348 Chapter 7: Security Technologies
Public Key Infrastructure
In the new digital environment, a Public Key Infrastructure (PKI) ensures that sensitive electronic communications are private and protected from tampering. It provides assurances of the identities of the participants in those transactions, and prevents them from later denying participation in the transaction.
PKI provides the following assurances:
•Protects privacy by ensuring that intercepted data cannot be read; PKI cannot stop someone from intercepting the data, but data that cannot be read is of no use to the interceptor
•Assures the integrity of electronic communications by ensuring that they are not altered during transmission
•Verifies the identity of the parties involved in an electronic transmission
•Ensures that no party involved in an electronic transaction can deny involvement in the transaction
Before you send data over the public Internet, you want to make sure that the data, no matter how sensitive, won’t be read by the wrong party. PKI enables data to be sent encrypted by means of public key cryptography and digital signatures.
Public key cryptography ensures the confidentiality of sensitive information or messages by using a mathematical algorithm and a key to scramble (encrypt) data, and a related mathematical key to unscramble (decrypt) it. In public key cryptography, authorized users receive special encryption software and a pair of keys: one an accessible public key, and the other a private key, which the user must keep secret.
A digital signature (DSS) is an electronic identifier comparable to a traditional, paper-based signature: it is unique and verifiable, and only the signer can produce it.
Before any communication can take place, both parties involved in the data communication must obtain a digital certificate from a Certification Authority (CA), a trusted third party responsible for issuing digital certificates and managing them throughout their lifetime.
Consider the following example: a user named Simon wants to communicate with a user named Sharon. Simon already has his digital certificate, but Sharon has yet to obtain one. Sharon must identify herself to the CA to obtain a certificate, much as you must prove your identity to obtain a passport before you travel. When Sharon obtains her digital certificate, it contains a copy of her public key, the certificate’s expiration date, and the CA’s digital signature. Each of these details is public.
Sharon also receives a private key, which is not shared with anyone. Now that both parties have a DSS, either can encrypt data with the other’s public key, and only the holder of the matching private key can decrypt it. Pretty Good Privacy (PGP), an application layer tool, is an excellent example of this type of communication. I suggest you install the software (free demonstration version) and try PKI for yourself. You can find the free software at www.pgp.com.
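The Simon/Sharon/CA exchange just described, as an added example that is not from the book: the CA issues Sharon a certificate (name, public key, expiry, CA signature), Simon validates it before trusting the key inside, then encrypts to Sharon’s public key and only her private key decrypts. It uses toy, unpadded RSA over SHA-256 with a dict standing in for an X.509 certificate; the function names, key sizes and sample values are assumptions constructed for the illustration.

```python
# Added example, not from the book: the CA / Simon / Sharon exchange above with toy unpadded RSA.
import hashlib, math, random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test for odd n > 3 (write n - 1 = d * 2**r, d odd)."""
    low = (n - 1) & (1 - n)                      # lowest set bit of n - 1
    d, r = (n - 1) // low, low.bit_length() - 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False                         # a witness that n is composite
    return True

def generate_keypair(bits=512):
    """Return (public, private) as ((e, n), (d, n)); the private key stays with its owner."""
    half, e = bits // 2, 65537
    candidates = iter(lambda: random.getrandbits(half) | (1 << (half - 1)) | 1, None)
    primes = filter(_is_probable_prime, candidates)     # random odd numbers that pass the test
    while True:
        p, q = next(primes), next(primes)
        if math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def _digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(private, data): return pow(_digest(data), *private)              # needs the private key
def verify(public, data, sig): return pow(sig, *public) == _digest(data)  # anyone can check
def _tbs(subject, public, expires):      # the certificate fields the CA's signature covers
    return f"{subject}|{public[0]}|{public[1]}|{expires}".encode()

def issue_certificate(ca_private, subject, public, expires):
    """The CA binds a name, a public key and an expiry date together under its own signature."""
    return {"subject": subject, "public": public, "expires": expires,
            "ca_signature": sign(ca_private, _tbs(subject, public, expires))}

def validate_certificate(cert, ca_public, now):
    """Simon's check before trusting Sharon's key: not expired, and genuinely signed by the CA."""
    tbs = _tbs(cert["subject"], cert["public"], cert["expires"])
    return now < cert["expires"] and verify(ca_public, tbs, cert["ca_signature"])

def encrypt(public, message): return pow(int.from_bytes(message, "big"), *public)  # recipient's key
def decrypt(private, ciphertext):        # only the matching private key recovers the message
    m = pow(ciphertext, *private)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def exchange(message=b"Hello Sharon", now=1_000_000):
    """Constructed run of the scenario: (cert valid, forged cert valid, plaintext Sharon recovers)."""
    ca_public, ca_private = generate_keypair()
    sharon_public, sharon_private = generate_keypair()
    cert = issue_certificate(ca_private, "Sharon", sharon_public, expires=now + 86400)
    forged = dict(cert, public=generate_keypair()[0])    # same name, someone else's key substituted
    ciphertext = encrypt(cert["public"], message)        # Simon encrypts for Sharon
    return (validate_certificate(cert, ca_public, now),
            validate_certificate(forged, ca_public, now), decrypt(sharon_private, ciphertext))
```

The forged certificate fails only because the CA’s signature no longer matches, which is the whole reason Simon checks the certificate before using the key in it.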
Virtual Private Networks
A virtual private network (VPN) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses “tunneling” to encrypt all information at the IP level.
VPN is very loosely defined as a network in which a customer or end user connects to one or more sites through a public infrastructure, such as the Internet or World Wide Web.
We have already discussed dialup VPNs or Virtual Private Dialup Network (VPDN) in Chapter 5, “Security Protocols.”
VPNs are typically set up permanently between two or more sites. Figure 7-6 displays a typical VPN design.
Figure 7-6 VPN Model (figure not reproduced): the Central Site router, Alpha, in private address space, connects across the Internet or current service provider infrastructure (public address space; the 131.108.1.0/30 link) through VPN tunnels to Remote Site routers, including Beta, each in its own private address space.
Figure 7-6 displays a typical hub (central site) to spoke (remote site) model, where all existing public infrastructure transports data. IP generic routing encapsulation (GRE) tunnels can be set up between the hub and spoke routers, and any protocol can run over the IP tunnel.
Consider an example in which the central site router, Alpha, needs to communicate with the remote site router, Beta.
At no time should the private address space be advertised to any public domain. Assuming that IP routing is enabled and configured, we can configure an IP GRE tunnel between Alpha and Beta.
Assume that you have a client who wants to create a VPN across your network. The client’s main network is attached via Alpha over the Internet IP cloud. The client has a group of employees in their own IP space on the Ethernet interface. The client has a classless interdomain routing (CIDR) block of 192.1.64.0/20 for the network attached to the Alpha router, and the CIDR block 141.108.32.0/20 to the network attached to the Beta router. The network 131.108.1.0/30 is assigned between the routers and is pingable.
Example 7-9 configures Alpha with a GRE tunnel pointing to the remote IP address 131.108.1.2/30 (Beta’s Serial IP address) and uses 131.108.1.5 for the loopback interface.
Example 7-9 Alpha GRE Tunnel
hostname Alpha
!
interface Loopback0
 ! 131.108.1.5/32 as the text states; 131.108.1.1/32 would overlap Serial0's 131.108.1.0/30 and be rejected
 ip address 131.108.1.5 255.255.255.255
!
! IP GRE tunnel configuration follows
interface Tunnel0
 ip address 192.1.64.1 255.255.255.0
 ! sourced from the public serial address so that Beta's tunnel (destination 131.108.1.1) matches it
 tunnel source Serial0
 tunnel destination 131.108.1.2
!
interface Ethernet0/0
 ! /24 rather than /21 so the LAN does not overlap the tunnel's 192.1.64.0/24
 ip address 192.1.65.1 255.255.255.0
!
interface Serial0
 description Link to Beta via Internet Cloud
 ip address 131.108.1.1 255.255.255.252
!
router ospf 1
 ! 0.0.15.255 is the wildcard for the 192.1.64.0/20 block, covering Tunnel0 and Ethernet0/0
 network 192.1.64.0 0.0.15.255 area 0
!
end
Example 7-10 configures Beta with a GRE tunnel pointing to the remote IP address 131.108.1.1/30 and 131.108.1.6/32 for loopback use.
Example 7-10 Beta GRE Tunnel
hostname Beta
!
interface Loopback0
 ! 131.108.1.6/32 as the text states; 131.108.1.2/32 would overlap Serial0's subnet and be rejected
 ip address 131.108.1.6 255.255.255.255
!
! IP GRE tunnel configuration follows
interface Tunnel0
 ip address 192.1.64.2 255.255.255.0
 ! sourced from the public serial address, matching Alpha's tunnel destination 131.108.1.2
 tunnel source Serial0
 tunnel destination 131.108.1.1
!
interface Ethernet0/0
 ip address 141.108.32.1 255.255.240.0
!
interface Serial0
 description Link to Alpha via Internet Cloud
 ip address 131.108.1.2 255.255.255.252
!
router ospf 1
 network 141.108.0.0 0.0.255.255 area 0
 ! the tunnel subnet must be in OSPF on this side too, or no adjacency forms with Alpha over Tunnel0
 network 192.1.64.0 0.0.0.255 area 0
!
end
The IP GRE tunnel is now configured between the routers Alpha and Beta. Although the source and destination of the VPN tunnel use public address space, the reserved CIDR block 192.1.64.0/20 is neither advertised nor routable over the public domain. The private traffic can now flow between the hub site and the remote site securely. You can also transport other non-IP protocols over the VPN tunnel, such as Internetwork Packet Exchange (IPX) or AppleTalk. IP GRE tunnels support only IPX or AppleTalk.
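To make the tunnel concrete, the following Python (added here, not from the book) hand-builds the packet Alpha puts on the wire when a host behind it talks to a host behind Beta, and the check Beta applies before decapsulating: an outer IPv4 header carrying the public tunnel endpoints, a 4-byte GRE header (RFC 2784, IP protocol 47), and the original private-address packet inside. It also makes the caveat visible: GRE encapsulates but does not encrypt, so the inner packet is readable by anyone on the public path unless IPSec (Chapter 5) is applied to the tunnel. The host addresses, the sample ICMP payload and the function names are constructed for the example.

```python
# Added example, not from the book: hand-built GRE encapsulation (RFC 2784, IP protocol 47).
import socket, struct

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload

def ip_checksum(header):
    """One's-complement checksum of an IPv4 header; returns 0 when checking a valid header."""
    if len(header) % 2: header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16: total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What 'tunnel source/destination' does: outer IP header + GRE header + untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)     # no checksum/key/sequence, GRE version 0
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet, local, remote):
    """Return the inner packet if this tunnel would accept it, else None (the router drops it).
    As on IOS, a GRE packet is matched to a tunnel by its outer source/destination pair."""
    if len(packet) < 20: return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4: return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if (packet[9] != GRE_PROTO or (src, dst) != (remote, local)
            or ip_checksum(packet[:ihl]) != 0                  # damaged outer header
            or flags & 0x0007 or ptype != ETHERTYPE_IPV4):     # version 0, IPv4 inside only
        return None
    return packet[ihl + 4:]

def inner_addresses(packet):
    """Source and destination of any IPv4 packet, outer or inner."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def demo():
    """Constructed sample: a host behind Alpha pings a host behind Beta through the tunnel."""
    inner = ipv4_header("192.1.65.10", "141.108.32.10", 1, 8) + b"\x08\x00\x00\x00PING"
    outer = gre_encapsulate(inner, "131.108.1.1", "131.108.1.2")                    # Alpha wraps
    recovered = gre_decapsulate(outer, local="131.108.1.2", remote="131.108.1.1")  # Beta unwraps
    return outer, recovered
```

Searching the outer packet for the ICMP payload finds it in the clear, which is the property IPSec adds on top of GRE.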