Cisco Network Security Little Black Book

Table of Contents

Cisco Network Security Little Black Book ........ 1
Introduction ........ 4
  Is this Book for You? ........ 4
  How to Use this Book ........ 4
  The Little Black Book Philosophy ........ 6
Chapter 1: Securing the Infrastructure ........ 7
  In Brief ........ 7
    Enterprise Security Problems ........ 7
    Types of Threats ........ 8
    Enterprise Security Challenges ........ 8
    Enterprise Security Policy ........ 9
    Securing the Enterprise ........ 10
  Immediate Solutions ........ 14
    Configuring Console Security ........ 14
    Configuring Telnet Security ........ 16
    Configuring Enable Mode Security ........ 17
    Disabling Password Recovery ........ 18
    Configuring Privilege Levels for Users ........ 20
    Configuring Password Encryption ........ 21
    Configuring Banner Messages ........ 22
    Configuring SNMP Security ........ 24
    Configuring RIP Authentication ........ 25
    Configuring EIGRP Authentication ........ 27
    Configuring OSPF Authentication ........ 31
    Configuring Route Filters ........ 35
    Suppressing Route Advertisements ........ 40
Chapter 2: AAA Security Technologies ........ 43
  In Brief ........ 43
    Access Control Security ........ 43
    AAA Protocols ........ 48
    Cisco Secure Access Control Server ........ 53
  Immediate Solutions ........ 56
    Configuring TACACS+ Globally ........ 56
    Configuring TACACS+ Individually ........ 58
    Configuring RADIUS Globally ........ 61
    Configuring RADIUS Individually ........ 62
    Configuring Authentication ........ 64
    Configuring Authorization ........ 72
    Configuring Accounting ........ 75
    Installing and Configuring Cisco Secure NT ........ 78
Chapter 3: Perimeter Router Security ........ 85
  In Brief ........ 85
    Defining Networks ........ 85
    Cisco Express Forwarding ........ 86
    Unicast Reverse Path Forwarding ........ 87
    TCP Intercept ........ 87
    Network Address Translation ........ 89
    Committed Access Rate ........ 90
    Logging ........ 92
  Immediate Solutions ........ 93
    Configuring Cisco Express Forwarding ........ 93
    Configuring Unicast Reverse Path Forwarding ........ 95
    Configuring TCP Intercept ........ 98
    Configuring Network Address Translation (NAT) ........ 103
    Configuring Committed Access Rate (CAR) ........ 116
    Configuring Logging ........ 119
Chapter 4: IOS Firewall Feature Set ........ 123
  In Brief ........ 123
    Context-Based Access Control ........ 123
    Port Application Mapping ........ 127
    IOS Firewall Intrusion Detection ........ 129
  Immediate Solutions ........ 131
    Configuring Context-Based Access Control ........ 131
    Configuring Port Application Mapping ........ 143
    Configuring IOS Firewall Intrusion Detection ........ 149
Chapter 5: Cisco Encryption Technology ........ 156
  In Brief ........ 156
    Cryptography ........ 156
    Benefits of Encryption ........ 160
    Symmetric and Asymmetric Key Encryption ........ 160
    Digital Signature Standard ........ 166
    Cisco Encryption Technology Overview ........ 167
  Immediate Solutions ........ 168
    Configuring Cisco Encryption Technology ........ 168
Chapter 6: Internet Protocol Security ........ 189
  In Brief ........ 189
    IPSec Packet Types ........ 190
    IPSec Modes of Operation ........ 191
    Key Management ........ 193
    Encryption ........ 196
    IPSec Implementations ........ 197
  Immediate Solutions ........ 197
    Configuring IPSec Using Pre-Shared Keys ........ 198
    Configuring IPSec Using Manual Keys ........ 214
    Configuring Tunnel EndPoint Discovery ........ 224
Chapter 7: Additional Access List Features ........ 231
  In Brief ........ 231
    Wildcard Masks ........ 233
    Standard Access Lists ........ 234
    Extended Access Lists ........ 234
    Reflexive Access Lists ........ 235
    Dynamic Access Lists ........ 236
    Additional Access List Features ........ 238
  Immediate Solutions ........ 239
    Configuring Standard IP Access Lists ........ 239
    Configuring Extended IP Access Lists ........ 242
    Configuring Extended TCP Access Lists ........ 247
    Configuring Named Access Lists ........ 250
    Configuring Commented Access Lists ........ 252
    Configuring Dynamic Access Lists ........ 254
    Configuring Reflexive Access Lists ........ 260
    Configuring Time-Based Access Lists ........ 263
Appendix A: IOS Firewall IDS Signature List ........ 266
Appendix B: Securing Ethernet Switches ........ 272
  Configuring Management Access ........ 272
  Configuring Port Security ........ 273
  Configuring Permit Lists ........ 275
  Configuring AAA Support ........ 276
List of Figures ........ 281
List of Tables ........ 283
List of Listings ........ 284

Cisco Network Security Little Black Book

Joe Harris

CORIOLIS

President and CEO: Roland Elgey

Publisher: Al Valvano

Associate Publisher: Katherine R. Hartlove

Acquisitions Editor: Katherine R. Hartlove

Development Editor: Jessica Choi

Product Marketing Manager: Jeff Johnson

Project Editor: Greg Balas

Technical Reviewer: Sheldon Barry

Production Coordinator: Peggy Cantrell

Cover Designer: Laura Wellander

Cisco™ Network Security Little Black Book

Copyright © 2002 The Coriolis Group, LLC

All rights reserved.

This book may not be duplicated in any way without the express written consent of the publisher, except in the form of brief excerpts or quotations for the purposes of review. The information contained herein is for the personal use of the reader and may not be incorporated in any commercial programs, other books, databases, or any kind of software without written consent of the publisher. Making copies of this book or any portion for any purpose other than your own is a violation of United States copyright laws.

Limits of Liability and Disclaimer of Warranty

The author and publisher of this book have used their best efforts in preparing the book and the programs contained in it. These efforts include the development, research, and testing of the theories and programs to determine their effectiveness. The author and publisher make no warranty of any kind, expressed or implied, with regard to these programs or the documentation contained in this book.

The author and publisher shall not be liable in the event of incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of the programs, associated instructions, and/or claims of productivity gains.

Trademarks

Trademarked names appear throughout this book. Rather than list the names and entities that own the trademarks or insert a trademark symbol with each mention of the trademarked name, the publisher states that it is using the names for editorial purposes only and to the benefit of the trademark owner, with no intention of infringing upon that trademark.

The Coriolis Group, LLC

14455 North Hayden Road

Suite 220

Scottsdale, Arizona 85260

(480) 483-0192 FAX (480) 483-0193

http://www.coriolis.com/

Library of Congress Cataloging-in-Publication Data

Harris, Joe, 1974-

Cisco network security little black book / Joe Harris

p. cm.

Includes index.

1-93211-165-4

1. Computer networks--Security measures. I. Title.

TK5105.59 .H367 2002 005.8--dc21 2002019668

10 9 8 7 6 5 4 3 2 1

I dedicate this book to my wife, Krystal, with whom I fall in love all over again every day. I love you, I always have, I always will. To my son, Cameron, I cannot begin to put into words how much I love you. You are my world—my purpose in life. To my mother, Ann, thank you for your love and support, and for always being there for me—you will always be my hero. To my father, Joe Sr., thank you for all the sacrifices you had to make, so that I wouldn't have to—they didn't go unnoticed. Also, thanks for helping to make me the man that I am today—I love you.

—Joe Harris


About the Author

Joe Harris, CCIE# 6200, is the Principal Systems Engineer for a large financial firm based in Houston, Texas. He has more than eight years of experience with data communications and protocols. His work is focused on designing and implementing large-scale, LAN-switched, and routed networks for customers needing secure methods of communication.

Joe is involved daily in the design and implementation of complex secure systems, providing comprehensive security services for the financial industry. He earned his Bachelor of Science degree in Management Information Systems from Louisiana Tech University, and holds his Cisco Security Specialization.

Acknowledgments

There are many people I would like to thank for contributing either directly or indirectly to this book. Being an avid reader of technology books myself, I have always taken the acknowledgments and dedication sections lightly. Having now been through the book writing process, I can assure you that this will never again be the case. Writing a book about a technology sector like security, which changes so rapidly, is a demanding process, and as such, it warrants many "thank yous" to a number of people.

First, I would like to thank God for giving me the ability, gifts, strength, and privilege to be working in such an exciting, challenging, and wonderful career. As stated in the book of Philippians, Chapter 4, Verse 13: "I can do all things through Christ which strengtheneth me." I would also like to thank The Coriolis Group team, which made this book possible. You guys are a great group of people to work with, and I encourage other authors to check them out. I would like to extend a special thanks to Jessica Choi, my development editor. In addition, I would also like to thank my acquisitions editors, Charlotte Carpentier and Katherine Hartlove, and my project editor, Greg Balas. It was a pleasure to work with people who exemplify such professionalism, and to the rest of the Coriolis team—Jeff Johnson, my product marketing manager, Peggy Cantrell, my production coordinator, and Laura Wallander, my cover designer—thank you all!

In addition, I would like to thank Judy Flynn for copyediting the book, Christine Sherk for proofreading it, and Emily Glossbrenner for indexing it. A big thanks also to Sheldon Barry for serving as the tech reviewer on the book!

Special thanks to my friend, Joel Cochran, for being a great friend and mentor, and for repeatedly amazing me with your uncanny ability to remember every little detail about a vast array of technologies, and for also taking me under your wing and helping me to "learn the ropes" of this industry. Also thanks to Greg Wallin for the late night discussions and your keen insights into networking, and for your unique methods of communicating them in a manner that consistently challenges me to greater professional heights.

Finally, I would like to thank Jeff Lee, Steven Campbell, Raul Rodriguez, Jose Aguinagua, Kenneth Avans, Walter Hallows, Chris Dunbar, Bill Ulrich, Dodd Lede, Bruce Sebecke, Michael Nelson, James Focke, Ward Hillyer, Loi Ngo, Will Miles, Dale Booth, Clyde Dardar, Barry Meche, Bill Pinson, and all those I have missed in this listing for their insight and inspiration.

And last, but certainly not least, I would like to thank my wife, Krystal, for her love, support, and patience with me during this project. To my son, Cameron, thank you for being daddy's inspiration.
