- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary
Chapter 1 Introduction to Network Security
The Corporate Security Policy
Whew! You made it through the introduction to network security! Great—so now that you understand all the problems associated with equipment, networks, and people, what do you do with all this information? The first step is to begin protecting your corporate network by creating and deploying a security policy that spells out each and every way that you and everyone else in the company are going to guard your oh-so-sensitive data!
RFC 2196 states that a security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. A corporate security policy is basically a document that summarizes how the company will use and protect its computing and network resources.
When you are creating a security policy, it is important to be ever mindful of that fine balancing act between ease of use and the level of security actually needed to adequately protect corporate network services. You do a disservice to the client by locking everything down as tightly as possible and/or spending too much money on a network that really doesn’t need 007-level security.
A security policy defines the following criteria:
- What’s important to the enterprise
- What the company is willing to spend (in terms of dollars, personnel, and time) to protect what it has deemed important
- What level of risk it’s willing to tolerate
Sounds good, but do you really need to bother with a security policy? Is creating a security policy actually worth the time, money, and effort required? Absolutely! Here’s a short list of why Cisco says doing so is such a good idea. A corporate security policy:
- Provides a process to audit existing network security.
- Defines which behavior is and is not allowed.
- Provides a general security framework for implementing network security.
- Often determines which tools and procedures are needed for the organization.
- Communicates consensus among a group of key decision-makers and defines the responsibilities of users and administrators.
- Defines a process for handling network security incidents.
- Enables global security implementation and enforcement. Computer security is now an enterprise-wide issue, and computing sites are expected to conform to the network security policy.
- Creates a basis for legal action if necessary.
Now that you know the basics of creating and implementing a formal security policy in your company, where do you get the rest of the information you need so that you can implement it properly? Good question. This book will seriously strengthen your security grip by showing you how to configure Cisco hardware—a crucial capability you just can’t do without today.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
For an in-depth description of those all-important security policies, refer to www.sybex.com for information about Sybex’s Study Guides on the CCSP exams. They will provide you with everything you need to create your own tailor-made and tight policy.
Summary
A corporate security policy is a declaration of the systems and rules needed to have a secure IT structure. Various weaknesses, holes, and chinks are typically found in the armor of security policies and in the network’s security itself. These vulnerabilities fall into three major categories: technology weaknesses, configuration weaknesses, and policy weaknesses.
It’s very important to understand the fundamentals and characteristics of all the different weaknesses inherent to a security policy. There are specific protocols for dealing with each special type of weakness, so you should develop solid solutions to secure your system from those vulnerabilities.
Creating a corporate security policy is not easy, and implementing one is even harder. However, a solid security policy is something your organization cannot live without. Hackers have many different types of attacks in their arsenal; eavesdropping and denial-of-service attacks are just two of the most popular choices for people who want to steal from your network and cause problems for your organization.
You can develop and implement strategies to guard against these attacks with a PIX firewall or the Cisco IOS Firewall Feature Set, which is what the rest of this book is about. By combining this understanding with your newfound appreciation of corporate security policies, you will be empowered to create and maintain a sturdy, intelligent, and cost-effective policy that’s tailor-made to meet the needs of your company and its network.
In the next chapter, you’ll learn how to configure Authentication, Authorization, and Accounting (AAA) services as part of the Cisco NAS interface.
Exam Essentials
Understand the three typical types of weaknesses in any network implementation. The three typical types of weaknesses found in a network implementation are technology, configuration, and policy weaknesses.
Know which attacks can occur because of TCP/IP’s weaknesses. There are many attacks that can occur because of TCP/IP’s inherent weaknesses. The most important attacks to remember are IP spoofing, man-in-the-middle, and session replaying.
Remember the different problems described as configuration weaknesses. Understand the difference between configuration weaknesses and policy weaknesses. Configuration weaknesses include problems such as unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.
Understand what types of issues are considered policy weaknesses. Policy weaknesses involve problems with the corporate security policy such as the absence of a written security policy, organization politics, lack of business continuity, lax security administration, software and hardware that’s installed without following the stated installation policy, and the absence of a disaster recovery plan.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- access control list (ACL)
- Application-layer attack
- Challenge Handshake Authentication Protocol (CHAP)
- configuration weaknesses
- denial-of-service (DoS) attacks
- eavesdropping
- HTML attacks
- man-in-the-middle attack
- masquerading
- network equipment weaknesses
- operating system weaknesses
- private IP addresses
- replaying
- repudiation
- rerouting attack
- security policy
- session hijacking
- smurf attack
- software weaknesses
- TCP/IP weaknesses
- technology weaknesses
- Terminal Access Controller Access Control System (TACACS+)
- Trojan horse
- WareZ
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1. What two common terms are used to describe eavesdropping?
2. Most network implementations have three typical security weaknesses. What are they?
3. Improper change control and no disaster recovery plan demonstrate what type of weakness?
4. An attacker tries to steal an IP address in which type of attack?
5. Unsecured user accounts are what type of weakness?
6. What are the three technology weaknesses that can affect security?
7. No disaster recovery plan and high turnover in the technical support department are examples of which type of weakness?
8. Session replaying, SNMP, and SMTP are examples of what type of weakness?
9. List three options for countering an unauthorized access attempt.
10. Which feature protects a server from TCP SYN-flooding attacks?