Chapter 2 Introduction to AAA Security

Table 2.3 AAA Authorization Commands

| Command | Description |
| --- | --- |
| aaa authorization commands level 15 | Allows all exec commands at the specified level (0–15). In this example, this is level 15, which is regarded as full authorization and is normally associated with enable mode. |
| aaa authorization config-commands | Uses AAA authorization for configuration-mode commands. |
| aaa authorization configuration | Allows you to download the configuration from an AAA server. |
| aaa authorization exec | Authorizes the exec process with AAA. |
| aaa authorization ipmobile | Allows you to configure Mobile IP services. |
| aaa authorization network | Performs authorization security on all network services, including SLIP, PPP, and ARAP. |
| aaa authorization reverse-access | Uses AAA authorization for reverse Telnet connections. |
Accounting Configuration on the NAS
AAA’s accounting function records who did what and for how long. The accounting function relies on the authentication process to provide part of the audit trail. This is why it’s a good idea to establish accounts with easily identified usernames—typically a last-name, first-initial configuration.
The configuration of accounting in AAA is fairly simple, but you do have a few choices to consider:
Todd(config)#aaa accounting ?
  commands     For exec (shell) commands.
  connection   For outbound connections. (telnet, rlogin)
  exec         For starting an exec (shell).
  nested       When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
  network      For network services. (PPP, SLIP, ARAP)
  send         Send records to accounting server.
  suppress     Do not generate accounting records for a specific type of user.
  system       For System events.
  update       Enable accounting update records.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
The preceding output lists the current AAA accounting commands available from global configuration mode. This section will focus on the network command for now.
The aaa accounting network command allows you to configure either a named list or the default:
Todd(config)#aaa accounting network ?
  WORD     Named Accounting list.
  default  The default accounting list.
Todd(config)#aaa accounting network default ?
  none         No accounting.
  start-stop   Record start and stop without waiting.
  stop-only    Record stop when service terminates.
  wait-start   Same as start-stop but wait for start-record commit.
Todd(config)#aaa accounting network default start-stop ?
  radius   Use RADIUS for Accounting.
  tacacs+  Use TACACS+.
The default keyword lets you record the start and stop times of a user’s session on the network. But you’ve got to have a RADIUS or TACACS+ server for that, so you’ll learn more about this configuration in Chapter 3.
For now, check out Table 2.4. It lists the more commonly used commands for configuring AAA accounting. The trick for deciding which command to use is to balance your need for obtaining complete accounting records against the overhead incurred by recording those records.
Table 2.4 AAA Accounting Commands

| Command | Description |
| --- | --- |
| aaa accounting commands level | Audits all commands. If specified, only commands at the specified privilege level (0–15) are included. |
| aaa accounting connection | Audits all outbound connections, including Telnet and rlogin. |
| aaa accounting exec | Audits the exec process. |
| aaa accounting nested | Used when PPP authentication is used to record activity before the start-stop times are recorded. |
| aaa accounting network | Audits network service requests, including SLIP, PPP, and ARAP requests. |
| aaa accounting system | Audits system-level events. This includes reload, for example. Because a router reload is one of the ultimate DoS attacks, it would be useful to know the user identification that issues the command. |
| aaa accounting send | Documents the start and stop of a session. Audit information is sent in the background, so there is no delay for the user. |
| aaa accounting suppress | Sends a stop accounting notice at the end of a user process. |
| aaa accounting system | Similar to aaa accounting start-stop, this command documents the start of a session. However, the user is not permitted to continue until the accounting server acknowledges the log entry. This can delay user access. |
| aaa accounting update | Enables TACACS+ or RADIUS accounting. |
One area in which AAA accounting transcends security is charge-back. If accurate start and stop times are well recorded, a company could charge users for their time spent on the system to offset the costs of running the system. ISPs have long considered this as an alternative to the flat-rate model currently used in the United States.
Verifying the NAS Configuration
The following output is from the configuration file of the Todd NAS router. It highlights the commands used for the AAA authentication and authorization configuration:
Todd#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Todd
!
aaa new-model
aaa authentication login default local
aaa authentication login dial-in local
aaa authentication ppp dial-in local
aaa authorization commands 1 begin local
aaa authorization commands 15 end local
aaa authorization network admin local none
enable secret 5 $1$Qrnt$AmoVOSoe/ImPuv6jN9PeL.
enable password 7 06140034584B1B0A0C1A
!
username todd password 0 lammle
ip subnet-zero
!
isdn switch-type basic-ni
!
[output cut]
The preceding output starts the AAA service and establishes authentication services for both the login default and the dial-in processes. The aaa authorization commands provide level 1 and level 15 access to network resources. You’ll learn about the accounting commands in Chapter 3.
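Reading a running-config by eye works for one router; for a fleet you want the same check automated. The following Python script is an added example, not code from the book or from Cisco: it pulls the AAA lines out of a running-config in the form shown above, summarises the authentication and authorization lists, and flags the hygiene gaps that this particular configuration exhibits (accounting not yet configured, service password-encryption off, a type 0 cleartext username password). The sample configuration is constructed after the Todd excerpt with the secrets replaced by placeholders; the regular expressions and the AaaSummary structure are this example's own assumptions about the line formats, not an IOS API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Todd NAS "sh run" excerpt above; the
# enable secret, type-7 string and cleartext password are placeholders.
SAMPLE_CONFIG = """\
version 12.0
no service password-encryption
!
hostname Todd
!
aaa new-model
aaa authentication login default local
aaa authentication login dial-in local
aaa authentication ppp dial-in local
aaa authorization commands 1 begin local
aaa authorization commands 15 end local
aaa authorization network admin local none
enable secret 5 $1$PLAC$EHOLDERxxxxxxxxxxxxxxxxxx
enable password 7 PLACEHOLDER7
!
username todd password 0 PLACEHOLDER0
ip subnet-zero
"""

# Assumed line shapes: "aaa authentication <type> <list> <methods...>",
# "aaa authorization <type> [<level>] [<list> <methods...>]",
# "aaa accounting <type> <rest...>".
AUTHEN_RE = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$")
AUTHOR_RE = re.compile(r"^aaa authorization (\S+)(?: (.+))?$")
ACCT_RE = re.compile(r"^aaa accounting (\S+) (.+)$")


@dataclass
class AaaSummary:
    new_model: bool = False
    authentication: list = field(default_factory=list)  # (type, list, methods)
    authorization: list = field(default_factory=list)   # (type, level, list, methods)
    accounting: list = field(default_factory=list)      # (type, remaining tokens)
    findings: list = field(default_factory=list)        # hygiene problems found


def audit_aaa(config: str) -> AaaSummary:
    """Summarise the AAA lines of an IOS-style running-config and flag gaps."""
    s = AaaSummary()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            s.new_model = True
        elif m := AUTHEN_RE.match(line):
            s.authentication.append((m.group(1), m.group(2), m.group(3).split()))
        elif m := AUTHOR_RE.match(line):
            kind, tokens = m.group(1), (m.group(2) or "").split()
            if kind == "commands" and len(tokens) >= 2:   # commands <level> <list> ...
                level, name, methods = tokens[0], tokens[1], tokens[2:]
            else:                                          # <type> <list> <methods...>
                level = None
                name = tokens[0] if tokens else None
                methods = tokens[1:]
            s.authorization.append((kind, level, name, methods))
        elif m := ACCT_RE.match(line):
            s.accounting.append((m.group(1), m.group(2).split()))
        elif line == "no service password-encryption":
            s.findings.append("service password-encryption is disabled")
        elif line.startswith("username ") and " password 0 " in line:
            s.findings.append(f"cleartext (type 0) password for user {line.split()[1]}")
    if not s.new_model:
        s.findings.append("aaa new-model is not configured")
    if not s.accounting:
        s.findings.append("no aaa accounting commands configured")
    return s


if __name__ == "__main__":
    summary = audit_aaa(SAMPLE_CONFIG)
    for entry in summary.authentication:
        print("authentication", entry)
    for entry in summary.authorization:
        print("authorization", entry)
    for finding in summary.findings:
        print("finding:", finding)
```

Feed it the text captured from sh run on each NAS; the findings list is the part worth turning into a report, since an authentication setup that looks complete can still leave no audit trail if the accounting commands never made it into the config.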
Troubleshooting AAA on the Cisco NAS
Everything’s gone well so far, but for the darker days, let’s look at some commands that help you with troubleshooting AAA configurations. These three debugging commands can be used to trace AAA packets and monitor their activities:
debug aaa authentication
debug aaa authorization
debug aaa accounting
The following output results from executing the debug aaa authentication command. You can use this information to troubleshoot console logins:
Todd#debug aaa authentication
Todd#exit
01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA: parse name=tty0 idb type=-1 tty=-1
01:41:51: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:41:51: AAA/AUTHEN: create_user (0x81420624) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA/AUTHEN/START (864264997): port='tty0' list='' action=LOGIN service=LOGIN
01:41:51: AAA/AUTHEN/START (864264997): using "default" list
01:41:51: AAA/AUTHEN/START (864264997): Method=LOCAL
01:41:51: AAA/AUTHEN (864264997): status = GETUSER
User Access Verification
username:todd
Password: (not shown)
Todd>
01:42:12: AAA/AUTHEN/CONT (864264997): continue_login (user='(undef)')
01:42:12: AAA/AUTHEN (864264997): status = GETUSER
01:42:12: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:12: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): continue_login (user='todd')
01:42:14: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:14: AAA/AUTHEN (864264997): status = PASS
The preceding output shows the user-mode access on the NAS (priv=1), that the username is todd, and that the method is local authentication. The following output is the enable access, which is shown as priv=15, meaning level 15 access.
Todd>enable
Password: (not shown)
01:42:46: AAA/AUTHEN: dup_user (0x8147DFC4) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
01:42:46: AAA/AUTHEN/START (3721425915): port='tty0' list='' action=LOGIN service=ENABLE
01:42:46: AAA/AUTHEN/START (3721425915): console enable - default to enable password (if any)
01:42:46: AAA/AUTHEN/START (3721425915): Method=ENABLE
01:42:46: AAA/AUTHEN (3721425915): status = GETPASS
Todd#
01:42:50: AAA/AUTHEN/CONT (3721425915): continue_login (user='(undef)')
01:42:50: AAA/AUTHEN (3721425915): status = GETPASS
01:42:50: AAA/AUTHEN/CONT (3721425915): Method=ENABLE
01:42:50: AAA/AUTHEN (3721425915): status = PASS
01:42:50: AAA/AUTHEN: free_user (0x8147DFC4) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15
Use the no debug aaa authentication form of the command to disable this debug mode, as follows:
Todd#no debug aaa authentication
AAA Authentication debugging is off
Todd#
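The debug output above is a state machine per session id: START, then Method, then a status that walks GETUSER, GETPASS and finally PASS (or FAIL). When the output comes from a terminal server with many lines, the sessions interleave and it helps to regroup them. The Python below is an added example, not the book's or Cisco's code: it groups lines by the session id in parentheses, records the port, list, service, method, user and the status sequence for each session, and returns the sessions that ended in FAIL, which is what you would alert on. The sample lines are constructed after the output above; the third session (id 1122334455, a failed enable attempt) is constructed and does not appear in the book. The regular expressions are this example's assumptions about the line formats.

```python
import re

# Constructed sample modelled on the debug aaa authentication output above.
# Session 1122334455 (a failed enable attempt) is constructed, not from the book.
SAMPLE_DEBUG = """\
01:41:51: AAA/AUTHEN/START (864264997): port='tty0' list='' action=LOGIN service=LOGIN
01:41:51: AAA/AUTHEN/START (864264997): using "default" list
01:41:51: AAA/AUTHEN/START (864264997): Method=LOCAL
01:41:51: AAA/AUTHEN (864264997): status = GETUSER
01:42:12: AAA/AUTHEN/CONT (864264997): continue_login (user='(undef)')
01:42:12: AAA/AUTHEN (864264997): status = GETUSER
01:42:12: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:12: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): continue_login (user='todd')
01:42:14: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:14: AAA/AUTHEN (864264997): status = PASS
01:42:46: AAA/AUTHEN/START (3721425915): port='tty0' list='' action=LOGIN service=ENABLE
01:42:46: AAA/AUTHEN/START (3721425915): console enable - default to enable password (if any)
01:42:46: AAA/AUTHEN/START (3721425915): Method=ENABLE
01:42:46: AAA/AUTHEN (3721425915): status = GETPASS
01:42:50: AAA/AUTHEN/CONT (3721425915): Method=ENABLE
01:42:50: AAA/AUTHEN (3721425915): status = PASS
01:43:05: AAA/AUTHEN/START (1122334455): port='tty0' list='' action=LOGIN service=ENABLE
01:43:05: AAA/AUTHEN/START (1122334455): Method=ENABLE
01:43:05: AAA/AUTHEN (1122334455): status = GETPASS
01:43:09: AAA/AUTHEN/CONT (1122334455): Method=ENABLE
01:43:09: AAA/AUTHEN (1122334455): status = FAIL
"""

# Assumed line shapes, derived from the output above.
START_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)' list='([^']*)' action=(\S+) service=(\S+)")
METHOD_RE = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(\S+)")
USER_RE = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\S+)")
TIME_RE = re.compile(r"^(\d+:\d+:\d+): ")


def parse_authen_debug(text: str) -> list:
    """Group debug lines by AAA session id and follow each session's state machine."""
    sessions, order = {}, []
    for line in text.splitlines():
        t = TIME_RE.match(line)
        stamp = t.group(1) if t else None
        if m := START_RE.search(line):
            sid = m.group(1)
            sessions[sid] = {
                "id": sid, "port": m.group(2),
                "list": m.group(3) or "default",   # list='' means the default list was used
                "action": m.group(4), "service": m.group(5),
                "methods": [], "user": None, "states": [], "status": None,
                "start": stamp, "end": stamp,
            }
            order.append(sid)
            continue
        for regex, key in ((METHOD_RE, "method"), (USER_RE, "user"), (STATUS_RE, "status")):
            m = regex.search(line)
            if not m:
                continue
            sess = sessions.get(m.group(1))
            if sess is None:
                break                      # session whose START we never saw; ignore
            sess["end"] = stamp
            value = m.group(2)
            if key == "method" and value not in sess["methods"]:
                sess["methods"].append(value)
            elif key == "user" and value != "(undef)":
                sess["user"] = value
            elif key == "status":
                if not sess["states"] or sess["states"][-1] != value:
                    sess["states"].append(value)   # keep the state path, collapsing repeats
                sess["status"] = value
            break
    return [sessions[sid] for sid in order]


def failed_attempts(sessions: list) -> list:
    """Sessions whose final status is FAIL: the ones worth reporting."""
    return [s for s in sessions if s["status"] == "FAIL"]


if __name__ == "__main__":
    for s in parse_authen_debug(SAMPLE_DEBUG):
        print(s["id"], s["service"], s["user"], s["methods"], "->".join(s["states"]))
```

A session that reaches GETPASS but never PASS, or a run of FAIL results against service=ENABLE on the same port, is the pattern to watch for; the same grouping applies to the free_user and dup_user lines if you extend the expressions.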
The next output shows a successful AAA authorization:
Todd# debug aaa authorization
1:21:23: AAA/AUTHOR (0): user='Todd'
1:21:23: AAA/AUTHOR (0): send AV service=shell
1:21:23: AAA/AUTHOR (0): send AV cmd*
1:21:23: AAA/AUTHOR (342885561): Method=Local
1:21:23: AAA/AUTHOR/TAC+ (342885561): user=Todd
1:21:23: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
1:21:23: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
1:21:23: AAA/AUTHOR (342885561): Post authorization status = PASS
You can see here that the username is Todd. The second and third lines show that the attribute value (AV) pairs are authorized. The next line shows the method used for authorizing, and the final line gives you the status of the authorization.
The following is output from the debug aaa accounting command, which displays information on accountable events as they occur. Chapter 3 covers this topic more thoroughly.
Todd# debug aaa accounting
1:09:41: AAA/ACCT: EXEC acct start, line 10
1:09:52: AAA/ACCT: Connect start, line 10, glare
1:09:07: AAA/ACCT: Connection acct stop:
task_id=60 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
Remember that the protocol used to transfer the accounting information to a server is independent of the information displayed. In addition to the debug aaa accounting command, you can use the debug tacacs and debug radius commands to examine the specific protocol information. Again, Chapter 3 provides more detail on these commands.
If you are configured for AAA accounting, you can use the show accounting command to see all the active sessions and to print accounting records. It’s also useful to know that if you activate the debug aaa accounting command, the show accounting command displays additional data on the internal state of the AAA security system.
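The stop record shown above carries the fields that make charge-back (and any later investigation) possible: the port, the protocol and remote address, the byte and packet counts, and elapsed_time. The Python below is an added example, not code from the book or from Cisco: it parses the "acct stop:" records from debug aaa accounting output of the form shown above and totals the billable fields per line. The sample is constructed after the book's record; the second and third stop records are constructed so that two sessions on line 10 can be summed, and the timestamps are constructed too. The regular expressions are this example's assumptions about the line formats.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug aaa accounting output above.
# The records for task_id 61 and 62, and the timestamps, are constructed.
SAMPLE_ACCT = """\
1:09:41: AAA/ACCT: EXEC acct start, line 10
1:09:52: AAA/ACCT: Connect start, line 10, glare
1:10:07: AAA/ACCT: Connection acct stop:
task_id=60 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
1:12:30: AAA/ACCT: Connect start, line 11, glare
1:13:10: AAA/ACCT: Connection acct stop:
task_id=61 service=exec port=11 protocol=telnet address=172.31.3.80 cmd=glare bytes_in=1200 bytes_out=300 paks_in=90 paks_out=70 elapsed_time=40
1:15:00: AAA/ACCT: Connection acct stop:
task_id=62 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=100 bytes_out=50 paks_in=10 paks_out=8 elapsed_time=6
"""

# Assumed shapes: a "<time>: AAA/ACCT: <kind> acct stop:" line followed by one
# line of space-separated key=value attribute pairs.
STOP_RE = re.compile(r"^(\d+:\d+:\d+): AAA/ACCT: (\w+) acct stop:$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_acct_debug(text: str) -> list:
    """Return one dict per stop record, with numeric attribute values converted to int."""
    records, pending = [], None
    for line in text.splitlines():
        m = STOP_RE.match(line)
        if m:
            pending = {"time": m.group(1), "kind": m.group(2)}
            continue
        if pending is not None and "=" in line:
            for key, value in KV_RE.findall(line):
                pending[key] = int(value) if value.isdigit() else value
            records.append(pending)
            pending = None
    return records


def usage_by_port(records: list) -> dict:
    """Total the charge-back fields (sessions, elapsed time, bytes) per line/port."""
    totals = defaultdict(lambda: {"sessions": 0, "elapsed_time": 0, "bytes": 0})
    for r in records:
        t = totals[r["port"]]
        t["sessions"] += 1
        t["elapsed_time"] += r.get("elapsed_time", 0)
        t["bytes"] += r.get("bytes_in", 0) + r.get("bytes_out", 0)
    return dict(totals)


if __name__ == "__main__":
    recs = parse_acct_debug(SAMPLE_ACCT)
    for port, t in sorted(usage_by_port(recs).items()):
        print(f"line {port}: {t['sessions']} sessions, {t['elapsed_time']} s, {t['bytes']} bytes")
```

Because the debug stop record identifies the line rather than the user, a charge-back report has to join these totals with the EXEC start records (or the accounting server's own logs, which do carry the username) to attribute time to a person; the per-port totals are the piece this output alone can give you.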