Review Questions
1. Which of the following commands would you use to change the maximum number of half-open TCP connections per host to 100?
A. ip inspect tcp synwait-time 100
B. ip inspect tcp idle-time 100
C. ip inspect max-incomplete high 100
D. ip inspect one-minute high 100
E. ip inspect tcp max-incomplete host 100
2. Which of the following best describes a half-open connection?
A. The TCP three-way handshake was completed.
B. The connection was denied.
C. The connection failed to reach an established state.
D. The connection timed out.
3. Which of the following commands would you use to change the maximum total number of half-open TCP connections to 1000?
A. ip inspect tcp synwait-time 1000
B. ip inspect tcp idle-time 1000
C. ip inspect max-incomplete high 1000
D. ip inspect one-minute high 1000
E. ip inspect tcp max-incomplete host 1000
4. Which of the following commands disables all CBAC on the IOS Firewall?
A. Router(config)#no ip inspect
B. Router(config-if)#no ip inspect
C. Router(config)#no ip cbac
D. Router(config-if)#no ip cbac
5. What is the default time CBAC will wait before closing idle TCP connections?
A. 10 seconds
B. 30 seconds
C. 60 seconds
D. 600 seconds
E. 3600 seconds
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Chapter 5 Context-Based Access Control Configuration
6. Which of the following commands would you use to change the length of time CBAC will wait for half-open TCP connections to complete before dropping them to 60 seconds?
A. ip inspect tcp synwait-time 60
B. ip inspect tcp idle-time 60
C. ip inspect max-incomplete high 60
D. ip inspect one-minute high 60
E. ip inspect tcp max-incomplete host 60
7. What is the default number of half-open connections that causes CBAC to start deleting them?
A. 100
B. 400
C. 500
D. 600
E. 3600
8. Once CBAC starts deleting half-open connections, how many must there be before it stops?
A. 100
B. 400
C. 500
D. 600
E. 3600
9. What is the default number of half-open connections per minute that causes CBAC to start deleting them?
A. 100
B. 400
C. 500
D. 600
E. 3600
10. Once CBAC starts deleting half-open connections, how many must there be per minute before it stops?
A. 100
B. 400
C. 500
D. 600
E. 3600
11. Which of the following commands disables all auditing?
A. ip inspect audit-trail
B. no ip inspect audit-trail
C. ip inspect alert off
D. no ip inspect alert off
12. Which of the following are components of the IOS Firewall? (Choose all that apply.)
A. Context-Based Access Control (CBAC)
B. Contextless Access Control (CAC)
C. Authentication Proxy
D. Intrusion Detection System (IDS)
E. Stateful firewall
13. Which of the following commands are valid monitoring commands for CBAC? (Choose all that apply.)
A. ip inspect show
B. show ip inspect interfaces
C. show ip inspect config
D. display ip inspect config
E. inspect ip global-parameters
14. Suppose that you need to disable all CBAC functions on the router. Which of the following commands would you choose?
A. Router(config)#ip inspect none
B. Router(config-if)#no ip inspect
C. Router(config)#no ip inspect
D. Router(config-if)#no ip cbac
15. Which types of ACL can CBAC dynamically modify?
A. IP standard
B. IP extended
C. Any IP access list
D. Any access list
16. You need to check and see which port(s) CBAC thinks HTTP is running on. Which of the following commands gives you this information? (Choose all that apply.)
A. show ip port-map
B. show ip port 80 port-map
C. show ip http port-map
D. show ip port-map port 80
E. show ip port-map http
17. When configuring inspection rules, which of the following best describes how protocols can be configured?
A. You can inspect TCP or UDP, but not both.
B. You can inspect TCP and UDP, but nothing else.
C. You can inspect application protocols or TCP.
D. You can inspect application protocols, generic TCP, and generic UDP all together.
E. None of the above.
18. Which of the following are properties of CBAC? (Choose all that apply.)
A. Stateful inspection
B. Static
C. Can be used to effectively respond to DoS attacks
D. Adapts to user requests and network conditions
E. Free with standard IOS
19. You need to enable alerts and audit trails. Which of the following must you have in order to do this?
A. CiscoSecure ACS
B. Windows 2000
C. Syslog server
D. TACACS server
E. RADIUS server
20. What are the six steps recommended by Cisco to configure CBAC (in order)?
1. Define inspection rules.
2. Test and verify CBAC.
3. Set global timeouts and thresholds.
4. Apply inspection rules and ACLs to interfaces.
5. Set audit trails and alerts.
6. Define Port-to-Application Mapping (PAM).
A. 1, 2, 3, 4, 5, 6
B. 3, 6, 5, 2, 1, 4
C. 5, 3, 6, 1, 4, 2
D. 2, 4, 3, 5, 6, 1
E. 4, 6, 2, 3, 1, 5