Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Answers to Written Lab

1. True. The authentication methods supported by CiscoSecure 3.0 include Windows NT/2000, Novell Directory Services (NDS), and ACS Databases.

2. False. CS ACS supports token-card servers from CRYPTOCard, ActivCard, Vasco, RSA ACE/Server, Secure Computing SafeWord, and AXENT Defender.

3. True. The none keyword in the command aaa authentication login default tacacs+ none means that if the TACACS+ process is unavailable, no login is required.

4. Sybase, Oracle, and SQL Anywhere are the three relational databases supported by CSU.

5. http://127.0.0.1:2002 is the URL for the default CS ACS web server.

6. To set AAA accounting for all network-related service requests, including PPP, and record the start and stop times of the session against the TACACS+ database, use the command aaa accounting network default start-stop tacacs+.

7. TACACS+ uses TCP as a transport protocol, and RADIUS uses UDP as a transport protocol.

8. The command aaa accounting exec start-stop tacacs+ sets the AAA accounting for EXEC processes on the NAS to record the start and stop times of the session against the TACACS+ database.

9. The CSAccupdate service processes the ODBC import tables and updates the local and remote CiscoSecure ACS installations.

10. An IOS of 11.1 or greater on the NAS is required to support CiscoSecure ACS 3.0.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Chapter 3 Configuring CiscoSecure ACS and TACACS+

Answers to Review Questions

1. A, E, F. The authentication methods supported by CiscoSecure 3.0 include Windows NT/2000, Novell Directory Services (NDS), Directory Services (DS), Token Server, ACS Databases, Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP), and Open Database Connectivity (ODBC).

2. B, C. CS ACS supports token-card servers from CRYPTOCard, ActivCard, Vasco, RSA ACE/Server, Secure Computing SafeWord, and AXENT Defender.

3. B, E. This command specifies to use the default list against the TACACS+ server and specifies that TACACS+ is the default login method for all authentications. The none keyword at the end means that if the TACACS+ process is unavailable, no login is required.

4. A, D, E. CSU supports three relational databases: Sybase, Oracle, and SQL Anywhere.

5. B. The CS ACS web server listens on TCP port 2002. The URL listed in option B is the correct syntax to access this service, assuming you are on the console of the machine running CSNT!

6. C, E, F. As when using the start-stop keyword, this command sends both a start and a stop accounting record to the accounting server, a RADIUS server in this example. If you use the wait-start keyword, the requested service cannot start until the acknowledgment has been received from the RADIUS server. A stop accounting record for network service requests is sent to the RADIUS server.

7. C, D, F. The output of this question is from the debug tacacs command and shows that the TACACS+ server at 192.168.254.253 rejected the authentication request.

8. E. The command aaa accounting network default start-stop tacacs+ sets AAA accounting for all network-related service requests, including PPP, and records the start and stop times of the session against the TACACS+ database.

9. B, F. The debug output used in this question was output from the debug aaa authentication command. The authentication passed.

10. D. Cisco recommends the use of TACACS+ wherever possible.

11. B. The start-stop keyword keeps audit information in the background for authentication without delay using a TACACS+ server.

12. B, C. This command specifies to use the default list against the TACACS+ server and specifies that TACACS+ is the default login method for all authentications. Because the none keyword is not at the end of the command, this means that if the TACACS+ process is unavailable, no access will be permitted.

13. C. The CSAccupdate service processes the ODBC import tables and updates local and remote CiscoSecure ACS installations.


14. C. The tacacs-server key key command specifies a shared secret text string used between the access server and the TACACS+ server. The access server and the TACACS+ server use this text string to encrypt passwords and exchange responses.

15. B. To globally enable AAA on the NAS, use the global configuration command aaa new-model.

16. A, C, D. The external databases supported by CiscoSecure ACS 3.0 are LEAP Proxy RADIUS server, Windows NT/2000, NetWare NDS, LDAP, external ODBC Database, and many token servers: RADIUS, Vasco, ActivCard, AXENT Defender, CryptoCard, SafeWord, and RSA SecurID.

17. B. The NAS should be running IOS version 11.1 or greater to be able to communicate correctly with ACS 3.0.

18. A, B, D. ACS 3.0 supports the following authentication types: ASCII/PAP, CHAP, MS-CHAP, LEAP, EAP-CHAP, EAP-TLS, EAP-MD5, and ARAP.

19. C. The global configuration command radius-server key key is used to set the RADIUS key between the NAS and AAA server.

20. A, D, F. The CiscoSecure ACS 3.0 server allows multiple NAS devices to communicate and authenticate, which is a significant advantage. The ACS server provides database replication, and the CSDBsynch service is used to manage user and group accounts.
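The answers above touch the individual AAA commands one at a time (aaa new-model, tacacs-server key, the login method list with and without none, and the exec and network accounting lists). The following NAS configuration is an added example written for this edit, not a configuration from the book, that puts them together and shows the point answers 3 and 12 are making: a method list ending in none is fail-open, while one ending in local is fail-closed when the TACACS+ server cannot be reached. The server address, shared secret and local password are placeholders. The book's answers use the older IOS spelling tacacs+ in method lists; later IOS releases name the server group as group tacacs+, which is the form used here.

```cisco
! Constructed example: a NAS doing AAA against one TACACS+ server.
! 192.0.2.10 and the two PLACEHOLDER strings are not values from the book.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-shared-secret
!
! Local account used only when no TACACS+ server answers.
username admin privilege 15 secret PLACEHOLDER-local-password
!
! Fail-open list (answer 3): a method list falls through to the next method
! only when a method returns an error, i.e. the server is unreachable, not
! when the server rejects the user. With "none" last, an unreachable server
! means the login succeeds with no authentication at all.
aaa authentication login FAILOPEN group tacacs+ none
!
! Fail-closed list (answer 12, plus a local fallback): an unreachable server
! falls through to the local user database instead of to nothing.
aaa authentication login FAILCLOSED group tacacs+ local
!
! Bind the fail-closed list to the VTY lines. A list named "default"
! would apply to every line that has no explicit binding.
line vty 0 4
 login authentication FAILCLOSED
!
! Accounting (answers 6 and 8): start and stop records for EXEC shells and
! for network services such as PPP, sent to the TACACS+ server.
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
```

When testing a change like this, keep the console session open and verify from a second session, since a mistake in the method list can lock you out; debug aaa authentication and debug tacacs, the commands whose output answers 7 and 9 interpret, show which method each login attempt actually used and whether the server accepted, rejected, or never answered.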


Chapter 4 Cisco Perimeter Router Problems and Solutions

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

Identifying perimeter security problems and implementing solutions

Identifying and overcoming eavesdropping and session replay

Identifying and solving unauthorized access, data manipulation, and malicious destruction problems

Solving lack of legal IP address problems

Defending against rerouting attacks

Defending against denial-of-service attacks


By definition, perimeter routers are really the boundary between your network and someone else’s network—or pretty much everyone else’s networks if you’re talking about the Internet. This makes perimeter routers your first line of defense. If your perimeter router can prevent any nasty things from getting through in the first place, you clearly won’t have to deal with them later.

As I’m sure you can imagine, Internet access into the perimeter router in your network exposes you to some serious security risks. But the Cisco IOS Firewall software is really a very powerful defense. It equips you with some effective security and firewall features that are needed to guard against increasingly sophisticated attacks. Even better, Cisco is working constantly to improve and enhance these features and to develop new ones.

Cisco perimeter routers provide you with your first line of defense for Internet connections. They also define the de-militarized zone (DMZ) and are used to protect the bastion hosts residing there. You can also use perimeter routers to prevent the Private Internet eXchange (PIX) from being vulnerable to a direct attack. They can even provide an alarm system for you if anyone does try to break into your network via a perimeter router.

I’ve listed five different types of attacks you’ll experience that can and do seriously compromise your network security. Unfortunately, it seems these attacks are occurring more and more frequently with each passing day. If your defenses aren’t in order to prevent their success, your network—and probably your job—can be in serious trouble for sure! Consider each of the following problems when you configure your Cisco perimeter router(s). And don’t stop there—understand the solutions for them, too.

Eavesdropping and session replay

Unauthorized access, data manipulation, and malicious destruction

Lack of legal IP addresses

Rerouting attacks

Denial-of-service (DoS) attacks

Some of these attacks should be familiar to you because we talked about them in Chapter 1, “Introduction to Network Security.” But this chapter will look at them again in more detail and explain how you can use the Cisco IOS Firewall to solve these problems.

Okay, let’s move on now and look at specific problems and solutions.
