CCIE Self Study CCIE Security Exam Certification Guide - Cisco press.pdf

320 Chapter 7: Security Technologies

Foundation Topics

Advanced Security Concepts

A wealth of security concepts has been covered so far. This section turns to the techniques used in the areas of your network that are most exposed to attack, in particular the Demilitarized Zone (DMZ).

The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet.

Figure 7-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (the first line of defense, or hosts that can be sacrificed in case of a network attack or attacks).

Figure 7-1 DMZ Design [figure: a perimeter or edge router in front of the bastion hosts (FTP server, HTTP server, proxy servers)]

Figure 7-1 displays a typical perimeter network where the DMZ is separated by a firewall. Firewalls are network devices such as Private Internet Exchange (PIX), which are discussed later in this chapter. Firewalls are designed to protect the internal (or private) parts of a network from the public domain.


The aim of all firewalls is to accomplish the following:

Serve as a traffic point—The traffic from inside and outside the network must pass through the traffic point.

Authorize traffic—Permits only authorized traffic.

Designed to be immune from penetration—Firewalls are designed to be immune from attacks, yet they are still frequently the devices that outside hosts attack.

Invisibility—Ensures that the private network is invisible to the outside world.

As shown in Figure 7-1, the perimeter router sits between the DMZ and the public domain. Typically, a high performance router or routers will be located here, performing a number of duties including the following:

Ensuring that access to the Internet Protocol (IP) is restricted using access lists

Restricting Transmission Control Protocol (TCP) services

Preventing attacks on firewall systems

Preventing Denial of Service (DoS) attacks on bastion hosts and the private network

Permitting only authorized traffic to the bastion hosts

Logging all network events to external or internal systems

Performing address translation (NAT/PAT)

Running static or dynamic routing protocols; Cisco PIX is limited to RIP and static routing.

NOTE Proxy servers are designed to shield internal devices from outside intruders by replacing the internal hosts’ IP addresses with the proxy’s own IP address. Most vendors now allow routers to act as proxy servers. Proxy servers have scalability and speed issues, because every packet must be examined and its IP header modified before delivery.

Firewalls and perimeter routers have the additional function of packet filtering. A packet filter is a device that inspects all incoming and outgoing packets based on IP source address, destination IP address, and protocol type, such as TCP or UDP. Based on configurable options, the filter decides whether to reject or allow traffic to pass through the device.

Table 7-1 summarizes the main functions of a perimeter and firewall router.


Table 7-1 Perimeter/Firewall Router Functions

| Protection | Service |
|---|---|
| Sniffer or snooping capabilities | Control eavesdropping with the TCP/IP service and network layer encryption (IPSec). |
| Control unauthorized access | Use authentication, authorization, accounting (AAA), and Cisco Secure. Also, access-list filtering and PIX Firewall. |
| Controlling session replay | Control what TCP/IP sessions are authorized. Block SNMP, IP source routing, and finger services to outside hosts. |
| Controlling inbound | Filter internal addresses as the source from the outside world. Filter all private addresses. Filter Bootp, Trivial File Transfer Protocol (TFTP), and trace route. Allow TCP connections established from the inside network. Permit inbound traffic to the DMZ only. |
| Controlling outbound | Allow only valid IP addresses to the outside world and filter the remaining illegal addresses. |
| Packet filtering | Use predefined access lists that control the transmission of packets from any given interface, controlling Virtual Terminal lines (VTY) and access, and ensuring that routing updates are authenticated. |
Cisco IOS routers can filter TCP or UDP protocol types. Example 7-1 displays the TCP services you can filter on a Cisco IOS router using extended access lists.

Example 7-1 TCP Services Filtered on Cisco IOS Routers

R1(config)#access-list 100 permit tcp any any eq ?
  Port number
  Border Gateway Protocol (179)
  Character generator
  Remote commands (rcmd, 514)
  Daytime (13)
  Discard (9)
  Domain Name Service
  Echo (7)
  Exec (rsh, 512)
  Finger (79)
  File Transfer Protocol (21)
  FTP data connections (used infrequently, 20)
  Gopher (70)
  NIC hostname server
  Ident Protocol (113)
  Internet Relay Chat
  Kerberos login (543)
  Kerberos shell (544)
  Login (rlogin, 513)
  Printer service (515)
  Network News Transport Protocol (119)
  PIM Auto-RP (496)
  Post Office Protocol v2 (109)
  Post Office Protocol v3 (110)
  Simple Mail Transport Protocol (25)
  Sun Remote Procedure Call (111)
  Syslog (514)
  TAC Access Control System (49)
  Talk (517)
  Telnet (23)
  Time (37)
  Unix-to-Unix Copy Program (540)
  Nicname (43)
  World Wide Web (HTTP, 80)



Example 7-2 displays the extended access list when filtering services based on the UDP protocol suite of services.

Example 7-2 UDP Services Filtered on Cisco IOS Routers

R1(config)#access-list 101 permit udp any any eq ?
  Port number
  Biff (mail notification, comsat, 512)
  Bootstrap Protocol (BOOTP) client (68)
  Bootstrap Protocol (BOOTP) server (67)
  Discard (9)
  DNSIX security protocol auditing (195)
  Domain Name Service (DNS, 53)
  Echo (7)
  Internet Security Association and Key Management Protocol (500)
  Mobile IP registration (434)
  IEN116 name service (obsolete, 42)
  NetBios datagram service (138)
  NetBios name service (137)
  NetBios session service (139)
  Network Time Protocol (123)
  PIM Auto-RP (496)
  Routing Information Protocol (router, in.routed, 520)
  Simple Network Management Protocol (161)
  SNMP Traps (162)
  Sun Remote Procedure Call (111)
  System Logger (514)
  TAC Access Control System (49)
  Talk (517)
  Trivial File Transfer Protocol (69)
  Time (37)
  Who service (rwho, 513)
  X Display Manager Control Protocol (177)


Examples 7-1 and 7-2 clearly allow a network administrator flexibility when designing perimeter security based on particular port numbers, as defined in RFC 1700.
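As an added illustration of the inbound rules in Table 7-1 (this is example code written for this page, not code from the book or from Cisco IOS), the following Python model applies the anti-spoofing check, the filtered services from Examples 7-1 and 7-2, the established-session rule and the DMZ-only rule to constructed packets. The subnets, the blocked port set and the packet fields are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (not the book's figure values):
# the private LAN behind the firewall and the DMZ bastion host subnet.
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")
DMZ_NET = ipaddress.ip_network("203.0.113.0/28")
# RFC 1918 and loopback space: never a legitimate source on the outside interface.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Services Table 7-1 filters at the perimeter: Bootp, TFTP, SNMP/traps (UDP), finger (TCP).
BLOCKED_UDP = {67, 68, 69, 161, 162}
BLOCKED_TCP = {79}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    established: bool = False  # TCP ACK or RST set, i.e. a reply to an inside-opened session

def filter_inbound(pkt: Packet) -> tuple[bool, str]:
    """Apply the Table 7-1 inbound rules in order; return (permit, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: an outside packet must not carry an inside or private source.
    if src in INSIDE_NET or any(src in n for n in PRIVATE_NETS):
        return False, "spoofed internal/private source"
    # Explicitly filtered services.
    if pkt.proto == "udp" and pkt.dport in BLOCKED_UDP:
        return False, f"blocked udp/{pkt.dport}"
    if pkt.proto == "tcp" and pkt.dport in BLOCKED_TCP:
        return False, f"blocked tcp/{pkt.dport}"
    # Replies to TCP sessions the inside network opened (the ACL 'established' keyword).
    if pkt.proto == "tcp" and pkt.established and dst in INSIDE_NET:
        return True, "established inside session"
    # Anything else inbound is permitted only toward the DMZ bastion hosts.
    if dst in DMZ_NET:
        return True, "to DMZ"
    return False, "inbound to private network not permitted"

def audit(packets: list[Packet]) -> list[str]:
    """One log-style summary line per packet, as a perimeter device would record it."""
    return [f"{'PERMIT' if ok else 'DENY'} {p.proto}/{p.dport} {p.src}->{p.dst} ({why})"
            for p, (ok, why) in ((p, filter_inbound(p)) for p in packets)]
```

Traceroute, which Table 7-1 also lists, is left out here because it needs ICMP handling and a UDP port range rather than a single port.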

Network Address Translation and Port Address Translation



NAT is a router function that allows it to translate the addresses of hosts behind a firewall. This also helps to overcome IP address shortage. It also provides security by hiding the entire network and its real IP addresses.

NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into legal addresses on the outside (public) network.

PAT provides additional address expansion but is less flexible than NAT. With PAT, one IP address can be used for up to 64,000 hosts by mapping several IP port numbers to one IP address. PAT is secure because the inside hosts’ source IP addresses are hidden from the outside world. The perimeter router typically provides the NAT or PAT function.

NAT is defined in RFC 1631, www.ietf.org/rfc/rfc1631.txt. Cisco devices started supporting NAT in IOS versions 11.2 and higher. NAT basically provides the capability to retain your network’s original IP addressing scheme while translating that scheme into a valid Internet IP address to ensure that intruders never view your private address.

IOS 12.0 and higher support full NAT functionality in all images. Version 11.2 and higher need the “PLUS” image for a NAT feature set.

NAT changes the Layer 3 address when the packet is sent out to the Internet. This is a function no other protocol will do (that is, alter the Layer 3 source address).

For your review, to fully prepare you for the exam, Table 7-2 explains some of the terminology used in a NAT environment.

Table 7-2 NAT Terminology

| Term | Definition |
|---|---|
| Inside local address | An IP address that is assigned to a host on the internal network; that is, the logical address that is not being advertised to the Internet. A local administrator generally assigns this address. This address is NOT a legitimate Internet address. |
| Inside global address | A legitimate registered IP address, as assigned by the InterNIC. |
| Outside local | The IP address of a network’s outside host that is being translated as it appears to the inside network. |
| Outside global | The IP address assigned to a host on the outside of the network that is being translated by the host’s owner. |


Figure 7-2 displays a typical scenario where a private address space is deployed that requires Internet access. The Class A address space shown is not routable on the Internet.

Figure 7-2 Typical NAT Scenario [figure: the inside or private network and the outside network separated by R1, which holds the NAT table mapping each inside address to an InterNIC-assigned outside address, and so on]

The users in Figure 7-2 are configured with the inside local addresses ranging from to To allow Internet access, NAT (PAT could also be configured if only one IP address was allocated by InterNIC) is configured on Router R1 to permit the inside local addresses access to the Internet. Advantages of using NAT include the following:

You can hide the Class A address space.

It gives you the capability to connect a nonroutable network to the Internet.

You can use unregistered address space and NAT to the Internet.

You can use both NAT/PAT on the same router.

You can have 64,000 inside hosts per allocated IP address.

To view the NAT translation table on the Cisco router, apply the exec command show ip nat translations on the CLI interface.

The InterNIC is the Internet authority assigned the task of allocating IP address space to the public. In Figure 7-2, assume that the InterNIC assigned the address space for use.


NOTE Disadvantages of NAT/PAT include the following:

CPU processing power.

Layer 3 header and source address changes.

Voice over IP is not supported yet.

Some multimedia-intensive applications do not support NAT, especially when the inbound data stream takes a different path from the outbound one (for example, in multicast environments).

NAT Operation on Cisco Routers

When a packet leaves the inside network, NAT translates the inside address to a unique InterNIC address for use on the outside network, as shown in Figure 7-2.

The R1 router in Figure 7-2 will be configured for an address translation and will maintain a NAT table. When an IP packet returns from the outside network, the NAT router will then perform an address translation from the valid InterNIC address to the original local inside address.

Dynamic NAT Configuration Task List

Look at the steps required to configure Dynamic NAT on a Cisco router. Dynamic NAT maps any unregistered IP addresses to a registered IP address from a group of registered IP addresses.

The basic configuration tasks are as follows:

1. Determine the network addresses to be translated.

2. Configure the inside network with the following IOS command:

   ip nat inside

3. Configure the outside network with the following IOS command:

   ip nat outside

4. Define a pool of addresses to be translated with the following IOS command:

   ip nat pool <pool-name> <start ip address> <end ip address> <mask>

5. Define the addresses that are allowed to access the Internet with the following IOS command:

   ip nat inside source list <access list number> pool <pool name>


For a more specific illustration, configure NAT on Router R1. In Figure 7-2, the NAT pool name is going to be CCIE. (You can use any name you want.) Assume that the InterNIC has assigned you the Class C address of

Your Internet service provider (ISP) has also supplied you the unique address to use on your serial connection.

Example 7-3 provides a sample NAT configuration for this setup.

Example 7-3 Sample NAT Configuration on R1

hostname R1
!
ip nat pool CCIE netmask
ip nat inside source list 1 pool CCIE
!
interface ethernet0
 ip address
 ip nat inside
!
interface serial 0
 ip address
 ip address secondary
 ip nat outside
!
access-list 1 permit

It is assumed that you have an IP routing protocol to advertise the IP networks shown in the sample, which are and, to the remote ISP router through R1’s Serial 0 interface.

The configuration shown in Example 7-3 translates the inside addresses into globally unique addresses ranging from to

Monitoring NAT Operations with show Commands

To monitor the operation of NAT, you can use the following commands:

show ip nat translation [verbose]

show ip nat statistics

The show ip nat translation command displays the current active transactions. The show ip nat statistics command displays NAT statistics, such as how many translations are currently taking place.
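To make the translation table that R1 maintains concrete, here is an added Python model (written for this page, not code from the book or from IOS) of dynamic NAT from a pool with a fall-back to PAT on one shared address, covering both the outbound translation and the reverse lookup for returning packets. The pool addresses, the PAT address, the port numbering and the fall-back behaviour are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Translation:
    inside_local: str     # host's address on the private network
    inside_global: str    # InterNIC-assigned address seen on the Internet
    local_port: int
    global_port: int
    proto: str = "tcp"

class NatRouter:
    """Model of the table R1 keeps: dynamic NAT hands each inside host one pool
    address; when the pool is exhausted this model falls back to PAT (assumption)."""

    def __init__(self, pool, pat_address):
        self.free_pool = list(pool)
        self.pat_address = pat_address
        self.host_map = {}      # inside local -> pool address held by that host
        self.entries = {}       # (inside local, port, proto) -> Translation
        self.reverse = {}       # (inside global, port, proto) -> Translation
        self._pat_ports = count(1024)

    def outbound(self, src_ip, src_port, proto="tcp"):
        """Translate a packet leaving the inside network; returns (global ip, global port)."""
        key = (src_ip, src_port, proto)
        if key in self.entries:
            t = self.entries[key]
            return t.inside_global, t.global_port
        if src_ip in self.host_map:            # host already holds a pool address
            gip, gport = self.host_map[src_ip], src_port
        elif self.free_pool:                    # dynamic NAT: one-to-one, port unchanged
            gip, gport = self.free_pool.pop(0), src_port
            self.host_map[src_ip] = gip
        else:                                   # PAT: many hosts share one address by port
            gip, gport = self.pat_address, next(self._pat_ports)
        t = Translation(src_ip, gip, src_port, gport, proto)
        self.entries[key] = t
        self.reverse[(gip, gport, proto)] = t
        return gip, gport

    def inbound(self, dst_ip, dst_port, proto="tcp"):
        """Map a returning packet to the original inside local address and port, or None."""
        t = self.reverse.get((dst_ip, dst_port, proto))
        return (t.inside_local, t.local_port) if t else None  # None: unsolicited, dropped

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations' (constructed layout)."""
        return [f"{t.proto} {t.inside_global}:{t.global_port} {t.inside_local}:{t.local_port}"
                for t in self.entries.values()]
```

A real dynamic pool configured without overload stops translating once the pool is empty; the PAT fall-back is only a device of the model to show both mechanisms in one table.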

There are four different versions of NAT translations:

Static NAT—Maps an unregistered IP address to a registered IP address on a one-to-one basis. This is particularly useful when a device needs to be accessible from outside the network to an internal unregistered address.

Dynamic NAT—Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
