
- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary

| Command | Purpose |
|---|---|
| `#show crypto ca certificates` | Displays information about a device's certificate, the CA server certificate, and any RA certificates. |
| `#show crypto ca roots` | Displays information about the CA roots configured on the device. |
| `#show crypto key mypubkey rsa` | Displays the public key generated on a device. |
| `#show crypto key pubkey-chain rsa` | Displays the public keys manually entered on a device. |
| `#show crypto key pubkey-chain rsa {address address \| name name}` | Displays a specific public key that was manually entered on a device. |
| `#show crypto ipsec sa` | Displays information about all currently active IPSec SAs on a device. |
| `#show crypto ipsec transform-set` | Displays the configuration of all transform sets currently configured on a device. |
| `#show crypto isakmp policy` | Displays the IKE policies currently configured on a device. |
| `#show crypto isakmp sa` | Displays information about all current IKE SAs on a device. |
| `#show crypto map` | Displays the configuration of all crypto maps currently configured on a device. |
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1. What are the four tasks required for IPSec using pre-shared keys?
2. What are the five tasks required for IPSec using CA?
3. What IKE authentication method would you use for RSA-encrypted nonces?
4. What command must you type before you can manually enter the public key of a remote device into your local device?
5. What is the first configuration step required when configuring IPSec with CA?
6. What command is used to configure a pre-shared key on a device?
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com

288 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support
7. What command can be used to show the configuration of all crypto maps currently configured on a device?
8. What is the default message-encryption algorithm used by IKE?
9. What command would be used to create a crypto map sequence that didn't use IKE?
10. What IKE authentication method would you use for CA?

Review Questions
1. Which of the following statements are true about the `crypto ipsec security-association lifetime` command? (Choose all that apply.)
   A. It configures global IPSec SA lifetime values used when negotiating IPSec SAs.
   B. It can configure the global IPSec SA lifetime values based on kilobytes.
   C. It defines the outbound traffic to be protected by IPSec.
   D. The values can be overridden for a crypto map.
2. Which of the following commands can be used to specify Diffie-Hellman group 1 or group 2 for a crypto map?
   A. `set peer`
   B. `group`
   C. `set pfs`
   D. None of the above
3. Which of the following commands would you use to reset all IKE SAs configured on a device?
   A. `clear crypto sa counters`
   B. `clear crypto isakmp`
   C. `clear crypto isakmp *`
   D. `clear crypto isakmp conn-id`
4. Which of the following would be a more secure approach for configuring pre-shared keys between peers?
   A. Use the same key on all peers.
   B. Use different keys on every device.
   C. Use different keys for every pair of peers.
   D. Use the same key for every pair of peers.
5. Which of the following commands can be used to provide error messages that occur for IKE events?
   A. `show crypto isakmp log`
   B. `debug crypto ipsec`
   C. `show crypto ipsec sa`
   D. `debug crypto isakmp`

6. When creating more than one crypto map sequence, what does a low sequence number represent?
   A. Low priority
   B. High priority
   C. The total number of interfaces the sequence can be applied to
   D. It has no relevance.
7. Why do you need to pay attention when entering peer RSA public keys?
   A. Once a key is entered, there is no way to change it.
   B. Improperly entered keys can cause IPSec peers to never form.
   C. They are long.
   D. You don't enter RSA public keys.
8. Which of the following IKE authentication methods require you to manually generate keys? (Choose all that apply.)
   A. `pre-shared`
   B. `rsa-sig`
   C. `rsa-encr`
   D. `rsa-ca`
9. Which of the following are required to configure RSA keys? (Choose all that apply.)
   A. Configure the device's hostname.
   B. Configure the device's domain name.
   C. Configure an encryption method.
   D. Manage the keys.
10. Which of the following commands verifies the configuration of IKE policies?
   A. `show crypto isakmp sa`
   B. `show crypto map`
   C. `show crypto ike policy`
   D. None of the above
11. Which of the following commands would you use when verifying network connectivity during the preparing-for-IPSec phase?
   A. `telnet`
   B. `ping`
   C. `show running-configuration`
   D. `show startup-configuration`

12. What command is used to enable IKE?
   A. `show crypto isakmp policy`
   B. `crypto isakmp key`
   C. `crypto isakmp policy`
   D. `crypto isakmp enable`
13. Which of the following commands will display information about all of the certificates on a device?
   A. `show crypto ca certificates`
   B. `show ca certificate`
   C. `show crypto ca all`
   D. `show crypto ca roots`
14. Which of the following steps must be completed in order to support IPSec with CA? (Choose all that apply.)
   A. Configure a CA server.
   B. Configure CA support.
   C. Configure IKE.
   D. Configure IPSec.
15. Which of the following commands configures an IP address-to-hostname mapping?
   A. `ip host`
   B. `hostname`
   C. `ip domain-name`
   D. `ip map host`
16. For which of the following must you define a domain name? (Choose all that apply.)
   A. IPSec with pre-shared keys
   B. IPSec-manual
   C. IPSec with RSA-encrypted nonces
   D. IPSec with CA
17. When setting the IKE identity of a peer to a hostname, when would you need to specify the IP address of the peer?
   A. Always
   B. When DNS is working for name resolution
   C. When DNS is not working for name resolution
   D. Never

18. How many transforms can be associated with a transform set?
   A. 1
   B. 2
   C. 3
   D. 4
19. Which of the following are steps needed to configure IPSec? (Choose all that apply.)
   A. Create an access list.
   B. Create a transform set.
   C. Create an IKE policy.
   D. Apply a crypto map to an interface.
20. Which of the following types of access lists can be used for IPSec? (Choose all that apply.)
   A. Extended IP access lists
   B. Standard IP access lists
   C. Extended named IP access lists
   D. Standard named IP access lists