
- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary

204 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- atomic signatures
- attack signatures
- audit rule
- compound signatures
- info signatures
- Intrusion Detection System (IDS)
- IOS Firewall Authentication Proxy
- IOS Firewall IDS
- signatures
Commands Used in This Chapter
Here is the list of commands used in this chapter:

| Command | Meaning |
|---|---|
| `(config)#aaa new-model` | Prepares the router for AAA configuration. |
| `(config)#aaa authentication login default group tacacs+` | Enables AAA authentication using TACACS+. |
| `(config)#aaa authorization auth-proxy default group tacacs+` | Enables AAA authorization using TACACS+. |
| `(config)#tacacs-server host ip-address` | Specifies the TACACS+ server at the designated IP address. |
| `(config)#tacacs-server key key-name` | Specifies the TACACS+ server key. |
| `(config)#ip http server` | Enables the router's HTTP server. |
| `(config)#ip http server authentication aaa` | Enables AAA authentication for HTTP. |
| `(config)#ip auth-proxy auth-cache-time time` | Sets the default idle timeout to the specified interval (in minutes). |
| `(config)#ip auth-proxy name name http` | Creates an Authentication Proxy rule with the specified name. |
| `(config)#clear ip auth-proxy cache *` | Clears all Authentication Proxy cache entries. |
| `(config)#ip audit notify log` | Configures the IOS Firewall IDS to log to the Syslog server. |
| `(config)#logging ip-address` | Specifies the Syslog server at the designated IP address. |
| `(config)#ip audit signature signature disable` | Disables the specified IDS signature; there's no form to enable. |
| `(config)#ip audit signature signature list list` | Excludes hosts and networks in the specified list from the designated signature. |
| `(config)#ip audit info action alarm` | Sets the default action for info to alarm. |
| `(config)#ip audit attack action alarm drop reset` | Sets the default action for attack to alarm, drop, and reset. |
| `(config)#ip audit name name info action alarm` | Sets the action for the specified audit rule type info to alarm. |
| `(config)#ip audit name name attack action alarm drop reset` | Sets the action for the specified audit rule type attack to alarm, drop, and reset. |
| `(config)#ip audit po protected ip-address to ip-address` | Defines the protected network using the specified IP addresses. |

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.
www.sybex.com
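As an added example, not part of the Sybex chapter, the command table above is assembled here into one router configuration that brings up the Authentication Proxy and the IOS Firewall IDS together, in the order the chapter presents them. The IP addresses, the TACACS+ key, the rule names and the interface numbers are constructed placeholders. The HTTP server is bound to AAA with `ip http authentication aaa`, the form the router accepts for that step.

```text
! Constructed example configuration; placeholders, not values from the chapter:
!   10.0.0.5          TACACS+ server (also used as the Syslog host)
!   10.1.1.0/24       protected inside network
!   LAB-KEY           shared TACACS+ key
!   FastEthernet0/0   inside interface (users who must authenticate)
!   FastEthernet0/1   outside interface (traffic to be audited)
!
! --- AAA and TACACS+: prerequisites for the Authentication Proxy ---
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.5
tacacs-server key LAB-KEY
!
! --- HTTP server, which the Authentication Proxy uses to prompt for credentials ---
ip http server
ip http authentication aaa
!
! --- Authentication Proxy: 30-minute idle timeout, one rule, applied
! --- on the inside interface so users authenticate before leaving ---
ip auth-proxy auth-cache-time 30
ip auth-proxy name INSIDE-USERS http
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip auth-proxy INSIDE-USERS
!
! --- IOS Firewall IDS: Syslog destination, protected network, default
! --- actions, and one audit rule applied inbound on the outside ---
logging 10.0.0.5
ip audit notify log
ip audit po protected 10.1.1.1 to 10.1.1.254
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit name OUTSIDE-AUDIT info action alarm
ip audit name OUTSIDE-AUDIT attack action alarm drop reset
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip audit OUTSIDE-AUDIT in
!
! Verification from exec mode:
!   show ip auth-proxy cache        active proxy sessions and their idle timers
!   show ip audit configuration     audit rules, default actions, protected range
! Housekeeping:
!   clear ip auth-proxy cache *     removes every Authentication Proxy cache entry
```

The info and attack defaults (alarm; alarm, drop and reset) are set globally first and then repeated on the named audit rule, so a rule reads the same whether or not the global defaults are later changed; the audit rule is placed inbound on the outside interface so that traffic is inspected before it reaches the protected range named in `ip audit po protected`.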
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1. List three TACACS+ servers supported by the IOS Firewall Authentication Proxy.
2. What are the three issues to consider when implementing the IOS Firewall IDS?
3. What is the command that clears the cache of all entries when running the IOS Firewall Authentication Proxy?
4. What is the order in which modules are evaluated when a packet is evaluated by the IOS Firewall IDS?
5. What is the command that enables AAA on the router?
6. What is the command to change the default idle time for the IOS Firewall Authentication Proxy to 30 minutes?
7. What actions can the IOS Firewall IDS take when a signature is matched?
8. List four RADIUS servers supported by the IOS Firewall Authentication Proxy.
9. List the four signature-type combinations in the IOS Firewall IDS.
10. What is the correct command to specify a TACACS+ server on a router?
Review Questions
1. Which of the following are issues to consider when implementing the IOS Firewall IDS? (Choose all that apply.)
A. Memory usage
B. Signature coverage
C. User address space
D. TACACS+ server type
2. In the IOS Firewall IDS, what type of signature triggers on a single packet?
A. Atomic
B. Compound
C. Info
D. Attack
3. What is the default action for attack signatures in the IOS Firewall IDS?
A. Alert
B. Reset
C. Drop
D. Reset and drop
E. Alert, reset, and drop
4. In the IOS Firewall IDS, which types of signatures are informative in nature?
A. Atomic
B. Compound
C. Info
D. Attack
5. What is the default idle timeout period on the IOS Firewall Authentication Proxy?
A. 60 seconds
B. 60 minutes
C. 30 seconds
D. 30 minutes
E. 90 seconds
F. 90 minutes
6. When packets enter an IOS Firewall IDS, which module is evaluated first?
A. ICMP
B. IP
C. TCP/UDP
D. Application-level protocol
7. When packets enter an IOS Firewall IDS, which module is evaluated last?
A. ICMP
B. IP
C. TCP/UDP
D. Application-level protocol
8. What types of RADIUS servers are supported by the IOS Firewall Authentication Proxy? (Choose all that apply.)
A. Active Directory
B. CiscoSecure ACS for Unix
C. NDS
D. Freeware TACACS+
E. Lucent
F. CiscoSecure ACS for Windows NT/2000
9. Which of the following best describes the function of the IOS Firewall Authentication Proxy?
A. Provides dynamic per-user authentication and authorization via TACACS+ and/or RADIUS
B. Provides dynamic per-user authentication and authorization via CiscoSecure ACS
C. Provides dynamic per-user authentication via TACACS+ and/or RADIUS
D. Provides dynamic per-user authorization via TACACS+ and/or RADIUS
E. Provides dynamic per-user authentication via CiscoSecure ACS
10. Which command tells a router that a Syslog server is available at 10.1.1.2?
A. syslog-server 10.1.1.2
B. logging 10.1.1.2
C. ip logging 10.1.1.2
D. ip syslog 10.1.1.2
11. In the IOS Firewall IDS, which types of signatures indicate a potentially malicious problem?
A. Atomic
B. Compound
C. Info
D. Attack
12. When configuring the AAA server for the IOS Firewall Authentication Proxy, what privilege level must you set at the end of each list?
A. 1
B. 3
C. 10
D. 15
E. *
13. Which TACACS+ servers are supported by the IOS Firewall Authentication Proxy? (Choose all that apply.)
A. Active Directory
B. CiscoSecure ACS for Unix
C. NDS
D. Freeware TACACS+
E. Lucent
F. CiscoSecure ACS for Windows NT/2000
14. Which command would remove all AAA processing from the router?
A. clear aaa *
B. aaa new-model
C. clear ip auth-proxy cache *
D. no aaa new-model
E. no clear ip auth-proxy cache *
15. When a signature in the IOS Firewall IDS matches a packet or packets, which of the following are valid actions? (Choose all that apply.)
A. Log
B. Alarm
C. Activate CBAC
D. Reset
E. Drop
16. Which of the following commands will clear all entries of the cache on the IOS Firewall Authentication Proxy?
A. clear ip auth-proxy cache all
B. clear ip auth proxy cache
C. clear ip auth-proxy cache *
D. clear ip cache
E. clear auth-proxy cache *
17. What is the default action for info signatures in the IOS Firewall IDS?
A. Alert
B. Reset
C. Drop
D. Reset and drop
E. Alert, reset, and drop
18. In the IOS Firewall IDS, which type of signature matches based on multiple packets?
A. Atomic
B. Compound
C. Info
D. Attack
19. Which of the following commands successfully changes the default idle timeout of the IOS Firewall Authentication Proxy?
A. ip auth-proxy 30
B. ip auth-proxy auth-cache-time 60
C. ip auth-proxy idle-timeout 30
D. ip auth-proxy auth-cache-time 30
E. ip auth-proxy idle-timeout 60
20. Which command halts all IOS Firewall IDS functions?
A. no aaa new-model
B. clear ip audit-configuration
C. no ip audit configuration
D. clear ip audit configuration