Table of Contents
- Cisco Network Security Little Black Book
- Introduction
  - Is this Book for You?
  - How to Use this Book
  - The Little Black Book Philosophy
- Chapter 1: Securing the Infrastructure
  - In Brief
    - Enterprise Security Problems
    - Types of Threats
    - Enterprise Security Challenges
    - Enterprise Security Policy
    - Securing the Enterprise
  - Immediate Solutions
    - Configuring Console Security
    - Configuring Telnet Security
    - Configuring Enable Mode Security
    - Disabling Password Recovery
    - Configuring Privilege Levels for Users
    - Configuring Password Encryption
    - Configuring Banner Messages
    - Configuring SNMP Security
    - Configuring RIP Authentication
    - Configuring EIGRP Authentication
    - Configuring OSPF Authentication
    - Configuring Route Filters
    - Suppressing Route Advertisements
- Chapter 2: AAA Security Technologies
  - In Brief
    - Access Control Security
    - Cisco Secure Access Control Server
  - Immediate Solutions
    - Configuring TACACS+ Globally
    - Configuring TACACS+ Individually
    - Configuring RADIUS Globally
    - Configuring RADIUS Individually
    - Configuring Authentication
    - Configuring Authorization
    - Configuring Accounting
    - Installing and Configuring Cisco Secure NT
- Chapter 3: Perimeter Router Security
  - In Brief
    - Defining Networks
    - Cisco Express Forwarding
    - Unicast Reverse Path Forwarding
    - TCP Intercept
    - Network Address Translation
    - Committed Access Rate
    - Logging
  - Immediate Solutions
    - Configuring Cisco Express Forwarding
    - Configuring Unicast Reverse Path Forwarding
    - Configuring TCP Intercept
    - Configuring Network Address Translation (NAT)
    - Configuring Committed Access Rate (CAR)
    - Configuring Logging
- Chapter 4: IOS Firewall Feature Set
  - In Brief
    - Port Application Mapping
    - IOS Firewall Intrusion Detection
  - Immediate Solutions
    - Configuring Port Application Mapping
    - Configuring IOS Firewall Intrusion Detection
- Chapter 5: Cisco Encryption Technology
  - In Brief
    - Cryptography
    - Benefits of Encryption
    - Symmetric and Asymmetric Key Encryption
    - Digital Signature Standard
    - Cisco Encryption Technology Overview
  - Immediate Solutions
    - Configuring Cisco Encryption Technology
- Chapter 6: Internet Protocol Security
  - In Brief
    - IPSec Packet Types
    - IPSec Modes of Operation
    - Key Management
    - Encryption
    - IPSec Implementations
  - Immediate Solutions
    - Configuring IPSec Using Manual Keys
    - Configuring Tunnel EndPoint Discovery
- Chapter 7: Additional Access List Features
  - In Brief
    - Wildcard Masks
    - Standard Access Lists
    - Extended Access Lists
    - Reflexive Access Lists
    - Dynamic Access Lists
    - Additional Access List Features
  - Immediate Solutions
    - Configuring Standard IP Access Lists
    - Configuring Extended IP Access Lists
    - Configuring Extended TCP Access Lists
    - Configuring Named Access Lists
    - Configuring Commented Access Lists
    - Configuring Dynamic Access Lists
    - Configuring Reflexive Access Lists
- Appendix A: IOS Firewall IDS Signature List
- Appendix B: Securing Ethernet Switches
  - Configuring Management Access
  - Configuring Port Security
  - Configuring Permit Lists
  - Configuring AAA Support
- List of Figures
- List of Tables
- List of Listings
Introduction
Thanks for buying Cisco Network Security Little Black Book, the definitive guide for security configurations on Cisco routers.
New business practices and opportunities are driving a multitude of changes in all areas of enterprise networks, and enterprise security is becoming more and more prevalent as enterprises try to understand and manage the risks associated with the rapid development of business applications deployed over the enterprise network. This, coupled with the exponential growth of the Internet, has presented a daunting security problem to most enterprises: how does the enterprise implement and update its security defenses and practices so as to reduce its exposure to security breaches?
In this book, I will attempt to bridge the gap between the theory and practice of network security, placing much of the emphasis on securing the enterprise infrastructure. But first let me emphasize that there is no such thing as absolute security. The statement that a network is secure is, more often than not, misunderstood to mean that there is no possibility of a security breach. However, as you will see throughout this book, having a secure network means that the proper security mechanisms have been put in place to reduce most of the risks to which enterprise assets are exposed. I have tried to include enough detail on the theories and protocols for reasonable comprehension, so that the networking professional can make informed choices regarding security technologies. Although the focus of this book is on the Cisco product offering, the principles apply to many other environments as well.
Is this Book for You?
Cisco Network Security Little Black Book was written with the intermediate or advanced user in mind. The following topics are among those that are covered:
- Internet Protocol Security (IPSec)
- Network Address Translation (NAT)
- Authentication, authorization, and accounting (AAA)
- TCP Intercept
- Unicast Reverse Path Forwarding (Unicast RPF)
- Ethernet Switch Security
How to Use this Book
This book is similar in format to a typical book in the Little Black Book series. Each chapter has two main sections: "In Brief," followed by "Immediate Solutions."
"In Brief" introduces the subject matter of the chapter and explains the principles it is based upon. This section does not delve too deeply into details; instead, it elaborates only on the points that are most important for understanding the material in "Immediate Solutions." "Immediate Solutions" presents several tasks related to the subject introduced in "In Brief." These tasks vary from simple to complex, and that range of task levels provides broad coverage of the subject.
This book contains seven chapters. The following sections include a brief preview of each one.
Chapter 1: Securing the Infrastructure
Chapter 1 provides insight into enterprise security problems and challenges that face many organizations today in the "Internet Age" and focuses on the configuration of networking devices to ensure restricted and confidential access to them within the enterprise infrastructure.
Chapter 2: AAA Security Technologies
Chapter 2 includes a detailed examination of Cisco's authentication, authorization, and accounting (AAA) architecture, and the technologies that not only use its features, but also provide them. It presents proven concepts useful for implementing AAA security solutions and discusses how to configure networking devices to support the AAA architecture.
Chapter 3: Perimeter Router Security
Chapter 3 describes many of the security issues that arise when connecting an enterprise network to the Internet. It also details the technologies that can be used to minimize the threat of exposure to the enterprise and its assets. The chapter covers features such as TCP Intercept, Unicast Reverse Path Forwarding (Unicast RPF), and Network Address Translation (NAT).
Chapter 4: IOS Firewall Feature Set
Chapter 4 discusses the add-on component to the Cisco IOS that provides routers with many of the features available on the PIX firewall, giving a router functionality similar to that provided by a separate firewall device. It covers features such as Context-Based Access Control (CBAC), Port Application Mapping (PAM), and the IOS Firewall Intrusion Detection System (IDS).
Chapter 5: Cisco Encryption Technology
Chapter 5 presents an overview of encryption algorithms, hashing techniques, symmetric key encryption, asymmetric key encryption, and digital signatures. It discusses how to configure a router to support Cisco Encryption Technology and presents detailed methods for testing the encryption configuration.
Chapter 6: Internet Protocol Security
Chapter 6 presents an overview of IPSec, the framework of open standards for ensuring secure private communications over IP networks. It discusses how to configure a router to support the protocols used to create IPSec virtual private networks (VPNs) and details the configuration of preshared keys, manual keys, and certificate authority support.
Chapter 7: Additional Access List Features
Chapter 7 details the use of access lists and the security features they provide. It discusses the use of dynamic and reflexive access lists, as well as standard and extended access lists.
Appendix A: IOS Firewall IDS Signature List
Appendix A provides a detailed list of the 59 intrusion-detection signatures included in the Cisco IOS Firewall feature set. The signatures are presented in numerical order, each with a detailed description keyed to its signature number in the Cisco Secure IDS Network Security Database (NSD).
Appendix B: Securing Ethernet Switches
Appendix B presents an overview of methods used to provide security for the Catalyst Ethernet line of switches. This appendix discusses how to configure VLANs, VLAN access lists, IP permit lists, port security, SNMP security, and support for the AAA architecture on Catalyst Ethernet switches.
The Little Black Book Philosophy
Written by experienced professionals, Coriolis Little Black Books are terse, easily "thumb-able" question-answerers and problem-solvers. The Little Black Book's unique two-part chapter format (brief technical overviews followed by practical immediate solutions) is structured to help you use your knowledge, solve problems, and quickly master complex technical issues to become an expert. By breaking down complex topics into easily manageable components, this format helps you quickly find what you're looking for, with the diagrams and code you need to make it happen.
The author sincerely believes that this book will provide a more cost-effective and time-saving means of preparing for and deploying Cisco security features and services. By using this reference, the reader can focus on the fundamentals of the material instead of spending time deciding whether to acquire numerous expensive texts that may turn out to be, on the whole, inapplicable to the desired subject matter. This book also provides enough depth and coverage of the subject matter to avoid the gaps in security-related technologies found in other "single" reference books. The information security material in this book is presented in an organized, professional manner that will serve as a primary source of information for individuals new to the field of security, as well as for practicing security professionals. This book is mostly a practical guide for configuring security-related technologies on Cisco routers, and as such, the chapters may be read in any order.
I welcome your feedback on this book. You can either email The Coriolis Group at ctp@coriolis.com, or email me directly at joefharris@netscape.net. Errata, updates, and more are available at http://www.coriolis.com/.