- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting Your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What Is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary
Chapter 7: Understanding Cisco IOS IPSec Support
Answers to Written Lab
1. IKE phase 1 and IKE phase 2 are the two phases of IKE.
2. The Cisco devices available for IPSec are Cisco routers, CiscoSecure VPN Concentrators, and PIX Firewalls.
3. DES and 3DES are the two symmetric encryption algorithms that provide confidentiality for ESP.
4. Two IPSec SAs are required for a peering session.
5. Remote access, site-to-site, and extranet are the three categories of VPNs.
6. The Cisco IOS Cryptosystem is made up of DES, MD5, DSS, and DH.
7. XAuth provides a method in which IKE can use AAA to authenticate the user after IKE has authenticated the device.
8. L2TP replaced L2F and PPTP.
9. An IPSec transform is a single security protocol with the corresponding security algorithm.
10. A nonce is a pseudo-random number.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Answers to Review Questions
1. A, B, D. The Cisco IOS Cryptosystem consists of DES, MD5, DSS, and DH.
2. A. During IKE phase 1, DH is used to create the private keys, Xa and Xb, and the public keys, Ya and Yb. DH then uses these keys to create the shared secret key ZZ, which is used to encrypt the DES and MD5 keys.
3. B. The first step in using RSA-encrypted nonces requires the user to manually generate the keys. The user must then manually enter the public key created on each device into the device they wish to peer with.
4. C. 3DES is a stronger version of DES that uses three different keys for encrypting data before it is sent to the peer.
5. D. When tunnel mode encapsulation is used, the original IP header is not used to transport the packet. Instead, a new IP header is created using the IP addresses of the IPSec peers as the source and destination of the packet. This mode is great when you are creating a VPN across the Internet because the addresses of the originating devices can be private.
6. D. In Cisco's Cryptosystem, DES is used to encrypt data, MD5 is used to create a message hash, DSS is used to verify peers by exchanging public keys, and Diffie-Hellman is used to establish private and public keys that will be used to encrypt the keys used by DES and MD5.
7. C. RSA signatures utilize a CA server to issue a device a signed digital certificate. This digital certificate is then exchanged with devices they wish to peer with.
8. A. The CiscoSecure VPN Concentrator allows for remote access users, such as telecommuters, to be securely connected into a corporate network.
9. A. HMAC-MD5 is a hashing algorithm that creates a 128-bit secret key. HMAC-MD5 produces a 128-bit authentication value that is truncated using the first 96 bits. This truncated value is then inserted into the authenticator field of AH or ESP and sent to the peer.
10. A. IPSec functions at Layer 3, the Network layer, of the OSI model.
11. A, C, D. There are three types of VPNs: remote access, site-to-site (a.k.a. intranet), and extranet. Answer B is wrong because there isn't an externet VPN type.
12. A. Site-to-site VPN solutions allow a company to connect its remote sites to the corporate backbone securely over a public medium such as the Internet, instead of having to use more expensive WAN connections such as Frame Relay.
13. D. IKE mode configuration allows IKE to scale an IPSec policy out to remote users. This is accomplished by allowing a gateway to download an IP address and other network-level configuration to a client during IKE negotiation. This address is then used as the inner IP address to be encapsulated under IPSec.
14. C. During IKE phase 2, IPSec SAs are negotiated, resulting in the formation of an IPSec tunnel.
15. B. L2TP was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the functionality of L2F and PPTP into one tunneling protocol. L2TP is backward compatible with L2F.
16. B, D. Each SA has a unique triple identity consisting of a Security Parameter Index (SPI), an IP destination address, and a security protocol (AH or ESP) identifier. So the only correct answers are B and D.
17. C. Remote access VPNs allow remote users, such as telecommuters, to securely access the corporate network whenever and from wherever the need may arise.
18. B. The Cisco IOS Cryptosystem uses DES for the encryption of data.
19. B. L2TP was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the functionality of L2F and PPTP into one tunneling protocol.
20. B, C, D. AH provides an integrity check on the whole packet, and anti-replay. AH doesn't offer any encryption services. So answers B, C, and D are correct.
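Review answers 9 and 20 describe two of the services AH provides: a 96-bit truncated HMAC-MD5 authenticator and anti-replay protection. The following Python example, added here and not part of the Sybex text, shows both on constructed packets: the sender appends a 32-bit sequence number and the HMAC-MD5-96 ICV, and the receiver rejects tampered, replayed, and stale packets. The sequence-number framing, the `protect`/`Receiver` names, the 64-entry window and the sample key are assumptions for illustration, not the real AH header layout; the 96-bit truncation itself is the RFC 2403 behaviour the answer key describes.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # 96 bits: the truncated authenticator the answer key describes (RFC 2403)
SEQ_LEN = 4   # 32-bit sequence number, modelled on the AH/ESP header field


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """Full HMAC-MD5 is 128 bits; IPSec keeps only the leftmost 96 bits."""
    full_mac = hmac.new(key, data, hashlib.md5).digest()  # 16 bytes
    return full_mac[:ICV_LEN]


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side (simplified, not the real AH layout): seq + payload + ICV over both.
    Nothing is encrypted, matching what AH offers."""
    body = struct.pack("!I", seq) + payload
    return body + hmac_md5_96(key, body)


class Receiver:
    """Receiver side: ICV check plus a simplified anti-replay window.

    Assumption (illustrative, not from the book): a sliding window of
    `window` sequence numbers ending at the highest authenticated sequence
    number accepted so far.
    """

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = set()  # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        """Return (accepted, reason). Only an authenticated packet advances the window."""
        if len(packet) < SEQ_LEN + ICV_LEN:
            return False, "too short"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack("!I", body[:SEQ_LEN])[0]

        # Sequence checks first: they are cheap and run before the ICV, so a
        # replayed or stale packet never costs an HMAC computation.
        if seq in self.seen:
            return False, "replay"
        if seq + self.window <= self.highest:
            return False, "outside window"

        # Constant-time comparison of the 96-bit ICV.
        if not hmac.compare_digest(hmac_md5_96(self.key, body), icv):
            return False, "bad ICV"

        # Authentic and fresh: record it and slide the window forward.
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s + self.window > self.highest}
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real SA key
    rx = Receiver(key)
    print(rx.accept(protect(key, 1, b"first")))        # (True, 'ok')
    print(rx.accept(protect(key, 1, b"first")))        # (False, 'replay')
    good = protect(key, 2, b"hello")
    print(rx.accept(good[:4] + b"jello" + good[9:]))   # (False, 'bad ICV')
```

The RFC 2202 test vector for HMAC-MD5 (key of sixteen 0x0b bytes, data "Hi There") gives `9294727a3638bb1c13f48ef8158bfc9d`; the 96-bit ICV is the first 12 bytes of that, which is what a peer would find in the AH or ESP authenticator field.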
Chapter 8: Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support
THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:
Configuring IPSec encryption tasks
Preparing for IKE and IPSec
Configuring IKE
Configuring IPSec
Configuring transform set suites
Configuring global IPSec Security Association (SA) lifetimes
Creating crypto ACLs
Creating crypto maps
Applying crypto maps to interfaces
Testing and verifying IPSec
Configuring IPSec manually
Configuring IPSec for RSA-encrypted nonces
Configuring CA support tasks
Understanding CA support
Configuring CA support