250 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support
        lifetime:               86400 seconds, no volume limit
Lab_A#

Lab_B#show crypto isakmp policy
Protection suite of priority 2
        encryption algorithm:   3DES--Triple Data Encryption Standard
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES--Data Encryption Standard
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Lab_B#
Sweet—everything looks great! Now that you’ve verified that your IKE policies are actually configured on each device, you’re ready to move on and configure IPSec.
Configuring IPSec
Just like pre-shared keys, there are important steps that you should keep in mind when configuring IPSec on your routers. Configuring IPSec on each device is a five-step process:
1. Create the transform set.
2. Set the IPSec SA lifetime.
3. Create the access list that specifies the traffic to encrypt.
4. Create the crypto map.
5. Apply the crypto map to an interface.
Creating the Transform Set
A transform set is your tool for protecting the data flow. It’s made up of payload authentication, payload encryption, and an IPSec mode. For devices to peer, the transform set must match on each device, except (obviously) for their names. Also, in order for a transform set to be valid, it must have a unique name on the device and at least one transform. To configure a transform set, enter the following command in global configuration mode:
crypto ipsec transform-set transform-set-name {[transform1] [transform2] [transform3]}
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site 251
The variables for the preceding command are as follows:
transform-set-name: This should be a unique name for the transform set.
transform1: This can be ah-md5-hmac or ah-sha-hmac.
transform2: This can be esp-des, esp-3des, or esp-null.
transform3: This can be esp-md5-hmac or esp-sha-hmac.
After you’ve issued the preceding command, the device enters transform set configuration mode, in which the IPSec mode for the transform set can be configured. The default IPSec mode is tunnel. To change the IPSec mode, enter the following command:
mode {tunnel | transport}
When you’re configuring transform sets, it’s really important to make sure that both the transforms and the IPSec mode are the same on the two devices you want to peer.
Setting the IPSec SA Lifetime
To make sure you’re clear on this, an IPSec SA lifetime is what you use to determine how long IPSec SAs remain valid until they need to be renegotiated. There are two ways in which you can configure the IPSec SA lifetime. The first is globally, and the second is per crypto map sequence. When you go with the configured-globally option, the IPSec SA lifetime is applied to each and every crypto map that exists on the device. And it’s important to know that a global IPSec SA lifetime can be overridden by configuring a crypto map–specific IPSec SA lifetime. For now, I’m going to stick with global IPSec SA lifetimes. You’ll learn about the crypto map–specific IPSec SA lifetimes later in this chapter.
There are two types of global IPSec SA lifetimes that exist on a device: seconds and kilobytes. The seconds global IPSec SA lifetime specifies the number of seconds that an IPSec SA remains active before it expires. The kilobytes global IPSec SA lifetime specifies the amount of traffic that can be transmitted between peers for a given IPSec SA before the SA expires.
To change the seconds global IPSec SA lifetime from its default of 3600 seconds, enter the following command in global configuration mode, where seconds is a value between 120 and 86,400:
crypto ipsec security-association lifetime seconds seconds
To change the kilobytes global IPSec SA lifetime from its default of 4,608,000 kilobytes, enter the following command, where kilobytes represents a value between 2560 and 4,608,000:
crypto ipsec security-association lifetime kilobytes kilobytes
Remember that both the kilobytes and seconds global IPSec SA lifetimes exist on a device at the same time.
Creating the Access List
So far you’ve created the transform set and set the global IPSec lifetimes. But what good is IPSec if you haven’t specified any traffic to protect? That’s where access lists come into play.
IPSec uses extended access lists to perform the following tasks:
Choose the outbound traffic to protect.
Process inbound traffic for selecting IPSec traffic.
Process inbound traffic for filtering out traffic that should have been protected.
When processing IKE negotiations, they determine whether to accept requests for IPSec SAs.
I’m not going to explain how to create extended access lists here. If you need more information on extended access lists, they’re covered in detail in the CCNA Study Guide (Sybex, 2002).
Cisco recommends using symmetrical access lists for IPSec because doing so causes both outbound and inbound traffic to be compared against the same access list.
Creating the Crypto Map
IPSec SAs are established through the use of a crypto map, which is basically a combination of one or more sequences where each sequence represents an IPSec SA.
Each crypto map sequence specifies the following:
What traffic to protect
The remote peer the protected traffic should be sent to
The transforms to use to protect the traffic
Whether the IPSec SA will be established via IKE or manually
Other parameters such as a description and a crypto map IPSec SA lifetime
All sequences of a crypto map are tied together by the name of the respective crypto map. Each sequence can be one of the following types:
Cisco: This sequence specifies that Cisco Encryption Technology will be used to protect traffic instead of IPSec.
IPSec-manual: The IPSec-manual sequence specifies that IKE will not be used to establish the IPSec SA. This type of sequence is discussed in more detail later in this chapter.
IPSec-isakmp: This sequence specifies that IKE will be used to establish IPSec SAs.
Dynamic: The dynamic sequence specifies that this sequence references a pre-existing crypto map. This book does not cover dynamic crypto maps because they are beyond the scope of the SECUR exam.
To create a crypto map sequence that utilizes IKE, enter the following command in global configuration mode, where map-name is the name of the crypto map and seq-num is the sequence number of the crypto map sequence, which is a value between 1 and 65,535:
crypto map map-name seq-num ipsec-isakmp
Logically, the sequence number is what you use to specify the order that traffic is compared to the crypto map; the lowest sequence number is compared first. So it’s a very good idea to give the sequences that will be matched most often a lower sequence number—they’ll process through more quickly that way.
When Would You Need More Than One Sequence?
Because an interface can have only one crypto map applied to it, you can run into a bit of trouble when you need more than one IPSec tunnel to form over an interface. The following graphic illustrates a network that would need two IPSec tunnels over the same interface:
[Figure: HQ connects to the Internet on S0/0; Site_1 and Site_2 each connect to the Internet on S0.]
Company XYZ is made up of three sites: HQ, Site_1, and Site_2. All of the sites are connected to the Internet for WAN connectivity. The HQ site needs to have one IPSec tunnel connection to Site_1 and one IPSec tunnel connection to Site_2. How do you do this when you already know that an interface can have only one crypto map applied to it? All you need to do is create a crypto map with two sequences—one for the connection to Site_1 and the other for the connection to Site_2.
Once you’ve created the sequence with the crypto map command, the device enters crypto map configuration mode. This is where you get to configure the specific parameters of the sequence. Table 8.1 lists the commands you can enter in crypto map configuration mode for a sequence using IKE.
TABLE 8.1 Crypto Map Configuration Mode Commands

Command, followed by its purpose:

match address {access-list-number | name}
    A mandatory command that specifies the extended access list to use for defining the traffic to protect.

set peer {peer-address | peer-hostname}
    A mandatory command that specifies the IPSec peer.

set transform-set transform-set-name [transform-set-name2…transform-set-name6]
    A mandatory command that specifies a list of transform sets, in order of priority, to use for protecting traffic.

description text
    An optional command that can be used to provide a description for a crypto map sequence.

set security-association lifetime seconds seconds
    An optional command that can be used to override the seconds global IPSec SA lifetime for the sequence.

set security-association lifetime kilobytes kilobytes
    An optional command that can be used to override the kilobytes global IPSec SA lifetime for the sequence.

set pfs {group1 | group2}
    An optional command that can be used to specify the Diffie-Hellman group to use when requesting new security associations for this sequence.

set security-association level per-host
    An optional command that can be used to specify that separate IPSec SAs should be requested for each source/destination host pair.
You can configure multiple peers for each sequence—very cool when you want to set a backup path for the IPSec tunnel in case the primary path goes down. When multiple peers are set for a sequence, the device begins with the first one entered and proceeds down the list until an IPSec SA is set up.
Once you’ve created your crypto map, you need to apply it to an interface.
Applying the Crypto Map
When you create IPSec tunnels without using GRE tunnels, the crypto map has to be applied to the outgoing interface. If you use GRE tunnels instead, you need to apply the crypto map to both the tunnel interface and the egress interfaces. The egress interfaces are any that may be used to form the GRE tunnel. You can have more than one GRE interface.
To apply a crypto map to an interface, enter the following command in interface configuration mode, where map-name is the name of the crypto map being applied to the interface:
crypto map map-name
For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:
Each interface will have its own piece of the security association database.
The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.
If you decide to apply the same crypto map set to multiple interfaces, you need to specify an identifying interface. Doing this causes the following:
The per-interface portion of the IPSec security association database (SAD) will be established one time and shared for traffic through all the interfaces that share the same crypto map.
The IP address of the identifying interface will be used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.
To designate the identifying interface, enter the following command in global configuration mode, where map-name is the name of the crypto map and local-id is the IP address of the identifying interface:
crypto map map-name local-address local-id
You must use this crypto map command if you are applying a crypto map to a GRE tunnel because the crypto map will be applied to both the tunnel interface and the egress interface.
When you specify an identifying interface, you must use the IP address of that interface whenever you configure the peer statements on the remote peers.
Before you move on to the final step in the process of configuring IPSec for pre-shared keys— testing and verifying IPSec—let’s run through a sample IPSec configuration.
In Exercise 8.2, you’ll build upon the configuration you began in the IKE section of this chapter. For a refresher, the following graphic illustrates the network you began configuring:
[Figure: the sample network. Labels and addresses as printed: Lab_A; HostA, HostB; 172.16.2.0/24; Perimeter Router; WWW Server; DNS Server; 10.1.1.0/24; 172.16.1.2/24; 172.16.1.3/24; Internet; Lab_B; 172.16.1.0/24; F0/0; "Dirty DMZ"; 172.16.1.254/24; Protected DMZ; PIX; Bastion Host; F0/0; 192.168.254.254/24; Bastion Host; NAS; F0/0; 192.168.254.252/24; CiscoSecure ACS 3.0; Management Station; 192.168.254.253/24; 192.168.254.251/24.]
But before you jump into configuring IPSec, let’s take another look at how the devices have been configured so far:
Lab_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_A(config)#crypto isakmp enable
Lab_A(config)#crypto isakmp policy 2
Lab_A(config-isakmp)#encryption 3des
Lab_A(config-isakmp)#hash md5
Lab_A(config-isakmp)#authentication pre-share
Lab_A(config-isakmp)#exit
Lab_A(config)#crypto isakmp key cisco address 10.1.1.2
Lab_A(config)#^Z
Lab_A#
Lab_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_B(config)#crypto isakmp enable
Lab_B(config)#crypto isakmp policy 2
Lab_B(config-isakmp)#encryption 3des
Lab_B(config-isakmp)#hash md5
Lab_B(config-isakmp)#authentication pre-share
Lab_B(config-isakmp)#exit
Lab_B(config)#crypto isakmp key cisco address 10.1.1.1
Lab_B(config)#^Z
Lab_B#
EXERCISE 8.2
Configuring IPSec on Our Sample Corporate Network
Now you’re ready to configure IPSec. You need to add IPSec to your currently configured network with IKE using the following steps:
1. Create a transform set on each device named test using esp-des and tunnel mode.
2. Leave the global IPSec SA lifetimes set to their defaults.
3. Create a symmetrical extended access list on each device that will permit traffic between networks 172.16.2.0/24 and 172.16.1.0/24.
4. Create a crypto map on each device using the name test1 and sequence number 100. Each sequence should use the transform set test and the extended access list just created, and set the peer to the IP address of the outgoing interface of the remote device.
5. Apply the crypto map to each device’s outgoing interface.
6. Use the following commands to configure the Lab_A router:
Lab_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_A(config)#crypto ipsec transform-set test esp-des
Lab_A(cfg-crypto-trans)#exit
Lab_A(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Lab_A(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_A(config)#crypto map test1 100 ipsec-isakmp
Lab_A(config-crypto-map)#match address 100
Lab_A(config-crypto-map)#set transform-set test
Lab_A(config-crypto-map)#set peer 10.1.1.2
Lab_A(config-crypto-map)#exit
Lab_A(config)#interface s0/0
Lab_A(config-if)#crypto map test1
Lab_A(config-if)#^Z
Lab_A#
Lab_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_B(config)#crypto ipsec transform-set test esp-des
Lab_B(cfg-crypto-trans)#exit
Lab_B(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Lab_B(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_B(config)#crypto map test1 100 ipsec-isakmp
Lab_B(config-crypto-map)#match address 100
Lab_B(config-crypto-map)#set transform-set test
Lab_B(config-crypto-map)#set peer 10.1.1.1
Lab_B(config-crypto-map)#exit
Lab_B(config)#interface s1/0
Lab_B(config-if)#crypto map test1
Lab_B(config-if)#^Z
Lab_B#
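To check a captured configuration against the five steps above, here is an added Python checker (my own, not from the book or from Cisco IOS) that parses the Exercise 8.2 session of each peer and reports a missing mandatory crypto map setting, a transform set that is empty, invalid or different from the peer's, an access list entry not mirrored on the peer, a crypto map never applied to an interface, and any global command it cannot place, which is how misspelled keywords such as those printed in the exercise show up. The Lab_A transcript is copied from the exercise (abridged, keyword spelling corrected); the 3DES and typo variants are constructed faults.

```python
import re
# Transform slots as the crypto ipsec transform-set syntax above lists them (at most one per slot).
SLOTS = ({"ah-md5-hmac", "ah-sha-hmac"}, {"esp-des", "esp-3des", "esp-null"},
         {"esp-md5-hmac", "esp-sha-hmac"})
PROMPT = re.compile(r"^\S+\((?P<mode>[^)]*)\)#(?P<cmd>.*)$")  # e.g. Lab_A(config-if)#crypto map test1

def parse_session(name, session):
    """Parse a captured IOS session (one 'prompt#command' per line) into the five IPSec pieces."""
    r = {"name": name, "tsets": {}, "acls": {}, "cmaps": {}, "applied": {}, "errors": []}
    cur_map = cur_if = None
    for m in filter(None, (PROMPT.match(line.strip()) for line in session.splitlines())):
        mode, w = m.group("mode"), m.group("cmd").split()
        if mode == "config" and w and w[0] not in ("exit", "^Z"):
            if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) >= 5:
                r["tsets"][w[3]] = w[4:]
            elif w[:2] == ["crypto", "map"] and len(w) == 5 and w[3].isdigit() and w[4] == "ipsec-isakmp":
                cur_map = (w[2], int(w[3]))
                r["cmaps"][cur_map] = {"acl": None, "peer": None, "tset": None}
            elif w[0] == "access-list" and len(w) == 8 and w[2:4] == ["permit", "ip"]:
                r["acls"].setdefault(w[1], []).append((w[4] + "/" + w[5], w[6] + "/" + w[7]))
            elif w[0] == "interface" and len(w) == 2:
                cur_if = w[1]
            else:  # not modelled here; IOS itself rejects misspelled keywords such as "tramsform-set"
                r["errors"].append(f"{name}: unrecognised command: {' '.join(w)}")
        elif mode == "config-crypto-map" and cur_map in r["cmaps"] and len(w) >= 3:
            key = {("match", "address"): "acl", ("set", "peer"): "peer",
                   ("set", "transform-set"): "tset"}.get((w[0], w[1]))
            if key:
                r["cmaps"][cur_map][key] = w[2]  # the first transform set listed has top priority
        elif mode == "config-if" and cur_if and w[:2] == ["crypto", "map"] and len(w) == 3:
            r["applied"][cur_if] = w[2]
    return r

def check_pair(a, b, map_name, seq):
    """Cross-check one ipsec-isakmp sequence on both peers against the chapter's five steps."""
    problems = a["errors"] + b["errors"]
    for r in (a, b):
        e = r["cmaps"].get((map_name, seq))
        if e is None or not 1 <= seq <= 65535:
            problems.append(f"{r['name']}: no valid sequence {map_name} {seq}")
            continue
        problems += [f"{r['name']}: mandatory '{k}' missing in {map_name} {seq}" for k in e if e[k] is None]
        tf = r["tsets"].get(e["tset"], [])
        used = [next((i for i, s in enumerate(SLOTS) if t in s), None) for t in tf]
        if not tf or None in used or len(set(used)) != len(used):  # >=1 transform, one per slot
            problems.append(f"{r['name']}: transform set {e['tset']!r} missing or invalid: {tf}")
        if e["acl"] not in r["acls"]:
            problems.append(f"{r['name']}: ACL {e['acl']} referenced but never defined")
        if map_name not in r["applied"].values():
            problems.append(f"{r['name']}: crypto map {map_name} not applied to any interface")
    if problems:
        return problems
    ea, eb = a["cmaps"][(map_name, seq)], b["cmaps"][(map_name, seq)]
    if set(a["tsets"][ea["tset"]]) != set(b["tsets"][eb["tset"]]):  # step 1: transforms must match
        problems.append("transform sets differ between peers")
    for src, dst in a["acls"][ea["acl"]]:  # step 3: symmetrical ACLs, each entry mirrored on the peer
        if (dst, src) not in b["acls"][eb["acl"]]:
            problems.append(f"{b['name']}: no mirror entry for {src} -> {dst}")
    return problems

# Lab_A from Exercise 8.2 (abridged, spelling corrected); Lab_B mirrors it; the last two are constructed faults.
LAB_A = """Lab_A(config)#crypto ipsec transform-set test esp-des
Lab_A(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Lab_A(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_A(config)#crypto map test1 100 ipsec-isakmp
Lab_A(config-crypto-map)#match address 100
Lab_A(config-crypto-map)#set transform-set test
Lab_A(config-crypto-map)#set peer 10.1.1.2
Lab_A(config)#interface s0/0
Lab_A(config-if)#crypto map test1"""
LAB_B = LAB_A.replace("Lab_A", "Lab_B").replace("10.1.1.2", "10.1.1.1").replace("s0/0", "s1/0")
LAB_B_3DES = LAB_B.replace("test esp-des", "test esp-3des")  # transform the peer does not have
LAB_A_TYPO = LAB_A.replace("transform-set test esp", "tramsform-set test esp")  # as printed in the exercise
```

`check_pair(parse_session("Lab_A", LAB_A), parse_session("Lab_B", LAB_B), "test1", 100)` returns an empty list for the exercise's configuration, while the 3DES and typo variants each return a one-line finding.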