Summary
By now, I’m sure you can see that CBAC offers you much tighter security than you can hope to get by using ACLs alone. It can operate like a stateful firewall, keeping track of sessions and dynamically changing access lists to allow the passage of appropriate traffic.
The six steps that Cisco has defined to help you configure CBAC are:
1. Set audit trails and alerts.
2. Set global timeouts and thresholds.
3. Define Port-to-Application Mapping (PAM).
4. Define inspection rules.
5. Apply inspection rules and ACLs to interfaces.
6. Test and verify CBAC.
By using these steps as outlined in this chapter, you can create and maintain a secure and cost-effective internetwork.
Because CBAC is so versatile, it can also be used to prevent certain types of DoS attacks, and it offers you many fine-tuning options, including settings for values and timeouts that let you determine appropriate thresholds for your networks. Typically, you’d have to buy more hardware to provide these services, but not with CBAC.
Another example of CBAC’s versatility is Port-to-Application Mapping (PAM), which allows you to modify the default values of well-known ports and teach CBAC how to recognize these applications.
And if you need it to, CBAC can generate real-time alerts and audit trails through the use of a Syslog server. This allows you to monitor all enterprise alerts and audit trails at a single, centralized location.
To test and verify the operation of CBAC, use the command show ip inspect config to enable the session audit trail and the command show ip inspect interfaces to see the CBAC interface configuration.
Exam Essentials
Make sure you know the six steps for configuring CBAC. Cisco has outlined six steps for CBAC configuration:
1. Set audit trails and alerts.
2. Set global timeouts and thresholds.
3. Define Port-to-Application Mapping (PAM).
4. Define inspection rules.
5. Apply inspection rules and ACLs to interfaces.
6. Test and verify CBAC.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
164 Chapter 5 Context-Based Access Control Configuration
Be sure to know the global timeouts and thresholds and the commands for changing them.
You need to know the commands for changing the global timeouts and thresholds, as well as the default values. Refer to Table 5.1 for a listing of all global timeouts and thresholds and how to change them.
Make sure to know the rules for applying ACLs in conjunction with CBAC. Know that CBAC needs an extended ACL to modify for return traffic. Here is what else you must know:
On the interface where traffic initiates (in the corporate network example, the dirty DMZ), apply an ACL inward that permits only wanted traffic and apply the CBAC inspection rule in the inward direction that inspects wanted traffic.
On all other interfaces, apply an ACL in the inward direction that denies all other traffic except for traffic types not inspected by CBAC such as ICMP.
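The six configuration steps from the Summary, and the ACL-direction rules just listed, carried through as one worked Cisco IOS configuration. This is an added example, not a configuration from the book; the inspection rule name OUTBOUND, the ACL names, the 8080 HTTP port, the syslog server 10.0.0.50, the threshold values and all addresses (192.168.1.0/24 inside, 203.0.113.0/30 outside) are constructed for illustration.

```cisco
! Step 1: audit trails and alerts, sent to an assumed syslog server
logging on
logging 10.0.0.50
ip inspect audit-trail
no ip inspect alert-off
!
! Step 2: global timeouts and thresholds (values are assumptions)
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Step 3: PAM - teach CBAC that HTTP also runs on TCP 8080 here
ip port-map http port 8080
!
! Step 4: inspection rule (assumed name OUTBOUND)
ip inspect name OUTBOUND http
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Step 5a: interface where traffic initiates: ACL inward permitting
! only wanted traffic, plus the inspection rule inward
ip access-list extended INSIDE_IN
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 8080
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 deny ip any any log
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip inspect OUTBOUND in
!
! Step 5b: other interface: extended ACL inward denying everything
! except traffic CBAC does not inspect (ICMP); CBAC adds temporary
! entries ahead of the deny for return traffic of inspected sessions
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
!
! Step 6: verify with show ip inspect config, show ip inspect
! interfaces and show ip inspect name OUTBOUND
```

The deny entries carry the log keyword so that anything CBAC did not open a return path for shows up in the same syslog stream as the audit trail.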
Be sure to review the commands to test CBAC, and know the command to disable it. There are three show ip inspect commands:
The show ip inspect config command displays information about the entire global timeouts and thresholds configuration for CBAC as well as the inspection rule configuration, excluding interface information.
The show ip inspect interfaces command displays information about the interface configuration.
The show ip inspect name command displays information about the inspection rule configuration.
The no ip inspect command in global configuration mode disables all CBAC.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
access control lists (ACLs)
Intrusion Detection System (IDS)
Cisco IOS Firewall
Port-to-Application Mapping (PAM)
Context-Based Access Control (CBAC)
signatures
Commands Used in This Chapter
Here is the list of commands used in this chapter:
Command | Meaning
--- | ---
(config)#logging on | Enables logging.
(config)#logging ip_address | Logs to the listed IP address.
(config)#ip inspect audit-trail | Enables the audit trail.
(config)#no ip inspect alert-off | Enables the alerts.
(config)#ip inspect tcp synwait-time time | Sets how long CBAC will wait for a TCP session to be established before dropping the session. The default is 30 seconds.
(config)#ip port-map http port port_number | Modifies the default port mapping of HTTP.
#show ip port-map | Displays the current PAM settings.
(config)#ip inspect name | Creates an inspection rule. The inspection rule defines the applications and traffic types to be inspected.
#show ip inspect config | Displays the inspection rule configuration.
#show ip inspect interfaces | Displays the inspection rule interface configuration.
#show ip inspect name name | Provides audit-trail timers for the specified name.
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1. When CBAC starts deleting half-open connections, how many must there be per minute before it stops?
2. Which command disables all auditing?
3. Which commands are valid monitoring commands for CBAC?
4. Which command do you use to disable all CBAC functions on the router?
5. Which types of ACLs can CBAC dynamically modify?
6. Which command would you use if you needed to check and see which port(s) CBAC thinks HTTP is running on?
7. True or False: When configuring inspection rules, you can inspect application protocols, generic TCP, and generic UDP all together.
8. _____ provides stateful inspection, can effectively respond to DoS attacks, and adapts to user requests and network conditions. It is neither free with IOS, nor is it static.
9. What type of server do you need to have if you want to enable alerts and audit trails?
10. What are the six steps recommended by Cisco to configure CBAC (in order)?