- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary
Chapter 4: Cisco Perimeter Router Problems and Solutions
Summary
You’re now familiar with the Cisco IOS Firewall software and some of its features, and you’re aware of the dangers lurking at the perimeter of your network. You also learned about ways to keep your network and its data safe using features built into the Cisco IOS Firewall.
By matching each problem with a specific solution, you’re now equipped with strategies that you can use against those attacks. Remember that the solution for eavesdropping and session replay is using encryption schemes such as IPSec. To stop unauthorized users from accessing your network, some simple access control lists work just fine. To provide relief from an IP address shortage, use NAT on the perimeter router to conserve subnets. The best solution for rerouting attacks is to configure MD5 authentication on your router. And finally, the solution for DoS attacks is to use the TCP Intercept feature.
If you brilliantly configure these features at the perimeter of your network, you’re good and safe to go. And a router running the Cisco IOS Firewall software can do all of this for you.
Exam Essentials
Know the solution to eavesdropping. To prevent eavesdropping, use IPSec encryption.
Know the commands to stop a chargen attack. The following two commands can stop a chargen attack:
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
Know how to prevent unauthorized access, data manipulation, and malicious destruction. To prevent certain inbound and outbound packets, use ACLs.
Know the solution to the lack of legal IP addresses problem. If you do not have enough legal IP addresses, use NAT and PAT.
Know how to prevent rerouting attacks. To secure your network against rerouting attacks, enable MD5 authentication.
Know how to prevent DoS attacks. To prevent DoS attacks, enable TCP Intercept.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- Cisco IOS Firewall
- perimeter routers
- denial-of-service (DoS) attacks
- rerouting attack
- eavesdropping
- session replay
- encryption
- SYN flood attack
- IPSec
- TCP Intercept
- MD5 authentication
Commands Used in This Chapter
Here is the list of commands used in this chapter:

| Command | Meaning |
|---|---|
| `(config)#access-list number deny udp any any eq snmp` | Denies SNMP packets with an access list. |
| `(config-if)#ip access-group 110 in` | Applies the specified access list inbound on the interface. |
| `(config)#no service tcp-small-servers` | Disables the default TCP diagnostic services. |
| `(config)#no service udp-small-servers` | Disables the default UDP diagnostic services. |
| `(config)#no service finger` | Disables the Finger service. |
| `(config)#no ip bootp server` | Disables the BOOTP server service. |
| `(config)#no service config` | Disables the auto-config feature on a router. |
| `(config)#no ip http server` | Disables the HTTP service. |
| `(config)#no ip source-route` | Disables source-routed packets. |
| `(config-if)#no ip proxy-arp` | Disables proxy ARP on an interface. |
| `(config-if)#no ip redirects` | Disables IP redirects on an interface. |
| `(config-if)#no ip unreachables` | Disables IP unreachable messages from being sent out an interface. |
| `(config-if)#no ip mroute-cache` | Disables the multicast route cache. |
| `(config-if)#no mop enabled` | Disables the DECnet MOP service. |
| `(config)#no service pad` | Disables the X.25 PAD service. |
| `(config)#service nagle` | Enables the Nagle service. |
| `(config)#logging trap debugging` | Sets the level of messages (here, debugging) sent to the syslog server. |
| `(config)#logging ip_address` | Logs messages to the specified syslog server. |
| `show logging` | Shows the logging settings and the messages buffered in router memory. |
| `(config)#no cdp run` | Disables CDP on a Cisco device. |
| `(config-if)#no cdp enable` | Disables CDP on a Cisco device interface. |
| `(config-if)#ip helper-address ip_address` | Forwards UDP packets to the specified IP address. |
| `(config)#no ip forward-protocol udp port` | Disables forwarding of a specific UDP port. |
| `(config)#ip forward-protocol udp port` | Forwards the specified UDP port. |
| `(config)#access-list number deny ip ip_address wildcard any` | Denies the specified source address to any destination. |
| `(config)#access-list 110 deny tcp any any established` | Sets up TCP Established on a router. |
| `(config)#access-list 110 permit tcp any any` | Permits all TCP packets. |
| `(config)#router eigrp AS` | Chooses the specified EIGRP process. |
| `(config-router)#network network_number` | Configures EIGRP to advertise the specified network. |
| `(config-if)#ip authentication mode eigrp AS md5` | Enables MD5 authentication of IP EIGRP packets. |
| `(config-if)#ip authentication key-chain eigrp AS key_name` | Specifies the key chain used to authenticate IP EIGRP packets. |
| `(config)#key chain key_name` | Identifies a key chain. |
| `(config-key)#key key_number` | In the key chain configuration mode, identifies the key number. |
| `(config-key)#key-string key_string` | In the key chain key configuration mode, identifies the key string. |
| `(config)#access-list number permit tcp any host ip_address` | Creates the designated access list to permit any source to the specified destination. |
| `(config)#ip tcp intercept list list_number` | Creates TCP Intercept to use the specified list. |
| `(config)#ip tcp intercept mode intercept` | Sets the TCP Intercept mode to intercept. |
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the MCNS exam.
1. Which TCP Intercept mode will proxy-answer incoming SYN requests and not notify the server until the originating host is verified?
2. Which command would you configure on the perimeter router if you do not want it to announce to external hosts which subnets are not configured?
3. You want to disable Finger replies on a perimeter router. Which command do you want to use?
4. Which two commands would you use on your router to prevent a chargen attack?
5. ___________ can be used to encrypt data between two networks, which prevents eavesdropping.
6. In a rerouting attack, the ___________ table is modified or prevented from being updated.
7. Which command disables Cisco Discovery Protocol on a perimeter router?
8. What command is used to enable an HTTP server on a router for AAA?
9. Which command disables Cisco Discovery Protocol on a perimeter router interface?
10. What command will disable proxy ARP on a perimeter router?