Part I Introduction to Network Security
Chapter 1 Understanding Network Security Threats
Identify the Need for Network Security
Identify the Causes of Network Security Problems
Technology Weakness
Policy Weakness
Configuration Weakness
The Four Primary Types of Network Threats
Unstructured Threats
Structured Threats
Internal Threats
External Threats
The Four Primary Types of Network Attack
Reconnaissance Attacks
Access Attacks
Denial of Service (DOS) Attacks
Data Manipulation Attacks
Cisco AVVID and SAFE Strategies
AVVID
SAFE
Cisco Security Wheel
Network Security Policy
Why Create a Network Security Policy
The Balancing Act
A Security Policy Is to Be Shared
Who Should Help Create the Security Policy?
Assets and Threats
Evaluating a Network Security Policy
Example of a Network Security Policy
Securing the Network
Wireless Communication Policy
Monitoring Network Security
Improving Network Security
Chapter Review
Questions
Answers
Chapter 2 Securing the Network
Secure Network Design Example
Inside Network
Outside Network
Demilitarized Zone (DMZ)
Securing Network Devices
Physically Secure the Devices
Securing Administrative Access
Using Access Control Lists to Secure the Network
Standard ACLs
Extended Access Lists
Named Access Lists
Time-Based Access Lists
Chapter Review
Questions
Answers
Part II Securing the Network Perimeter
Chapter 3 Cisco AAA Security Technology
The Cisco AAA Model
NAS Servers
Why Authenticate?
AAA Benefits
TACACS+, RADIUS, and Kerberos Support
AAA System Components
AAA as Facilitator
Authentication
Authorization
Accounting
Testing AAA Configuration
The show Commands
The debug Commands
Chapter Review
Questions
Answers
Chapter 4 Cisco Secure ACS and TACACS+/RADIUS Technologies
Describe Cisco Secure ACS
CiscoSecure ACS for Windows and UNIX
Features and Architecture of Cisco Secure ACS for Windows
Features and Benefits
Cisco Secure ACS Benefits
Cisco Secure ACS for Windows Internal Architecture
System Performance
Features of CiscoSecure ACS for UNIX
Features and Benefits
Preparing to Install UNIX ACS
Installing Cisco Secure ACS 3.0 for Windows
Hardware Requirements
Operating System Requirements
Third-Party Software Requirements
NAS Minimum IOS Requirements
Network Requirements
Back Up Server Data
Gathering Information Required During Installation
Administering and Troubleshooting Cisco Secure ACS for Windows
Navigation Bar
Configuration Area
Display Area
Accessing the HTML Interface
Suggested Configuration Sequence
TACACS+ Overview
Configuring Cisco Secure ACS and TACACS+
Configure NAS to TACACS+ Server Communication
Verifying TACACS+
The show Commands
The debug Commands
Configure NAS to RADIUS Server Communication
Chapter Review
Questions
Answers
Chapter 5 Securing Cisco Perimeter Routers
Perimeter Router Terms and Concepts
Simple Secure Network Design
Eavesdropping
Router Solutions
Hub and Switch Issues
Limit Unneeded TCP/IP and Other Services
TCP and UDP "Small Services"
Finger
NTP
CDP
Denial of Service Attacks
Controlling Directed Broadcasts
Flood Management
Antispoofing with RPF Checks
Unauthorized Access
Address Filtering
Dynamic (Lock-and-Key) Access Lists
Reflexive Access Lists
Lack of Legal IP Addresses
NAT Technology and Terminology
Static NAT
Dynamic NAT
Dynamic NAT with Overloading (PAT)
Rerouting Attacks
Event Logging on Perimeter Routers
Access List Violation Logs
Chapter Review
Questions
Answers
Chapter 6 IOS Firewall Feature Set—CBAC
Introduction to Cisco IOS Firewall
Router-Based Firewall Functionality
Integration with Cisco IOS Software
Feature Summary
Context-Based Access Control (CBAC)
Quick Access List Review
CBAC Advantages
CBAC Limitations
CBAC Process
Configuring CBAC
IOS Firewall Management
Command Line Interface
ConfigMaker
Chapter Review
Questions
Answers
Chapter 7 IOS Firewall--Intrusion Detection System
Intrusion Detection System (IDS)
IOS Firewall Intrusion Detection System
Devices Supporting the IOS Firewall IDS Feature
Cisco IDS Attack Signatures
Cisco Secure IDS Director Support
Performance Implications
IOS IDS vs. Cisco Secure IDS
Cisco IOS Firewall IDS Configuration Task List
Initializing the IOS Firewall IDS
The ip audit smtp spam Command
The ip audit po max-events Command
Initializing the Post Office
The ip audit notify Command
The ip audit po local Command
The ip audit po remote Command
Creating and Applying Audit Rules
Creating an Audit Rule
Apply the Audit Rule to the Interface(s)
Verifying the IDS Configuration
The show ip audit statistics Command
The show ip audit configuration Command
The show ip audit interface Command
The show ip audit all Command
Chapter Review
Questions
Answers
Chapter 8 IOS Firewall--Authentication Proxy
Cisco IOS Firewall Authentication Proxy
How the Authentication Proxy Works
Applying the Authentication Proxy
Comparison with the Lock-and-Key Feature
Compatibility with Other Features
Security Vulnerability Issues
Before Configuring Authentication Proxy
Authentication Proxy Configuration Task List
AAA Server Configuration
AAA Router Configuration
Enable AAA
Define the Security Server
Define Login Authentication Methods List
Enable Authorization Proxy (auth-proxy) for AAA
Activate Authentication Proxy Accounting
ACL Entry for Return Traffic from the AAA Server
Configuring the HTTP Server
Authentication Proxy Configuration on the Router
The ip auth-proxy auth-cache-time Command
The ip auth-proxy auth-proxy-banner Command
The ip auth-proxy name Command
The auth-proxy Interface Configuration
Verify Authentication Proxy Configuration
The auth-proxy Cache
The debug Commands
CBAC Configuration
Chapter Review
Questions
Answers
Part III Virtual Private Networks (VPNs)
Chapter 9 Cisco IOS IPSec Introduction
Virtual Private Networks
Remote-Access
Site-to-Site
Layer 2 VPNs
Layer 3 VPNs
Other VPN Implementations
Why Use VPNs?
VPN Analogy
Tunneling Protocols
Layer Two Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE)
How IPSec Works
Cisco IOS IPSec Technologies
IPSec Security Overview
Transport and Tunnel Mode
IPSec Transforms and Transform Sets
Cisco IOS Cryptosystem Components
How Encryption Works
Cryptography Types
Encryption Alternatives
Hashing
Diffie-Hellman Key Agreement (DH)
Security Association (SA)
IKE SAs versus IPSec SAs
Five Steps of IPSec Revisited
Step 1--Determine Interesting Traffic
Step 2--IKE Phase One
Step 3--IKE Phase Two
Step 4--IPSec Data Transfer
Step 5--Session Termination
IPSec Support in Cisco Systems Products
Chapter Review
Questions
Answers
Chapter 10 Cisco IOS IPSec for Preshared Keys
Configure IPSec Encryption Tasks
Task 1 Prepare for IKE and IPSec
Task 2 Configure IKE
Task 3 Configure IPSec
Task 4 Test and Verify IPSec
Configuring IPSec Manually
Configuring IPSec Manually Is Not Recommended
Chapter Review
Questions
Answers
Chapter 11 Cisco IOS IPSec Certificate Authority Support
CA Support Overview
Digital Certificates
Certificate Distribution
IPSec with CAs
How CA Certs Are Used by IPSec Peers
Cisco IOS CA Standards
Simple Certificate Enrollment Protocol (SCEP)
CA Servers Interoperable with Cisco Routers
Enroll a Device with a CA
Configure CA Support Tasks
Task 1--Prepare for IKE and IPSec
Task 2--Configure CA Support
Task 3--Configure IKE
Task 4--Configure IPSec
Task 5--Test and Verify IPSec
RSA Encrypted Nonces Overview
Task 2--Configure RSA Keys
Chapter Review
Questions
Answers
Chapter 12 Cisco IOS Remote Access Using Cisco Easy VPN
Introduction to Cisco Easy VPN
Cisco Easy VPN Server
Client Connection Process
Cisco Easy VPN Remote
Split Tunneling
Cisco VPN 3.6 Client
How the VPN Client Works
Connection Technologies
Easy VPN Server Configuration Tasks
Preconfiguring the Cisco VPN 3.6 Client
Creating a New Connection Entry
Trying Out the New Connection
Customizing the Connection
Management Center for VPN Routers
Features and Benefits
Router MC Server Requirements
Router MC Client Requirements
Router MC User Permissions
Easy VPN Remote Phase Two
Supported VPN Servers
Phase Two Features
Cisco VPN Firewall Feature for VPN Client
Overview of Software Client Firewall Feature
Defining a Client Firewall Policy
The Are You There Feature
The Central Policy Protection Feature
Client/Server Feature
Client Firewall Statistics
Chapter Review
Questions
Answers
Chapter 13 Cisco VPN Hardware Overview
Cisco Products Enable a Secure VPN
What's New?
Cisco VPN 3002 Client Devices
Cisco VPN 3002 Client Models
Client and Network Extension Modes
Standards Supported
Cisco VPN 3002 Hardware Client Features
Cisco VPN 3000 Concentrator Devices
Cisco VPN 3000 Concentrator Models
Standards Supported
Cisco VPN 3000 Concentrator Features
VPN 3000 Concentrator Client Support
Chapter Review
Questions
Answers
Chapter 14 Cisco VPN 3000 Remote Access Networks
VPN Concentrator User Interfaces and Startup
Quick Configuration
Command-Line Interface (CLI) Basics
Concentrator Manager (Web Interface)
VPN Concentrators in IPSec VPN Implementations
Remote Access Networks
LAN-to-LAN Networks
Remote Access VPNs with Preshared Keys
Preshared Keys
Initial Configuration
Setting the Public Interface
Defining the Default Gateway (Optional)
Adding the Static Routes
General System Information
Define Inside Address Assignment Method
Define Inside Address Pool for Remote Users
Configuring Groups and Users
Other Configuration Options
Digital Certificates
Certificate Types
VPN Concentrator and Certificates
Enrolling and Installing Certificates
Using SCEP to Manage Certificates
Using the Certificates
Configure Cisco VPN Client Support
VPN Client Autoinitiation Feature
The vpnclient.ini File
Preparation
Configuration
VPN 3000 Configuration
Administer and Monitor Remote Access Networks
Administration
Monitoring
Chapter Review
Questions
Answers
Chapter 15 Configuring Cisco VPN 3002 Remote Clients
The VPN 3002 in the Network
VPN Modes
IPSec VPNs
Configuring the 3002 Device
Command-Line Interface (CLI)
The Hardware Client Manager (Web Interface)
Common Configuration Tasks
Upgrading the Software
Quick Configuration
System Status
PPPoE Support
Basic Configuration for the VPN 3002
Set the System Time, Date, and Time Zone
Optional--Upload an Existing Configuration File
Configure the Private Interface
Configure the Public Interface
Configure the IPSec
Choose Client (PAT) Mode or Network Extension Mode
Configure DNS
Configure Static Routes
Change the Admin Password
Modifying Options
Other VPN 3002 Software Features
Interactive Hardware Client Authentication
Individual User Authentication
LEAP Bypass
IPSec Backup Servers
IPSec Server Load Balancing
H.323 Support in PAT Mode
Simple Certificate Enrollment Protocol (SCEP)
XML Management
Reverse Route Injection (RRI)
AES Support and Diffie-Hellman Group 5
Push Banner to VPN 3002
Delete with Reason
Auto-Update Feature
VPN 3002 Hardware Clients
Cisco VPN Software Clients
Configuring Auto-Update
Chapter Review
Questions
Answers
Chapter 16 Cisco VPN 3000 LAN-to-LAN Networks
The VPN Concentrators in LAN-to-LAN VPNs
Chapter Scenario
LAN-to-LAN Networks with Preshared Keys
Configure Network Lists
Define the IKE Proposals (Optional)
Create the Tunnel
LAN-to-LAN Networks with Digital Certificates
NAT Issues
NAT Transparency
IPSec over TCP
IPSec over NAT-T
IPSec over UDP
LAN-to-LAN VPN with Overlapping Network Addresses
LAN-to-LAN Routing
Default Gateways
Reverse Route Injection
Virtual Router Redundancy Protocol
Chapter Review
Questions
Answers
Part IV PIX Firewalls
Chapter 17 CiscoSecure PIX Firewalls
Firewall and Firewall Security Systems
Packet Filter
Proxy Filter
Stateful Packet Filter
CiscoSecure PIX Firewall Technology
PIX Adaptive Security Algorithm
The PIX Firewall Family
Tested and Certified
VPN Support
PIX Management Options
Cisco Mobile Office Support
Cisco Catalyst 6500 Implementation
Basic PIX Firewall Configuration
PIX Command-Line Interface
The nameif Command
The interface Command
The ip address Command
The nat Command
The global Command
The route Command
Chapter Review
Questions
Answers
Chapter 18 Getting Started with the Cisco PIX Firewall
Basic PIX Firewall Configuration
Verifying Configuration and Traffic
ICMP Traffic to the Firewall
The show icmp Command
The debug icmp trace Command
Time Setting and NTP Support
How NTP Works
NTP and PIX Firewalls
Syslog Configuration
The logging Commands
FTP and URL Logging
Verifying and Monitoring Logging
DHCP Server Configuration
Configuring the DHCP Server Feature
DHCP Client
Using NAT/PAT with DHCP Client
Firewalls as a DHCP Client and Server
Chapter Review
Questions
Answers
Chapter 19 Access Through the PIX Firewall
Adaptive Security Algorithm
Security Levels
Stateful System
Translations
Connections
Translations and Connections
Transport Protocols
Static Translations
Network Address Translation
Port Address Translations (PAT)
Using NAT and PAT Together
Names and Name Commands
Configuring DNS Support
Access Control Lists (ACLs)
Using Access Lists
Access-Group Statement
Basic ACL Statements
ICMP ACL Statements
TurboACL
Downloadable ACLs
Content Filtering
ActiveX Blocking
Java Blocking
Websense Filtering
Object Grouping
Overview of Object Grouping
Getting Started with Group Objects
Configuring Object Groups with ACLs
Nested Object Groups
Conduit Statements
Configuring Conduits
PIX Routing Configuration
The Route Command
Routing Options
Multicast Traffic
Chapter Review
Questions
Answers
Chapter 20 Advanced PIX Firewall Features
Remote Access
Telnet Access
HTTP Access
Secure Shell (SSH) Access
AAA Support for Telnet, HTTP, and SSH Sessions
AAA on the PIX Firewall
Defining the AAA Server
Local User Database
Configuring AAA Features
Access Lists with AAA
Command-Level Authorization
Firewall Privilege Levels
Configuring Cisco Secure ACS for Windows
Advanced Protocol Handling
Application Inspection
The fixup protocol Command
Supported Applications and Protocols
Fixup Protocol Examples
Other Supported Protocols and Applications
Attack Guards
DNS Control
Flood Defender
FragGuard and Virtual Reassembly
TCP Intercept
Unicast Reverse Path Forwarding
ActiveX Blocking, Java Filtering, and URL Filtering
Intrusion Detection
Define Default Audit Actions
Disabling Individual Signatures
Create Named Audit Rules
Apply the Audit Rule to the Interface(s)
PIX Firewall IDS Syslog Messages
Shunning
Managing SNMP Services
PIX Firewall SNMP Support
SNMP Contact and Location
SNMP Management Station
SNMP Community Key
Enabling SNMP Traps
Verify SNMP Configuration
Logging to the SNMP Management Station
Chapter Review
Questions
Answers
Chapter 21 Firewalls and VPN Features
PIX Firewall Enables a Secure VPN
IPSec VPN Establishment
Five Steps of IPSec
IPSec Configuration Tasks
Task 1: Prepare to Configure VPN Support
Task 2: Configure IKE Parameters
Task 3: Configure IPSec Parameters
Task 4: Test and Verify VPN Configuration
Cisco VPN Client
Client Mode
Network Extension Mode
Establishing Preliminary Connectivity
Easy VPN Remote Configuration
Scale PIX Firewall VPNs
Network Management Options
PPPoE and the PIX Firewall
Chapter Review
Configuring IPSec
Configuring IPSec for RSA Encrypted Nonces
Configuring CA Support Tasks
Questions
Answers
Chapter 22 Managing and Maintaining the PIX Firewall
PDM Overview
Versions and Device Support
PDM Operating Requirements
PIX Firewall Requirements
Workstation Requirements
Cisco Secure Policy Manager Considerations
Web Browser Considerations
Prepare for PDM
Installing PDM on a PIX Firewall
Minimum PIX Configuration
Starting PDM
Using the PDM Startup Wizard
Using PDM to Configure the PIX Firewall
Using PDM to Create a Site-to-Site VPN
Using PDM to Create a Remote Access VPN
CiscoWorks Management Center for PIX Firewalls (PIX MC)
System Requirements
PIX Failover Feature
Understanding Failover
Failover Configuration with Failover Cable
LAN-Based Failover Configuration
Verifying Failover Configuration
Password Recovery
Before Getting Started
PIX Devices with a Floppy Drive
PIX Devices Without a Floppy Drive
Upgrading the PIX OS
Older Upgrade Methods
Chapter Review
Questions
Answers
Part V Intrusion Detection Systems (IDS)
Chapter 23 Intrusion Detection System Overview
Security Threats
Internal Threats
External Threats
Unstructured Threats
Structured Threats
The Attack Types and Phases
Attack Types
Attack Phases
Intrusion Detection Systems Overview
Host- and Network-Based IDSs
IDS Triggers
Summary
Questions
Answers
Chapter 24 Cisco Secure Intrusion Detection System
CIDS Operations and Functionality
Monitoring
Analyzing
Communications
Centralized Alarm Display and Management
Sensor Response
CIDS Architecture
CIDS Software Architecture
CIDS Commands
CIDS Directory Structure
CIDS Log Files
Chapter Review
Questions
Answers
Chapter 25 Sensor Installation and Configuration
Sensor Deployment Considerations
Network Entry Points
Network Size and Complexity
The Amount and Type of Traffic
Sensor Installation
Connecting to Your Network Sensor Appliance
Sensor Bootstrap
IDS Device Manager
Connecting to the IDS Device Manager
IDS Device Manager GUI Interface
Device Area Configuration
Configuration Area
Monitoring Area
Administration Area
Chapter Review
Questions
Answers
Chapter 26 Signature and Alarm Management
CIDS Signatures
Signature Series
Signature Implementations
Signature Structure
Signature Classes
Signature Types
Signature Severity
Event Viewer
Managing Alarms
Event Viewer Customization
Preference Settings
Chapter Review
Review Questions
Answers
Part VI Cisco SAFE Implementation
Chapter 27 Cisco SAFE Implementation
Preparation Documents
Exam Topics
Security Fundamentals
Architectural Overview
Cisco Security Portfolio
SAFE Small Network Design
SAFE Medium Network Design
SAFE Remote-User Network Implementation
Skills Required for the Exam
Chapter Review
Questions
Answers
Appendix A Access Control Lists
Access List Basics
Two-Step Process
Numbered ACL Common Characteristics
The Numbers Matter
Standard Access Lists
Building a Standard ACL
Verifying ACLs
Show Run Command
Show Access-Lists Command
Show IP Interfaces Command
Extended Access Lists
Creating an Extended Access List
Named Access Lists
Appendix B About the CD
System Requirements
LearnKey Online Training
Installing and Running MasterExam
MasterExam
Electronic Book
Lab Exercises
Help
Removing Installation(s)
Technical Support
LearnKey Technical Support
Index