A binding table containing IP address and MAC address associations is dynamically populated using DHCP snooping

When a host sends an ARP request to resolve its own IP address, it is called gratuitous ARP (GARP). In a properly configured network, an ARP reply is not provided for a GARP request. However, if another host in the network appears to be configured with the same IP address as the source host, the source host gets an ARP reply. In this way, a host can determine whether another host is also configured with its IP address. The figure shows a user with an IP address of 10.1.1.2 connected through a...

Cisco K9 image

PKI credentials, such as RSA keys and CA-signed certificates, are typically stored on a router (in NVRAM). There are other places PKI credentials can be stored. Selected Cisco platforms support smartcard technology implemented in hardware as a Universal Serial Bus (USB) key (eToken key). The eToken can securely store any type of file within its 32 KB of storage space. Configuration files that are stored on the eToken can be encrypted and accessed only via a user PIN. The router will not load...

A firewall is a set of related programs located at a network gateway server that protects the resources of a private

By segmenting a network into different physical subnetworks, firewalls can limit the damage that could spread from one subnet to another just like fire doors and firewalls used by firefighters limit the spread of fire. In network security terms, a firewall is a software or hardware barrier between an internal (trusted) network and an external (untrusted) network. In this sense, a firewall is a set of related programs that enforces an access control policy...

A use guard root and bpdu guard

Q2) Explain how VLAN configuration can mitigate VLAN hopping attacks. (Source: Mitigating Layer 2 Attacks)
Q3) What is the effect of using the guard root and bpdu-guard enhancement commands? (Source: Mitigating Layer 2 Attacks)
Q4) Match each of the mitigation techniques with the type of attack that it will mitigate by putting the letter of the technique in the space provided beside each type of attack. (Source: Mitigating Layer 2 Attacks)
3-86 Securing Cisco Network Devices (SND) v2.0 2006 Cisco...

A VACL provides granular control for limited access within a VLAN or subnet

VACLs, also known as VLAN maps, can be used to filter VLAN traffic. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces, VACLs are applied to any VLAN. When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. The list of commands here shows how to define and apply a VLAN access map. In this example, IP traffic matching ACL 100 is forwarded, and all other IP packets are dropped because of the default...

ACL Caveats

You may not see this statement, but it does exist. You may need to create extended ACLs to implement security policies. ACL statements are evaluated from the top down, so always consider the order of the statements. Place more specific ACL statements higher in the access list. Ensure that statements at the top of the ACL do not negate any statements found lower in the list. Always double-check the direction (inbound or outbound) of the data that your ACL is filtering. Here are the caveats that...

ACL name: Cisco IOS Releases 11.2 and later. You provide the name of the ACL.

- Names contain alphanumeric characters.
- Names cannot contain spaces or punctuation and must begin with an alphabetic character.
- You can add or delete entries within the ACL.
Prior to Cisco IOS Release 11.2, you had to assign a number to each ACL as you created it. Since then, either a number or a name can identify Cisco ACLs and the protocols that they filter. Using numbered ACLs is an effective method on smaller networks with more homogeneously defined traffic. Because each ACL type is...

ACLs can control access on a port-by-port basis

The figure shows how a DDoS attack occurs, as described here: Behind a client is a person who launches the attack. A handler is a compromised host running the attacker program; each handler is capable of controlling multiple agents. An agent is a compromised host that is running the attacker program; each agent is responsible for generating a stream of packets that it directs toward the intended victim. Routers can help reduce the number of DDoS attacks by using ACLs to filter known attack ports....

ACLs control traffic in and out of routers and firewalls

ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world. However, as presented in the Introducing Firewall Technologies lesson, ACLs filter network traffic in both directions by controlling whether to forward or block packets at the router interfaces based on the criteria that you specified within the ACLs. ACL criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other...

Adaptive Solution with Converged Best-of-Breed Security Services

[Figure: feature panels of the adaptive solution: Packet inspection (protocol validation, accurate enforcement, robust resiliency); Attack detection (granular packet inspection, application control, dynamic response); VPN (SSL VPN, IPsec VPN, user-based security, group-based management, clustering); threats addressed include access breaches, session abuse, port scans, malformed packets, application misuse, DoS and hacking, known...]

An address is being used on two secure interfaces in the same VLAN

Ports can be configured with these types of secure MAC addresses:
Static secure MAC addresses: These addresses are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
Dynamic secure MAC addresses: These addresses are dynamically configured, stored only in the address table, and removed when the switch restarts.
Sticky secure MAC addresses: These addresses are...

Application inspection firewalls

- Are aware of the Layer 5 state of a connection
- Check the conformity of application commands on Layer 5
- Are able to check and affect Layer 7 (for example, Java applet or peer-to-peer filtering)
- Prevent more kinds of attacks than stateful firewalls
Application inspection firewalls ensure the security of applications and services. Some applications require special handling by the firewall application inspection function. Applications that require special application inspection functions are those...

Application Layer Firewall

Application layer firewalls, also called proxy firewalls or application gateways, provide a higher level of security than circuit-level firewalls because they allow the greatest level of control. Application-level proxy servers work on Layer 1 up to Layer 7 of the OSI model. Most application layer firewalls include specialized application software and proxy servers. A proxy is an application that does work on behalf of something else. Proxy services are special-purpose programs that manage...

Application Layer Proxy Firewall

An application layer firewall operates on OSI Layers 3, 4, 5, and 7.
Advantages of application layer proxy firewalls:
- This firewall authenticates individuals, not devices.
- Hackers have a harder time with spoofing and implementing DoS attacks.
- This firewall can monitor and filter application data.
- This firewall can provide detailed logging.
Application layer firewalls filter information at Layers 3, 4, 5, and 7 of the OSI reference model. Because application layer firewalls process...

Applying ACLs to Interfaces

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out
Tulsa(config-if)# end
Before applying a packet filtering ACL to a router interface, make sure you know in which direction it will filter. Apply ACLs to router interfaces using the ip access-group command in interface configuration mode, as shown in the figure. The syntax for the ip access-group command is as follows: ip access-group...

Authentication

IPsec is an Internet Engineering Task Force (IETF) standard (RFC 2401-2412) that defines how a VPN can be set up using the IP addressing protocol. The IPsec protocol determines how the interface on a router appears to the encryption protocol, not which type of encryption is used. IPsec provides these essential security functions:
Confidentiality: IPsec ensures confidentiality by using encryption. Data encryption prevents third parties from reading the data, especially data that is transmitted...

Authentication dictionary attacks

These attacks are described in Security of the WEP Algorithm:
- Passive attacks to decrypt traffic based on statistical analysis
- Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext
- Active attacks to decrypt traffic, based on tricking the access point
- Dictionary-building attacks, which, after analysis of traffic for about a day, allow real-time automated decryption of all traffic
Passive or Weak Initialization Vector Attack
An initialization vector (IV)...

Basic 802.11 Security Issues

- Checks for devices that do not possess key
- Hardware theft may be an issue
One-way authentication
No integration with existing network authentication methods
- May render either client or network vulnerable
- Important to two-way (mutually) authenticate user and network
Basic 802.11 WEP security is designed to guard against the threat to network security from unauthorized 802.11 devices outside the LAN. Any device with a valid WEP key is considered a legitimate and authorized user. If the...

Benefits

- Prevents the deliberate or accidental flooding of the network
- Keeps traffic flowing smoothly
[Figure: Rate Limiting for Different Classes of Users]
Otherwise, there can be a deliberate or accidental slowdown or freezing of the network. Rate limiting (also referred to as traffic policing) involves creating a policing agent that specifies the upper bandwidth limit for traffic. Packets that exceed the limits are considered to be...

Benefits of DTM with Cisco IOS IPS Software

Attempts to use the resources of the router for IPS occur only when needed. This solution provides (optionally) automated tuning of IPS signatures. Customers that turn on and use the IPS feature on their branch routers will not have to deal with too many (sometimes false) alarms. This solution increases the value of a company's investment in network-based intrusion detection products. This solution helps the operator to quickly locate the source of the attacks. The Cisco IOS IPS system evaluates...

CAM has learned MAC B is on Port

[Figure: hosts A, B, and C with MAC addresses A, B, and C attached to the switch; MAC C does not see traffic to MAC B anymore.]
Now, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port. The key to understanding how CAM overflow attacks work is to know that CAM tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch CAM table is full. The switch then enters into what is known as a...

CAM Learns Mac B Is on Port

[Figure: hosts A, B, and C with MAC addresses A, B, and C attached to the switch; host C drops the packet addressed to host B.]
Host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and writes that information into the CAM table. Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Centralized user and key management

A major advantage of EAP and the 802.1x standards is that they are designed to leverage existing standards. With support for EAP, WLANs can now offer the following: Support for RFC 2284, with password authentication. Users are authenticated based on usernames and passwords that are typically already stored in an Active Directory on the network. This directory is then connected to a certificate server, such as a RADIUS server or the Cisco Secure Access Control Server (ACS). One-time passwords,...

Choose the Cisco IOS Firewall when you need

- A one-box solution with powerful security, QoS, multiprotocol routing, integrated WAN interfaces, and voice application support
- To leverage network infrastructure for security
- Extensive VPN support integrated with a firewall in a single device
Cisco 800 Series, 1700 Series, and 1800 Series Routers; Cisco 2600 and 3600 Series Multiservice Platforms and Cisco 2800 Series Integrated Services Routers; Cisco 3700 Series Multiservice Access Routers and 3800 Series Integrated Services Routers; VPN and...

Choosing an Interface for Terminating IPsec

[Screen capture: Easy VPN Server Wizard, 10% complete: select the interface on which the Easy VPN Server should be configured (Easy VPN clients will connect to the server through this interface), and select the method used for authenticating VPN clients connecting to this Easy VPN Server.]...

Choosing the Type of Firewall You Need

Choose the Cisco IOS Firewall that meets your network security needs: basic or advanced. The figure shows the top part of the Cisco IOS Firewall configuration screen. You can choose either a basic firewall or an advanced firewall. Once you choose the firewall that you want, the Use Case Scenario figure appears for each selection. The two firewalls differ in these ways: Basic Firewall: A basic firewall is a...

Cisco ACLs

This topic describes the types and formats of ACLs that Cisco IOS Firewall uses to restrict access and filter packets. Cisco routers support two basic types of ACLs:
Standard ACL: Filters IP packets based on the source address only.
access-list 10 permit 192.168.3.0 0.0.0.255
Extended ACL: Filters IP packets based on several attributes, such as:
- Source and destination IP addresses
- Source and destination TCP and UDP ports
- Protocol type (IP, ICMP, UDP, TCP, or protocol number)
access-list 101...

Cisco ASA 5500 Series Adaptive Security Appliances

[Figure: the Cisco ASA 5500 Series combines VPN technology (Cisco VPN 3000 Series Concentrator), network intelligence (Cisco Network Services), and Adaptive Threat Defense and Secure Connectivity: Secure Connectivity (IPsec and SSL VPN); Application Inspection, Use Enforcement, Web Control, Application Security; Traffic-Admission Control, Proactive Response, Network Containment and Control; Secure Connectivity...]

Cisco IOS Firewall Features

The Cisco IOS Firewall combines the functions of packet inspection and proxy firewalls to provide an optimal security solution on one chassis. This topic describes the features of the Cisco IOS Firewall.
- Application and protocol inspection and control
- Dynamic, per-user authentication and authorization
- Administrative access control with AAA
- Extensive multimedia support, including streaming video, streaming audio, and voice applications
The Cisco IOS Firewall is a stateful inspection firewall...

Cisco IOS IPS Signature Features

- Regular expression string pattern matching: Enables the creation of string patterns using regular expressions
- Enables the sensor to take an action when the signature is triggered
- Enables the sensor to aggregate alarms, to limit the number of times an alarm is sent when the signature is triggered
- Enables a signature to be tuned to perform optimally in a network
- Enables a signature to defeat evasive techniques used by an attacker
The table in the figure describes the features of Cisco IOS...

Cisco IOS VPN-Enabled Routers

With Cisco routers running Cisco IOS software, organizations can easily deploy and scale site-to-site VPNs of any topology, from hub-and-spoke VPNs to the more complex, fully meshed VPNs. In addition, the Cisco IOS security features combine the VPN feature set with firewall, intrusion prevention, and extensive Cisco IOS capabilities, including quality of service (QoS), multiprotocol, multicast, and advanced routing support. The Cisco IOS feature sets incorporate these VPN features: Voice and...

Cisco IPS 4200 Series Sensors

Cisco IPS solutions run on a variety of platforms. Here is a brief description of those available. Cisco ASA 5500 Series Adaptive Security Appliances: The Cisco ASA 5500 Series Adaptive Security Appliances offer a purpose-built, high-performance security solution. These appliances integrate the technologies from Cisco PIX 500 Series Security Appliances, Cisco IPS 4200 Series Sensors, and Cisco VPN 3000 Series Concentrators. The Cisco ASA 5500 Series Adaptive Security Appliances are a key component...

Cisco PIX 500 Series Security Appliances Hardware acceleration

Here are more details on the Cisco VPN product family:
Cisco VPN-enabled routers and switches: Cisco VPN security routers and switches represent the best options for customers of all sizes looking to take advantage of their existing network infrastructures to deploy VPNs and security while integrating all services in a single device with the widest selection of WAN and LAN interfaces.
Cisco VPN 3000 Series Concentrators: Cisco VPN 3000 Series Concentrators are the most feature-rich remote-access...

Cisco Unified Wireless Network

- Unified: built-in support of leading-edge applications, not an afterthought (Cisco Wireless Location Appliance, Cisco WCS, SDN, NAC, Wi-Fi phones, and RF firewalls)
- World-class NMS that visualizes and helps secure your air space (WCS)
- Seamless network infrastructure across a range of platforms (Cisco 2000 and 4400 Wireless LAN Controllers; future Cisco Catalyst 6500 Series WiSM, ISR, and 3750 integration)
- APs dynamically configured and managed through LWAPP (Cisco Aironet Access Points 1500, 1300,...)

Cisco VPN 3000 Series Concentrators

- Customized application access
- Fully clientless Citrix support
- Integrated web-based management
- Clustering and load-balancing capabilities
- Broad user authentication support
Cisco VPN 3000 Series Concentrators are ideal for organizations that require advanced and flexible remote-access VPN technology and that prefer the operational simplicity and management segregation of a focused-function VPN device. Here are some of the features of the Cisco VPN 3000 Series Concentrator platform: Customized...

Cisco VPN Product Family

[Figure: Site-to-Site VPN and Firewall Routers; Cisco PIX 500 Series Security Appliance and Cisco ASA 5500 Series Adaptive Security Appliance]
The portfolio of the Cisco VPN product family includes remote and site-to-site Cisco IOS VPN and firewall security routers, Cisco Catalyst 6500 Series Switches with VPN service modules (not shown), Cisco PIX security appliances, and Cisco ASA 5500 Series Adaptive Security Appliances.

Cisco VPN Product Positioning (Cont.)

[Figure: product positioning table. Large enterprise: Cisco VPN 3060 and 3080 Concentrators; Cisco Catalyst 6500 and 7600 Series Switches; 3700 Multiservice Access Routers, 3800 Series Integrated Service Routers, 7000 Series Routers. Small business or remote office with branch office: Cisco VPN 3005 and 3015 Concentrators; Cisco VPN software and hardware Client; 1700, 1800, and 2600 Series Multiservice Access Routers, 2800 Integrated Service Routers...]

Click the Launch IPS Rule Wizard button

Read about the need for the SDM to obtain Security Device Event Exchange (SDEE) messages and click OK. Choose a router interface to apply the IPS rule. Choose the traffic flow direction to be inspected by the IPS rule. Specify where the router will find the signature definition files (SDFs). The wizard will present you with dialog boxes. One dialog box will show the progress of the configuration tasks, and another will display a signature micro-engine build report when the configuration is...

Client requests are filtered on the basis of Layer 5 and Layer 7 information

The topology in the figure represents a typical proxy server deployment. An application layer firewall usually has two network interfaces: one interface is used for the client connections, and a second interface is used for accessing the website from the Internet. Application proxies separate the trusted and untrusted networks either physically or logically. The example in the figure shows a client inside the network requesting access to a website. The client browser uses a proxy server for all...

Combining Access Functions

[Figure: reference network for router R2, with interfaces e0/0 and e0/1, a Remote Access LAN 16.2.1.0/24, and public web, mail, and admin servers]
This is an example of a possible configuration for router R2 in the reference network. This partial configuration file contains several ACLs that contain most of the ACL features already explained in this lesson. View this partial configuration as an example of how to integrate multiple ACL policies into a few main router ACLs. The partial configuration file that follows...

Commands are delivered to the running configuration and are not saved on exit

The final step is to save the configuration to the router running configuration and leave the wizard. Click Deliver. SDM saves the configuration changes to the router running configuration. The changes will take effect immediately but will be lost if the router is turned off. Check the Save Running Config. to Router's Startup Config check box. This keeps the configuration from being lost when the router is turned off. If you checked the Preview Commands before Delivering to Router check box in the User...

Comparing HIPS and Network IPS

- Application-level encryption protection
- Not visible on the network
- Operating system independent
- Lower level network events seen
- Does not understand context of an attack
The table compares HIPS and network IPS advantages and disadvantages.

Configure host address, service, and service type

The advanced firewall configuration allows you to secure your private network by applying access and inspection rules to inside (trusted), outside (untrusted), and DMZ interfaces. A DMZ network is a buffer zone used to isolate traffic that comes from an untrusted network. If you have a DMZ network, choose the interface that connects to it when using an advanced firewall. The Cisco SDM Firewall Wizard will guide you through the steps to complete these tasks: Define inside and outside interfaces...

Configure restrict or shutdown violation rules

A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the...

Configuring a Group Policy Configuration Location: External Location via RADIUS

[Screen capture: Easy VPN Server Wizard, 50% complete: group authorization; the RADIUS server will be used for group authorization.]
The screen captures show the configuration steps...

Configuring a Local User Database: User Authentication

[Screen capture: Easy VPN Server Wizard, 65% complete: user authentication; Enable User Authentication, select the servers or the AAA policy that defines them, or select an existing AAA method list; the local database will be used for user authentication.]...

Configuring Cisco IOS IPS Using Cisco SDM

This topic explains how to configure Cisco IOS IPS using the Cisco SDM GUI.
Using Cisco SDM to Configure Cisco IOS IPS
2. Launch the IPS Rules Wizard.
3. Choose a router interface to apply the IPS rule.
4. Choose the traffic flow direction to be inspected by the IPS rules.
5. Specify where the router will find the SDFs.
6. Confirm status of interfaces and signature files.
7. Configure signature alarm severity, event actions, and parameters.
8. Save the Cisco IPS configuration to the router.
The...

Configuring Global Settings

[Screen capture: Configured SDF Locations, with Add, Edit, Delete, Move Up, Move Down, and Reload Signatures buttons]
The screen capture shows the global features that you can configure using the Cisco SDM GUI. To access and configure a particular global feature, choose the item name and click the Edit button.

Configuring IPsec Transform Sets

[Screen capture: Easy VPN Server Wizard, 35% complete: a transform set specifies the encryption and authentication algorithms for data in the VPN tunnel; options shown are data integrity and encryption (ESP) with integrity algorithm ESP_SHA_HMAC and encryption algorithm ESP_AES_256, and data and address integrity without encryption (AH).]
Click the Add button to add a new transform set, and the Edit...

Configuring Local Group Policies

The screen capture shows where to configure the group policies. From this page, you can add a new group, edit an existing group, copy (clone) a group, or delete an existing group. To edit a group policy, choose the desired group policy, then click the Edit button.
[Screen capture: Configuring Local Group Policy Parameters, with General, DNS/WINS, Split Tunneling, Client Settings, XAuth Options, and Group Information tabs]...

Configuring NAT with Cisco SDM

Choose the NAT wizard on the task bar. You can use the Cisco Router and Security Device Manager (SDM) NAT wizard to guide you in creating a NAT rule. Choose the Basic NAT wizard if you want to connect your network to the Internet (or the outside) and your network has hosts but no servers. If your network is made up only of PCs that require access to the Internet, choose Basic NAT and click the Launch the Selected Task button. Choose the Advanced NAT wizard if you want to connect your network to...

Confirming Configuration Settings

At the end of configuration, the wizard will present a summary of all the configured parameters. You can go back to correct the configuration if you have made a mistake.
Testing the Cisco Easy VPN Server Configuration

Connection Settings

1. Choose the outside interface toward the IPsec peer over the untrusted network.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify credentials.
The first task in the step-by-step wizard is setting the connection settings. Follow these steps:
Step 1: Choose the outside interface toward the IPsec peer over the untrusted network.
Step 2: Specify the IP address of the peer.
Step 3: Choose the authentication method and specify credentials. Use long and random preshared...

Consistent user experience

There are many reasons that support a migration from Cisco PIX-based security architectures to a Cisco security appliance-based architecture. The key business drivers supporting such an effort are:
Lower total operating expenditures: Unified management and monitoring, added to a single platform, decreases complexity and simplifies deployments and ongoing support.
Lower capital expenditures: The Cisco Technology Migration Program lowers capital expenditures. Leasing promotions further reduce costs and...

Controller

The basic service area (BSA) is the area of RF coverage provided by an access point. The BSA is also referred to as a microcell, or alternatively as just a cell. In the figure, the BSA is called a wireless cell. An access point can be added to extend the BSA or to simply add wireless devices and extend the range of an existing wired system. As the name access point indicates, this unit is the point at which wireless clients can access the network. The access point connects to a controller,...

CSA Interceptors

When intercepting communications between applications and the underlying operating system, CSA combines the functionality of these traditional security approaches:
Distributed firewall: The network interceptor performs the duties of a host firewall.
HIPS: The network interceptor teams with the execution space interceptor to provide the alerting capability of HIPS with the proactive enforcement of a security policy.
Application sandbox: An application sandbox is an execution space in which suspect...

Cut-Through Proxy Firewall Communication Process

[Figure: Step 1, Authentication (Inbound); Step 2, Add Filtering Rule]
Cisco's firewall technology performs dramatically better than competing firewalls. A proprietary process called cut-through proxy is the fastest way for a firewall to authenticate a user. Using the cut-through proxy feature of the Cisco PIX Security Appliance or Cisco IOS Firewall helps alleviate performance issues inherent in proxy server design. Firewalls using a cut-through proxy...

DoS Attack Mitigation: Trin00

R2(config)# access-list 190 deny tcp any
R2(config)# access-list 190 deny tcp any
R2(config)# access-list 190 deny udp any
R2(config)# access-list 190 deny udp any
R2(config)# access-list 190 permit ip any any
R2(config-if)# ip access-group 190 in
Trin00 is a distributed SYN DoS attack. The attack method is a UDP flood. The Trin00 attack sets up communications between clients, handlers, and agents using these ports

DoS Attack Mitigation: Trinity v3

R2(config)# access-list 190 deny tcp any any eq 33270 log
R2(config)# access-list 190 deny tcp any any eq 6667 log
R2(config)# access-list 190 permit ip any any
R2(config-if)# ip access-group 190 in
Trinity is capable of launching several types of flooding attacks on a victim site, including UDP, fragment, SYN, RST, ACK, and other floods. Trinity communicates from the handler or intruder to the agent using IRC or ICQ from AOL. Trinity appears to primarily use...

Defending Your Network with Cisco IOS IPS

- Regular expression string pattern matching: Enables the creation of string patterns using regular expressions
- Enables the sensor to take an action when the signature is triggered
- Enables the sensor to aggregate alarms, to limit the number of times an alarm is sent when the signature is triggered
- Enables a signature to be tuned to perform optimally in a network
- Enables a signature to defeat evasive techniques used by an attacker

DHCP Snooping

DHCP snooping allows the configuration of ports as trusted or untrusted.
- Trusted ports can send DHCP requests and acknowledgements.
- Untrusted ports can forward only DHCP requests.
DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP...

Digital certificates

Digital certificates scale better than unique preshared keys because they allow any device to authenticate to any other device, but digital certificates do not have the security properties of wildcard keys. Digital certificates are not tied to IP addresses; instead, they are tied to unique, signed information on the device that is validated by the certificate authority (CA) of the enterprise. Consider using digital certificates if the size of the VPN grows beyond 20 devices, or sooner if there...

Disadvantages

- Do not filter fragmented packets well
- Complex ACLs are difficult to implement and maintain correctly
- Cannot filter certain services
Packet filter firewalls (or packet filters) use a simple policy table lookup based on source IP, destination IP, source port, destination port, and SYN-seen (yes/no) permit or deny rule sets. The firewalls are extremely fast because they do little computation. The rules are extremely easy to implement because they require little security expertise. Router manufacturers...

Do not change the SA lifetimes or enable PFS unless the sensitivity of the data mandates it

IPsec provides numerous security features. Here are IPsec best practices:
- Cisco highly recommends using both encryption and integrity.
- Cisco recommends that you do not use DES for data encryption. Cisco recommends the use of 3DES.
- Cisco recommends the use of Secure Hash Algorithm (SHA) because the increased security outweighs the slight cost of increased processor use. SHA is sometimes faster than Message Digest 5 (MD5) in certain hardware implementations.
Note: The use of strong encryption...

Do not use enable secret passwords for anything else on the switch

Use these guidelines for creating a strong password:
- Passwords should be at least 10 characters long and not based on words.
- Include at least one character from each of the sets of letters, numbers, and special characters. Special characters include the following.
- Do not use a number for the first character of the password.
The U.S. National Security Agency (NSA) recommends that administrators ensure that these policies are implemented:
- Change passwords at least once every 90 days
- Use a unique...

Domino Effect

Figure: If one layer is hacked, communications are compromised without the other layers
Security is only as strong as your weakest link. When it comes to networking, Layer 2 can be a very weak link. Layer 2 is the data link layer in the Open Systems Interconnection (OSI) model and is one of seven layers designed to work together but with autonomy. Layer 2 operates above the physical layer, but below the network and transport layers. Layer 2 independence...

Ensure that devices have the correct time of day

In site-to-site and remote-access VPNs today, it is important that devices are identified in a secure and manageable way. In remote-access VPNs, both user authentication and device authentication occur. When the remote device is authenticated, some level of access control needs to be in place to allow only permitted traffic over the tunnel. Device authentication uses either a preshared key or a digital certificate to provide the identity of a device. The list that follows provides some best practices...

ESP and AH Header

Figure: ESP allows encryption and authenticates the original packet. AH authenticates the whole packet and does not allow encryption.
Here is a description of the two IP protocols used in the IPsec standard, the ESP and AH protocols: The ESP header (IP protocol 50) forms the core of the IPsec protocol. The ESP protocol used in conjunction with an encryption method or transform set makes the data flow difficult to decrypt. The diagram shows how the ESP protocol protects the data portion of the packet...

Evolution of WLAN Security

Figure: Strong, user-based authentication (e.g., LEAP, PEAP, EAP-FAST); identify and protect against attacks, DoS
WLANs, which were at one time openly accessible, now have an array of security options available that can make them very secure. The language used to describe this array of security options can be confusing. For example, what is the difference between WEP and Wi-Fi Protected Access (WPA)? Or perhaps your company has a WLAN and you connect through Cisco Lightweight Extensible Authentication...

Examining Signature Micro Engine and SDF Build Failures

Figure: Signature micro-engine build failure; unsupported signature or signature parameter
There are times when a signature micro-engine build fails. The signature micro-engine can fail for reasons such as attempting to load a corrupted SDF file or exceeding the memory limitations of the router. The Signature Micro-Engine Failure Types table lists types of SDF and signature micro-engine failures, the default sensor responses, and a description of suggested responses and...

Example: You can prevent internal defacing of a web page by choosing HTTP > Header Options to block PUT commands and send

As an alternative to accepting the SDM default settings, click the Action button (Add, Delete, Clone) and create your own custom policies. You simply need to clone the policy and save it under a new name. The example shown in the figure refers to a policy that prevents defacing a web page by internal users. Choose HTTP > Header Options to make the changes. Click the Apply Changes button to complete this task.

Execution space

The CSA can be installed, configured, and online with default policies quickly, and it allows easy configuration of custom policies. The CSA eases administration because there is no need for a constant review of logs; the CSA proactive defense approach minimizes the need for constant administrator involvement. There are no updates, and the CSA is always analyzing and interpreting traffic flows for malicious activity. When there...

Features and uses are as follows

- Typically used for site-to-site VPNs
- Restricts access to network resources
- Implemented at the physical perimeter between the customer intranet and the intranet of the other company
- Determines whether traffic crossing in either direction is authorized
- Contains limited intrusion detection system capability
- Provides a dedicated hardware appliance
- Has little or no impact on network performance
Globally networked businesses rely on their networks to communicate with employees, customers, partners, and...

Filtering ICMP Messages Outbound

E0 1 Remote Access LAN 16.2.1.0 24 16.2.1.1 e0 1 Remote Access LAN 16.2.1.0 24 16.2.1.1 These ICMP messages are required for proper network operation and you should allow them outbound Echo Allows users to ping external hosts Parameter problem Informs the host of packet header problems Packet too big Required for packet maximum transmission unit (MTU) discovery Source quench Throttles down traffic when necessary As a rule, you should block all other ICMP message types outbound. The ACL shown in...

Filtering UDP Traceroute Messages

Figure: e0/1, Remote Access LAN 16.2.1.0/24, 16.2.1.1
R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# access-list 120 permit ip any any
R2(config-if)# ip access-group 120 in
R2(config)# access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
R2(config)# interface e0/1
R2(config-if)# ip access-group 121 in
R2(config-if)# end
R2(config)# interface e0/0
R2(config-if)# ip access-group 121 out
R2(config-if)# end
The traceroute feature uses some of the ICMP message types to...

Functionality

Cisco PIX 500 Series Security Appliances scale to meet a range of requirements and network sizes and currently consist of these five models: The Cisco PIX 501 Security Appliance has an integrated 10/100BASE-T Ethernet port (100BASE-T option available in Cisco IOS Release 6.3) and an integrated four-port 10/100 switch. The Cisco PIX 506E Security Appliance has dual integrated 10/100BASE-T Ethernet ports (100BASE-T option available in Cisco IOS Release 6.3 for the Cisco PIX 506E Security...

Guideline 1: Base your ACLs on your security policy

Unless you anchor the ACL in a comprehensive security policy, you cannot be certain that it will effectively control access in the way that access needs to be controlled.
Guideline 2: Write it out
Never sit down at a router and start to develop an ACL without first spending some time in design. The best ACL developers suggest that you write out a list of things that you want the ACL to accomplish. Starting with something as simple as "This ACL must block all Simple Network Management Protocol (SNMP) access to the router...

H

In this step in configuring the site-to-site IPsec VPN, the cryptographic map is applied to the outgoing interface of the VPN tunnel. Configure the routing information needed to send packets into the tunnel. All IP traffic passing through the interface where the cryptographic map is applied is evaluated against the applied cryptographic map set. If a cryptographic map entry sees outbound IP traffic that should be protected and the cryptographic map specifies the use of IKE, an SA is negotiated...

HIPS and Network IPS Monitoring

Figure: Application-level encryption protection; policy enhancement (resource control); web application protection; buffer overflow; network attack and reconnaissance prevention; DoS prevention
The figure shows the range of features of a blended HIPS and network IPS implementation. HIPS and network IPS implementations complement one another. A host-based monitoring system examines information at the local host or operating system. Network-based monitoring systems examine packets that are traveling through...

HIPS is behavior-based

Recall that HIPS operates by detecting attacks occurring on a host on which it is installed. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity. HIPS uses rules based on a combination of known attack signatures and a detailed knowledge of the operating system and specific applications running on the host. These...

Host B

1. Host A sends interesting traffic to Host B.
2. Routers A and B negotiate an IKE Phase 1 session.
3. Routers A and B negotiate an IKE Phase 2 session.
4. Information is exchanged via the IPsec tunnel.
IPsec VPN negotiation can be broken down into five steps, including Phase 1 and Phase 2 of IKE:
Step 1 An IPsec tunnel is initiated by interesting traffic when host A sends interesting traffic to host B. Traffic is considered interesting when it travels between the IPsec peers.
Step 2 In IKE Phase 1, the...

Identity Based Networking Services

With Cisco enhancements, the network grants privileges based on user login information, regardless of the user location or device. The benefits of IBNS are as follows:
- Allows different people to use the same PC and have different capabilities
- Ensures that users get only their designated privileges, no matter how they are logged into the network
Otherwise, there is no way to control who gets on the network and where they can go. Using 802.1x with Cisco enhancements allows you to limit access...

IDS and IPS Operational Differences

The figure shows a sensor deployed in IDS mode and a sensor deployed in IPS mode. In Step 1, an attack is launched on a network with a sensor deployed in IDS mode and the Cisco switch sends copies of all packets to the IDS sensor (configured in promiscuous mode) to analyze the packets. At the same time, the target machine experiences the malicious attack. In Step 2, the IDS sensor, using a signature, matches the malicious traffic to the signature and, in this example, sends the switch a command...

IDS and IPS technologies look for these patterns of misuse

IDS and IPS technologies share these characteristics:
- IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of these devices:
  - A router configured with Cisco IPS
  - An appliance specifically designed to provide dedicated IDS or IPS services
  - A network module installed in an adaptive security appliance, switch, or router
- IDS and IPS technologies typically monitor for malicious activities in these two spots:
  - Malicious activity is monitored at the network, detecting attacks...

IKE Communication Negotiation Phases

IKE uses these phases to secure a communication channel between two peers:
- IKE Phase 1: Transform sets, hash methods, and other parameters are determined.
- IKE Phase 1.5 (optional): The XAUTH protocol can be used to provide user authentication of IPsec tunnels within the IKE protocol, giving additional authentication of the VPN clients.
- IKE Phase 2: SAs are negotiated by ISAKMP, where quick mode is used. In this phase, the IPsec SAs are unidirectional.
To establish a secure communication channel...

Importing Signature Definition Files

This series of screen captures shows how to update the IPS signatures with the latest SDF. To update an SDF from a PC, follow these steps:
Step 1 Navigate to the Edit IPS > Signatures form, click the Import menu button, and choose the From PC menu item.
Step 2 The Import...

Info

In the sample PKI message exchange in the figure, when two people (Alice and Bob) want to engage in secure communications using PKI, they must obtain a CA-signed certificate. This is how the enrollment occurs between Alice, the CA, and Bob:
Step 1 Alice generates an RSA key pair and requests the CA public key.
Step 2 The CA sends its public key to Alice.
Step 3 Alice generates a certificate request and forwards it to the CA (or the RA, if applicable). The CA receives the certificate enrollment...

Insecure Channel

For message authentication and integrity checking, the IPsec protocol uses a Hashed Message Authentication Code (HMAC). HMAC can be used with any iterative cryptographic hash function in combination with a secret shared key. Examples of an iterative cryptographic hash function include Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). The cryptographic strength of HMAC depends on the properties of the underlying hash function. However, HMAC also uses a secret key for calculation and...

Inspection rules allow returning traffic that would otherwise be blocked

- Choose the rule name from the Inspection Rule Name list. The inspection rule entries appear in a separate dialog box.
- Choose the rule name from the Inspection Rule Name list and click Edit. Then edit the rule in the Inspection Rule Information window.
- Choose the rule name from the Inspection Rule Name list, click New, and create the rule in the Inspection Rule Information window.
Access rules in the firewall may deny return traffic on sessions started inside the firewall because of the type of...

Integrates smoothly into existing network infrastructure

These attributes describe the primary benefits of the Cisco IOS IPS solution Cisco IOS IPS uses the underlying routing infrastructure to provide an additional layer of security with investment protection. Because Cisco IOS IPS is in line and supported on a broad range of routing platforms, attacks can be effectively mitigated to deny malicious traffic from both inside and outside the network. When used in combination with Cisco IDS, Cisco IOS Firewall, virtual private network (VPN), and Network...

Integrates with the Cisco Trust Agent

Here are the key features of the CSA:
- CSA provides protection in real time before attacks have a chance to enter the network.
- Real-time correlation at the CSA level and at the enterprise level reduces false positives and allows the CSA to adapt to new threats across an enterprise.
Here is a description of the CSA enterprise-level features:
- A CSA can scan a network over multiple systems within a configured time period, creating logs during significant events.
- When a CSA discovers a worm event on...

Interim Phase: WPA

- WPA introduced in late 2003
- Prestandard implementation of IEEE 802.11i WLAN security
- Addresses currently known security problems with WEP
- Allows software upgrade on already deployed 802.11 equipment to improve security
- Authenticated key management using 802.1x EAP authentication, and preshared key authentication
- Unicast and broadcast key management
- Standardized TKIP per-packet keying and Message Integrity Check protocol
- Initialization vector space expansion: 48-bit initialization vectors...

Introducing IDS and IPS

- Distract and confuse attackers
- Slow down and avert attacks
- Traffic profile must be constant
Q5) The summary should touch on these points: HIPS operates by detecting attacks occurring on a host that it is installed on. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity. Network IPS involves the deployment of...

Introducing IDS and IPS (Cont.)

- An alarm is triggered by normal traffic or a benign action.
- A signature is not fired when offending traffic is detected.
- A signature is correctly fired when offending traffic is detected and an alarm is generated.
- A signature is not fired when nonoffending traffic is captured and analyzed.
Q8) The figure identifies and describes the enhanced Cisco IOS IPS signature features.

Introducing the Cisco SDM VPN Wizard Interface

Figure: 1. Enter the configuration page. 3. Choose the desired VPN wizard (VPN type). 4. Choose the VPN implementation subtype.
To select and start a VPN wizard, follow these steps:
Step 1 Click the Configure icon in the top horizontal navigation bar to enter the configuration page.
Step 2 Click the VPN icon in the left vertical navigation bar to open the VPN page.
Step 3 Choose the Site to...

Introducing the Cisco Security Appliance Product Family

This topic describes the main components of the Cisco security appliance product family. The Cisco security appliance family includes these products:
- Cisco IOS Firewall: The Cisco IOS Firewall provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. The Cisco IOS Firewall is available for a wide range of Cisco IOS software-based routers and offers sophisticated security and policy enforcement for connections within an organization (intranet)...

Introducing WLANs

This topic describes basic 802.11 architecture and components.
Wireless LAN (WLAN) as an Extension to a Wired LAN
Wired LANs require that users be located in one place and stay there. WLANs are an extension to the wired LAN network. WLANs can be an overlay to or a substitute for traditional wired LAN networks. WLANs provide mobile users with these features: Free movement around a...

IPS Signature Characteristics (Cont.)

There are four types of signatures. The type of signature used depends on these factors. The number of signatures available depends on the IPS sensor platform type. Here are the four categories of signatures:
- Exploit: Exploit-specific signatures seek to identify network activity or upper-layer protocol transactions that are unique to a specific exploit or attack tool. Consequently, each new exploit may require its own signature. Because a successful exploit can be created by slightly modifying the...

Psec Differences

- Use of radio frequency introduces country-specific regulations
- Radio-frequency physical layer introduces privacy and connectivity issues
- Both WLAN and LAN devices operate at Layer 2.
The basic similarities between the WLAN and the LAN are as follows: A WLAN is an 802 LAN. WLAN technology and the WLAN industry date back to the mid-1980s when the U.S. Federal Communications Commission (FCC) first made the radio frequency (RF) spectrum available to industry. Early WLAN technologies were expensive,...

IPsec transform set

The Cisco SDM Easy VPN Server Wizard guides the administrator through a set of steps that include the configuration of these parameters:
- Choosing the interface on which to terminate IPsec tunnels
- Setting these IKE policies: Hashed Message Authentication Code (HMAC)
- Choosing the IPsec transform set (that is, encryption algorithm, HMAC, and operation mode)
- Choosing local, RADIUS, or TACACS+ for the group policy lookup method
- Choosing the local or RADIUS user authentication method
- Setting the local...