AAA Servers

In many circumstances, AAA uses security protocols to administer its security functions. If your router, concentrator, or even PIX is acting as a NAS, AAA is the means through which you establish communication between your NAS and your TACACS+, RADIUS, or Kerberos security server. Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password pairing. This section...

Access Lists

On a router, access lists are used as packet filters to decide which packets can go across a certain interface. Packets that are allowed on an interface are called permitted packets, and packets that are not allowed are called denied packets. Access lists can consist of one or more statements that determine what data is permitted and denied on an interface. The statements are known as Access Control Entries (ACEs). It is important to use well-written access lists to restrict access because Cisco...

Accounting

Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. More specifically, administrators can track which user logged in to which router, which Cisco IOS commands a user issued, and how many bytes were transferred during a user's session. Accounting information can be collected by a router or by a remote security server. For simplicity's sake, the output of the router command is displayed. The...

Acknowledgments

This book is the result of the efforts and dedication of many people. First, thanks to Brett Bartow, executive editor, for his dedication and guidance and lots of patience with us during the development of this book. Chris Cleveland, thank you for your wonderful insight with special attention to detail, which significantly improved this book. Betsey Henkels, thank you for completing all our chapters with your wonderful touches. Your editing ability really astounded us, and without you, this...

Active Response: Shunning or Blocking

After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station. The network IDS can shut the attacker out of the network, usually by setting access control rules on a border device such as a router or firewall. Figure 10-14 illustrates the IP blocking capability of the network IDSs. Figure 10-14. Network-Based IDS Active Response (Shunning or Blocking) In Figure 10-14, the sensor...

Active Response: TCP Resets

After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station. The network IDS may terminate the Layer 4 session by sending a TCP RST packet to the attacked server and the host. Figure 10-13 illustrates the TCP reset capability of the network IDSs. Figure 10-13. Network-Based IDS Active Response (TCP Response) The TCP Reset is initiated from the data-capturing port to both the server and...

Address Resolution Protocol Spoofing

The Address Resolution Protocol (ARP) provides a mechanism to resolve, or map, a known IP address to a MAC sublayer address. In Figure 2-, two hosts are attempting to start a conversation across a multiaccess medium such as Ethernet. Host A wants to initiate the conversation with Host B but requires both the IP address and the MAC address. During the conversation setup, Host A is aware only of Host B's IP address, 132.12.25.2. To determine a destination MAC address for a datagram, the ARP cache...

Administrative Access

This section describes how to configure secure administrative access to Cisco routers. Configuring this access is an extremely important security task. Otherwise, an unauthorized person could alter the routing parameters, change access lists, and gain access to other systems in the network. To perform basic router configuration tasks, access via a console is required. A console is a terminal that is connected to a router console port and can be either a dumb terminal or a PC running terminal...

AES

For a number of years, specialists have recognized that DES would eventually reach the end of its useful life. In 1997, the AES initiative was announced, and the public was invited to propose candidate encryption schemes, one of which could be chosen as the encryption standard to replace DES. On October 2, 2000, the U.S. National Institute of Standards and Technology (NIST) announced the selection of the Rijndael cipher as the AES algorithm. This cipher, developed by Joan Daemen and Vincent...

Anomaly-Based IDS

The anomaly-based IDS looks for traffic that deviates from the normal, but the definition of what is a normal network traffic pattern is the tricky part. Once the definition is in place, the anomaly-based IDS can monitor the system or network and trigger an alarm if an event outside known normal behavior is detected. An example of abnormal behavior is the detection of specific data packets (routing updates) that originate from a user device rather than from a network router. This technique is...

Antivirus Software

A computer virus can be best described as a small program or piece of code that penetrates into the operating system, causing unexpected and negative events to occur. A well-known example is the SoBig virus. Computer viruses reside in the active memory of the host and try to duplicate themselves by different means. This duplication mechanism can vary from copying files and broadcasting data on local-area network (LAN) segments to sending copies via e-mail or an Internet relay chat (IRC)....

Appendix A: SAFE Blueprint

Cisco has developed a design guideline called the SAFE blueprint. This appendix introduces the SAFE blueprint and supplies an overview of its architecture. Much of the material in this appendix is quoted directly from the relevant websites that are listed at the end of the appendix. The principal goal of the Cisco secure blueprint is to provide best-practice information to interested parties on designing and implementing secure networks. This blueprint serves as a guide to network designers...

Appendix B: SANS Policies

This appendix briefly introduces the SANS Institute, what it is and what it does. The appendix also explains the Security Policy Project and gives examples of security policies. Much of the material of this appendix is quoted directly from the SANS Institute website. The SANS Institute was established in 1989 as a cooperative research and education organization. SysAdmin, Audit, Network, and Security (SANS) is by far the largest source for information on security training and certification in...

Auditing and Analyzing an Existing Network

Network audit tools help you to generate specific reports on certain parts of your network and to analyze how these segments of the network are performing. The network audit process should provide detailed recommendations to address the challenges, opportunities, and problems identified in the audit. The audit also helps the network-engineering team proactively identify and resolve potential network troubles before major problems are encountered. Following is a list of reports that are often...

Authorization

Authorization is the second step in the AAA process. Authorization allows administrators to control the level of access users have after they have successfully gained access to a device. For the sake of simplicity, this section focuses on accessing a router. Cisco IOS allows certain access levels (also called privilege levels) that control which Cisco IOS commands the user can issue. These levels range from 0 to 15. For example, a user with a privilege level of 0 cannot issue any Cisco IOS...

Basic Router Security

If you talk about basic router security, you discuss how to protect the router itself from being accessed by unauthorized persons. For example, a router could be configured to protect the network behind it, but an intruder could access the router easily because of the weak passwords that were used or some services the administrator forgot to turn off. In this case, the network behind that router is no longer safe because the intruder can easily change the router's configuration to gain access...

Biometrics

Biometrics is the science of measuring a unique physical characteristic about an individual as an identification mechanism. A number of widely used biometric technologies and techniques exist. These techniques are deployed in new network design to secure the network environment even better. The most common biometric technologies are fingerprint scanning and voice recognition. This section briefly touches on other technologies such as face recognition (iris and retina), typing biometrics, and...

Browsers

We all use browsers these days, and most of us run third-party plug-ins. This is not necessarily dangerous, but it is always better to keep in mind that malicious people can write plug-ins, too. The most popular scripting languages used for writing plug-ins today are the following: Be very careful when installing plug-ins, just as you should be when downloading any software program from the Internet.

Security Zones

Because most people using the Internet today use Microsoft Internet Explorer to...

Buffer Overflow Mechanisms

Buffer overflow vulnerabilities exist in different types. But the overall goal for all buffer overflow attacks is to take over the control of a privileged program and, if possible, the host. The attacker has two tasks to achieve this goal. First, the dirty code needs to be available in the program's code address space. Second, the privileged program should jump to that particular part of the code, which ensures that the proper parameters are loaded into memory. The program code, or shell code,...

Case Study

The case study of this chapter gives you an example of how you can tighten the security of an operating system. Imagine that you have bought a new web server. All users logged in to that web server have Full Control over that system. To change this, you need to create two additional groups. One is used to authorize the web users, and the other is for web developers. To create these groups, you need to open the Computer Management window. In that window, select Users and Groups, as shown in...

Case Study: Adding Wireless Solutions to a Secure Network

This case study covers the placement and configuration of a wireless access point in a real scenario. The setup and configuration of the wireless stations are covered, and there are screenshots of both the access point and the station. Figure 14-11 illustrates the Company XYZ network diagram for this scenario. Figure 14-11. Company XYZ Top-Level Network Layout The CIO of Company XYZ has decided to integrate wireless technology throughout the...

Case Study: Configuring Secure Remote Access

The remote access case study covers the configuration of the AAA server (CiscoSecure ACS) in a real scenario. The setup and configuration of a corporate router are covered using some screenshots of the AAA server. Figure 11-9 illustrates the network diagram of Company XYZ for this scenario. Figure 11-9. Company XYZ Top-Level Network Layout

Case Study: Remote Access VPN

This case study translates some of the material covered in this chapter into a real-life scenario. The same Company XYZ is used for this scenario as in previous chapters, and the topology of that company is shown in Figure 12-15. The whole topology from Figure 12-15 is not used in this scenario, only a small part. The part that is useful for this case study is shown in Figure 12-16. In Figure 12-16, you can see a telecommuter who is connecting to the corporate backbone via a VPN client on a PC....

Network Security Overview

On completing this chapter, you will be able to:
  Define trust both in general terms and in terms of network resources
  Differentiate between the internal and external weaknesses and vulnerabilities of your security system
  Explain the difference between a hacker and a cracker
  Describe how responsibility for network security is commonly delegated within an organization
  Explain the CIA security model
  List some typical costs related to a network security system

With the rapid growth of interest in...

Intrusion Detection System Concepts

On completing this chapter, you will be able to:
  Explain the main differences between the various IDSs
  Describe host-based IDSs in detail
  Describe network-based IDSs in detail
  Explain how IDS management communication works
  Explain how IDS maintenance works

This chapter builds on the introductory discussions of intrusion detection systems (IDSs) presented in Chapter 3, Understanding Defenses. This chapter delves into IDS concepts, uses, applications, and limitations. After the introduction to...

Remote Access

On completing this chapter, you will be able to:
  Describe various AAA servers
  Explain how the lock-and-key feature works
  Describe two-factor identification

This chapter describes how to configure, test, and use remote access techniques. The overall goal of remote access is to grant trusted access for telecommuters, salespeople, and road warriors to the corporate network over an untrusted network such as the Internet. The concluding case study is a practical example of how organizations can...

Virtual Private Networks

On completing this chapter, you will be able to:
  Describe the difference between transport mode and tunnel mode
  Understand the difference between ESP and AH
  Describe antireplay protection

A virtual private network (VPN) is a service that offers a secure, reliable connection over a shared public infrastructure such as the Internet. Cisco defines a VPN as an encrypted connection between private networks over a public network. To date, there are three types of VPNs: The remote access VPN solution is...

Public Key Infrastructure

On completing this chapter, you will be able to:
  Describe the exchange of keys in a PKI
  Explain the concept of a trusted third party
  Compare the topologies of hierarchical and cross-certified CAs
  Outline the procedure of adding a PKI user to a PKI
  Describe the function of a certificate revocation list

This chapter provides an overview of the Public Key Infrastructure (PKI) technologies that are widely used in today's computing and networking. PKI can be used as a framework for security services...

Wireless Security

On completing this chapter, you will be able to:
  Explain the different WLAN configurations
  Describe the risks of open wireless ports
  Describe SAFE WLAN design techniques

This chapter covers wireless security: what it is, how it works, how it is configured, what threatens it, and what policies can be designed to secure it. Wireless networking has limitations, involves some risks, and requires defense techniques, as you learn in this chapter. All network architectures, including the wireless...

Logging and Auditing

On completing this chapter, you will be able to:
  Describe the different tools available for logging and auditing
  Explain how to configure SNMP
  Define a Service Assurance Agent (SAA)

This chapter presents a brief overview of some of the logging and auditing tools that are available today. Tools and protocols such as SYSLOG, SNMP, RMON, and SAA may sound foreign to you for the moment, but they will hold no secrets by the end of this chapter. If you have a large or midsize network, it is always...

Understanding Vulnerabilities: The Need for Security

On completing this chapter, you will be able to:
  Explain the weaknesses of the TCP/IP protocol suite
  Describe various types of attacks that exploit weaknesses in the TCP/IP protocol suite
  Explain how attackers cause buffers to overflow
  Describe how attackers use spoofing techniques
  State how attackers use social engineering techniques to capture passwords

On completing this chapter, you will better understand what makes computer systems inherently weak. The chapter covers various vulnerabilities...

Understanding Defenses

On completing this chapter, you will be able to:
  Explain how digital IDs can protect a network
  Describe intrusion protection and intrusion prevention techniques
  Explain how PC card-based solutions can counter network weaknesses
  Explain how different encryption techniques protect a network environment
  Describe physical security of a site that uses access control and biometric techniques
  Explain how antivirus software is used
  List the basic functions of a firewall

Immense numbers of tools,...

Cryptography

On completing this chapter, you will be able to:
  Present a brief history of cryptography
  Describe the difference between symmetric and asymmetric algorithms
  Explain how DES, 3DES, and AES work
  Describe how hashing algorithms are built

This chapter covers some basic building blocks you need to understand before moving on to more complex security technologies. All secure communication these days relies on cryptography. After a brief history of cryptography, the chapter presents a closer look at...

Security Policies

On completing this chapter, you will be able to:
  Explain the purpose of a security policy
  Write your own security policies
  Describe the importance of a security policy

If a company wants to adequately protect its network, it must implement a security policy. It is important to establish a good balance between the level of security and the ability of users to get to the information they need. The most secure PC is the one that is not connected to a network, but the problem with this approach is...

Secure Design

On completing this chapter, you will be able to:
  Explain network design principles
  Explain network design methodology
  Describe Return On Investment in regard to network design
  Explain physical security issues
  Describe the strategy of defense in depth

The goal of network security is to protect networks (including equipment, servers, content, and applications) against attacks, with the intent of ensuring data and system availability, confidentiality, and integrity. This chapter briefly covers the...

Q&A

1. What is the difference between a right and a permission?
A1: A right applies to actions that involve accessing the resources of the operating system itself, such as shutting down the system. A permission applies to accessing the file system's resources, such as reading and writing files.
2. What can be done on a web server to make it more secure against intruders?
A2: Six options make a web server more secure: Remove or disable unnecessary services.
3. What is DAC?
A3: ...

Web Security

On completing this chapter, you will be able to:
  Explain how to harden your file system
  Describe how to restrict access on a web server
  List the steps necessary to log on to a web server
  Describe the four types of security zones

Is web security a worrisome topic? You bet it is. The many things to worry about include security risks to the operating systems, risks to the web servers, and even blunders by innocent users of web browsers. There are also access problems: who is authorized to access...

Router Security

On completing this chapter, you will be able to:
  Explain the weaknesses of a router
  Use and configure access lists
  Describe Context-Based Access Control (CBAC)

This chapter covers router security, a subject that spans a broad spectrum in networking: not only protection of the network, but also basic router security such as administrative access and services. The chapter also discusses advanced techniques such as Context-Based Access Control (CBAC). The case study at the end of the chapter is...

Firewalls

On completing this chapter, you will be able to:
  Explain the basics of firewalls
  Describe the different types of firewalls
  Describe some firewall enhancements
  Explain firewall placement in a network

This chapter covers a variety of types of firewalls, including devices such as PIX, software solutions such as Check Point, and personal firewalls. The chapter defines firewalls and explores their purpose and use in today's large-scale IP-based networks, where attacks can occur from within and from...

Check Point Software Firewalls

Although most hardware firewalls provide effective access control, many are not designed to detect and thwart attacks specifically targeted at the application level. Tackling these types of attacks is most effective with software firewalls. Check Point is a major vendor in the software firewall marketplace today. Software firewalls allow networks and, more specifically, network applications to be protected from untrusted sources such as the Internet. The fact that millions, if not billions, of...

Cisco Secure Agent

The Cisco Secure Agent is a software package that runs on each individual server or workstation to protect these hosts against attacks. The Cisco IDS sensor (based on Entercept Security technology) provides real-time analysis and reaction to intrusion attempts. The host sensor processes and analyzes each and every request to the operating system and application programming interface (API) and proactively protects the host if necessary. The next generation Cisco Secure Agents (based on Okena's...

Cisco Secure Agent Manager

The Cisco Secure Agent Manager is responsible for managing the Cisco Secure Agent and communication with the agent. The Cisco Secure Agent Manager provides all management functions for all agents in a centralized manner. It also has components that notify security personnel in case of an attack and that generate reports. This management session should use data encryption technologies to be robust, private, and secure. The Cisco Secure Agent Manager has three main components: the graphical user...

Cisco Systems

Figure 14-15 shows the link status meter. [Figure 14-15 screenshot: link status meter showing signal quality, link quality to the access point, the station's IP address, and its MAC address] At the bottom of the screen shown in Figure 14-15, notice that the signal strength and signal quality are excellent. Furthermore, Host 1 is associated with access point 192.168.0.4, which is the branch office access point. Figure 14-16 gives the overall status of the wireless...

Closing a Connection by FIN

These types of attacks can be best described as connection-killing attacks. In normal operation, the sender sets the TCP FIN flag indicating that no more data will be transmitted and the connection can be closed down. This is a four-way handshake mechanism, with both sender and receiver expected to send an acknowledgement on a received FIN packet. During an attack that is trying to kill connections, a spoofed FIN packet is constructed. This packet also has the correct sequence number, so the...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference. The Command Reference describes these conventions as follows:
  Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
  Italics indicate arguments for which you supply actual values....

Conclusion

Network security is an important concern that must be seriously deliberated. This chapter explained digital IDs and how they can protect the network. Intrusion protection and intrusion prevention techniques, as well as PC card-based solutions, can counter weaknesses, and different encryption techniques can protect the network environment. Physical security of the site can be achieved using access control and biometric techniques. Antivirus software and firewalls are other technologies used to...

Configure SNMP Server Users

To configure a new user to an SNMP group, use the following command in global configuration mode:

Router(config)# snmp-server user username group-name [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]

To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID using the command snmp-server...

Content Filters

With content filtering (also known as URL filtering), an organization designs a policy defining which websites are permitted to be accessed by local resources and which are not. Content filters can monitor, manage, and provide restricted access to the Internet. This means that employees do not tie up valuable and expensive WAN connections to the Internet for nonbusiness matters. You might, for example, allow access to www.cisco.com but deny employees access to music websites that permit large...

Cookies

As you might already know, HTTP is a stateless protocol. Every time you visit a website, it looks as if that visit to the website is your first because HTTP does not keep track of your web history. To simulate a stateful environment, the HTTP protocol includes features such as cookies. There are two types of cookies:
  Session cookie: This cookie is created to keep track of what you buy when, for example, you visit an e-commerce website where you use a shopping cart. After you check out from that...

Copyright

Cisco Press logo is a trademark of Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the...

Countermeasures

As a network administrator, it is important to understand the vulnerabilities that exist in your network in order to implement effective countermeasures. TCP/IP vulnerabilities are nothing new, but the number of TCP/IP attacks is increasing considerably with the growth of the Internet. Subsequent chapters in this book refer to these TCP/IP vulnerability issues, and more prevention and protection methods are discussed.

Create or Modify Access Control for an SNMP Community

To define the relationship between an SNMP manager and the agent, you have to use an SNMP community string. The string acts like a password to get access to the agent on the router. You can configure some optional parameters such as the following:
  An access list of the SNMP managers that are permitted to use the community string to gain access
  Read and write or read-only access
The command to configure all this in global configuration mode is as follows:

Router(config)# snmp-server community...

Credits

Editorial Assistant Cover Designer Composition Indexer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA 800 553-NETS (6387) Fax 408 526-4100 Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel 408 526-7660 Fax 408 527-0883 Cisco Systems, Inc. Capital Tower 168 Robinson Road 22-01 to 29-01 Singapore 068912 www.cisco.com Tel +65 6317 7777 Fax +65 6317 7799 Cisco Systems has more than 200 offices in the following countries and regions....

Cryptography versus Cryptanalysis

Cryptanalysis is the flip side of cryptography. It is the science of cracking codes, decoding secrets, and in general, breaking cryptographic protocols. To design a robust encryption algorithm, one should use cryptanalysis to find and correct any weaknesses. The various techniques in cryptanalysis that attempt to compromise cryptosystems are called attacks. A cryptanalyst starts from the decoded message. The cryptanalyst then tries to get this message back into its original form without knowing...

Data Encryption Standard

The Data Encryption Standard (DES) has been the worldwide encryption standard for a long time. IBM developed DES in 1975, and it has held up remarkably well against years of cryptanalysis. DES is a symmetric encryption algorithm with a fixed key length of 56 bits. The algorithm is still good, but because of the short key length, it is susceptible to brute-force attacks that have sufficient resources. DES usually operates in block mode, whereby it encrypts data in 64-bit blocks. The same...

Dedications

I want to dedicate this book to my lovely wife, Isabelle, for her endless encouragement and support and for allowing me to spend the many weekends and the long nights that were required working on this project. To my friends, for their support during a challenging period of my life. I want to dedicate this book to all my friends and especially to my wife, Hilde, for her continuous support and encouragement during the course of this project. To my two lovely daughters, Julie and Elien, who make...

Defense in Depth

As the risks and challenges related to network security grow, organizations should take a systematic and multitiered approach to planning and deploying secure network infrastructures. Defense in depth is a practical strategy for achieving efficient security solutions by establishing multiple overlapping layers and countermeasures. This strategy ensures that even when an intruder or attacker is able to penetrate a company's network, other security systems (the second line of defense) detect and...

Defining a Security Policy

A security policy can be as simple as an acceptable use policy for the network resources, or it can be several hundred pages in length and detail every element of connectivity and associated policies. According to the Site Security Handbook (RFC 2196), "A security policy is a formal statement of rules by which people who are given access to an organization's technology and information assets must abide." It further states, "A security policy is essentially a document summarizing how the...

Defining Trust

What is trust in general terms? Before categorizing people and resources, trust must be defined. Trust is the likelihood that people will act the way you expect them to act. Trust is often based on past experiences. You could also say that trust can exist only between two individuals who know each other. You can never trust a total stranger, but you can start to trust one over a certain period of time. An exception to this rule exists in the context of networking. You might be willing to trust a...

Definitions

In this security policy, the following definitions apply:
  VPN concentrator: A device in which VPN connections are terminated. This device is sometimes also called the IPSec concentrator.
  InfoSec: A term used to refer to the team of people responsible for network and information security.
  Split tunneling: The term used to describe a multiple-branch networking path. A tunnel is split when some network traffic is sent to the VPN concentrator and other traffic is sent directly to the remote location...

Deploying Host-Based Intrusion Detection in the Network

The deployment of host-based IDSs throughout the organization's network requires a very well-thought-out design. A few design and deployment considerations are discussed in this section, but details on deploying host-based IDSs are far beyond the scope of this book. Based on what is defined in the organization's security policy, the network designer is responsible for identifying and deciding which systems to protect. A clear objective during the design phase is defining the different system...

Deploying Network-Based Intrusion Detection in the Network

Network IDSs are developed so that when deployment is carefully planned at designated network points, the network administrator or security personnel can monitor the data (network activity). When the monitoring takes place, the data is traveling only on the network. Therefore, the administrator has the opportunity to take proper action without needing to know what the exact target of the attack is because the IDS monitors the complete segment. A number of steps or tasks need to be considered...

Design Activities Tools and Techniques

During the network-design process, tools are available to facilitate some of the activities. Some of the activities supported by tools include network auditing, traffic analysis, and network simulation. The choice of tools is determined by the value of the network investment and the consequences of network failure. This section discusses some of the tools and techniques used in today's network-design process for auditing networks and analyzing and simulating network traffic. Having tools...

Design Phase

After completing the planning stage, you have enough information to develop a network design. If a network is already in place, use this phase to review and validate the network design as it is currently implemented. At this stage, you choose products, protocols, and features based on criteria defined in the planning stage. You develop network diagrams to illustrate what changes will occur in the network to achieve the desired results. The more detailed the network diagram and plan, the better...

Development Process

All sites should have a comprehensive security plan. This plan should be at a higher level than more specific policies such as the one discussed in the example at the end of this chapter. The security plan should be crafted as a framework of broad guidelines into which specific policies fit. It is important to have this framework in place so that individual policies are consistent with the overall site security architecture. Having a strong policy on corporate access from home but weak...

Different WLAN Configurations

As you will see in the case study at the end of the chapter, wireless network connectivity is not limited to corporate enterprise buildings. WLANs also offer connectivity outside the traditional office environment. Numerous wireless Internet service providers are appearing in airports (hotspots), trains, hotels, and conference and convention centers. As with most technologies, the early wireless networks were nonstandard, and only vendor-proprietary technologies existed. This caused...

Diffie-Hellman

Whitfield Diffie and Martin Hellman developed the Diffie-Hellman algorithm in 1976. Its security stems from the difficulty of calculating the discrete logarithms of huge numbers. The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. The protocol has two system parameters, p and g. They are both public and may be used by everybody. Parameter p is a prime number, and parameter g (usually called a generator) is an integer that is smaller than p,...

Digital Certificates

Key management is often considered the most difficult task in designing and implementing cryptographic systems. Businesses can simplify some of the deployment and management issues that are encountered with secured data communications by employing a Public Key Infrastructure (PKI). Because corporations often move security-sensitive communications across the Internet, an effective mechanism must be implemented to protect sensitive information from the threats presented on the Internet. The three...

Digital IDs

A digital identity, or digital ID, is a means of proving your identity or that you have been granted permission to access information on network devices or services. The system or method behind digital IDs is similar to nonelectronic means of identification. For instance, entering a private dancing club requires an ID check of a membership card to validate your claim to have the right to enter the venue. Using a photo ID on the card prevents others from abusing the card and impersonating valid...

Disaster Recovery Plans

Even for the most protected and secure areas, a decent disaster-recovery plan needs to be defined. A disaster-recovery plan spells out measures that limit losses that can be incurred by disasters such as hurricanes, floods, and electrical failure. Disaster-recovery plans also outline how business practices are to be resumed after disaster. The possibility of things going wrong needs to be addressed upfront. For instance, uninterruptible power supplies (UPSs) are the de facto standard for...

Domain Name Service Spoofing

Domain Name Service (DNS) is used by network clients that need the IP address of a remote system, given its name. The host sends a request including the remote system's name to a DNS server, and the DNS server responds with the corresponding IP address. DNS spoofing is the method whereby the hacker convinces the target machine that the system it wants to connect to is the cracker's machine. The cracker modifies some records so that name entries of hosts correspond to the attacker's IP...

Dynamic Access Lists

Dynamic access lists, also known as lock-and-key, create specific, temporary openings in response to user authentication. It is highly recommended to use a TACACS+ server for the authentication of the user. TACACS+ provides authentication, authorization, and accounting services and is discussed in more detail in Chapter 11. In the example illustrated in Figure 8-2, no TACACS+ server has been included for authentication for the sake of simplicity. Figure 8-2 shows a user connected to the...

Economic Constraints

Economic constraints play a major role for all network designers. Doing more with less is a common requirement, partially enabled by advances in semiconductor technology. Even when there is a mandate to achieve the best possible service at the lowest possible cost, there are design consequences. Common areas of design compromise for minimizing network acquisition and operations costs include wide area network (WAN) bandwidth, quality-of-service (QoS) guarantees, availability, security, and...

Encrypted Files

Another technique that can be used to protect and preserve the integrity of the data locally on your workstation is file encryption. The file encryption feature encrypts your data when it is written to the disk. This data encryption process happens on the fly when data is saved and goes unnoticed by the users. File encryption was introduced with the NT File System (NTFS) for Windows NT. Compared with FAT and FAT32, NTFS has a strong focus on security because the Encrypting File System (EFS) was one...

Enrollment Procedure

PKI enrollment is the procedure of adding a PKI user to the PKI. A PKI user can be a person, a router, a firewall, or any entity that will be a future certificate holder. The certificate enrollment procedure involves three steps:
Step 1. The user obtains the CA certificate with the CA's public key. This public key is used to verify the digital signature on other
Step 2. The user sends identity information and the public key to the CA.
Step 3. The CA authenticates the user, signs the submitted...

Evasion and Antievasion Techniques

Network IDSs have a fundamental problem whereby a skilled attacker can evade the detection mechanism by exploiting ambiguities in the traffic patterns, network topology, and the IDS architecture. Network IDS evasion enables the attacker to use techniques that challenge the detection mechanisms and therefore allow certain attacks to pass unnoticed. If the attacker suspects that a network IDS may be monitoring the network, he may start using alternative techniques to try and avoid detection. The...

Example 10-2 Campus Router1 Configuration

CampusRouter1# write terminal
Building configuration...
Current configuration : 1310 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CampusRouter1
logging queue-limit 100
enable password cisco
<snip>
interface FastEthernet0/0
 ip address 10.100.2.1 255.255.255.0
 duplex auto
 speed auto
ip address 168.17.40.1 255.255.255.0
encapsulation frame-relay
frame-relay lmi-type ansi
line con 0
 exec-timeout 0 0
 password cisco
 login
...

Example 11-1 AAA vs. Router Configured Without AAA

User Access Verification
Password: xxxxxxxx
nonAAA_router>
Trying AAA_router (10.1.1.1)...
Username: Gert
Password: xxxxxxxx
AAA_router>

As you can see in Example 11-1, the user must enter a valid username and password to access an AAA-configured Cisco router. Both username and password are set to Gert in this case. Typically, a database containing the valid usernames resides on a remote AAA server. Cisco IOS can also create a local database on the router, but this is not a scalable solution....

Example 11-2 Local AAA Database Configured on Cisco IOS Router

AAA_router(config)# username Gert password Gert
Building configuration...
Current configuration : 1391 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
logging queue-limit 100
enable password cisco
username Gert password 0 Gert
memory-size iomem 15
aaa new-model

Example 15-6 snmp-server Command Options

  chassis-id   String to uniquely identify this chassis
  community    Enable SNMP; set community string and access privs
  contact      Text for mib object sysContact
  enable       Enable SNMP Traps or Informs
  engineID     Configure a local or remote SNMPv3 engineID
  group        Define a User Security Model group
  host         Specify hosts to receive SNMP notifications
  ifindex      Enable ifindex persistence
  inform       Configure SNMP Informs options
  location     Text for mib object sysLocation
  manager      Modify SNMP manager parameters
  packetsize   ...

Example 15-3 PathEcho Entry

Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)# rtr 2
RouterB(config-rtr)# type pathEcho protocol ipIcmpEcho 10.1.1.1
RouterB(config-rtr)# frequency 10
RouterB(config-rtr)# lives-of-history-kept 2
RouterB(config-rtr)# buckets-of-history-kept 1
RouterB(config-rtr)# filter-for-history all

To execute this operation, the following commands must be used:
RouterB(config)# rtr schedule 2 start-time now life 25

This command indicates that operation 2 starts immediately and that it...

Example 15-5 show rtr history Command

Point by point History
Entry = Entry Number

All other commands can be found in the command reference at the following URL: r ffrprt3 frf017.htm. All commands referenced at that URL are specific to Cisco IOS version 12.2. The commands might be slightly different in another Cisco IOS version. This case study is, like all the other case studies, based on the topology of Company XYZ. This topology is shown in Figure 15-7.

Example 8-11 Example of Commands Needed for New Router Configuration

enable secret 5 $1$HOIZ$YAIIAwsD8Vo7rXAIUMf6D

The following are configuration changes made to secure the router:
Configure an enable secret.
Set a password for all lines (Con, Aux, VTY).
Turn on service password-encryption to prevent the passwords from being easily read in the configuration file.
Set the exec-timeout for all lines to 2 minutes. With this setting, after 2 minutes of inactivity, the connection is terminated.
Configure no ip domain-lookup to prevent the router from looking...

Example 8-2 VTY Configuration

Brussels# telnet 10.10.10.1
Trying 10.10.10.1 ... Open
[Connection to 10.10.10.1 closed by foreign host]
Brussels#

To configure a VTY password, the following commands can be used:
Tokyo(config)# line vty 0 4
Tokyo(config-line)# password cisco
Tokyo(config-line)# login

Notice that in the sample configuration, the passwords are configured for all the VTY lines as a whole. They can also be configured line by line, but that is not recommended. There is always a chance that you might forget to configure one...

Example 8-3 Configuration of All Passwords

Enter configuration commands, one per line.  End with CNTL/Z.

By default, an administrative interface stays active for 10 minutes after the last session activity. After that, the interface times out and logs out. It is recommended that you fine-tune these timers. They can be configured by using the exec-timeout command in line configuration mode for each of the line types used. You can specify how long a user can be inactive by the...

Example 8-5 Service Password Encryption

line con 0
 exec-timeout 0 0
 password 7 121A5519020A5951
 login
line aux 0
 exec-timeout 3 30
 password 7 094D5B5F09044247
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0210100A1B075A74
 login

Another useful feature that can be used is the banner. The banner does not protect the router from intruders, but by using it, you can warn intruders that the device is for authorized people only. To enter a banner in configuration mode, use the following command: banner {exec | incoming | login | motd}...

Example 8-6 Banner Configuration

Enter configuration commands, one per line.  End with CNTL/Z.
Brussels(config)# banner exec
Enter TEXT message.  End with the character ' '.
WARNING: You are connected to $(hostname) on the XYZ, Incorporated network
Brussels(config)# banner motd
Enter TEXT message.  End with the character ' '.
This is just a sample message
Brussels(config)# exit
Brussels#
Tokyo# telnet 10.10.10.2
Trying 10.10.10.2 ... Open
WARNING: You are connected to Brussels on the XYZ, Incorporated network
Brussels>

Example 8-7 Example Access List

Brussels(config)# access-list 1 permit 10.1.4.3
Brussels(config)# access-list 1 deny 10.1.0.0 0.0.255.255
Brussels(config)# access-list 1 permit 10.0.0.0 0.255.255.255

Network 10.0.0.0 is a class A address whose second octet specifies a subnet; the subnet mask is 255.255.0.0. The third and the fourth octets of the 10.0.0.0 address specify a particular host. The access list in Example 8-7 would accept one address from subnet 1 and reject all other addresses from that subnet. The last line indicates...

Example 8-9 Example of a Reflexive Access List

interface Serial0/0
 ip access-group incoming in
 ip access-group outgoing out
ip access-list extended outgoing
 permit tcp any any reflect tcptraffic
ip access-list extended incoming
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic

With this configuration, before any TCP session has been initiated, the show access-lists command displays the following:
Extended IP access list incoming
 permit eigrp any any
 deny icmp any any (26 matches)
 evaluate tcptraffic
Extended IP access list outgoing
 permit...

Example 9-2 show ip wccp Commands

WCCP Cache-Engine information:
    Web Cache ID:
    Protocol Version:
    State:
    Hash Allotment:
    Packets Redirected:
    Connect Time:                  4d19h
    10.10.10.254
WCCP Cache Engines Visible:
    10.10.10.3
WCCP Cache Engines NOT Visible:
    -none-
Global WCCP information:
    Router information:
        Router Identifier:
        Protocol Version:
    Service Identifier: web-cache
        Number of Cache Engines:
        Number of routers:
        Total Packets Redirected:
        Redirect access-list:
        Total Packets Denied Redirect:
        Total Packets Unassigned:
        Group access-list:
        Total Messages Denied...

Example 9-3 Content Engine Commands

ip address 10.10.10.3 255.255.255.0
exit
ip default-gateway 10.10.10.254
primary-interface FastEthernet 0/0
wccp router-list 1 10.10.10.254
wccp web-cache router-list-num 1
wccp version 2
rule action cache ttl days 30 pattern-list 1 protocol http
url-filter http good-sites-allow file local1/etc/goodurl.txt
url-filter http custom-message local1/msgs
no url-filter http websense allowmode enable
no url-filter http N2H2 allowmode enable
url-filter http good-sites-allow enable

The purpose of this...

Example 10-1 Campus Sensor1 System Configuration Screen

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S....

F

A byte is a sequence of 8 bits, which is often represented as a decimal number from 0 to 255. Bytes are used by computer systems to communicate with each other. Multiple bytes make up a data stream of information. Errors in a data stream are detected by a checksum, which is an arithmetic sum of a sequence of numbers. This section presents a brief overview of the IP and TCP protocol characteristics and then examines some of the TCP/IP weaknesses. Readers should not expect...

Face Recognition

Just as with other recognition techniques, face recognition uses certain parameters and characteristics to reveal an individual's identity. Since September 11, 2001, discussion on the subject of using biometrics has increased, specifically about face recognition at airports to identify known terrorists crossing borders. The U.S. Department of Defense is involved in the development of a facial recognition technology program called FERET. More information can be found at the following link Iris...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Figure 10-1 Attack That Can Be Prevented Using Signature-Based IDS

The Cisco Network Intrusion Detection Sensors keep complete collections of known malicious events in a database called the Network Security Database (NSDB). The NSDB is an HTML-based encyclopedia of network vulnerability information. Figure 10-2 displays the Network Security Vulnerability Index. Figure 10-3 is a typical example of an exploit signature and how it is formatted in the database.

Figure 10-10 Network-Based IDS Architecture

The network-based IDS sensor runs on Linux and has multiple components (software services), each interconnected and handling different processes. One of the main components is the cidWebServer. The web server uses different servlets to provide IDS services. The cidWebServer communicates with the event server, transaction server, and IP log server servlets using the Remote Data Exchange Protocol (RDEP). RDEP serves as the sensor's communication protocol. Table 10-5 illustrates some of the...

Figure 10-17 Remotely Installed Sensor as an Example of Out-of-Band IDS Management

Out-of-band management offers many significant advantages and becomes more desirable as the managed network grows. In this case, real-time monitoring and access can be performed over a protected channel, which does not impact transport bandwidth availability. In a large network, the costs of provisioning and maintaining the management network are proportionally smaller than in a small network. Out-of-band management is a part of...

Figure 10-2 Network Security Database


Figure 10-22 System Information Campus Sensor1
