
- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary

320 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN
Answers to Written Lab
1. Cisco Easy VPN supports DH groups 2 and 5.
2. To remove user prompts when installing the Cisco VPN 3.5 Client, you modify the oem.ini file.
3. The Cisco Easy VPN Server supports the DES and 3DES encryption algorithms.
4. A Cisco IOS router, a Cisco PIX Firewall, or a Cisco VPN Concentrator can be an Easy VPN Server.
5. Tunnel mode is the IPSec protocol supported by the Cisco Easy VPN Server.
6. You modify the *.pcf files, one per connection, when installing the Cisco VPN 3.5 Client.
7. The IPSec protocol identifiers supported by the Cisco Easy VPN Server are ESP and IPCOMP-LZS.
8. Transport mode is the IPSec protocol mode not supported by the Cisco Easy VPN Server.
9. The operating systems supported by the Cisco VPN 3.5 Client Software are Solaris (Ultra-Sparc 32-bit), Mac OS X, Windows, and Linux (Intel).
10. IPSec AH is not supported by the Cisco Easy VPN Server.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com

Answers to Review Questions
1. A, B. Pre-shared keys and RSA digital signatures are supported authentication types. DSS is not supported. DES and 3DES are encryption algorithms, not authentication types.
2. C. You must have at least 12.2(8)T to run the IOS Easy VPN Server.
3. C, F. DH groups 2 and 5 are supported. DSS, DH1, PFS, and manual keys are not supported.
4. B, C, D. An IOS router, PIX Firewall, or VPN Concentrator can act as a Cisco Easy VPN Server. The VPN 3.5 Client Software cannot.
5. A, C, D. DES, 3DES, and NULL are the three types of IPSec encryption supported by the Cisco Easy VPN.
6. C. Split Tunneling enables remote user traffic destined for the Internet to go directly to the Internet and not across the VPN tunnel.
7. B. The oem.ini file is used to remove all user prompts and force the PC to reboot when the installation is finished.
8. E. Enabling policy lookup via AAA is the first configuration task for the Easy VPN Server.
9. B, E. DH groups 2 and 5 are supported by the Cisco Easy VPN Server.
10. D. You would configure and add one .pcf file for each connection you wish to add to the VPN 3.5 Client.
11. A. Tunnel mode is supported by the Cisco Easy VPN Server; transport mode is not.
12. D. Initial contact allows Cisco VPN devices to clear existing connections when devices attempt to establish new connections.
13. C. You would modify the vpnclient.ini file to pre-configure global profiles.
14. A. DH group 1 (DH1) is not supported by the Cisco Easy VPN Server.
15. E. Any of these can be used as Cisco Easy VPN Remotes.
16. C, D, F, G. The Cisco VPN 3.5 Client Software is available for Linux (Intel), Mac OS X, Windows, and Solaris (Ultra-Sparc 32-bit).
17. C. The oem.ini, vpnclient.ini, and .pcf files are placed in the same directory as the setup.exe file.
18. A, B, E. The VPN 3.5 Client supports DH groups 1, 2, and 5.
19. B. DPD (Dead Peer Detection) allows Cisco VPN devices to identify connections where the communications peer has “died” and to recover the allocated resources.
20. C, D. ESP and IPCOMP-LZS are the IPSec protocol identifiers supported by the Cisco Easy VPN Server. IPSec AH is not supported. DH2 and DES are not IPSec protocol identifiers.

Appendix A: Introduction to the PIX Firewall

This appendix is by no means meant to be a comprehensive guide to the installation and configuration of PIX Firewalls. Instead, it gives you an introduction to the information covered in the CCSP PIX exam, including the features and basic configuration of PIX Firewalls. (Please go to www.sybex.com for information about Sybex’s Study Guides on the CCSP exams.) Here are some of the topics covered in this appendix:
- The advantages of using a PIX Firewall to protect your network
- How a firewall passes traffic from one interface to another and the rules that traffic must follow
- The basics of configuring a PIX Firewall: how to navigate the different modes, how to configure interfaces, and how to save configurations
- How you can influence the traffic between interfaces, that is, how you can control exactly which traffic crosses the firewall
- How to enable AAA on PIX Firewalls
- Some of the advanced features available on the PIX Firewall
Be prepared—there are a lot of configuration details, and many new commands and syntax will be introduced.
The Cisco Packet Internet eXchange (PIX) Firewall
The PIX Firewall is a tool used to prevent unauthorized access between any two (or more) networks. The PIX Firewall uses a secure, real-time, embedded operating system.
Many other competing firewalls run on top of another operating system such as Unix or Windows NT. The problem with this is that Unix and Windows NT (or even Cisco’s IOS) have well-known security issues. This means that potential intruders can attack the operating system of the box your firewall is running on using commonly available information! So much for the firewall….
Since the PIX Firewall uses a proprietary operating system (called Finesse), it is much more difficult to attack. There is no source code floating around that a potential hacker might use to break into your PIX Firewall.