
  • 1031pt1IX.fm Page 766 Monday, March 3, 2003 4:46 PM

INDEX

Symbols

Numerics

3DES (Triple DES) encryption algorithm, 526

A

AAA (authentication, authorization, and accounting) architecture, 111, 157, 408–412
    access traffic, 112
    accounting, 112, 126–127
        configuring, 168
    authentication, 111
        CHAP (Challenge Handshake Authentication Protocol), 121–122, 124–125
        methods, 114–125
        PAP (Password Authentication Protocol), 121–125
        passwords, 114–117
        S/Key, 117–120
        token cards, 120
        token servers, 120
        usernames, 114, 116–117
    authentication profiles, configuring, 163
    authorization, 111
        configuring, 166
    character-mode traffic, 113
    configuring, 205
    debugging, 169
    enabling, 205
    local security databases, 127
    NAS (Network Access Server), 158–174
        globally enabling, 162
        privileged EXEC (enable) mode, 160
    network access, securing, 111–114
    packet-mode traffic, 114
    PIX Firewall, configuring, 401–412
    remote security databases, 128–130
        CiscoSecure ACS, 148
        Kerberos, 142–151
        RADIUS, 136–142
        standards, 130–151
        TACACS+, 131–136
    security servers, 127–151
aaa authentication command, 197, 199
aaa authentication login command, 147
aaa authentication ppp command, 146
AAA configuration commands, 199
aaa new-model command, 159, 197
Acceptable Use Policy, 696–697
access
    administrative interfaces, console, 70–76
    HTTP, controlling, 95–96
    perimeter routers, controlling, 234–237
    physical access, securing, 69–70
    securing, AAA architecture, 111–114
    SNMP, controlling, 81–86
    Telnet, controlling, 80–81
access lists
    configuring, 713
        verifying, 734–735
    IP access lists, extended IP access lists, 714–734
    named IP access lists, 735–737
    references, 106
    SNMP, 85
access traffic, AAA architecture, 112
access-list command, 552, 716, 722
access-list icmp command, 725
access-list tcp command, 728
access-list udp command, 730
accounting, AAA architecture, 112, 126–127, 168
Adaptive Security Algorithm. See ASA (Adaptive Security Algorithm)
administration
    Cisco IOS Firewall, 277–279


    CSNT, 192, 194–195
administrative interfaces
    banner messages, setting, 79–80
    console, access security, 70–76
    password encryption, 73
    privilege levels, setting multiple, 77–78
    securing, 70–86
    SNMP, access control, 81–86
    Telnet, access control, 80–81
Advanced PIX Firewall, configuring, 443–447
AH (Authentication Header) encryption algorithm, 525, 527
    IPSec, 527–528
alias command, 359
AppleTalk Remote Access Protocol. See ARAP (AppleTalk Remote Access Protocol)
application gateways, firewalls, 229
application layer encryption, 458
applications, encryption, 456
apply, 661
apply command, 323, 359, 419
ARAP (AppleTalk Remote Access Protocol), 114, 180
    packet-mode traffic, 114
ASA (Adaptive Security Algorithm), 292–296
Ascend, RADIUS, 137
assumes, 552
attacks
    initial access, 24
    password attacks, 24
    remote-access services, 24
    secondary access, 24
    session hijacking, 31
    session replays, 31
attributes, RADIUS, 140
audit trails, Cisco IOS Firewall, 261
audits, 46
authentication, 111
    AAA architecture, 114–125
        CHAP (Challenge Handshake Authentication Protocol), 121–125
        PAP, 122–125
        PAP (Password Authentication Protocol), 121
        passwords, 114, 116–117
        S/Key, 117–120
        token cards, 120
        token servers, 120
        usernames, 114–117
    CAs, 658
    guidelines, 697
    IPSec
        configuring, 565–593
        RSA-encrypted nonces, 594–603
    PPP, Kerberos, 145
    routing protocols, 86–90
Authentication Header. See AH (Authentication Header) encryption
authentication profiles, AAA, configuring, 163
authentication proxy, Cisco IOS Firewall, 260
authentication, authorization, and accounting architecture. See AAA (authentication, authorization, and accounting) architecture
authorization, 111
    AAA architecture, 125–126
Axent token card servers, 188

B-C

Baltimore Technologies, VPNs, 552
banner command, 79
banner messages, setting, 79–80
bastion hosts, perimeter security, 228
branch offices, policies, 700
ca enroll command, 663
CA support
    configuring, 648–670
    planning for, 648
ca zeroize rsa command, 673
Campus Access Policy, 698
campuses, security, 67–69
CAs
    authenticating, 658
    declaring, 654


    interoperability, managing, 667
    IPSec, 548–552
    PIX Firewall, configuring, 645–673
    routers, configuring, 645–673
    standards, 550
case studies, network security, 48–60
CBAC (Context-Based Access Control), 259
    Cisco IOS Firewall, 260–264
        configuring, 266–277
        memory, 265
        performance, 265
        restrictions, 264–265
    debugging, 277
    global timeouts, configuring, 268–271
    inspection rules
        applying, 276
        defining, 271–276
    interfaces, choosing, 266
    IP access lists, configuring, 267
    monitoring, 276
    testing, 276–277
    thresholds, configuring, 268–271
    verifying, 276–277
CBAC (context-based access control), perimeter routers, 226
Certificate Revocation Lists. See CRLs (Certificate Revocation Lists)
CET (Cisco Encryption Technology), 241, 453, 471–479
    configuration procedures job aid, 512
    configuring, 479–505, 510
    crypto engines, 471–473
    cryptosystems, forming, 460–468
    data integrity, 453–460
    designing, 508–509
    diagnosing, 505–507
    DSS keys
        generating, 480–483
        sending from passive side, 486
    DSS public keys
        accepting, 486
        authenticating, 486
        exchanging, 483–490
    encryption
        testing, 499–505
        verifying, 499–505
    encryption export policy, 511
    encryption job aid, planning for, 511–512
    encryption solutions, 453–460
    exchange connections
        enabling from active side, 485
        enabling from passive side, 484
    global encryption policies, defining, 490–493
    implementing, 508–510
    network layer encryption, 459
    per-session encryption policy, configuring, 493–498
    references, 469
    troubleshooting, 505–507
CHAP (Challenge Handshake Authentication Protocol), 114
    AAA architecture, 121–125
character-mode traffic, AAA architecture, 113
circuit-level gateways, firewalls, 229
Cisco, 137
Cisco ConfigMaker, 259, 278
Cisco Encryption Technology. See CET (Cisco Encryption Technology)
Cisco IOS crypto engine, 472
Cisco IOS Firewall, 259
    administration, 277–279
    audit trails, 261
    authentication proxy, 260
    CBAC, 260–264
        configuring, 266–277
        memory, 265
        performance, 265
        restrictions, 264–265
    configuring, 260–262, 280–284
    DoS (denial of service), 260
    dynamic port mapping, 261
    event logging, 261
    features, 260–261
    firewalls, managing, 261
    IDS (Intrusion Detection System), 262


    intrusion detection, 260
    IPSec encryption, 261
    Java applet blocking, 261
    NAT (network address translation), 261
    peer router authentication, 261
    planning, 263–265
    QoS (Quality of Service), 261
    real-time alerts, 261
    security, problems, 259–260
    time-based access lists, 261
    VPNs (virtual private networks), 261
Cisco IOS Firewall feature set, 226
Cisco IOS firewalls, 230
Cisco IOS Security Configuration Guide, 125, 474, 478
Cisco PIX firewalls, 230
CiscoSecure ACS, CSNT, system requirements, 185
CiscoSecure ACS (Access Control Server), 177
    CSNT (CiscoSecure ACS for NT), 178–195
        administering, 192–195
        architecture, 185–188
        features, 181–185
        installing, 190–191
        token card support, 188–189
        troubleshooting, 192–195
    CSUNIX (CiscoSecure ACS 2.3 for UNIX), 195–197
        features, 196–197
        system requirements, 197
    operating systems, 177–178
    RADIUS
        configuring, 205–210
        support, 178
        testing, 208–210
        troubleshooting, 208–210
    remote security databases, 148
    TACACS+
        configuring, 197–205
        debugging, 202–204
        support, 178
CiscoSecure ACS for NT. See CSNT (CiscoSecure ACS for NT)
CiscoSecure ACS for UNIX, 150
CiscoSecure GRS, 151
CiscoSecure Integrated Software. See CSIS (CiscoSecure Integrated Software)
CiscoSecure PIX 515, 520, 305–307
clear arp command, 326
clear commands, 586
clear configure primary command, 313
clear ip permit command, 99
clear xlate command, 391
CLI (command-line interface), 311–314
command syntax, ICMP, 725
commands, 166
    aaa authentication, 197, 199
    aaa authentication login, 147
    aaa authentication ppp, 146
    aaa new-model, 159, 197
    access-list, 552, 716, 722
    access-list icmp, 725
    access-list tcp, 728
    access-list udp, 730
    alias, 359
    apply, 323, 359, 419
    banner, 79
    ca enroll, 663
    ca zeroize rsa, 673
    clear, 586
    clear arp, 326
    clear configure primary, 313
    clear ip permit, 99
    clear xlate, 391
    conduit, 298, 359, 362, 364–365, 392–396
    config-isakmp, keywords, 568
    configure terminal, 313
    connect, 147
    copy rcp, 148
    copy running-config startup-config, 481
    crypto ca, 553
    crypto ca enroll, 661
    crypto ca identity, 655


    crypto gen-signature-keys, 481
    crypto ipsec transform-set, 552
    crypto isakmp, 553
    crypto isakmp enable, 567
    crypto isakmp policy, 553
    crypto key generate dss, 481
    crypto key generate rsa, 653
    crypto key pubkey-chain rsa, 598
    crypto key zeroize dss, 505
    crypto key zeroize rsa, 672
    crypto key-timeout, 497
    crypto map, 541, 553, 630
    crypto map local-address, 661
    crypto pregen-dh-pairs, 498
    debug, 169, 193, 586
    debug aaa, 169
    debug crypto ca, 673
    debug crypto pki, 672
    debug icmp trace, 327, 353
    debug ip icmp, 353
    debug ip packet, 353
    debug packet, 327
    disable, 313
    enable, 161, 313
    enable password, 74, 312
    enable secret, 75, 160
    encryption, 161
    esp-md5-hmac, 574
    esp-sha-hmac, 574
    established, 354
    exec-timeout, 76
    extended IP access lists, 722, 724–725
    failover active, 433
    failover reset, 433
    fixup, 426
    fixup protocol, 366–367
    flash, 442
    global, 310, 320–325, 340, 359, 386–391
    hostname, 596, 651
    IKE, 587
    interface, 310
    interface type number, 244
    ip access-group, 713
    ip address, 310
    ip domain-name, 650
    ip host, 651
    ip http access-class, 96
    ip http authentication, 96
    ip nat inside, 244
    ip nat outside, 244
    ip route, 233
    ip tcp intercept, 240
    isakmp policy, 638
    key chain, 88
    kill, 313
    link, 435
    linkpath, 435
    log, 717
    logging message, 427
    logging trap debugging, 247
    login local, 237
    login tacacs, 237
    mailhost, 359
    MD5, 88
    nameif, 298, 310, 387, 391
    nat, 310, 320–325, 342, 359, 386–391
    nat 0, 344
    netmask, 341, 388
    no ca enroll, 663
    no ca identity, 673
    no cdp enable, 232
    no cdp run, 231
    no crypto ca identity, 672
    no crypto map, 505
    no debug all, 277
    no ip bootp server, 231
    no ip directed-broadcast, 232
    no ip domain-lookup, 230
    no ip identd, 231
    no ip mroute-cache, 231
    no ip proxy-arp, 231
    no ip rcmd rcp-enable, 231
    no ip redirects, 231
    no ip route-cache, 231
    no ip rsh-enable, 231
    no ip source-route, 231


    no ip tcp path-mtu-discovery, 231
    no ip tcp selective-ack, 231
    no ip unreachable, 231
    no mop enabled, 231
    no service finger, 230
    no service tcp-small-servers, 230
    no service udp-small-servers, 230
    norandomseq, 342
    outbound, 323, 419
    outside, 342
    overload, 246
    password-encryption, 161
    ping, 14, 327, 365, 566
    PIX Firewall, 317–325
    rcp, 21
    rlogin, 21, 148
    route, 300
    route inside, 301
    rsh, 21, 148
    serverfarm, 383
    service, 161
    service password-encryption, 73
    service timestamps, 247
    services password-encryption, 160
    set enablepass, 97
    set ip permit disable, 99
    set ip permit enable, 99
    set port security, 98
    show, 391, 566, 586
    show arp, 326
    show ca certificate, 672
    show ca configure, 672
    show ca identity, 672
    show ca mypubkey rsa, 672
    show conn, 391
    show crypto ca certificates, 671
    show crypto cisco algorithms, 491
    show crypto isakmp policy, 566
    show crypto key mypubkey, 671
    show crypto key mypubkey dss, 481
    show crypto map, 555, 566
    show ip address, 325
    show isakmp, 555
    show isakmp policy, 555
    show nat, 391
    show port, 98
    show running-config, 73, 232
    show tcp intercept connections, 240
    show tcp intercept statistics, 240
    show version, 307
    show xlate, 391
    snmp-server, 429
    snmp-server community, 84
    standard IP access lists, 716–718
    static, 298, 300, 340, 356–359, 392–394
    tacacs-server host, 197
    tacacs-server key, 197
    telnet, 148, 384, 388
    test crypto initiate-session, 499–500
    tftp, 442
    timeout xlate, 390
    traceroute, 300, 388
    undebug all, 277
    url-cache, 426
    write, 310
    write memory, 391, 434
    write standby, 434
    write terminal, 73, 555, 566
    xlate, 368
community strings, SNMP, 84
compliance requirements, 697
Computer Oracle and Password System. See COPS (Computer Oracle and Password System)
conduit command, 298, 359–365, 392–396
conduits, PIX Firewall, inbound access, 296–303
config-isakmp command, keywords, 568
ConfigMaker, 278
configuration
    AAA, 205
        accounting, 168
        authentication profiles, 163
        authorization, 166
        debugging, 169
    access lists, 713


        verifying, 734–735
    CA support, 648–670
        PIX Firewall, 645–673
        routers, 645–673
    CET (Cisco Encryption Technology), 479–505, 510
        per-session encryption policy, 493–498
    Cisco IOS Firewall, 260–262, 280–284
        CBAC, 266–277
    dynamic crypto maps, 673
    dynamic NAT, 244
    general access lists, 712
    IKE Mode Configuration, 676
        IPSec, 670
        preshared keys, 567, 613
        references, 608
        RSA-encrypted nonces, 602
        verifying, 618–619
    IP access lists, 705–738
        extended IP access lists, 720–734
        standard IP access lists, 714–720
    IPSec
        encryption task overview, 554–558
        PIX Firewall, 619
        preparing, 566, 594–602
        preshared keys, 565–593, 603–606
        references, 608
        RSA-encrypted nonces, 594–603
        security association lifetime, 626–628
        testing, 636–638
        verification, 636–638
        verifying, 634–635
        Xauth (Extended Authentication), 678
    NAS AAA, 158–170
    PAT, 246
    perimeter routers, 248–254
    PIX Firewall, 310, 330–335
        AAA (authentication, authorization, and accounting) server, 401–407
        commands, 391
        failover, 430–433
        FTP, 426–428
        inside interfaces, 386–391
        IPSec, 611–638
        Java applet blocking, 422–423
        multiple interface access, 381–401
        multiple interfaces, 408–412
        NAT 0, 417–418
        outbound access control, 339–355
        outside to DMZ, 392–394
        PPTP (Point-to-Point Tunneling Protocol), 437–439
        secured bidirectional communication, 375–378
        SNMP (Simple Network Management Protocol), 428–430
        Syslog Server, 396–400
        testing, 325–330
        URL filtering, 423–425
        URL logging, 426–428
        user authentication, 401–407
        VPNs, 434–439
    preshared keys, 616–618
    RADIUS, CiscoSecure ACS, 205–210
    SNMP agent, 84
    TACACS+
        AAA configuration commands, 199
        CiscoSecure ACS, 197–205
    transform sets, 624–627
    VPNs (virtual private networks), verification, 671–672
Configuration Fundamentals Configuration Guide, 89
configuration procedures job aid, CET (Cisco Encryption Technology), 512
configure terminal command, 313
connect command, 147
connections, PIX Firewall, licensing, 391
console, administrative interface, access security, 70–76
Context-Based Access Control. See CBAC (Context-Based Access Control)
COPS (Computer Oracle and Password System), 47
copy rcp command, 148


copy running-config startup-config command, 481
credentials, Kerberos, 144
CRLs (Certificate Revocation Lists), 551
    requesting, 667
crypto access lists, creating, 620, 622–624
crypto ca command, 553
crypto ca enroll command, 661
crypto ca identity command, 655
crypto engines
    CET (Cisco Encryption Technology), 471–473
    Cisco IOS, 472
    ESA (Encryption Service Adapter) crypto engine, 471
    VIP2 (Versatile Interface Processor), 471
crypto gen-signature-keys command, 481
crypto ipsec transform-set command, 552
crypto isakmp command, 553
crypto isakmp enable command, 567
crypto isakmp policy command, 553
crypto key generate dss command, 481
crypto key generate rsa command, 653
crypto key pubkey-chain rsa command, 598
crypto key zeroize dss command, 505
crypto key zeroize rsa command, 672
crypto key-timeout command, 497
crypto map command, 541, 553, 630
crypto map local-address command, 661
crypto maps
    creating, 628–633
    dynamic crypto maps, configuring, 673
    interfaces, applying to, 633–634
crypto pregen-dh-pairs command, 498
CryptoCard token card server, CSNT, 188–189
cryptosystems, forming, 460, 462–468
CSIS (CiscoSecure Integrated Software), 259
CSNT (CiscoSecure ACS for NT), 178–195
    administering, 192–195
    architecture, 185–188
    features, 181–185
    installing, 190–191
    system requirements, 185
    token cards, support, 188–189
    troubleshooting, 192–195
CSPM (CiscoSecure Policy Manager), PIX Firewall, 439
CSUNIX (CiscoSecure ACS 2.3 for UNIX), 195–197
    features, 196–197
    system requirements, 197
cut-through user authentication, PIX Firewall, 301, 303

D

Data Encryption Standard. See DES (Data Encryption Standard)
data integrity
    CET (Cisco Encryption Technology), 453–460
    encryption, 454
data link layer encryption, 459
data manipulation threats, 30–32
data transfers, IPSec, 527
DDoS attacks, preventing, 238
debug aaa commands, 169
debug command, 193
debug commands, 169, 586
debug crypto ca command, 673
debug crypto pki command, 672
debug icmp trace command, 327, 353
debug ip icmp command, 353
debug ip packet command, 353
debug packet command, 327
debugging
    AAA configuration, 169
    CBAC, 277
    TACACS+, 202–204
defining, global encryption policies, CET, 490–493
demilitarized zone. See DMZ (demilitarized zone)
Denial of Service. See DoS (denial of service)
departments


DES (Data Encryption Standard) encryption algorithm, 462–464, 526, 535
    IPSec, 535–537
designing, CET (Cisco Encryption Technology), 508–509
device banner messages, setting, 79–80
DHCP (Dynamic Host Configuration Protocol), 52
diagnosis, CET (Cisco Encryption Technology), 505–507
dialup access, XYZ Company network scenario, 688
Diffie-Hellman Key agreement, IPSec, 541–543
Diffie-Hellman Key exchange, 467–468
Digital Encryption Standard. See DES (Digital Encryption Standard)
Digital Signature Standard. See DSS (Digital Signature Standard)
disable command, 313
disabling IKE, 613
DMZ (demilitarized zone), 223, 228
    firewalls, 381
    PIX Firewall, 385
        configuring, 392–394
DNS (domain name system), references, 389
DNS and BIND, 389
DNS Guard, PIX Firewall, 370–374
DoS (denial of service)
    attacks, preventing, 237–240
    Cisco IOS Firewall, 260
    PIX Firewall, 370–374
    threats, 24–25, 27–29
Double Authentication
    PPP sessions, 210–212
    prerequisites, 212
DSS (Digital Signature Standard), 465–466, 476
DSS keys, generating, CET, 480–483
DSS public keys, exchanging, CET, 483–490
dual-homed hosts, 228
dynamic crypto maps, configuring, 673
Dynamic Host Configuration Protocol, 52
Dynamic NAT, 340
    configuring, 244
dynamic port mapping, Cisco IOS Firewall, 261

E

eavesdropping, 17
ECRA (Export Compliance and Regulatory Affairs), 511
EIGRP, MD5 authentication, 88
enable command, 161, 313
enable password command, 74, 312
enable secret command, 75, 160
enabling IKE, 613
Encapsulating Security Payload. See ESP (Encapsulating Security Payload)
enciphering. See encryption
encrypted sessions
    establishing, 477
    terminating, 478
encryption algorithms, IPSec, 525
encryption, 454–456
    alternatives, 458
    application layer encryption, 458
    applications, 456
    CET (Cisco Encryption Technology), 471–479
        configuration procedures job aid, 512
        configuring, 479–505, 510
        crypto engines, 471–473
        cryptosystems, 460–468
        designing, 508–509
        diagnosing, 505–507
        DSS keys, 480–483
        DSS public keys, 483–490
        encryption export policy, 511
        encryption job aid, 511–512
        global encryption policies, 490–493
        implementing, 508–510
        testing, 499–505


        troubleshooting, 505–507
        verification, 499–505
    CET (Cisco Encryption Technology), 453–460
    cryptosystems, forming, 460–468
    data integrity, 454
    data link layer encryption, 459
    data privacy, 454
    DES (Digital Encryption Standard), 462–464
    Diffie-Hellman Key exchange, 467–468
    DSS (Digital Signature Standard), 465–466
    encrypted sessions, 477
        terminating, 478
    MD5 (Message Digest 5), 464
    network layer encryption, 459, 474
    nonrepudiation, 455
    passwords, administrative interfaces, 73
    planning, 474
    policies, 700
    references, 469
encryption command, 161
encryption export policy, CET (Cisco Encryption Technology), 511
encryption job aid, CET (Cisco Encryption Technology), planning for, 511–512
encryption task overview (IPSec), configuring, 554–558
Entrust Technologies, VPNs, 552
equipment security, 699
errors, standard IP access lists, 719
ESA (Encryption Service Adapter) crypto engine, 471
ESP (Encapsulating Security Payload), 526, 529
    IPSec, 529–535
ESP HMAC, 529
esp-md5-hmac command, 574
esp-sha-hmac command, 574
established command, 354
Ethernet switches
    management access, controlling, 97
    port security, 97
    references, 106
    securing, 97–99
event logging, Cisco IOS Firewall, 261
events, perimeter routers, logging, 247
exec-timeout command, 76
exploitation, 14
Extended Authentication. See Xauth
extended IP access lists
    commands, 722–725
    configuring, 705–738
    location, 732
    processing, 721–722
extranets, policies, 700

F

failover, PIX Firewall, configuring, 430–433
failover active command, 433
failover reset command, 433
filtering ICMP messages, PIX Firewall, 395–396
filters
    incoming network filters, 93
    traffic control, 91–92
fine-tuning passwords, line parameters, 76
firewalls, 698
    application gateways, 229
    circuit-level gateways, 229
    Cisco IOS firewalls, 230
    Cisco PIX firewalls, 230
    DMZ (demilitarized zone), 381
    packet filters, 229
    perimeter security, 229
    proxy servers, 229
    see also Cisco IOS Firewall and PIX Firewall
fixup commands, 426
fixup protocol command, 366–367


flash command, 442
FTP, PIX Firewall, configuring, 426–428

G-H

general access lists, configuring, 712
global command, 310, 340–359
    inside interfaces, configuring, 386–391
global commands, PIX Firewall, 320–325
global encryption policies, CET, defining, 490–493
global IPSec security association lifetime, configuring, 626–628
global timeouts, CBAC, configuring, 268–271
GRE (Generic Routing Encapsulation), 520
Hashed Message Authentication Codes, 543–545
hashes, 88
HMACs (Hashed Message Authentication Codes), 543–545
home access, policies, 700
hostname command, 596, 651
HSRP (Hot Standby Router Protocol), 430
HTTP (Hypertext Transport Protocol), access, controlling, 95–96

I

inbound packet filtering, 234–235
ICMP
    command syntax, 725
    messages, names, 725, 727–728
ICMP messages, PIX Firewall, filtering, 395–396
Identification and Authentication Policy, 697
IDS (Intrusion Detection System)
    Cisco IOS Firewall, 262, 701
IETF, RADIUS, 137
IKE (Internet Key Exchange), 537, 550
    commands, 587
    configuring
        IPSec, 670
        preshared keys, 567, 613
        references, 608
        RSA-encrypted nonces, 602
        verifying, 618–619
    disabling, 613
    enabling, 613
    IOS software, 552–553
    IPSec, 537–541
    policies, creating, 613, 615
IKE Mode Configuration, 676
IKE Phase 1 (IPSec), 524
IKE Phase 2 (IPSec), 525
implementation, CET (Cisco Encryption Technology), 508–510
inbound access, PIX Firewall, 296–303
inbound access control, PIX Firewall, 351–354
Incident Response Procedure, 701
incident-handling procedures, 700–703
incoming network filters, 93
inform requests, SNMP notifications, 83
information theft, 17
initial access attacks, 24
inside global addresses, NAT, 243
inside hosts
    access control, PIX Firewall, 356–374
    PIX Firewall
        DNS Guard, 370–374
        DoS (denial of service), 370–374
        ping access, 369–370
        static translation, 356–368
inside interfaces, PIX Firewall, 385
    configuring, 386–391
inside local addresses, NAT, 243
inspection rules, CBAC
    applying, 276
    defining, 271–276
installation, CSNT, 190–191
intended audiences, security policies, 693
interface command, 310
interface type number command, 244
interfaces
    CBAC, choosing, 266
    commands, PIX Firewall, 317–320


    crypto maps, applying, 633–634
    naming, 383
    PIX Firewall, 307–309
        configuring, 392–394, 408–412
        DMZ interfaces, 392–394
        inside interfaces, 386–391
        security, 314–317
    security levels, 384
Internet access, XYZ Company network scenario, 689
Internet Access Policy, 698
Internet Key Exchange. See IKE (Internet Key Exchange)
interoperability, CAs, managing, 667
intrusion detection, Cisco IOS Firewall, 260
Intrusion Detection Software (Intrusion Detection Software), 262, 701
IOS software
    IKE, 552–553
    IPSec, 552–553
IP access lists
    CBAC, configuring, 267
    configuring, 705–738
    extended IP access lists, configuring, 720–734
    standard IP access lists, configuring, 714–720
    wildcard masks, 711–712
ip access-group command, 713
ip address command, 310
IP addresses, managing, perimeter routers, 242–246
IP addressing, 706–707
    network classes, 707–708
    subnet addresses, 708–710
ip domain-name command, 650
ip host command, 651
ip http access-class command, 96
ip http authentication command, 96
ip nat inside command, 244
ip nat outside command, 244
ip route command, 233
IP spoofing, 31
ip tcp intercept command, 240
IPSec, 520–527
    AH (Authentication Header), 527–528
    CAs, 548–552
    configuring
        PIX Firewall, 619
        preparing, 566, 594–602
        preshared keys, 565–593, 603–606
        references, 608
        RSA-encrypted nonces, 594–603
        testing, 636–638
        verification, 634–638
    data transfers, 527
    DES (Data Encryption Standard), 535–537
    Diffie-Hellman Key agreement, 541–543
    encryption algorithms, support, 525
    encryption task overview, configuring, 554–558
    equipment infrastructure, 522
    ESP (Encapsulating Security Payload), 529–535
    features, 520
    HMACs (Hashed Message Authentication Codes), 543–545
    IKE (Internet Key Exchange), 537–541, 670
    IKE Phase 1, 524
    IKE Phase 2, 525
    IOS software, 552–553
    network-layer encryption, 242
    PIX Firewall
        configuring, 611–638
        preparing, 612
        preshared keys, 638–639, 641
    PKI (Public Key Infrastructure), 548–552
    process initiation, 523
    RSA security, 546–548
    security association lifetime, configuring, 626–628
    security associations, 521–522
    standards, 561
    technologies, 527–548


    testing, 586–588, 590–593
    tunnel termination, 527
    verifying, 586–593
    VPNs, securing, 519–520
    Xauth (Extended Authentication)
        configuring, 678
IPSec encryption, Cisco IOS Firewall, 261
isakmp policy command, 638
isolation LAN. See DMZ (demilitarized zone)
issues, security, reasons, 6–13

J-K

Java applet blocking, PIX Firewall, configuring, 422–423
KDC (key distribution center), 142–144
Kerberized, 144
Kerberos
    authentication, PPP, 145
    components, 143
    credentials, 144
    features, 143
    generic authentication, 145
    KDC (key distribution center), 142–144
    Kerberized, 144
    KINIT, 144
    login authentication, 146
    operations, 145
    realms, 144
    remote security databases, 142–151
    service credentials, 145
    terminology, 144
    TGT (Ticket Granting Ticket), 145
key chain command, 88
key distribution center, 142–144
keywords, config-isakmp command, 568
kill command, 313
KINIT, Kerberos, 144

L

L2F (Layer 2 Forwarding), 520
L2TP (Layer 2 Tunneling Protocol), 520
licensing, PIX Firewall, connections, 391
line parameters, passwords, fine-tuning, 76
link command, 435
linkpath command, 435
local authentication, local security databases, 128
local security databases
    AAA architecture, 127
    local authentication, 128
locations
    extended IP access lists, 732
    standard IP access lists, 718–719
lock-and-key security, perimeter routers, 235–237
log command, 717
logging events, perimeter routers, 247
logging message command, 427
logging trap debugging command, 247
login local command, 237
login tacacs command, 237

M

Mail Guard, PIX Firewall, configuring, 366
mailhost command, 359
Management Information Bases, 81
MCNS (Managing Cisco Network Security) course, 687
MD5 (Message Digest 5) encryption algorithm, 464, 526
    EIGRP, 88
    routing protocols, 88
md5 command, 88
memory usage, managing, 650
messages, ICMP, names, 725, 727–728
MIBs (Management Information Bases), 81
Microsoft Dial-Up Networking Configuration Screen, 438


Microsoft Point-to-Point Encryption, 520
Microsoft Windows 2000 Certificate Services 5.0, VPNs, 552
mobile computing, policies, 699
models, PIX Firewall, 305–307
monitoring security, 45
MPPE (Microsoft Point-to-Point Encryption), 520
multimedia applications, PIX Firewall, 354–355
multiple interfaces, PIX Firewall, access configuration, 381–401

N

named IP access lists, 735–737
nameif command, 298, 310, 387, 391
naming interfaces, 383
NAS (Network Access Server), 157, 177
    AAA (authentication, authorization, and accounting) security, 158–174
        globally enabling, 162
        privileged EXEC (enable) mode, 160
NASI (NetWare Access Server Interface), 114
    packet-mode traffic, 114
NAT (Network Address Translation), 242, 261, 339
    Cisco IOS Firewall, 261
    configuring
        nat 0 configuration, 344–347
        outbound access control, 341–344
    Dynamic NAT, 244, 340
    IP addresses, managing, 242–246
    overloading, 245
    PAT (Port Address Translation), 340, 347–349
    PIX Firewall, 340–344
    Static NAT, 340
    terminology, 243
nat 0 command, 344, 417–418
nat command, 310, 342, 359
NetBIOS, PIX Firewall, 349–350
netmask command, 341, 388
NetWare Access Server Interface. See NASI (NetWare Access Server Interface)
Network Access Server. See NAS (Network Access Server)
Network Address Translation. See NAT (Network Address Translation)
network classes, IP addressing, 707–708
network layer encryption, 459
network security policies, analyzing, 42–43
network snooping, 17
network-layer encryption, 474
    IPSec, 242
    perimeter routers, 241–242
networks
    access, securing, 111–114
    protecting, importance of, 39–40
    security, case studies, 48–60
    suppressing, 92–93
NICs (network interface cards), PIX Firewall, 308–309
no ca enroll command, 663
no ca identity command, 673
no cdp enable command, 232
no cdp run command, 231
no crypto ca identity command, 672
no crypto map command, 505
no debug all command, 277
no ip bootp server command, 231
no ip directed-broadcast command, 232
no ip domain-lookup command, 230
no ip identd command, 231
no ip mroute-cache command, 231
no ip proxy-arp command, 231
no ip rcmd rcp-enable command, 231
no ip redirects command, 231
no ip route-cache command, 231
no ip rsh-enable command, 231
no ip source-route command, 231
no ip tcp path-mtu-discovery command, 231
no ip tcp selective-ack command, 231


    no ip unreachable command, 231no mop enabled command, 231no service finger command, 230no service tcp-small-servers command, 230no service udp-small-servers command, 230nonprivileged access, SNMP, 84nonrepudiation, encryption, 455nonvolatile random-access memory, 75norandomseq command, 342notifications, SNMP, 83NVRAM (nonvolatile random-access

    memory), 75

    O

    operating systems, CiscoSecure ACS, 177–178
    outbound access control, PIX Firewall, 339–355
        NAT (Network Address Translation), 341–344
    outbound command, 323, 419
    outbound packet filtering, 235
    outbound access, PIX Firewall, controlling, 419–422
    outside command, 342
    outside global addresses, NAT, 243
    outside interfaces, PIX Firewall, 385
        configuring, 392–394
    outside local addresses, NAT, 243
    overload command, 246
    overloading, NAT, 245

    P

    packet filtering
        firewalls, 229
        inbound packet filtering, 234–235
        outbound packet filtering, 235
    packet mode traffic, AAA, 114
    packet sniffing, 17
    packet-capturing utilities, 17

    PAP (Password Authentication Protocol), 52, 114, 180

        AAA architecture, 121–125
    password attacks, 24
    Password Authentication Protocol. See PAP (Password Authentication Protocol)

    password-based attacks, 20
    password-encryption command, 161
    passwords
        authentication, AAA architecture, 114, 116–117
        encryption, administrative interfaces, 73
        line parameters, fine-tuning, 76
        management guidelines, 697
        recovering, PIX Firewall, 440

    PAT (Port Address Translation), 242, 339
        configuring, 246
        IP addresses, managing, 242–246
        NAT (Network Address Translation), 340, 347–349
    peer router authentication, Cisco IOS Firewall, 261
    perimeter routers, 224–228
        access, controlling, 234–237
        CBAC (context-based access control), 226
        Cisco IOS Firewall feature set, 226
        configuring, 248, 250, 252–254
        DMZ (demilitarized zone), 228
        DoS attacks, preventing, 237–240
        events, logging, 247
        features, 225
        inbound packet filtering, 234–235
        IP addresses, managing, 242–246
        lock-and-key security, 235–237
        network-layer encryption, 241–242
        outbound packet filtering, 235
        rerouting attacks, preventing, 232–233
        route advertisement, controlling, 233
        route authentication, 233
        screened subnet architecture, 224
        static routes, 232

    perimeter security, 223–230
        bastion hosts, 228
        firewalls, 229
        perimeter routers, 224–228

    per-session encryption policy, CET, configuring, 493–498

    physical devices, securing, 69–70
    ping access, PIX Firewall
        inside hosts, 369–370
        permitting, 395–396

    ping command, 14, 327, 365, 566
    PIX Firewall (Private Internet Exchange), 291–292
        AAA (authentication, authorization, and accounting) server, configuring, 401–407
        ASA (Adaptive Security Algorithm), 292
        CA support, configuring, 645–673
        CLI (command-line interface), 311–314
        components, 303–309
        conduits, inbound access, 296–303
        configuring, 310, 330–335
            Advanced PIX Firewall, 443–444, 446–447
            commands, 391
            multiple interface access, 381–401
            multiple interfaces, 408–412
            outbound access control, 339–355
            outside to DMZ, 392–394
            secured bidirectional communication, 375–378
            testing, 325–330
            URL logging, 426–428
            user authentication, 401–407
        connections, licensing, 391
        CSPM (CiscoSecure Policy Manager), 439
        cut-through user authentication, 301, 303
        DNS Guard, 370–374
        DoS (denial of service), 370–374
        entering, 293–303
        failover, configuring, 430–433
        features, 293
        FTP, configuring, 426–428
        global commands, 320–325
        ICMP messages, filtering, 395–396
        inbound access control, 351–354
        inside hosts
            access control, 356–374
            ping access, 369–370
            static translation, 356–362, 364–368
        inside interfaces, configuring, 386–391
        interface commands, 317–320
        interfaces
            DMZ, 385
            inside, 385
            outside, 385
            security, 314–317
        ip address commands, 317–320
        IPSec
            configuring, 611–638
            overall configuration, 636–638
            preparing, 612
        Java applet blocking, configuring, 422–423
        Mail Guard, configuring, 366
        maintenance, 440–443
        models, 303–309
        multimedia applications, 354–355
        NAT (Network Address Translation), 340–344
            nat 0 configuration, 344–347
            outbound access control, 341–344
            PAT (Port Address Translation), 347–349
        NAT 0, configuring, 417–418
        nat commands, 320–325
        NetBIOS translation, 349–350
        network interfaces, 307–309
        NICs (network interface cards), 308–309
        operations, 293
        outbound access, controlling, 419–422
        outbound access control, 351–354
        password recovery, 440
        ping access, permitting, 395–396
        PPTP (Point-to-Point Tunneling Protocol), configuring, 437–439
        Private Link encryption, 434–437
        SNMP (Simple Network Management Protocol), configuring, 428–430
        software licensing, 308
        software upgrades, 441–442
        statics, inbound access, 296–303
        SYN (synchronize segment) flood attacks, 372–374
        Syslog Server, configuring, 396–400
        URL filtering, configuring, 423–425
        VPNs, configuring, 434–439

    PKCS #10 (Public-Key Cryptography Standard #10), 550

    PKCS #7 (Public-Key Cryptography Standard #7), 550

    PKI (Public Key Infrastructure), 548
        IPSec, 548–552
    plaintext authentication
        routing protocols, 87
        security, 87
    planning encryption, 474
    points of contact, incident response teams, 702
    Point-to-Point Protocol. See PPP (Point-to-Point Protocol)
    Point-to-Point Tunneling Protocol. See PPTP (Point-to-Point Tunneling Protocol)

    policies
        Acceptable Use Policy, 696–697
        analyzing, 42–43
        Campus Access Policy, 698
        Identification and Authentication Policy, 697
        IKE, creating, 613, 615
        implementation, 696
        intended audiences, 693
        Internet Access Policy, 698
        Remote Access Policy, 699–700
        scope, 694
        stakeholders, 694
        system administrators, responsibilities, 695
        user education, 696
    Port Address Translation. See PAT (Port Address Translation)

    postures, improving, 47
    PPP (Point-to-Point Protocol), 52
        authentication, Kerberos, 145
        Double Authentication, 210–212
        packet-mode traffic, 114
    PPTP (Point-to-Point Tunneling Protocol), 437, 520
        PIX Firewall, configuring, 437–439
    preshared keys
        configuring, 616–618
        IKE, configuring, 567, 613
        IPSec, configuring, 565–593, 603–606
        PIX Firewall, configuring for, 638–639, 641
    preshared keys (IKE), 539
    Private Internet Exchange Firewall. See PIX (Private Internet Exchange)

    Private Link encryption, PIX Firewall, 434–437

    privilege levels, administrative interfaces, setting multiple, 77–78

    privileged access, 21
        SNMP, 85
    processing
        extended IP access lists, 721–722
        standard IP access lists, 714–716
    protocol analyzers, 17
    protocols, VPNs, 520
    proxy servers, firewalls, 229
    Public Key Infrastructure. See PKI (Public Key Infrastructure)
    Public-Key Cryptography Standard #10. See PKCS #10 (Public-Key Cryptography Standard #10)
    Public-Key Cryptography Standard #7. See PKCS #7 (Public-Key Cryptography Standard #7)

    Q-R

    QoS
        Cisco IOS Firewall, 261
    RA (Registration Authority), 551
    RADIUS (Remote Access Dial-In User Service), 177
        accounting process, 139
        attributes, 140
        authentication process, 138
        authorization, 138
        CiscoSecure ACS, 178
        configuring, CiscoSecure ACS, 205–210
        features, 137
        remote security databases, 136–142
        TACACS+, compared, 141
        testing, 208–210
        troubleshooting, 208–210
        versions, 137
    rcp command, 21
    realms, Kerberos, 144
    real-time alerts, Cisco IOS Firewall, 261
    reconnaissance threats, 14–18
    recovering passwords, PIX Firewall, 440
    references
        AAA (authentication, authorization, and accounting), 413
        access lists, 738
        CET (Cisco Encryption Technology), 515
        Cisco IOS Firewall, configuring, 286
        CiscoSecure Policy Manager, 449
        CiscoSecure Software Center, 449
        CiscoSecure ACS, 219
        CLI, 336
        conduit commands, 379
        DNS, 389
        DoS attacks, 379
        encryption, 469
        ESA (Encryption Service Adapter), 515
        Ethernet switches, 106
        firewall configuration, 285
        general router configuration, 105
        hackers, 336
        hacking, 336
        IKE, configuring, 608
        IPSec, configuration, 608
        NAT, 336
        neighbor routing authentication, 106
        network security, 336
        PIX Firewall, 379, 413
        PPTP (Point-to-Point Tunneling Protocol), 448
        Private Link Encryption, 448
        security, 34
        security policy configuration, 218
        SNMP, 106
        standard and extended access lists, 106
        TACACS+/RADIUS, 219
        TFTP servers, 448
        token servers, 152
        URL filtering, 448
        xlate commands, 379

    Registration Authority. See RA (Registration Authority)

    Remote Access Dial-In User Service. See RADIUS (Remote Access Dial-In User Service)

    Remote Access Policy, 699–700
    remote security databases
        AAA architecture, 128–130
        CiscoSecure ACS, 148
        Kerberos, 142–151
        RADIUS, 136–142
        standards, 130–151
        TACACS+, 131–136
    remote-access services, 24
    rerouting attacks, preventing, 232–233
    reverse DNS, references, 389
    rlogin command, 21, 148
    route advertisement, controlling, 233
    route authentication, perimeter routers, 233
    route command, 300
    route inside command, 301
    router configuration files, securing, 90–91

    routers
        CA support, configuring, 645–673
        HTTP access, controlling, 95–96
        perimeter routers, 224–226, 228
    router-to-router communications
        router configuration files, securing, 90–91
        routing protocols, authenticating, 86–90
        securing, 86–96
        traffic control, filters, 91–92
    routing protocols, authenticating, 86–90
    RSA, 550
    RSA key pairs, generating, 652
    RSA security, IPSec, 546–548
    RSA signatures (IKE), 539
    RSA-encrypted nonces, IPSec, configuring, 594, 596–603
    RSA-encrypted nonces (IKE), 539
    rsh command, 21, 148

    S

    S/Key authentication
        AAA architecture, 117–120
        client software, 118
        hosts, 119
        users, 119
    SafeWord, 188
    scaling VPNs (virtual private networks), 673–680
    SCEP (Simplified Certification Enrollment Protocol), 551
    scope, policies, 694
    screened subnet architecture, perimeter routers, 224
    secondary access, 21, 24
    secured bidirectional communication, PIX Firewall, configuring, 375–378
    security, 5
        AAA (authorization, authentication, and accounting), NAS (Network Access Server), 158, 160–174
        administrative interfaces, 70–86
            access, 70–76
            banner messages, 79–80
            password encryption, 73
            privilege levels, 77–78
        campuses, 67–69
        case studies, 48–60
        Cisco IOS Firewall, problems, 259–260
        cost considerations, 39
        DoS attacks, preventing, 237–240
        encryption, 454–456
            alternatives, 458
            applications, 456
            CET (Cisco Encryption Technology), 453–460
            DES (Digital Encryption Standard), 462–464
            Diffie-Hellman Key exchange, 467–468
            DSS (Digital Signature Standard), 465–466
            MD5 (Message Digest 5), 464
            references, 469
        Ethernet switches, 97–99
        importance of, 39–40
        issues, reasons, 6–13
        lock-and-key security, 235–237
        monitoring, 45
        necessity of, 5–6
        network-layer encryption, 241–242
        opportunities, 33
        perimeter routers, access, 234–237
        perimeter security, 223–230
            perimeter routers, 224–228
        physical devices, 69–70
        PIX Firewall, interfaces, 314–317
        references, 34
        rerouting attacks, preventing, 232–233
        router-to-router communications, 86–88, 90–96
            router configuration files, 90–91
            routing protocol authentication, 86–90
            traffic control, 91–92
        SNMP, access control, 81–86
        SPA (security posture assessment), 40–47
        statements of authority and scope, 693–696
        SYN attacks, preventing, 239
        TCP/IP, controlling, 230–232
        Telnet, access, 80–81
        testing, 46
        threats
            data manipulation threats, 30–32
            DoS (denial of service) threats, 24–29
            reconnaissance threats, 14–18
            types, 13–33
            unauthorized remote access threats, 18–24
        trusted access, 24
        VPNs, IPSec, 519–520
        Web sites, 35
        XYZ Company network scenario, 690–691

    security association lifetime, IPSec, configuring, 626–628
    security associations, IPSec, 521–522
    security audits, 46
    Security Configuration Guide and Security Configuration Command Reference, 510
    Security Dynamics, Inc., 188
    security levels, interfaces, 384
    security policies
        Acceptable Use Policy, 696–697
        analyzing, 42–43
        Campus Access Policy, 698
        Identification and Authentication Policy, 697
        implementation, 696
        intended audiences, 693
        Internet Access Policy, 698
        Remote Access Policy, 699–700
        scope, 694
        stakeholders, 694
        system administrators, responsibilities, 695
        user education, 696
    security posture assessment. See SPA (security posture assessment)

    security postures, improving, 47
    security servers, AAA architecture, 127–151
    sensitivity levels, information, 693–696
    serverfarm command, 383
    service command, 161
    service credentials, Kerberos, 145
    service password-encryption command, 73, 160
    service timestamps command, 247
    session hijacking, 31
    session replays, 31
    set enablepass command, 97
    set ip permit disable command, 99
    set ip permit enable command, 99
    set password command, 97
    set port security command, 98
    SHA-1 (Secure Hash Algorithm-1) encryption algorithm, 526
    show arp command, 326
    show ca certificate command, 672
    show ca configure command, 672
    show ca identity command, 672
    show ca mypubkey rsa command, 672
    show commands, 391, 566, 586
    show conn command, 391
    show crypto ca certificates command, 671
    show crypto cisco algorithms command, 491
    show crypto isakmp policy command, 566
    show crypto key mypubkey command, 671
    show crypto key mypubkey dss command, 481
    show crypto map command, 555, 566
    show ip address command, 325
    show isakmp command, 555
    show isakmp policy command, 555
    show nat command, 391
    show port command, 98
    show running-config command, 73, 232
    show tcp intercept connections command, 240
    show tcp intercept statistics command, 240
    show version command, 307
    show xlate command, 391

    signatures, 14
    Simple Network Management Protocol. See SNMP (Simple Network Management Protocol), 67, 428
    Simple WATCHdog, 47
    Simplified Certification Enrollment Protocol. See SCEP (Simplified Certification Enrollment Protocol)

    SNMP (Simple Network Management Protocol), 67, 82, 428

        access, controlling, 81–86
        access lists, 85
        agent, configuring, 84
        community strings, 84
        nonprivileged access, 84
        notifications, 83
        PIX Firewall, configuring, 428–430
        privileged access, 85
        references, 106
        versions, 83
    snmp-server command, 429
    snmp-server community command, 84
    software licensing, PIX Firewall, 308
    software upgrades, PIX Firewall, 441–442
    SPA (security posture assessment), 40, 42–47
    stakeholders, policies, 694
    standard IP access lists
        commands, 716–718
        common errors, 719
        configuring, 705–738
        location, 718–719
        processing, 714–716
    standards, remote security databases, 130–151
    statements of authority and scope, 693–696
    static command, 298–300, 340, 356–359, 392–394
    Static NAT, 340
    static routes, perimeter routers, 232
    static translation, PIX Firewall, inside hosts, 356–368
    statics, PIX Firewall, inbound access, 296–303
    subnet addresses, IP addressing, 708–710
    suppressing networks, 92–93
    Swatch (Simple WATCHdog), 47
    switches, Ethernet, securing, 97–99
    SYN (synchronize segment) flood attacks
        attacks, controlling, 239
        PIX Firewall, 372–374
    syntax
        TCP, 728
        UDP, 730
    Syslog Server, PIX Firewall, configuring, 396–400
    system administrators, policies, responsibilities, 695
    system requirements
        CSNT, 185
        CSUNIX, 197

    T

    TACACS (Terminal Access Controller Access Control System), versions, 131

    TACACS+ (Terminal Access Controller Access Control System Plus), 132, 177

        accounting process, 135
        authentication process, 133
        authorization process, 134
        CiscoSecure ACS, 178
        configuring
            AAA configuration commands, 199
            CiscoSecure ACS, 197–205
        debugging, 202–204
        features, 132
        RADIUS, compared, 141
        remote security databases, 131–136
    tacacs-server host command, 197
    tacacs-server key command, 197
    TARA (Tiger Analytical Research Assistant), 47
    TCP (Transport Control Protocol)
        port keywords, 729
        syntax, 728
    TCP intercept, 239
    TCP/IP, controlling, 230–232

    technologies, IPSec, 527–548
    TED (Tunnel Endpoint Discovery), 679
    telecommuters, policies, 700
    Telnet, access, controlling, 80–81
    telnet command, 148, 384, 388
    Terminal Access Controller Access Control System+. See TACACS+ (Terminal Access Controller Access Control System Plus)
    terminology, Kerberos, 144
    test crypto initiate-session command, 499–500
    testing
        CBAC, 276–277
        CET encryption, 499–505
        IPSec, 586–593
        PIX Firewall, configuration, 325–330
        RADIUS, 208–210
        security, 46
    TFTP (Trivial File Transport Protocol), 67
    tftp command, 442
    TGT (Ticket Granting Ticket), 145
    threats, security
        data manipulation threats, 30–32
        DoS (denial of service) threats, 24–29
        reconnaissance threats, 14–18
        types, 13–33
        unauthorized remote access threats, 18–24
    thresholds, CBAC, configuring, 268–271
    Ticket Granting Ticket, 145
    Tiger Analytical Research Assistant. See TARA (Tiger Analytical Research Assistant)
    time-based access lists, Cisco IOS Firewall, 261
    timeout xlate command, 390
    token cards, authentication, AAA architecture, 120
    token servers
        authentication, AAA architecture, 120
        references, 152
    traceroute command, 300, 388
    traffic, controlling, filters, 91–92
    transform sets, configuring, 624–627
    traps, SNMP notifications, 83
    Triplight, 47
    Trivial File Transport Protocol, 67
    troubleshooting
        CET (Cisco Encryption Technology), 505–507
        CSNT, 192–195
        RADIUS, 208–210
    trust relationships, 698
    trusted access, 24
    trusted computers, 21
    Tunnel Endpoint Discovery. See TED (Tunnel Endpoint Discovery)

    tunnel termination, IPSec, 527

    U

    UDP, syntax, 730
    unauthorized remote access threats, 18–24
    undebug all command, 277
    UNIX, CiscoSecure ACS, 177–178
    updates, network suppression, 92–93
    upgrades, PIX Firewall software, 441–442
    url-cache command, 426
    URLs
        filtering, PIX Firewall, 423–425
        logging, PIX Firewall, 426–428
    user authentication, PIX Firewall, configuring, 401–407
    user education, policies, 696
    usernames, authentication, AAA architecture, 114–117

    V

    verification
        access list configuration, 734–735
        CET encryption, 499–500, 502–505
        IKE, configuration, 618–619
        IPSec, 586–593
            configuration, 634–635
        VPNs, configuration, 671–672
    VeriSign, VPNs, 552

    VIP2 (Versatile Interface Processor) crypto engine, 471

    VLANs (virtual local-area networks), 98
    VPNs (virtual private networks)
        Baltimore Technologies, 552
        Cisco IOS Firewall, 261
        configuring, verifying, 671–672
        Entrust Technologies, 552
        Microsoft Windows 2000 Certificate Services 2.0, 552
        PIX Firewall, configuring, 434–439
        protocols, 520
        scaling, 673–680
        securing, IPSec, 519–520
        VeriSign, 552

    vulnerabilities, 14

    W-Z

    Web sites, security, 35
    wildcard masks, IP access lists, 711–712
    Windows NT, CiscoSecure ACS, 177–178
    write command, 310
    write memory command, 391, 434
    write standby command, 434
    write terminal command, 73, 555–566
    X.509v3 certificates, 550
    Xauth (Extended Authentication), 678
        IPSec, configuring, 678
    xlate command, 368
    XTACACS, 132
    XYZ Company network scenario, 687–688
        departments, 689–690
        dialup access, 688
        Internet access, 689
        security, 690–691