- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting Your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What Is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary
Answers to Written Lab
1. Async, group-async BRI, and serial (PRI) are all considered packet-mode access methods.
2. TTY, VTY, AUX, and CTY are considered character-mode access methods.
3. The least secure authentication method is no username or password.
4. Token cards/soft tokens are the most secure type of authentication.
5. The aaa new-model command enables AAA globally on the NAS.
6. Authentication, authorization, and accounting are the three AAA components.
7. The authorization component controls user privileges.
8. False. Authentication servers cannot be used to authenticate users remotely.
9. The authentication component identifies users.
10. The authorization component limits a user's ability on a network.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Chapter 2: Introduction to AAA Security

Answers to Review Questions
1. B. Token cards/soft tokens are the most secure type of authentication.
2. B. The tacacs local keywords at the end of the command say to authenticate via TACACS+, and if that is not available, then use local username authentication.
3. B. To start AAA on a NAS, use the global configuration command aaa new-model.
4. C. Authentication identifies a user, including login, password, messaging, and encryption.
5. B, D. TACACS+ and RADIUS provide authentication for users.
6. B. Authorization determines what a user is permitted to do after logging on.
7. B, C. Interface bri0/0 is the incoming interface being challenged by CHAP.
8. A, B, D. As in start-stop, the radius command sends both a start and a stop accounting record to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
9. A, C, D. The output shows an AAA authentication, which makes answer D correct. The third line says it is a local method of authentication, and the fourth line says it passed (successful). The user is Todd, not a member of the group Todd.
10. A, B, F. Async, group-async BRI, and serial (PRI) are all considered packet-mode access methods. TTY, VTY, AUX, and CTY are considered character-mode access methods.
11. A, E, G. Async, group-async BRI, and serial (PRI) are all considered packet-mode access methods. TTY, VTY, AUX, and CTY are considered character-mode access methods.
12. C. CHAP protects against playback hacking (resending the packet as part of an attack) by using a hash value that is valid only for that transaction.
13. C. CHAP periodically verifies the identity of the peer using a three-way handshake. The handshake is done upon initial link establishment and may be repeated any time after the link has been established.
14. B. TACACS+ was developed by Cisco and is specifically designed to interact with Cisco's AAA services.
15. C. Kerberos was developed at MIT and was designed to provide strong security using the DES cryptographic algorithm.
16. C. One-time passwords (OTP) provide the most secure username/password authentication method. Most OTP systems are based on a secret pass-phrase, which is used to generate a list of passwords. An OTP is good only for one login and is therefore not useful to anyone who manages to eavesdrop and capture it.
17. C, D. The text after AAA/ACCT means that this is from the accounting component of AAA. protocol=telnet means that the user has gained access via the Telnet protocol.
18. C, D. The text after AAA/AUTHEN means that this is from the authentication component of AAA. Method=LOCAL means that the local line will be used for authentication.
19. A, B. The text after AAA/AUTHOR means that this is from the authorization component of AAA. The username is Todd.
20. A, B, D. The debug commands debug aaa authentication, debug aaa authorization, and debug aaa accounting can be used to help you trace AAA packets and monitor the AAA activities on the NAS.
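The AAA commands named in the answers above (aaa new-model, TACACS+ with local fallback, authorization, wait-start accounting, CHAP on bri0/0, and the three debug commands), assembled into one NAS configuration as an added example. This is not a configuration from the book; the TACACS+ server address, shared key, and local username are placeholders, and the list of commands is limited to those the answers discuss.

```text
! Added example, not from the book. Server address, key and local account
! are placeholders; replace them before use.
!
! Enable AAA globally on the NAS (written lab answer 5).
aaa new-model
!
! TACACS+ server the NAS queries (placeholder address and key).
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! Local fallback account, used only when no TACACS+ server answers.
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! Authentication: TACACS+ first, local username database if the server
! is unreachable (review question 2). Character mode (login) and packet
! mode (PPP) each get a method list.
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
!
! Authorization: what an authenticated user may do (review question 6).
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
!
! Accounting: wait-start holds the requested service until the start
! record is acknowledged; a stop record is still sent (review question 8).
aaa accounting exec default wait-start group tacacs+
aaa accounting network default wait-start group tacacs+
!
! Character-mode access path (VTY lines) uses the default login list.
line vty 0 4
 login authentication default
!
! Packet-mode access path: CHAP challenge on the incoming BRI interface
! (review question 7).
interface bri0/0
 encapsulation ppp
 ppp authentication chap
!
! Troubleshooting (review question 20). These are privileged exec
! commands, not configuration lines, so they appear here as comments:
! debug aaa authentication
! debug aaa authorization
! debug aaa accounting
```

The fallback keyword local matters for availability rather than secrecy: if the TACACS+ server is unreachable, the NAS still lets an operator in with the local account, so that account should be a strong secret and its use should stand out in the accounting records.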
Chapter 3: Configuring CiscoSecure ACS and TACACS+

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

- CiscoSecure ACS for Windows NT or Windows 2000
- Installing CiscoSecure ACS 3.0 for Windows NT or Windows 2000
- Configuring CiscoSecure ACS for Windows 2000
- Administering and troubleshooting CiscoSecure ACS for Windows NT or Windows 2000
- CiscoSecure ACS 2.3 for Unix (Solaris)
- Understanding and configuring TACACS+
- Verifying TACACS+