- CCIE Security Written Exam Blueprint
- General Networking Topics
- “Do I Know This Already?” Quiz
- Foundation Topics
- Networking Basics—The OSI Reference Model
- Ethernet Overview
- Internet Protocol
- Variable-Length Subnet Masks
- Classless Interdomain Routing
- Transmission Control Protocol
- TCP Services
- Routing Protocols
- ISDN
- IP Multicast
- Asynchronous Communications and Access Devices
- Foundation Summary
- Requirements for FastEther Channel
- Scenario
- Scenario 2-1: Routing IP on Cisco Routers
- Scenario Answers
- Scenario 2-1 Answers: Routing IP on Cisco Routers
- Application Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Domain Name System
- Trivial File Transfer Protocol
- File Transfer Protocol
- Hypertext Transfer Protocol
- Secure Socket Layer
- Simple Network Management Protocol
- Simple Mail Transfer Protocol
- Network Time Protocol
- Secure Shell
- Foundation Summary
- Scenario
- Scenario Answers
- Scenario 3-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- Cisco Hardware
- show and debug Commands
- Password Recovery
- Basic Security on Cisco Routers
- IP Access Lists
- Foundation Summary
- Scenario
- Scenario Answers
- Security Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos
- Virtual Private Dial-Up Networks (VPDN)
- Encryption Technology Overview
- Internet Key Exchange (IKE)
- Foundation Summary
- Scenario
- Scenario 5-1: Configuring Cisco Routers for IPSec
- Scenario Answers
- Scenario 5-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- UNIX
- Microsoft NT Systems
- Common Windows DOS Commands
- Cisco Secure for Windows and UNIX
- Cisco Secure Policy Manager
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner
- Cisco Security Wheel
- Foundation Summary
- Scenarios
- Scenario 6-1: NT File Permissions
- Scenario 6-2: UNIX File Permissions
- Scenario Answers
- Scenario 6-1 Solution
- Scenario 6-2 Solution
- Security Technologies
- “Do I Know This Already?” Quiz
- Foundation Topics
- Advanced Security Concepts
- Cisco Private Internet Exchange (PIX)
- Cisco IOS Firewall Security Feature Set
- Public Key Infrastructure
- Virtual Private Networks
- Foundation Summary
- Scenario
- Scenario Answer
- Scenario 7-1 Solution
- “Do I Know This Already?” Quiz
- Foundation Topics
- Network Security Policies
- Standards Bodies and Incident Response Teams
- Vulnerabilities, Attacks, and Common Exploits
- Intrusion Detection System
- Protecting Cisco IOS from Intrusion
- Foundation Summary
- Scenario
- Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
- Scenario Answer
- Scenario 8-1 Solution
358 Chapter 7: Security Technologies
Scenario
Scenario 7-1: Configuring a Cisco PIX for NAT
The following configuration is installed on a PIX 520. Users on the inside network 10.0.0.0/8 report that they cannot browse the Internet. What is the problem, and what command or commands will rectify it?
pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 201.201.201.1 255.255.255.
ip address outside 131.108.1.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 201.201.201.2
route outside 0.0.0.0 0.0.0.0 131.018.1.2
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end
Scenario Answer
Scenario 7-1 Solution
A Cisco PIX Firewall must translate any unregistered (RFC 1918 private) address space before inside hosts can reach the Internet. The inside network here, the Class A 10.0.0.0/8, is not routable on the Internet, so you must use NAT; the only alternative is to re-address the entire network, which is rarely practical.
The configuration defines an outside address pool with global (outside) 1 ..., but no nat statement references pool ID 1, so no inside host can build a translation (xlate) and every outbound connection fails. The following command translates all inside addresses through pool 1:
nat (inside) 1 0.0.0.0 0.0.0.0
Inside hosts also need a usable path to the Internet. Remember that the PIX is not a router: it does not learn routes dynamically (its RIP support is limited to the passive and default options the administrator configures), so outbound traffic depends on a static default route:
route outside 0.0.0.0 0.0.0.0 <default-gateway>
This command installs the default route to which the PIX forwards IP datagrams for unknown destinations, typically the perimeter router or ISP router on the outside segment. The gateway must be on the outside interface's own subnet. In this configuration the outside interface is 131.108.1.1/24, but the existing default route points to 131.018.1.2, which is not an address on 131.108.1.0/24, so the default route must be corrected to the real gateway on that subnet.
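As an added example (not part of the book's scenario or Cisco's own tooling), the following Python script applies the two checks the solution walks through to a PIX configuration dump: every global pool ID must be selected by a nat statement, and the next hop of every static route must lie on the subnet of the interface the route is bound to. The sample configurations are constructed to mirror Scenario 7-1; the inside interface mask is assumed to be 255.255.255.0, which the extracted configuration does not show. On Python 3.9.5 and later the gateway 131.018.1.2 is rejected outright as an address with a leading-zero octet; on older versions it parses as 131.18.1.2 and fails the subnet check instead, so the script reports the route either way.

```python
"""Lint a Cisco PIX configuration for two faults: a global pool with no matching
nat statement, and a static route whose next hop is not on its interface's subnet.

Added example; not from the book.  The sample configs are constructed to mirror
Scenario 7-1 (the inside mask is assumed to be 255.255.255.0)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the Scenario 7-1 configuration trimmed to the lines the
# checks care about.  Inside mask assumed to be 255.255.255.0.
BROKEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 201.201.201.1 255.255.255.0
ip address outside 131.108.1.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 201.201.201.2
route outside 0.0.0.0 0.0.0.0 131.018.1.2
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
"""

# Same config with the two fixes from the solution applied
# (corrected default gateway and a nat statement selecting pool 1).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "route outside 0.0.0.0 0.0.0.0 131.018.1.2",
    "route outside 0.0.0.0 0.0.0.0 131.108.1.2",
) + "nat (inside) 1 0.0.0.0 0.0.0.0\n"

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")  # optional metric
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")


def parse_pix_config(text: str):
    """Return (interfaces, routes, global_ids, nat_ids) extracted from a PIX config."""
    interfaces: Dict[str, Tuple[str, str]] = {}   # nameif -> (ip, mask)
    routes: List[Tuple[str, str, str, str]] = []  # (iface, network, mask, gateway)
    global_ids: Dict[int, str] = {}               # pool id -> interface of the pool
    nat_ids: Dict[int, str] = {}                  # pool id -> interface being translated
    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.match(line):
            interfaces[m.group(1)] = (m.group(2), m.group(3))
        elif m := ROUTE_RE.match(line):
            routes.append(m.groups())
        elif m := GLOBAL_RE.match(line):
            global_ids[int(m.group(2))] = m.group(1)
        elif m := NAT_RE.match(line):
            nat_ids[int(m.group(2))] = m.group(1)
    return interfaces, routes, global_ids, nat_ids


def check_pix_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    interfaces, routes, global_ids, nat_ids = parse_pix_config(text)
    findings: List[str] = []

    # Check 1: a global pool does nothing unless a nat statement with the same ID selects it.
    for pool_id, iface in sorted(global_ids.items()):
        if pool_id not in nat_ids:
            findings.append(
                f"global ({iface}) {pool_id} has no matching nat statement; inside hosts "
                f"cannot build translations (add e.g. 'nat (inside) {pool_id} 0.0.0.0 0.0.0.0')"
            )

    # Check 2: a static route's next hop must be on the subnet of the interface it names.
    for iface, net, mask, gw in routes:
        if iface not in interfaces:
            findings.append(f"route {iface} {net} {mask} {gw}: interface {iface} has no ip address")
            continue
        if_ip, if_mask = interfaces[iface]
        try:
            subnet = ipaddress.IPv4Interface(f"{if_ip}/{if_mask}").network
            gw_addr = ipaddress.IPv4Address(gw)
        except ValueError as exc:
            # e.g. a leading-zero octet such as 131.018.1.2, or a truncated mask
            findings.append(f"route {iface} {net} {mask} {gw}: unparsable address or mask ({exc})")
            continue
        if gw_addr not in subnet:
            findings.append(
                f"route {iface} {net} {mask} {gw}: next hop {gw} is not on {iface}'s subnet {subnet}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in check_pix_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against the output of write terminal to get the same two findings the scenario asks for; against the corrected configuration it reports nothing.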
Exam Topics in This Chapter
52 Policies
53 Standards Bodies
54 Incident Response Teams
55 Vulnerability Discussions
56 Attacks and Common Exploits
57 Intrusion Detection
Chapter 8
Network Security Policies, Vulnerabilities, and Protection
This chapter reviews today's most common security policies and the mechanisms available to the Internet community to combat cyber attacks. The standards body CERT/CC is covered, along with the Cisco IOS-based security methods that help ensure attacks are detected, reported, and acted upon. Cisco security applications such as the Cisco Secure Intrusion Detection System are also covered, to lay the foundation you need to master the topics in the CCIE Security written exam.
This chapter covers the following topics:
• Network security policies—Standard security policies that should be deployed in any IP network.
• Standards bodies and incident response teams—Some of the standards bodies that help the Internet community tackle intrusion, and the forums and e-mail aliases that can help a network security architect.
• Vulnerabilities, attacks, and common exploits—Some of the vulnerabilities and methods used to exploit IP networks, and some common attacks that target data, including how that data is retrieved and modified.
• Intrusion Detection System (IDS)—How IDS (Cisco IDS strategies in particular) can be implemented to help deter intruders from gaining access to secure data.
• Protecting Cisco IOS from intrusion—Some of the standard configurations that every IOS router connected to the Internet should have in place to keep intruders from gaining unauthorized access.
“Do I Know This Already?” Quiz
The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all these questions, you might want to skim the “Foundation Topics” section and return to it later, as necessary. Review the “Foundation Summary” section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, you should read through the entire “Foundation Topics” section and review it until you feel comfortable with your ability to answer all these and the “Q & A” questions at the end of the chapter.
Answers to these questions can be found in Appendix A, “Answers to Quiz Questions.”
1. A remote user tries to log in to a remote network but fails after three attempts and is disconnected. What useful information should the network administrator gather? (Select the best two answers.)
a. Username
b. Invalid password
c. Invalid username
d. Valid username
2. What is the first step that should be implemented in securing any network?
a. Create a database of secure passwords.
b. Create the IP address scheme.
c. Run NetRanger or NetSonar.
d. Define a security policy.
e. Configure access lists on all routers.
3. What primary security method can be designed and deployed to secure and protect any IP network after an attack has been documented?
a. Security policy
b. IP policy
c. Countermeasures
d. Measurement
e. Logging passwords
4. A security administrator notices that a log file stored on a local router has increased in size from 32 k to 64 k in a matter of seconds. What should the network administrator do?
a. Increase the buffer to 64 k.
b. Decrease the buffer to 16 k.
c. Log the event as suspicious and notify the incident response team.
d. Nothing, this is normal.
e. Both a and b are correct.
5. What is the primary responsibility of CERT/CC?
a. Define access lists for use on routers
b. Set security standards
c. Coordinate attacks on secure networks
d. Maintain a security standard for networks
e. Nothing to do with security
6. Who can use network scanners and probes? (Select the best two answers.)
a. Intruders
b. Security managers
c. End users
d. Cable service providers
7. What is a bastion host?
a. Firewall device supported by Cisco only
b. Network's last line of defense
c. Network's first line of defense
d. IP host device designed to route IP packets
8. A TCP SYN attack is what type of attack?
a. ICMP
b. DoS
c. Telnet/Kerberos attack
d. Ping attack only
9. When an intruder sends a large amount of ICMP echo (ping) traffic using IP broadcasts, this type of DoS attack is known as what?
a. Bastion
b. Land.C
c. Man in the middle
d. Smurf
e. Ping of death
10. What kind of attack sends a large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash?
a. Ping of death
b. Smurf
c. Land.C
d. Man in the middle
e. Birthday attack
11. In the context of intrusion detection, what is an exploit signature?
a. DoS attack
b. An attack that is recognized and detected on the network
c. The same as a Smurf attack
d. The same as a man in the middle attack
12. To stop spam e-mail from overwhelming an e-mail server, what step can you take?
a. Ask the ISP for help.
b. Nothing, because spam e-mail is too difficult to stop to be worth the effort.
c. Install an intrusion detection system that has a signature for spam e-mail.
d. Nothing, because the client software takes care of this.
e. Change the IOS code.
f. Configure the bastion host to stop spam e-mail.