Intrusion Detection System

Intrusion detection systems (IDS) are designed to detect and thwart network attacks. Based on their location, they can be either of the following:
Network IDS: Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.
Host IDS: Examines operating system information, such as logs or system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are generated.
Chapter 6 defines...

Address Resolution Protocol (ARP)

ARP determines a host's MAC address when the IP address is known. For example, to ping one device from another, the Layer 2 MAC fields require a destination MAC address. Because this is the first such request, a broadcast packet is sent across the wire to discover the remote host's MAC address. Figure 2-11 displays a scenario where PC1 wants to ping Host PC2. When PC1 sends a ping request to PC2 using the known IP address 1.1.1.2 (Layer 3), a broadcast Layer 2 frame is sent to the destination...

CCIE Security Written Exam Blueprint

This section includes the entire CCIE Security written exam blueprint (exam objectives) from the Cisco website and indicates the corresponding chapters in this book that cover those objectives. Table 1-1 lists the CCIE Security written exam blueprint and where you can find the material covered in this book. As you can see, the blueprint places the objectives into eight categories.
Table 1-1: CCIE Security Written Exam Blueprint (Exam Objectives)...

Study Tips for CCIE Security Examinations

This appendix describes some study tips and options for you to consider while preparing for the CCIE Security written and lab examinations. CCIE is regarded as the most sought-after certification in the industry today; more and more vendors are devising their own certification programs and trying to catch up to the industry-leading Cisco Systems. Working in the CCIE program, I have seen many changes and challenges facing potential CCIEs every day for the past two years. As of August 22, 2002,...

Steps Required to Achieve CCIE Security Certification

The CCIE Security certification requires a candidate to pass two exams:
A 2-hour, computer-based written exam (350-018) consisting of 100 questions. The pass mark is approximately 70 percent, but it varies according to statistics and could float between 65 and 75 percent. This book is designed to help prepare you for this written exam.
An 8-hour lab examination. The passing score is set at 80 percent. Historically, the lab examination was a full 2-day lab; this format changed on October 1, 2001. All CCIE lab...

CCIE Security Self-Study

Chapter 9 is designed to assist you in your final preparation for the CCIE Security exam. Developed by one former (Sydney CCIE lab) and current CCIE proctor (Brussels CCIE lab) from the CCIE team, this chapter contains a sample CCIE Security lab with full working solutions to ensure that you are fully prepared for the final hurdle, the CCIE laboratory examination. This lab is intended to challenge your practical application of the knowledge covered in the book, and it should give you a good sense...

Do I Know This Already? Quiz

Answers to these questions can be found in Appendix A, Answers to Quiz Questions.
1. What are the three components of AAA? (Choose the three best answers.)
2. What IOS command must be issued to start AAA on a Cisco router?
3. What algorithm initiates and encrypts a session between two routers' exchange keys between two encryption devices? d. The stac compression algorithm
4. Can you configure RADIUS and TACACS+ concurrently on a Cisco IOS router? b. Yes, provided you have the same list names applied...

Standards Bodies and Incident Response Teams

A number of standards bodies today help a network administrator design a sound security policy. The two main entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators. The CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous worm incident (a virus...

Encryption Technology Overview

When prominent Internet sites, such as www.cnn.com, are exposed to security threats, the news reaches all parts of the globe. Ensuring that data across any IP network is secure and not prone to vulnerable threats is one of today's most challenging topics in the IP storage arena (so much so that Cisco released an entirely new CCIE certification track). Major problems for network administrators include the following:
Packet snooping (eavesdropping): When intruders capture and decode traffic...

Vulnerabilities, Attacks, and Common Exploits

This section covers some of the vulnerabilities in TCP/IP and the tools used to exploit IP networks. TCP/IP is an open standard protocol, which means that both network administrators and intruders are aware of the TCP/IP architecture and its vulnerabilities. NOTE: There are a number of network vulnerabilities, such as weak password protection, lack of an authentication mechanism, use of unprotected routing protocols, and firewall holes. This section concentrates on TCP/IP vulnerabilities. Network intruders...

Multiple OSPF Areas

An OSPF area is a logical grouping of routers and links by a network administrator. OSPF routers in any area share the same topological view (also known as the OSPF database) of the network. OSPF is configured in multiple areas to reduce routing table sizes, which in turn reduces the size of the topological database and the CPU and memory requirements on a router. Routing tables become very large even with just 50 routers. Cisco recommends no more than 50 routers per area. The OSPF database is exchanged in...

SNMP Notifications

SNMP's key feature is the ability to generate notifications from SNMP agents. Cisco routers can be configured to send SNMP traps or inform requests to a Network Management System (NMS), where a network administrator can view the data. Figure 3-6 displays the typical communication between an SNMP manager and the SNMP agent (for example, an SNMP-enabled Cisco router). Unsolicited notifications can be generated as traps or inform requests. Traps are messages alerting the SNMP manager to a...

Do I Know This Already? Quiz Answers

1. RFC 1700 defines what well-known ports for DNS? DNS is permitted by RFC 1700 to use both TCP and UDP port 53. Typically, UDP is vendor-configured for UDP port 53.
a. A default username/password pairing. DNS has no form of security, so any device can request name-to-IP address mappings.
3. What IOS command will stop a Cisco router from querying a DNS server when an invalid IOS command is entered at the EXEC or PRIV prompt? To disable DNS query lookup, the IOS command in global configuration mode is no...

NetSonar (Cisco Secure Scanner)

NetSonar is a Cisco Systems-developed product, now named Cisco Secure Scanner. NetSonar is a software tool designed to investigate vulnerable systems within a network and report the vulnerabilities to the network administrator. NetSonar scans the network to uncover systems that might be vulnerable to security threats by performing a number of predefined steps:
Network mapping: NetSonar compiles an electronic inventory of all host devices on the network.
Security assessment: NetSonar identifies...

Kerberos Configuration Task List

To configure Kerberos support on a Cisco router, complete the following tasks:
Step 1: Define the default realm for the router.
Step 2: Specify to the router which KDC to use in a given Kerberos realm and, optionally, the port number that the KDC is monitoring. (The default port number is 88.)
kerberos server kerberos-realm hostname | ip-address port-number
Step 3: Map a host name or DNS domain to a Kerberos realm (optional).
kerberos realm dns-domain | host kerberos-realm
NOTE: The kerberos...

Scenario 3-1: Configuring DNS, TFTP, NTP, and SNMP

This scenario uses a configuration taken from a working Cisco IOS router and tests your skills with DNS, TFTP, NTP, and SNMP. Example 3-12 displays the configuration of a Cisco router named R1.
Example 3-12: R1 Running Configuration
ip address 131.108.255.1 255.255.255.252
1. What happens when a network administrator types the host name Router1 at the router prompt? (Select the best two answers.)
a. DNS queries are disabled; nothing will be...

Common Windows DOS Commands

The following are some of the most widely used DOS operating commands in Windows environments, along with sample displays.
ipconfig: Displays the IP address and subnet mask. Sample display: Ethernet adapter Local Area Connection: cisco.com 150.100.1.253 255.255.255.0 150.100.1.240
ipconfig /all: Displays more detailed information about TCP/IP configurations, such as DNS and domain names. Sample display: IP Routing Enabled. . . WINS Proxy Enabled. . . DNS Suffix Search List. Ethernet adapter Local Area Connection: Connection-specific DNS...

Asynchronous Communications and Access Devices

An asynchronous (async) communication is a digital signal that is transmitted without precise clocking. The RS-232 session between a router and PC through the console connection is an example of async communications. Such signals generally have different frequencies and phase relationships. Asynchronous transmissions usually encapsulate individual characters in control bits (called start and stop bits) that designate the beginning and the end of each character. For example, the auxiliary port...

Network Address Translation and Port Address Translation

NAT is a router function that translates the addresses of hosts behind a firewall. This also helps to overcome the IP address shortage. It also provides security by hiding the entire network and its real IP addresses. NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into legal addresses on the outside (public) network. PAT provides additional address expansion but is less flexible...

RADIUS Configuration Task List

A RADIUS server is usually software that runs on a variety of platforms, including Microsoft NT servers or a UNIX host. RADIUS can authenticate router users and vendors, and even
To configure RADIUS on your Cisco router or access server, perform the following tasks:
Step 1: Enable AAA with the aaa new-model global configuration command. AAA must be configured if you plan to use RADIUS.
Step 2: Use the aaa authentication global configuration command to define method lists for RADIUS authentication....

Terminal Access Controller Access Control System Plus (TACACS+)

Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username/password pairing. Cisco has also developed Cisco Secure Access Control Server (CSACS), a flexible family of security servers that supports both RADIUS and TACACS+. You can even run debugging commands on the Cisco Secure ACS software. In UNIX, you can modify files, such as syslog.conf and csu.cfg, to change the output to...

Q &amp; A Answers

1. According to RFC 1700, what is the well-known TCP/UDP port used by DNS? Answer: RFC 1700 defines the well-known ports for the whole TCP/IP protocol suite. For DNS, the well-known port for TCP/UDP is number 53.
2. What does the IOS command no ip domain-lookup accomplish? Answer: This IOS command disables DNS queries for network administrators connected to a Cisco console or vty line.
3. What is the correct IOS syntax to specify local host mapping on a Cisco router? Answer: Local host mappings to IP...

Trivial File Transfer Protocol

Trivial File Transfer Protocol (TFTP) is a protocol that allows data files to be transferred from one device to another using the connectionless protocol, UDP. TFTP uses UDP port number 69. TFTP is typically used in environments where bandwidth is not a major concern and IP packets that are lost can be resent by the higher layers (typically the application layer). TFTP has little security. In fact, the only security available to TFTP transfer is defining the directory on the host TFTP device...

CCIE Security Certification

At this stage, you have decided to pursue CCIE Security certification, which requires you to pass a two-hour, 100-question written qualification exam (350-018) and a one-day lab. NOTE: In addition to the CCIE Security certification, there are CCIE certifications for Routing and Switching and for Communications and Services. For information on these other CCIE certifications, see level_home.html. After you successfully complete the written examination, you can take the one-day lab. You must...

EIGRP Configuration Example

Configure a two-router EIGRP network with two Frame Relay links between two routers to demonstrate the redundancy mechanism of the EIGRP DUAL algorithm. Figure 2-15 displays a two-router topology using the same addressing as the RIP example in Figure 2-14.
Figure 2-15: EIGRP Configuration Example
R1's loopbacks: Loopback0 131.108.4.1/24, Loopback1 131.108.5.1/24, Loopback2 131.108.6.1/24
R2's loopbacks: Loopback0 131.108.7.1/24, Loopback1 131.108.8.1/24, Loopback2 131.108.9.1/24
Routers R1 and R2...

NAT Operation on Cisco Routers

When a packet leaves the inside network, NAT translates the inside address to a unique InterNIC address for use on the outside network, as shown in Figure 7-2. The R1 router in Figure 7-2 will be configured for an address translation and will maintain a NAT table. When an IP packet returns from the outside network, the NAT router will then perform an address translation from the valid InterNIC address to the original local inside address. Look at the steps required to configure Dynamic NAT on a...

Network Time Protocol

Network Time Protocol (NTP) is used for accurate timekeeping and can reference atomic clocks that are present on the Internet, for example. NTP is capable of synchronizing clocks to within milliseconds and is a useful protocol when reporting error logs (for instance, from Cisco routers). For NTP, the defined ports are UDP port 123 and TCP port 123. NTP can support a connection-oriented server (TCP guarantees delivery) or a connectionless one (UDP for non-critical applications). An NTP network usually gets...

How to Prepare for the CCIE Security Written Exam Using This Book

This book provides several tools designed to prepare you for the CCIE Security written exam. Each chapter helps you evaluate your comprehension of the exam objectives from the blueprint (see Table 1-1). In addition, this book includes a CD-ROM with a bank of over 300 sample exam questions you can use to take practice exams. The CD-ROM contains a good mixture of easy and difficult questions to mimic the content and questions asked in the real examination. NOTE: For more information about the CCIE...

VPDN Configuration Task List

To configure VPDNs on the home gateway router, complete the following steps:
Step 1: Create a virtual template interface, and enter the interface configuration mode.
Step 2: Identify the virtual template interface type and number on the LAN.
Step 3: Enable PPP encapsulation on the virtual template interface.
Step 4: Enable PPP authentication on the virtual template interface.
Step 5: Enable the global configuration command to allow virtual private networking on the NAS and home gateway routers.
Step 6:...

Routing Protocols

This section covers four main routing protocols. Before discussing the characteristics of each protocol, this section covers how routers (Cisco routers, in particular) generally route IP packets. Routing is a process whereby a path to a destination host is selected by either a dynamic or a static routing protocol. A routing protocol is an algorithm that routes data across the network. Each router makes routing decisions from host to destination based on specific metrics used by the operating...

IKE Phase II Message Types

IKE phase II negotiates the SA and the keys that will be used to protect the user data. IKE phase II messages occur more frequently, typically every few minutes, whereas IKE phase I messages might occur once a day. IP datagrams that exchange IKE messages use UDP (connectionless) destination port 500. Phase II negotiations occur in a mode called Oakley quick mode and have three different message exchanges. Quick mode can be the following:
Without key exchange: No PFS enabled.
With key exchange:...

CCIE Security Written Exam

The CCIE Security written exam uses the typical certification test format of asking multiple-choice questions with one or more correct answers per question. What makes some of the questions more difficult is that more than five answer choices are listed on some questions. This reduces the power of eliminating answers and choosing from those remaining. However, the number of required answers is given for each question. You might be required to give only one answer or select a couple of correct...

CCIE Security Lab Exam

NOTE: Although the focus of this book is to prepare you for the CCIE Security written exam only, you can find bonus material, such as this section, that helps start your preparation for the lab exam. Passing the written examination is the easier part of the CCIE Security certification journey. For the lab exam, your life needs to change dramatically, and you need to study on routers full time for at least three to six months. The good news is that the format of the lab examination has changed...

Switching and Bridging

This section covers Layer 2 devices that are used to bridge or switch frames using common techniques to improve network utilization, such as VLANs. The terms switch and bridge are used to mean the same technology. Switching, or bridging, is defined as the process of taking an incoming frame from one interface and delivering it through another interface. Source stations are discovered and placed in a switch address table (called the content-addressable memory, or CAM, table in Cisco terms). Routers use...

Protecting Cisco IOS from Intrusion

Now that you have a snapshot of modern security concerns, this section looks at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks. Figure 8-2 displays a typical network scenario. You see how to configure the router, separating the public and private networks so that the private network is not vulnerable. Figure...

Foundation Topics: UNIX

The UNIX operating system was developed in 1969 at Bell Laboratories. UNIX has continued to develop since its inception. AT&amp;T, for example, released UNIX 4.0. UNIX was designed to be a multiuser system (more than one user can connect to the host at one time), and it is usually used for multiuser systems and networks. Because most engineers are more familiar with DOS (and Windows NT) than UNIX, this section presents some analogies to demonstrate the UNIX command structure. The operating...

Hot Standby Router Protocol

HSRP allows networks with more than one gateway to provide redundancy in case of an interface or router failure on any given router. HSRP allows router redundancy in a network. It is a Cisco proprietary solution that predates the IETF-defined Virtual Router Redundancy Protocol (VRRP). To illustrate HSRP, Figure 2-12 displays a six-router network with clients on Ethernet segments in Sydney and San Jose. NOTE: Cisco exams typically test Cisco proprietary protocols more heavily than industry...

CCIE Security Self-Study Lab

CCIE Security Self-Study Lab Part I Goals
CCIE Security Self-Study Lab Part II Goals
General Lab Guidelines and Setup
Communications Server
CCIE Security Self-Study Lab Part I: Basic Network Connectivity (4 Hours)
Basic Frame Relay Setup
Physical Connectivity
Catalyst Ethernet Switch Setup I
Catalyst Ethernet Switch Setup II
IP Host Lookup and Disable DNS
PIX Configuration
IGP Routing
Basic ISDN Configuration
DHCP Configuration
BGP Routing...

Using This Book to Prepare for the CCIE Security Written Exam

Cisco Systems offers many different varieties and levels of career certifications, including the three current CCIE certification tracks. This book helps prepare you for the written exam (350-018) for the CCIE Security certification. The CCIE program has existed for almost 10 years. The relative complexity of the CCIE examinations prompted Cisco to introduce associate and professional levels of certification to provide candidates a way to progress through the various levels of certification....