exams. The CD-ROM contains a good mixture of easy and difficult questions to mimic the content and questions asked in the real examination. NOTE: For more information about the CCIE...

VPDN Configuration Task List

To configure VPDNs on the home gateway router, complete the following steps:

Step 1: Create a virtual template interface, and enter interface configuration mode.
Step 2: Identify the virtual template interface type and number on the LAN.
Step 3: Enable PPP encapsulation on the virtual template interface.
Step 4: Enable PPP authentication on the virtual template interface.
Step 5: Enable the global configuration command to allow virtual private networking on the NAS and home gateway routers.
Step 6...

Routing Protocols

This section covers four main routing protocols. Before discussing the characteristics of each protocol, this section covers how routers (Cisco routers, in particular) generally route IP packets. Routing is a process whereby a path to a destination host is selected by either a dynamic or static routing protocol. A routing protocol is an algorithm that routes data across the network. Each router makes routing decisions from host to destination based on specific metrics used by the operating...

IKE Phase II Message Types

IKE phase II negotiates the SA and the keys that will be used to protect the user data. IKE phase II messages occur more frequently, typically every few minutes, whereas IKE phase I messages might occur once a day. IP datagrams that exchange IKE messages use UDP (connectionless) destination port 500. Phase II negotiations occur in a mode called Oakley quick mode and have three different message exchanges. Quick mode can be either of the following: Without key exchange (no PFS enabled); With key exchange...

CCIE Security Written Exam

The CCIE Security written exam uses the typical certification test format of asking multiple-choice questions with one or more correct answers per question. What makes some of the questions more difficult is that more than five answer choices are listed on some questions. This reduces the power of eliminating answers and choosing from those remaining. However, the number of required answers is given for each question. You might be required to give only one answer or select a couple of correct...

CCIE Security Lab Exam

NOTE: Although the focus of this book is to prepare you for the CCIE Security written exam only, you can find bonus material, such as this section, that helps start your preparation for the lab exam. Passing the written examination is the easier part of the CCIE Security certification journey. For the lab exam, your life needs to change dramatically, and you need to study on routers full time for at least three to six months. The good news is that the format of the lab examination has changed...

Switching and Bridging

This section covers Layer 2 devices that are used to bridge or switch frames using common techniques to improve network utilization, such as VLANs. The terms switch and bridge are used to mean the same technology. Switching, or bridging, is defined as a process of taking an incoming frame from one interface and delivering it through another interface. Source stations are discovered and placed in a switch address table (called the content-addressable memory (CAM) table in Cisco terms). Routers use...

Protecting Cisco IOS from Intrusion

Now that you have a snapshot of modern security concerns, this section looks at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks. Figure 8-2 displays a typical network scenario. You see how to configure the router, separating the public and private networks so that the private network is not vulnerable. Figure...

Foundation Topics: UNIX

The UNIX operating system was developed in 1969 at Bell Laboratories. UNIX has continued to develop since its inception. AT&T, for example, released UNIX 4.0. UNIX was designed to be a multiuser system (more than one user can connect to the host at one time), and it is usually used for multiuser systems and networks. Because most engineers are more familiar with DOS (and Windows NT) than UNIX, this section presents some analogies to demonstrate the UNIX command structure. The operating...

Hot Standby Router Protocol

HSRP allows networks with more than one gateway to provide redundancy in case of interface or router failure on any given router. HSRP allows router redundancy in a network. It is a Cisco proprietary solution that predates the IETF-defined Virtual Router Redundancy Protocol (VRRP). To illustrate HSRP, Figure 2-12 displays a six-router network with clients on Ethernet segments in Sydney and San Jose. NOTE: Cisco exams typically test Cisco proprietary protocols more heavily than industry...

CCIE Security Self-Study Lab

CCIE Security Self-Study Lab Part I Goals; CCIE Security Self-Study Lab Part II Goals; General Lab Guidelines and Setup; Communications Server; CCIE Security Self-Study Lab Part I: Basic Network Connectivity (4 Hours); Basic Frame Relay Setup; Physical Connectivity; Catalyst Ethernet Switch Setup I; Catalyst Ethernet Switch Setup II; IP Host Lookup and Disable DNS; PIX Configuration; IGP Routing; Basic ISDN Configuration; DHCP Configuration; BGP Routing...

Using This Book to Prepare for the CCIE Security Written Exam

Cisco Systems offers many different varieties and levels of career certifications, including the three current CCIE certification tracks. This book helps prepare you for the written exam (350-018) for the CCIE Security certification. The CCIE program has existed for almost 10 years. The relative complexity of the CCIE examinations prompted Cisco to introduce associate and professional levels of certification to provide candidates a way to progress through the various levels of certification....