Turning Off and Configuring Network Services
Turning Off the X.25 PAD Service
Packet assembler/disassembler (PAD) connects asynchronous devices such as terminals, IC-card readers, and computers to public/private X.25 networks. Since every computer in the world is pretty much IP savvy, and X.25 has gone the way of the dodo bird, there is no reason to leave this service running. Use the following command to disable the PAD service:
Lab_B(config)#no service pad
Enabling the Nagle TCP Congestion Algorithm
The Nagle TCP congestion algorithm is useful for small-packet congestion, but if you’re using a higher setting than the default MTU of 1500 bytes, it can create an above-average traffic load. To enable this service, use the following command:
Lab_B(config)#service nagle
It is important to understand that the Nagle congestion service can break X Window connections to an X server, so don’t use it if you’re running X Window clients through the router.
Logging Every Event
Using the Cisco ACS server as a syslog server lets the router log events that you can verify later. Use the logging trap debugging command and the logging ip_address command to turn this feature on:
Lab_B(config)#logging trap debugging
Lab_B(config)#logging 192.168.254.251
Lab_B(config)#exit
Lab_B#sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 15 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level debugging, 19 message lines logged
Logging to 192.168.254.251, 1 message lines logged
The show logging command provides you with statistics of the log on the router.
Disabling Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) does just that—it’s a Cisco proprietary protocol that discovers Cisco devices on the network. But because it’s a Data Link–layer protocol, it can’t find Cisco devices on the other side of a router. Plus, by default, Cisco switches don’t forward CDP packets, so you can’t see Cisco devices attached to any other port on a switch.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Chapter 4: Cisco Perimeter Router Problems and Solutions
When you are bringing up your network for the first time, CDP can be a really helpful protocol for verifying your network. But because you’re going to be thorough and document your network, you don’t need CDP after that. And because CDP discovers Cisco routers and switches on your network (and advertises details about yours to any neighbor that listens), you should disable it. You do that in global configuration mode, which turns off CDP completely for your router or switch:
Lab_B(config)#no cdp run
Or you can turn off CDP on each individual interface using the following command:
Lab_B(config-if)#no cdp enable
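The four hardening items above (no service pad, service nagle, syslog to the ACS host, and CDP off globally or per interface) are easy to forget on one router out of many. The following Python script is an added example, not code from the book or from Cisco: it audits a saved running-config for those settings and reports what is still left on. It assumes the usual running-config layout (interface sub-commands indented by one space) and that IOS prints a default-on service such as PAD only once it has been turned off, so the presence of no service pad means PAD is disabled. The sample configuration embedded below is constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample running-config for the perimeter router Lab_B (not taken
# from the book): PAD is off, Nagle is on, syslog goes to the ACS host, and
# CDP has been disabled only on Serial0/0.
SAMPLE_CONFIG = """\
!
hostname Lab_B
!
no service pad
service nagle
!
logging trap debugging
logging 192.168.254.251
!
interface FastEthernet0/0
 ip address 192.168.254.1 255.255.255.0
 ip helper-address 192.168.254.251
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 no cdp enable
!
"""

# 'logging <ip>' (older syntax, as in the chapter) or 'logging host <ip>'
LOGGING_HOST = re.compile(r"^logging (?:host )?(\d{1,3}(?:\.\d{1,3}){3})$")
LOGGING_TRAP = re.compile(r"^logging trap (\S+)$")


@dataclass
class AuditResult:
    pad_disabled: bool = False
    nagle_enabled: bool = False
    cdp_global_disabled: bool = False
    cdp_enabled_interfaces: List[str] = field(default_factory=list)
    logging_hosts: List[str] = field(default_factory=list)
    trap_level: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def audit_ios_config(config_text: str) -> AuditResult:
    """Check a running-config for the hardening items covered in this section.

    Assumption: IOS shows a default-on service only when it has been turned
    off, so 'no service pad' present means PAD is disabled and its absence
    means PAD is still running.
    """
    result = AuditResult()
    interfaces: List[str] = []          # interface names in config order
    cdp_off = set()                     # interfaces carrying 'no cdp enable'
    current: Optional[str] = None       # interface whose sub-commands we are in

    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            # Indented line: an interface sub-command
            if current is not None and raw.strip() == "no cdp enable":
                cdp_off.add(current)
            continue
        line = raw.strip()
        current = None                  # any top-level line ends interface mode
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces.append(current)
        elif line == "no service pad":
            result.pad_disabled = True
        elif line == "service nagle":
            result.nagle_enabled = True
        elif line == "no cdp run":
            result.cdp_global_disabled = True
        else:
            host = LOGGING_HOST.match(line)
            trap = LOGGING_TRAP.match(line)
            if host:
                result.logging_hosts.append(host.group(1))
            elif trap:
                result.trap_level = trap.group(1)

    # 'no cdp run' overrides the per-interface state, so only list interfaces
    # when CDP is still running globally.
    if not result.cdp_global_disabled:
        result.cdp_enabled_interfaces = [i for i in interfaces if i not in cdp_off]

    if not result.pad_disabled:
        result.findings.append("X.25 PAD service still enabled: add 'no service pad'")
    if result.nagle_enabled:
        result.findings.append("service nagle is on: it can break X Window sessions")
    if result.cdp_enabled_interfaces:
        result.findings.append("CDP still enabled on " + ", ".join(result.cdp_enabled_interfaces)
                               + ": use 'no cdp run' or per-interface 'no cdp enable'")
    if not result.logging_hosts:
        result.findings.append("no syslog host: add 'logging trap debugging' and 'logging <ip>'")
    return result


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG).findings:
        print("FINDING:", finding)
```

Run against the sample, the script reports two findings: Nagle is on, and CDP is still running on FastEthernet0/0 because only Serial0/0 carries no cdp enable. Appending no cdp run to the same config clears the CDP finding, which is why the global command is the simpler fix on a perimeter router.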
Disabling the Default Forwarded UDP Protocols
When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers:
Lab_B(config)#interface f0/0
Lab_B(config-if)#ip helper-address 192.168.254.251
You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BOOTP server request), it forwards seven other ports as well. To disable the unused ports, use the following commands:
Lab_B(config)#no ip forward-protocol udp 69
Lab_B(config)#no ip forward-protocol udp 53
Lab_B(config)#no ip forward-protocol udp 37
Lab_B(config)#no ip forward-protocol udp 137
Lab_B(config)#no ip forward-protocol udp 138
Lab_B(config)#no ip forward-protocol udp 68
Lab_B(config)#no ip forward-protocol udp 49
Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port, say TACACS+, use the following command:
Lab_B(config)#ip forward-protocol udp 49
Here’s a list of available ports that you can opt to forward from the router, as well as the ports that are forwarded by default if you use the ip helper-address command:
| Port or Protocol | Meaning | On by Default |
| --- | --- | --- |
| <0–65535> | Port number (create your own) | |
| biff | Biff (mail notification, comsat, 512) | |
| bootpc | Bootstrap Protocol (BOOTP) client (68) | X |
| bootps | Bootstrap Protocol (BOOTP) server (67) | X |
| discard | Discard (9) | |
| dnsix | DNSIX security protocol auditing (195) | |
| domain | Domain Name Service (DNS) (53) | X |
| echo | Echo (7) | |
| isakmp | Internet Security Association and Key Management Protocol (500) | |
| mobile-ip | Mobile IP registration (434) | |
| nameserver | IEN116 name service (obsolete, 42) | |
| netbios-dgm | NetBios datagram service (138) | X |
| netbios-ns | NetBios name service (137) | X |
| netbios-ss | NetBios session service (139) | |
| ntp | Network Time Protocol (123) | |
| pim-auto-rp | PIM Auto-RP (496) | |
| rip | Routing Information Protocol (router, in.routed, 520) | |
| snmp | Simple Network Management Protocol (SNMP) (161) | |
| snmptrap | SNMP traps (162) | |
| sunrpc | Sun Remote Procedure Call (111) | |
| syslog | System Logger (514) | |
| tacacs | TAC access control system (49) | X |
| talk | Talk (517) | |
| tftp | Trivial File Transfer Protocol (TFTP) (69) | X |
| time | Time (37) | X |
| who | Who service (rwho, 513) | |
| xdmcp | X Display Manager Control Protocol (177) | |
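Because ip helper-address silently turns on eight forwarded ports, and each no ip forward-protocol udp line removes only one, it helps to compute the set that is actually still forwarded from the config rather than trusting memory. The Python script below is an added example, not code from the book or from Cisco: it encodes the table above (the X column becomes the default set), applies every ip forward-protocol udp / no ip forward-protocol udp line in order, accepting either a port number or one of the table's names, and reports which interfaces carry a helper address. The sample configuration is constructed from the commands shown in this section; it assumes the standard running-config layout with interface sub-commands indented by one space.

```python
import re
from typing import Dict, List, Set, Tuple

# Port names accepted by 'ip forward-protocol udp', taken from the table in
# this section; the eight ports marked X there form the default set that
# 'ip helper-address' forwards.
UDP_PORT_NAMES: Dict[str, int] = {
    "biff": 512, "bootpc": 68, "bootps": 67, "discard": 9, "dnsix": 195,
    "domain": 53, "echo": 7, "isakmp": 500, "mobile-ip": 434, "nameserver": 42,
    "netbios-dgm": 138, "netbios-ns": 137, "netbios-ss": 139, "ntp": 123,
    "pim-auto-rp": 496, "rip": 520, "snmp": 161, "snmptrap": 162, "sunrpc": 111,
    "syslog": 514, "tacacs": 49, "talk": 517, "tftp": 69, "time": 37,
    "who": 513, "xdmcp": 177,
}
DEFAULT_FORWARDED: Set[int] = {69, 53, 37, 137, 138, 67, 68, 49}

FORWARD_LINE = re.compile(r"^(no )?ip forward-protocol udp (\S+)$")

# Constructed sample running-config built from the commands in this section:
# a helper address on FastEthernet0/0, the seven default ports removed, and
# TACACS+ (49) re-enabled afterwards.
SAMPLE_CONFIG = """\
!
hostname Lab_B
!
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 68
no ip forward-protocol udp 49
ip forward-protocol udp 49
!
interface FastEthernet0/0
 ip address 192.168.254.1 255.255.255.0
 ip helper-address 192.168.254.251
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
!
"""


def resolve_udp_port(token: str) -> int:
    """Turn the argument of 'ip forward-protocol udp' into a port number."""
    if token.isdigit():
        port = int(token)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {token}")
        return port
    if token in UDP_PORT_NAMES:
        return UDP_PORT_NAMES[token]
    raise ValueError(f"unknown UDP port name: {token}")


def effective_forwarded_ports(config_text: str) -> Tuple[List[int], List[str]]:
    """Return (sorted ports still forwarded, interfaces with ip helper-address)."""
    enabled = set(DEFAULT_FORWARDED)     # start from the implicit defaults
    helper_interfaces: List[str] = []
    current = None                       # interface whose sub-commands we are in
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):
            if current and line.startswith("ip helper-address "):
                helper_interfaces.append(current)
            continue
        current = line[len("interface "):] if line.startswith("interface ") else None
        m = FORWARD_LINE.match(line)
        if m:
            port = resolve_udp_port(m.group(2))
            if m.group(1):               # 'no ...' removes the port
                enabled.discard(port)
            else:
                enabled.add(port)
    return sorted(enabled), helper_interfaces


def describe_ports(ports: List[int]) -> List[str]:
    """Label each port with its table name (or 'custom' for a bare number)."""
    names = {v: k for k, v in UDP_PORT_NAMES.items()}
    return [f"{names.get(p, 'custom')} ({p})" for p in ports]


if __name__ == "__main__":
    ports, ifaces = effective_forwarded_ports(SAMPLE_CONFIG)
    print("helper-address on:", ", ".join(ifaces) or "none")
    print("still forwarded:", ", ".join(describe_ports(ports)))
```

On the sample config only bootps (67) and tacacs (49) remain, which matches the section's intent: DHCP requests still reach the server, TACACS+ is forwarded on purpose, and TFTP, DNS, Time and the NetBIOS ports are no longer relayed. The same function also handles configs that remove defaults by name (for example no ip forward-protocol udp tftp), since IOS accepts either form.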