Configuring the NAS for AAA (page 41)
Sometimes people call bastions sacrificial hosts because the odds are so good that they’ll be attacked. If you’re thinking that it might be a good idea to offer the bastion host a little backup, you’re on the right track. Because they have only one network interface card (NIC), bastion hosts are vulnerable to IP spoofing attacks. But if you put a bastion host between two routers, you can configure it so that one router filters requests from untrusted networks, while the other router filters requests coming in from trusted networks, thus preventing spoofed packets from reaching your bastion host at all. Your routers verify that any network traffic traveling between them is addressed only to the bastion host. Most of the time, you’ll find all-purpose operating systems such as Windows NT, Unix, or VMS running on a bastion host.
Here’s another term: the dirty DMZ. Sounds really cool, huh? It’s basically just a LAN inside your network that uses real, publicly routable Internet IP addresses. Don’t confuse a dirty DMZ with a protected DMZ LAN: a protected DMZ LAN is connected to the inside of the Private Internet eXchange (PIX) and uses private IP addresses instead.
I know it’s different, but in the example in the preceding graphic, the dirty DMZ has private IP addresses. That’s only because it makes illustrating this configuration easier for the purposes of this book. Just know that your real-world dirty DMZ would have real IP addresses and would be much more vulnerable to attacks than a protected DMZ would be.
Configuring the NAS for AAA
Okay, keeping in mind all you’ve learned so far, it’s time to show you how to configure the NAS to perform AAA using a local database. If you consider that every router is a target, then you must also understand that all interfaces on the NAS are at risk.
Here are the steps you must take to configure the NAS for AAA:
1. Secure access to the exec mode with your character-mode passwords.
2. Enable AAA locally on the NAS.
3. Configure authentication on the NAS.
4. Configure authorization on the NAS.
5. Configure accounting on the NAS.
6. Verify your NAS configuration.
7. Troubleshoot AAA on the Cisco NAS.
Securing Access to the Exec Mode
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Chapter 2 Introduction to AAA Security (page 42)
To secure access to the exec modes, set your character-mode passwords first. Keep in mind that there are two access modes to consider when configuring the NAS: character-mode access and packet-mode access. Table 2.2 lists the different access modes, the port types, and the AAA commands.
Table 2.2 NAS Character and Packet Modes

| Access Type | Network Access Modes | Server Port | AAA Command Element |
|---|---|---|---|
| Remote management | Character mode (line/exec mode) | TTY, VTY, AUX, and CTY | login, exec, NASI connection, ARAP, and enable |
| Remote network access | Packet mode (interface mode) | Async, group-async, BRI, and serial (PRI) | PPP, network, and ARAP |
Earlier in this chapter, you learned how to set your line passwords on the console, VTY, and AUX ports, but you still need to set your enable password. This is done using the following commands:
Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#enable secret globalnet
Todd(config)#enable password globalnet
The enable password you have chosen is the same as your enable secret. This is not recommended.
Re-enter the enable password.
Todd(config)#enable password routersim
Todd(config)#
The best command for this task is the enable secret command, because it automatically encrypts the password and supersedes the enable password. The two passwords cannot be the same.
Password Encryption
Because the enable password isn’t encrypted by default, it’s best to just use the enable secret command. By default, the line passwords aren’t encrypted either.
So use the following command to encrypt your router passwords:
Todd(config)#service password-encryption
Todd(config)#^Z (Ctrl+Z)
Todd#show running-config
Current configuration:
!
hostname Todd
!
enable secret 5 $1$Qrnt$AmoVOSoe/ImPuv6jN9PeL.
enable password 7 06140034584B1B0A0C1A
!
[output cut]
line con 0
 password 7 104D000A0618
 login
 transport input none
line aux 0
 password 7 0958410D1D
 login
line vty 0 4
 password 7 082D4D43041500
 login
Once you’ve turned this command on, you need to exit from the global configuration mode and enter the show running-config command to see that the passwords are now encrypted.
At this point, turn off the service password-encryption command by using the no service password-encryption command, as follows. The reason is that the service password-encryption command otherwise keeps running in the background, and no one needs any extra threads taking up CPU cycles:
Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#no service password-encryption
Todd(config)#^Z
Todd#
In addition to adding the character-mode passwords, you can set a username and password for each user by using the username command as follows:
Todd(config)#username todd password lammle
Todd(config)#line con 0
Todd(config-line)#login local
Todd(config-line)#line aux 0
Todd(config-line)#login local
Todd(config-line)#line vty 0 4
Todd(config-line)#login local
The router will now prompt for a username and password when a login attempt is made:
Todd con0 is now available
Press RETURN to get started.
User Access Verification
Username: todd
Password: (not displayed)
Todd>en
Password: (not displayed)
Todd#
You can now set up access for each user individually and define different levels of access for each user.
Enable AAA Locally on the NAS
You can also set up authentication, authorization, and accounting (AAA) on the router, which we’ll call a NAS from here on out. After you have set the character-mode passwords to secure access to the exec mode, you need to enable AAA globally on the NAS. It’s a pretty simple process:
Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#aaa ?
  new-model  Enable NEW access control commands and functions.(Disables OLD commands.)
Todd(config)#aaa new-model
Todd(config)#aaa ?
  accounting      Accounting configurations parameters.
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  configuration   Authorization configuration parameters.
  dnis            Associate certain AAA parameters to a specific DNIS number
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
  processes       Configure AAA background processes
  route           Static route downloading
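As an added example (not from the book), here is a small Python audit that reads a running-config excerpt shaped like the ones shown in this section and flags the weaknesses the password-encryption, username, and aaa new-model discussions describe: an enable password left beside the enable secret, cleartext and type 7 passwords, lines still protected by a shared line password instead of login local, and a missing aaa new-model. The sample config, its hash, and its type 7 strings are constructed placeholders.

```python
import re

# Constructed sample shaped like the chapter's show running-config excerpt
# (hash and type 7 strings are made-up placeholders, not real output).
SAMPLE_CONFIG = """\
hostname Todd
enable secret 5 $1$abcd$PLACEHOLDERPLACEHOLDERxx
enable password 7 00112233445566778899
username todd password lammle
line con 0
 password 7 001122334455
 login
 transport input none
line aux 0
 password 7 001122334455
 login
line vty 0 4
 password 7 001122334455
 login local
"""

# Password-bearing statements; the optional digit is the storage type
# (absent = type 0 cleartext, 7 = reversible encoding, 5 = MD5 hash).
PW_RE = re.compile(r"^\s*(enable secret|enable password|password|username \S+ password)"
                   r"\s+(?:(\d)\s+)?\S+")

def audit_nas_config(config: str) -> list[str]:
    """Return hardening findings for the password and AAA settings in a config."""
    findings = []
    lines = config.splitlines()
    stmts = [(m.group(1), m.group(2) or "0") for m in map(PW_RE.match, lines) if m]
    kinds = {k for k, _ in stmts}
    if "enable password" in kinds and "enable secret" in kinds:
        findings.append("enable password set alongside enable secret; drop it, the secret supersedes it")
    elif "enable secret" not in kinds:
        findings.append("no enable secret configured; set one rather than relying on enable password")
    if clear := sum(1 for _, t in stmts if t == "0"):
        findings.append(f"{clear} cleartext password(s); run service password-encryption")
    if rev := sum(1 for _, t in stmts if t == "7"):
        findings.append(f"{rev} type 7 password(s): reversible encoding, treat as exposed if the config leaks")
    # A bare 'login' on a line means a shared line password rather than per-user authentication.
    current = None
    for line in lines:
        if line.startswith("line "):
            current = line.strip()
        elif current and line.strip() == "login":
            findings.append(f"{current}: shared line password ('login'); prefer 'login local' or AAA")
    if "aaa new-model" not in (l.strip() for l in lines):
        findings.append("aaa new-model not enabled; AAA authentication, authorization and accounting unavailable")
    return findings
```

Run audit_nas_config on the text of a saved show running-config; an empty list means none of the checks above fired.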