Cisco Network Security Little Black Book - Joe Harris.pdf

List of Figures

Chapter 1: Securing the Infrastructure

Figure 1.1: Using privilege levels to create administrative levels.

Figure 1.2: Router A configured for SNMP.

Figure 1.3: Router A and Router B configured for RIP authentication.

Figure 1.4: Router A and Router B configured for OSPF authentication.

Figure 1.5: Router B configured with an inbound route filter.

Figure 1.6: User Jeff needs HTTP access to the router.

Chapter 2: AAA Security Technologies

Figure 2.1: One-way PAP authentication.

Figure 2.2: Three-way CHAP authentication.

Figure 2.3: TACACS+ packet header.

Figure 2.4: TACACS+ authentication.

Figure 2.5: TACACS+ authorization.

Figure 2.6: RADIUS authentication process.

Figure 2.7: RADIUS accounting process.

Figure 2.8: Single TACACS+ server.

Figure 2.9: Multiple TACACS+ servers.

Figure 2.10: Remote client PPP connection.

Figure 2.11: Cisco Secure ACS server interface.

Figure 2.12: Console of the Cisco Secure ACS server.

Chapter 3: Perimeter Router Security

Figure 3.1: TCP three-way handshake.

Figure 3.2: Example of CEF network.

Figure 3.3: Unicast RPF.

Figure 3.4: An example TCP Intercept network.

Figure 3.5: Static NAT.

Figure 3.6: Example static NAT and route map network.

Figure 3.7: Dynamic NAT network example.

Figure 3.8: Router 1 Dynamic NAT with route map.

Figure 3.9: Rate-limiting Denial of Service.

Figure 3.10: A network design with logging defined.

Chapter 4: IOS Firewall Feature Set

Figure 4.1: Basic operation of CBAC.

Figure 4.2: Sample CBAC network.

Figure 4.3: Network configured for Java blocking.

Figure 4.4: Router 3 configured for CBAC with three interfaces.

Figure 4.5: CBAC and NAT network design.

Figure 4.6: Network layout for PAM.

Figure 4.7: Host that needs PAM configuration.

Figure 4.8: Simple firewall IDS network design.

Chapter 5: Cisco Encryption Technology


Figure 5.1: An Example of the Scytale cipher.

Figure 5.2: Example of symmetric key encryption.

Figure 5.3: Example of asymmetric key encryption.

Figure 5.4: Verbal authentication process.

Figure 5.5: CET network topology.

Chapter 6: Internet Protocol Security

Figure 6.1: IP packet.

Figure 6.2: AH in transport mode.

Figure 6.3: ESP in transport mode.

Figure 6.4: AH in tunnel mode.

Figure 6.5: ESP in tunnel mode.

Figure 6.6: Basic network using IPSec.

Figure 6.7: Full mesh IPSec network.

Figure 6.8: Network using manual IPSec keys.

Figure 6.9: Tunnel EndPoint Discovery.

Chapter 7: Additional Access List Features

Figure 7.1: Truth table for Boolean operations.

Figure 7.2: Example of traffic initiated on an internal network with reflexive access lists configured.

Figure 7.3: Example of Host B accessing Host A through Router A configured with dynamic access lists.

Figure 7.4: Standard access list network.

Figure 7.5: Two routers configured for extended access lists.

Figure 7.6: TCP access list for Router C.

Figure 7.7: Router C permitting and denying traffic.

Figure 7.8: Dynamic access list security.

Figure 7.9: Reflexive access list network.

Figure 7.10: External reflexive access list.

Appendix B: Securing Ethernet Switches

Figure B.1: Catalyst switch using IP permit lists.


List of Tables

Chapter 2: AAA Security Technologies

Table 2.1: Authorization command parameters.

Table 2.2: Accounting command parameters.

Chapter 3: Perimeter Router Security

Table 3.1: Logging messages and severity level.

Chapter 4: IOS Firewall Feature Set

Table 4.1: System-defined port application services.

Chapter 5: Cisco Encryption Technology

Table 5.1: Flag field messages.

Chapter 6: Internet Protocol Security

Table 6.1: Transform combinations.

Table 6.2: Security association states.

Chapter 7: Additional Access List Features

Table 7.1: Access list type and numbers.

Table 7.2: Protocols available with extended access lists.

Table 7.3: Precedence values for extended access lists.

Table 7.4: Type-of-service values for extended access lists.

Appendix A: IOS Firewall IDS Signature List

Table A.1: IOS Firewall Network Security Database signatures.


List of Listings

Chapter 1: Securing the Infrastructure

Listing 1.1: Router A's configuration with MD5 authentication.

Listing 1.2: Router B's configuration with MD5 authentication.

Listing 1.3: The output of the command debug ip rip displays how Router A receives RIP routing updates from Router B.

Listing 1.4: The output of the command debug ip rip displays how Router B receives RIP routing updates from Router A.

Listing 1.5: Router A's configuration with MD5 authentication.

Listing 1.6: Router B's configuration with MD5 authentication.

Listing 1.7: Route table of Router A with correct authentication configured.

Listing 1.8: Route table of Router A with incorrect authentication configured.

Listing 1.9: Router A configured to authenticate OSPF packets using plain text authentication.

Listing 1.10: Router B configured to authenticate OSPF packets using plain text authentication.

Listing 1.11: Router A configured for MD5 authentication.

Listing 1.12: Router B configured for MD5 authentication.

Listing 1.13: Router A configured with multiple keys and passwords.

Listing 1.14: Router B configured with multiple keys and passwords.

Listing 1.15: Router A configuration.

Listing 1.16: Router B configuration.

Listing 1.17: Router B's route table.

Listing 1.18: Router B configured with an inbound route filter.

Listing 1.19: Router B's route table with inbound route filter permitting only one network.

Listing 1.20: Route table of Router A.

Listing 1.21: Router A configured with an inbound route filter.

Listing 1.22: Router A's route table with inbound route filter permitting only one network.

Listing 1.23: Router A's configuration.

Listing 1.24: Router B's configuration.

Listing 1.25: Router A configured with an outbound route filter.

Listing 1.26: Route table of Router B after applying an outbound route filter on Router A.

Listing 1.27: Router B configured with an outbound route filter.

Listing 1.28: Route table of Router A after applying an outbound route filter on Router B.

Chapter 2: AAA Security Technologies

Listing 2.1: Debugging TACACS+ events output.

Listing 2.2: Router Seminole authentication configuration.

Listing 2.3: Successful login authentication output.

Listing 2.4: Failed login authentication output.

Listing 2.5: Authentication debug output.

Listing 2.6: PPP network access server.

Listing 2.7: Remote authentication using TACACS+.

Listing 2.8: Authorization configuration.

Listing 2.9: Authorization process.

Listing 2.10: Accounting configuration.

Listing 2.11: Accounting process.

Listing 2.12: Output of the Users.txt file.

Listing 2.13: Output of the dump.txt file.


Chapter 3: Perimeter Router Security

Listing 3.1: The adjacency table of Router B.

Listing 3.2: An example CEF table for Router B.

Listing 3.3: An example of the show cef interface command.

Listing 3.4: An example Unicast RPF logging configuration.

Listing 3.5: TCP Intercept configuration of Router B.

Listing 3.6: The output of show tcp intercept statistics.

Listing 3.7: Example of show tcp intercept connections output.

Listing 3.8: Example output from debug ip tcp intercept.

Listing 3.9: Example Intercept aggressive mode configuration.

Listing 3.10: Final TCP Intercept configuration.

Listing 3.11: Static NAT configuration.

Listing 3.12: Router 1 static NAT with route map configuration.

Listing 3.13: Dynamic NAT configuration.

Listing 3.14: Display of NAT translations.

Listing 3.15: Display of NAT statistics.

Listing 3.16: Router 1 Dynamic NAT with route map configuration.

Listing 3.17: PAT configuration example.

Listing 3.18: Router A configured for rate-limiting.

Listing 3.19: Rate limit configuration of Router A.

Listing 3.20: Verifying the operation of CAR.

Listing 3.21: Router B configuration.

Listing 3.22: Multiple rate-limiting policies configuration.

Listing 3.23: Router B's logging configuration.

Listing 3.24: Show logging output.

Listing 3.25: Show logging history output.

Listing 3.26: Show logging history.

Chapter 4: IOS Firewall Feature Set

Listing 4.1: Example configuration of Router 3 for CBAC.

Listing 4.2: Output of the show ip inspect command.

Listing 4.3: Audit trail messages on Router 3.

Listing 4.4: Updated output from the show ip inspect command.

Listing 4.5: Configuring Router 3 for Java blocking.

Listing 4.6: Debug output of Java blocking.

Listing 4.7: CBAC configuration of Router 3 with three interfaces.

Listing 4.8: Router 3 configured for CBAC and NAT.

Listing 4.9: PAM configuration for Router 3.

Listing 4.10: Port mapping table on Router 3.

Listing 4.11: Default PAM table of Router 3.

Listing 4.12: Attempt to map over a system-defined entry.

Listing 4.13: Creating host-defined entries on Router 3.

Listing 4.14: Display of the host-defined PAM table entries.

Listing 4.15: Subnet-defined PAM configuration.

Listing 4.16: Output of the PAM table on Router 3.

Listing 4.17: Router 3 configured to override system-defined entries.

Listing 4.18: Display of PAM table on Router 3.

Listing 4.19: Configuration of mapping different hosts to the same port.

Listing 4.20: Final configuration of Router 3.

Listing 4.21: Complete PAM table for Router 3.


Listing 4.22: IDS configuration of Router 3.

Listing 4.23: Output of the show ip audit statistics command.

Listing 4.24: Router 3 audit configuration.

Listing 4.25: Denying devices from inspection.

Listing 4.26: Access list configuration.

Listing 4.27: Verification of disabled attack signatures.

Listing 4.28: Disabling attack signatures on a per-host basis.

Listing 4.29: Complete intrusion detection configuration.

Chapter 5: Cisco Encryption Technology

Listing 5.1: Initial configuration of Router A.

Listing 5.2: Initial configuration of Router B.

Listing 5.3: Layer 3 connectivity verified on Router A.

Listing 5.4: Layer 3 communication verified on Router B.

Listing 5.5: Generating Router A's key.

Listing 5.6: Generating Router B's key.

Listing 5.7: Router A saving private key to NVRAM.

Listing 5.8: Router B saving private key to NVRAM.

Listing 5.9: Viewing Router A's public key.

Listing 5.10: Viewing Router B's public key.

Listing 5.11: Router B enabling DSS key exchange.

Listing 5.12: Router A enabling DSS key exchange.

Listing 5.13: Router B asking to accept Router A's public key.

Listing 5.14: Router B asks to send Router A its public key.

Listing 5.15: Router A receives Router B's public key.

Listing 5.16: Router A viewing Router B's public key.

Listing 5.17: Router B viewing Router A's public key.

Listing 5.18: Router A's configuration after exchanging keys.

Listing 5.19: Router B's configuration after exchanging keys.

Listing 5.20: Configuring a global encryption policy on Router A.

Listing 5.21: Configuring a global encryption policy on Router B.

Listing 5.22: Viewing encryption algorithms in use on Router A.

Listing 5.23: Viewing encryption algorithms in use on Router B.

Listing 5.24: Encryption access list configuration on Router A.

Listing 5.25: Encryption access list configuration on Router B.

Listing 5.26: Access list configuration of Router A.

Listing 5.27: Access list configuration of Router B.

Listing 5.28: Crypto map configuration of Router A.

Listing 5.29: Crypto map configuration of Router B.

Listing 5.30: Viewing the crypto map configuration of Router A.

Listing 5.31: Viewing the crypto map configuration of Router B.

Listing 5.32: Applying the crypto map to Router A.

Listing 5.33: Applying the crypto map to Router B.

Listing 5.34: The ping command issued on Router A.

Listing 5.35: Debug output from the ping command on Router A.

Listing 5.36: Output of show commands on Router A.

Listing 5.37: Final CET configuration of Router A.

Listing 5.38: Final CET configuration of Router B.

Chapter 6: Internet Protocol Security


Listing 6.1: IPSec configuration of Router A.

Listing 6.2: IPSec configuration of Router B.

Listing 6.3: Enabling the debug commands and the ping request.

Listing 6.4: Security association request.

Listing 6.5: IKE verification process.

Listing 6.6: IKE negotiation.

Listing 6.7: Completion of security association setup process.

Listing 6.8: Security association database on Router B.

Listing 6.9: IKE security association database.

Listing 6.10: IPSec configuration of Router A.

Listing 6.11: IPSec configuration of Router B.

Listing 6.12: IPSec configuration of Router C.

Listing 6.13: Manual AH configuration of Router 1.

Listing 6.14: Manual AH configuration of Router 2.

Listing 6.15: Manual security associations on Router 2.

Listing 6.16: Security association process on Router 2.

Listing 6.17: Manual AH and ESP configuration of Router 1.

Listing 6.18: Manual AH and ESP configuration of Router 2.

Listing 6.19: Manual security associations on Router 1.

Listing 6.20: Changing keys on Router 2.

Listing 6.21: Router 2 deleting security associations.

Listing 6.22: Router 2's failed attempt to set a security association.

Listing 6.23: Tunnel EndPoint Discovery configuration of Router A.

Listing 6.24: Tunnel EndPoint Discovery configuration of Router B.

Listing 6.25: Complete Tunnel EndPoint process for Router A.

Chapter 7: Additional Access List Features

Listing 7.1: Raul's numbered access list configuration.

Listing 7.2: Chris's numbered access list configuration.

Listing 7.3: Issuing the ping command on Raul.

Listing 7.4: Results of the debug ip packet command.

Listing 7.5: Issuing the ping command again on Raul.

Listing 7.6: Results of the debug ip packet command on Raul.

Listing 7.7: Extended access list configuration of Raul.

Listing 7.8: Extended access list configuration of Chris.

Listing 7.9: Ping attempt to 192.168.50.50 from 192.168.30.31.

Listing 7.10: Output of the debug ip packet command on Raul.

Listing 7.11: Ping attempt to 192.168.50.50 from 192.168.30.30.

Listing 7.12: Output of the debug ip packet command on Raul.

Listing 7.13: TCP established configuration of Router C.

Listing 7.14: Established TCP connection output.

Listing 7.15: Named access list configuration of Raul.

Listing 7.16: Named access list configuration of Chris.

Listing 7.17: Output of the show ip interface command on Chris.

Listing 7.18: Commented named access list on Router C.

Listing 7.19: Commented numbered access list on Router C.

Listing 7.20: Configuration of Router 1 for dynamic access lists.

Listing 7.21: Configuration of Router 2 for dynamic access lists.

Listing 7.22: Temporary access list entries on Router 1.

Listing 7.23: Show logging on Router 1.

Listing 7.24: New configuration of Router 1.


Listing 7.25: Reflexive access list configuration of Router 2.

Listing 7.26: Display of the access lists defined on Router 2.

Listing 7.27: Displaying the reflexive access list on Router 2.

Listing 7.28: External reflexive access list on Router 2.

Listing 7.29: Timed access list using numbered access list.

Listing 7.30: Timed access list using named access list.
