File: CCIE Self Study CCIE Security Exam Certification Guide - Cisco press.pdf

358 Chapter 7: Security Technologies


Scenario 7-1: Configuring a Cisco PIX for NAT

The following configuration is installed on a PIX 520. Users from the inside network report to you that they cannot browse the Internet. What is the problem, and what command or commands will rectify the problem?

pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 255.255.255.
ip address outside
route inside
route outside
no failover
failover timeout 0:00:00
failover ip address outside
failover ip address inside
arp timeout 14400
global (outside) 1 netmask
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end


Scenario Answer

Scenario 7-1 Solution

Cisco PIX Firewalls need to NAT any nonregistered IP address space. In particular, the Class A network in use here is not routable on the Internet, so you must use NAT to permit access; the alternative is to re-address your entire network, which clearly is not an exercise you will do often.

The following command will NAT all inside addresses:

nat (inside) 1

Before you can access the Internet, you must also tell the PIX where to send traffic (remember that the PIX is not as intelligent as a router, although RIP can be configured by the network administrator); you route IP data with the command shown here:

route outside <default-gateway>

This command installs a default route, the next hop to which IP datagrams are sent when no more specific route exists; typically this is the perimeter router or the ISP router.
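As an added example that is not from the book, the following Python audit applies the scenario's reasoning to a `write terminal` dump: every `global (outside) <id>` pool needs a matching `nat (inside) <id>` statement, and the PIX needs a default route via `route outside`. The sample configuration and its addresses (10.1.1.x, 192.0.2.x) are constructed here, since the scan dropped the original values.

```python
import re

# Constructed sample (not the book's exact config): the scenario's relevant
# lines, with the address values the scan dropped replaced by placeholders.
PIX_CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.255.255.0
ip address outside 192.0.2.1 255.255.255.0
global (outside) 1 192.0.2.10 netmask 255.255.255.255
"""

# The same config with the two commands from the solution applied.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + """\
nat (inside) 1 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.254
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
# PIX accepts both "0.0.0.0 0.0.0.0" and the shorthand "0 0" for the default route.
DEFAULT_ROUTE_RE = re.compile(r"^route outside (?:0\.0\.0\.0|0) (?:0\.0\.0\.0|0) \S+")

def audit_pix_nat(config):
    """Return findings that explain why inside hosts could not reach the Internet."""
    global_ids, nat_ids = set(), set()
    has_default_route = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := NAT_RE.match(line):
            # nat id 0 is the identity/no-NAT exemption and pairs with no global pool.
            if m.group(2) != "0":
                nat_ids.add(m.group(2))
        elif DEFAULT_ROUTE_RE.match(line):
            has_default_route = True
    findings = []
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global (outside) {gid} has no matching 'nat (inside) {gid}' statement")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat (inside) {nid} references a global pool {nid} that does not exist")
    if not has_default_route:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <default-gateway>'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        print(name, audit_pix_nat(cfg) or ["OK"])
```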

Exam Topics in This Chapter

53 Standards Bodies

54 Incident Response Teams

55 Vulnerability Discussions

56 Attacks and Common Exploits

57 Intrusion Detection

Chapter 8

Network Security Policies, Vulnerabilities, and Protection

This chapter reviews today’s most common Cisco security policies and the mechanisms available to the Internet community to combat cyber attacks. The standard security body, CERT/CC, is covered along with descriptions of Cisco IOS-based security methods that ensure that all attacks are reported and acted upon. Cisco security applications, such as the Intrusion Detection System (IDS), are covered to lay the foundations you need to master the topics in the CCIE Security written exam.

This chapter covers the following topics:

Network security policies—Standard security policies that should be deployed in any IP network.

Standards bodies and incident response teams—Some of the standard bodies designed to help the Internet community tackle intrusion; the forums and e-mail aliases that can help a network security architect.

Vulnerabilities, Attacks, and Common Exploits—Some of the vulnerabilities and methods that exploit IP networks; some common attacks that exploit data and how that data is retrieved and modified.

Intrusion Detection System (IDS)—How IDS (Cisco IDS strategies, in particular) can be implemented to help deter intruders from gaining access to secure data.

Protecting Cisco IOS from Intrusion—Some of the standard configurations that every IOS-enabled router connected to the Internet should consider to avoid intruders gaining access to unauthorized material.

“Do I Know This Already?” Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all these questions, you might want to skim the “Foundation Topics” section and return to it later, as necessary. Review the “Foundation Summary” section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, you should read through the entire “Foundation Topics” section and review it until you feel comfortable with your ability to answer all these and the “Q & A” questions at the end of the chapter.

362 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

Answers to these questions can be found in Appendix A, “Answers to Quiz Questions.”

1. A remote user tries logging into a remote network but fails after three additional tries and is disconnected. What useful information should the network administrator gather? (Select the best two answers.)

b. Invalid password

c. Invalid username

d. Valid username

2. What is the first step that should be implemented in securing any network?

a. Create a database of secure passwords.

b. Create the IP address scheme.

c. Run NetRanger or NetSonar.

d. Define a security policy.

e. Configure access lists on all routers.

3. What primary security method can be designed and deployed to secure and protect any IP network after an attack has been documented?

a. Security policy

b. IP policy

e. Logging passwords

4. A security administrator notices that a log file stored on a local router has increased in size from 32 k to 64 k in a matter of seconds. What should the network administrator do?

a. Increase the buffer to 64 k.

b. Decrease the buffer to 16 k.

c. Log the event as suspicious and notify the incident response team.

d. Nothing, this is normal.

e. Both a and b are correct.


5. What is the primary responsibility of CERT/CC?

a. Define access lists for use on routers

b. Set security standards

c. Coordinate attacks on secure networks

d. Maintain a security standard for networks

e. Nothing to do with security

6. Who can use network scanners and probes? (Select the best two answers.)

b. Security managers

c. End users

d. Cable service providers

7. What is a bastion host?

a. Firewall device supported by Cisco only

b. Network’s last line of defense

c. Network’s first line of defense

d. IP host device designed to route IP packets

8. A TCP SYN attack is what type of attack?

c. Telnet/Kerberos attack

d. Ping attack only

9. When an intruder sends a large amount of ICMP echo (ping) traffic using IP broadcasts, this type of DoS attack is known as what?

c. Man in the middle

e. Ping of death


10. What kind of attack sends a large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash?

a. Ping of death

d. Man in the middle

e. Birthday attack

11. In the context of intrusion detection, what is an exploit signature?

a. DoS attack

b. An attack that is recognized and detected on the network

c. The same as a Smurf attack

d. The same as a man in the middle attack

12. To stop spam e-mail from overwhelming an e-mail server, what step can you take?

a. Ask the ISP for help.

b. Nothing, because spam e-mail is too difficult to stop to be worth the effort.

c. Install an intrusion detection system that has a signature for spam e-mail.

d. Nothing, because the client software takes care of this.

e. Change the IOS code.

f. Configure the bastion host to stop spam e-mail.
