
174 Chapter 5 Context-Based Access Control Configuration

Answers to Written Lab

1. When CBAC starts deleting half-open connections, there must be 400 per minute before CBAC stops.

2. The command no ip inspect audit-trail disables all auditing.

3. The valid monitoring commands for CBAC are show ip inspect interfaces and show ip inspect config.

4. To disable all CBAC functions on the router, use the command no ip inspect.

5. CBAC can dynamically modify the IP extended type of ACLs.

6. You can use either show ip port-map or show ip port-map http to check which port(s) CBAC thinks HTTP is running on.

7. True. You can inspect application protocols, generic TCP, and generic UDP all together when configuring inspection rules.

8. CBAC provides stateful inspection, can effectively respond to DoS attacks, and adapts to user requests and network conditions. It is neither free with IOS, nor is it static.

9. You need to have a Syslog server if you want to enable alerts and audit trails.

10. The six steps recommended by Cisco to configure CBAC are, in order: set audit trails and alerts, set global timeouts and thresholds, define Port-to-Application Mapping (PAM), define inspection rules, apply inspection rules and ACLs to interfaces, and test and verify CBAC.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


Answers to Review Questions

1. E. The ip inspect tcp max-incomplete host 100 command sets the maximum number of half-open TCP connections to a single host to 100.

2. C. CBAC defines a half-open connection as any connection that fails to reach an established state.

3. C. The ip inspect max-incomplete high 1000 command sets the maximum number of total half-open TCP connections (regardless of the destination host) to 1000.

4. A. The no ip inspect command in global configuration mode disables all CBAC.

5. E. CBAC will wait 1 hour, or 3600 seconds, before deleting idle TCP connections.

6. A. The ip inspect tcp synwait-time 60 command sets the time CBAC will wait on half-open TCP connections to 60 seconds.

7. C. CBAC, by default, starts deleting half-open connections once there are 500. This is configured using the ip inspect max-incomplete high parameter.

8. B. Once CBAC starts deleting half-open connections, by default, it will not stop until there are 400 (or fewer). This is configured using the ip inspect max-incomplete low parameter.

9. C. CBAC, by default, starts deleting half-open connections once there are 500 per minute. This is configured using the ip inspect one-minute high parameter.

10. B. Once CBAC starts deleting half-open connections, by default, it will not stop until there are 400 per minute (or fewer). This is configured using the ip inspect one-minute low parameter.

11. B. The no ip inspect audit-trail command disables the auditing.

12. A, C, D. The three components of the IOS Firewall are CBAC, Authentication Proxy, and IDS.

13. B, C. Both the show ip inspect interfaces and show ip inspect config commands display information about CBAC configuration. The other commands are all invalid.

14. C. The no ip inspect command in global configuration mode disables all CBAC.

15. B. CBAC can only modify IP extended access lists to allow responses back through the firewall.

16. A, E. The show ip port-map and show ip port-map http commands display the ports configured or mapped to HTTP. The show ip port-map port 80 command displays only port 80 information.

17. D. You can inspect independent protocols, generic TCP, and UDP traffic.


18. A, C, D. CBAC provides stateful inspection, can effectively respond to DoS attacks, and adapts to user requests and network conditions. It is neither free with IOS, nor is it static.

19. C. When you enable audit trails and alerts, you must have a Syslog server configured to receive the alerts and audit logs.

20. C. The six steps recommended by Cisco to configure CBAC are, in order: set audit trails and alerts, set global timeouts and thresholds, define Port-to-Application Mapping (PAM), define inspection rules, apply inspection rules and ACLs to interfaces, and test and verify CBAC.
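The six steps in answers 10 and 20, and the default thresholds quoted in answers 5 through 10, written out as one IOS configuration. This is an added example, not text from the study guide; the interface name Serial0/0, ACL 101, the rule name FWRULE and the syslog host 10.1.1.5 are assumed values.

```cisco
! Added example (not from the study guide): CBAC in the six-step order
! the answers describe. Serial0/0, ACL 101, FWRULE and 10.1.1.5 are assumed.
!
! Step 1: audit trails and alerts (both need a syslog host to land anywhere)
logging host 10.1.1.5
logging trap informational
ip inspect audit-trail
no ip inspect alert-off
!
! Step 2: global timeouts and thresholds. These are the IOS defaults the
! answers quote, entered explicitly so they are visible in the running config.
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Step 3: Port-to-Application Mapping, so HTTP inspection also covers 8080
ip port-map http port 8080
!
! Step 4: inspection rules: application-layer HTTP plus generic TCP and UDP
ip inspect name FWRULE http
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Step 5: apply the rule and an extended ACL to the outside interface.
! The ACL denies everything inbound; CBAC inserts temporary entries ahead
! of it for the return traffic of sessions it inspected going out.
access-list 101 deny ip any any
interface Serial0/0
 ip access-group 101 in
 ip inspect FWRULE out
!
! Step 6: verify (the monitoring commands answer 13 accepts as valid)
! show ip inspect config
! show ip inspect interfaces
! show ip port-map http
```

With only the deny entry in ACL 101, anything that is not the return half of an inspected session (ICMP, inbound services) is dropped at the interface, so add explicit permits for whatever must be reachable from outside.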

Chapter 6

Cisco IOS Firewall Authentication and Intrusion Detection

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

Understanding the Cisco IOS Firewall Authentication Proxy

Configuring the AAA server

Configuring AAA

Configuring the Authentication Proxy

Verifying the Cisco IOS Firewall

Understanding IOS Firewall IDS

Initializing Cisco IOS Firewall IDS

Configuring, disabling, and excluding signatures

Creating and applying audit rules

Picture this…You’re the networking/security guru working for a company located in the trendiest part of town—you know, where all the old, industrial brick buildings have been converted to cool lofts and chic, pricey offices with gourmet shops, martini bars, and art galleries at street level? Nice! Congrats—only, there’s a catch. Though snappy and stylish, that edgy design house aesthetic spawned an office environment without cubes, doors, or privacy, where all the desks are out in one big open, collaborative, synergetic “space.” Said another way, every PC is physically accessible to every user who simply waits for the office to empty out at lunch or after work to do whatever they please on someone else’s computer.

And of course you have many different levels of employees in this office, and each one requires specific kinds of access to external networks, including the Internet. Assuming that you can’t just give everyone full access to all external resources, how do you deal with this nightmare and configure (implement) access controls?

Well, you could sit down, figure out who sits where, and scribble out some access control lists (ACLs). And it’ll take what, a half-nanosecond, for your users to realize: “@#%&! I can’t get to the Web from my PC. But if I wait for someone whose machine can get to the Internet to leave, voila! I’ve got web access!”

So what’s your next move? Password-protect the machines? Implement policies about locking screensavers? Those strategies might help a bit, but do you think you’ll really be able to get Mr. Know-It-All-VP, who doesn’t know diddly about computers, to buy in? And what about shared machines—especially when users sharing the same machine have different security policies? Can you solve that one with an ACL?

All of this highlights a critical issue that you didn’t have a very effective solution for in the past. Tying ACLs to devices (IP addresses) was pretty much it, except doing that didn’t help a whole lot because what you really need to control are organic life forms, plus other Darwinian wonders known as users. How would you like to be able to attach an ACL to the user rather than to the resource? Well, now you can—that’s the objective of the IOS Firewall Authentication Proxy, and it’s what we’ll be covering in the first part of this chapter.

But the Authentication Proxy is only a partial solution, because once you’ve got your users squared away, you’ve still got to keep out spam e-mail, viruses, worms, hackers, and the deranged former employee seeking to sabotage the company’s business processes! While it’s pretty idealistic to think that you can protect yourself from everyone or everything bent on seriously messing with your system, there is a truly powerful tool that can really help. The IOS Firewall Intrusion Detection System (IDS) gives you more bang for your buck by allowing your IOS router to act as a Cisco
