352 Chapter 7: Security Technologies
Foundation Summary
The “Foundation Summary” is a condensed collection of material for a convenient review of this chapter’s key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the “Foundation Topics” material, the “Foundation Summary” will help you recall a few details. If you just read the “Foundation Topics” section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the “Foundation Summary” offers a convenient way to do a quick final review.
Table 7-12 Perimeter or Firewall Router Functions
|
To Protect |
|
Method |
|
|
|
|
|
Sniffer or snooping capabilities |
Control eavesdropping with TCP/IP service and network layer |
|
|
|
|
encryption (IPSec). |
|
|
|
|
|
Control unauthorized access |
Use AAA and Cisco Secure. Also, access-list filtering and PIX |
|
|
|
|
Firewall. |
|
|
|
|
|
Controlling session replay |
Control what TCP/IP sessions are authorized. Block SNMP, IP |
|
|
|
|
source routing, and finger services to outside hosts. |
|
|
|
|
|
Controlling inbound |
Filter the internal address as the source from the outside world. |
|
|
connections |
|
Filter all private addresses. |
|
|
|
Filter Bootp, TFTP, and trace route commands. |
|
|
|
Allow TCP connections established from the inside network. |
|
|
|
Permit inbound traffic to DMZs only. |
|
|
|
|
|
Controlling outbound |
Allow only valid IP addresses to the outside world; filter remaining |
|
|
connections |
|
illegal addresses. |
|
|
|
|
|
Packet filtering |
Use predefined access lists that control the transmission of packets |
|
|
|
|
from any given interface, control VTY access, and ensure routing |
|
|
|
updates are authenticated. |
|
|
|
|
Table 7-13 NAT Configuration Steps |
|
||
|
|
|
|
|
Step |
Description |
|
|
|
|
|
|
1 |
Determine the network addresses to be translated. |
|
|
|
|
|
|
2 |
Configure the inside network with the IOS ip nat inside command. |
|
|
|
|
|
|
3 |
Configure the outside network with the IOS ip nat outside command. |
|
|
|
|
|
|
4 |
Define a pool of addresses to be translated with the following IOS command: |
|
|
|
ip nat pool pool-name start ip address end ip address mask |
|
|
|
|
|
|
5 |
Define the addresses allowed to access the Internet with the following IOS command: |
|
|
|
ip nat inside source list access list number pool pool name |
|
|
|
|
|
Foundation Summary 353
Table 7-14 Cisco PIX Model Numbers
PIX 501
PIX 506/506E
PIX 515/515E
PIX 520 (in current CCIE lab)
PIX 525
PIX 535
Table 7-15 PIX Configuration Steps
|
Step |
Description |
||
|
|
|
|
|
|
1 |
Name the inside/outside interfaces and security levels. |
||
|
|
|
|
|
|
2 |
Identify the hardware interfaces and speed/duplex. |
||
|
|
|
|
|
|
3 |
Define the IP address for inside and outside interfaces. |
||
|
|
|
|
|
|
4 |
Define NAT/PAT. |
||
|
|
|
|
|
|
5 |
Define the global pool. |
||
|
|
|
|
|
|
6 |
Define the IP route path. |
||
|
|
|
|
|
|
7 |
Define static/conduits or static/access lists (for outside networks to access inside hosts or |
||
|
|
networks). |
|
|
|
|
|
|
|
Table 7-16 PIX Command Options |
|
|||
|
|
|
|
|
|
Option |
|
|
Description |
|
|
|
|
|
|
ca |
|
|
Configures the PIX Firewall to interoperate with a Certification Authority |
|
|
|
|
(CA). |
|
|
|
|
|
|
clear xlate |
|
|
Clears the contents of the translation slots. |
|
|
|
|
|
|
show xlate |
|
|
Displays NAT translations. The show xlate command displays the contents of |
|
|
|
|
only the translation slots. |
|
|
|
|
|
|
crypto dynamic-map |
|
Create, view, or delete a dynamic crypto map entry with this command. |
|
|
|
|
|
|
|
failover [active] |
|
Use the failover command without an argument after you connect the |
|
|
|
|
|
optional failover cable between your primary firewall and a secondary |
|
|
|
|
firewall. |
|
|
|
|
|
|
fixup protocol |
|
The fixup protocol commands let you view, change, enable, or disable the |
|
|
|
|
|
use of a service or protocol through the PIX Firewall. |
|
|
|
|
|
|
kill |
|
|
Terminate a Telnet session. Telnet sessions to the PIX must be enabled and |
|
|
|
|
are sent as clear text. |
|
|
|
|
|
|
telnet ip_address |
|
Specify the internal host for PIX Firewall console access through Telnet. |
|
|
[netmask] [if_name] |
|
|
|
|
|
|
|
|
354 Chapter 7: Security Technologies
Table 7-17 Cisco IOS Feature Set
Feature |
Function |
|
|
CBAC |
Provides internal users secure, per-application-based access control |
|
for all traffic across perimeters, such as between private enterprise |
|
networks and the Internet. CBAC supports the following: |
|
Telnet |
|
SMNPSNMP-GDL |
|
TFTP |
|
SMTP |
|
Finger |
|
Java Blocking |
|
Oracle SQL |
|
RealAudio |
|
H.323 |
|
|
Java blocking |
Java blocking protects against unidentified, malicious Java applets. |
|
|
Denial-of-service detection |
Defends and protects router resources against common attacks, |
and prevention |
checking packet headers and dropping suspicious packets. |
|
|
Audit trail |
Details transactions, recording time stamp, source host, destination |
|
host, ports, duration, and total number of bytes transmitted. |
|
|
Real-time alerts |
Log alerts in case of denial-of-service attacks or other preconfigured |
|
conditions (intrusion detection). |
|
|
Firewall |
An Internet firewall or part of an Internet firewall. |
|
|
Q & A 355
Q & A
The Q & A questions are designed to help you assess your readiness for the topics covered on the CCIE Security written examination and those topics presented in this chapter. This format helps you assess your retention of the material. A strong understanding of the answers to these questions will help you on the CCIE Security written exam.You can also look over the questions at the beginning of the chapter again for review. As an additional study aid, use the CD-ROM provided with this book to take simulated exams, which draw from a database of over 300 multiple-choice questions—all different from those presented in the book.
Select the best answer. Answers to these questions can be found in Appendix A, “Answers to Quiz Questions.”
1What does the term DMZ refer to?
2What is the perimeter router’s function in a DMZ?
3What two main transport layer protocols do extended access lists filter traffic through?
4Which of the following is not a TCP service?
a.Ident
b.ftp
c.pop3
d.pop2
e.echo
356 Chapter 7: Security Technologies
5Name five UDP services that can be filtered with an extended access-list.
6What RFC defines NAT?
7In NAT, what is the inside local address used for?
8What does the IOS command ip nat inside source list accomplish?
9What are the four possible NAT translations on a Cisco IOS router?
10How many connections can be translated with a PIX Firewall for the following RAM configurations: 16 MB, 32MB, or 128MB?
11When the alias command is applied to a PIX, what does it accomplish?
Q & A 357
12What security features does the Cisco IOS Firewall feature set allow a network administrator to accomplish?
13What does CBAC stand for?
14Name the eight possible steps to take when configuring CBAC.
15What is a virtual private network?