
- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary

174 Chapter 5 Context-Based Access Control Configuration
Answers to Written Lab
1. Once CBAC starts deleting half-open connections, it keeps deleting them until the rate drops to 400 per minute.
2. The command no ip inspect audit-trail disables all auditing.
3. The valid monitoring commands for CBAC are show ip inspect interfaces and show ip inspect config.
4. To disable all CBAC functions on the router, use the command no ip inspect.
5. CBAC can dynamically modify the IP extended type of ACLs.
6. You can use either show ip port-map or show ip port-map http to check which port(s) CBAC thinks HTTP is running on.
7. True. You can inspect application protocols, generic TCP, and generic UDP all together when configuring inspection rules.
8. CBAC provides stateful inspection, can effectively respond to DoS attacks, and adapts to user requests and network conditions. It is neither free with IOS, nor is it static.
9. You need to have a Syslog server if you want to enable alerts and audit trails.
10. The six steps recommended by Cisco to configure CBAC are, in order: set audit trails and alerts, set global timeouts and thresholds, define Port-to-Application Mapping (PAM), define inspection rules, apply inspection rules and ACLs to interfaces, and test and verify CBAC.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com

Answers to Review Questions
1. E. The ip inspect tcp max-incomplete host 100 command sets the maximum number of half-open TCP connections to a single host to 100.
2. C. CBAC defines a half-open connection as any connection that fails to reach an established state.
3. C. The ip inspect max-incomplete high 1000 command sets the maximum number of total half-open TCP connections (regardless of the destination host) to 1000.
4. A. The no ip inspect command in global configuration mode disables all CBAC.
5. E. CBAC will wait 1 hour, or 3600 seconds, before deleting idle TCP connections.
6. A. The ip inspect tcp synwait-time 60 command sets the time CBAC will wait on half-open TCP connections to 60 seconds.
7. C. CBAC, by default, starts deleting half-open connections once there are 500. This is configured using the ip inspect max-incomplete high parameter.
8. B. Once CBAC starts deleting half-open connections, by default, it will not stop until there are 400 (or fewer). This is configured using the ip inspect max-incomplete low parameter.
9. C. CBAC, by default, starts deleting half-open connections once there are 500 per minute. This is configured using the ip inspect one-minute high parameter.
10. B. Once CBAC starts deleting half-open connections, by default, it will not stop until there are 400 per minute (or fewer). This is configured using the ip inspect one-minute low parameter.
11. B. The no ip inspect audit-trail command disables the auditing.
12. A, C, D. The three components of the IOS Firewall are CBAC, Authentication Proxy, and IDS.
13. B, C. Both the show ip inspect interfaces and show ip inspect config commands display information about CBAC configuration. The other commands are all invalid.
14. C. The no ip inspect command in global configuration mode disables all CBAC.
15. B. CBAC can only modify IP extended access lists to allow responses back through the firewall.
16. A, E. The show ip port-map and show ip port-map http commands display the ports configured or mapped to HTTP. The show ip port-map port 80 command displays only port 80 information.
17. D. You can inspect independent protocols, generic TCP, and UDP traffic.

18. A, C, D. CBAC provides stateful inspection, can effectively respond to DoS attacks, and adapts to user requests and network conditions. It is neither free with IOS, nor is it static.
19. C. When you enable audit trails and alerts, you must have a Syslog server configured to receive the alerts and audit logs.
20. C. The six steps recommended by Cisco to configure CBAC are, in order: set audit trails and alerts, set global timeouts and thresholds, define Port-to-Application Mapping (PAM), define inspection rules, apply inspection rules and ACLs to interfaces, and test and verify CBAC.
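As an added illustration that is not from the book, the following Cisco IOS fragment walks through the six CBAC steps from written lab answer 10 and sets the thresholds the review answers quote (answers 1, 5, 6, 7 through 10, 15 and 16); the interface name, ACL number, inspection-rule name, PAM port and Syslog address are assumed.

```cisco
! Step 1: audit trails and alerts (written lab 9 / review 19: a Syslog server is required)
! assumed Syslog server address
logging 10.1.1.5
ip inspect audit-trail
! "no ip inspect audit-trail" turns auditing off again (written lab 2 / review 11)
!
! Step 2: global timeouts and thresholds
! review 7 and 8: start dropping half-open sessions at 500 in total, stop again at 400
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! review 9 and 10: the same high/low pair, measured as new half-open sessions per minute
ip inspect one-minute high 500
ip inspect one-minute low 400
! review 1: at most 100 half-open TCP sessions to any single destination host
ip inspect tcp max-incomplete host 100 block-time 0
! review 6: give the TCP handshake 60 seconds to complete
ip inspect tcp synwait-time 60
! review 5: keep an idle TCP session for 1 hour (3600 seconds) before deleting it
ip inspect tcp idle-time 3600
!
! Step 3: Port-to-Application Mapping (written lab 6 / review 16)
! assumed: the web proxy listens on 8080, so HTTP inspection must cover it too
ip port-map http port 8080
!
! Step 4: inspection rules (review 17: application protocol, generic TCP and UDP in one rule)
ip inspect name OUTBOUND http
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Step 5: apply the rule and an extended ACL (review 15: CBAC only modifies extended ACLs)
! inbound traffic is denied unless CBAC has opened a temporary hole for a return flow
access-list 101 deny ip any any
! assumed outside interface
interface Serial0/0
 ip access-group 101 in
 ip inspect OUTBOUND out
!
! Step 6: test and verify (written lab 3 / review 13)
! show ip inspect config
! show ip inspect interfaces
! show ip port-map http
```

The show commands in the last step confirm the thresholds, the rule applied to the interface, and the port CBAC now associates with HTTP.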

Chapter 6: Cisco IOS Firewall Authentication and Intrusion Detection
THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:
Understanding the Cisco IOS Firewall Authentication Proxy
Configuring the AAA server
Configuring AAA
Configuring the Authentication Proxy
Verifying the Cisco IOS Firewall
Understanding IOS Firewall IDS
Initializing Cisco IOS Firewall IDS
Configuring, disabling, and excluding signatures
Creating and applying audit rules

Picture this…You’re the networking/security guru working for a company located in the trendiest part of town—you know, where all the old, industrial brick buildings have been converted to cool lofts and chic, pricey offices with gourmet shops, martini bars, and art galleries at street level? Nice! Congrats—only, there’s a catch. Though snappy and stylish, that edgy design house aesthetic spawned an office environment without cubes, doors, or privacy, where all the desks are out in one big open, collaborative, synergetic “space.” Said another way, every PC is physically accessible to every user who simply waits for the office to empty out at lunch or after work to do whatever they please on someone else’s computer.
And of course you have many different levels of employees in this office, and each one requires specific kinds of access to external networks, including the Internet. Assuming that you can’t just give everyone full access to all external resources, how do you deal with this nightmare and configure (implement) access controls?
Well, you could sit down, figure out who sits where, and scribble out some access control lists (ACLs). And it’ll take what, a half-nanosecond, for your users to realize: “@#%&! I can’t get to the Web from my PC. But if I wait for someone whose machine can get to the Internet to leave, voila! I’ve got web access!”
So what’s your next move? Password-protect the machines? Implement policies about locking screensavers? Those strategies might help a bit, but do you think you’ll really be able to get Mr. Know-It-All-VP, who doesn’t know diddly about computers, to buy in? And what about shared machines—especially when users sharing the same machine have different security policies? Can you solve that one with an ACL?
All of this highlights a critical issue that you didn’t have a very effective solution for in the past. Tying ACLs to devices (IP addresses) was pretty much it, except doing that didn’t help a whole lot because what you really need to control are organic life forms, plus other Darwinian wonders known as users. How would you like to be able to attach an ACL to the user rather than to the resource? Well, now you can—that’s the objective of the IOS Firewall Authentication Proxy, and it’s what we’ll be covering in the first part of this chapter.
But the Authentication Proxy is only a partial solution, because once you’ve got your users squared away, you’ve still got to keep out spam e-mail, viruses, worms, hackers, and the deranged former employee seeking to sabotage the company’s business processes! While it’s pretty idealistic to think that you can protect yourself from everyone or everything bent on seriously messing with your system, there is a truly powerful tool that can really help. The IOS Firewall Intrusion Detection System (IDS) gives you more bang for your buck by allowing your IOS router to act as a Cisco