Table of Contents

- Cisco Network Security Little Black Book
- Introduction
  - Is this Book for You?
  - How to Use this Book
  - The Little Black Book Philosophy
- Chapter 1: Securing the Infrastructure
  - In Brief
    - Enterprise Security Problems
    - Types of Threats
    - Enterprise Security Challenges
    - Enterprise Security Policy
    - Securing the Enterprise
  - Immediate Solutions
    - Configuring Console Security
    - Configuring Telnet Security
    - Configuring Enable Mode Security
    - Disabling Password Recovery
    - Configuring Privilege Levels for Users
    - Configuring Password Encryption
    - Configuring Banner Messages
    - Configuring SNMP Security
    - Configuring RIP Authentication
    - Configuring EIGRP Authentication
    - Configuring OSPF Authentication
    - Configuring Route Filters
    - Suppressing Route Advertisements
- Chapter 2: AAA Security Technologies
  - In Brief
    - Access Control Security
    - Cisco Secure Access Control Server
  - Immediate Solutions
    - Configuring TACACS+ Globally
    - Configuring TACACS+ Individually
    - Configuring RADIUS Globally
    - Configuring RADIUS Individually
    - Configuring Authentication
    - Configuring Authorization
    - Configuring Accounting
    - Installing and Configuring Cisco Secure NT
- Chapter 3: Perimeter Router Security
  - In Brief
    - Defining Networks
    - Cisco Express Forwarding
    - Unicast Reverse Path Forwarding
    - TCP Intercept
    - Network Address Translation
    - Committed Access Rate
    - Logging
  - Immediate Solutions
    - Configuring Cisco Express Forwarding
    - Configuring Unicast Reverse Path Forwarding
    - Configuring TCP Intercept
    - Configuring Network Address Translation (NAT)
    - Configuring Committed Access Rate (CAR)
    - Configuring Logging
- Chapter 4: IOS Firewall Feature Set
  - In Brief
    - Port Application Mapping
    - IOS Firewall Intrusion Detection
  - Immediate Solutions
    - Configuring Port Application Mapping
    - Configuring IOS Firewall Intrusion Detection
- Chapter 5: Cisco Encryption Technology
  - In Brief
    - Cryptography
    - Benefits of Encryption
    - Symmetric and Asymmetric Key Encryption
    - Digital Signature Standard
    - Cisco Encryption Technology Overview
  - Immediate Solutions
    - Configuring Cisco Encryption Technology
- Chapter 6: Internet Protocol Security
  - In Brief
    - IPSec Packet Types
    - IPSec Modes of Operation
    - Key Management
    - Encryption
    - IPSec Implementations
  - Immediate Solutions
    - Configuring IPSec Using Manual Keys
    - Configuring Tunnel EndPoint Discovery
- Chapter 7: Additional Access List Features
  - In Brief
    - Wildcard Masks
    - Standard Access Lists
    - Extended Access Lists
    - Reflexive Access Lists
    - Dynamic Access Lists
    - Additional Access List Features
  - Immediate Solutions
    - Configuring Standard IP Access Lists
    - Configuring Extended IP Access Lists
    - Configuring Extended TCP Access Lists
    - Configuring Named Access Lists
    - Configuring Commented Access Lists
    - Configuring Dynamic Access Lists
    - Configuring Reflexive Access Lists
- Appendix A: IOS Firewall IDS Signature List
- Appendix B: Securing Ethernet Switches
  - Configuring Management Access
  - Configuring Port Security
  - Configuring Permit Lists
  - Configuring AAA Support
- List of Figures
- List of Tables
- List of Listings
Router-B#show ip route
......
D    10.10.12.0 [90/409600] via 192.168.10.1, Serial0/0
C    10.10.13.0 is directly connected, Loopback0
C    10.10.14.0 is directly connected, Loopback1
C    10.10.15.0 is directly connected, FastEthernet0/0
Router-B#
Router A is only advertising the 10.10.12.0 network to Router B; thus, Router B only knows about the 10.10.12.0 network. Now Router B must be configured such that Router A only learns the 10.10.15.0 network. Listing 1.27 displays the configuration that is needed on Router B.
Listing 1.27: Router B configured with an outbound route filter.
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router eigrp 50
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 4 out Serial0/0
 no auto-summary
!
access-list 4 permit 10.10.15.0
Router B is configured with access list 4, which permits only the 10.10.15.0 network and has an outbound distribute−list applied to the EIGRP routing process. The next step is to check the route table of Router A to determine if the required results have been met. Listing 1.28 displays the route table of Router A.
Listing 1.28: Route table of Router A after applying an outbound route filter on Router B.
Router-A#sh ip route
......
C    10.10.10.0 is directly connected, Loopback0
C    10.10.11.0 is directly connected, Loopback1
C    10.10.12.0 is directly connected, Ethernet0/0
D    10.10.15.0 [90/409600] via 192.168.10.2, Serial0/0
Router-A#
After viewing the route table of Router A, you can determine that Router B is advertising only the 10.10.15.0 network to Router A; thus, Router A only knows about the 10.10.15.0 network.
Suppressing Route Advertisements
To prevent other routers on a network from learning about routes dynamically, you can prevent routing update messages from being sent out a router interface. To accomplish this, use the passive-interface <interface> command under routing protocol configuration mode. This command can be used on all IP-based routing protocols except for the Exterior Gateway Protocol (EGP) and Border Gateway Protocol (BGP). When an interface is configured to be in a passive state, the router disables the passing of routing protocol advertisements out of the interface; however, the interface still listens to and accepts any route advertisement that is received on the interface. Configuring this on a router essentially makes the router a silent host over the interfaces that were specified. The passive-interface command is all that is needed to make an interface no longer advertise networks.
Here is an example of configuring an interface as passive:
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router eigrp 50
 passive-interface FastEthernet0/0
 passive-interface Serial0/0
!
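The two controls in this chapter, an outbound distribute-list (Listing 1.27) and passive-interface, both decide what a router sends out of an interface, and a misnumbered access list silently undoes the first one. The following Python script is an added example (not code from the book) that parses an IOS configuration of the kind shown above and reports, per EIGRP interface, which connected prefixes would be advertised: nothing for a passive interface, and only the prefixes the outbound distribute-list's standard access list permits otherwise. It also flags a distribute-list that names an access list the configuration never defines; the script treats that case as permit-all, which is the assumption to verify on your own IOS release. The configuration text is constructed from this section's listings (Router B with its loopbacks); split horizon is modelled only as not re-advertising an interface's own connected network, and auto-summary is not modelled because the sample disables it.

```python
import ipaddress
import re

# Constructed sample for Router B: Listing 1.27 merged with the passive-interface
# example from this section. Built for this illustration; not the book's listing.
ROUTER_B_CONFIG = """
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
interface Loopback0
 ip address 10.10.13.1 255.255.255.0
!
interface Loopback1
 ip address 10.10.14.1 255.255.255.0
!
router eigrp 50
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 4 out Serial0/0
 passive-interface FastEthernet0/0
 no auto-summary
!
access-list 4 permit 10.10.15.0
"""


def classful_network(addr):
    """Classful prefix for an EIGRP 'network a.b.c.d' statement given without a wildcard."""
    first_octet = int(addr.split(".")[0])
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def acl_target(rest):
    """(address, wildcard) as integers from the tail of a standard access-list line."""
    parts = rest.split()
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.ip_address(parts[1])), 0
    address = int(ipaddress.ip_address(parts[0]))
    wildcard = int(ipaddress.ip_address(parts[1])) if len(parts) > 1 else 0  # no wildcard = exact match
    return address, wildcard


def parse_config(text):
    """Pull interface addresses, the EIGRP stanza and standard ACLs out of IOS config text."""
    cfg = {"interfaces": {}, "networks": [], "passive": set(), "distribute_out": {}, "acls": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            section = line.split()[1]
        elif line.startswith("router "):
            section = "router"
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg["interfaces"][section] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"network (\S+)(?: (\S+))?$", line):
            # 'network a.b.c.d [wildcard]': ipaddress accepts a host mask as the suffix
            cfg["networks"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                                   if m[2] else classful_network(m[1]))
        elif m := re.match(r"passive-interface (\S+)$", line):
            cfg["passive"].add(m[1])
        elif m := re.match(r"distribute-list (\S+) out (\S+)$", line):
            cfg["distribute_out"][m[2]] = m[1]
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], *acl_target(m[3])))
    return cfg


def acl_permits(entries, address):
    """Evaluate a standard ACL against one address; first match wins, implicit deny at the end."""
    a = int(ipaddress.ip_address(address))
    for action, entry_addr, wildcard in entries:
        care = 0xFFFFFFFF ^ wildcard  # bits the wildcard says must match
        if (a & care) == (entry_addr & care):
            return action == "permit"
    return False


def advertised_routes(cfg):
    """Per EIGRP interface, the connected prefixes the router would advertise out of it."""
    eigrp_ifaces = {name: ip for name, ip in cfg["interfaces"].items()
                    if any(ip.ip in net for net in cfg["networks"])}
    connected = {name: str(ip.network) for name, ip in eigrp_ifaces.items()}
    result, warnings = {}, []
    for name in eigrp_ifaces:
        if name in cfg["passive"]:
            result[name] = []  # passive: still listens, sends no updates
            continue
        # Split horizon: a prefix is not sent back out the interface it was learned on.
        candidates = [net for other, net in connected.items() if other != name]
        acl_id = cfg["distribute_out"].get(name)
        if acl_id is not None:
            entries = cfg["acls"].get(acl_id)
            if entries is None:  # assumption: an undefined list filters nothing
                warnings.append(f"{name}: distribute-list {acl_id} references an undefined access list; nothing is filtered")
            else:
                candidates = [net for net in candidates if acl_permits(entries, net.split("/")[0])]
        result[name] = sorted(candidates)
    return result, warnings


if __name__ == "__main__":
    routes, warnings = advertised_routes(parse_config(ROUTER_B_CONFIG))
    for iface, prefixes in routes.items():
        print(f"{iface}: {prefixes or 'nothing (passive)'}")
    for w in warnings:
        print("WARNING", w)
```

Run against the sample, Serial0/0 advertises only 10.10.15.0/24 and FastEthernet0/0 advertises nothing, which matches the Router A route table in Listing 1.28. Changing the distribute-list to a number with no matching access-list makes every connected prefix reappear on Serial0/0 and produces the warning, which is the check worth adding to any configuration review.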
Configuring HTTP Access
Cisco routers include an HTTP server, which makes configuration and administration easier, especially for someone who does not have a lot of experience with the command-line interface. The HTTP server function is disabled by default and must be manually enabled. Follow these steps to enable the HTTP server functionality (only the first step is mandatory):
1. To enable the HTTP server, use the ip http server global configuration command.
2. You can specify the authentication method the router should use to authenticate users who attempt a connection to the server with the following global configuration command:
   ip http authentication {aaa|enable|local|tacacs}
3. You can control which hosts can access the HTTP server using this global configuration command:
   ip http access-class {access list number|access list name}
4. By default, the HTTP server listens for connection attempts on port 80. This can be changed using the ip http port <number> global configuration command.
Figure 1.6 displays a host named Jeff at IP address 192.168.10.100 who uses his Web browser to administer the router. Jeff accesses the HTTP server on the router on port 8080 and uses the local method of authentication. The following example configuration displays the HTTP server configuration that is needed so that Jeff can access the router.
Figure 1.6: User Jeff needs HTTP access to the router.
SecureRouter#show running-config
......
username Jeff privilege 10 password 0 NewUser
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
!
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
!
access−list 20 permit 192.168.10.100
!
Warning: If the HTTP server is enabled and local authentication is used, it is possible, under some circumstances, to bypass the authentication and execute any command on the device. For further information, please see the following Web page: http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html.
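The four settings in the steps above, together with the warning, form a small checklist that can be applied to any running-config. The Python script below is an added example (not code from the book) that reads a running-config, determines whether the HTTP server is enabled, which port and authentication method it uses, and which hosts the access-class admits, and returns findings for the cases this section calls out: local authentication (the warning above), no access-class at all, and an access-class that names an access list the configuration never defines. The input is the SecureRouter configuration from this section, constructed here as a string. Two defaults are assumptions made by the script rather than statements from the page: the enable password is taken as the authentication method when no ip http authentication command is present, and an undefined access list is treated as restricting nothing.

```python
import re

# Constructed sample: the SecureRouter running-config shown in this section,
# used only as audit input. Built for this illustration; not the book's listing.
SECURE_ROUTER_CONFIG = """
username Jeff privilege 10 password 0 NewUser
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
!
access-list 20 permit 192.168.10.100
!
"""


def audit_http_server(config_text):
    """Report how the IOS HTTP server is exposed according to a running-config."""
    lines = [line.strip() for line in config_text.splitlines()]
    # Defaults used when a command is absent: server off, port 80 (from the
    # section above) and, as an assumption of this script, 'enable' authentication.
    report = {"enabled": False, "port": 80, "authentication": "enable",
              "allowed_hosts": [], "findings": []}
    findings = report["findings"]
    if "ip http server" not in lines:
        findings.append("HTTP server is not enabled (the default)")
        return report
    report["enabled"] = True
    acl_id = None
    for line in lines:
        if m := re.match(r"ip http port (\d+)$", line):
            report["port"] = int(m[1])
        elif m := re.match(r"ip http authentication (\S+)$", line):
            report["authentication"] = m[1]
        elif m := re.match(r"ip http access-class (\S+)$", line):
            acl_id = m[1]
    if report["authentication"] == "local":
        findings.append("ip http authentication local: subject to the bypass "
                        "described in the Cisco notice referenced in this section")
    if acl_id is None:
        findings.append("no ip http access-class: any host that can reach the "
                        "router may attempt to authenticate")
    else:
        entries = [line for line in lines if line.startswith(f"access-list {acl_id} ")]
        if not entries:  # assumption: an undefined list restricts nothing
            findings.append(f"ip http access-class {acl_id} references an access "
                            "list that is not defined, so it restricts nothing")
        for entry in entries:
            if m := re.match(r"access-list \S+ permit (?:host )?(\S+)", entry):
                report["allowed_hosts"].append(m[1])
    if report["port"] != 80:
        findings.append(f"non-default port {report['port']}: reduces casual "
                        "discovery only and is not an access control")
    return report


if __name__ == "__main__":
    result = audit_http_server(SECURE_ROUTER_CONFIG)
    print(f"enabled={result['enabled']} port={result['port']} "
          f"auth={result['authentication']} allowed={result['allowed_hosts']}")
    for finding in result["findings"]:
        print("-", finding)
```

On the sample the script confirms that only 192.168.10.100 is admitted on port 8080, and raises the local-authentication finding; deleting the ip http access-class line turns the access-class finding on, which is the regression a config review should catch.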