Auto Initiate Connection

2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0 8-11

When the Software Client detects that the PC resides on one of the networks in the auto-initiation network list, it automatically tries to establish a VPN connection using the profile linked to that network. The Software Client informs you when the VPN connection is auto-initiating and at various...

SEP/SEP-E

* DSP-based hardware encryption
* 1,500 to 5,000 simultaneous sessions
* SEP: Provides DES and 3DES hardware-based encryption
* SEP-E: Provides DES, 3DES, and AES hardware-based encryption

The Scalable Encryption Processor (SEP or SEP-E) hardware-based encryption module enables you to offload processor-intensive DES, 3DES, and AES encryption tasks to hardware. The following features are supported: SEP/SEP-E is based on the Analog Devices DSP encryption engine....

Task 9: Use the Stateful Firewall (Always On) Feature

Complete the following steps to enable the Cisco Integrated Client Stateful Firewall (Always On) feature:
Step 1 Ensure that the Cisco Systems VPN Client window is open. If it is not open, choose Start > Programs > Cisco Systems VPN Client > VPN Client from the main menu.
Step 2 Click Options. A popup menu opens.
Step 3 Enable the Stateful Firewall (Always On) option so that it is selected.
Step 4 Disconnect the Cisco VPN Client. Now that the Cisco VPN Client connection has been terminated, you will...

Task 2: Configure the Cisco VPN 3002 Hardware Client Auto Update Feature

Complete the following steps to configure the Hardware Client auto-update feature.
Note: This procedure assumes that Windows 2000 is already running on the student PC.
Step 1 Launch Internet Explorer by double-clicking the desktop icon.
Step 2 Enter the Concentrator's public interface IP address of 192.168.P.5 in the Internet Explorer Address field (where P = pod number). The Connection Login Status window opens.
Step 3 Click Connect Now to connect the IPSec tunnel.
Step 4 Complete the following...

Public Interface IPSec Fragmentation

Configuration | Interfaces | Ethernet 2: Configuring Ethernet Interface 2 (Public).
* Select to obtain the IP Address, Subnet Mask, and Default Gateway via DHCP.
* Select to configure the IP Address and Subnet Mask. Enter the IP Address and Subnet Mask for this interface.
* Check to make this interface a public interface.
* Select the filter for this interface.
* Select the speed for this interface.
* Select the duplex mode for this interface.
* Enter the Maximum Transmit Unit for this interface (68 - 1500)....

Configuring Group Options on Client Config

On this tab, you can set client configuration parameters separately for Cisco clients, Microsoft clients, and clients common to Microsoft and Cisco. The following table lists the components of the Cisco Clients Parameters that are on the Client Config tab. Select this check box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their...

Task 7: Configure the Cisco VPN 3000 Series Concentrator for Individual User Authentication

With user authentication, each user behind the Hardware Client must be individually authenticated before being allowed to use the IPSec tunnel. Each user behind the Hardware Client is prompted for a username and password. By default, the individual user authentication feature is disabled. Complete the following steps to enable individual user authentication on the Concentrator:
Step 1 If the Cisco VPN 3000 Concentrator Series Manager is not visible, enter the Concentrator's public interface...

LAN-to-LAN NAT Summary

[Figure: LAN-to-LAN NAT summary showing PC A (10.10.10.4) and Cisco.com Server B (20.20.20.4) exchanging packets, with NAT Rule A and NAT Rule B translating the addresses to and from 30.30.30.14 and 10.10.10.14]

This figure summarizes the LAN-to-LAN Network Address Translations (NATs) taking place in the network. The top section displays the...

IP Spoofing

* IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
* Two general techniques are used during IP spoofing:
  - A hacker uses an IP address that is within the range of trusted IP addresses.
  - A hacker uses an authorized external IP address that is trusted.
* Uses for IP spoofing include the following:
  - IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
  - If a hacker changes...

Test AAA Server Communications

When the test window opens, enter your username and password and click OK. After a short delay, the Concentrator returns an authenticated window. It is now safe to log out of the Concentrator and log back in using your TACACS+ login username and password. However, if the Authentication Error window opens, do not log out of the Concentrator. If you do, you are locked out of the GUI. The only way to access the GUI again is to fix the communication...

Packet Sniffer Mitigation

The following techniques and tools can be used to mitigate sniffers:
* Authentication: A first option for defense against packet sniffers is to use strong authentication, such as one-time passwords.
* Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
* Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
* Cryptography: The most effective method for countering packet sniffers...

Confidentiality Encryption

The good news is that the Internet is a public network. The bad news is that the Internet is a public network. Clear text data transported over the public Internet can be intercepted and read. In order to keep the data private, the data can be encrypted. By digitally scrambling the data, it is rendered unreadable.

[Figure: a check reading "Pay to Terry Smith 100.00 One Hundred and xx/100 Dollars"...]

CSVPN 3002 Hardware Client-to-LAN Lab Visual Objective

[Figure: lab topology showing the Hardware Client, the 192.168.1PP.0 network, and the 172.26.26.0 network]

In this lab exercise each pair of students will be assigned a pod. In general, you will be setting up VPNs between your pod (Pod P) and your assigned peer pod (Pod Q).
Note: The P in a command indicates your pod number. The Q in a...

Network Reconnaissance Mitigation

* Network reconnaissance cannot be prevented entirely.
* IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.

If ICMP echo and echo-reply are turned off on edge routers, ping sweeps can be stopped, but at the expense of network diagnostic data. Port scans can still be run without full ping sweeps; they simply...

HMAC Algorithms

There are two common Hashed Message Authentication Code (HMAC) algorithms:
* HMAC-MD5: Uses a 128-bit shared secret key. The variable-length message and the 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
* HMAC-SHA-1: Uses a 160-bit secret key. The variable-length message and the 160-bit shared secret...

Objectives

Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN) Client and configure the Cisco VPN 3000 Series Concentrator to enable VPN encrypted tunnels using integrated firewall features. Work with your lab exercise partner to complete the following tasks:
* Complete the lab exercise setup.
* Configure the Concentrator user group for split tunneling.
* Configure the Concentrator user group firewall for the AYT feature.
* Test AYT with firewall required.
* Configure...

SCEP-Based Enrollment

Public key technology is becoming more widely deployed. With the use of public key certificates in network security protocols comes the need for a certificate management protocol that Public Key Infrastructure (PKI) clients and CA servers can use to support automated certificate enrollment. The goal of the Simple Certificate Enrollment Protocol (SCEP) is to support the secure issuance of certificates to network devices in a...

IP Interfaces

Ethernet 1 (private IP address): 10.0.P.5
Ethernet 2 (public IP address): 192.168.P.5

Configure the VPN 3000 Concentrator interfaces:
* Ethernet 1 (Private): the interface to your private network (internal LAN).
* Ethernet 2 (Public): the interface to the public network.
* Ethernet 3 (External): the interface to an additional LAN.
If you modify the interface that you are currently using to connect to this device, you will...

Trust Exploitation Mitigation

[Figure: SystemB compromised by a hacker; user psmith (Pat Smith)]

Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be validated by something other than an IP address where possible. You can mitigate trust exploitation-based attacks through tight constraints on trust levels within...

How the AYT Feature Works

[Figure: a Zone Labs ZoneAlarm firewall reported as operational]

The administrator configures the Concentrator to require a particular firewall to be present on the remote Software Client's PC. At Software Client connection time, the following steps occur:
Step 1 The Software Client polls the firewall.
Step 2 The Software Client reports the presence of a specific firewall to the Concentrator via ModeCFG...

Task 9: Configure the Concentrator Using the Cisco VPN 3000 Series Concentrator Manager

Earlier you configured both the private and public interfaces using the CLI feature of the Concentrator. Complete the following steps to finish the Concentrator configuration using the Cisco VPN 3000 Series Concentrator Manager.
Note: This procedure assumes that Windows 2000 is already running on the student PC.
Launch Internet Explorer by double-clicking the desktop icon. Enter the Concentrator's public interface IP address, 192.168.P.5, in the Internet Explorer Address field (where P = pod number)....

Menus: Options

Use the Options menu to perform actions such as launching an application. The following commands are available:
* Application Launcher: Start an application before connecting to a VPN device.
* Windows...

Trust Exploitation

* Leverages existing trust relationships

[Figure: SystemA trusts SystemB, SystemB trusts everyone, so SystemA trusts everyone; SystemB is compromised by a hacker; user psmith (Pat Smith)]

While not an attack in and of itself, trust exploitation refers to an attack where an individual takes advantage of a trust relationship within a network. The...

Backup LAN-to-LANs

A backup LAN-to-LAN configuration has two sides: a central side and a remote side. The central side is the endpoint of the connection where the backup VPN Concentrators reside. (If the backup VPN Concentrators reside in different geographic places, there may be more than one central side.) The endpoint of the backup VPN Concentrator's LAN-to-LAN peer is the remote side. The remote-side VPN Concentrator has a peer list of all (up to ten) of the central-side VPN Concentrators. The peers appear on...

IPSec Protocol

* Name: Enter the remote server address or host name.
* Check to enable IPSec over TCP.
* Enter the IPSec over TCP port (1 - 65535).
* Click to use the installed certificate.
* Choose how to send the digital certificate to the server: Entire certificate chain, or Identity certificate only.
* Password / Verify...

Task 13: Load the Root Certificate Into the Concentrator

Complete the following steps to load the Root certificate into the Concentrator:
Step 1 Enter the Concentrator's public interface IP address, 192.168.P.5, in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.
Step 2 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account.
Step 3 Drill down to Certificate Management from the Administration menu tree. Select Click here to install a CA...

Enrollment Form

Before you can build a certificate request, the administrator must supply some enrollment information. There are eight fields in the enrollment form:
* Common Name: The unique name used for this certificate. This field is required. It will become the name of the certificate (for example, student1).
* Dept: The name of the department to which you belong (for example, training). This field correlates to the OU. For example, the OU is the same as the group...

Hardware Client Configuration Options

Cisco Systems VPN 3000 Concentrator Series Command Line Interface
Copyright (C) 1998-2000 Cisco Systems, Inc.

When the Hardware Client physical hardware is connected, the administrator must gain access to the Hardware Client manager. The Hardware Client comes from the factory with a private interface IP address of 192.168.10.1. Hook up a PC to the private port and configure the PC's TCP/IP address. To gain access to the Hardware Client, point the...

Objectives of Virtual Private Network

Your task in this lab exercise is to configure one end of a LAN-to-LAN Virtual Private Network (VPN) while another team completes the same tasks at a remote site. Work with your lab partner to complete the following tasks on your side of the LAN-to-LAN VPN:
* Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN connectivity.
* Configure the LAN-to-LAN NAT rules.
* Configure network lists.
* Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN connectivity.
* Create and monitor a LAN-to-LAN NAT...

DoS Mitigation

The threat of DoS attacks can be reduced through the following three methods:
* Antispoof features: Proper configuration of antispoof features on your routers and firewalls.
* Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls.
* Traffic rate limiting: Implement traffic rate limiting with the network's ISP.

When involving specific network server applications, such as an HTTP server or a File Transfer Protocol...

Monitoring the Cisco VPN 3002 Hardware Client Software Auto Update Feature

When the update notification is sent, the administrator can monitor the status of the upgrade on the Hardware Client.

[Figure: Monitoring > Filterable Event Log window with Client IP Address 0.0.0.0 and Direction Oldest to Newest, showing the event "18 03/05/2002 13:15:33.750 SEV=4 AUTOUPDATE/5 RPT=1"]

In the Monitoring > Filterable Event Log window, the...

Configuration Parameters

[main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationList=LocLab,RMTLab
[LOG.IKE]
LogLevel=15
[LOG.CM]
LogLevel=3
[LOG.PPP]
LogLevel=3
[LOG.DIALER]
LogLevel=3
[LOG.CVPND]
LogLevel=3
[LOG.XAUTH]
LogLevel=3
[LOG.CERT]
LogLevel=3
[LOG.IPSEC]
LogLevel=3
[LOG.CLI]
LogLevel=3
[LOG.FIREWALL]
LogLevel=3
[LocLab]
Network=172.26.0.0
Mask=255.255.0.0
ConnectionEntry=student1
[RMTLab]
Network=172.27.0.0
Mask=255.255.0.0
ConnectionEntry=student1

Groups of...

Task 2: Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN Connectivity

Before configuring the LAN-to-LAN NAT rules, verify that a tunnel can be established between Concentrators. Complete the following steps to verify the LAN-to-LAN tunnel connections:
Step 1 Launch Internet Explorer by double-clicking the desktop icon.
Step 2 Enter the Concentrator's private interface IP address of 10.0.P.5 in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.
Step 3 Log into the Cisco VPN 3000 Concentrator...