- •Using Your Sybex Electronic Book
- •Acknowledgments
- •Introduction
- •Assessment Test
- •Answers to Assessment Test
- •Types of Network Security Threats
- •Types of Security Weaknesses
- •Technology Weaknesses
- •Configuration Weaknesses
- •Policy Weaknesses
- •Types of Network Attacks
- •Eavesdropping
- •Denial-of-Service Attacks
- •Unauthorized Access
- •WareZ
- •Masquerade Attack (IP Spoofing)
- •Session Hijacking or Replaying
- •Rerouting
- •Repudiation
- •Smurfing
- •Password Attacks
- •Man-in-the-Middle Attacks
- •Application-Layer Attacks
- •Trojan Horse Programs, Viruses, and Worms
- •HTML Attacks
- •The Corporate Security Policy
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Authentication Methods
- •Windows Authentication
- •Security Server Authentication
- •PAP and CHAP Authentication
- •PPP Callback
- •Configuring the NAS for AAA
- •Securing Access to the Exec Mode
- •Enable AAA Locally on the NAS
- •Authentication Configuration on the NAS
- •Authorization Configuration on the NAS
- •Accounting Configuration on the NAS
- •Verifying the NAS Configuration
- •Troubleshooting AAA on the Cisco NAS
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 2.1: Setting the Line Passwords
- •Lab 2.2: Setting the Enable Passwords
- •Lab 2.3: Encrypting your Passwords
- •Lab 2.4: Creating Usernames and Logging In
- •Lab 2.5: Configuring AAA Authentication on the NAS
- •Answers to Written Lab
- •Answers to Review Questions
- •Introduction to the CiscoSecure ACS
- •Using User Databases for Authentication
- •Populating the User Database
- •New ACS Features
- •Installing CiscoSecure ACS 3.0
- •Administering CiscoSecure ACS
- •TACACS+ Overview
- •Configuring TACACS+
- •Using RADIUS
- •CiscoSecure User Database NAS Configuration for RADIUS
- •Verifying TACACS+
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Solving Eavesdropping and Session Replay Problems
- •Fighting Rerouting Attacks
- •Fighting Denial-of-Service Attacks
- •Turning Off and Configuring Network Services
- •Blocking SNMP Packets
- •Disabling Echo
- •Turning Off BOOTP and Auto-Config
- •Disabling the HTTP Interface
- •Disabling IP Source Routing
- •Disabling Proxy ARP
- •Disabling Redirect Messages
- •Disabling the Generation of ICMP Unreachable Messages
- •Disabling Multicast Route Caching
- •Disabling the Maintenance Operation Protocol (MOP)
- •Turning Off the X.25 PAD Service
- •Enabling the Nagle TCP Congestion Algorithm
- •Logging Every Event
- •Disabling Cisco Discovery Protocol
- •Disabling the Default Forwarded UDP Protocols
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Lab
- •Lab 4.1: Controlling TCP/IP Services
- •Answers to Written Lab
- •Answers to Review Questions
- •Understanding the Cisco IOS Firewall
- •Authentication Proxy and IDS
- •Context-Based Access Control
- •CBAC Compared to ACLs
- •CBAC-Supported Protocols
- •Introduction to CBAC Configuration
- •Using Audit Trails and Alerts
- •Configuring Global Timeouts and Thresholds
- •Configuring PAM
- •Defining Inspection Rules
- •Applying Inspection Rules and ACLs to Router Interfaces
- •Configuring IP ACLs at the Interface
- •Testing and Verifying CBAC
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 5.1: Configure Logging and Audit Trails
- •Lab 5.2: Define and Apply Inspection Rules and ACLs
- •Lab 5.3: Test and Verify CBAC
- •Answers to Written Lab
- •Answers to Review Questions
- •Introduction to the Cisco IOS Firewall Authentication Proxy
- •Configuring the AAA Server
- •Configuring AAA
- •Configuring the Authentication Proxy
- •Testing and Verifying Your Configuration
- •show Commands
- •Clearing the Cache
- •Introduction to the Cisco IOS Firewall IDS
- •Initializing Cisco IOS Firewall IDS
- •Configuring, Disabling, and Excluding Signatures
- •Creating and Applying Audit Rules
- •Setting Default Actions
- •Creating an Audit Rule
- •Applying the Audit Rule
- •Verifying the Configuration
- •Stopping the IOS Firewall IDS
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- •Lab 6.2: Enabling the IOS Firewall IDS
- •Answers to Written Lab
- •Answers to Review Questions
- •What is a Virtual Private Network?
- •Introduction to Cisco IOS IPSec
- •IPSec Transforms
- •IPSec Operation
- •The Components of IPSec
- •IPSec Encapsulation
- •Internet Key Exchange (IKE)
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- •Preparing for IKE and IPSec
- •Configuring IKE
- •Configuring IPSec
- •Testing and Verifying IPSec
- •Configuring IPSec Manually
- •Configuring IPSec for RSA-Encrypted Nonces
- •Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- •Configuring CA Support Tasks
- •Preparing for IKE and IPSec
- •Configuring CA Support
- •Configuring IKE Using CA
- •Configuring IPSec for CA
- •Testing and Verifying IPSec for CA
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 8.1: Configure IKE on Lab_A and Lab_B
- •Lab 8.2: Configure IPSec on Lab_A and Lab_B
- •Answers to Written Lab
- •Answers to Review Questions
- •Answers to Hands-On Labs
- •Answer to Lab 8.1
- •Answer to Lab 8.2
- •Introduction to Cisco Easy VPN
- •The Easy VPN Server
- •Introduction to the Cisco VPN 3.5 Client
- •Easy VPN Server Configuration Tasks
- •Pre-Configuring the Cisco VPN 3.5 Client
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Hands-On Lab
- •Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- •Answers to Written Lab
- •Answers to Review Questions
- •Network Separation
- •Three Ways through a PIX Firewall
- •PIX Firewall Configuration Basics
- •Configuring Interfaces
- •Saving Your Configuration
- •Configuring Access through the PIX Firewall
- •Configuring Outbound Access
- •Configuring Inbound Access
- •Configuring Multiple Interfaces and AAA on the PIX Firewall
- •Configuring Multiple Interfaces
- •Implementing AAA on the PIX Firewall
- •Configuring Advanced PIX Firewall Features
- •Failover
- •Outbound Access Control
- •Logging
- •SNMP Support
- •Java Applet Blocking
- •URL Filtering
- •Password Recovery
- •Glossary
26 Chapter 1 Introduction to Network Security
Answers to Written Lab
1. Network snooping and packet sniffing are two common terms for eavesdropping.
2. Policy, technology, and configuration weaknesses are the three typical security weaknesses in a network implementation.
3. Improper change control and no disaster recovery plan demonstrate policy weaknesses.
4. A masquerade attack (IP spoofing) is when an attacker forges the source IP address of a trusted host so that the attacker's traffic appears to come from that host.
5. Unsecured user accounts are an example of a configuration weakness.
6. TCP/IP weaknesses, operating system weaknesses, and network equipment weaknesses are three technology weaknesses that can affect security.
7. No disaster recovery plan and high turnover in the technical support department are examples of policy weaknesses.
8. Session replaying, SNMP, and SMTP are examples of TCP/IP weaknesses.
9. Cisco Lock-and-Key, CHAP, and TACACS+ are three options for countering an unauthorized access attempt.
10. The TCP Intercept feature protects a server from TCP SYN-flooding attacks.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Answers to Review Questions
1. D, E. Cisco describes the absence of a disaster recovery plan and a high turnover rate in the technical support department as policy weaknesses.
2. A, B, D. Policy, technology, and configuration weaknesses are the three typical weaknesses in a network implementation.
3. C, E, F. There are many known problems in TCP/IP stack implementations. Session replaying is a weakness found in TCP, and both SNMP and SMTP are identified by Cisco as inherently insecure protocols in the TCP/IP suite.
4. B. The TCP Intercept feature protects TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.
5. B, E, G. By using Cisco Lock-and-Key along with CHAP and TACACS+, you can create a more secure network and help prevent unauthorized access.
6. A, D, F. The security challenge facing enterprises today is one of sorting through a wide range of solutions and choosing the right combination. A vast quantity of security technologies exist. It is not the lack of technology that makes securing the network difficult; the problem is choosing among the many different selections available and adopting those that satisfy your unique network and business requirements.
7. C. Network snooping and packet sniffing are common terms for eavesdropping.
8. A, F. Misconfigured network equipment is a configuration weakness, even though it is the first answer most people would pick for this question. A consistent security policy is not a weakness, and IP spoofing and masquerade attacks are attacks, not security policy weaknesses.
9. C. IP spoofing is fairly easy to stop once you understand how it takes place. An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer by using a source IP address that falls within your network's address range; the attacker borrows the identity of a trusted host in order to gain access to network resources. Because such packets arrive on the outside interface carrying an inside source address, an ingress filter on that interface can drop them.
10. B, D. Taking the time to create a security policy is worth the time, money, and effort. For this question, the proper answers are that a security policy provides a process to audit existing network security and defines which behavior is and is not allowed.
11. B, C. Possible configuration weaknesses in a corporate network include unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.
12. A, C, D. Possible policy weaknesses include the absence of a security policy; organization politics; lack of business continuity; the inability of the organization to implement policy evenly; improper change controls; logical access controls not being applied; lax security administration, including monitoring and auditing; software and hardware installation and changes that don't follow the stated installation policy; and the absence of a disaster recovery plan.
13. B, C, D. TCP/IP protocol weaknesses, operating system weaknesses, and network equipment weaknesses are identified by Cisco as the three technology weaknesses.
14. A, C, D. Passwords, firewalls, and authentication, as well as routing protocols, should have policies in place before any network equipment is configured and installed.
15. B. Possible configuration weaknesses in a corporate network include unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.
16. C. Possible policy weaknesses include the absence of a security policy; organization politics; lack of business continuity; inability of the organization to implement policy evenly; improper change controls; logical access controls not being applied; lax security administration, including monitoring and auditing; software and hardware installation and changes that don't follow the stated installation policy; and the absence of a disaster recovery plan.
17. A. TCP/IP protocol weaknesses, operating system weaknesses, and network equipment weaknesses are identified by Cisco as the three technology weaknesses.
18. C. Possible policy weaknesses include the absence of a security policy; organization politics; lack of business continuity; inability of the organization to implement policy evenly; improper change controls; logical access controls not being applied; lax security administration, including monitoring and auditing; software and hardware installation and changes that don't follow the stated installation policy; and the absence of a disaster recovery plan.
19. C. Possible policy weaknesses include the absence of a security policy; organization politics; lack of business continuity; inability of the organization to implement policy evenly; improper change controls; logical access controls not being applied; lax security administration, including monitoring and auditing; software and hardware installation and changes that don't follow the stated installation policy; and the absence of a disaster recovery plan.
20. C. Possible policy weaknesses include the absence of a security policy; organization politics; lack of business continuity; inability of the organization to implement policy evenly; improper change controls; logical access controls not being applied; lax security administration, including monitoring and auditing; software and hardware installation and changes that don't follow the stated installation policy; and the absence of a disaster recovery plan.
Chapter 2
Introduction to AAA Security

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:
Securing network access using AAA
Authentication methods
Configuring local AAA
Verifying AAA
In only a few short years, network security has grown from an afterthought into a critical requirement for network administrators. In an age of increasing dependence on the Internet, nearly everyone, from individuals and small businesses to huge corporations, institutions, and worldwide organizations, is a potential victim of hackers and e-crime. Although defensive techniques continue to improve with time, so do the sophistication and tooling of the attackers. Today's tightest security will look laughably transparent three years from now, so an administrator has to keep current with the industry's quickly evolving security trends.
Solid security hasn't just become a valuable requirement; it's also becoming increasingly complex and multi-tiered. Cisco continues to develop and extend its features to meet these demands by providing you with sharp tools like the Network Access Server (NAS). The NAS isn't a dedicated physical server; it's a router or access server that terminates circuit-switched connections (dial-up modems, ISDN) on one side and forwards the traffic into the packet network on the other, which makes it the natural place to control who gets in.
Authentication, Authorization, and Accounting (AAA) services are part of the Cisco NAS. AAA gives you substantial control over who gets onto your network and what those users are permitted to do once they are in. And there are more tools in the shed: RADIUS and TACACS+ security servers let you centralize the user database and policy instead of maintaining a copy on every router, and they record network events either on the security server itself or on a Syslog server via logging, giving you an audit trail.
I know this sounds pretty complicated, and, truthfully, it is. But that’s why I’m devoting an entire chapter to explaining these things to you!
I'll start with a brief introduction to Cisco NAS and AAA security. And because it's so important to understand how to properly authenticate users on a network, I'm going to discuss the various ways, good and bad, to do that. Then I'm going to cover the ins and outs (pun intended, sorry) of granting permissions and recording activity. And finally, I'll get you into the real goods: the more advanced aspects of Cisco NAS and AAA, including how to configure them.
Understanding Network Access Server and Cisco AAA
Before I explain AAA, it's really important that you understand and remember that Cisco's NAS is not a separate physical server. It's a router (or access server) running IOS; the "server" is the AAA configuration that lives in that router's configuration, including a local database of usernames and passwords. It's this configuration that gives you the ability to add authentication, authorization, and accounting services to your router so you can provide and apply security where and how you need it. Nice! Okay, great. You're asking, "So how do you configure NAS commands on a Cisco router, and when are you going to show me?" Right now! I'll explain how to do this and show you how to provide local AAA security on an NAS router. Let's get started.
One of the things that’s so sweet about AAA architecture is that it enables systematic access security both locally and remotely! AAA technologies work within the remote client system, the NAS, and the security server to secure dial-up access. Here’s a definition of each of the As in AAA:
Authentication: Authentication requires users to prove that they are who they say they are in one of these three ways:
Name and password
Challenge and response
Token cards
Authorization: Authorization takes place only after authentication has validated the user. It determines which resources the authenticated user may reach and which operations (for example, which EXEC commands or network services) that user is allowed to perform.
Accounting: AAA's accounting and auditing function records what users actually do on the network and which resources they access. It also keeps track of how much time they spend using network resources, for billing and auditing purposes.
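Here is what the "challenge and response" option looks like on the wire, as an added example that is not from the Sybex text: a small two-party model of CHAP (RFC 1994), with an Authenticator standing in for the NAS and a Peer standing in for the dial-up client. The user database, user names and secrets are constructed for the example. It shows the property that matters against eavesdropping and session replay: the shared secret never crosses the link, and a response captured by a sniffer is useless against the next challenge.

```python
"""Challenge/response authentication modelled on CHAP (RFC 1994).

Added example, not from the Sybex text. Authenticator stands in for the NAS,
Peer for the remote client; the user database, names and secrets below are
constructed for the example. The point: the shared secret never crosses the
link, and a captured response is useless against the next challenge.
"""
import hashlib
import hmac
import secrets


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """NAS side: holds the per-user secrets, issues and retires challenges."""

    def __init__(self, user_db: dict[str, bytes]) -> None:
        self.user_db = user_db                 # local username -> secret table
        self.ident = 0                         # CHAP Identifier, one per challenge
        self.outstanding: dict[int, bytes] = {}

    def challenge(self) -> tuple[int, bytes]:
        """Message 1 (NAS -> peer): Identifier and a fresh random challenge."""
        self.ident = (self.ident + 1) & 0xFF
        chal = secrets.token_bytes(16)
        self.outstanding[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Message 3 (NAS decision): recompute, compare, retire the challenge."""
        chal = self.outstanding.pop(ident, None)   # each challenge answers once
        secret = self.user_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """Remote client: knows its name and secret but never transmits the secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple[int, str, bytes]:
        """Message 2 (peer -> NAS): Identifier, Name, and the MD5 response."""
        return ident, self.name, chap_response(ident, self.secret, challenge)


def run_exchange(nas: Authenticator, peer: Peer) -> bool:
    """One complete challenge / response / verify round."""
    ident, chal = nas.challenge()
    return nas.verify(*peer.respond(ident, chal))


def replay_attack(nas: Authenticator, peer: Peer) -> bool:
    """Eavesdropper captures one good exchange and replays the response later."""
    ident, chal = nas.challenge()
    captured = peer.respond(ident, chal)           # what a sniffer would see
    if not nas.verify(*captured):
        raise RuntimeError("legitimate login should have succeeded")
    nas.challenge()                                # next login, new challenge
    return nas.verify(*captured)                   # replayed response: False


if __name__ == "__main__":
    nas = Authenticator({"alice": b"s3cret-alice"})      # constructed user DB
    good = Peer("alice", b"s3cret-alice")
    print("correct secret:", run_exchange(nas, good))                      # True
    print("wrong secret  :", run_exchange(nas, Peer("alice", b"guess")))   # False
    print("unknown user  :", run_exchange(nas, Peer("mallory", b"x")))     # False
    print("replay        :", replay_attack(nas, good))                     # False
```

Compare this with name-and-password (PAP), where the password itself is the message and anyone sniffing the link has it. The trade-off is that the NAS must hold each user's secret in recoverable form to recompute the MD5 response, so the CHAP user database is itself a high-value target, which is one reason to keep it on a security server rather than on every NAS.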
The most common form of router authentication is line authentication, which protects character-mode access (an EXEC session reached through a console, AUX, TTY, or VTY line). Line authentication uses a different password for each line, depending on the line the user is connecting through.
You can protect character-mode access to network equipment through a Cisco router as described in Table 2.1.
Table 2.1: Local Line Types

Line Type   Description
AUX         Auxiliary EIA/TIA-232 DTE port on Cisco routers and Ethernet switches. Used for modem-supported remote control and asynchronous routing up to 38.4Kbps.
Console     Console EIA/TIA-232 DCE port on Cisco routers and Ethernet switches. Used for asynchronous access to device configuration modes.
TTY         Standard EIA/TIA-232 DTE asynchronous line on an NAS.
VTY         Virtual terminal line and interface terminating incoming character streams that do not have a physical connection to the access server or the router.
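Because each line type carries its own authentication settings, the check a practitioner wants is a per-line audit of what actually gates access. The following script is an added example, not code from the Sybex text or from Cisco: it parses the line sections of an IOS running-config and reports, for each of the line types in Table 2.1, whether access is open, protected by a shared line password, or tied to per-user credentials. The running-config (hostname NAS, user admin, the passwords) is constructed for the example. It goes one step past the text in two ways: it decodes type-7 passwords with the publicly known IOS key string (which is why the service password-encryption command is obfuscation, not encryption), and it also flags enable password and username ... password entries.

```python
"""Audit character-mode (line) authentication in a Cisco IOS running-config.

Added example, not code from the Sybex text or from Cisco. It walks the console,
AUX, TTY and VTY line sections, reports per line what actually gates access
(nothing, a shared line password, a reversible type-7 password, or per-user
login), and flags 'enable password' and 'username ... password' entries. The
config below is constructed for the example. The type-7 decoder uses the
publicly known IOS key string, which is why 'service password-encryption'
only obfuscates.
"""
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
hostname NAS
enable password cisco
username admin password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
 login
line aux 0
 password aux-pass
line vty 0 4
 login local
 transport input telnet
"""

# Fixed XOR key that every IOS type-7 password is scrambled with.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: two-digit key offset, then XOR'd hex bytes."""
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def parse_lines(config: str) -> dict[str, list[str]]:
    """Return {'con 0': [cmds...], 'vty 0 4': [cmds...]} for each 'line' section."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^line (\S+(?: \d+)+)$", raw)
        if m:
            current = m.group(1)
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None   # any other top-level command ends the section
    return sections


def audit_line(commands: list[str]) -> str:
    """Classify how one line authenticates and return a one-line finding."""
    per_user = "login local" in commands or any(
        c.startswith("login authentication") for c in commands)
    pw = next((c.split() for c in commands if c.startswith("password ")), None)
    if per_user:
        finding = "OK: per-user credentials (login local / AAA method list)"
    elif "login" not in commands:
        finding = "WEAK: no 'login', so the line password is never asked for"
    elif pw is None:
        finding = "WEAK: 'login' set but no line password configured"
    elif len(pw) == 3 and pw[1] == "7":
        finding = f"WEAK: type-7 line password, recoverable as {decode_type7(pw[2])!r}"
    else:
        finding = "WEAK: cleartext line password shared by everyone on this line"
    if any(c.startswith("transport input") and "ssh" not in c for c in commands):
        finding += "; Telnet-only transport, credentials cross the wire in cleartext"
    return finding


def audit(config: str) -> dict[str, str]:
    """Audit every line section plus the enable and username entries."""
    findings = {name: audit_line(cmds) for name, cmds in parse_lines(config).items()}
    if (re.search(r"^enable password ", config, re.M)
            and not re.search(r"^enable secret ", config, re.M)):
        findings["enable"] = "WEAK: 'enable password' only; use 'enable secret' (salted MD5 hash)"
    for m in re.finditer(r"^username (\S+) password (?:(\d) )?(\S+)$", config, re.M):
        user, kind, value = m.group(1), m.group(2) or "0", m.group(3)
        shown = decode_type7(value) if kind == "7" else value
        findings[f"user {user}"] = (f"WEAK: type-{kind} password, recoverable as {shown!r}; "
                                    f"use 'username {user} secret ...'")
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG).items():
        print(f"{where:11} {finding}")
```

Run against the constructed config it reports the console line as type-7 protected (decoded to cisco), the AUX line as open because login is missing, the VTY lines as per-user but reachable only over Telnet, and both the enable password and the admin username as recoverable. That is the gap Labs 2.2 through 2.4 close: enable secret and username ... secret store a salted hash that the router never needs to reverse, whereas service password-encryption only hides passwords from someone glancing at a show running-config.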