Administering CiscoSecure ACS (page 87)
Exercise 3.1 (continued)
It can’t get much easier than that! Did you notice that the Setup Complete screen tells you how to get into the ACS admin screen through a browser, http://127.0.0.1:2002? The 127.0.0.1 address is considered the loopback or diagnostic IP address of the local machine. You use this to verify that IP is running properly on a host. In this case, the IP address 127.0.0.1 also tells the browser that you mean “this host.”
In a minute, I’ll go through the configuration of the NAS, but first let’s take a look at the ACS configuration. (If you want, this is a great time to take a short break and digest what you’ve just done before moving on.)
Administering CiscoSecure ACS
The CS ACS web browser interface makes the administration of AAA features pretty easy. The installation places an ACS Admin icon on the desktop of the server, and when you double-click it, you end up on the ACS Administration page, as illustrated in Figure 3.2.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Chapter 3: Configuring CiscoSecure ACS and TACACS+ (page 88)
Figure 3.2: ACS administration session
Each button on the navigation bar represents a particular area or function that you can configure. You typically don’t need to configure all of the areas; nevertheless, you’ll go through them all in Exercise 3.2.
If you’re studying for the exam, you don’t have to memorize the fields in this area. Just use this information for documentation purposes.
In this exercise, you’ll go through the ACS administration process step by step in the Windows environment. Then, I’ll explain what the Unix administration is like.
Exercise 3.2: CiscoSecure ACS for Windows Administration
This exercise will provide you with step-by-step instructions on how to use the CiscoSecure Administration tool.
1. Select the User Setup button to begin configuring the CiscoSecure software. This is where you add, edit, or delete user accounts and list users in databases.
2. When you’re done setting up individual users, click the Group Setup button in the left-hand margin. The Group Setup screen allows you to create, edit, and rename groups and list all users in a group.
3. Next, the Shared Profile Components screen allows you to configure command authorization sets, which are configurable sets of authorization rules for device commands.
4. The Network Configuration button takes you to a screen where you configure and edit network access server parameters, add and delete network access servers, and configure AAA server distribution parameters.
5. In the System Configuration screen, you can start and stop CS ACS services, configure logging, control database replication, and control RDBMS synchronization.
6. The Interface Configuration button takes you to a screen where you can configure user-defined fields that will be recorded in accounting logs, configure TACACS+ and RADIUS options, and control the display of options in the user interface.
7. The Administration Control screen allows you to control the administration of CS ACS from any workstation on the network so you don’t have to run all over the building. If you think you need the exercise, don’t configure it!
8. The External User Databases button gives you access to two screens where you configure the unknown user policy, configure authorization privileges for unknown users, and configure external database types.
9. Clicking the Reports and Activity button displays the following screen:
On the Reports and Activity screen, you can view the following information:
TACACS+ Accounting Reports: These reports record when sessions stop and start, record network access server messages with usernames, provide caller line identification information, and record the duration of each session.
RADIUS Accounting Reports: These reports record when sessions stop and start, record network access server messages with usernames, provide caller line identification information, and record the duration of each session.
Failed Attempts Report: This report lists authentication and authorization failures with an indication of the cause.
List Logged-in Users: This report lists all users currently receiving services for a single network access server or all network access servers with access to CS ACS.
List Disabled Accounts: This report lists all user accounts that are currently disabled.
Admin Accounting Reports: These reports list the configuration commands entered on a TACACS+ (Cisco) network access server.
You can import these files into most database and spreadsheet applications. This information is invaluable in helping you profile potentially problematic users by monitoring unusual activity. After you see these reports often enough, you’ll spot potential bad guys in a snap. Of course, for that to happen, you or someone on your security team actually needs to review these reports on a regular basis.
I’m going to say this again: You can have top-of-the-line products and great people on your team, but if your security policies aren’t tight, your security won’t be either. If you’ve got the goods, make sure that policies are in place that guarantee the best use of the technology and personnel that you’ve invested in.
10. Lastly, the Online Documentation button provides more detailed information about the configuration, operation, and concepts of CS ACS.
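The reports described in step 9 are only useful if someone actually reviews them. The following added example (not from the book or from Cisco) shows the kind of review you can automate once the accounting and Failed Attempts reports are exported as CSV: it pairs session Start/Stop records, counts authentication failures per user, and flags off-hours logins, marathon sessions, and repeated failures. The column names and the two sample reports are constructed for illustration; real CS ACS export headers vary by version, so map them before use.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample exports. The column layout is an assumption made for this
# example; real CS ACS CSV headers differ by version, so adjust the keys below.
ACCOUNTING_CSV = """Date,Time,User-Name,NAS-IP-Address,Caller-Id,Acct-Status-Type,Acct-Session-Id
03/14/2003,08:01:10,alice,10.1.1.1,5551212,Start,0001
03/14/2003,08:45:10,alice,10.1.1.1,5551212,Stop,0001
03/14/2003,23:10:00,bob,10.1.1.1,5559999,Start,0002
03/15/2003,08:10:00,bob,10.1.1.1,5559999,Stop,0002
"""

FAILED_CSV = """Date,Time,User-Name,NAS-IP-Address,Caller-Id,Authen-Failure-Code
03/14/2003,02:00:01,bob,10.1.1.1,5559999,Invalid password
03/14/2003,02:00:05,bob,10.1.1.1,5559999,Invalid password
03/14/2003,02:00:09,bob,10.1.1.1,5559999,Invalid password
03/14/2003,02:00:13,bob,10.1.1.1,5559999,Invalid password
03/14/2003,09:30:00,carol,10.1.1.1,5550000,Invalid password
"""

def _stamp(row):
    """Combine the report's Date and Time columns into one datetime."""
    return datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")

def session_durations(text):
    """Pair Start/Stop records by session id; return seconds per (user, session)."""
    starts, durations = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["User-Name"], row["Acct-Session-Id"])
        if row["Acct-Status-Type"] == "Start":
            starts[key] = _stamp(row)
        elif key in starts:  # a Stop without a Start is ignored
            durations[key] = int((_stamp(row) - starts[key]).total_seconds())
    return durations

def flag_unusual(acct_text, failed_text, max_failures=3, max_hours=8, quiet=(22, 6)):
    """Return users worth a closer look and the reasons, sorted per user."""
    flags = defaultdict(set)
    failures = Counter(r["User-Name"] for r in csv.DictReader(io.StringIO(failed_text)))
    for user, n in failures.items():
        if n > max_failures:
            flags[user].add("repeated-failures")
    for row in csv.DictReader(io.StringIO(acct_text)):
        if row["Acct-Status-Type"] == "Start":
            hour = _stamp(row).hour  # session began inside the quiet window?
            if hour >= quiet[0] or hour < quiet[1]:
                flags[row["User-Name"]].add("off-hours-login")
    for (user, _sid), secs in session_durations(acct_text).items():
        if secs > max_hours * 3600:
            flags[user].add("long-session")
    return {u: sorted(f) for u, f in flags.items()}
```

Thresholds such as three failures or an eight-hour session are starting points; tune them to what is normal for your own NAS population before treating a flag as a finding.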
Maybe you’re not using Windows. Maybe you’ve got a Unix server set up. CiscoSecure ACS 2.3 for Unix (CSU) offers the same basic functions as CiscoSecure ACS for Windows discussed previously in Exercise 3.2:
CSU accepts user access requests from an NAS using TACACS+ or RADIUS.
CSU can be used as a centralized database for AAA, working with NASs from a variety of vendors.
CSU has a web-based administration tool.
CSU offers relational database support for three databases: Sybase, Oracle, and SQL Anywhere (included).