Summary
Do you feel as though you’ve run a marathon? Has your sanity been compromised by this gauntlet? Do you now have weird little twitches or find yourself staring at absolutely nothing for untold periods of time? No worries; it’ll pass, I promise—really! Yup, this chapter was a long puppy, packed with tons of stuff to remember.
It is imperative that you be able to configure IPSec, starting with IPSec that uses pre-shared keys. In addition, you need to know how to create IKE policies and configure pre-shared keys. IPSec without IKE is configured using an ipsec-manual crypto map; manually configuring IPSec requires you to specify the inbound and outbound session keys used between the IPSec peers.
In addition to IKE with pre-shared keys, you can use RSA-encrypted nonces with IPSec. These require you to manually generate RSA keys and then manually input the public key into every device you intend to peer with. However, don’t try this with large networks!
Configuring IPSec can also be accomplished using CA—the most scalable of all the implementation types. CAs allow a device to request a certificate from a CA server and use that certificate in all of its peering attempts.
Yes, indeed. You certainly covered a tremendous amount of material in this chapter, so don’t feel bad if you didn’t get it all on your first read through. Go ahead—take however much time you need to go back and review any areas you feel a bit shaky about. But not yet—you’ve accomplished a ton—it’s reward time. Take a break, have that party, and go to Vegas—whatever—you truly deserve it! Congratulations! Chapter 9, “Cisco IOS Remote Access Using Cisco Easy VPN,” will be ready and waiting when you can think and form coherent sentences again. The best news about Chapter 9 is that it is short and sweet and it covers Easy VPN. Sounds nice, doesn’t it? Oh, and did I mention it’s the last chapter in this book? Sweet.
Exam Essentials
Understand the tasks required for IPSec utilizing pre-shared keys. Configuring IPSec with pre-shared keys requires the following four tasks, in this order:
1. Prepare for IKE and IPSec.
2. Configure IKE.
3. Configure IPSec.
4. Test and verify IPSec.
You must be able to perform each of these four tasks.
Implement an IKE policy. Given the need for IKE, you must be able to create an IKE policy. Once the IKE policy is created, you must be able to implement it on the devices you wish to peer.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
282 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support
Implement IPSec with IKE. You must be able to implement IPSec once you have configured IKE. This requires you to configure global IPSec SA lifetimes, transform sets, extended access lists, crypto maps, and then apply the crypto map to an interface.
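The pre-shared-key tasks above, worked through as an added example (this is not configuration from the book): a complete site-to-site IPSec-with-IKE configuration for one router, Lab_A. The router names Lab_A and Lab_B come from the chapter's labs; the addresses, key string, access-list number, interface, and set names are assumed values.

```cisco
! Added example, not from the book. Router Lab_A; peer Lab_B is assumed to be
! 10.2.2.2, protecting 192.168.1.0/24 (local) to 192.168.2.0/24 (remote).
!
! Task 2: configure IKE. The policy is the Phase 1 proposal; the key binds
! the pre-shared secret to the peer's address.
crypto isakmp enable
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco123 address 10.2.2.2
!
! Task 3: configure IPSec.
! Global SA lifetimes, inherited by every crypto map sequence unless overridden.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
! Transform set: ESP with 3DES for confidentiality and SHA-HMAC for integrity.
crypto ipsec transform-set LAB_SET esp-3des esp-sha-hmac
 mode tunnel
! Extended access list that defines the traffic to protect (assumed number 101).
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Crypto map sequence that lets IKE negotiate the IPSec SAs.
crypto map LAB_MAP 10 ipsec-isakmp
 description Lab_A to Lab_B site-to-site
 set peer 10.2.2.2
 set transform-set LAB_SET
 set pfs group2
 match address 101
! Apply the crypto map to the interface facing the peer (assumed Serial0/0).
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map LAB_MAP
!
! Task 4: test and verify from exec mode once traffic matching ACL 101 flows.
! Lab_B needs the mirror image: same policy and key, peer 10.1.1.1, and an
! access list with source and destination swapped.
!   show crypto isakmp sa
!   show crypto ipsec sa
```

DES/3DES, MD5/SHA-1 and Diffie-Hellman groups 1 and 2 are the only choices the commands in this chapter offer; on an IOS release that supports them, AES, SHA-2 and larger DH groups are the better choice.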
Implement IPSec without IKE. You must be able to implement IPSec without the use of IKE. This requires you to manually configure the appropriate inbound and outbound session keys.
Implement RSA-encrypted nonces. Given a scenario that requires the use of RSA-encrypted nonces, you must be able to implement it. This requires generating RSA public/private keys, manually entering the public key on devices you wish to peer with, configuring IKE using RSA-encrypted nonces, and configuring IPSec.
Understand the tasks required for IPSec with CA. Configuring IPSec with CA requires the following five tasks:
1. Prepare for IKE and IPSec.
2. Configure CA support.
3. Configure IKE.
4. Configure IPSec.
5. Test and verify IPSec.
You must be able to perform each of these five tasks.
Implement IPSec with CA. Given a scenario that requires the use of CA servers, you must be able to implement it. This requires you to generate RSA public/private keys, declare a CA server, configure trusted root servers, authenticate the CA servers, request a certificate, configure IKE using RSA signatures, and configure IPSec.
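The CA-support tasks above, worked through as an added example (not configuration from the book) for Lab_A: generating the key pair, declaring and authenticating the CA, enrolling, and switching the IKE policy to RSA signatures. The CA name LAB_CA, the domain example.test, the enrollment URL and the retry values are assumed; the transform-set, access-list, crypto-map and interface steps are identical to the pre-shared-key case and are omitted here.

```cisco
! Added example, not from the book. Router Lab_A enrolling with an assumed
! CA named LAB_CA.
!
! Task 1 (prepare): the hostname and domain name form the FQDN that names the
! RSA key pair and appears in the certificate request.
hostname Lab_A
ip domain-name example.test
crypto key generate rsa
!
! Task 2: configure CA support. Declare the CA and how to reach it.
crypto ca identity LAB_CA
 enrollment url http://ca.example.test
 enrollment retry count 5
 enrollment retry period 2
 ! crl optional lets peering proceed when no CRL can be fetched. It weakens
 ! revocation checking, so remove it once the CRL source is reachable.
 crl optional
! Fetch the CA's own certificate. IOS prints its fingerprint and asks for
! confirmation; accept only after checking it against one obtained from the
! CA operator by another channel.
crypto ca authenticate LAB_CA
! Send the router's certificate request (enrollment) to the CA.
crypto ca enroll LAB_CA
!
! Task 3: configure IKE. Only the authentication method differs from the
! pre-shared-key policy.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Task 4: configure IPSec exactly as with pre-shared keys (transform set,
! access list, ipsec-isakmp crypto map, crypto map on the interface).
! Task 5: verify. show crypto ca certificates lists the CA and router
! certificates; show crypto isakmp sa confirms Phase 1 completes with rsa-sig.
```

Later IOS releases replaced the `crypto ca identity` family used in this chapter with `crypto pki trustpoint`; the task sequence (authenticate the CA, enroll, then use rsa-sig in the IKE policy) is unchanged.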
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- certificate revocation lists (CRL)
- IPSec SA lifetime
- crypto map set
- registration authority (RA)
- general-usage keys
- Simple Certificate Enrollment Protocol (SCEP)
Commands Used in This Chapter
Here is the list of commands used in this chapter:
| Command | Purpose |
| --- | --- |
| `(config-pubkey-chain)#addressed-key key-address {encryption \| signature}` | Specifies that the entered RSA public key is an addressed key. |
| `(config-isakmp)#authentication {rsa-sig \| rsa-encr \| pre-share}` | Configures the authentication method for an IKE policy. |
| `#clear crypto isakmp conn-id` | Used to reset an IKE SA. |
| `#clear crypto isakmp *` | Used to reset all IKE SAs on a device. |
| `#clear crypto sa` | Resets all IPSec SAs on a device. |
| `#clear crypto sa peer {ip-address \| peer-name}` | Resets the IPSec SA for the specified peer. |
| `#clear crypto sa map map-name` | Resets the IPSec SA for the specified crypto map. |
| `#clear crypto sa entry destination-address protocol spi` | Resets the IPSec SA for the specified address, protocol, and SPI. |
| `#clear crypto sa counters` | Resets the IPSec traffic counters for all IPSec SAs on the device. |
| `(ca-identity)#crl optional` | Allows a device to accept IPSec peering without the use of a CRL. |
| `(ca-identity)#crl query ldap-url` | Specifies that a device use LDAP when querying for CRLs. |
| `(config)#crypto ca authenticate name` | Used to authenticate a CA server. |
| `(config)#crypto ca certificate query` | Disables the local storing of certificates on a device. |
| `(config)#crypto ca enroll name` | Used to request a certificate from the CA server. |
| `(config)#crypto ca identity name` | Specifies a name for referring to a CA server. |
| `(config)#crypto ca trusted-root name` | Specifies a name for referring to a trusted root CA server. |
| `(config)#crypto key pubkey-chain rsa` | Places a device in public key chain configuration mode. |
| `(config)#crypto ipsec security-association lifetime seconds seconds` | A global lifetime command that specifies the number of seconds an IPSec SA will remain active before it expires. |
| `(config)#crypto ipsec security-association lifetime kilobytes kilobytes` | A global lifetime command that specifies the number of kilobytes an IPSec SA can transmit before it expires. |
| `(config)#crypto ipsec transform-set transform-set-name {[transform1] [transform2] [transform3]}` | Configures a transform set on a device. |
| `(config)#crypto isakmp enable` | Enables IKE. |
| `(config)#crypto isakmp identity {address \| hostname}` | Specifies whether IKE will use an IP address or the device’s hostname as its IKE identity. |
| `(config)#crypto isakmp key keystring {address peer-address \| hostname peer-hostname}` | Creates a pre-shared key on a device. |
| `(config-if)#crypto map map-name` | Applies a crypto map to an interface. |
| `(config)#crypto map map-name local-address local-id` | Used to specify the identifying interface for a crypto map. |
| `(config)#crypto map map-name seq-num ipsec-isakmp` | Creates a crypto map sequence that utilizes IKE. |
| `(config)#crypto map map-name seq-num ipsec-manual` | Creates a crypto map sequence that doesn’t use IKE. |
| `(config)#crypto isakmp policy priority` | Creates an IKE policy. |
| `#debug crypto ipsec` | Provides detailed information about the current operation of IPSec. |
| `#debug crypto isakmp` | Provides detailed information about the current operation of IKE. |
| `(config-crypto-map)#description text` | An optional command for configuring manual IPSec and IPSec with IKE that can be used to provide a description for a crypto map sequence. |
| `(config-isakmp)#encryption {des \| 3des}` | Configures the message-encryption algorithm for an IKE policy. |
| `(ca-identity)#enrollment mode ra` | Enables a device for RA support. |
| `(ca-identity)#enrollment retry count number` | Specifies the maximum number of times a device will attempt to request a certificate. |
| `(ca-identity)#enrollment retry period minutes` | Specifies the amount of time a device will wait between sending certificate requests. |
| `(ca-identity)#enrollment url url` | Specifies the URL for a device to send certificate queries to. |
| `(config)#crypto key generate rsa [usage-keys]` | Generates the RSA public/private key pairs. |
| `(config-isakmp)#group {1 \| 2}` | Configures the Diffie-Hellman group for an IKE policy. |
| `(config-isakmp)#hash {sha \| md5}` | Configures the message hash for an IKE policy. |
| `(config)#hostname hostname` | Specifies the hostname of a device. |
| `(config)#ip domain-name domain-name` | Specifies the domain name of a device. |
| `(config)#ip host name [tcp-port-number] address1 [address2…address8]` | Creates a static IP address-to-hostname mapping. |
| `(config-pubkey-key)#key-string` | Allows you to enter the public key of a remote device into your local device. |
| `(config-isakmp)#lifetime seconds` | Configures the IKE SA lifetime for an IKE policy. |
| `(config-crypto-map)#match address {access-list-number \| name}` | A mandatory command for configuring manual IPSec and IPSec with IKE that specifies the extended access list to use for defining the traffic to protect. |
| `(cfg-crypto-trans)#mode {tunnel \| transport}` | Configures the IPSec mode to be used. |
| `(config-pubkey-chain)#named-key key-name {encryption \| signature}` | Specifies that the entered RSA public key is a named key. |
| `#no crypto isakmp enable` | Disables IKE. |
| `(ca-identity)#query url url` | Specifies an LDAP URL to query for certificates. |
| `(ca-identity)#root CEP url` | Specifies that SCEP will be used for querying a trusted root CA server. |
| `(ca-identity)#root TFTP url` | Specifies that TFTP will be used for querying a trusted root CA server. |
| `(ca-identity)#root PROXY url` | Specifies the URL of the HTTP proxy server the trusted root is using. |
| `(config-crypto-map)#set peer {peer-address \| peer-hostname}` | A mandatory command for configuring manual IPSec and IPSec with IKE that specifies the IPSec peer. |
| `(config-crypto-map)#set transform-set transform-set-name [transform-set-name2…transform-set-name6]` | A mandatory command for configuring manual IPSec and IPSec with IKE that specifies a list of transform sets, in order of priority, to use for protecting traffic. |
| `(config-crypto-map)#set security-association lifetime seconds seconds` | An optional command for configuring manual IPSec and IPSec with IKE that can be used to override the seconds global IPSec SA lifetime for the sequence. |
| `(config-crypto-map)#set security-association lifetime kilobytes kilobytes` | An optional command for configuring manual IPSec and IPSec with IKE that can be used to override the kilobytes global IPSec SA lifetime for the sequence. |
| `(config-crypto-map)#set pfs {group1 \| group2}` | An optional command for configuring manual IPSec and IPSec with IKE that can be used to specify the Diffie-Hellman group to use when requesting new SAs for this sequence. |
| `(config-crypto-map)#set security-association level per-host` | An optional command for configuring manual IPSec and IPSec with IKE that can be used to specify that separate IPSec SAs should be requested for each source/destination host pair. |
| `(config-crypto-map)#set session-key inbound ah spi hex-key-string` | A mandatory command for configuring manual IPSec that specifies the inbound key to use for AH. |
| `(config-crypto-map)#set session-key outbound ah spi hex-key-string` | A mandatory command for configuring manual IPSec that specifies the outbound key to use for AH. |
| `(config-crypto-map)#set session-key inbound esp spi cipher hex-key-string [authenticator hex-key-string]` | A mandatory command for configuring manual IPSec that specifies the inbound key to use for ESP. |
| `(config-crypto-map)#set session-key outbound esp spi cipher hex-key-string [authenticator hex-key-string]` | A mandatory command for configuring manual IPSec that specifies the outbound key to use for ESP. |