358 Chapter 7: Security Technologies

Scenario

Scenario 7-1: Configuring a Cisco PIX for NAT

The following configuration is installed on a PIX 520. Users from the inside network 10.0.0.0/8 report to you that they cannot browse the Internet. What is the problem, and what command or commands will rectify the problem?

pix# write terminal

nameif ethernet0 outside security0 nameif ethernet1 inside security100

hostname pix

fixup protocol ftp 21 fixup protocol http 80 fixup protocol smtp 25 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol sqlnet 1521 logging timestamp

no logging standby logging console debugging no logging monitor logging buffered debugging no logging trap

logging facility 20 logging queue 512 interface ethernet0 10full interface ethernet1 10full mtu outside 1500

mtu inside 1500

ip address inside 201.201.201.1 255.255.255. ip address outside 131.108.1.1 255.255.255.0 route inside 10.0.0.0 255.0.0.0 201.201.201.2 route outside 0.0.0.0 0.0.0.0 131.018.1.2

no failover

failover timeout 0:00:00

failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 arp timeout 14400

global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224 no rip outside passive

no rip outside default no rip inside passive no rip inside default

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00 timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:00:00 absolute no snmp-server location

no snmp-server contact snmp-server community public no snmp-server enable traps telnet timeout 5

terminal width 80 : end

Scenario 7-1 Solution 359

Scenario Answer

Scenario 7-1 Solution

Cisco PIX Firewalls need to NAT any nonregistered IP address space. In particular, the Class A 10.0.0.0/8 is not routable in the Internet, so you must use NAT to permit access, or you could re-address your entire network, which clearly is not an exercise you will do often.

The following command will NAT all inside addresses:

nat (inside) 1 0.0.0.0 0.0.0.0

Before you can access the Internet, you must also tell the PIX (remember the PIX is not as intelligent as a router; RIP can be configured by the network administrator), and you must route IP data with the command shown here:

route outside 0.0.0.0 0.0.0.0 <default-gateway>

This command installs a default route where IP datagrams will be sent, typically, the perimeter router or ISP router.

C H A P T E R 8

Network Security Policies,

Vulnerabilities, and Protection

This chapter reviews today’s most common Cisco security policies and mechanisms available to the Internet community to combat cyber attacks. The standard security body, CERT/CC, is covered along with descriptions of Cisco IOS-based security methods that ensure that all attacks are reported and acted upon. Cisco Security applications, such as Intrusion Detection System, are covered to lay the foundations you need to master the topics in the CCIE Security written exam.

This chapter covers the following topics:

•Network security policies—Standard security policies that should be deployed in any IP network.

•Standards bodies and incident response teams—Some of the standard bodies designed to help the Internet community tackle intrusion; the forums and e-mail aliases that can help a network security architect.

•Vulnerabilities, Attacks, and Common Exploits—Some of the vulnerabilities and methods that exploit IP networks; some common attacks that exploit data and how that data is retrieved and modified.

•Intrusion Detection System (IDS)—How IDS (Cisco IDS strategies, in particular) can be implemented to help deter intruders from gaining access to secure data.

•Protecting Cisco IOS from Intrusion—Some of the standard configurations that every IOS-enabled router connected to the Internet should consider to avoid intruders gaining access to unauthorized material.

“Do I Know This Already?” Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all these questions, you might want to skim the “Foundation Topics” section and return to it later, as necessary. Review the “Foundation Summary” section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, you should read through the entire “Foundation Topics” section and review it until you feel comfortable with your ability to answer all these and the “Q & A” questions at the end of the chapter.

“Do I Know This Already?” Quiz 363

5What is the primary responsibility of CERT/CC?

a.Define access lists for use on routers

b.Set security standards

c.Coordinate attacks on secure networks

d.Maintain a security standard for networks

e.Nothing to do with security

6Who can use network scanners and probes? (Select the best two answers.)

a.Intruders

b.Security managers

c.End users

d.Cable service providers

7What is a bastion host?

a.Firewall device supported by Cisco only

b.Network’s last line of defense

c.Network’s first line of defense

d.IP host device designed to route IP packets

8A TCP SYN attack is what type of attack?

a.ICMP

b.DoS

c.Telnet/Kerberos attack

d.Ping attack only

9When an intruder sends a large amount of ICMP echo (ping) traffic using IP broadcasts, this type of DoS attack is known as what?

a.Bastion

b.Land.C

c.Man in the middle

d.Smurf

e.Ping of death