- •Icons Used in This Book
- •Network Security
- •Vulnerabilities
- •Threats
- •Types of Attacks
- •Network Security Policy
- •AVVID and SAFE
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Firewall Technologies
- •Cisco PIX Firewall
- •Foundation Summary
- •The Cisco Secure PIX Firewall
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Overview of the Cisco PIX Firewall
- •Cisco PIX Firewall Models and Features
- •Foundation Summary
- •System Maintenance
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Accessing the Cisco PIX Firewall
- •Installing a New Operating System
- •Upgrading the Cisco PIX OS
- •Creating a Boothelper Diskette Using a Windows PC
- •Auto Update Support
- •Password Recovery
- •Foundation Summary
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •How the PIX Firewall Handles Traffic
- •Address Translation
- •Translation Versus Connection
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Access Modes
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •TurboACL
- •Object Grouping
- •Advanced Protocol Handling
- •Foundation Summary
- •Syslog
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •How Syslog Works
- •How Log Messages Are Organized
- •How to Read System Log Messages
- •Disabling Syslog Messages
- •Foundation Summary
- •Cisco PIX Firewall Failover
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •What Causes a Failover Event
- •What Is Required for a Failover Configuration
- •Failover Monitoring
- •Stateful Failover
- •LAN-Based Failover
- •Foundation Summary
- •Virtual Private Networks
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Overview of VPN Technologies
- •Cisco VPN Client
- •PPPoE Support
- •Foundation Summary
- •Scenario
- •Completed PIX Configurations
- •PIX Device Manager
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •PDM Overview
- •PIX Firewall Requirements to Run PDM
- •Foundation Summary
- •Content Filtering with the Cisco PIX Firewall
- •“Do I Know This Already?” Quiz
- •Filtering Java Applets
- •Filtering ActiveX Objects
- •Filtering URLs
- •Foundation Summary
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Overview of AAA and the Cisco PIX Firewall
- •Cisco Secure Access Control Server (CSACS)
- •Foundation Summary
- •How to Best Use This Chapter
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Specifying Your AAA Servers
- •Troubleshooting Your AAA Setup
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Multimedia Support on the Cisco PIX Firewall
- •Attack Guards
- •PIX Firewall’s Intrusion Detection Feature
- •ip verify reverse-path Command
- •Foundation Summary
- •Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
- •Chapter 1
- •Chapter 2
- •Chapter 3
- •Chapter 4
- •Chapter 5
- •Chapter 6
- •Chapter 7
- •Chapter 8
- •Chapter 9
- •Chapter 10
- •Chapter 11
- •Chapter 12
- •Chapter 13
- •Chapter 14
- •Chapter 15
- •Appendix B
- •What’s Wrong with This Picture?
188 Chapter 10: Virtual Private Networks
•Manual IPSec, which requires you to configure each peer by hand, including the session keys themselves. Cisco does not recommend this method: the keys are static, so there is no key exchange and no periodic rekeying, and an attacker who recovers the key once, or who collects enough traffic protected by that single key, can decrypt everything ever sent under it. Manual IPSec is also not a scalable solution, because every pair of peers needs its own hand-entered keys.
•IKE, which dynamically negotiates your SA and authenticates the peers with preshared keys or digital certificates. Preshared keys still require you to enter the same key by hand on each IPSec peer, so every pair of peers needs a shared secret.
•IKE with digital certificates, which lets IKE negotiate your IPSec SA while each peer authenticates the other with a certificate issued by a certification authority (CA). This is the most dynamic option: peers need only trust the CA rather than hold a secret per peer, so it is both secure and scalable.
PPPoE Support
Cisco PIX Firewall software version 6.2 supports Point-to-Point Protocol over Ethernet (PPPoE). PPPoE provides a standard method of using PPP authentication over an Ethernet network and is used by many Internet service providers (ISPs) to grant client machine access to their networks, commonly through DSL. PPPoE is supported only on the outside interfaces of the PIX 501 and PIX 506/506E.
Foundation Summary
There are three different VPN types: access, intranet, and extranet. Access VPNs are used for remote users and normally require client software. Intranet and extranet VPNs are configured as site-to-site VPNs.
VPN peers need to authenticate each other and negotiate the IPSec SA. The negotiation is completed automatically using IKE. The authentication is completed using preshared keys, RSA signatures (digital certificates), or RSA encrypted nonces. To configure IKE on the PIX, you use the following commands:
•isakmp policy:
—Configures the authentication type.
—Configures the message encryption algorithm.
—Configures the message integrity algorithm.
—Configures the key exchange parameters.
—Defines the IKE SA lifetime (when it expires, the peers renegotiate the IKE SA with a fresh Diffie-Hellman exchange).
•isakmp enable—Enables ISAKMP on an interface, allowing that interface to accept IKE negotiations on UDP port 500.
•isakmp identity—Identifies the local peer by IP address or host name.
•isakmp key—If you’re using a preshared key, define the key and the peer (by IP address or host name).
After you configure IKE, you are ready to configure IPSec. Follow these steps:
1. Configure an access-list so that the PIX knows which traffic should be encrypted.
2. Create transform-sets to define the encryption and integrity algorithms to be used for the session.
3. Define the ipsec security-association lifetime (optional). A shorter lifetime limits how much traffic is ever protected by one key, which limits what an attacker gains by recovering that key.
4. Configure a crypto-map:
—Define how the SA is negotiated (ipsec-manual or ipsec-isakmp).
—Apply the access-list to the crypto-map.
—Apply the transform-set to the crypto-map.
—Identify the SA peer by IP address or host name.
—Apply the crypto-map to an interface.
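The following listing ties the IKE commands and the IPSec steps above together for one side of a site-to-site tunnel. It is an added example, not a listing from the book or a Cisco reference configuration. Assumed values: local inside network 10.1.1.0/24, remote network 10.2.2.0/24, remote peer 203.0.113.2, preshared key s3cr3t-k3y, and the names vpn_traffic, strong and vpnmap. Lines beginning with a colon are PIX comments. The nat 0 and sysopt lines are not among the chapter's steps; they are needed on a PIX that also performs NAT and filters inbound traffic, and are marked as such in the listing.

```cisco
: --- IKE (phase 1) ---
: Accept IKE negotiations (UDP port 500) on the interface that faces the peer
isakmp enable outside
: Policy 10: preshared-key authentication, 3DES/SHA-1, Diffie-Hellman group 2.
: Avoid "encryption des" and "group 1"; they are the weakest options the PIX offers.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Identify this peer by IP address (the remote side must expect the same identity type)
isakmp identity address
: Preshared key for one specific peer (assumed key and peer address). The /32 netmask
: binds the key to that one peer instead of a wildcard 0.0.0.0 entry shared by anyone.
isakmp key s3cr3t-k3y address 203.0.113.2 netmask 255.255.255.255

: --- IPSec (phase 2) ---
: Step 1: interesting traffic; only flows matching this list are encrypted
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
: Step 2: transform set (ESP with 3DES encryption and SHA-1 HMAC integrity)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
: Step 3 (optional): rekey the IPSec SA every hour instead of the default 28800 seconds
crypto ipsec security-association lifetime seconds 3600
: Step 4: crypto map negotiated by IKE (ipsec-isakmp rather than ipsec-manual)
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap interface outside

: --- Not in the chapter's step list, but required when the PIX also does NAT ---
: Exempt tunnel traffic from address translation, and let packets arriving through
: the tunnel bypass the outside interface's access list
nat (inside) 0 access-list vpn_traffic
sysopt connection permit-ipsec

: Verify from enable mode once the remote peer carries the mirror-image configuration
: (same policy, same transform set, same key, access list with source and destination swapped):
:   show isakmp sa          phase 1: an entry for 203.0.113.2 in state QM_IDLE
:   show crypto ipsec sa    phase 2: the #pkts encaps/decaps counters should climb
:   debug crypto isakmp     watch the negotiation if the tunnel does not come up
:   clear crypto isakmp sa  tear down the SAs to force a fresh negotiation
```

The order matters for troubleshooting: if show isakmp sa shows nothing, the problem is in phase 1 (policy mismatch, wrong key, or UDP 500 blocked upstream); if phase 1 is up but the IPSec counters stay at zero, compare the access lists and transform sets on the two peers.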
Three commands (and many options for each) are available to troubleshoot VPN connectivity:
•show—Displays the current configuration or current SA status.
•clear—Removes the current configuration or setting (usually used to regenerate the connection).
•debug—Allows you to see ongoing sessions and key negotiations.
Cisco VPN Client is used to connect remote users to internal resources via an encrypted tunnel. The package handles all the negotiation and encryption and can operate using any connection to the Internet.
To develop a scalable VPN solution, you must implement a dynamic means of authentication. The most effective and scalable method today is the use of IKE and certification authorities.
Q&A
The questions in this section are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.
The answers to these questions can be found in Appendix A.
1. What is the default lifetime if not defined in isakmp policy?
2. Do your transform sets have to match exactly on each peer?
3. True or false: The X509v3 standard applies to the ESP header’s format.
4. What is the difference between the isakmp lifetime and the crypto-map lifetime?
5. What command do you use to delete any active SAs?
6. What is the command for defining a preshared key?
7. What is the first thing you should check if you are unable to establish a VPN?
8. What is the function of the access list with regard to VPNs?
9. What PIX firewalls support PPPoE?