Foundation Summary 381
Foundation Summary
The Foundation Summary is a condensed collection of material for a convenient review of key concepts in this chapter. If you are already comfortable with the topics in this chapter and decided to skip most of the Foundation Topics material, the “Foundation Summary” section can help you recall a few details. If you just read the “Foundation Topics” section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the “Foundation Summary” section offers a convenient way to do a quick final review.
Table 8-2 summarizes the key reasons that networks should be secured.
Table 8-2 Security Policies

| Policy Reason | Meaning |
|---|---|
| Inherent technology weaknesses | All network devices and operating systems have inherent vulnerabilities. |
| Configuration weaknesses | Common configuration mistakes can be exploited to open weaknesses. |
| Network policy vulnerabilities | The lack of network policies can lead to vulnerabilities such as password security. |
| Outside/inside intruders | There are always internal and external people wanting to exploit network resources and retrieve sensitive data. |
Table 8-3 summarizes the key motivation factors behind intruders attacking secure and unsecured networks.
Table 8-3 Intruder/Hacker Motivations

| Intruder/Hacker Motivation | Explanation |
|---|---|
| Cash profit | To make money from attacks, such as by transferring funds |
| Revenge | To get back at employers or individuals |
| Vandalism | To cause damage for personal satisfaction |
| Cyber terrorism | To gain an advantage or notoriety for an organization’s ideology |
| For a challenge | Peer pressure or challenges set by other hackers to gain notoriety |
| Curiosity | Learning the tools of the trade, possibly to gain experience for bigger challenges |
382 Chapter 8: Network Security Policies, Vulnerabilities, and Protection
Table 8-4 summarizes the actions taken by incident response teams.
Table 8-4 Incident Response Team Actions

| Step | Action | Explanation |
|---|---|---|
| 1 | Verify the incident. | Verify and gather details on the incident. |
| 2 | Determine the magnitude of the problem. | Verify hosts and how they might have been affected. |
| 3 | Assess the damage. | Determine what data has been manipulated. |
| 4 | Gather and protect the evidence. | Restore the data and any software patches. |
Table 8-5 summarizes the methods used in common network attacks.
Table 8-5 Network Attacks

| Attack | Meaning |
|---|---|
| Ping of death | Attack that sends an improperly large ICMP echo request packet with the intent of overflowing the destination machine’s input buffers and causing it to crash. The IP protocol header field is set to 1, the last fragment bit is set, and the data length is greater than 65,535, the maximum allowable IP packet size. |
| TCP SYN Flood attacks | This DoS attack randomly opens a number of TCP ports, ensuring that network devices are using CPU cycles for bogus requests and denying other legitimate users access. |
| Teardrop | Exploits an overlapping IP fragment implementation bug in various operating systems. The bug causes the TCP/IP fragmentation reassembly code to improperly handle overlapping IP fragments, causing the host to hang or crash. |
| Land.C attacks | A program designed to send TCP SYN packets (remember TCP SYN is used in the TCP connection phase) that specify the target’s host address as both source and destination. This program can use TCP port 113 or 139 (source/destination), which can also cause a system to stop functioning. |
| DNS poisoning | The attacker exploits the DNS server, causing the server to return a false IP address to a domain name query. |
| UDP Bomb | Sends an illegal length field in the packet header, causing a kernel panic and crash. |
| E-mail attacks | This DoS attack sends a random number of e-mails to a host. |
| CPU-Intensive attacks | This DoS attack ties up system resources by using programs, such as a Trojan (a program designed to capture usernames or passwords from a network), or enables viruses to disable remote systems. |
| Chargen attacks | Establishes UDP services by producing a high character input. This can cause congestion on a network. |
| Attacks via dialup (out of band) | Applications, such as Windows 95, have built-in vulnerabilities on data port 139 (known as WinNuke), if the intruders can ascertain the IP address. |
| Distributed Denial of Service | A DDoS attack is a DoS attack run by multiple hosts. The attacker first compromises vulnerable hosts using various tools and techniques. Then, the actual DoS attack on a target is run from the pool of all these compromised hosts. |
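As an added example (not from the book), the following Python code applies the header-level signatures Table 8-5 gives for Land.C, ping of death and teardrop to constructed packet records, the way an IDS or packet filter would check them before the host's reassembly code is reached; the dict field names are assumptions standing in for decoded IP/TCP header fields.

```python
from collections import defaultdict

# Largest legal IP total length; a reassembled datagram exceeding it is the
# ping-of-death signature described in Table 8-5.
MAX_IP_DATAGRAM = 65535


def is_land_packet(pkt):
    """Land.C signature: a TCP SYN whose source and destination are the same host and port."""
    return bool(pkt["proto"] == "tcp" and pkt["syn"]
                and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def check_fragments(fragments):
    """Group fragments per datagram and flag oversized (ping of death) or overlapping (teardrop) sets."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f["src"], f["dst"], f["id"])].append(f)
    findings = []
    for key, frags in groups.items():
        # Fragment offsets are in 8-byte units; each span is the byte range a fragment fills.
        spans = sorted((f["offset"] * 8, f["offset"] * 8 + f["payload_len"]) for f in frags)
        if max(end for _, end in spans) > MAX_IP_DATAGRAM:
            findings.append(("ping_of_death", key))
        for (_, prev_end), (start, _) in zip(spans, spans[1:]):
            if start < prev_end:  # a later fragment begins inside the earlier one
                findings.append(("teardrop", key))
                break
    return findings


# Constructed packet records (assumed field names, not captured traffic).
SAMPLE_PACKETS = [
    {"proto": "tcp", "syn": True, "src": "10.1.1.1", "dst": "10.1.1.1", "sport": 139, "dport": 139},
    {"proto": "tcp", "syn": True, "src": "10.1.1.9", "dst": "10.1.1.1", "sport": 40000, "dport": 23},
]
SAMPLE_FRAGMENTS = [
    # Benign two-fragment datagram: bytes 0-1480, then 1480-1580.
    {"src": "10.1.1.9", "dst": "10.1.1.1", "id": 1, "offset": 0, "payload_len": 1480},
    {"src": "10.1.1.9", "dst": "10.1.1.1", "id": 1, "offset": 185, "payload_len": 100},
    # Ping of death: final fragment ends at byte 65548, past the 65535 limit.
    {"src": "10.1.1.9", "dst": "10.1.1.1", "id": 2, "offset": 8191, "payload_len": 20},
    # Teardrop: second fragment starts at byte 24, inside the first (0-32).
    {"src": "10.1.1.9", "dst": "10.1.1.1", "id": 3, "offset": 0, "payload_len": 32},
    {"src": "10.1.1.9", "dst": "10.1.1.1", "id": 3, "offset": 3, "payload_len": 24},
]

if __name__ == "__main__":
    print([p["src"] for p in SAMPLE_PACKETS if is_land_packet(p)])
    print(check_fragments(SAMPLE_FRAGMENTS))
```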
Table 8-6 summarizes some of the critical IOS commands used to protect IOS-enabled routers. |
Table 8-6 Protecting Cisco IOS Routers

| IOS Command | Meaning |
|---|---|
| service nagle | Enables the Nagle algorithm. |
| no service udp-small-servers and no service tcp-small-servers | By default, the TCP/UDP servers for Echo, Discard, Chargen, and Daytime services are disabled. |
| service password-encryption | Ensures that all passwords are encrypted and not viewable when viewing the IOS configuration file. |
| service timestamps debug and service timestamps log | Enables the router to log any debug output and define each entry with a timestamp. |
| service sequence-numbers | Allows the syslog entries to be numbered to ensure that they are not tampered with. |
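As an added example (not from the book), this Python audit uses the sequence numbers and timestamps that `service sequence-numbers` and `service timestamps log` add to syslog entries to spot gaps, clocks that run backwards and unnumbered lines in a collected log; the log lines are constructed in the IOS style rather than taken from a real router.

```python
import re
from datetime import datetime

# Constructed IOS-style syslog lines (not from a real router), as a router emits them with
# "service sequence-numbers" and "service timestamps log datetime msec" configured.
SAMPLE_LOG = """\
000041: *Mar  1 00:10:01.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0
000042: *Mar  1 00:10:05.410: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1234) -> 10.0.0.1(23), 1 packet
000044: *Mar  1 00:10:09.002: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1235) -> 10.0.0.1(23), 1 packet
000045: *Mar  1 00:10:08.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Mar  1 00:10:12.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Optional 6-digit sequence number, optional '*' (clock not authoritative), timestamp, message.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d{6}): )?\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>%.*)$"
)


def audit_syslog(text):
    """Return findings as tuples: sequence gaps, timestamps that run backwards, unnumbered lines."""
    findings, prev_seq, prev_ts = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            findings.append(("unparsed", raw))
            continue
        if m["seq"] is None:
            # A line without a sequence number did not come through the numbered stream.
            findings.append(("no_sequence_number", m["msg"]))
            continue
        seq = int(m["seq"])
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(("sequence_gap", prev_seq, seq))  # entries missing or reordered
        if prev_ts is not None and ts < prev_ts:
            findings.append(("timestamp_went_backwards", seq))
        prev_seq, prev_ts = seq, ts
    return findings


if __name__ == "__main__":
    for finding in audit_syslog(SAMPLE_LOG):
        print(finding)
```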
Q & A
The Q & A questions are designed to help you assess your readiness for the topics covered on the CCIE Security written exam and those topics presented in this chapter. This format is intended to help you assess your retention of the material. A strong understanding of the answers to these questions can help you on the CCIE Security written exam. You can also look over the questions at the beginning of the chapter again for additional review. As an additional study aid, use the CD-ROM provided with this book to take simulated exams, which draw from a database of over 300 multiple-choice questions—all different from those presented in the book.
Select the best answer. Answers to these questions can be found in Appendix A, “Answers to Quiz Questions.”
1. Define four reasons networks should be secured.
2. What is the function of the CERT/CC organization, and what are its primary objectives?
3. What are the primary steps completed by incident response teams?
4. Name common methods used by intruders to disrupt a secure network.
5. In security, what is session hijacking?
6. In security terms, what is a man-in-the-middle attack?
7. What is a Signature Engine?
8. What is social engineering?
9. Describe a ping of death attack.
10. What is a Land.C attack?
11. What does the following IOS code accomplish on a Cisco IOS router?

    no service udp-small-servers
    no service tcp-small-servers

12. What is the secret password for the following IOS configuration?

    enable secret %$@$%&^$@*$^*@$^*
    enable pass cisco

13. What is the purpose of the command service sequence-numbers?