A use guard root and bpdu guard

Q2) Explain how VLAN configuration can mitigate VLAN hopping attacks. (Source: Mitigating Layer 2 Attacks)
Q3) What is the effect of using the guard root and bpdu-guard enhancement commands? (Source: Mitigating Layer 2 Attacks)
Q4) Match each of the mitigation techniques with the type of attack that it will mitigate by putting the letter of the technique in the space provided beside each type of attack. (Source: Mitigating Layer 2 Attacks)
3-86 Securing Cisco Network Devices (SND) v2.0 2006 Cisco...
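A worked answer to Q2 and Q3, as an added example rather than the course's own configuration: switch port hardening that removes the two preconditions of VLAN hopping (DTP trunk negotiation and a user-carrying native VLAN on trunks) together with root guard and BPDU guard. Interface names, VLAN numbers and the ISL-capable platform are assumptions.

```cisco
! Added example, not from the SND course. Interface names and VLAN numbers are
! assumptions; "switchport trunk encapsulation dot1q" is only accepted on
! platforms that also support ISL.
!
! 1. Access ports. Force access mode and disable DTP so an attacker's host
!    cannot negotiate itself into a trunk (switch spoofing). BPDU guard
!    err-disables the port if a BPDU arrives, so a rogue switch or a host
!    sending crafted BPDUs cannot join the spanning tree.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 2. Trunk ports. Explicit trunking with DTP off, a native VLAN that carries no
!    user traffic (a double-tagged 802.1Q frame is stripped onto the native
!    VLAN, so it must lead nowhere), and a pruned allowed list.
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Optional global setting: tag the native VLAN too, so untagged frames on the
! trunk are dropped rather than placed in VLAN 999.
vlan dot1q tag native
!
! 3. Root guard on designated (downstream) ports. A device that sends superior
!    BPDUs is put into root-inconsistent state instead of becoming root, so the
!    topology cannot be bent to pass traffic through an attacker's switch.
interface GigabitEthernet1/0/26
 spanning-tree guard root
!
! 4. Unused ports: access mode, parked in an unused VLAN, administratively down.
interface range GigabitEthernet1/0/27 - 48
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Verification (exec mode):
! show interfaces trunk
! show spanning-tree inconsistentports
! show interfaces status err-disabled
```

The two guards do different jobs: BPDU guard belongs on ports where no BPDU should ever appear (edge ports) and shuts the port down; root guard belongs on ports that may legitimately carry BPDUs but must never lead toward the root, and only blocks the port while superior BPDUs are being received.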

A VACL provides granular control for limited access within a VLAN or subnet

VACLs, also known as VLAN maps, can be used to filter VLAN traffic. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces, VACLs are applied to any VLAN. When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. The list of commands here shows how to define and apply a VLAN access map. In this example, IP traffic matching ACL 100 is forwarded, and all other IP packets are dropped because of the default...
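The command list referred to above is not reproduced on this page, so here is an added example (not the course's own listing) of a VLAN access map that forwards IP traffic matching ACL 100 and lets the implicit drop handle the rest. The VLAN number, addresses and ports are assumptions.

```cisco
! Added example, not from the SND course. VLAN 10, the 10.1.10.0/24 addresses
! and the two servers are assumptions.
!
! Traffic the VLAN should carry: clients reaching the web server on 443 and the
! DNS server on 53. A VACL is stateless and sees both directions inside the
! VLAN, so the server-to-client direction has to be matched explicitly.
access-list 100 permit tcp 10.1.10.0 0.0.0.255 host 10.1.10.5 eq 443
access-list 100 permit tcp host 10.1.10.5 eq 443 10.1.10.0 0.0.0.255
access-list 100 permit udp 10.1.10.0 0.0.0.255 host 10.1.10.10 eq 53
access-list 100 permit udp host 10.1.10.10 eq 53 10.1.10.0 0.0.0.255
!
! Sequence 10 forwards matches. An IP packet that matches no sequence of the
! map is dropped; that is the default the text refers to. Non-IP frames such
! as ARP are not affected, because the map has no MAC match clause.
vlan access-map SERVER-VLAN 10
 match ip address 100
 action forward
!
! An explicit catch-all is optional; it is worth adding on platforms that
! support logging the drop, with ACL 101 being "permit ip any any".
! vlan access-map SERVER-VLAN 20
!  match ip address 101
!  action drop log
!
! Attach the map to the VLAN. Unlike "ip access-group" there is no direction:
! the map applies to everything bridged within, routed into or routed out of
! VLAN 10.
vlan filter SERVER-VLAN vlan-list 10
!
! Verification (exec mode):
! show vlan access-map SERVER-VLAN
! show vlan filter
```

The point of the VACL is that a router ACL never sees client-to-client traffic inside the VLAN; only the VLAN map does, which is why it is the tool for limiting lateral access within a subnet.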

ACL name (Cisco IOS Release 11.2 and later): you provide the name of the ACL.

- Names contain alphanumeric characters.
- Names cannot contain spaces or punctuation and must begin with an alphabetic character.
- You can add or delete entries within the ACL.

Prior to Cisco IOS Release 11.2, you had to assign a number to each ACL as you created it. Since then, either a number or a name can identify Cisco ACLs and the protocols that they filter. Using numbered ACLs is an effective method on smaller networks with more homogeneously defined traffic. Because each ACL type is...

Adaptive Solution with Converged Bestof Breed Security Services

Slide (security services summary): packet inspection, protocol validation, accurate enforcement, robust resiliency; attack detection, granular packet inspection, application control, dynamic response; SSL VPN, IPsec VPN, user-based security, group-based management, clustering. Threats addressed: access breaches, session abuse, port scans, malformed packets, application misuse, DoS and hacking, known...

Application inspection firewalls

Application inspection firewalls:
- Are aware of the Layer 5 state of a connection
- Check the conformity of application commands on Layer 5
- Are able to check and affect Layer 7 (for example, Java applet or peer-to-peer filtering)
- Prevent more kinds of attacks than stateful firewalls

Application inspection firewalls ensure the security of applications and services. Some applications require special handling by the firewall application inspection function. Applications that require special application inspection functions are those...

Application Layer Firewall

Application layer firewalls, also called proxy firewalls or application gateways, provide a higher level of security than circuit-level firewalls because they allow the greatest level of control. Application-level proxy servers operate from Layer 1 up to Layer 7 of the OSI model. Most application layer firewalls include specialized application software and proxy servers. A proxy is an application that does work on behalf of something else. Proxy services are special-purpose programs that manage...

Application Layer Proxy Firewall

An application layer firewall operates on OSI Layers 3, 4, 5, and 7.

Advantages of application layer proxy firewalls:
- This firewall authenticates individuals, not devices.
- Hackers have a harder time with spoofing and implementing DoS attacks.
- This firewall can monitor and filter application data.
- This firewall can provide detailed logging.

Application layer firewalls filter information at Layers 3, 4, 5, and 7 of the OSI reference model. Because application layer firewalls process...

Applying ACLs to Interfaces

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out
Tulsa(config-if)# end

Before applying a packet filtering ACL to a router interface, make sure you know in which direction it will filter. Apply ACLs to router interfaces using the ip access-group command in interface configuration mode, as shown in the figure. The syntax for the ip access-group command is as follows: ip access-group...
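The figure applies ACL 2 and the named ACL mailblock without showing their contents. The following is an added example (not the course's configuration) that defines both, one numbered standard and one named extended, illustrating the naming rules above and the per-entry editing that named ACLs allow, then applies them as the figure does. The router name follows the figure; the addresses are assumptions.

```cisco
! Added example, not from the SND course. Addresses are assumptions; the LAN
! range reuses the course's reference network for consistency.
!
! ACL 2: numbered standard ACL. Standard ACLs match the source address only,
! so used inbound on the LAN interface it is an anti-spoofing filter: frames
! entering e0/1 must come from the 16.2.1.0/24 LAN. The explicit final deny
! is only there to log what the implicit "deny any" would silently drop.
access-list 2 permit 16.2.1.0 0.0.0.255
access-list 2 deny   any log
!
! mailblock: named extended ACL. The name must start with a letter and
! contain no spaces or punctuation. Only the mail server may send SMTP out;
! everything else passes. Without the final permit, the implicit deny would
! block all other outbound traffic on e0/2.
ip access-list extended mailblock
 remark Only the mail server may originate SMTP
 permit tcp host 16.2.1.25 any eq smtp
 deny   tcp any any eq smtp log
 permit ip any any
!
! Editing a named ACL in place (not possible with a numbered ACL, which must
! be removed and re-entered as a whole): delete one entry, and insert a new
! one at sequence 15 so it is evaluated before the deny at sequence 20.
ip access-list extended mailblock
 no deny tcp any any eq smtp log
 15 permit tcp host 16.2.1.26 any eq smtp
 20 deny   tcp any any eq smtp log
!
interface e0/1
 ip access-group 2 in
interface e0/2
 ip access-group mailblock out
!
! Verification (exec mode): entry hit counts, and which ACL is bound where.
! show access-lists
! show ip interface e0/1 | include access list
```

Two things to check every time: the direction (an ACL applied "in" is evaluated before routing, "out" after), and that the last line actually expresses the intended default, because the implicit deny at the end of every ACL is easy to forget when a list only contains deny entries.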

Authentication dictionary attacks

These attacks are described in "Security of the WEP Algorithm":
- Passive attacks to decrypt traffic based on statistical analysis
- Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext
- Active attacks to decrypt traffic, based on tricking the access point
- Dictionary-building attacks, which, after analysis of traffic for about a day, allow real-time automated decryption of all traffic

Passive or Weak Initialization Vector Attack: An initialization vector (IV)...

Basic 802.11 Security Issues

- Checks for devices that do not possess the key
- Hardware theft may be an issue

One-way authentication:
- No integration with existing network authentication methods
- May render either client or network vulnerable
- Important to mutually authenticate user and network

Basic 802.11 WEP security is designed to guard against the threat to network security from unauthorized 802.11 devices outside the LAN. Any device with a valid WEP key is considered a legitimate and authorized user. If the...

CAM has learned MAC B is on Port 2

Figure: hosts A, B and C (MAC A, MAC B, MAC C); MAC C does not see traffic to MAC B anymore. Now, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The key to understanding how CAM overflow attacks work is to know that CAM tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch CAM table is full. The switch then enters into what is known as a...

CAM Learns MAC B Is on Port 2

Figure: hosts A, B and C (MAC A, MAC B, MAC C); host C drops the packet addressed to host B. Host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and writes that information into the CAM table. Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Choose the Cisco IOS Firewall when you need

- A one-box solution with powerful security, QoS, multiprotocol routing, integrated WAN interfaces, and voice application support
- To leverage network infrastructure for security
- Extensive VPN support integrated with a firewall in a single device

Platforms: Cisco 800 Series, 1700 Series, and 1800 Series Routers; Cisco 2600 and 3600 Series Multiservice Platforms and Cisco 2800 Series Integrated Services Routers; Cisco 3700 Series Multiservice Access Routers and 3800 Series Integrated Services Routers; VPN and...

Choosing an Interface for Terminating IPsec

Screen capture (Easy VPN Server Wizard, 10% complete): select the interface on which the Easy VPN Server should be configured; Easy VPN clients will connect to the server through this interface. Then select the method used for authenticating VPN clients connecting to this Easy VPN Server.

Choosing the Type of Firewall You Need

Choose the Cisco IOS Firewall that meets your network security needs: basic or advanced. The figure shows the top part of the Cisco IOS Firewall configuration screen. You can choose either a basic firewall or an advanced firewall. Once you choose the firewall that you want, the Use Case Scenario figure appears for each selection. The two firewalls differ in these ways: Basic Firewall: A basic firewall is a...

Cisco ASA 5500 Series Adaptive Security Appliances

Slide (Cisco ASA 5500 Series): VPN technology (Cisco VPN 3000 Series Concentrator) and network intelligence (Cisco network services) combined into Adaptive Threat Defense and Secure Connectivity. Secure Connectivity: IPsec and SSL VPN. Adaptive Threat Defense: application inspection, use enforcement, web control, application security; traffic-admission control, proactive response, network containment and control...

Cisco IOS Firewall Features

The Cisco IOS Firewall combines the functions of packet inspection and proxy firewalls to provide an optimal security solution on one chassis. This topic describes the features of the Cisco IOS Firewall:
- Application and protocol inspection and control
- Dynamic, per-user authentication and authorization
- Administrative access control with AAA
- Extensive multimedia support, including streaming video, streaming audio, and voice applications

The Cisco IOS Firewall is a stateful inspection firewall...

Cisco IOS IPS Signature Features

- Regular expression string pattern matching: enables the creation of string patterns using regular expressions
- Enables the sensor to take an action when the signature is triggered
- Enables the sensor to aggregate alarms; it does this to limit the number of times an alarm is sent when the signature is triggered
- Enables a signature to be tuned to perform optimally in a network
- Enables a signature to defeat evasive techniques used by an attacker

The table in the figure describes the features of Cisco IOS...

Cisco IOS VPN-Enabled Routers

With Cisco routers running Cisco IOS software, organizations can easily deploy and scale site-to-site VPNs of any topology from hub-and-spoke VPNs to the more complex, fully meshed VPNs. In addition, the Cisco IOS security features combine the VPN feature set with firewall, intrusion prevention, and extensive Cisco IOS capabilities, including quality of service (QoS), multiprotocol, multicast, and advanced routing support. The Cisco IOS feature sets incorporate these VPN features Voice and...

Cisco Unified Wireless Network

- Unified: built-in support of leading-edge applications, not an afterthought (Cisco Wireless Location Appliance, Cisco WCS, SDN, NAC, Wi-Fi phones, and RF firewalls)
- World-class NMS that visualizes and helps secure your air space (WCS)
- Seamless network infrastructure across a range of platforms (Cisco 2000 and 4400 Wireless LAN Controllers; future Cisco Catalyst 6500 Series WiSM, ISR, and 3750 integration)
- APs dynamically configured and managed through LWAPP (Cisco Aironet Access Points 1500, 1300, ...)

Cisco VPN 3000 Series Concentrators

- Customized application access
- Fully clientless Citrix support
- Integrated web-based management
- Clustering and load-balancing capabilities
- Broad user authentication support

Cisco VPN 3000 Series Concentrators are ideal for organizations that require advanced and flexible remote-access VPN technology and that prefer the operational simplicity and management segregation of a focused-function VPN device. Here are some of the features of the Cisco VPN 3000 Series Concentrator platform: Customized...

Cisco VPN Product Family

Figure: site-to-site VPN and firewall routers; Cisco PIX 500 Series Security Appliance and Cisco ASA 5500 Series Adaptive Security Appliance. The portfolio of the Cisco VPN product family includes remote and site-to-site Cisco IOS VPN and firewall security routers, Cisco Catalyst 6500 Series Switches with VPN service modules (not shown), Cisco PIX security appliances, and Cisco ASA 5500 Series Adaptive Security Appliances.

Cisco VPN Product Positioning (Cont.)

Slide (product positioning): Cisco VPN 3060 and 3080 Concentrators; Cisco Catalyst 6500 and 7600 Series Switches; Series Routers. Small business or remote office with branch office: Cisco VPN 3005 and 3015 Concentrators; Cisco VPN software and hardware Client; 3700 Multiservice Access Routers, 3800 Series Integrated Services Routers, 7000 Series Routers; 1700, 1800, 2600 Series Multiservice Access Routers, 2800 Integrated Services Routers...

Combining Access Functions

Figure (reference network): addresses 9.2.1.1, 9.1.1.1, 16.2.0.10/24 and 16.1.1.1; interfaces e0/0 and e0/1; Remote Access LAN 16.2.1.0/24; public web, mail and admin servers.

This is an example of a possible configuration for router R2 in the reference network. This partial configuration file contains several ACLs that contain most of the ACL features already explained in this lesson. View this partial configuration as an example of how to integrate multiple ACL policies into a few main router ACLs. The partial configuration file that follows...

Comparing HIPS and Network IPS

Table entries: application-level encryption protection; not visible on the network; operating system independent; lower-level network events seen; does not understand the context of an attack. The table compares HIPS and network IPS advantages and disadvantages.

Configure host address, service, and service type

The advanced firewall configuration allows you to secure your private network by applying access and inspection rules to inside (trusted), outside (untrusted), and DMZ interfaces. A DMZ network is a buffer zone used to isolate traffic that comes from an untrusted network. If you have a DMZ network, choose the interface that connects to it when using an advanced firewall. The Cisco SDM Firewall Wizard will guide you through the steps to complete these tasks Define inside and outside interfaces...

Configure restrict or shutdown violation rules

A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the...
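The port security configuration the heading refers to, as an added example (not the course's own listing): three access ports with the restrict and shutdown violation modes, sticky and static secure addresses, and automatic recovery from err-disabled state. Interface names, VLANs, the server MAC address and the recovery interval are assumptions.

```cisco
! Added example, not from the SND course. Interfaces, VLANs, the MAC address
! and the timer value are assumptions.
!
! Workstation port: one address, learned dynamically and made "sticky" so it
! is written into the running configuration. On a violation (a second source
! MAC) the offending frames are dropped, a counter increments and a syslog/SNMP
! trap is sent, but the port stays up (restrict).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! IP phone plus PC behind it: two addresses are legitimate. Here a violation
! err-disables the port (shutdown). A CAM-flooding tool cycling through
! thousands of forged source MACs hits the limit on its first forged frame, so
! the CAM table never fills and the switch never falls back to flooding.
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Server port: pin the MAC statically. A secure address is a static CAM entry,
! so a frame carrying this source MAC on another secured port is a violation
! there, not an address move; the MAC spoofing attack described later in
! this lesson cannot redirect the server's traffic.
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Bring err-disabled ports back after 5 minutes instead of waiting for a manual
! "shutdown" / "no shutdown"; the violation is still logged.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (exec mode):
! show port-security
! show port-security interface GigabitEthernet1/0/10
! show port-security address
! show interfaces status err-disabled
```

Restrict is the right default for user ports where a brief outage would generate help-desk calls; shutdown is the right choice where an address move is never legitimate (servers, uplinks that are not trunks), because it leaves evidence and forces a human to look.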

Configuring a Group Policy Configuration Location External Location via RADIUS

Screen capture (Easy VPN Server Wizard, 50% complete): group policy configuration location; a RADIUS server will be used for group authorization. The screen captures show the configuration steps...

Configuring a Local User Database User Authentication

Screen capture (Easy VPN Server Wizard, 65% complete): user authentication; select the servers or the AAA policy that defines them, or select an existing AAA method list; the local database will be used for user authentication. ...

Configuring Global Settings

Screen capture (Cisco SDM, IPS global settings): Configured SDF Locations, with Add, Edit, Delete, Move Up, Move Down and Reload Signatures buttons. The screen capture shows the global features that you can configure using the Cisco SDM GUI. To access and configure a particular global feature, choose the item name and click the Edit button.

Configuring IPsec Transform Sets

Screen capture (Easy VPN Server Wizard, 35% complete): a transform set specifies the encryption and authentication settings used to protect data in the VPN tunnel. Options shown: data integrity and encryption (ESP) with integrity algorithm ESP_SHA_HMAC and encryption algorithm ESP_AES_256; data and address integrity without encryption (AH). Click the Add button to add a new transform set and the Edit...

Configuring Local Group Policies

The screen capture shows where to configure the group policies. From this page, you can add a new group, edit an existing group, copy (clone) a group, or delete an existing group. To edit a group policy, choose the desired group policy, then click the Edit button.

Configuring Local Group Policy Parameters: tabs General, DNS/WINS, Split Tunneling, Client Settings, XAuth Options; Group Information...

Configuring NAT with Cisco SDM

Choose the NAT wizard on the task bar. You can use the Cisco Router and Security Device Manager (SDM) NAT wizard to guide you in creating a NAT rule. Choose the Basic NAT wizard if you want to connect your network to the Internet (or the outside) and your network has hosts but no servers. If your network is made up only of PCs that require access to the Internet, choose Basic NAT and click the Launch the Selected Task button. Choose the Advanced NAT wizard if you want to connect your network to...

Confirming Configuration Settings

At the end of configuration, the wizard will present a summary of all the configured parameters. You can go back to correct the configuration if you have made a mistake.

Testing the Cisco Easy VPN Server Configuration

Cut Through Proxy Firewall Communication Process

Figure: Step 1, authentication inbound; Step 2, add filtering rule. Cisco's firewall technology performs dramatically better than competing firewalls. A proprietary process called cut-through proxy is the fastest way for a firewall to authenticate a user. Using the cut-through proxy feature of the Cisco PIX Security Appliance or Cisco IOS Firewall helps alleviate performance issues inherent in proxy server design. Firewalls using a cut-through proxy...

DoS Attack Mitigation Trin00

R2(config)# access-list 190 deny tcp any ...
R2(config)# access-list 190 deny tcp any ...
R2(config)# access-list 190 deny udp any ...
R2(config)# access-list 190 deny udp any ...
R2(config)# access-list 190 permit ip any any
R2(config-if)# ip access-group 190 in
R2(config-if)# ip access-group 190 in

Trin00 is a distributed DoS tool; its attack method is a UDP flood. The Trin00 attack sets up communications between clients, handlers, and agents using these ports:

Defending Your Network with Cisco IOS IPS

- Regular expression string pattern matching: enables the creation of string patterns using regular expressions
- Enables the sensor to take an action when the signature is triggered
- Enables the sensor to aggregate alarms, to limit the number of times an alarm is sent when the signature is triggered
- Enables a signature to be tuned to perform optimally in a network
- Enables a signature to defeat evasive techniques used by an attacker

Do not change the SA lifetimes or to enable PFS unless the sensitivity of the data mandates it

IPsec provides numerous security features. Here are IPsec best practices:
- Cisco highly recommends using both encryption and integrity.
- Cisco recommends that you do not use DES for data encryption. Cisco recommends the use of 3DES. (The transform-set screen in this course also offers ESP_AES_256; where the platform supports it, AES is the stronger and faster choice, and 3DES has since been deprecated by NIST.)
- Cisco recommends the use of Secure Hash Algorithm (SHA) because the increased security outweighs the slight cost of increased processor use. SHA is sometimes faster than Message Digest 5 (MD5) in certain hardware implementations.

Note: The use of strong encryption...

Do not use enable secret passwords for anything else on the switch

Use these guidelines for creating a strong password:
- Passwords should be at least 10 characters long and not based on words.
- Include at least one character from each of the sets of letters, numbers, and special characters. Special characters include the following: ...
- Do not use a number for the first character of the password.

The U.S. National Security Agency (NSA) recommends that administrators ensure that these policies are implemented:
- Change passwords at least once every 90 days
- Use a unique...

Evolution of WLAN Security

Strong, user-based authentication (for example, LEAP, PEAP, EAP-FAST); identify and protect against attacks and DoS. WLANs, which were at one time openly accessible, now have an array of security options available that can make them very secure. The language used to describe this array of security options can be confusing. For example, what is the difference between WEP and Wi-Fi Protected Access (WPA)? Or perhaps your company has a WLAN and you connect through Cisco Lightweight Extensible Authentication... (Note that LEAP's MS-CHAP-based exchange is vulnerable to the offline dictionary attacks discussed under "Authentication dictionary attacks"; PEAP or EAP-FAST should be preferred where the clients support them.)

Examining Signature Micro Engine and SDF Build Failures

Signature micro-engine build failure Unsupported signature or signature parameter There are times when building a signature micro-engine it will fail. The signature micro-engine can fail for reasons such as attempting to load a corrupted SDF file or the signature micro-engine exceeding memory limitations of the router. The Signature Micro-Engine Failure Types table lists types of SDF and signature micro-engine failures, the default sensor responses, and a description of suggested responses and...

Example: You can prevent internal defacing of a web page by choosing HTTP > Header Options to block PUT commands and send...

As an alternative to accepting the SDM default settings, click the Action button (Add, Delete, Clone) and create your own custom policies. You simply need to clone the policy and save it under a new name. The example shown in the figure refers to a policy that prevents defacing a web page by internal users. Choose HTTP > Header Options to make the changes. Click the Apply Changes button to complete this task.

Execution space

The CSA can be installed, configured, and be online with default policies quickly, and allows easy configuration of custom policies. The CSA eases administration because there is no need for a constant review of logs; the CSA proactive defense approach minimizes the need for constant administrator involvement. There are no signature updates to apply, and the CSA is always analyzing and interpreting traffic flows for malicious activity. When there...

Features and uses are as follows

- Typically used for site-to-site VPNs
- Restricts access to network resources
- Implemented at the physical perimeter between the customer intranet and the intranet of the other company
- Determines whether traffic crossing in either direction is authorized
- Contains limited intrusion detection system capability
- Provides a dedicated hardware appliance
- Has little or no impact on network performance

Globally networked businesses rely on their networks to communicate with employees, customers, partners, and...

Filtering ICMP Messages Outbound

Figure: e0/1, Remote Access LAN 16.2.1.0/24, 16.2.1.1.

These ICMP messages are required for proper network operation and you should allow them outbound:
- Echo: allows users to ping external hosts
- Parameter problem: informs the host of packet header problems
- Packet too big: required for packet maximum transmission unit (MTU) discovery
- Source quench: throttles down traffic when necessary

As a rule, you should block all other ICMP message types outbound. The ACL shown in...
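The outbound ICMP filter as an added example, not the ACL from the course figure: it permits exactly the four message types listed above from the remote-access LAN, logs and drops every other ICMP message, and doubles as an anti-spoofing filter on the LAN interface. Interface and addresses follow the reference network and are assumptions.

```cisco
! Added example, not the course's ACL. The interface and the 16.2.1.0/24 LAN
! follow the course's reference network; the ACL number is an assumption.
!
! "Outbound" here means leaving the LAN toward the rest of the network. Applied
! inbound on the LAN interface e0/1 the ACL catches that traffic as it enters
! the router; applying it "out" on the outside interface e0/0 would work too,
! but then traffic the router itself originates would not be evaluated.
access-list 110 remark -- ICMP types the LAN needs outbound --
access-list 110 permit icmp 16.2.1.0 0.0.0.255 any echo
access-list 110 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
access-list 110 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
access-list 110 permit icmp 16.2.1.0 0.0.0.255 any source-quench
access-list 110 remark -- every other ICMP type: drop and log --
access-list 110 deny   icmp any any log
access-list 110 remark -- everything else, but only from our own LAN --
access-list 110 permit ip 16.2.1.0 0.0.0.255 any
access-list 110 deny   ip any any log
!
interface e0/1
 ip access-group 110 in
!
! Verification (exec mode): the deny-line counters show blocked ICMP types.
! show access-lists 110
```

Note that the "packet-too-big" keyword is ICMP type 3 code 4 (destination unreachable, fragmentation needed), so this list does not permit the other destination-unreachable codes outbound; that is deliberate, since those mostly help an outside scanner map the inside network. Echo replies to pings from outside are a separate (inbound-filter) decision.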

Filtering UDP Traceroute Messages

Figure: e0/1, Remote Access LAN 16.2.1.0/24, 16.2.1.1.

R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# access-list 120 permit ip any any
R2(config-if)# ip access-group 120 in
R2(config)# access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
R2(config)# interface e0/1
R2(config-if)# ip access-group 121 in
R2(config-if)# end
R2(config)# interface e0/0
R2(config-if)# ip access-group 121 out
R2(config-if)# end

Note that ACL 121 as shown contains only a permit entry; applied on its own, its implicit deny would block all other traffic on the interfaces it is bound to, so in the reference network these entries are merged into the combined interface ACLs described under Combining Access Functions.

The traceroute feature uses some of the ICMP message types to...

HIPS and Network IPS Monitoring

Figure: application-level encryption protection; policy enhancement (resource control); web application protection; buffer overflow; network attack and reconnaissance prevention; DoS prevention. The figure shows the range of features of a blended HIPS and network IPS implementation. HIPS and network IPS implementations complement one another. A host-based monitoring system examines information at the local host or operating system. Network-based monitoring systems examine packets that are traveling through...

HIPS is behavior-based

Recall that HIPS operates by detecting attacks occurring on a host on which it is installed. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity. HIPS uses rules based on a combination of known attack signatures and a detailed knowledge of the operating system and specific applications running on the host. These...

Identity Based Networking Services

With Cisco enhancements, the network grants privileges based on user login information, regardless of the user location or device. The benefits of IBNS are as follows:
- Allows different people to use the same PC and have different capabilities
- Ensures that users get only their designated privileges, no matter how they are logged into the network

Otherwise, there is no way to control who gets on the network and where they can go. Using 802.1X with Cisco enhancements allows you to limit access...

IDS and IPS Operational Differences

The figure shows a sensor deployed in IDS mode and a sensor deployed in IPS mode. In Step 1, an attack is launched on a network with a sensor deployed in IDS mode and the Cisco switch sends copies of all packets to the IDS sensor (configured in promiscuous mode) to analyze the packets. At the same time, the target machine experiences the malicious attack. In Step 2, the IDS sensor, using a signature, matches the malicious traffic to the signature and, in this example, sends the switch a command...

IDS and IPS technologies look for these patterns of misuse

IDS and IPS technologies share these characteristics: IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of these devices:
- A router configured with Cisco IPS
- An appliance specifically designed to provide dedicated IDS or IPS services
- A network module installed in an adaptive security appliance, switch, or router

IDS and IPS technologies typically monitor for malicious activities in these two spots: malicious activity is monitored at the network, detecting attacks...

IKE Communication Negotiation Phases

IKE uses these phases to secure a communication channel between two peers:
- IKE Phase 1: The peers negotiate an ISAKMP policy (encryption algorithm, hash method, authentication method, Diffie-Hellman group, and SA lifetime), authenticate each other, and establish a single bidirectional ISAKMP SA (main mode or aggressive mode).
- IKE Phase 1.5 (optional): The XAUTH protocol can be used within the IKE protocol to provide user authentication of IPsec tunnels, adding authentication of the VPN clients on top of the device authentication of Phase 1.
- IKE Phase 2: The IPsec SAs (transform set, proxy identities, lifetime) are negotiated by ISAKMP in quick mode, protected by the Phase 1 SA. The IPsec SAs established in this phase are unidirectional, so each protected flow gets a pair.

To establish a secure communication channel...
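A site-to-site configuration that lays the phases out, as an added example (not from the course), also applying the IPsec best practices listed earlier in this section (encryption plus integrity, no DES, SHA, PFS only where warranted). Peer addresses, the pre-shared key, protected networks and the interface are assumptions; Diffie-Hellman group 14 requires a newer IOS release than the one this course was written for.

```cisco
! Added example, not from the SND course. Addresses, key, networks and interface
! names are assumptions.
!
! IKE Phase 1: the ISAKMP policy. Both peers must have a matching policy;
! policies are tried in ascending sequence-number order.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Example-PSK-change-me address 203.0.113.2
!
! IKE Phase 1.5 (XAUTH) applies to remote-access clients and would be turned
! on with "crypto map <name> client authentication list <aaa-list>"; it has
! no role in a site-to-site tunnel and is omitted here.
!
! IKE Phase 2: the transform set negotiated in quick mode. The course's
! recommendation is encryption plus integrity, 3DES or better, and SHA.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The combination the course says not to use, shown only for contrast:
! crypto ipsec transform-set WEAK esp-des esp-md5-hmac
!
! Interesting traffic (the proxy identities offered in Phase 2).
ip access-list extended VPN-TRAFFIC
 permit ip 16.2.1.0 0.0.0.255 10.9.0.0 0.0.255.255
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 match address VPN-TRAFFIC
 ! PFS forces a fresh DH exchange per Phase 2 SA; enable it only when the
 ! sensitivity of the data warrants the extra CPU:
 ! set pfs group14
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE2SITE
!
! Verification (exec mode), matching the show commands covered later:
! show crypto isakmp sa     - QM_IDLE means the Phase 1 SA is established
! show crypto ipsec sa      - nonzero encaps/decaps counters mean Phase 2 works
```

When a tunnel fails to come up, the phase tells you where to look: no ISAKMP SA at all means the policies, pre-shared key or peer address disagree; an ISAKMP SA in QM_IDLE with no IPsec SA means the transform sets or the interesting-traffic ACLs are not mirror images of each other.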

Importing Signature Definition Files

Screen capture (Cisco SDM, Edit IPS > Signatures, Import > From PC): a file-chooser dialog for the SDF file. This series of screen captures shows how to update the IPS signatures with the latest SDF. To update an SDF from a PC, follow these steps: Step 1: Navigate to the Edit IPS > Signatures form, click the Import menu button and choose the From PC menu item. Step 2: The Import...

Info

Before firewalls had the advanced capabilities of the Cisco PIX Security Appliance and Cisco IOS Firewall, all firewalls inspected network traffic using one of four architectural models defined by the information that they examine to make security-relevant decisions. The initial four firewall technologies are as follows Static packet filtering firewalls A packet filter firewall is first-generation firewall technology that analyzes network traffic at the transport protocol layer. Each IP network...

Inspection rules allow returning traffic that would otherwise be blocked

Choose the rule name from the Inspection Rule Name list. The inspection rule entries appear in a separate dialog box. Choose the rule name from the Inspection Rule Name list and click Edit. Then edit the rule in the Inspection Rule Information window. Choose the rule name from the Inspection Rule Name list, click New, and create the rule in the Inspection Rule Information window. Access rules in the firewall may deny return traffic on sessions started inside the firewall because of the type of...

Introducing IDS and IPS

- Distract and confuse attackers
- Slow down and avert attacks
- Traffic profile must be constant

Q5) The summary should touch on these points: HIPS operates by detecting attacks occurring on a host that it is installed on. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity. Network IPS involves the deployment of...

Introducing IDS and IPS (Cont.)

- False positive: An alarm is triggered by normal traffic or a benign action.
- False negative: A signature is not fired when offending traffic is detected.
- True positive: A signature is correctly fired when offending traffic is detected and an alarm is generated.
- True negative: A signature is not fired when nonoffending traffic is captured and analyzed.

Q8) The figure identifies and describes the enhanced Cisco IOS IPS signature features.

Introducing the Cisco SDM VPN Wizard Interface

Figure: 1. Enter the configuration page. 3. Choose the desired VPN wizard (VPN type). 4. Choose the VPN implementation subtype.

To select and start a VPN wizard, follow these steps: Step 1: Click the Configure icon in the top horizontal navigation bar to enter the configuration page. Step 2: Click the VPN icon in the left vertical navigation bar to open the VPN page. Step 3: Choose the Site to...

Introducing the Cisco Security Appliance Product Family

This topic describes the main components of the Cisco security appliance product family. The Cisco security appliances family includes these products Cisco IOS Firewall The Cisco IOS Firewall provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. The Cisco IOS Firewall is available for a wide range of Cisco IOS software-based routers and offers sophisticated security and policy enforcement for connections within an organization (intranet)...

IPS Signature Characteristics (Cont.)

There are four types of signatures The type of signature used depends on these factors The number of signatures available depends on the IPS sensor platform type. Here are the four categories of signatures Exploit Exploit-specific signatures seek to identify network activity or upper-layer protocol transactions that are unique to a specific exploit or attack tool. Consequently, each new exploit may require its own signature. Because a successful exploit can be created by slightly modifying the...

Launching the Site-to-Site VPN Wizard (Cont.)

Figure: a. Quick setup uses predefined IKE and IPsec policies. b. Step-by-step setup includes IKE and IPsec policy configuration steps. 3. Proceed to the configuration of parameters.

Step 2: A window will pop up asking you which wizard mode to use. The Quick setup option uses Cisco SDM-default IKE policies and IPsec transform sets....

Lists active IPsec security associations

The Show Commands table lists two of the most useful show commands to determine the status of IPsec VPN connections. To display all current IKE Security Associations (SAs), use the show crypto isakmp sa command in EXEC mode. A QM_IDLE status indicates an active IKE SA. To display the settings used by the current SAs, use the show crypto ipsec sa command in EXEC mode. Nonzero encryption and decryption statistics can indicate a working set of IPsec SAs. This subtopic explains troubleshooting and...

MAC Address Spoofing Attack

Figure: Switch Port Table, Spoofed Switch Port Table, Updated Switch Port Table.

In a MAC spoofing attack, the network attacker uses a known MAC address to attempt to make the targeted switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of another host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. From then on, the...

MAC B is unknown so the switch will flood the frame

The CAM table in a switch contains the MAC addresses available on a given physical port of a switch and the associated VLAN parameters for each. When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address. If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the MAC address port designated in the CAM table. If the MAC address does not exist in the CAM table, the switch acts like a hub...

Managing Cisco Easy VPN Server Connections

This topic describes how to manage Cisco Easy VPN Server connections using Cisco SDM. The screen captures show the Cisco SDM GUI used to view, add, edit, or delete Cisco Easy VPN Server connections.

6-76 Securing Cisco Network Devices (SND) v2.0 2006 Cisco Systems, Inc.

Managing Cisco Easy VPN Server Connections (Cont.)

When you click the Add or Edit buttons, the options you can change are the same options that you used to create a Cisco Easy VPN...

Memory Requirements of Pre-Built SDFs

The number of signatures that can go on a router is completely dependent on memory. Cisco has developed some recommendations for choosing SDFs. The table in the figure shows the amount of memory required for a recommended SDF and the approximate number of signatures that can be supported by that amount of memory.

Distributed Threat Mitigation with Intrusion Prevention System

Cisco IPS 4200 Series Sensor, IDM, or NM-CIDS* Cisco...

Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) Which firewall technology uses a special piece of software designed to relay application layer requests and responses between endpoints? (Source: Introducing Firewall Technologies)

Q2) Which firewall technology defines sets of rules and ACLs that determine which traffic is permitted or denied from being routed across a firewall by examining...

Network Address Translation

NAT translates the source address of a device inside a network to a public source address (SA in the figure). NAT allows a host on your private network that does not have a valid registered IP address to communicate with other hosts through the Internet. There are three types of NAT to consider:

Static NAT: In static NAT, a private IP address is mapped to a public IP address, where the public address is always the same IP address (that is, a static address). A static address allows an internal...

Network edge inside firewall

An IDS sensor placed inside the firewall, shown in the topology as an appliance-based sensor, generates alarms that reveal firewall misconfigurations: the sensor detects the malicious traffic that the firewall configuration has let into the network.

Note: Cisco platforms such as Cisco ASA 5500 Series Adaptive Security Appliances with the Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP SSM) can act as both an IDS and an IPS sensor.

The appliance-based sensor placed inside...

Network implementation

Network IPS gives security managers real-time security insight into their networks regardless of network growth. Network growth can occur by adding either additional hosts or new networks. Additional hosts added to protected networks are covered without adding any new sensors. Additional sensors can easily be deployed to protect the new networks. Some of the factors that influence the addition of sensors are as follows:

Exceeded traffic capacity: For example, the addition of a new gigabit network...

New sensors can be easily added to new networks

Network IPS involves the deployment of monitoring devices, or sensors, throughout the network to capture and analyze the traffic. Sensors detect malicious and unauthorized activity in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring, regardless of the location of the attack target. Network IPS sensors are usually tuned for intrusion detection analysis. The underlying...

Notification of Intrusions

MAC address notification allows you to monitor MAC addresses, at the module and port level, that the switch adds to or removes from the CAM table.

Figure: SNMP trap sent to NMS when MAC-X appears on Ethernet port 2/1.

Network managers need a way to monitor who is using the network and where they are. MAC address notification allows the network administrator to monitor the MAC addresses that are learned by the switch and the MAC addresses that are...

One CA can automatically grant certificate requests while another CA can require only manually granted certificate

A PKI can be set up in a hierarchical framework to support multiple CAs. At the top of the hierarchy is a root CA, which holds a self-signed certificate. The trust within the entire hierarchy is derived from the RSA key pair of the root CA. The subordinate CAs within the hierarchy can be enrolled with either the root CA or with another subordinate CA. Using these enrollment options, multiple tiers of CAs can be configured. If the peers within a hierarchical PKI share a trusted root CA...

Option 2 Using an ACL

Screen capture (Cisco SDM IPsec traffic selection; text only partially legible): ...fers (FTP) and e-mail (SMTP) that will be protected by this t... unprotected to the remote device. You can protect all traffic ...bnet, or specify an IPsec rule that defines the traffic types to ... Select an existing rule (ACL), Create a new rule (ACL) and select ..., None (clear rule as...

Option 2: Using an ACL (Cont.)

1. Choose an action and add a description.
2. Define source and destination networks or addresses.
3. (Optional) Define the protocol and port numbers.

Follow these steps to configure a new rule entry:

Step 1 Choose an action and write a description of the rule entry.
Step 2 Each rule entry defines one pair of source and destination addresses or networks.

Note: You must use wildcard bits instead of subnet masks.

Step 3 Optionally, you can provide protection for individual Open Systems Interconnection...

Overview

When you need to defend your network, the Cisco Intrusion Prevention System (IPS) product family provides a comprehensive suite of routers, switches, and appliance and network modules from which to choose. In this lesson, you will learn about the relative positioning of Cisco IDS and IPS sensor platforms and modules. The Cisco host IPS (HIPS) solution feature of Cisco Security Agent (CSA) will be examined, as will how the complementary Cisco Guard Distributed Denial of Service (DDoS) Mitigation...

Performance and Limitations of Cisco ASA 5500 Series Platforms

Figure: ASA Performance with the Security Service Module (Cisco ASA 5500 Series Adaptive Security Appliance).

The table in the figure shows the performance and interface limitations of the Cisco ASA 5500 Series Adaptive Security Appliance platform. Refer to the Cisco ASA 5500 Series Adaptive Security Appliance Platform and Module Datasheet for an in-depth discussion on the performance metrics. This datasheet can be found at

Note: The Cisco AIP SSM-10 can also run on the Cisco ASA 5520 Adaptive Security...

Port Security Configuration Script

    ! Enable port security on Fast Ethernet port 1
    ! Set the maximum number of secure addresses to 50
    ! Set violation mode to default
    ! No static secure MAC addresses needed
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 50
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security aging time 20
    Switch(config-if)# end

MAC addresses...

Private VLANs

This topic describes the function and benefit of the PVLAN feature embedded in Cisco Catalyst switches. PVLANs work as follows: a common subnet is subdivided into multiple PVLANs. Hosts on a given PVLAN that are attached to an isolated port can communicate only with the default gateway and not with other hosts on the network. The advantage of using PVLANs is that traffic management is simplified while IP address space is conserved. PVLANs work by limiting which ports within a VLAN can...

Protocol analysis-based

Cisco Systems has implemented IPS functions into its internetwork operating system, Cisco IOS software. Cisco IOS IPS combines existing Cisco intrusion detection system (IDS) and IPS product features with three different intrusion detection techniques. Cisco IOS IPS uses a blend of Cisco IDS and IPS products. Cisco IOS IPS uses technology from Cisco IDS and IPS sensor product lines, including Cisco IPS 4200 Series Sensors, Cisco Catalyst 6500 Intrusion Detection System Services Module, and...

Recommended approaches to implementing multiple IDS management consoles

- Hierarchical monitoring structure

Event monitoring and management can be divided into the need for real-time event monitoring and management and the need to perform analysis based on archived information (reporting). These functions can be handled by a single server, or the functions can be placed on separate servers to scale deployment. The number of sensors that should be forwarding alarms to a single IDS management console is a function of the aggregate number of alarms per second...

Relative Positioning of Cisco IPS Sensors

Figure: relative positioning chart; the media support listed per platform ranges from 10/100 and 10/100-TX through 10/100/1000-TX to 1000-TX and 1000-SX.

The diagram shows the relative positioning of some of the Cisco IDS and IPS sensors. Use this chart as a guide to select the Cisco IDS and IPS sensor platform with the correct performance and media support for your application.

Note: For the complete line of Cisco IPS 4200 Series Sensors refer to

Remote Access

Figure: Cisco ASA 5500 Series Adaptive Security Appliance; Cisco VPN Software Client with Firewall; Small and Home Office VPN with Firewall.

The type of VPN required is an important factor when deciding what kind of device best fits the needs of the VPN deployment. Here are the two applications for Cisco VPN-enabled devices:

Site-to-site VPN: Site-to-site VPNs allow businesses to extend their network resources to branch offices, home offices, and business partner sites. All traffic sent between the sites...

Review the Generated Configuration

Click Back to modify the configuration. Click Finish to complete the configuration.

At the end of the configuration, the wizard will present a summary of all the configured parameters. You can go back to modify the configuration in case you have made a mistake. Click the Finish button to complete the configuration.

Testing the Tunnel Configuration and Operation

This subtopic explains how to see the status of the...

Reviewing and completing the configuration

The step-by-step wizard includes these parameters:

Connection settings: Outside interface, peer address, and authentication credentials.

IKE proposals: IKE proposal priority, encryption algorithm (Data Encryption Standard [DES], Triple DES [3DES], Advanced Encryption Standard [AES], or Software Encryption Algorithm [SEAL]), Hashed Message Authentication Code (HMAC) hash function (Secure Hash Algorithm 1 [SHA-1] or Message Digest 5 [MD5]), IKE authentication method (preshared secrets or digital certificates),...

RIPv2 Route Filtering

    R1(config)# access-list 12 deny 16.2.2.0 0.0.0.255
    R1(config)# access-list 12 permit any
    R1(config)# router rip
    R1(config-router)# distribute-list 12 out
    R1(config-router)# version 2
    R1(config-router)# no auto-summary
    R1(config-router)# end

Cisco routers share routing table update information to provide directions on where to route traffic. Use ACLs to limit which routes a router accepts (takes in) or advertises (sends out) to its counterparts. The example in the figure shows a standard IP ACL applied...

Rogue Trunk Port

An attacker tricks a network switch into believing that it is a legitimate switch on the network needing trunking. Auto trunking allows the rogue station to become a member of all VLANs.

Note: There is no way to execute switch spoofing attacks unless the switch is misconfigured.

VLAN architecture simplifies network maintenance and improves performance. However, VLAN operation opens the door to abuse. VLAN hopping allows traffic from one VLAN to be seen by another VLAN without first crossing a...

Saving the Cisco IOS IPS Configuration

The figure shows two menu selections found in the File menu option. Once you have configured Cisco IPS on a router or security device, you can either write the new IPS configuration to the starting configuration of the router or save the running configuration to the PC to use later.

Securing Network Access to Layer 2 LAN Switches

This topic describes the basic steps in securing network access to Layer 2 LAN switches. The first steps in defending against Layer 2 attacks are to ensure that you configure every switch in the network with basic security in mind. Using the Cisco Catalyst switch security features will be covered in the Using Cisco Catalyst Switch Security Features lesson.

Protecting Administrative Access to Switches

This topic describes how...

Security Appliance Based VPN Solutions

A firewall-based VPN solution is based on the capabilities of existing firewalls that can support both remote-access and site-to-site VPN requirements. Firewall-based VPN solutions are based more on management issues than on technical issues. The difference in the solution is in who manages the VPN network (either the owner or the ISP). If corporate security manages the VPN network, a firewall-based VPN may be the VPN solution of choice. Corporations can enhance their existing firewall systems...

Site-to-Site IPsec Configuration: Interface Access List

This topic describes the configuration to apply to the interface access list. Finally, if you are using only IPsec VPN on a router interface, you need to block all unwanted traffic and allow the traffic that you want. To block unwanted traffic, define an access list and apply it to all incoming packets on your IPsec interface. To do this, enable the IPsec protocol (protocol 50 for Encapsulating Security Payload [ESP] or...

Site-to-Site IPsec Configuration: Phase

    crypto isakmp key SeCrEt address 172.16.172.10 255.255.255.255

The first part of site-to-site IPsec configuration is to configure the ISAKMP parameters. In the topology, router 1 and router 2 are configured with a policy, policy 1, which employs preshared authentication using the Secure Hash Algorithm (SHA) hash function and Advanced Encryption Standard (AES) 128-bit encryption. In the example, you see that preshared authentication is used with the secret SeCrEt to the IPsec peer. ...

Site-to-Site VPN Components (Cont.)

- Group Policies for Cisco Easy VPN Server functionality
- Public Key Infrastructure for IKE authentication using digital certificates

Figure: Individual IPsec Components Used to Build VPNs.

The figure illustrates the VPN navigation bar, which contains two major sections: the VPN wizards at the top and the individual IPsec components below. The individual components are Group Policies (for Easy VPN Server functionality) and Public Key Infrastructure (for IKE authentication using digital...

Some signatures have subsignatures; configuring a subsignature changes only that subsignature

A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. Similar signatures are grouped together into SDFs, and a signature micro-engine is used to implement the signatures. SDFs and signature micro-engines are discussed in the Examining SDFs and Signature Micro-Engines topic. Signatures are easily installed using IDS and IPS management software such as the Cisco IDS Device Manager (IDM). Sensors allow you to modify existing signatures...

Specifies an additional layer of security over the enable password command

Using strong passwords is one of the first steps in defending switch configurations. Unfortunately, user passwords in Cisco IOS configuration files are encrypted using a scheme that is very weak by modern cryptographic standards. For that reason, the enable password command should no longer be used. Use the enable secret command for better security. The only instance in which the enable password command might be tested is when the device is running in a boot mode that does not support the...

Specify a single source host or network

Note: 1 - n is one-to-many.

Cisco SDM will protect the LAN with a default firewall when you choose the basic firewall option. The Cisco SDM Firewall Wizard will guide you through the steps of defining inside and outside interfaces.

Outside (untrusted) interface: Choose the router interface connected to the Internet or to your WAN.

Allow secure SDM access from the outside interfaces: Creating a firewall policy can block SDM access to the router from the outside interface....

Spoofing the DHCP Server

1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.

One way that an attacker can gain access to network traffic is to spoof responses that...

Starting the Cisco Easy VPN Server Wizard

Screen capture (Cisco SDM VPN page): How Do I Configure a Backup for an Easy VPN Remote; VPN types listed: Site-to-Site VPN, Easy VPN Remote, Easy VPN Server, Dynamic Multipoint VPN, VPN Components.

The screen capture shows the Cisco SDM VPN configuration GUI. To launch the Cisco SDM Easy VPN Server Wizard, first choose the Easy VPN Server VPN type and then click the Launch Easy VPN Server Wizard button.

Note: Authentication, authorization, and accounting (AAA) must be...

Stateful firewalls do not support user authentication of connections

Use stateful packet filtering firewalls in these applications:

As a primary means of defense: In most situations, a stateful firewall is used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.

As an intelligent first line of defense: Networks use routing devices supporting a stateful function as a primary line of defense or as an additional security boost on perimeter routers.

As a means of strengthening packet filtering: Stateful filtering provides more...

Step-by-Step Help Screens

Screen capture (Cisco Router and Security Device Manager Online Help): Home, Search, Using Help, Glossary, View PDF.

When you choose one of the How do I... tasks from the drop-down menu, a step-by-step help screen for that question appears, as shown in the figure. You can also view and print a PDF version of the help screen.