A use guard root and bpdu guard

Q2) Explain how VLAN configuration can mitigate VLAN hopping attacks. (Source: Mitigating Layer 2 Attacks)
Q3) What is the effect of using the guard root and bpdu-guard enhancement commands? (Source: Mitigating Layer 2 Attacks)
Q4) Match each of the mitigation techniques with the type of attack that it will mitigate by putting the letter of the technique in the space provided beside each type of attack. (Source: Mitigating Layer 2 Attacks)
3-86 Securing Cisco Network Devices (SND) v2.0 2006 Cisco...

A VACL provides granular control for limited access within a VLAN or subnet

VACLs, also known as VLAN maps, can be used to filter VLAN traffic. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces, VACLs are applied to any VLAN. When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. The list of commands here shows how to define and apply a VLAN access map. In this example, IP traffic matching ACL 100 is forwarded, and all other IP packets are dropped because of the default...

ACL name: Cisco IOS Release 11.2 and later. You provide the name of the ACL.

- Names contain alphanumeric characters.
- Names cannot contain spaces or punctuation and must begin with an alphabetic character.
- You can add or delete entries within the ACL.
Prior to Cisco IOS Release 11.2, you had to assign a number to each ACL as you created it. Since then, either a number or a name can identify Cisco ACLs and the protocols that they filter. Using numbered ACLs is an effective method on smaller networks with more homogeneously defined traffic. Because each ACL type is...

ACLs can control access on a port-by-port basis

The figure shows how a DDoS attack occurs, as described here:
- Client: Behind a client is a person who launches the attack.
- Handler: A handler is a compromised host running the attacker program. Each handler is capable of controlling multiple agents.
- Agent: An agent is a compromised host that is running the attacker program. Each agent is responsible for generating a stream of packets that it directs toward the intended victim.
Routers can help reduce the number of DDoS attacks by using ACLs to filter known attack ports....

Adaptive Solution with Converged Best-of-Breed Security Services

Figure (security services overview): packet inspection, protocol validation, accurate enforcement, robust resiliency; attack detection, granular packet inspection, application control, dynamic response; VPN: SSL VPN, IPsec VPN, user-based security, group-based management, clustering. Threats addressed: access breaches, session abuse, port scans, malformed packets, application misuse, DoS and hacking, known...

Application inspection firewalls

Application inspection firewalls:
- Are aware of the Layer 5 state of a connection
- Check the conformity of application commands on Layer 5
- Are able to check and affect Layer 7 (for example, Java applet or peer-to-peer filtering)
- Prevent more kinds of attacks than stateful firewalls
Application inspection firewalls ensure the security of applications and services. Some applications require special handling by the firewall application inspection function. Applications that require special application inspection functions are those...

Application Layer Firewall

Application layer firewalls, also called proxy firewalls or application gateways, provide a higher level of security than circuit level firewalls because they allow the greatest level of control. Application level proxy servers work on Layer 1 through Layer 7 of the OSI model. Most application layer firewalls include specialized application software and proxy servers. A proxy is an application that does work on behalf of something else. Proxy services are special-purpose programs that manage...

Application Layer Proxy Firewall

An application layer firewall operates on OSI Layers 3, 4, 5, and 7. Advantages of application layer proxy firewalls:
- This firewall authenticates individuals, not devices.
- Hackers have a harder time with spoofing and implementing DoS attacks.
- This firewall can monitor and filter application data.
- This firewall can provide detailed logging.
Application layer firewalls filter information at Layers 3, 4, 5, and 7 of the OSI reference model. Because application layer firewalls process...

Applying ACLs to Interfaces

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out
Tulsa(config-if)# end
Before applying a packet filtering ACL to a router interface, make sure you know in which direction it will filter. Apply ACLs to router interfaces using the ip access-group command in interface configuration mode, as shown in the figure. The syntax for the ip access-group command is as follows: ip access-group...

Authentication dictionary attacks

These attacks are described in "Security of the WEP Algorithm":
- Passive attacks to decrypt traffic based on statistical analysis
- Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext
- Active attacks to decrypt traffic, based on tricking the access point
- Dictionary-building attacks, which, after analysis of traffic for about a day, allow real-time automated decryption of all traffic
Passive or Weak Initialization Vector Attack
An initialization vector (IV)...

Basic 802.11 Security Issues

- Checks for devices that do not possess key
- Hardware theft may be an issue
One-way authentication
- No integration with existing network authentication methods
- May render either client or network vulnerable
- Important to two-way (mutually) authenticate user and network
Basic 802.11 WEP security is designed to guard against the threat to network security from unauthorized 802.11 devices outside the LAN. Any device with a valid WEP key is considered a legitimate and authorized user. If the...

CAM has learned MAC B is on Port

Figure: hosts A, B, and C (MAC A, MAC B, MAC C) attached to the switch; MAC C does not see traffic to MAC B anymore.
Now, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The key to understanding how CAM overflow attacks work is to know that CAM tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch CAM table is full. The switch then enters into what is known as a...

CAM Learns MAC B Is on Port

Figure: hosts A, B, and C (MAC A, MAC B, MAC C) attached to the switch; host C drops the packet addressed to host B.
Host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and writes that information into the CAM table. Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Choose the Cisco IOS Firewall when you need

- A one-box solution with powerful security, QoS, multiprotocol routing, integrated WAN interfaces, and voice application support
- To leverage network infrastructure for security
- Extensive VPN support integrated with a firewall in a single device
Cisco 800 Series, 1700 Series, and 1800 Series Routers; Cisco 2600 and 3600 Series Multiservice Platforms and Cisco 2800 Series Integrated Services Routers; Cisco 3700 Series Multiservice Access Routers and 3800 Series Integrated Services Routers; VPN and...

Choosing an Interface for Terminating IPsec

Easy VPN Server Wizard (10% complete): select the interface on which the Easy VPN Server should be configured; Easy VPN clients will connect to the server through this interface. Select the method used for authenticating VPN clients connecting to this Easy VPN Server. Select the method used for authenticating VPN...

Choosing the Type of Firewall You Need

Choose the Cisco IOS Firewall that meets your network security needs: basic or advanced. The figure shows the top part of the Cisco IOS Firewall configuration screen. You can choose either a basic firewall or an advanced firewall. Once you choose the firewall that you want, the Use Case Scenario figure appears for each selection. The two firewalls differ in these ways:
Basic Firewall: A basic firewall is a...

Cisco ASA 5500 Series Adaptive Security Appliances

Figure (Cisco ASA 5500 Series): VPN technology (Cisco VPN 3000 Series Concentrator); network intelligence (Cisco network services); adaptive threat defense and secure connectivity. Secure connectivity: IPsec and SSL VPN. Adaptive threat defense and secure connectivity: application inspection, use enforcement, web control, application security; traffic-admission control, proactive response, network containment and control. Secure connectivity...

Cisco IOS Firewall Features

The Cisco IOS Firewall combines the functions of packet inspection and proxy firewalls to provide an optimal security solution on one chassis. This topic describes the features of the Cisco IOS Firewall.
- Application and protocol inspection and control
- Dynamic, per-user authentication and authorization
- Administrative access control with AAA
- Extensive multimedia support, including streaming video, streaming audio, and voice applications
The Cisco IOS Firewall is a stateful inspection firewall...

Cisco IOS IPS Signature Features

- Regular expression string pattern matching: Enables the creation of string patterns using regular expressions
- Enables the sensor to take an action when the signature is triggered
- Enables the sensor to aggregate alarms, to limit the number of times an alarm is sent when the signature is triggered
- Enables a signature to be tuned to perform optimally in a network
- Enables a signature to defeat evasive techniques used by an attacker
The table in the figure describes the features of Cisco IOS...

Cisco IOS VPN-Enabled Routers

With Cisco routers running Cisco IOS software, organizations can easily deploy and scale site-to-site VPNs of any topology, from hub-and-spoke VPNs to the more complex, fully meshed VPNs. In addition, the Cisco IOS security features combine the VPN feature set with firewall, intrusion prevention, and extensive Cisco IOS capabilities, including quality of service (QoS), multiprotocol, multicast, and advanced routing support. The Cisco IOS feature sets incorporate these VPN features: Voice and...

Cisco PIX 500 Series Security Appliances Hardware acceleration

Here are more details on the Cisco VPN product family:
Cisco VPN-enabled routers and switches: Cisco VPN security routers and switches represent the best options for customers of all sizes looking to take advantage of their existing network infrastructures to deploy VPNs and security while integrating all services in a single device with the widest selection of WAN and LAN interfaces.
Cisco VPN 3000 Series Concentrators: Cisco VPN 3000 Series Concentrators are the most feature-rich remote-access...

Cisco Unified Wireless Network

- Unified: built-in support of leading-edge applications, not an afterthought (Cisco Wireless Location Appliance, Cisco WCS, SDN, NAC, Wi-Fi phones, and RF firewalls)
- World-class NMS that visualizes and helps secure your air space (WCS)
- Seamless network infrastructure across a range of platforms: Cisco 2000 and 4400 Wireless LAN Controllers; future: Cisco Catalyst 6500 Series WiSM, ISR, and 3750 integration
- APs dynamically configured and managed through LWAPP: Cisco Aironet Access Points 1500, 1300,...

Cisco VPN 3000 Series Concentrators

- Customized application access
- Fully clientless Citrix support
- Integrated web-based management
- Clustering and load-balancing capabilities
- Broad user authentication support
Cisco VPN 3000 Series Concentrators are ideal for organizations that require advanced and flexible remote-access VPN technology and that prefer the operational simplicity and management segregation of a focused-function VPN device. Here are some of the features of the Cisco VPN 3000 Series Concentrator platform: Customized...

Cisco VPN Product Family

Figure labels: Site-to-Site VPN and Firewall Routers; Cisco PIX 500 Series Security Appliance and Cisco ASA 5500 Series Adaptive Security Appliance.
The portfolio of the Cisco VPN product family includes remote and site-to-site Cisco IOS VPN and firewall security routers, Cisco Catalyst 6500 Series Switches with VPN service modules (not shown), Cisco PIX security appliances, and Cisco ASA 5500 Series Adaptive Security Appliances.

Cisco VPN Product Positioning (Cont.)

Figure (VPN product positioning, continued): Cisco VPN 3060 and 3080 Concentrators; Cisco Catalyst 6500 and 7600 Series Switches; Series Routers. Small business or remote office with branch office: Cisco VPN 3005 and 3015 Concentrators; Cisco VPN software and hardware Client; 3700 Multiservice Access Routers, 3800 Series Integrated Services Routers, 7000 Series Routers; 1700, 1800, 2600 Series Multiservice Access Routers, 2800 Integrated Services Routers...

Client requests are filtered on the basis of Layer 5 and Layer 7 information

The topology in the figure represents a typical proxy server deployment. An application layer firewall usually has two network interfaces: one interface is used for the client connections, and a second interface is used for accessing the website from the Internet. Application proxies separate the trusted and untrusted networks either physically or logically. The example in the figure shows a client inside the network requesting access to a website. The client browser uses a proxy server for all...

Combining Access Functions

Figure: router R2 in the reference network, with interfaces e0/0 and e0/1, the Remote Access LAN 16.2.1.0/24, and the public web, mail, and admin servers (addresses shown: 9.2.1.1, 9.1.1.1, 16.2.0.10/24, 16.1.1.1).
This is an example of a possible configuration for router R2 in the reference network. This partial configuration file contains several ACLs that contain most of the ACL features already explained in this lesson. View this partial configuration as an example of how to integrate multiple ACL policies into a few main router ACLs. The partial configuration file that follows...

Comparing HIPS and Network IPS

- Application-level encryption protection
- Not visible on the network
- Operating system independent
- Lower level network events seen
- Does not understand context of an attack
The table compares HIPS and network IPS advantages and disadvantages.

Configure host address service and service type

The advanced firewall configuration allows you to secure your private network by applying access and inspection rules to inside (trusted), outside (untrusted), and DMZ interfaces. A DMZ network is a buffer zone used to isolate traffic that comes from an untrusted network. If you have a DMZ network, choose the interface that connects to it when using an advanced firewall. The Cisco SDM Firewall Wizard will guide you through the steps to complete these tasks: Define inside and outside interfaces...

Configure restrict or shutdown violation rules

A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the...

Configuring a Group Policy Configuration Location External Location via RADIUS

Easy VPN Server Wizard (50% complete): group policy configuration location; an external RADIUS server will be used for group authorization.
The screen captures show the configuration steps...

Configuring a Local User Database User Authentication

Easy VPN Server Wizard (65% complete): user authentication; Enable User Authentication; select the servers or the AAA policy that defines them, or select an existing AAA method list. Local database will be used for user authentication.

Configuring Cisco IOS IPS Using Cisco SDM

This topic explains how to configure Cisco IOS IPS using the Cisco SDM GUI.
Using Cisco SDM to Configure Cisco IOS IPS
2. Launch the IPS Rules Wizard.
3. Choose a router interface to apply the IPS rule.
4. Choose the traffic flow direction to be inspected by the IPS rules.
5. Specify where the router will find the SDFs.
6. Confirm status of interfaces and signature files.
7. Configure signature alarm severity, event actions, and parameters.
8. Save the Cisco IPS configuration to the router.
The...

Configuring Global Settings

Screen: Configured SDF Locations (Add, Edit, Delete, Move Up, Move Down, Reload Signatures).
The screen capture shows the global features that you can configure using the Cisco SDM GUI. To access and configure a particular global feature, choose the item name and click the Edit button.

Configuring IPsec Transform Sets

Easy VPN Server Wizard (35% complete): A transform set specifies the encryption and authentication settings for data in the VPN tunnel. Data integrity and encryption (ESP): Integrity Algorithm ESP_SHA_HMAC, Encryption Algorithm ESP_AES_256. Data and address integrity without encryption (AH).
Click the Add button to add a new transform set and the Edit... Click...

Configuring Local Group Policies

The screen capture shows where to configure the group policies. From this page, you can add a new group, edit an existing group, copy (clone) a group, or delete an existing group. To edit a group policy, choose the desired group policy, then click the Edit button.
Configuring Local Group Policy Parameters
Tabs: General, DNS/WINS, Split Tunneling, Client Settings, XAuth Options. Group Information...

Configuring NAT with Cisco SDM

Choose the NAT wizard on the task bar. You can use the Cisco Router and Security Device Manager (SDM) NAT wizard to guide you in creating a NAT rule. Choose the Basic NAT wizard if you want to connect your network to the Internet (or the outside) and your network has hosts but no servers. If your network is made up only of PCs that require access to the Internet, choose Basic NAT and click the Launch the Selected Task button. Choose the Advanced NAT wizard if you want to connect your network to...

Confirming Configuration Settings

At the end of configuration, the wizard will present a summary of all the configured parameters. You can go back to correct the configuration if you have made a mistake.
Testing the Cisco Easy VPN Server Configuration

Cut-Through Proxy Firewall Communication Process

Figure: Step 1, authentication inbound; Step 2, add filtering rule.
Cisco's firewall technology performs dramatically better than competing firewalls. A proprietary process called cut-through proxy is the fastest way for a firewall to authenticate a user. Using the cut-through proxy feature of the Cisco PIX Security Appliance or Cisco IOS Firewall helps alleviate performance issues inherent in proxy server design. Firewalls using a cut-through proxy...

DoS Attack Mitigation: Trin00

R2(config)# access-list 190 deny tcp any
R2(config)# access-list 190 deny tcp any
R2(config)# access-list 190 deny udp any
R2(config)# access-list 190 deny udp any
R2(config)# access-list 190 permit ip any any
R2(config-if)# ip access-group 190 in
R2(config-if)# ip access-group 190 in
Trin00 is a distributed SYN DoS attack. The attack method is a UDP flood. The Trin00 attack sets up communications between clients, handlers, and agents using these ports

Defending Your Network with Cisco IOS IPS

- Regular expression string pattern matching: Enables the creation of string patterns using regular expressions
- Enables the sensor to take an action when the signature is triggered
- Enables the sensor to aggregate alarms, to limit the number of times an alarm is sent when the signature is triggered
- Enables a signature to be tuned to perform optimally in a network
- Enables a signature to defeat evasive techniques used by an attacker

Do not change the SA lifetimes or enable PFS unless the sensitivity of the data mandates it

IPsec provides numerous security features. Here are IPsec best practices:
- Cisco highly recommends using both encryption and integrity.
- Cisco recommends that you do not use DES for data encryption. Cisco recommends the use of 3DES.
- Cisco recommends the use of Secure Hash Algorithm (SHA) because the increased security outweighs the slight cost of increased processor use. SHA is sometimes faster than Message Digest 5 (MD5) in certain hardware implementations.
Note: The use of strong encryption...

Do not use enable secret passwords for anything else on the switch

Use these guidelines for creating a strong password:
- Passwords should be at least 10 characters long and not based on words.
- Include at least one character from each of the sets of letters, numbers, and special characters. Special characters include the following.
- Do not use a number for the first character of the password.
The U.S. National Security Agency (NSA) recommends that administrators ensure that these policies are implemented:
- Change passwords at least once every 90 days.
- Use a unique...

ESP and AH Header

ESP allows encryption and authenticates the original packet. AH authenticates the whole packet and does not allow encryption. Here is a description of the two IP protocols used in the IPsec standard, the ESP and AH protocols: The ESP header (IP protocol 50) forms the core of the IPsec protocol. The ESP protocol used in conjunction with an encryption method or transform set makes the data flow difficult to decrypt. The diagram shows how the ESP protocol protects the data portion of the packet...

Evolution of WLAN Security

Strong, user-based authentication (e.g., LEAP, PEAP, EAP-FAST); identify and protect against attacks, DoS. WLANs, which were at one time openly accessible, now have an array of security options available that can make them very secure. The language used to describe this array of security options can be confusing. For example, what is the difference between WEP and Wi-Fi Protected Access (WPA)? Or perhaps your company has a WLAN and you connect through Cisco Lightweight Extensible Authentication...

Examining Signature Micro Engine and SDF Build Failures

Signature micro-engine build failure; unsupported signature or signature parameter. There are times when building a signature micro-engine will fail. The signature micro-engine can fail for reasons such as attempting to load a corrupted SDF file or the signature micro-engine exceeding the memory limitations of the router. The Signature Micro-Engine Failure Types table lists types of SDF and signature micro-engine failures, the default sensor responses, and a description of suggested responses and...

Example You can prevent internal defacing of a web page by choosing HTTP Header Options to block put commands and send

As an alternative to accepting the SDM default settings, click the Action button (Add, Delete, Clone) and create your own custom policies. You simply need to clone the policy and save it under a new name. The example shown in the figure refers to a policy that prevents defacing a web page by internal users. Choose HTTP > Header Options to make the changes. Click the Apply Changes button to complete this task.

Execution space

The CSA can be installed, configured, and be online with default policies quickly and allows easy configuration of custom policies. The CSA eases administration because there is no need for a constant review of logs; the CSA proactive defense approach minimizes the need for constant administrator involvement. There are no updates, and the CSA is always analyzing and interpreting traffic flows for malicious activity. When there...

Features and uses are as follows

- Typically used for site-to-site VPNs
- Restricts access to network resources
- Implemented at the physical perimeter between customer intranet and the intranet of the other company
- Determines whether traffic crossing in either direction is authorized
- Contains limited intrusion detection system capability
- Provides a dedicated hardware appliance
- Has little or no impact on network performance
Globally networked businesses rely on their networks to communicate with employees, customers, partners, and...

Filtering ICMP Messages Outbound

Figure: e0/1, Remote Access LAN 16.2.1.0/24, 16.2.1.1.
These ICMP messages are required for proper network operation and you should allow them outbound:
- Echo: Allows users to ping external hosts
- Parameter problem: Informs the host of packet header problems
- Packet too big: Required for packet maximum transmission unit (MTU) discovery
- Source quench: Throttles down traffic when necessary
As a rule, you should block all other ICMP message types outbound. The ACL shown in...

Filtering UDP Traceroute Messages

Figure: e0/1, Remote Access LAN 16.2.1.0/24, 16.2.1.1.
R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# access-list 120 permit ip any any
R2(config-if)# ip access-group 120 in
R2(config)# access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
R2(config)# interface e0/1
R2(config-if)# ip access-group 121 in
R2(config-if)# end
R2(config)# interface e0/0
R2(config-if)# ip access-group 121 out
R2(config-if)# end
The traceroute feature uses some of the ICMP message types to...

Guideline 1: Base your ACLs on your security policy

Unless you anchor the ACL in a comprehensive security policy, you cannot be certain that it will effectively control access in the way that access needs to be controlled.
Guideline 2: Write it out. Never sit down at a router and start to develop an ACL without first spending some time in design. The best ACL developers suggest that you write out a list of things that you want the ACL to accomplish. Starting with something as simple as, "This ACL must block all Simple Network Management Protocol (SNMP) access to the router...

HIPS and Network IPS Monitoring

- Application-level encryption protection
- Policy enhancement (resource control)
- Web application protection
- Buffer overflow
- Network attack and reconnaissance prevention
- DoS prevention
The figure shows the range of features of a blended HIPS and network IPS implementation. HIPS and network IPS implementations complement one another. A host-based monitoring system examines information at the local host or operating system. Network-based monitoring systems examine packets that are traveling through...

HIPS is behavior-based

Recall that HIPS operates by detecting attacks occurring on a host on which it is installed. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity. HIPS uses rules based on a combination of known attack signatures and a detailed knowledge of the operating system and specific applications running on the host. These...

Host B

1. Host A sends interesting traffic to Host B.
2. Routers A and B negotiate an IKE Phase 1 session.
3. Routers A and B negotiate an IKE Phase 2 session.
4. Information is exchanged via IPsec tunnel.
IPsec VPN negotiation can be broken down into five steps, including Phase 1 and Phase 2 of IKE.
Step 1: An IPsec tunnel is initiated by interesting traffic when host A sends interesting traffic to host B. Traffic is considered interesting when it travels between the IPsec peers.
Step 2: In IKE Phase 1, the...

Identity Based Networking Services

With Cisco enhancements, the network grants privileges based on user login information, regardless of the user location or device. The benefits of IBNS are as follows:
- Allows different people to use the same PC and have different capabilities
- Ensures that users get only their designated privileges, no matter how they are logged into the network
Otherwise, there is no way to control who gets on the network and where they can go. Using 802.1x with Cisco enhancements allows you to limit access...

IDS and IPS Operational Differences

The figure shows a sensor deployed in IDS mode and a sensor deployed in IPS mode. In Step 1, an attack is launched on a network with a sensor deployed in IDS mode and the Cisco switch sends copies of all packets to the IDS sensor (configured in promiscuous mode) to analyze the packets. At the same time, the target machine experiences the malicious attack. In Step 2, the IDS sensor, using a signature, matches the malicious traffic to the signature and, in this example, sends the switch a command...

IDS and IPS technologies look for these patterns of misuse

IDS and IPS technologies share these characteristics:
- IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of these devices:
  - A router configured with Cisco IPS
  - An appliance specifically designed to provide dedicated IDS or IPS services
  - A network module installed in an adaptive security appliance, switch, or router
- IDS and IPS technologies typically monitor for malicious activities in these two spots: Malicious activity is monitored at the network, detecting attacks...

IKE Communication Negotiation Phases

IKE uses these phases to secure a communication channel between two peers:
- IKE Phase 1: Transform sets, hash methods, and other parameters are determined.
- IKE Phase 1.5 (optional): XAUTH protocol can be used to provide user authentication of IPsec tunnels within the IKE protocol to provide additional authentication of the VPN clients.
- IKE Phase 2: SAs are negotiated by ISAKMP, where quick mode is used. In this phase, the IPsec SAs are unidirectional.
To establish a secure communication channel...

Importing Signature Definition Files

Screen captures: Edit IPS > Signatures (Categories) and the Import from PC file dialog.
This series of screen captures shows how to update the IPS signatures with the latest SDF. To update an SDF from a PC, follow these steps:
Step 1: Navigate to the Edit IPS > Signatures form, click the Import menu button, and choose the From PC menu item.
Step 2: The Import...

Info

Before firewalls had the advanced capabilities of the Cisco PIX Security Appliance and Cisco IOS Firewall, all firewalls inspected network traffic using one of four architectural models, defined by the information that they examine to make security-relevant decisions. The initial four firewall technologies are as follows:

- Static packet filtering firewalls: A packet filter firewall is first-generation firewall technology that analyzes network traffic at the transport protocol layer. Each IP network...

Inspection rules allow returning traffic that would otherwise be blocked

Choose the rule name from the Inspection Rule Name list. The inspection rule entries appear in a separate dialog box. Choose the rule name from the Inspection Rule Name list and click Edit. Then edit the rule in the Inspection Rule Information window. Choose the rule name from the Inspection Rule Name list, click New, and create the rule in the Inspection Rule Information window. Access rules in the firewall may deny return traffic on sessions started inside the firewall because of the type of...

Introducing IDS and IPS

- Distract and confuse attackers
- Slow down and avert attacks
- Traffic profile must be constant

Q5) The summary should touch on these points: HIPS operates by detecting attacks occurring on a host that it is installed on. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity. Network IPS involves the deployment of...

Introducing IDS and IPS (Cont.)

- An alarm is triggered by normal traffic or a benign action.
- A signature is not fired when offending traffic is detected.
- A signature is correctly fired when offending traffic is detected and an alarm is generated.
- A signature is not fired when nonoffending traffic is captured and analyzed.

Q8) The figure identifies and describes the enhanced Cisco IOS IPS signature features.

Introducing the Cisco SDM VPN Wizard Interface

1. Enter the configuration page.
2. Open the VPN page.
3. Choose the desired VPN wizard (VPN type).
4. Choose the VPN implementation subtype.

To select and start a VPN wizard, follow these steps:

Step 1 Click the Configure icon in the top horizontal navigation bar to enter the configuration page.

Step 2 Click the VPN icon in the left vertical navigation bar to open the VPN page.

Step 3 Choose the Site to...

Introducing the Cisco Security Appliance Product Family

This topic describes the main components of the Cisco security appliance product family. The Cisco security appliance family includes these products:

- Cisco IOS Firewall: The Cisco IOS Firewall provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. The Cisco IOS Firewall is available for a wide range of Cisco IOS software-based routers and offers sophisticated security and policy enforcement for connections within an organization (intranet)...

IPS Signature Characteristics (Cont.)

There are four types of signatures. The type of signature used depends on these factors: The number of signatures available depends on the IPS sensor platform type. Here are the four categories of signatures:

- Exploit: Exploit-specific signatures seek to identify network activity or upper-layer protocol transactions that are unique to a specific exploit or attack tool. Consequently, each new exploit may require its own signature. Because a successful exploit can be created by slightly modifying the...

Launching the Site-to-Site VPN Wizard (Cont.)

a. Quick setup uses predefined IKE and IPsec policies.
b. Step-by-step setup includes IKE and IPsec policy configuration steps.
3. Proceed to the configuration of parameters.

Step 2 A window will pop up asking you which wizard mode to use. The Quick setup option uses Cisco SDM-default IKE policies and IPsec transform sets....

Layer 2 Best Practices

- Restrict management access to the switch so that parties on nontrusted networks cannot exploit management interfaces and protocols such as SNMP.
- Avoid using clear text management protocols on a hostile network.
- Turn off unused and unneeded network services.
- Use port security mechanisms to limit the number of allowed MAC addresses to provide protection against a MAC flooding attack.
- Use a dedicated native VLAN ID for all trunk ports.
- Shut down unused ports in the VLAN.
- Prevent denial-of-service...

Lists active IPsec security associations

The Show Commands table lists two of the most useful show commands to determine the status of IPsec VPN connections. To display all current IKE Security Associations (SAs), use the show crypto isakmp sa command in EXEC mode. A QM_IDLE status indicates an active IKE SA. To display the settings used by the current SAs, use the show crypto ipsec sa command in EXEC mode. Nonzero encryption and decryption statistics indicate a working set of IPsec SAs. This subtopic explains troubleshooting and...

MAC Address Spoofing Attack

Figure: Switch Port Table, Spoofed Switch Port Table, Updated Switch Port Table.

In a MAC spoofing attack, the network attacker uses a known MAC address to attempt to make the targeted switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of another host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. From then on, the...

MAC B is unknown so the switch will flood the frame

The CAM table in a switch contains the MAC addresses available on a given physical port of a switch and the associated VLAN parameters for each. When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address. If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the MAC address port designated in the CAM table. If the MAC address does not exist in the CAM table, the switch acts like a hub...

Maintain your installation

- Combine firewall technologies: Do not rely on packet filtering alone. Use stateful inspection, protocol inspection, and application inspection, as applicable.
- Use firewalls as part of a comprehensive security solution: Do not depend entirely on firewalls; they are an adjunct to other security devices.
- Integrate firewalls with other technologies, including these possibilities: network intrusion detection system (IDS) and IPS, e-mail and web content filtering software, third-party authentication...

Management Encryption

Management encryption works as follows:

- Keeps hackers from reading usernames, passwords, and other information on intercepted network management packets
- Prevents hackers from stealing usernames and passwords to access switches

Otherwise, snoopers can break into switches and bring down the network. Password and management traffic encryption is important if there are sophisticated users who also have malicious or mischievous intent using the network. Catalyst switches support the use of SSHv2...

Managing Cisco Easy VPN Server Connections

This topic describes how to manage Cisco Easy VPN Server connections using Cisco SDM. The screen captures show the Cisco SDM GUI used to view, add, edit, or delete Cisco Easy VPN Server connections.

Managing Cisco Easy VPN Server Connections (Cont.)

When you click the Add or Edit buttons, the options you can change are the same options that you used to create a Cisco Easy VPN...

Memory Requirements of Pre-Built SDFs

The number of signatures that can go on a router is completely dependent on memory. Cisco has developed some recommendations for choosing SDFs. The table in the figure shows the amount of memory required for a recommended SDF and the approximate number of signatures that can be supported by that amount of memory.

Module Self Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) Which firewall technology uses a special piece of software designed to relay application layer requests and responses between endpoints? (Source: Introducing Firewall Technologies)

Q2) Which firewall technology defines sets of rules and ACLs that determine which traffic is permitted or denied from being routed across a firewall by examining...

Module Summary

Cisco firewall technology is built on generations of technology development and experience. Cisco firewall technology is a key component of every network security solution. Static packet filtering with Cisco ACLs provides a first line of defence against a wide range of security threats. Cisco SDM can be used to complete basic firewall configurations that can then be tailored to meet specific needs. Cisco provides a wide range of advanced security appliance products to meet all network needs. A...

Network Address Translation

NAT translates the source address of a device inside a network to a public source address (SA in the figure). NAT allows a host on your private network that does not have a valid registered IP address to communicate with other hosts through the Internet. There are three types of NAT to consider:

- Static NAT: In static NAT, a private IP address is mapped to a public IP address, where the public address is always the same IP address (that is, a static address). A static address allows an internal...

Network edge inside firewall

When an IDS sensor (shown in the topology as an appliance-based sensor) is placed inside the firewall, the alarms it generates reveal firewall misconfigurations: the IDS sensor detects the malicious traffic that the firewall configuration has let into the network.

Note: Cisco platforms such as Cisco ASA 5500 Series Adaptive Security Appliances with the Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP SSM) can act as both an IDS and an IPS sensor.

The appliance-based sensor placed inside...

Network implementation

Network IPS gives security managers real-time security insight into their networks regardless of network growth. Network growth can occur by adding either additional hosts or new networks. Additional hosts added to protected networks are covered without adding any new sensors. Additional sensors can easily be deployed to protect the new networks. Some of the factors that influence the addition of sensors are as follows:

- Exceeded traffic capacity: For example, the addition of a new gigabit network...

Notification of Intrusions

Figure: SNMP trap sent to NMS when MAC-X appears on Ethernet port 2/1.

MAC address notification allows you to monitor MAC addresses, at the module and port level, added by the switch or removed from the CAM table. Network managers need a way to monitor who is using the network and where they are. MAC address notification allows the network administrator to monitor the MAC addresses that are learned by the switch and the MAC addresses that are...

One CA can automatically grant certificate requests while another CA can require only manually granted certificate

A PKI can be set up in a hierarchical framework to support multiple CAs. At the top of the hierarchy is a root CA, which holds a self-signed certificate. The trust within the entire hierarchy is derived from the RSA key pair of the root CA. The subordinate CAs within the hierarchy can be enrolled with either the root CA or with another subordinate CA. Using these enrollment options, multiple tiers of CAs can be configured. If the peers within a hierarchical PKI share a trusted root CA...

Option 2 Using an ACL

Screen capture (Cisco SDM dialog): lists the traffic types, such as file transfers (FTP) and e-mail (SMTP), that will be protected by this tunnel or sent unprotected to the remote device. You can protect all traffic between the subnets or specify an IPsec rule that defines the traffic types to protect: Select an existing rule (ACL), Create a new rule (ACL) and select it, or None.

Option 2 Using an ACL (Cont.)

1. Choose an action and add a description.
2. Define source and destination networks or addresses.
3. (Optional) Define the protocol and port numbers.

Follow these steps to configure a new rule entry:

Step 1 Choose an action and write a description of the rule entry.

Step 2 Each rule entry defines one pair of source and destination addresses or networks. Note: You must use wildcard bits instead of subnet masks.

Step 3 Optionally, you can provide protection for individual Open Systems Interconnection...

Overview

The Cisco Router and Security Device Manager (SDM) virtual private network (VPN) GUI interface makes the task of building and managing VPN servers and VPN remote clients straightforward. This lesson describes the Cisco Easy VPN Server and Cisco Easy VPN Remote client and explains how to configure and manage them. Upon completing this lesson, you will be able to describe how to configure Cisco Easy VPN Server and Cisco Easy VPN Remote solutions. This ability includes being able to meet these...

Performance and Limitations of Cisco ASA 5500 Series Platforms

Table: ASA Performance with the Security Service Module (Cisco ASA 5500 Series Adaptive Security Appliance).

The table in the figure shows the performance and interface limitations of the Cisco ASA 5500 Series Adaptive Security Appliance platform. Refer to the Cisco ASA 5500 Series Adaptive Security Appliance Platform and Module Datasheet for an in-depth discussion on the performance metrics. This datasheet can be found at

Note: The Cisco AIP SSM-10 can also run on the Cisco ASA 5520 Adaptive Security...

Port Security Configuration Script

The script does the following:

- Enable port security on Fast Ethernet port 1
- Set the maximum number of secure addresses to 50
- Set violation mode to default (no violation command is entered, so the default shutdown mode applies)
- No static secure MAC addresses needed (addresses are learned dynamically and retained as sticky entries)

    Switch(config)# interface fastethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 50
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security aging time 20
    Switch(config-if)# end

MAC addresses...

Private VLANs

This topic describes the function and benefit of the PVLAN feature embedded in Cisco Catalyst switches. PVLANs work as follows: A common subnet is subdivided into multiple PVLANs. Hosts on a given PVLAN can communicate only with the default gateway and not with other hosts on the network using the isolated port. The advantage to using PVLANs is that traffic management is simplified while conserving IP address space. PVLANs work by limiting which ports within a VLAN can...

Proceed to the next task

The second task in the step-by-step wizard is configuring IKE proposals. Follow these steps:

Step 1 You can use the IKE proposal predefined by Cisco SDM.

Step 2 If you want to use a custom IKE proposal, define it by clicking the Add button and specifying these required parameters:

Step 3 When you are finished with adding IKE policies, click the Next button to proceed to the next task.

Protocol analysis-based

Cisco Systems has implemented IPS functions into its internetwork operating system, Cisco IOS software. Cisco IOS IPS combines existing Cisco intrusion detection system (IDS) and IPS product features with three different intrusion detection techniques. Cisco IOS IPS uses a blend of Cisco IDS and IPS products. Cisco IOS IPS uses technology from the Cisco IDS and IPS sensor product lines, including Cisco IPS 4200 Series Sensors, the Cisco Catalyst 6500 Intrusion Detection System Services Module, and...

Quick mode

IPsec implements a VPN solution using an encryption process that involves the periodic changing of encryption keys. IPsec uses the IKE protocol to authenticate a peer computer and to generate encryption keys. IKE negotiates a Security Association (SA), which is an agreement between two peers engaging in an IPsec exchange and consists of all the parameters necessary to establish successful communication. IPsec uses the IKE protocol to provide these functions:

- Negotiation of SA...

Quick Setup

Configure all parameters on one page. The quick setup includes these parameters:

- Preshared keys (specify the secret)
- Digital certificates (choose a certificate that should have been created beforehand)
- Coming from: IP subnet configured on the selected source interface
- Going to: defined remote IP subnet

The step-by-step wizard requires multiple steps to configure the VPN connection.

Recommended approaches to implementing multiple IDS management consoles

- Hierarchical monitoring structure

Event monitoring and management can be divided into the need for real-time event monitoring and management and the need to perform analysis based on archived information (reporting). These functions can be handled by a single server, or the functions can be placed on separate servers to scale deployment. The number of sensors that should be forwarding alarms to a single IDS management console is a function of the aggregate number of alarms per second...

Reference Network Topology

Figure: reference network topology. Remote Access LAN 16.2.1.0/24 (router interface e0/1, 16.2.1.1) with a Server and a File Server (16.2.1.2, 16.2.1.4); Public Web Server, Mail Server, Admin Server, and User (16.2.2.3, 16.2.2.4, 16.2.2.5, 16.2.2.6).

This figure shows the network topology referenced in the remainder of this lesson. For the sake of clarity, the next lesson topics depict ACLs as individual ACLs. Generally, you would not build a succession of small ACLs, as this lesson does. Most likely, you would build at least one ACL for the outside router interface, one for the...

Relative Positioning of Cisco IPS Sensors

Figure: relative positioning of Cisco IDS and IPS sensors by performance and media support (10/100, 10/100-TX, 10/100/1000-TX, 1000-TX, 1000-SX).

The diagram shows the relative positioning of some of the Cisco IDS and IPS sensors. Use this chart as a guide to select the Cisco IDS and IPS sensor platform with the correct performance and media support for your application.

Note: For the complete line of Cisco IPS 4200 Series Sensors refer to

Remote Access

Figure: Cisco ASA 5500 Series Adaptive Security Appliance; Cisco VPN Software Client with Firewall; Small and Home Office VPN with Firewall.

The type of VPN required is an important factor when deciding what kind of device best fits the needs of the VPN deployment. Here are the two applications for Cisco VPN-enabled devices:

- Site-to-site VPN: Site-to-site VPNs allow businesses to extend their network resources to branch offices, home offices, and business partner sites. All traffic sent between the sites...

Remote Site

Site-to-site VPNs can be used to connect corporate sites. With Internet access, leased lines and Frame Relay lines can be replaced with site-to-site VPNs for network connection. VPN can support company intranets and business partner extranets. A site-to-site VPN is an extension of the classic WAN.

Remote-access VPNs are targeted to mobile users and home telecommuters. In the past, corporations supported remote users via dial-in networks, and...

Review the Generated Configuration

Click Back to modify the configuration. Click Finish to complete the configuration.

At the end of the configuration, the wizard will present a summary of all the configured parameters. You can go back to modify the configuration in case you have made a mistake. Click the Finish button to complete the configuration.

Testing the Tunnel Configuration and Operation

This subtopic explains how to see the status of the...

Reviewing and completing the configuration

The step-by-step wizard includes these parameters:

- Connection settings: Outside interface, peer address, and authentication credentials
- IKE proposals: IKE proposal priority; encryption algorithm (Data Encryption Standard [DES], Triple-DES [3DES], Advanced Encryption Standard [AES], or Software Encryption Algorithm [SEAL]); Hashed Message Authentication Code (HMAC), Secure Hash Algorithm 1 (SHA-1) or Message Digest 5 (MD5); IKE authentication method (preshared secrets or digital certificates);...