
Cisco Network Security Little Black Book
Chapter 7: Additional Access List Features

| Keyword | Protocol |
| --- | --- |
| ahp | Authentication Header Protocol |
| eigrp | Cisco Systems Enhanced Interior Gateway Routing Protocol |
| esp | Encapsulated Security Payload |
| gre | Cisco Systems Generic Route Encapsulation Tunneling |
| icmp | Internet Control Message Protocol |
| igmp | Internet Gateway Message Protocol |
| igrp | Cisco Systems Interior Gateway Routing Protocol |
| ip | Any Internet Protocol |
| ipinip | IP in IP Tunneling |
| nos | KA9Q NOS Compatible IP over IP Tunneling |
| ospf | Open Shortest Path First Routing Protocol |
| pcp | Payload Compression Protocol |
| pim | Protocol Independent Multicast |
| tcp | Transmission Control Protocol |
| udp | User Datagram Protocol |
|
Extended access lists should be placed as close to the source as possible, in part because of their capability to filter packets using a finer granularity of controls. This also prevents wasting unnecessary bandwidth and processing power on packets that are to be dropped anyway.
Reflexive Access Lists
For another form of security, you can use reflexive access lists. Based on session parameters, they permit IP packets for sessions that originate from within a network but deny packets that originate from outside your network.
Using reflexive access lists is commonly referred to as session filtering. Reflexive access lists are most often configured on routers that sit on the border between two different networks. They provide a certain level of security against spoofing and denial-of-service (DoS) attacks. You would typically implement reflexive access lists on a customer edge Internet router or firewall router.
Reflexive access lists share many of the features that normal access lists possess. Rules are created and evaluated in a sequential order until a match occurs, at which time no further entry evaluation takes place. There are also some differences between a reflexive access list and a normal access list. Reflexive access lists use a feature referred to as "nesting," meaning you can place them within another named extended access list. Reflexive access lists do not have an implicit deny any statement at the end of the list configuration, and the access list entries are created on a temporary basis.
Fundamentals of Reflexive Access Lists
Reflexive access lists are triggered when an IP packet is sent from within the inside secure network to an external destination network. If this packet is the first in the session, a temporary access list entry is created. This entry will permit or deny traffic to enter back into the network if the traffic received on the interface is deemed to be part of the original session created from within the inside network; it will deny all other traffic that is not part of the original session. Figure 7.2 details the operation of reflexive access lists.
Figure 7.2: Example of traffic initiated on an internal network with reflexive access lists configured.
After the session has completed, the temporary access list entry is removed. If the session was opened with a TCP packet, two methods are used to tear it down. The first method tears down the session 5 seconds after two packets with the FIN bit set have been detected, or when a packet with the RST bit set is detected. The second method tears down the session if no packets for that session have been detected within a configurable timeout period. Because UDP is a connectionless protocol that does not maintain session state, if the session was opened with a UDP packet (or a packet of another protocol with similar characteristics), the session is torn down when no packets for the session have been detected within a configurable timeout period. Reflexive access lists can be configured on internal interfaces or external interfaces.
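The nesting, temporary entries and timeouts described above, as an added IOS configuration example that is not from the book. It assumes an inside network of 10.1.1.0/24, an external interface Serial0/0, and the access list and reflexive list names OUTBOUND, INBOUND, TCP-SESSIONS and UDP-SESSIONS (all placeholders).

```cisco
! Added example (not from the book): reflexive access lists nested in
! named extended ACLs on the external interface of an edge router.
! Assumed: inside network 10.1.1.0/24, external interface Serial0/0,
! ACL names OUTBOUND/INBOUND, reflexive list names TCP-SESSIONS/UDP-SESSIONS.
!
! Global idle timeout (seconds) for temporary entries without their own
! timeout; UDP entries depend on a timeout because UDP has no FIN or RST.
ip reflexive-list timeout 120
!
! Outbound traffic: each "reflect" keyword creates a temporary entry in the
! named reflexive list when the first packet of a session leaves the network.
ip access-list extended OUTBOUND
 permit tcp 10.1.1.0 0.0.0.255 any reflect TCP-SESSIONS timeout 300
 permit udp 10.1.1.0 0.0.0.255 any reflect UDP-SESSIONS timeout 60
!
! Inbound traffic: "evaluate" nests the reflexive list here. A reflexive list
! has no implicit deny of its own, so the explicit logged deny below catches
! everything that is not a reply to a session started from the inside.
ip access-list extended INBOUND
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any log
!
interface Serial0/0
 description External interface toward the Internet
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification: "show access-lists" lists the temporary entries under the
! reflexive list names while sessions are active; they disappear after
! FIN/RST teardown or when the timeout expires.
```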
Dynamic Access Lists
Dynamic access lists, commonly referred to as Lock and Key security, are a form of traffic filtering that can dynamically grant external users temporary access through a router for IP traffic that the router would normally block, so that the traffic can reach its final destination. For this to happen, a user must first telnet to the router. The dynamic access list then attempts to authenticate the user. If the credentials the user supplies during the authentication phase are correct, the user is disconnected from her Telnet session and the existing access list on the interface is dynamically reconfigured so that the user is allowed temporary access through the router. After a specified timeout period (either an idle timeout or an absolute timeout), the access list on the interface is returned to its original state.
Note After the user passes the authentication phase, the dynamic access list creates a temporary opening in the router by reconfiguring the interface to allow access through the router. This can potentially allow an attacker to spoof the source address of the legitimate user and gain unauthorized access to the internal network. Terminating IPSec at the router performing Lock and Key security is recommended.
Typically, you would configure dynamic access lists when you want a specific remote host or a subset of remote hosts to be allowed access to a host or a subset of hosts within your network. This can take place via the Internet or through dedicated circuits between your network and the remote network. Dynamic access lists are also configured when you want a host or a subset of hosts within your network to gain access to a remote host or subset of remote hosts protected with a firewall.
As mentioned earlier, in order for the user to gain access through the router, she first must pass the authentication phase. Authentication can take many forms, but the most commonly used are a local user database maintained within the router or authentication against a central security server such as a TACACS+ or RADIUS server. The central security server method of authentication is recommended. Dynamic access lists make use of the autocommand and access-enable commands, which together create the temporary access list entry. There are some caveats when configuring dynamic access lists:
• You can configure only one dynamic access list for each access list.
• You cannot associate a dynamic access list with more than one access list.
• An idle timeout or an absolute timeout must be configured. The idle timeout is defined within the autocommand command, and the absolute timeout is configured within the access-list command. If neither is configured, the temporary access entry will remain indefinitely and must be cleared manually. The idle timeout value must be less than the absolute timeout value.
Fundamentals of Lock and Key Security
Figure 7.3 details the steps involved when a host on an outside network would like to gain authorized access to a host behind a router configured with Lock and Key security. Host B would like to access Host A behind the perimeter router, Router A, but first must be authenticated using Lock and Key security. The steps are as follows:
Figure 7.3: Example of Host B accessing Host A through Router A configured with dynamic access lists.
1. Host B opens a Telnet session to the virtual terminal port of Router A.
2. Router A receives the Telnet request and opens a Telnet session with Host B.
3. Depending on the authentication method Router A is configured to perform, Router A asks Host B to provide the proper authentication credentials (configured on a security access server or within the local authentication database).
4. After Host B passes the authentication phase, Router A logs Host B out of the Telnet session. At this time Router A creates a temporary access list entry within the dynamic access list.
5. Host B now has a dynamic access list entry within Router A, allowing access to Host A.
6. Finally, Router A deletes the temporary access entry after the configured idle timeout period or absolute timeout period is reached.
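The caveats listed earlier and the six-step procedure above, as an added IOS configuration for Router A that is not from the book. It assumes an outside interface Serial0/0 with address 192.168.1.1, Host A on 10.1.1.0/24, the dynamic list name LOCKKEY, and a placeholder local username (the book recommends a TACACS+ or RADIUS server instead of the local database).

```cisco
! Added example (not from the book): Lock and Key (dynamic access list) on
! Router A's outside interface. Assumed: outside interface Serial0/0 with
! address 192.168.1.1, Host A on 10.1.1.0/24, dynamic list name LOCKKEY,
! and a placeholder local user (the book recommends TACACS+/RADIUS instead).
username remoteuser password 0 PLACEHOLDER-PASSWORD
!
! Numbered extended ACL 101. Step 1 of the procedure needs Telnet to the
! router itself, so that is permitted first. The "dynamic" entry is the
! template for the temporary entry created after authentication; 120 is the
! absolute timeout in minutes. Only one dynamic entry is allowed per list.
access-list 101 permit tcp any host 192.168.1.1 eq telnet
access-list 101 dynamic LOCKKEY timeout 120 permit ip any 10.1.1.0 0.0.0.255
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
! VTY lines: after a successful login the autocommand runs access-enable,
! which creates the temporary entry for the authenticated host's source
! address (the "host" keyword) and then ends the Telnet session (step 4).
! 10 is the idle timeout in minutes; it must be less than the absolute
! timeout above, and at least one of the two must be set.
line vty 0 4
 login local
 autocommand access-enable host timeout 10
!
! Verification: "show access-lists 101" shows the temporary entry while it
! exists; "clear access-template 101 LOCKKEY" removes it manually.
```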
Additional Access List Features
Prior to Cisco IOS 11.2, IP access list configuration was somewhat limited. Many enhancements have since been added to the IOS; named access lists, time-based access lists, and access list comments are just a few.
Named Access Lists
Numbered access lists are limited to a finite number of lists that can be created. As of Cisco IOS 11.2, you can identify IP access lists with an alphanumeric string rather than a number. When you use named access lists, you can configure more IP access lists in a router than you could with numbered access lists. Another advantage of named access lists is that descriptive names make large numbers of access lists more manageable. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. Keep a few things in mind when configuring named access lists: not all access lists that accept a number will accept a name, and a standard access list and an extended access list cannot have the same name.
Time-Based Access Lists
Cisco IOS 12.0(1) introduced time-based access lists, which take effect according to the time range specified within the list configuration. Prior to the introduction of this feature, a defined access list was in effect for an infinite period of time or until the administrator deleted it. With time-based access lists configured, administrators can control traffic according to service provider rates (which might vary at certain times of the day) and have finer granularity of control when permitting or denying certain traffic within their network.
Note The time-based access list feature is dependent on a reliable clock source. It is therefore recommended that the router be configured to use the Network Time Protocol (NTP).
Commented Access Lists
Commented access lists give security administrators the opportunity to configure a remark within the access list. This feature makes the purpose of each access list entry easier to identify. The commented access list feature is configurable within both named and numbered access lists. Remarks within the access list are limited to 100 characters.
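The named, time-based and commented features described in this section combined in one added IOS configuration that is not from the book. It assumes an inside network of 10.1.1.0/24, an inside interface FastEthernet0/0, an internal server at 10.1.1.5 acting as NTP and DNS server, the access list name INSIDE-OUT and the time range name BUSINESS-HOURS (all placeholders).

```cisco
! Added example (not from the book): a named extended access list that
! combines remarks and a time range. Assumed: inside network 10.1.1.0/24,
! inside interface FastEthernet0/0, internal NTP/DNS server 10.1.1.5,
! ACL name INSIDE-OUT and time range name BUSINESS-HOURS (placeholders).
!
! Time-based entries depend on the router clock, so synchronize it with
! NTP before relying on them (a wrong clock silently opens or closes entries).
ntp server 10.1.1.5
clock timezone UTC 0
!
! Named time range; "periodic" recurs weekly on the listed days.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
! Named extended ACL: each "remark" is limited to 100 characters and is
! kept with the entry below it in the configuration.
ip access-list extended INSIDE-OUT
 remark Web browsing from the inside network only during business hours
 permit tcp 10.1.1.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 remark DNS to the internal resolver is allowed at all times
 permit udp 10.1.1.0 0.0.0.255 host 10.1.1.5 eq domain
 remark Everything else would hit the implicit deny; log it explicitly
 deny ip any any log
!
interface FastEthernet0/0
 description Inside interface
 ip access-group INSIDE-OUT in
!
! Verification: "show time-range" reports whether the range is active now;
! "show access-lists INSIDE-OUT" flags time-based entries as active/inactive.
```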