Key Terms 105
Exam Essentials
Remember the ways to get user information onto the CiscoSecure User Database. There are three ways to populate the CiscoSecure User Database: manually, through the Database Replication utility, and through the Database Import utility.
Know how to access the CS ACS web-based administration utility. To bring up the web-based administration tool using a web browser, go to the IP address of the CS ACS server, port 2002.
Remember which third-party user databases CS ACS supports. CiscoSecure ACS supports Microsoft Windows NT, Novell NDS, Directory Services, MCIS LDAP, and ODBC databases.
Remember which relational databases CSU supports. CSU (CiscoSecure ACS 2.3 for Unix) supports Sybase, Oracle, and SQL Anywhere databases.
Know the advantages of TACACS+ over RADIUS. TACACS+ encrypts the entire packet body, whereas RADIUS encrypts only the password; TACACS+ uses TCP rather than UDP; and TACACS+ treats authentication, authorization, and accounting as three separate functions, whereas RADIUS combines authentication and authorization.
Understand how to set an encryption key on the NAS. To set the encryption key on a TACACS+ server, use the following commands:
Todd(config)#tacacs-server host 192.168.254.253
Todd(config)#tacacs-server key d$y!tR%e
The tacacs-server host hostname | ip address command specifies the IP address or the host name of the remote TACACS+ server host. The tacacs-server key key command specifies a shared secret text string used between the access server and the TACACS+ server. You can use the same commands for a RADIUS server; just exchange the keyword tacacs-server for radius-server.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- access control server (ACS)
- CiscoSecure ACS 2.3 for Unix (CSU)
- CiscoSecure ACS 3.0 for Windows NT or Windows 2000
- CiscoSecure User Database
- CSAccupdate service
- token-card servers
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
106 Chapter 3 Configuring CiscoSecure ACS and TACACS+
Commands Used in This Chapter
Here is the list of commands used in this chapter:
| Command | Meaning |
|---|---|
| `(config)#username name password password` | Creates users on the NAS. |
| `(config)#line con 0` | Chooses the console line. |
| `(config-line)#login local` | Tells the router to look in the local username database for user authentication. |
| `(config)#aaa new-model` | Globally enables the AAA process on the NAS. |
| `(config)#aaa authentication login default tacacs+` | Sets AAA authentication at login using the default list against the TACACS+ server. |
| `(config)#aaa authentication ppp default tacacs+` | Sets the AAA authentication for PPP to use a TACACS+ server. |
| `(config)#aaa authorization exec tacacs+` | Sets AAA authorization to determine if the user is allowed to run an EXEC shell on the NAS against the TACACS+ database. |
| `(config)#aaa authorization network tacacs+` | Sets AAA authorization for all network-related requests, including SLIP, PPP, PPP NCP, and ARA protocols, against the TACACS+ database. |
| `(config)#aaa accounting network start-stop tacacs+` | Sets AAA accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARA protocols, to record the start and stop times of the session against the TACACS+ database. |
| `(config)#aaa accounting exec start-stop tacacs+` | Sets AAA accounting for EXEC processes on the NAS to record the start and stop times of the session against the TACACS+ database. |
| `(config)#tacacs-server host ip_address single` | Specifies the CS ACS server that will provide AAA services for the NAS. |
| `(config)#tacacs-server key key` | Configures the encryption key that is used to encrypt the data transfer between the NAS and the CS ACS server. |
| `(config)#aaa authentication login no_tacacs enable` | Sets AAA authentication at login to use the enable password for authentication. |
| `(config-line)#login authentication no_tacacs` | Specifies that the named AAA authentication list no_tacacs is to be used on the console. |
| `(config)#aaa accounting network wait-start radius` | Sends both a start and a stop accounting record to the RADIUS accounting server. The requested service cannot start until the acknowledgment has been received from the RADIUS server. |
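The key-setting commands from Exam Essentials and the commands in the table above, assembled into one working NAS configuration as an added example (not from the book). The server address and key are the chapter's own values; the `admin` username and its password are constructed, and the method keywords follow the book's `tacacs+` syntax with the `default` list named explicitly.

```cisco
! Added example, not from the book: the chapter's AAA commands assembled into
! one NAS configuration. The username and its password are constructed values.
!
! A local account so the router stays reachable if the ACS is unreachable.
username admin password C0nstructedPw
!
aaa new-model
!
! Default login list: ask the TACACS+ server first, then fall back to the local
! username database. Ending the list with "none" instead would let anyone log in
! whenever the server does not answer.
aaa authentication login default tacacs+ local
aaa authentication ppp default tacacs+
!
! Console-only list: the enable password, so an unreachable ACS can never lock
! an administrator out of the console.
aaa authentication login no_tacacs enable
!
aaa authorization exec default tacacs+
aaa authorization network default tacacs+
!
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
!
! The ACS server and the shared secret that encrypts the TACACS+ packet body.
! The key must match the one entered for this NAS on the ACS.
tacacs-server host 192.168.254.253
tacacs-server key d$y!tR%e
!
line con 0
 login authentication no_tacacs
```

The vty lines need no `login authentication` statement because the `default` list applies to every line that does not name another list.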
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1. True or False: The authentication methods supported by CiscoSecure 3.0 include Windows NT/2000, Novell Directory Services (NDS), and ACS Databases.
2. True or False: CS ACS supports the following token-card servers from CiscoSecure 3.0: Windows NT/2000, Novell Directory Services (NDS), and ACS Databases.
3. True or False: In the command aaa authentication login default tacacs+ none, the none keyword at the end means that if the TACACS+ process is unavailable, no login is required.
4. What are the three relational databases that CSU supports?
5. The CS ACS web server listens on TCP port 2002. What is the URL for the default CS ACS web server?
6. What command sets AAA accounting for all network-related service requests, including PPP, and records the start and stop times of the session against the TACACS+ database?
7. TACACS+ uses _____ as a transport protocol and RADIUS uses _____ as a transport protocol.
8. What command sets the AAA accounting for EXEC processes on the NAS to record the start and stop times of the session against the TACACS+ database?
9. Which service is used to process the ODBC import tables and updates the local and remote CiscoSecure ACS installations?
10. You must have an IOS of _____ or greater on the NAS to support CiscoSecure ACS 3.0.
Review Questions
1. CiscoSecure ACS 3.0 for Windows NT or Windows 2000 supports which of the following authentication methods? (Choose all that apply.)
   A. Novell Directory Services (NDS)
   B. Banyan StreetTalk
   C. DNS
   D. POP
   E. ODBC
   F. DS
2. Which of the following token-card servers can be used with CS ACS 3.0? (Choose all that apply.)
   A. Microsoft
   B. AXENT Defender
   C. CRYPTOCard
   D. Novell NDS
   E. ODBC
3. Which of the following are true with regard to the following command? (Choose all that apply.)
   Router(config)#aaa authentication login default tacacs+ none
   A. No authentication is required to log in.
   B. TACACS+ is the default login method for all authentication.
   C. If the TACACS+ process is unavailable, no access is permitted.
   D. RADIUS is the default login method for all authentication.
   E. If the TACACS+ process is unavailable, no login is required.
   F. If the RADIUS process is unavailable, no login is required.
4. CiscoSecure ACS for Unix (CSU) supports which of the following relational databases? (Choose all that apply.)
   A. Sybase
   B. Informix
   C. PIX
   D. Oracle
   E. SQL Anywhere
5. You have just finished installing CS ACS and are on the console of the server where you installed the package. Which of the following URLs allow you to access the web-based administration tool to configure CS ACS?
   A. http://127.0.0.1
   B. http://127.0.0.1:2002
   C. http://127.0.0.1/80
   D. http://127.0.0.1:80
6. Which of the following is true regarding the following command? (Choose all that apply.)
   Router(config)#aaa account network wait-start radius
   A. The accounting records are stored on a TACACS+ server.
   B. Stop accounting records for network service requests are sent to the TACACS+ server.
   C. The accounting records are stored on a RADIUS server.
   D. Start accounting records for network service requests are sent to the local database.
   E. Stop accounting records for network service requests are sent to the RADIUS server.
   F. The requested service cannot start until the acknowledgment has been received from the RADIUS server.
7. Which of the following statements are true regarding this debug output? (Choose all that apply.)
   16:43:35: TAC+: Receiving TCP/IP packet number 415842422-6 from192.168.254.253/24
   16:43:35: TAC+: (415842422): received authen response status =FAIL
   16:43:35: TAC+: Closing TCP/IP connection to 192.168.254.10
   A. The request used the RADIUS protocol.
   B. The authentication completed.
   C. The authentication failed.
   D. The request used the TACACS+ protocol.
   E. The address of the NAS was 192.168.254.10.
   F. The debug tacacs command was used.
8. Which command would you use to cause a start accounting record for PPP to be sent to a TACACS+ server?
   A. aaa authentication pppstart tacacs+
   B. aaa authorization exec default tacacs+
   C. aaa authorization network default tacacs+
   D. aaa accounting network default stop-only tacacs+
   E. aaa accounting network default start-stop tacacs+
9. Which of these statements are true about the following debug output? (Choose all that apply.)
   05:06:00: AAA/AUTHEN (3168314283): status = GETPASS
   05:06:00: AAA/AUTHEN/CONT (3168314283): Method=ENABLE
   05:06:00: AAA/AUTHEN (3168314283): status = PASS
   A. The request used the RADIUS protocol.
   B. The authentication completed.
   C. The authentication failed.
   D. The request used the TACACS+ protocol.
   E. The debug tacacs command was used.
   F. The debug aaa authentication command was used.
10. Which of the following is the recommended security database protocol for use between the NAS and ACS?
   A. RADIUS
   B. Kerberos
   C. PPP
   D. TACACS+
11. What does the following command provide?
   Router(config)#aaa accounting exec start-stop tacacs+
   A. It allows the executive users group to use a TACACS+ server for local authentication.
   B. It documents the start and stop of a session. Audit information is sent in the background, and TACACS+ is enabled.
   C. It allows the administration group to use a TACACS+ server for local authentication.
   D. It deletes the start and stop of a session information from the TACACS+ server.
12. Which of these statements are true regarding the following command? (Choose all that apply.)
   Router(config)#aaa authentication login default tacacs+
   A. No authentication is required to log in.
   B. TACACS is the default login method for all authentication.
   C. If the TACACS process is unavailable, no access is permitted.
   D. RADIUS is the default login method for all authentication.
   E. If the TACACS process is unavailable, no login is required.
   F. If the RADIUS process is unavailable, no login is required.
13. You want to import ODBC tables and update local and remote CiscoSecure ACS installations. What service will you use?
   A. CSAdmin
   B. CSAimporter
   C. CSAccupdate
   D. CSACSupdate
14. What does the following command provide?
   Router(config)#tacacs-server key key
   A. It specifies a shared secret text string used between the access server and the RADIUS server.
   B. It specifies a shared secret text string used between the access server and the local ACS server database.
   C. It specifies a shared secret text string used between the access server and the TACACS+ server.
   D. It specifies an open secret text string used between the access server and the TACACS+ server.
15. Which of the following commands is used to start the AAA process on the NAS?
   A. aaa newmodel
   B. aaa new-model
   C. aaa new model
   D. aaa open
   E. aaa config
16. Which external databases are supported by CiscoSecure ACS for Windows? (Choose all that apply.)
   A. NetWare NDS
   B. Oracle
   C. Windows NT/2000
   D. Token Server
   E. SQL-Linux
   F. AAA
17. You are installing ACS 3.0. What version of IOS must be installed on the NAS?
   A. 11.0 or greater
   B. 11.1 or greater
   C. 12.0 or greater
   D. 12.2 or greater
18. Which of the following are valid types of authentication supported by CiscoSecure ACS 3.0.1? (Choose all that apply.)
   A. LEAP
   B. EAP-MD5
   C. HDLC
   D. EAP-TLS
   E. DH-1
   F. AAA
19. Which command do you use to set the key for RADIUS communications between a router and the AAA server?
   A. radius-server host ip_address
   B. radius server host ip_address
   C. radius-server key key
   D. radius server key key
20. Which of the following statements regarding the CiscoSecure ACS are true? (Choose all that apply.)
   A. Multiple NAS devices can access a single CiscoSecure ACS 3.0 for Windows.
   B. The CiscoSecure ACS for Windows server can only log on to external servers.
   C. The CiscoSecure ACS for Windows server supports only TACACS+.
   D. Database replication is supported by the CiscoSecure ACS for Windows server.
   E. The service used for authentication and authorization on a CiscoSecure ACS for Windows server is called CSAdmin.
   F. The CiscoSecure ACS for Windows servers uses the CSDBsynch service to manage the user and group accounts.