Answers to Written Lab

Answers to Written Lab

1.The three TACACS+ servers supported by the IOS Firewall Authentication Proxy are CSACS for Windows NT/2000, CSACS for UNIX, and freeware TACACS+.

2.Memory usage, performance impact, and signature coverage are issues you should consider when implementing the IOS Firewall IDS.

3.The command clear ip auth-proxy cache * clears the cache of all entries when running the IOS Firewall Authorization Proxy.

4.The order in which modules are evaluated when a packet is evaluated by the IOS Firewall IDS is IP, ICMP, TCP/UDP, and application-level protocol.

5.The command aaa new-model enables AAA on the router.

6.To change the default idle time for the IOS Firewall Authentication Proxy to 30 minutes, use the command ip auth-proxy auth-cache-time 30.

7.Alarm, reset, and drop are the actions that the IOS Firewall IDS can take when a signature is matched.

8.The four RADIUS servers supported by the IOS Firewall Authentication Proxy are CSACS for Windows NT/2000, CSACS for UNIX, Lucent, and other standard RADIUS servers.

9.Info atomic, info compound, attack atomic, and attack compound are the four signaturetype combinations in the IOS Firewall IOS.

10.To specify a TACACS+ server on a router, use the tacacs-server host ip-address command.

214 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection

Answers to Review Questions

1.A, B. Both memory usage and signature coverage are issues to consider when planning an IOS Firewall IDS implementation. Performance impact was the third item mentioned in the text.

2.A. Atomic signatures trigger based on a single packet.

3.A. The default action for attack signatures is to alert.

4.C. Info signatures are informative in nature.

5.B. The default idle timeout period for the IOS Authentication Proxy is 60 minutes.

6.B. IP is evaluated first when packets enter an IOS Firewall IDS.

7.D. The application-level protocol is evaluated last when packets enter an IOS Firewall IDS.

8.B, E, F. There are three supported RADIUS servers: CSACS for NT/200, CSACS for Unix, and the Lucent server.

9.A. The IOS Firewall Authentication Proxy provides dynamic per-user authentication and authorization via TACACS+ and/or RADIUS. While CiscoSecure ACS is a valid server, it is not the only server.

10.B. The correct command to tell a router that a Syslog server is available is logging 10.1.1.2.

11.D. Attack signatures indicate malicious patterns of traffic.

12.D. The list must end by setting the privilege level to 15.

13.B, D, F. The three supported TACACS+ servers are CSACS for NT/2000, CSACS for Unix, and freeware TACACS+ servers.

14.D. The no aaa new-model command is the correct choice to remove all AAA processing from the router.

15.B, D, E. The three actions that IOS Firewall IDS can take are to alarm, drop, and reset.

16.C. The clear ip auth-proxy cache * command is the correct choice.

17.A. The default action for info signatures is to alert.

18.B. Compound signatures evaluate multiple packets.

19.D. The command ip auth-proxy auth-cache-time 30 is the correct syntax to change the default idle timer. While the syntax of answer B is also correct, 60 minutes is the default, and thus answer B will not change the default timeout value.

20.D. The clear ip audit configuration command is entered in global configuration mode.

Technology changes things—the way you live, work, communicate— your very needs. The standard 9-to-5 job, with everyone at one location, needed a type of network that is now for the most part obsolete

because of current trends such as telecommuting and video conferencing. These business requirements have exponentially increased the demand for users to access secure communications over public networks. Companies now need communications technology such as distributed and virtual private networks to stay competitive—if they want to stay in business now and in the future, that is!

This chapter introduces you to the concept of virtual private networks and describes the solutions you need to meet your company’s off-site network access needs. You’ll get an in-depth look at how these networks utilize IP Security (IPSec) to provide secure communications over a public network such as the Internet. The chapter concludes with a discussion of the devices that Cisco provides to implement these solutions and an introduction to the Cisco IOS Cryptosystem.

Okay, grab a double latte. This chapter is very theory intensive. If you feel lost after reading a section, take a moment to go back and review the material. Don’t rush or skim over sections you don’t really understand. You need a thorough knowledge of this content to provide the best service to your employer or clients.

Chapter 8, “Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support,” will demonstrate how to implement the solutions discussed in this chapter. So, let’s begin the introduction to virtual private networks.

What is a Virtual Private Network?

I’d be pretty willing to bet you’ve heard the term VPN more than once before. Maybe you even know what one is, but just in case you don’t, a virtual private network (VPN) allows for the creation of private networks across the Internet, enabling privacy and tunneling of non–TCP/IP protocols. VPNs are used daily to give remote users and disjointed networks connectivity over a public medium such as the Internet instead of using more expensive permanent means.

The types of VPNs are named based on the role they play in a business environment. There are three different categories of VPNs:

Remote access VPNs Remote access VPNs allow remote users like telecommuters to securely access the corporate network whenever and from wherever they need to.

Site-to-site VPNs A site-to-site VPN, also called an intranet VPN, allows a company to connect its remote sites to the corporate backbone securely over a public medium such as the Internet instead of requiring more expensive WAN connections like Frame Relay.