Cisco SAFE Implementation: Student Guide
Cisco SAFE Implementation: Student Guide
Student Guide
Copyright
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech
Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary
India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands
New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia
Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine
United Kingdom United States Venezuela Vietnam Zimbabwe
Copyright 2003, Cisco Systems, Inc. All rights reserved. CCIP, the Cisco Powered Network mark, the
Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ
Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, Networking Academy,
ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We
Work, Live, Play, and Learn, Discover All Thats Possible, The Fastest Way to Increase Your Internet Quotient, and
iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the
Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast,
StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0203R)
Printed in the USA
Credits
Lead Course Developer
Steve Hanna
Editors
Manager, Documentation
Ed Rivera
Additional Contributors
administration and security of the Security Consulting Services assessment network, which
was used to perform external security assessments of the Cisco customer networks.
Table of Contents
COURSE INTRODUCTION
1-1
Overview
Course Objectives
Lab Topology Overview
1-1
1-2
1-7
SECURITY FUNDAMENTALS
2-1
Overview
Objectives
Need for Network Security
Network Security Policy
The Security Wheel
Network Attack Taxonomy
Management Protocols and Functions
Summary
Lab ExerciseVulnerabilities and Threats
2-1
2-2
2-3
2-10
2-13
2-18
2-58
2-65
Lab 2-1
ARCHITECTURAL OVERVIEW
3-1
Overview
Objectives
SAFE Architectural Overview
Design Fundamentals
Safe Axioms
Summary
3-1
3-2
3-3
3-7
3-13
3-32
4-1
Overview
Objectives
Cisco Security Portfolio Overview
Secure ConnectivityVirtual Private Network Solutions
Secure ConnectivityThe 3000 Concentrator Series
Secure ConnectivityCisco VPN-Optimized Routers
Perimeter Security FirewallsCisco PIX Firewall and Cisco IOS Firewall
Intrusion ProtectionIDS
IdentityAccess Control Solutions
Security ManagementVMS and CSPM
Cisco AVVID
Summary
Copyright
Table of Contents
4-1
4-2
4-3
4-7
4-11
4-17
4-23
4-30
4-36
4-41
4-44
4-48
5-1
Overview
Objectives
Small Network Design Overview
Small Network Corporate Internet Module
Small Network Campus Module
ImplementationISP Router
ImplementationIOS Firewall Features and Configuration
ImplementationPIX Firewall
Summary
Lab ExerciseSAFE Small Network Design Implementation
6-1
Overview
Objectives
Midsize Network Corporate Internet Module
Midsize Network Corporate Internet Module Design Guidelines
Midsize Network Campus Module
Midsize Network Campus Module Design Guidelines
Midsize Network WAN Module
ImplementationISP Router and Edge Router
ImplementationIOS Firewall
ImplementationPIX Firewall
ImplementationNIDS
ImplementationVPN Concentrator
ImplementationLayer 3 Switch
Summary
Lab ExerciseMedium Network Design Implementation
6-1
6-3
6-4
6-11
6-21
6-26
6-30
6-32
6-37
6-42
6-44
6-83
6-91
6-99
Lab 6-1
7-1
Overview
Objectives
Design Overview
Key Devices and Threat Mitigation
Software Access Option
Remote Site Firewall Option
VPN Hardware Client Option
Remote Site Router Option
Summary
Lab ExerciseRemote User Network Design Implementation
Lab ExerciseCase Study
vi
5-1
5-2
5-3
5-4
5-11
5-14
5-18
5-48
5-73
Lab 5-1
Copyright
7-1
7-2
7-3
7-6
7-10
7-21
7-36
7-43
7-61
Lab 7-1
Lab 8-1
Course Introduction
Overview
This chapter includes the following topics:
Course objectives
Course agenda
Participant responsibilities
General administration
Graphic symbols
Participant introductions
Cisco security career certifications
Lab topology overview
Course Objectives
This section introduces the course and the course objectives.
Course Objectives
Upon completion of this course, you will be able to
perform the following tasks:
Describe in detail the four basic types of threats that may
be encountered in todays network environment.
Explain how to provide a framework for implementing
security features in the network infrastructure.
Demonstrate first-hand knowledge of the tools and
techniques used to exploit security vulnerabilities.
Discuss the SAFE design philosophy and how it impacts
the decision-making process.
Recognize why routers, switches, hosts, networks, and
applications are targets.
List the general process for hardening network-attached
devices.
CSI 1.11-3
1-2
CSI 1.11-4
Copyright
Course Agenda
Day 1
Day 2
CSI 1.11-5
Day 4
Lab 8Case Study
Copyright
CSI 1.11-6
Course Introduction
1-3
Participant Responsibilities
Student responsibilities
Complete prerequisites
Participate in lab exercises
Ask questions
Provide feedback
CSI 1.11-7
General Administration
Class-related
Sign-in sheet
Participant materials
Site emergency
procedures
1-4
Facilities-related
Restrooms
Telephones/faxes
CSI 1.11-8
Copyright
Graphic Symbols
IOS Router
PIX Firewall
Network
Access Server
Policy Manager
Hub
Modem
VPN 3000
CA
Server
Ethernet Link
IDS Sensor
Catalyst 6500
with IDS Module
PC
Laptop
Network
Cloud
VPN Tunnel
IOS Firewall
Server
Web, FTP, etc.
Switch
CSI 1.11-9
Participant Introductions
Your name
Your company
Pre-requisites skills
Brief history
Objective
Copyright
CSI 1.11-10
Course Introduction
1-5
Professional
CCSP
Associate
CCNA
Network Security
Required
Exam
9E0-111 or
642-521
9E0-121 or
642-511
640-100 or
642-501
9E0-100 or
642-531
9E0-131 or
642-541
www.cisco.com/go/ccsp
CSI 1.11-11
Required
Exam
640-100 or
642-501
9E0-111 or
642-521
1-6
Required
Exam
640-100 or
642-501
9E0-121 or
642-511
Required
Exam
640-100 or
642-501
9E0-100 or
642-531
www.cisco.com/go/training
CSI 1.11-12
Copyright
172.26.26.P
Pod P (110)
172.26.26.0/24
.150
.10P e0/1
Branch
brP
.1 e0/0
10.2.P.0/24
RBB
.1
10.2.P.11
Branch
.2
.150
172.16.P.0/24
Super
Server
WWW
FTP
PSS
WWW
FTP
.10
e0/1
172.30.P.0/24
e0/0
192.168.P.0/24
rP
.2 e0
priv
.1 e4
.1 e2
.5
.1 e1
.50
.4
DMZ
.5
pP
10.0.P.0 /24
pub
172.18.P.0/24
cP
.100
RTS
sensorP
Student
10.0.P.11
CSI 1.11-14
Copyright
Course Introduction
1-7
172.26.26.P
Pod P (110)
172.26.26.0/24
.10P e0/1
.150
brP
Branch
10.3.P.0/24
RBB
.1 e0/0
pub 10.3.P.5
cP
priv 10.2.P.1
.1
Branch
192.168.P.0/24
10.2.P.11
10.2.P.0/24
172.16.P.0/24
Super
Server
WWW
FTP
PSS
WWW
FTP
.2 e0
.1 e2
.50
.1 e1
.10
pP .1 e4 172.18.P.0/24 .5 e0/1
.1 e5
DMZ
drP
172.19.P.0/24 .5 e0/0
10.0.P.0 /24
.100
RTS
Student
10.0.P.11
CSI 1.11-15
1-8
Copyright
Security Fundamentals
Overview
This chapter describes security fundamentals. It includes the following topics:
Objectives
Need for network security
Network security policy
The security wheel
Network attack taxonomy
Management protocols and functions
Summary
Objectives
This section lists the chapters objectives.
Objectives
Upon completion of this chapter, you will be able
to perform the following tasks:
2-2
CSI 1.12-2
Copyright
Remote site
Frame relay
X.25 leased
line
PSTN
CSI 1.12-4
The closed network typically consists of a network designed and implemented in a corporate
environment, and provides connectivity only to known parties and sites without connecting to
public networks. Networks were designed this way in the past and thought to be reasonably
secure because of no outside connectivity.
Copyright
Security Fundamentals
2-3
Internet
Internet-based
intranet (VPN)
PSTN
Remote
site
Internet-based
extranet (VPN)
Partner
site
CSI 1.12-5
Networks of today are designed with availability to the Internet and public networks, which is a
major requirement. Most of todays networks have several access points to other networks both
public and private; therefore, securing these networks has become fundamentally important.
2-4
Copyright
Threat CapabilitiesMore
Dangerous and Easier to Use
Packet forging/
spoofing
High
Stealth diagnostics
Back
doors
Sweepers
Sniffers
Exploiting known
vulnerabilities
Self replicating
code
Hijacking
sessions
Disabling
audits
Technical
knowledge
required
Password
cracking
Password
guessing
Low
1980
Sophistication
of hacker tools
1990
2000
CSI 1.12-6
With the development of large open networks there has been a huge increase in security threats
in the past twenty years. Not only have hackers discovered more vulnerabilities, but the tools
used and technical knowledge required to hack a network have become simpler. There are
downloadable applications available that require little or no hacking knowledge to implement.
There are also inherent applications for troubleshooting a network that when used improperly
can pose severe threats.
Copyright
Security Fundamentals
2-5
CSI 1.12-7
Security has moved to the forefront of network management and implementation. It is necessary
for the survival of many businesses to allow open access to network resources, and ensure that
the data and resources are as secure as possible.
The need for security is becoming more important because of the following:
Required for e-businessThe importance of e-business and the need for private data to
traverse public networks has increased the need for network security.
Required for communicating and doing business safely in potentially unsafe environments
Todays business environment requires communication with many public networks and
systems which increases the need for as much security as is possible when this type of
communication is required.
Networks require development and implementation of a corporate-wide security policy
Establishing a security policy should be the first step in migrating a network to a secure
infrastructure.
2-6
Copyright
Internet
business
value
E-commerce
Supply chain
Workforce
optimization
Internet
access
Corporate
intranet
Customer care
E-learning
Internet
presence
Business security
requirements
Defense-in-depth
Multiple components
Integration into e-business
infrastructure
Comprehensive blueprint
Expanded access
heightened security risks
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.12-8
Copyright
Security Fundamentals
2-7
CSI 1.12-9
The legal ramifications of breaches in data confidentiality and integrity can also be extremely
costly for organizations. The US Government has enacted and is currently developing
regulations to control the privacy of electronic information. The existing and pending regulations
generally stipulate that organizations in violation could face a range of penalties. The following
are some examples:
Gramm-Leach Bliley (GLB) ActIncludes several privacy regulations for US financial
institutions. These institutions could face a range of penalties from termination of their FDIC
insurance to up to US $1 million in monetary penalties.
Government Information Security Reform Act of 2000Agencies must undergo annual selfassessments and independent assessments of their security practices and policies, which are
required for submission.
The Health Insurance Portability and Accountability Act (HIPPA) of 1996 (Public Law 104191)Part of a broad Congressional attempt at incremental healthcare reform. The
administrative simplification aspect of that law requires the United States Department of
Health and Human Services (DHHS) to develop standards and requirements for maintenance
and transmission of health information that identifies individual patients. These standards are
designed to do the following:
2-8
Improve the efficiency and effectiveness of the healthcare system by standardizing the
interchange of electronic data for specified administrative and financial transactions
Protect the security and confidentiality of electronic health information
Copyright
Even if an external hacker is the perpetrator of an attack, the company storing that information
can potentially be found negligent by the courts if the information was not adequately
safeguarded. Furthermore, companies that suffer breaches in data integrity might be required to
defend against lawsuits initiated by customers who are negatively affected by the incorrect or
offensive data and seek monetary or punitive damages.
Copyright
Security Fundamentals
2-9
CSI 1.12-11
According to the Site Security Handbook (RFC 2196), A security policy is a formal statement
of the rules by which people who are given access to an organizations technology and
information assets must abide. It further states, A security policy is essentially a document
summarizing how the corporation will use and protect its computing and network resources.
2-10
Copyright
CSI 1.12-12
Security policies provide many benefits and are worth the time and effort needed to develop
them. Developing a security policy:
Provides a process to audit existing network security.
Provides a general security framework for implementing network security.
Defines which behavior is and is not allowed.
Helps determine which tools and procedures are needed for the organization.
Helps communicate consensus among a group of key decision makers and define
responsibilities of users and administrators.
Defines a process for handling network security incidents.
Enables global security implementation and enforcement. Computer security is now an
enterprise-wide issue and computing sites are expected to conform to the network security
policy.
Creates a basis for legal action if necessary.
Copyright
Security Fundamentals
2-11
CSI 1.12-13
2-12
Copyright
Network Security
Is a Continuous Process
Network security is a
continuous process
built around a security
policy:
Step 1: Secure
Secure
Improve
Security
Policy
Monitor
Step 2: Monitor
Step 3: Test
Step 4: Improve
Test
CSI 1.12-15
Copyright
Security Fundamentals
2-13
Secure
Improve
Security
Policy
Monitor
Test
Firewalls
Vulnerability patching
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.12-16
2-14
Copyright
Monitor Security
Detects violations to
the security policy
Involves system
auditing and
real-time intrusion
detection
Validates the security
implementation in
Step 1
Secure
Improve
Security
Policy
Monitor
Test
CSI 1.12-17
To ensure that a network remains secure, it is important to monitor the state of security
preparation. Network vulnerability scanners can proactively identify areas of weakness, and
IDSs can monitor and respond to security events as they occur. Using security monitoring
solutions, organizations can obtain unprecedented visibility into both the network data stream
and the security posture of the network.
Copyright
Security Fundamentals
2-15
Test Security
Validates
effectiveness of
the security policy
through system
auditing and
vulnerability
scanning
Secure
Improve
Security
Policy
Monitor
Test
CSI 1.12-18
Testing security is as important as monitoring. Without testing the security solutions in place, it
is impossible to know about existing or new attacks. The hacker community is an ever-changing
environment. You can perform this testing yourself or outsource it to a third party such as the
Cisco Security Posture Assessment (SPA) group.
The Cisco SPA is a premium network vulnerability assessment providing comprehensive insight
into the security posture of a customers network. Delivered by highly expert Cisco Network
Security Engineers (NSEs), the Cisco SPA includes an operational, granular analysis of largescale, distributed service provider networks from the perspective of an outside hacker.
2-16
Copyright
Improve Security
Use information from
the monitor and test
phases to make
improvements to the
security
Improve
implementation.
Adjust the security
policy as security
vulnerabilities and risks
are identified.
Secure
Security
Policy
Monitor
Test
CSI 1.12-19
Monitoring and testing provides the data necessary to improve network security. Administrators
and engineers should use the information from the monitor and test phases to make
improvements to the security implementation as well as adjust the security policy as
vulnerabilities and risks are identified.
Copyright
Security Fundamentals
2-17
Variety of Attacks
Internet
Ex
ex tern
p lo al
i ta
ti o
n
Dial-in
exploitation
Internal
exploitation
Compromised
host
CSI 1.12-21
Without proper protection, any part of any network can be susceptible to attacks or unauthorized
activity. Routers, switches, and hosts can all be violated by professional hackers, company
competitors, or even internal employees. In fact, according to several studies, more than half of
all network attacks are waged internally. The Computer Security Institute (CSI) in San Francisco
estimates that between 60 and 80 percent of network misuse comes from inside the enterprises
where the misuse has taken place. To determine the best ways to protect against attacks, IT
managers should understand the many types of attacks that can be instigated and the damage that
these attacks can cause to e-business infrastructures.
2-18
Copyright
CSI 1.12-22
Copyright
Security Fundamentals
2-19
Packet sniffers
IP weaknesses
Password attacks
DoS or DDoS
Man-in-the-middle attacks
Application layer attacks
Trust exploitation
Port redirection
Virus
Trojan horse
Operator error
CSI 1.12-23
There are many common attacks that can occur against a network. Any of the following can be
used to compromise your system:
Packet sniffers
IP weaknesses
Password attacks
Denial of service (DoS) or distributed denial of service (DDoS)
Man-in-the-middle attacks
Application layer attacks
Trust exploitation
Port redirection
Virus
Trojan horse
Operator error
2-20
Copyright
CSI 1.12-24
Copyright
Security Fundamentals
2-21
Packet Sniffers
Host A
Router A
Router B
Host B
CSI 1.12-25
A packet sniffer is a software application that uses a network adapter card in promiscuous mode
(a mode in which the network adapter card sends all packets received on the physical network
wire to an application for processing) to capture all network packets that are sent across a LAN.
Several network applications distribute network packets in clear text; that is, the information sent
across the network is not encrypted. Because the network packets are not encrypted, they can be
processed and understood by any application that can pick them up off the network and process
them.
A network protocol specifies how packets are identified and labeled, which enables a computer
to determine whether a packet is intended for it. Because the specifications for network
protocols, such as TCP/IP, are widely published, a third party can easily interpret the network
packets and develop a packet sniffer. (The real threat today results from the numerous freeware
and shareware packet sniffers that are available, which do not require the user to understand
anything about the underlying protocols.)
2-22
Copyright
CSI 1.12-26
A packet sniffer can provide its user with meaningful and often sensitive information, such as
user account names and passwords. If you use networked databases, a packet sniffer can provide
an attacker with information that is queried from the database, as well as the user account names
and passwords used to access the database. One serious problem with acquiring user account
names and passwords is that users often reuse their login names and passwords across multiple
applications.
In addition, many network administrators use packet sniffers to diagnose and fix network-related
problems. Because in the course of their usual and necessary duties these network administrators
(such as those in a payroll department) work during regular employee hours, they can potentially
examine sensitive information distributed across the network.
Many users employ a single password for access to all accounts and applications. Because
attackers know and use human characteristics (attack methods known collectively as social
engineering attacks), such as using a single password for multiple accounts, they are often
successful in gaining access to sensitive information.
There are two primary types of packet sniffers:
General purpose
Security Fundamentals
2-23
2-24
Typically captures login sessions (File Transfer Protocol [FTP], rlogin, and Telnet)
Copyright
Router A
Router B
Host B
CSI 1.12-27
The following techniques and tools can be used to mitigate packet sniffers:
AuthenticationUsing strong authentication is a first-option for defense against packet
sniffers. Strong authentication can be broadly defined as a method of authenticating users
that cannot easily be circumvented. A common example of strong authentication is one-time
passwords (OTPs).
An OTP is a type of two-factor authentication. Two-factor authentication involves using
something you have combined with something you know. Automated teller machines
(ATMs) use two-factor authentication. A customer needs both an ATM card and a personal
identification number (PIN) to make transactions. With OTPs you need a PIN and your
token card to authenticate to a device or software application. A token card is a hardware or
software device that generates new, seemingly random, passwords at specified intervals
(usually 60 seconds). A user combines that random password with a PIN to create a unique
password that works only for one instance of authentication. If a hacker learns that password
by using a packet sniffer, the information is useless because the password has already
expired. Note that this mitigation technique is effective only against a sniffer implementation
that is designed to grab passwords. Sniffers deployed to learn sensitive information (such as
mail messages) would still be effective.
Switched infrastructureThis can be used to counter the use of packet sniffers in your
network environment. For example, if an entire organization deploys switched Ethernet,
hackers can gain access only to the traffic that flows on the specific port to which they
connect. A switched infrastructure obviously does not eliminate the threat of packet sniffers,
but it can greatly reduce their effectiveness.
Copyright
Security Fundamentals
2-25
Antisniffer toolsEmploying software and hardware designed to detect the use of sniffers
on a network. Such software and hardware does not completely eliminate the threat, but like
many network security tools, they are part of the overall system. These so-called
antisniffers detect changes in the response time of hosts to determine if the hosts are
processing more traffic than their own. One such network security software tool, which is
available from Security Software Technologies, is called AntiSniff.
CryptographyRendering packet sniffers irrelevant, which is the most effective method for
countering packet snifferseven more effective than preventing or detecting packet sniffers.
If a communication channel is cryptographically secure, the only data a packet sniffer will
detect is cipher text (a seemingly random string of bits) and not the original message. The
Cisco deployment of network-level cryptography is based on IPSec, which is a standard
method for networking devices to communicate privately using IP. Other cryptographic
protocols for network management include Secure Shell Protocol (SSH) and Secure Sockets
Layer (SSL).
2-26
Copyright
IP Spoofing
IP spoofing occurs when a hacker inside or outside a network
impersonates the conversations of a trusted computer.
Two general techniques are used during IP spoofing:
A hacker uses an IP address that is within the range of
trusted IP addresses.
A hacker uses an authorized external IP address that is
trusted.
Uses for IP spoofing include the following:
IP spoofing is usually limited to the injection of malicious
data or commands into an existing stream of data.
If a hacker changes the routing tables to point to the spoofed
IP address, then the hacker can receive all the network
packets that are addressed to the spoofed address and reply
just as any trusted user can.
CSI 1.12-28
An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted
computer, either by using an IP address that is within the range of IP addresses for your network
or by using an authorized external IP address that you trust and to which you wish to provide
access to specified resources on your network.
Normally, an IP spoofing attack is limited to the injection of data or commands into an existing
stream of data passed between a client and server application or a peer-to-peer network
connection. To enable bi-directional communication, the attacker must change all routing tables
to point to the spoofed IP address. Another approach the attacker could take is to simply not
worry about receiving any response from the applications. For example, if an attacker is
attempting to get a system to mail him or her a sensitive file, application responses are
unimportant.
However, if an attacker manages to change the routing tables to point to the spoofed IP address,
he can receive all the network packets that are addressed to the spoofed address and reply just as
any trusted user can. Like packet sniffers, IP spoofing is not restricted to people who are external
to the network.
Although not as common, IP spoofing can also gain access to user accounts and passwords, and
it can also be used in other ways. For example, an attacker can emulate one of your internal users
in ways that prove embarrassing for your organization; the attacker could send e-mail messages
to business partners that appear to have originated from someone within your organization. Such
attacks are easier when an attacker has a user account and password, but they are possible by
combining simple spoofing attacks with knowledge of messaging protocols.
Copyright
Security Fundamentals
2-27
IP Spoofing Mitigation
The threat of IP spoofing can be reduced, but not
eliminated, through the following measures:
CSI 1.12-29
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
Access controlThe most common method for preventing IP spoofing is to properly
configure access control. To reduce the effectiveness of IP spoofing, configure access
control to deny any traffic from the external network that has a source address that should
reside on the internal network. Note that this helps prevent spoofing attacks only if the
internal addresses are the only trusted addresses. If some external addresses are trusted, this
method is not effective.
RFC 2827 filteringYou can prevent users of your network from spoofing other networks
(and be a good Internet citizen at the same time) by preventing any outbound traffic on your
network that does not have a source address in your organization's own IP range.
This filtering denies any traffic that does not have the source address that was expected on a
particular interface. For example, if an ISP is providing a connection to the IP address
15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24
can enter the ISP router from that interface. Note that unless all ISPs implement this type of
filtering, its effectiveness is significantly reduced.
Additional AuthenticationThe most effective method for mitigating the threat of IP
spoofing is the same as the most effective method for mitigating the threat of packet sniffers:
namely, eliminating its effectiveness. IP spoofing can function correctly only when devices
use IP address-based authentication; therefore, if you use additional authentication methods,
IP spoofing attacks are irrelevant. Cryptographic authentication is the best form of additional
authentication, but when that is not possible, strong two-factor authentication using OTP can
also be effective.
2-28
Copyright
DoS
DoS attacks focus on making a service
unavailable for normal use. They have the
following characteristics:
CSI 1.12-30
DoS attacks are different from most other attacks because they are not targeted at gaining access
to your network or the information on your network. These attacks focus on making a service
unavailable for normal use, which is typically accomplished by exhausting some resource
limitation on the network or within an operating system or application. These attacks require
little effort to execute because they typically take advantage of protocol weaknesses or the
attacks are carried out using traffic that would normally be allowed into a network. DoS attacks
are among the most difficult to completely eliminate because of the way they use protocol
weaknesses and native traffic to attack a network.
Copyright
Security Fundamentals
2-29
DDoS Example
1. Scan for systems to hack.
4. The client
issues
commands
to handlers
that control
agents in a
mass attack.
Client
system
2. Install software
to scan,
compromise, and
infect agents.
Handler
systems
Agent
systems
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.12-31
DDoS attacks are the next generation of DoS attacks on the Internet. This type of attack is not
newUDP and TCP SYN flooding, Internet Control Message Protocol (ICMP) echo request
floods, and ICMP directed broadcasts (also known as smurf attacks) are similarbut the scope
certainly is new. Victims of DDoS attacks experience packet flooding from many different
sources, possibly spoofed IP source addresses, that bring their network connectivity to a grinding
halt. In the past, the typical DoS attack involved a single attackers attempt to flood a target host
with packets. With DDoS tools, an attacker can conduct the same attack using thousands of
systems.
In the figure the hacker uses their terminal to scan for systems to hack. When the handler
systems are accessed, the hacker then installs software on them to scan for, compromise, and
infect Agent systems. When the Agent systems are accessed the hacker then loads remote control
attack software to carry out the DoS attack.
2-30
Copyright
DoS Mitigation
The threat of DoS attacks can be reduced
through the following three methods:
CSI 1.12-32
When involving specific network server applications, such as a HTTP server or a File Transfer
Protocol (FTP) server, these attacks can focus on acquiring and keeping open all the available
connections supported by that server, effectively locking out valid users of the server or service.
DoS attacks can also be implemented using common Internet protocols, such as TCP and ICMP.
While most DoS attacks exploit a weakness in the overall architecture of the system being
attacked rather than a software bug or security hole, some attacks compromise the performance
of your network by flooding the network with undesired, and often useless, network packets and
by providing false information about the status of network resources.
The threat of DoS attacks can be reduced through the following three methods:
Antispoof featuresProper configuration of antispoof features on your routers and firewalls
can reduce your risk. This configuration includes RFC 2827 filtering at a minimum. If
hackers cannot mask their identities, they might not attack.
Anti-DoS featuresProper configuration of anti-DoS features on routers and firewalls can
help limit the effectiveness of an attack. These features often involve limits on the amount of
half-open connections that a system allows open at any given time.
Traffic rate limitingAn organization can implement traffic rate limiting with its ISP. This
type of filtering limits the amount of nonessential traffic that crosses network segments at a
certain rate. A common example is to limit the amount of ICMP traffic allowed into a
network because it is used only for diagnostic purposes. ICMP-based DDoS attacks are
common.
Copyright
Security Fundamentals
2-31
Password Attacks
Hackers can implement
password attacks using
several different
methods:
Brute-force attacks
Trojan horse programs
IP spoofing
Packet sniffers
CSI 1.12-33
Password attacks can be implemented using several different methods, including brute-force
attacks, Trojan horse programs (discussed later in the chapter), IP spoofing, and packet sniffers.
Although packet sniffers and IP spoofing can yield user accounts and passwords, password
attacks usually refer to repeated attempts to identify a user account, password, or both. These
repeated attempts are called brute-force attacks.
Often a brute-force attack is performed using a program that runs across the network and
attempts to log in to a shared resource, such as a server. When an attacker successfully gains
access to a resource, he or she has the same rights as the user whose account has been
compromised to gain access to that resource. If this account has sufficient privileges, the attacker
can create a back door for future access, without concern for any status and password changes to
the compromised user account.
2-32
Copyright
CSI 1.12-34
Just as with packet sniffers and IP spoofing attacks, a brute-force password attack can provide
access to accounts that can be used to modify critical network files and services. An example
that compromises your networks integrity is an attacker modifying the routing tables for your
network. By doing so, the attacker ensures that all network packets are routed to him or her
before they are transmitted to their final destination. In such a case, an attacker can monitor all
network traffic, effectively becoming a man in the middle.
The following are the two different methods for computing passwords with L0phtCrack:
Dictionary crackingThe password hashes for all of the words in a dictionary file are
computed and compared against all of the password hashes for the users. This method is
extremely fast and finds very simple passwords.
Brute force computationThis method uses a particular character set such as AZ, or AZ
plus 09 and computes the hash for every possible password made up of those characters. It
will always compute the password if it is made up of the character set you have selected to
test. The downside is that time is required for completion of this type of attack.
Copyright
Security Fundamentals
2-33
CSI 1.12-35
2-34
Copyright
Man-in-the-Middle Attacks
Host A
Host B
Router B
CSI 1.12-36
A man-in-the-middle attack requires that the attacker have access to network packets that come
across the networks. Such attacks are often implemented using network packet sniffers and
routing and transport protocols. The possible uses of such attacks are theft of information,
hijacking of an ongoing session to gain access to your internal network resources, traffic analysis
to derive information about your network and its users, denial of service, corruption of
transmitted data, and introduction of new information into network sessions.
An example of a man-in-the-middle attack could be someone who is working for your ISP, who
can gain access to all network packets transferred between your network and any other network.
Copyright
Security Fundamentals
2-35
Man-in-the-Middle Mitigation
A man-in-the-middle attack
can only see cipher text
IPSec tunnel
Host A
Router A
ISP
Host B
Router B
CSI 1.12-37
2-36
Copyright
7
6
5
4
3
2
1
Application
Presentation
Session
Transport
Network
Deata link
Physical
CSI 1.12-38
Copyright
Security Fundamentals
2-37
which include Java applets and ActiveX controls, involve passing harmful programs across
the network and loading them through a users browser.
2-38
Copyright
CSI 1.12-39
The following are some measures you can take to reduce your risks for application layer attacks:
Read operating system and network log files or have them analyzedIt is important to
review all logs and take action accordingly.
Subscribe to mailing lists that publicize vulnerabilitiesMost application and operating
system vulnerabilities are published on the Web at various sources.
Keep your operating system and applications current with the latest patchesAlways test
patches and fixes in a non-production environment. This prevents downtime and errors from
being generated unnecessarily.
Intrusion detection systems (IDSs) can scan for known attacks, monitor and log attacks, and
in some cases, prevent attacksThe use of IDSs can be essential to identifying security
threats and mitigating some of those threats, and, in most cases, it can be done automatically.
Copyright
Security Fundamentals
2-39
Network Reconnaissance
CSI 1.12-40
Network Reconnaissance refers to the overall act of learning information about a target network
by using publicly available information and applications. When hackers attempt to penetrate a
particular network, they often need to learn as much information as possible about the network
before launching attacks. Examples include DNS queries, ping sweeps, and port scans:
Domain Name System (DNS) queriesReveals such information as who owns a particular
domain and what addresses have been assigned to that domain.
Ping sweepsPresents a picture of the live hosts in a particular environment.
Port scansCycles through all well known ports to provide a complete list of all services
running on the hosts.
2-40
Copyright
CSI 1.12-41
The figure demonstrates how existing Internet tools can be used for network reconnaissance (for
example, an IP address query or a Domain Name query).
DNS queries can reveal such information as who owns a particular domain and what addresses
have been assigned to that domain. Ping sweeps of the addresses revealed by the DNS queries
can present a picture of the live hosts in a particular environment. After such a list is generated,
port scanning tools can cycle through all well known ports to provide a complete list of all
services running on the hosts discovered by the ping sweep. Finally, the hackers can examine the
characteristics of the applications that are running on the hosts. This can lead to specific
information that is useful when the hacker attempts to compromise that service.
IP address queries can reveal information such as who owns a particular IP address or range of
addresses and what domain is associated to them.
Copyright
Security Fundamentals
2-41
CSI 1.12-42
If ICMP echo and echo-reply is turned off on edge routers (for example, ping sweeps can be
stopped, but at the expense of network diagnostic data), port scans can still be run without full
ping sweeps They simply take longer because they need to scan IP addresses that might not be
live.
IDSs at the network and host levels can usually notify an administrator when a reconnaissance
gathering attack is underway. This allows the administrator to better prepare for the coming
attack or to notify the ISP who is hosting the system that it is launching the reconnaissance
probe.
2-42
Copyright
Trust Exploitation
A hacker
leverages existing
trust relationships
Several trust
models exist
Windows
Domains
Active
directory
Linux and
UNIX
NFS
NIS+
Hacker
gains
access to
SystemA
Hacker
User = psmith; Pat Smithson
CSI 1.12-43
While not an attack in and of itself, trust exploitation refers to an attack where an individual
takes advantage of a trust relationship within a network. The classic example is a perimeter
network connection from a corporation. These network segments often house DNS, SMTP, and
HTTP servers. Because they all reside on the same segment, a compromise of one system can
lead to the compromise of other systems because they might trust other systems attached to their
same network. Another example is a system on the outside of a firewall that has a trust
relationship with a system on the inside of a firewall. When the outside system is compromised,
it can leverage that trust relationship to attack the inside network.
Copyright
Security Fundamentals
2-43
SystemA
User = psmith; Pat Smith
Hacker
blocked
Hacker
User = psmith; Pat Smithson
SystemB
Compromised
by a hacker
User = psmith; Pat
Smith
Systems on the
outside of a firewall
should never be
absolutely trusted by
systems on the inside
of a firewall.
Such trust should be
limited to specific
protocols and should
be validated by
something other than
an IP address where
possible.
CSI 1.12-44
You can mitigate trust and exploitation-based attacks through tight constraints on trust levels
within a network. Systems on the outside of a firewall should never be absolutely trusted by
systems on the inside of a firewall. Such trust should be limited to specific protocols and should
be authenticated by something other than an IP address where possible.
2-44
Copyright
Port Redirection
Port redirection is a type
of trust-exploitation
attack that uses a
compromised host to
pass traffic through a
firewall that would
otherwise be dropped.
It is mitigated primarily
through the use of
proper trust models.
Antivirus software and
host-based IDS can help
detect and prevent a
hacker installing port
redirection utilities on
the host.
Attacker
Source: Attacker
Destination: A
Port: 22
Source: Attacker
Destination: B
Port: 23
Compromised
Host A
Source: A
Destination: B
Port: 23
Host B
CSI 1.12-45
Port redirection attacks are a type of trust exploitation attack that uses a compromised host to
pass traffic through a firewall that would otherwise be dropped. Consider a firewall with three
interfaces and a host on each interface. The host on the outside can reach the host on the public
services segment (commonly referred to as a Demilitarized Zone [DMZ]), but not the host on the
inside. The host on the public services segment can reach the host on both the outside and the
inside. If hackers were able to compromise the public services segment host, they could install
software to redirect traffic from the outside host directly to the inside host. Though neither
communication violates the rules implemented in the firewall, the outside host has now achieved
connectivity to the inside host through the port redirection process on the public services host.
An example of an application that can provide this type of access is netcat.
Port redirection can primarily be mitigated through the use of proper trust models, which are
network specific (as mentioned earlier). Assuming a system under attack, a host-based IDS can
help detect and prevent a hacker installing such utilities on a host.
Copyright
Security Fundamentals
2-45
Unauthorized Access
CSI 1.12-46
While not a specific type of attack, unauthorized access attacks refer to the majority of attacks
executed in networks today. In order for someone to brute-force a Telnet login, they must first
get the Telnet prompt on a system. Upon connection to the Telnet port, the hacker might see the
message authorization required to use this resource. If the hacker continues to attempt access,
the hackers actions become unauthorized. These kinds of attacks can be initiated both on the
outside and inside of a network.
Mitigation techniques for unauthorized access attacks are very simple. They involve reducing or
eliminating the ability of a hacker to gain access to a system using an unauthorized protocol. An
example would be preventing hackers from having access to the Telnet port on a server that
needs to provide web services to the outside. If a hacker cannot reach that port, it is very difficult
to attack it. The primary function of a firewall in a network is to prevent simple unauthorized
access attacks.
2-46
Copyright
CSI 1.12-47
The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks.
Viruses refer to malicious software that is attached to another program to execute a particular
unwanted function on a users workstation. An example of a virus is a program that is attached
to command.com (the primary interpreter for windows systems), which deletes certain files and
infects any other versions of command.com that it can find.
A Trojan horse is different only in that the entire application was written to look like something
else, when in fact it is an attack tool. An example of a Trojan horse is a software application that
runs a simple game on the users workstation. While the user is occupied with the game, the
Trojan horse mails a copy of itself to every user in the users address book. Then other users
receive the game and play it, thus spreading the Trojan horse.
These kinds of applications can be contained through the effective use of antivirus software at
the user level and potentially at the network level. Antivirus software can detect most viruses
and many Trojan horse applications and prevent them from spreading in the network. Keeping
up-to-date with the latest developments in these sorts of attacks can also lead to a more effective
posture against these attacks. As new virus or Trojan applications are released, enterprises need
to keep up-to-date with the latest antivirus software, and application versions.
Copyright
Security Fundamentals
2-47
A C?
MAC A
Port 2
Destination C is not in
the CAM table. The
switch forwards the
frame out all ports.
MAC B
Port 3
A C?
MAC D
When a layer 2 switch receives a frame, the switch looks in the CAM
table for the destination MAC address. If an entry exists for the MAC
address in the table, the switch forwards the frame according to the
table. If the MAC address does not exist in the table, the switch
forwards the frame out every port on the switch until a response is
received and the table is updated.
An attacker typically floods the switch with invalid MAC addresses
until the CAM table fills up causing the switch to eventually flood all
ports with incoming trafficessentially acting like a hub.
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.12-48
CAM tables are limited in size. If enough entries are entered into the CAM table before other
entries are expired, the CAM table fills up to the point that no new entries can be accepted. Once
that occurs, the switch floods all ports with incoming traffic because it cannot find the port
number for a particular MAC address in the CAM table. The switch, in essence, acts like a hub.
In May of 1999 the tool macof was released. It was written in approximately 100 lines of PERL
code and was later ported to C and incorporated into the dsniff package. This tool floods a
switch with randomly generated MAC addresses. Once the switchs CAM table fills up with the
randomly generated MAC addresses, the switch begins to forward all frames it receives to every
port.
2-48
Copyright
A C?
MAC A
C?
Port 2
Specify the
allowed MAC
addresses
MAC B
Port 3
C?
MAC D
CSI 1.12-49
Configuring port security on the switch can mitigate the CAM table flood attack, so that when an
invalid MAC is detected on the port, the switch can either block the offending MAC address or
shut down the port. This option provides for either of the following:
Specifying the MAC addresses on a particular switch port.
Specifying the number of MAC addresses that can be learned by a switch port.
Note
Copyright
If the attacker does not maintain the flood of invalid source MAC addresses, the switch
eventually times out older MAC address entries from the CAM table and begins to act like a
switch again.
Security Fundamentals
2-49
VLAN Hopping
Double
encapsulation
example
The frame is
encapsulated with
two 802.1q headers
CSI 1.12-50
2-50
Copyright
CSI 1.12-51
Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration.
One of the more important elements is to use dedicated VLAN identities for all trunk ports. You
should also disable all unused switch ports and place them in an unused VLAN, and set all user
ports to non-trunking mode by explicitly setting DTP on those ports to off.
Copyright
Security Fundamentals
2-51
1
ARP (A)
Switch Port
1
2
3
Host
A,B
2
Destination MAC: A
CSI 1.12-52
MAC spoofing attacks involve the use of a known MAC address and IP address of a host on a
remote VLAN in order to try and get the target switch to forward frames from the attacker. By
sending a single frame with the victims source Ethernet address the attacker overwrites the
CAM table entry so that the switch forwards packets destined for the victim to the attacker. Until
the victim sends traffic it will not receive any traffic. When the victim sends out traffic the CAM
table entry is re-written once more so that it moves back to the original port.
The figure shows how ARP poisoning works in detail. In the example, the switch learned
initially that host A is on port 1, host B is on port 2, and host C is on port 3. Host B sends out an
ARP broadcast identifying itself as host As IP address but host Bs MAC address or another
packet with the same IP address/MAC address combination. This traffic causes the frame to
move the location of Host A in its CAM table from port 1 to port 2. Traffic from Host C
destined to Host A is now visible to Host B. In order to correct this situation, Host A must send
out traffic on the switch port in order for the switch to re-learn the location of Host As MAC
address.
2-52
Copyright
1
ARP (A)
Switch port
1
2
3
Host
The associate
MAC address to
a specific port
Destination MAC: A
CSI 1.12-53
Use the port security commands to mitigate MAC spoofing attacks. The port security command
provides the capability to specify the MAC address of the system connected to a particular port.
The command also provides the ability to specify an action to take should a port security
violation occur.
Copyright
Security Fundamentals
2-53
An attacker
attaches his MAC
address to another
stations IP address
The hold-down
timers can mitigate
this attack
192.168.0.1
MAC A
1
B
192.168.0.2
MAC B
192.168.0.1
MAC B
CSI 1.12-54
A similar attack to the ARP/MAC poisoning attack is an ARP spoofing attack where an attacker
that lies within an ARP domain attaches their MAC address to another stations IP address. As
with the ARP/MAC poisoning attack this causes the switch or router to write the new MAC
information into the system ARP table and forward traffic destined for the IP address to the
attacker.
Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing
attacks. The hold-down timer sets the length of time an entry will stay in the ARP cache.
2-54
Copyright
Attacker
MAC: A
IP: 1
SRC: A1 DST: C2
ARP (A)
Target
MAC: B
IP: 2
SRC: A1 DST: B2
SRC: A1 DST: B2
CSI 1.12-55
While PVLANs are a common mechanism to restrict communications between systems on the
same logical IP subnet it is not a full-proof mechanism. Private VLANs work by limiting which
ports within a VLAN can communicate with other ports in the same VLAN. Isolated ports within
a VLAN can communicate only with promiscuous ports. Community ports can communicate
only with other members of the same community and promiscuous ports. Promiscuous ports can
communicate with any port.
In a proxy attack against private VLANs frames are forwarded to a host on the network
connected to a promiscuous port such as a router. This attack allows for only unidirectional
traffic because any attempt by the target to send traffic back will be blocked by the PVLAN
configuration. If both hosts are compromised then static ARP entries could be used to allow bidirectional traffic.
In the previous figure, the attacker sends a packet with the source IP and MAC address of his
machine, a destination IP of the target system, but a destination MAC address of the router. The
switch forwards the frame to the routers switch port. The router, doing its job of routing traffic,
rewrites the destination MAC address as that of the target and sends the packet back out. Now
the packet has the proper format and is forwarded to the target system.
Configure access control lists (ACLs) on the router port in order to mitigate PVLAN attacks.
Virtual ACLs (VACLs) can also be used to help mitigate the effects of PVLAN attacks.
Copyright
Security Fundamentals
2-55
CSI 1.12-56
By attacking the Spanning-Tree Protocol, the network attacker hopes to spoof his or her system
as the root bridge in the topology. To do this the network attacker broadcasts out Spanning-Tree
Protocol Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt to
force spanning-tree recalculations. The BPDUs sent out by the network attackers system
announce that the attacking system has a lower bridge priority. If successful, the network
attacker can see a variety of frames. By transmitting spoofed Spanning-Tree Protocol packets,
the network attacker causes the switches to initiate Spanning-Tree recalculations. This causes the
two connections to the network attackers system to forward packets. To mitigate Spanning-Tree
Protocol manipulation, use the root guard and the BPDU guard enhancement commands to
enforce the placement of the root bridge in the network as well as enforce the Spanning-Tree
Protocol domain borders.
The Cisco Discovery Protocol (CDP) runs at layer 2 and enables Cisco devices to identify
themselves to other Cisco devices. However, the information sent through CDP is transmitted in
clear text and unauthenticated. CDP is necessary for management applications and cannot be
disabled without impairing some network management applications. However, CDP can be
selectively disabled on interfaces where management is not being performed. When disabling
CDP on the router it is important to disable it globally and for each interface.
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses.
If enough requests are sent the attacker can exhaust the address space available to the DHCP
servers for a period of time. The attacker can then set up a rogue DHCP server on their system
and respond to new DHCP requests from clients on the network. Because DHCP responses
typically include default gateway and DNS server information, the attacker can supply his own
system as the default gateway and DNS server resulting in a man-in-the-middle attack.
The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the
number of MAC addresses on a switch port. As implementation of RFC 3118 (Authentication
2-56
Copyright
for DHCP Messages) increases, DHCP starvation attacks will become more difficult. Finally,
DHCP option 82 (DHCP Relay Agent Information Option) helps to mitigate this attack by
enabling a DHCP relay agent to include information about itself when forwarding clientoriginated DHCP packets to a DHCP server. The server can use this information to implement IP
address or other parameter-assignment policies.
Copyright
Security Fundamentals
2-57
Configuration Management
Configuration management protocols include SSH, SSL,
and Telnet.
Telnet issues include the following:
The data within a Telnet session is sent as clear text,
and may be intercepted by anyone with a packet sniffer
located along the data path between the device and the
management server.
The data may include sensitive information, such as
the configuration of the device itself, passwords, and
so on.
CSI 1.12-58
If the managed device does not support any of the recommended protocols, such as SSH and
SSL, Telnet may have to be used (although this protocol is not highly recommended). The
network administrator should recognize that the data within a Telnet session is sent as clear text,
and may be intercepted by anyone with a packet sniffer located along the data path between the
managed device and the management server. The clear text may include important information,
such as the configuration of the device itself, passwords, and other sensitive data.
2-58
Copyright
Configuration Management
Recommendations
When possible, the following practices are
advised:
CSI 1.12-59
Regardless of whether SSH, SSL, or Telnet is used for remote access to the managed device,
access control lists (ACLs) should be configured to allow only management servers to connect to
the device. All attempts from other IP addresses should be denied and logged. RFC 2827
filtering at the ingress router should also be implemented to mitigate the chance of an attacker
from outside the network spoofing the addresses of the management hosts.
Copyright
Security Fundamentals
2-59
SNMP
SNMP is a network management protocol that can be used to retrieve
information from a network device. The TCP and UDP ports SNMP
uses are 161 and 162.
The following are SNMP issues:
SNMP uses passwords, called community strings, within each
message as a very simple form of security. Most implementations
of SNMP on networking devices today send the community string
in clear text.
SNMP messages may be intercepted by anyone with a packet
sniffer located along the data path between the device and the
management server, and the community string may be
compromised.
An attacker could reconfigure the device if read-write access via
SNMP is allowed.
The following are SNMP recommendations:
Configure SNMP with only read-only community strings.
Set up access control on the device you wish to manage via SNMP
to allow only the appropriate management hosts access.
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.12-60
SNMP is a network management protocol that can be used to retrieve information from a
network device (commonly referred to as read-only access) or to remotely configure parameters
on the device (commonly referred to as read-write access). SNMP uses passwords, called
community strings, within each message as a very simple form of security. Unfortunately, most
implementations of SNMP on networking devices today send the community string in clear text
along with the message. Therefore, SNMP messages may be intercepted by anyone with a packet
sniffer located along the data path between the device and the management server, and the
community string may be compromised.
When the community string is compromised, an attacker could reconfigure the device if readwrite access via SNMP is allowed. Therefore, it is recommended that you configure SNMP with
only read-only community strings. You can further protect yourself by setting up access control
on the device you wish to manage via SNMP to allow only the appropriate management hosts
access.
2-60
Copyright
Logging
Logging issues include the following:
CSI 1.12-61
Syslog, which is information generated by a device that has been configured for logging, is sent
as clear text between the managed device and the management host. Syslog has no packet-level
integrity checking to ensure that the packet contents have not been altered in transit. An attacker
may alter Syslog data in order to confuse a network administrator during an attack.
Copyright
Security Fundamentals
2-61
Logging Recommendations
When possible, the following practices are
advised:
Encrypt Syslog traffic within an IPSec tunnel.
When allowing Syslog access from devices on the
outside of a firewall, you should implement RFC 2827
filtering at the perimeter router.
ACLs should also be implemented on the firewall in order
to allow Syslog data from only the managed devices
themselves to reach the management hosts.
CSI 1.12-62
Where possible, Syslog traffic may be encrypted within an IPSec tunnel in order to mitigate the
chance of its being altered in transit. Where the Syslog data cannot be encrypted within an IPSec
tunnel because of cost or the capabilities of the device itself, the network administrator should
note that there is a potential for the Syslog data to be falsified by an attacker.
When allowing Syslog access from devices on the outside of a firewall, RFC 2827 filtering at the
egress router should be implemented. This scenario will mitigate the chance of an attacker from
outside the network spoofing the address of the managed device, and sending false Syslog data
to the management hosts.
ACLs should also be implemented on the firewall in order to allow Syslog data from only the
managed devices themselves to reach the management hosts. This scenario prevents an attacker
from sending large amounts of false Syslog data to a management server in order to confuse the
network administrator during an attack.
2-62
Copyright
TFTP
Many network devices use TFTP for transferring
configuration or system files across the network. TFTP
uses port 69 for both TCP and UDP.
The following are TFTP issues:
TFTP uses UDP for the data stream between the device
and the TFTP server.
TFTP sends data in clear text. The network
administrator should recognize that the data within a
TFTP session may be intercepted by anyone with a
packet sniffer located along the data path between the
requesting host and the TFTP server.
When possible, TFTP traffic should be encrypted within
an IPSec tunnel in order to mitigate the chance of its
being intercepted.
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.12-63
Many network devices use TFTP for transferring configuration or system files across the
network. TFTP uses UDP for the data stream between the requesting host and the TFTP server.
As with other management protocols that send data in clear text, the network administrator
should recognize that the data within a TFTP session might be intercepted by anyone with a
packet sniffer located along the data path between the device and the management server. Where
possible, TFTP traffic should be encrypted within an IPSec tunnel in order to mitigate the chance
of its being intercepted.
Copyright
Security Fundamentals
2-63
NTP
NTP is used to synchronize the clocks of various devices across a network. It
is critical for digital certificates, and for correct interpretation of events within
Syslog data. NTP uses port 123 for both UDP and TCP connections.
The following are NTP issues:
An attacker could attempt a DoS attack on a network by sending bogus NTP
data across the Internet in an attempt to change the clocks on network
devices in such a manner that digital certificates are considered invalid.
An attacker could attempt to confuse a network administrator during an
attack by disrupting the clocks on network devices.
Many NTP servers on the Internet do not require any authentication of
peers.
The following are NTP recommendations:
Implement your own master clock for the private network synchronization.
Use NTP Version 3 or above as these versions support a cryptographic
authentication mechanism between peers.
Use ACLs that specify which network devices are allowed to synchronize
with other network devices.
CSI 1.12-64
Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a
network. Synchronization of the clocks within a network is critical for digital certificates, and for
correct interpretation of events within Syslog data.
A secure method of providing clocking for the network is for the network administrator to
implement their own master clock for the private network synchronized to Coordinated
Universal Time (UTC) via satellite or radio. However, clock sources are available to synchronize
to via the Internet, if the network administrator does not wish to implement their own master
clock because of costs or other reasons.
An attacker could attempt a DoS attack on a network by sending bogus NTP data across the
Internet in an attempt to change the clocks on network devices in such a manner that digital
certificates are considered invalid. Further, an attacker could attempt to confuse a network
administrator during an attack by disrupting the clocks on network devices. This scenario would
make it difficult for the network administrator to determine the order of Syslog events on
multiple devices.
Version 3 and above of NTP supports a cryptographic authentication mechanism between peers.
The use of the authentication mechanism as well as ACLs that specify which network devices
are allowed to synchronize with other network devices is recommended to help mitigate against
such a scenario. The network administrator should weigh the cost benefits of pulling clock
information from the Internet with the possible risk of doing so and allowing it through the
firewall. Many NTP servers on the Internet do not require any authentication of peers. Therefore,
the network administrator must trust that the clock itself is reliable, valid, and secure.
2-64
Copyright
Summary
This section summarizes the information you learned in this chapter.
Summary
The need for network security has increased as networks have
become more complex and interconnected.
The following are the components of a complete
security policy:
Statement of authority and scope
Acceptable use policy
Identification and authentication policy
Internet use policy
Campus access policy
Remote access policy
Incident handling procedure
The Security Wheel details the view that security is an ongoing
process.
The Security Wheel includes four phases: secure, monitor, test,
and improve.
2003, Cisco Systems, Inc. All rights reserved.
Copyright
CSI 1.12-66
Security Fundamentals
2-65
Summary (cont.)
The following are the four types of security threats:
Structured
Unstructured
Internal
External
The following are common attack methods and techniques
used by hackers:
Packet sniffers
IP weaknesses
Password attacks
DoS or DDoS
Man-in-the-middle attacks
Application layer attacks
Trust exploitation
Port redirection
2-66
CSI 1.12-67
Copyright
Summary (cont.)
Virus
Trojan horse
Operator error
CAM table overflow
VLAN hopping
MAC spoofing
ARP spoofing
Private VLAN attacks
Spanning Tree protocol manipulation
CDP attacks
DHCP Starvation
Management protocols can in themselves be a source of
vulnerability
2003, Cisco Systems, Inc. All rights reserved.
Copyright
CSI 1.12-68
Security Fundamentals
2-67
2-68
Copyright
Objectives
In this lab exercise you will complete the following tasks:
Port scan a host using a command line utility.
Scan a network using a vulnerability scanner to discover network services and
vulnerabilities.
Analyze network traffic with Ethereal.
Copyright
Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.
172.26.26.P
Pod P (110)
172.26.26.0/24
brP
.1 e0/0
10.2.P.0/24
.150
.10P e0/1
Branch
RBB
10.2.P.11
Branch
PSS,
WWW,
and FTP
172.16.P.0/24
.10
Super server,
WWW, and FTP
.1
.2
e0/1
172.30.P.0/24
.150
e0/0
192.168.P.0/24
rP
.2 e0
pP
.1 e4
.1 e2
private
.5
.1 e1
.50
.4
DMZ
.5
10.0.P.0 /24
public
172.18.P.0/24
cP
.100
RTS
sensorP
Student
Remote: 10.1.P.11
Local: 10.0.P.11
CSI 1.12-1
Launch the netcat icon on the Student PC. A DOS command prompt window opens.
Step 2
Obtain the netcat usage information. The usage information provides you with the various
command line options available.
Step 3
Lab 2-2
Copyright
Step 2
Enter the IP address for the public services segment server in the Start field: 172.16.P.50.
(where P = pod number)
Step 3
Enter the IP address for the public services segment server in the End field: 172.16.P.50.
(where P = pod number)
Step 4
Click the Show List button. The Ports to Scan window opens.
Step 5
Click the Check All button on the right side of the window.
Step 6
Step 7
Ensure that the Scan ports from list check box is selected.
Step 8
Step 9
When the scan has completed, view the results in the main window.
Step 2
Step 3
Step 4
Click STOP when told to by the instructor. The Ethereal window is populated with the network
traffic that has been captured. Examine the traffic to see what type of information is available.
Copyright
Lab 2-4
Copyright
Architectural Overview
Overview
This chapter introduces and gives an overview of the SAFE Extending the Security Blueprint to
Small, Midsize, and Remote-User Networks (SAFE SMR) architecture. It includes the following
topics:
Objectives
SAFE architectural overview
Design fundamentals
Safe axioms
Summary
Objectives
This section lists the chapters objectives.
Objectives
Upon completion of this chapter, you will be
able to perform the following tasks:
Discuss the SAFE design philosophy and how it
impacts the decision making process.
Recognize why routers, switches, hosts,
networks, and applications are targets.
List the general guidelines for securing these
devices.
3-2
CSI 1.13-2
Copyright
CSI 1.13-4
SAFE serves as a guide to network designers considering the security requirements of their
network. SAFE takes a defense-in-depth approach to network security design. This type of
design focuses on the expected threats and their methods of mitigation, rather than on Put the
firewall here, put the intrusion detection system there. This strategy results in a layered
approach to security where the failure of one security system is not likely to lead to the
compromise of network resources. SAFE is based on Cisco products and those of Cisco partners.
SAFE SMR focuses heavily on threats encountered in networks today. Network designers who
understand these threats can better decide where and how to deploy mitigation technologies.
Without a full understanding of the threats involved in network security, deployments tend to be
incorrectly configured, are too focused on security devices, or lack threat response options. By
taking the threat-mitigation approach, SAFE SMR should provide network designers with
information for making sound network security choices.
Copyright
Architectural Overview
3-3
Key Components of a
SAFE Network
Identity
Authentication,
digital certificates
Perimeter
security
ACLs, Firewalls
Secure
connectivity
Security
monitoring
VPN Tunneling,
encryption
Intrusion detection,
scanning
Security
management
Policy management,
device management
Internet
CSI 1.13-5
The key components of a SAFE network are fundamental to the success of an implementation.
These key components are broken down as follows:
IdentityAuthentication and digital certificates
Perimeter securityAccess Control Lists (ACLs) and firewalls
Secure connectivityVPN tunneling and encryption
Security monitoringIntrusion detection and scanning
Security managementPolicy management, device management, and directory services
The SAFE Blueprint identifies these components as fundamental in protecting all networks
including small, midsize, and remote access networks.
3-4
Copyright
PSTN
module
Medium network/
branch edge
Corporate Internet module
Medium network/
branch campus
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or
ATM
module
FR/ATM
Public
services
WAN module
Corporate
servers
CSI 1.13-6
SAFE SMR principles were developed to take the same principles of SAFE Enterprise and size
them appropriately for smaller networks. This includes branches of larger enterprises as well as
standalone, small-to-midsize security deployments. It also includes information on remote user
networks, such as teleworkers and mobile workers. For further information on SAFE Enterprise,
please refer to SAFE: A Security Blueprint for Enterprise Networks, which can be found on the
Cisco website.
The principles are not necessarily device-specific; however, the design considerations used for
this course are based on Cisco products and those of its partners.
Copyright
Architectural Overview
3-5
SP edge
PSTN module
PSTN
Corporate
users
ISP edge
module
Public
services
Internet
Frame or ATM
module
WAN module
Corporate
servers
FR/ATM
CSI 1.13-7
Staying up-to-date on the latest developments in the hacker and security communities
3-6
Copyright
Design Fundamentals
Implementation decisions vary, depending on the network functionality required. This section
covers the SAFE SMR design objectives that guide the decision making process.
CSI 1.13-9
SAFE SMR uses the following objectives, which are based on the SAFE SMR Blueprint:
Security and attack mitigation is based on policyA properly implemented security policy
without proper security practices can be less effective at mitigating the threat to enterprise
resources than a comprehensive security product implementation without an associated
policy. Cisco assumes that a security policy has been developed and implemented
appropriately.
Security implementation must be throughout the infrastructureIt is important to
understand that network security extends far beyond a simple perimeter. It is necessary to
take an overall approach to network security, including all types of threats.
Deployment must be cost-effectiveAt many points in the network design process, you
need to choose between using integrated functionality in a network device and using a
specialized functional appliance. Integrated functionality is a major consideration in the
implementation of a SAFE SMR network for cost-effectiveness.
Management and reporting must be secureCisco recommends that management of devices
inside the private network use out-of-band management whenever necessary. Other
circumstances such as location, budget, and so on affect this decision, as well as when
Copyright
Architectural Overview
3-7
devices outside the network require management and reporting. In these cases in-band
management may be necessary.
Users and administrators of critical network resources must be authenticated and
authorizedIts always necessary to ensure users and administrators are accessing network
resources with appropriate authentication and authorization such as Digital Certificates,
TACACS+ and Key Exchange.
Intrusion detection must be used for critical resources and subnetsDeployment of intrusion
detection is necessary to mitigate many of the expected threats discussed in this course.
3-8
Copyright
Router
Internal IP
Threat
Personal
firewall
HIDS on PCs
WAN
Critical
Critical
resources
IDS Sensors
Second line of
defense
Wireless threat
CSI 1.13-10
First and foremost SAFE SMR is a security architecture. SAFE SMR must prevent most attacks
from successfully affecting valuable network resources. However, in being secure, the network
must continue to provide critical services that users expect.
The following guidelines are used when developing the architecture:
If the first line of defense is compromised, the attack must be detected and contained by the
second line of defense.
Proper security and good network functionality must be balanced.
Copyright
Architectural Overview
3-9
SAFE SMR is
designed without
resiliency
resiliency is
covered in SAFE
Enterprise
Remote
access VPN
Site-to-Site
VPN
PSTN
Traditional dial
access servers
CSI 1.13-11
Unlike SAFE Enterprise, SAFE SMR is designed without resiliency. The approach taken for
SAFE SMR is to provide a security architecture without resilient and redundant practices for
both cost savings and ease of integration. Those interested in designing secure networks in a
resilient environment should concentrate on the SAFE Enterprise method of design.
3-10
Copyright
ISP
VPN
Software
Client
with
personal
firewall
Authenticate
remote site,
terminate IPSec,
and personal
firewall and virus
scanning for local
attack mitigation
Software
access option
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.13-12
Architectural Overview
3-11
The architecture
addresses security
relationships between
the various functional
blocks of the network.
Security can be
implemented on a
module-by-module
basis instead of
attempting the entire
architecture in a single
phase.
Modules can and
should be combined
to achieve desired
functionality.
2003, Cisco Systems, Inc. All rights reserved.
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or ATM
module
Public
services
WAN module
Corporate
servers
FR/ATM
CSI 1.13-13
Although it is true that most networks cannot be easily dissected into clear-cut modules, the
green field or from scratch modular approach provides a guide for implementing different
security functions throughout the network. Engineers are not expected to design their networks
identical to the SAFE implementation, but rather use a combination of the modules described
and integrate them into the existing network. The advantages to the approach taken are as
follows:
The architecture addresses security relationships between the various functional blocks of
the network.
Security can be implemented on a module-by-module basis instead of attempting the entire
architecture in a single phase.
Modules can and should be combined to achieve desired functionality.
The diagram in the figure is an example of a SAFE medium network and its respective modules,
which include the campus module, corporate Internet module, and the various edge modules.
3-12
Copyright
Safe Axioms
This section covers the Axioms used by SAFE SMR.
A Target-Rich Environment
SAFE SMR is based on the following axioms:
CSI 1.13-15
The following are axioms for when identifying appliances and applications that are primary
network targets:
Routers are targetsRouter security is a critical element in any security deployment.
Switches are targetsUnlike routers, not as much information is available about the security
risks in switches and what can be done to mitigate those risks. Most of the risks associated
with routers are applicable to switches as well.
Hosts are targetsA host presents some of the most difficult challenges from a security
perspective and is the most likely target during an attack. There are numerous hardware
platforms, operating systems, and applications, all of which have updates, patches, and fixes
available at different times.
Networks are targetsThe attacks on networks are most difficult because, typically, they
take advantage of an intrinsic characteristic in the way your network operates.
Applications are targetsAttacks on applications can be benign or malignant. It is the
malignant attacks that require the most attention.
Copyright
Architectural Overview
3-13
3-14
Copyright
Routers advertise
networks and filter
who can use them.
Routers are
potentially a
hackers best friend.
Routers provide
access and,
therefore, you
should secure them
to reduce the
likelihood that they
can be directly
compromised.
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or ATM
module
Public
services
WAN module
Corporate
servers
FR/ATM
CSI 1.13-16
Routers control access from network to network. They advertise networks and filter that can use
them, and they are potentially a hackers best friends. Because of this, router security is a critical
element in any security deployment. It is important for security professionals to be completely
up to date on current router documentation and possible threats to routers. The following URL
can provides the most current Cisco documentation:
http:/www.cisco.com/warp/public/707/21.html.
The figure indicates the location of the routers in the SAFE SMR network example.
Copyright
Architectural Overview
3-15
Public
services
WAN module
CSI 1.13-17
Copyright
Finger
Log at appropriate levelsIt is necessary to log information on the router (for example,
access logs, faults, and warnings).
Authenticate routing updatesIf you are using a dynamic routing protocol that supports
authentication, it is a good idea to enable that authentication. This prevents some malicious
attacks on the routing infrastructure, and can also help to prevent damage caused by
misconfigured rogue devices on the network.
The figure identifies the location of the router in the SAFE SMR network example.
Copyright
Architectural Overview
3-17
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or ATM
module
Public
services
WAN module
Corporate
servers
FR/ATM
Switches are
targets
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.13-18
Like routers, switches (both Layer 2 and Layer 3) have their own set of security considerations.
Unlike routers, not as much information is available about the security risks in switches and
what can be done to mitigate those risks. Most of the security techniques detailed in the
preceding section, Routers Are Targets, apply to switches.
The figure identifies the location of the switches in the SAFE SMR example.
3-18
Copyright
Public
services
WAN module
CSI 1.13-19
The following guidelines are in addition to router-specific guidelines and apply to both Layer 2
and Layer 3 switches:
Ports without any need to trunk should have trunk settings set to offThis prevents a host
from becoming a trunk port and receiving all traffic that would normally reside on a trunk
port.
If you are using older versions of software for your Ethernet switch, make sure that trunk
ports use VLAN number not used anywhere else in the switchThis prevents packets
tagged with the same VLAN as the trunk port from reaching another VLAN without
crossing a layer 3 device.
Disable all unused ports on a switchThis prevents hackers from plugging in to unused
ports and communicating with the rest of the network.
Avoid using VLANs as the sole method of securing access between two subnetsThe
capability for human error, combined with the understanding that VLANs and VLANtagging protocols were not designed with security in mind, makes their use in sensitive
environments inadvisable.
Private VLANs provide some added security to specific network applications (not available
on most low-end switches)They work by limiting which ports within a VLAN can
communicate with ports in the same VLAN.
The figure identifies the location of the switches in the SAFE SMR example.
Copyright
Architectural Overview
3-19
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or ATM
module
Public
services
WAN module
Corporate
servers
FR/ATM
Hosts are
targets
CSI 1.13-20
Being the most likely target during an attack, the host presents some of the most difficult
challenges from a security perspective. There are numerous hardware platforms, operating
systems, and applications, all of which have updates, patches, and fixes available at different
times.
Because hosts provide the application services to other hosts that request them, they are
extremely visible within the network. For example, many people have visited
www.whitehouse.gov, which is a host, but few have attempted to access s2-0.whitehouseisp.net,
which is a router. Because of this visibility, hosts are the most frequently attacked devices in any
network intrusion attempt.
In part because of the aforementioned security challenges, hosts are also the most successfully
compromised devices. For example, a given web server on the Internet might run a hardware
platform from one vendor, a network card from another, an operating system from still another
vendor, and a web server that is either open source or from yet another vendor. Additionally, the
same web server might run applications that are freely distributed via the Internet, and might
communicate with a database server that starts the variations all over again. That is not to say
that the security vulnerabilities are specifically caused by the multisource nature of all of this,
but rather that as the complexity of a system increases, so does the likelihood of a failure.
The figure identifies the location of the hosts in the SAFE SMR example.
3-20
Copyright
Public
services
WAN module
CSI 1.13-21
The following are guidelines that can be a major factor in maintaining a secure environment for
hosts:
Pay careful attention to each of the components within the systemThese components
include hardware and software.
Keep any systems up-to-date with the latest patches, fixes, and so onBecause patches and
fixes are being created constantly for software and hardware. It is a good rule to practice
according to your organizations change management policy on affected hosts.
Pay attention to how these patches affect the operation of other system componentsRead
release notes and updates on all changes prior to implementation.
Evaluate all updates on test systems before you implement them in a production
environmentThis practice ensures that changes are successful and also inhibits possible
affects to other components.
The figure identifies the location of the hosts in the SAFE SMR example.
Copyright
Architectural Overview
3-21
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or ATM
module
Public
services
WAN module
Corporate
servers
FR/ATM
CSI 1.13-22
Network attacks are among the most difficult attacks to deal with because they typically take
advantage of an intrinsic characteristic in the way your network operates. These attacks include:
Address Resolution Protocol (ARP)Identifies network component addresses for further
attack.
Media Access Control (MAC)-based Layer 2 attacksIdentifies the MAC layer address for
further attack.
SniffersA software application that uses a network adapter card in promiscuous mode to
capture all network packets that are sent across a particular collision domain.
Distributed denial of service (DDoS) attacksCauses multiple machines to simultaneously
send spurious data to an IP address. The following are common forms of DDoS attacks:
UDP floods
The figure identifies the location of the networks in the SAFE SMR example.
3-22
Copyright
Public
services
WAN module
CSI 1.13-23
One approach to limiting a network attack is to follow filtering guidelines for networks outlined
in RFC 1918 and RFC 2827:
RFC 1918This RFC provides background on the allocation of IP addresses for private
Internets. It also provides implementation guidelines for companies that want to implement
IP but do not want full connectivity to the Internet.
RFC 2827This RFC provides an effective and straightforward method for using ingress
traffic filtering to prohibit denial of service (DoS) attacks, which use forged IP addresses to
be propagated from behind an ISPs aggregation point. Collectively, if ISPs worldwide were
to implement the guidelines in RFC 2827, source address spoofing would be greatly
diminished. Although this strategy does not directly prevent DDoS attacks, it does prevent
such attacks from masking their source, which makes tracing back to the attacking networks
much easier. Ask your ISP about which DDoS mitigation options they make available to
their customers.
The figure identifies the location of the networks in the SAFE SMR example.
Copyright
Architectural Overview
3-23
Applications are subject to numerous problems that can be benign or malignant. Security issues
involve the following:
How an application makes calls to other applications or the operating system itself
The privilege level at which the application runs
The degree of trust that the application has for the surrounding systems
The method the application uses to transport data across the network
Applications are coded by human beings (mostly) and, as such, are subject to numerous errors.
These errors can be benign (for example, an error that causes your document to print
incorrectly), or malignant (for example, an error that makes the credit card numbers on your
database server available via anonymous FTP). It is the malignant problems that need careful
attention.
The figure identifies the location of the applications in the SAFE SMR example.
3-24
Copyright
Public
services
WAN module
CSI 1.13-25
Care needs to be taken to ensure that commercial and public domain applications are up-to-date
with the latest security fixes. Public domain applications, as well as custom-developed
applications, also require code review to ensure that the applications are not introducing any
security risks caused by poor programming. IDSs can help mitigate some of the attacks launched
against applications and other functions within the network.
With any system or application changes it is necessary to review release notes and
documentation, follow your organizations change management policies, and test in a nonproduction environment prior to implementation.
The figure identifies the location of the applications in the SAFE SMR example.
Copyright
Architectural Overview
3-25
IDSs
IDSs can respond to an
attack in two ways:
Take corrective
action itself
Notify a management
system for actions by
the administrator
There are two types of
IDSs:
Host-based (HIDS)
Often better at
preventing specific
attacks
Network-based
(NIDS)Allows a
perspective of the
overall network
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Public
services
Internet
Frame or ATM
module
Corporate
servers
WAN module
FR/ATM
NIDS
HIDS
CSI 1.13-26
IDSs act like an alarm system in the physical world. When an IDS detects something that it
considers an attack, it can either take corrective action itself or notify a management system for
actions by the administrator. Some systems are more or less equipped to respond to and prevent
such an attack.
Host-based intrusion detection can work by intercepting operating system and application calls
on an individual host. It can also operate by after-the-fact analysis of local log files. The former
approach allows better attack prevention, whereas the latter approach dictates a more passive
attack-response role. Because of the specificity of their role, host-based IDSs (HIDSs) are often
better at preventing specific attacks than network-based IDSs (NIDSs), which usually issue only
an alert upon discovery of an attack.
However, that specificity causes a loss of perspective to the overall network. This is where NIDS
excels. Ideally, Cisco recommends a combination of the two systemsHIDS on critical hosts
and NIDS looking over the whole networkfor a complete IDS.
Several factors need to be considered when choosing between the types of IDSs to implement:
Budget
Number of devices needing to be monitored
Topology of the network
Number of personnel required to respond to attacks
The figure identifies the location of the IDSs in the SAFE SMR example.
3-26
Copyright
IDSsGeneral Guidelines
The following are general
guidelines:
Public
services
WAN module
CSI 1.13-27
The following guidelines can aid an administrator in preventing attacks and unnecessary work:
Tune the implementation to decrease false positivesFalse positives are alarms caused by
legitimate traffic or activity. False negatives are attacks that the IDS fails to see. When the
IDS is tuned, you can configure it more specifically as to its threat-mitigation role.
Generally use shunning only on TCP traffic, as it is more difficult to spoof than UDP
Shunning is the use of access control filters and should be carefully implemented.
Keep the shun length shortKeeping the shun length short eliminates blocking traffic from
a valid address that has been spoofed previously.
Because TCP traffic is more difficult to spoof, you should consider using TCP resets more
often than shunningTCP resets operate only on TCP traffic and terminate an active attack
by sending a TCP reset to both the attacking and attacked host.
Consider outsourcing your IDS management to a third party because of the need for constant
monitoringIT staff are often overworked (particularly in smaller organizations).
The figure identifies the location of the IDSs in the SAFE SMR example.
Copyright
Architectural Overview
3-27
CSI 1.13-28
The following are out-of-band secure management guidelines for the architecture:
Should provide the highest level of security. It should mitigate the risk of passing insecure
management protocols over the production network.
Should keep clocks on hosts and network devices in sync.
Should record changes and archive configurations.
The following are in-band secure management guidelines:
Decide if the device really needs to be managed or monitored.
Use IPSec when possible.
Use SSH or SSL instead of Telnet.
Decide if the management channel needs to be open at all times.
Keep clocks on hosts and network devices in sync.
Record changes and archive configurations.
Even though out-of-band management is recommended for devices in SAFE Enterprise, SAFE
SMR recommends in-band management because the goal is cost-effective security deployment.
In the SAFE SMR architecture, management traffic flows in-band in all cases, and is made as
secure as possible using tunneling protocols and secure variants to insecure management
3-28
Copyright
protocols (for example, Secure Shell Protocol [SSH] is used whenever possible instead of
Telnet). With management traffic flowing in-band across the production network, it becomes
very important to follow more closely the axioms mentioned earlier in the chapter.
To ensure that log messages are time-synchronized to one another, clocks on hosts and network
devices must be in sync. For devices that support it, Network Time Protocol (NTP) provides a
way to ensure that accurate time is kept on all devices. When dealing with attacks, seconds
matter because it is important to identify the order in which a specified attack occurred.
NTP is used to synchronize the clocks of various devices across a network. Synchronization of
the clocks within a network is critical for digital certificates, and for correct interpretation of
events within Syslog data. A secure method of providing clocking for the network is for the
network administrator to implement their own master clock. The private network should then be
synchronized to Coordinated Universal Time (UTC) via satellite or radio. However, clock
sources are available which synchronize via the Internet if the network administrator does not
wish to implement their own master clock because of costs or other reasons.
An attacker could attempt a DoS attack on a network by sending bogus NTP data across the
Internet in an attempt to change the clocks on network devices in such a manner that digital
certificates are considered invalid. Further, an attacker could attempt to confuse a network
administrator during an attack by disrupting the clocks on network devices. This scenario would
make it difficult for the network administrator to determine the order of Syslog events on
multiple devices.
Version 3 and above of NTP supports a cryptographic authentication mechanism between peers.
The use of the authentication mechanism, as well as ACLs that specify which network devices
are allowed to synchronize with other network devices, is recommended to help mitigate against
such a scenario.
The network administrator should weigh the cost benefits of pulling the clock from the Internet,
with the possible risk of doing so and allowing it through the firewall. Many NTP servers on the
Internet do not require any authentication of peers. Therefore, the network administrator must
trust that the clock itself is reliable, valid, and secure. NTP uses UDP port 123.
Copyright
Architectural Overview
3-29
CSI 1.13-29
Logging and reading information from many devices can be very challenging. The following
issues must be considered:
Identify which logs are most important.
Separate important messages from notifications.
Ensure that logs are not tampered with in transit.
Ensure that time stamps match each other when multiple devices report the same alarm.
Identify what information is needed if log data is required for a criminal investigation.
Identify how to deal with the volume of messages that can be generated when a system is
under attack.
Each of these issues are company-specific and require the input of management as well as the
network and security teams to identify the priorities of reporting and monitoring. The
implemented security policy should also play a large role in answering these questions.
From a reporting standpoint, most networking devices can send Syslog data that can be
invaluable when troubleshooting network problems or security threats. You can send this data to
your Syslog analysis host from any devices whose logs you wish to view. This data can be
viewed in real-time or via on-demand, and in scheduled reports. Depending on the device
involved, you can choose various logging levels to ensure that the correct amount of data is sent
to the logging device. You also need to flag device log data within the analysis software to
permit granular viewing and reporting. For example, during an attack the log data provided by
Layer 2 switches might not be as interesting as the data provided by the IDS.
3-30
Copyright
To ensure that log messages are time-synchronized to one another, clocks on hosts and network
devices must be in sync. For devices that support it, NTP provides a way to ensure that accurate
time is kept on all devices. When dealing with attacks, seconds matter because it is important to
identify the order in which a specified attack occurred.
Configuration change management is another issue related to secure management. When a
network is under attack, it is important to know the state of critical network devices and when
the last known modifications occurred. Creating a plan for change management should be a part
of your comprehensive security policy, but, at a minimum, you should record changes using
authentication systems on the devices, and archive configurations via FTP or TFTP.
Copyright
Architectural Overview
3-31
Summary
This section summarizes the information you learned in this chapter.
Summary
SAFE SMR is a design philosophy for
implementing security on a network.
SAFE SMR serves as a guide to network
designers considering the security requirements
of their network.
Routers, switches, hosts, networks, and
applications are targets identified in SAFE SMR.
Each target identified in SAFE SMR should be
hardened using the guidelines provided.
3-32
CSI 1.13-31
Copyright
Objectives
This section lists the chapters objectives.
Objectives
Upon completion of this chapter, you will
be able to perform the following tasks:
List the devices that are part of the Cisco
security portfolio.
Understand the basic guidelines to use for
product selection.
Be aware of the Cisco AVVID program.
4-2
CSI 1.14-2
Copyright
VPN
Cisco VPN
Concentrators
Perimeter
security
Intrusion
protection
Identity
Firewalls
Intrusion
detection
scanning
Authentication
Cisco PIX
Firewalls
Cisco PIX
Firewalls
Cisco IOS
VPN
Cisco IDS
Sensors
network-, host-,
and switch-based
Cisco Access
Control Server
Cisco PIX
Firewalls
Cisco IOS
Firewall
Cisco IOS
IDS
Security
management
Policy
CiscoWorks
VPN and
security
management
solution
Cisco Secure
Policy Manager
CSI 1.14-4
Perimeter securityFirewalls
PIX Firewalls
Copyright
4-3
Copyright
Copyright
4-5
Solutions
Secure intranet for
workforce optimization
Ecosystem
Integration partners
Security Associate solutions
Cisco programs and services
Directory
2003, Cisco Systems, Inc. All rights reserved.
Service control
Infrastructure
Appliances or clients
Operations
Applications
Cisco AVVID
system
architecture
CSI 1.14-5
Cisco has opened its Cisco Architecture for Voice, Video, and Integrated Data (AVVID)
architecture and SAFE Blueprint to key third-party vendors to create a security solutions
ecosystem to spur development of best-in-class multiservice applications and products. The
Cisco AVVID architecture and SAFE Blueprint provide interoperability for third-party hardware
and software using standards-based media interfaces, application-programming interfaces
(APIs), and protocols. This ecosystem is offered through the Security and VPN Associate
Program, an interoperability solutions program that provides Cisco customers with tested and
certified, complementary products for securing their businesses. The ecosystem enables
businesses to design and roll out secure networks that best fit their business model and enable
maximum agility.
4-6
Copyright
Secure Connectivity
CSI 1.14-7
Teleworkers
Partner connectivity
Copyright
4-7
4-8
Copyright
OverviewVPNs
Home office
Intranet VPNLow
cost, tunneled
connections with
rich VPN services,
which lead to cost
savings and new
applications
Remote office
POP
Main
office
VPN
POP
Extranet VPN
Extends WANs to
business partners,
which leads to new
applications and
business models
Remote access
VPNCost saving
Business partner
Mobile worker
CSI 1.14-8
Copyright
4-9
VPN SolutionsChoices
Remote access
Site-to-site
Firewall-based
Large enterprise, SP
3060, 3080
Concentrators
Medium enterprise
3030
Concentrator
Small
business/branch
office
SOHO market
3015, 3005
Concentrator
CSI 1.14-9
Cisco provides VPN solutions for all network sizes. The information in the figure indicates the
platforms that can support each size network most effectively. You can use this information as a
starting point to choose what device best fits your environment.
4-10
Copyright
CSI 1.14-11
The following are the features and uses for the Cisco VPN 3000 Concentrator Series:
Primarily used for remote access
Includes a standards-based VPN Client and management GUI
Allows mobile workers and telecommuters broadband connectivity over cable and DSL
Uses Remote Access Dial-In User Service (RADIUS) for authentication
Split tunnelingcorporate and Internet
Implements behind the Internet access router and is parallel to the PIX Firewall
With the Cisco VPN 3000 Series Concentrator, customers can take advantage of the latest VPN
technology to vastly reduce their communications expenditures. It is the only scalable platform
to offer field-swappable and customer-upgradeable components. These components, called
Copyright
4-11
Scalable Encryption Processing (SEP) modules, enable users to easily add capacity and
throughput.
4-12
Copyright
Models
Simultaneous users
Performance (Mbps)
Encrytpion cards
Memory (Mb)
Upgradable
Dual power supply
Redundancy
Site-to-site tunnels
3005
100
4
0
64
No
No
No
100
3015
100
4
0
128
Yes
Optional
Yes
100
3030
1500
50
1
128
Yes
Optional
Yes
500
3060
5000
100
2
256
Yes
Optional
Yes
1,000
3080
10,000
100
4
256
N/A
Yes
Yes
1,000
CSI 1.14-12
The Cisco VPN 3000 Series Concentrator includes models to support a range of enterprise
customers, from small businesses with 100 or fewer remote access users, to large organizations
with up to 10,000 simultaneous remote users. The Cisco VPN Client is provided with all
versions of the Cisco VPN 3000 Series Concentrator, and includes unlimited distribution
licensing. The Cisco VPN 3000 Series Concentrator is available in both non-redundant and
redundant configurations. The table in the figure can assist an engineer in choosing the most
scaleable, cost effective, and redundant solution for their network.
Copyright
4-13
CSI 1.14-13
The Cisco unified VPN Client strategy is a new framework with a specification to enable VPN
connectivity between all desktop, laptop, and personal digital assistant clients and the full range
of Cisco VPN-enabled Concentrators, routers, and firewalls. Using push policy capabilities,
the unified VPN Client framework allows customers to centrally manage security policies, while
easily delivering large-scale VPN connectivity to remote users. All of the Cisco IPSec-based
VPN products for the enterprise and service providers support the unified VPN Client
framework.
4-14
Copyright
Single user
3002
Cable modem
Home office
3002
DSL modem
Small office
Internet
Easy deployment
Centralized policy push
3002
ISDN modem
CSI 1.14-14
Based on the unified VPN Client framework, the Cisco VPN 3002 Hardware Client combines
the best features of a software client, including scalability and ease-of-deployment, with the
stability and independence of a hardware platform. The Cisco VPN 3002 Hardware Client works
with all operating systems and does not interfere with the operation of the PC because it is a
separate hardware appliance.
The Cisco VPN 3002 Hardware Client is a small, highly cost-effective appliance. It is ideal for
organizations where thousands of remote end-users might be tunneling into corporate networks
from large numbers of geographically dispersed branch or home office sites.
Copyright
4-15
Internet
Mobile
Certicom
client
Aironet client
Cisco VPN 3000 Client
Aironet client
CSI 1.14-15
Remote access wireless VPN solutions are available for the VPN Concentrator via the Cisco
AVVID partner program. With release 3.0, all Cisco VPN 3000 Concentrators support Elliptic
Curve Cryptography or ECC. This is a new Diffie-Hellman (DH) group that allows for much
faster processing of keying information by devices with limited processing power such as
Personal Digital Assistants (PDAs) and Smart Phones. Cisco VPN 3000 Concentrators can now
securely terminate tunnels from IP-enabled wireless devices, allowing a whole new class of users
to securely access enterprise information while preserving the investment in VPN termination
equipment in the enterprise data center.
4-16
Copyright
CSI 1.14-17
Site-to-site VPNs are an alternative WAN infrastructure that are used to connect branch offices,
home offices, or business partners sites to all or portions of a companys network. VPNs do not
inherently change private WAN requirements, such as support for multiple protocols, high
reliability, and extensive scalability, but instead meet these requirements more cost-effectively
and with greater flexibility. Site-to-site VPNs use the most pervasive transport technologies
available today, such as the Internet or service providers IP networks, by employing tunneling
and encryption for data privacy and Quality of Service (QoS) for transport reliability.
The following are the Cisco VPN-optimized router features:
Is used for site-to-site VPNs
Includes SOHO, 800 and 7000 series models
Replaces and augments private networks that use
Copyright
A leased line
Frame relay
4-17
ATM
4-18
Copyright
Scalability
Network resiliency
Bandwidth optimization and QoS
Deployment flexibility
CSI 1.14-18
Deployment flexibility
Copyright
4-19
4-20
Copyright
VPN-optimized
router connecting
remote offices at
T1/E1 speeds
Remote
office
Main office
Regional
office
Internet
VPN-optimized routers
connecting branch
and regional offices at
nxT1/E1 speeds
Site-to-Site VPNs are best constructed using a wide variety of Cisco VPN Routers. VPN Routers
provide scalability through optional encryption acceleration. The Cisco VPN Router portfolio
provides solution for small office/home office (SOHO) access through central-site VPN
aggregation, including platforms for fast-emerging cable and digital subscriber line (DSL) access
technologies.
The following provides recommendations for scalability for Site-to-Site VPN solutions:
Remote officeCisco 1700 Series, which is a VPN-optimized router connecting remote
offices at T1/E1 speeds
Regional officeCisco 2600 and 3600 Series, which are VPN-optimized routers connecting
branch and regional offices at nxT1/E1 speeds
Small Office/Home Office (SOHO)Cisco 800 and 900 Series, which are VPN-optimized
routers for ISDN, DSL, and cable connectivity
Main OfficeCisco 7000 Series, dedicated VPN head-end and hybrid private WAN and
VPN connectivity
Copyright
4-21
CSI 1.14-20
The VPN Acceleration Module (VAM) is a single-width acceleration module. It provides highperformance, hardware-assisted tunneling and encryption services suitable for VPN remote
access, site-to-site intranet, and extranet applications. It also provides platform scalability and
security while working with all services necessary for successful VPN deploymentssecurity,
QoS, firewall and intrusion detection, service-level validation, and management. The VAM offloads IPSec processing from the main processor, thus freeing resources on the processor engines
for other tasks.
4-22
Copyright
CSI 1.14-22
4-23
4-24
Copyright
Price
PIX 535-UR
PIX 525-UR
PIX 515E-UR
PIX 506E
Gigabit Ethernet
PIX 501
SOHO
ROBO
SMB
Enterprise
SP
Functionality
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.14-23
The Cisco PIX Firewall series delivers strong security in an easy-to-install, integrated hardware
and software firewall appliance that offers outstanding performance. The PIX Firewall family
spans the entire user application spectrum, from compact, plug-and-play desktop firewalls for
small and home offices to carrier-class gigabit firewalls for the most demanding enterprise and
service provider environments. PIX Firewalls deliver superior performance of up to 500,000
simultaneous connections and nearly 1.7 Gbps aggregate throughput.
Copyright
4-25
VAC
The VAC uses
Large enterprise and
complex, high-traffic
environments
100 Mbps pf 3DES and
SHA
The VAC requires
Version 5.3 or higher
A PIX Firewall 515, 520,
525, or 535 (available as a
PCI slot)
CSI 1.14-24
The VPN Accelerator Card (VAC) for the PIX Firewall series provides high-performance,
tunneling and encryption services suitable for site-to-site and remote access applications. This
hardware-based VPN accelerator is optimized to handle the repetitive but voluminous
mathematical functions required for IPSec. Offloading encryption functions to the card not only
improves IPSec encryption processing, but also maintains high-end firewall performance. As an
integral component of the Cisco virtual VPN solution, the VAC provides platform scalability
and security while working seamlessly with services necessary for successful VPN
deploymentsencryption, tunneling, and firewall.
The VAC, which fits in a PCI slot inside the PIX Firewall chassis, encrypts data using the 56-bit
Data Encryption Standard (DES) or 168-bit Triple-Data Encryption Standard (3DES) algorithms
at speeds up to 100 Mbps. A PIX Firewall equipped with a VAC supports as many as 2,000
encrypted tunnels for concurrent sessions with mobile users or other sites. In addition to
encryption, the card handles a variety of other IPSec-related taskshashing, key exchange, and
storage of security associationsthat free the PIX Firewall main processor and memory to
perform other perimeter security functions. The following are features of the VAC:
EncryptionDES and 3DES encryption are very CPU-intensive, potentially impacting
firewall performance in high-throughput configurations. The VAC makes it possible to send
DES- or 3DES-encrypted data at high speed while still providing the full range of perimeter
security services available from the PIX Firewall.
AuthenticationRivest, Shamir, and Adleman (RSA) and Diffie-Hellman are CPU-intensive
protocols that are used when a new IPSec tunnel is established. RSA authenticates the
remote device while DH exchanges keys that will be used for DES or 3DES encryption. The
VAC implements these protocols in specialized hardware ensuring fast tunnel setup and high
overall encryption throughput.
4-26
Copyright
TunnelingThe PIX Firewall and VAC support IPSec tunneling protocols, which enables
high-performance and flexible network designs for both remote access and site-to-site VPNs.
Site-to-site solutions can be designed with the PIX Firewall, or combinations of PIX
Firewalls with Cisco VPN appliances or VPN-enabled multi-service routers. Remote access
solutions can use the Cisco VPN Client or other third-party clients supporting the IPSec
tunneling protocol.
Copyright
4-27
CSI 1.14-25
4-28
Copyright
IOS FirewallCBAC
The following are the
CBAC features:
Stateful inspection
User
IOS Firewall
using CBAC
CSI 1.14-26
Context-based access control (CBAC) intelligently filters TCP and UDP packets based on
application-layer protocol session information, and can be used for intranets, extranets, and the
Internet. You can configure CBAC to permit specified TCP and UDP traffic through a firewall
only when the connection is initiated from within the network you want to protect (that is,
CBAC can inspect traffic for sessions that originate from the external network). However, while
this example discusses inspecting traffic for sessions that originate from the external network,
CBAC can inspect traffic for sessions that originate from either side of the firewall.
Without CBAC, traffic filtering is limited to access control list (ACL) implementations that
examine packets at the network layer, or at most, the transport layer. However, CBAC examines
not only network layer and transport layer information, but also examines the application-layer
protocol information (such as FTP connection information) to learn about the state of the TCP or
UDP session. This allows support of protocols that involve multiple channels created as a result
of negotiations in the control channel. Most of the multimedia protocols as well as some other
protocols (such as FTP, Remote Procedure Call [RPC], and SQL*Net) involve multiple
channels.
CBAC inspects traffic that travels through the firewall to discover and manage state information
for TCP and UDP sessions. This state information is used to create temporary openings in the
firewalls ACLs to allow return traffic and additional data connections for permissible sessions
(sessions that originated from within the protected internal network).
CBAC also provides the following benefits:
Java blocking
DoS prevention and detection
Copyright
4-29
4-30
Copyright
Intrusion ProtectionIDS
This section provides an overview and product information for the Cisco Intrusion Detection
System (IDS).
OverviewIntrusion Detection
Deployment Scenarios
Business
partner
Extranet IDS
Monitors partner
traffic where
trust is implied
but not assured
Users
Corporate
office
Data
center
NAS
Internet IDS
Complements the
firewall and VPN by
monitoring traffic for
malicious activity
Internet
DMZ
servers
CSI 1.14-28
Copyright
4-31
CSI 1.14-29
4-32
Copyright
Copyright
4-33
The following are the Cisco IDS appliance features and uses:
System flexibility and deployment enhancements focus
Signature definition and distribution enhancements
An active update mechanism
Comprehensive signature language
Alarm summarization
Active response extensions
Shunning with the PIX Firewall
Shunning with Catalyst switches
Secure administration
Enhanced filtering
The complete line of market-leading Cisco IDS 4200 Series appliances delivers performanceoptimized intrusion protection within an integrated, turn-key solution.
4-34
Copyright
The Cisco IDS 4200 Series Sensors are purpose-built, high-performance network security
appliances that protect against unauthorized, malicious activity traversing the network (for
example, attacks by hackers). Cisco IDS Sensors analyze traffic in real time, enabling users to
quickly respond to security breaches.
The IDSM is a switching module that is easy to install and maintain in the Catalyst 6000 family
switch. The IDSM performs network sensingreal-time monitoring of network packets through
packet capture and analysis. The IDSM captures network packets and then reassembles and
compares this data against a rule set indicating typical intrusion activity. Network traffic is either
copied to the IDSM based on security VLAN access control lists (VACLs) in the switch or is
routed to the IDSM via the switchs Switched Port Analyzer (SPAN) port feature. Both methods
allow user-specified kinds of traffic based on switch ports, VLANs, or traffic type to be
inspected. The figure provides a feature overview of the IDS appliances.
Copyright
4-35
1 2 3
4 5 6
7 8 9
0
1 2 3
4 5 6
7 8 9
0
CSI 1.14-34
The features and uses of the Cisco Secure Access Control Server (ACS) are as follows:
Key component used with firewall, dial-up access servers, and routers.
Implement at network access points to authenticate remote or dial-in users.
Implement at WAN extranet connections to audit activities and control authentication and
authorization for business partner connections.
You can leverage the same Cisco Secure ACS access framework to control administrator access
and configuration for all network devices in your network that are enabled by RADIUS and
Terminal Access Controller Access Control System Plus (TACACS+). Advanced features of the
Cisco Secure ACS include the following:
Automatic service monitoring
Database synchronization and importation of tools for large-scale deployments
Lightweight Directory Access Protocol (LDAP) user authentication support
User and administrative access reporting
4-36
Copyright
Copyright
4-37
Cisco Secure Access Control Server (ACS) features include the following:
Easy-to-use GUI
Full RADIUS and TACACS+ user and administrator access control
High performance (500+ authorizations per second)
Supports LDAP, Novell Directory Services (NDS), Open Database Connectivity (ODBC)
datastores
Scalable data replication and redundancy services
Full accounting and user reporting features
4-38
Copyright
The Cisco Secure ACS is a high-performance, highly scalable, centralized user access control
framework. Cisco Secure ACS offers centralized command and control for all user
authentication, authorization, and accounting activities. Cisco Secure ACS also distributes those
controls to hundreds or thousands of access gateways in your network. Authentication verifies
user identity. Authorization configures integrity, such as user access rights. Accounting assists
with auditing by logging user activities.
With Cisco Secure ACS you can manage and administer user access for the following:
Cisco IOS Routers
VPNs
Firewalls, and dial and broadband DSL
Cable access solutions
Voice over IP (VoIP)
Cisco wireless solutions
Cisco Catalyst switches via IEEE 802.1x access control
Network devices enabled by TACACS+
Network devices enabled by RADIUS
The authentication methods employed are:
Static passwords
One time passwords
RADIUS
TACACS+
Copyright
4-39
The goal of security management is to control access to network resources according to local
guidelines so that the network cannot be sabotaged (intentionally or unintentionally) and so that
sensitive information cannot be accessed by those without appropriate authorization. A security
management subsystem, for example, can monitor users logging on to a network resource and
can refuse access to those who enter inappropriate access codes.
Security management subsystems work by partitioning network resources into authorized and
unauthorized areas. For some users, access to any network resource is inappropriate, mostly
because such users are usually company outsiders. For other (internal) network users, access to
information originating from a particular department is inappropriate. Access to Human
Resource files, for example, is inappropriate for most users outside the Human Resources
department.
Security management subsystems perform several functions. They identify sensitive network
resources (including systems, files, and other entities), and determine mappings between
sensitive network resources and user sets. They also monitor access points to sensitive network
resources and log inappropriate access to sensitive network resources.
4-40
Copyright
CSPM is a scalable, powerful, policy-based security management system for Cisco firewalls,
IPSec VPN routers, and Sensors. With CSPM, Cisco customers can define, distribute, enforce,
and audit network-wide security policies from a central location. CSPM streamlines the tasks of
managing complicated network security elements, such as perimeter access control, IDSs,
Network Address Translation (NAT)- and IPSec-based VPNs. As the management cornerstone
of the Cisco end-to-end security product line, CSPM can dramatically simplify firewall, IDS,
and VPN deployment in enterprise and service provider networks.
The CSPM GUI enables administrators to visually define high-level security policies for
multiple Cisco firewalls and VPN routers. These policies can be distributed throughout the
network from a central location, thus completely eliminating the costly, time-consuming practice
of manually implementing security configurations on a command-by-command and device-bydevice basis. CSPM also provides basic system auditing functions, including real-time alarm
notification and a Web-based reporting system.
Copyright
4-41
VPN
Firewall
NIDS
4-42
Copyright
Cisco AVVID
This section discusses Cisco Architecture for Voice, Video, and Integrated Data (AVVID).
Error! Not a valid link.
The Internet is creating tremendous business opportunities for Cisco and Cisco customers.
Internet business solutions such as e-commerce, supply chain management, e-learning, and
customer care are dramatically increasing productivity and efficiency.
Cisco AVVID is the one enterprise architecture that provides the intelligent network
infrastructure for todays Internet business solutions. As the industrys only enterprise-wide,
standards-based network architecture, Cisco AVVID provides the roadmap for combining
customers business and technology strategies into one cohesive model.
Copyright
4-43
Cisco AVVID can be viewed as a framework to describe a network optimized for the support of
Internet business solutions, and as a best practice or roadmap for network implementation. The
following are the different parts of the Cisco AVVID architecture:
Clients
Network platforms
Intelligent network services
Internet middleware layer
Internet business integrators
Internet business solutions
4-44
Copyright
With Cisco AVVID, customers have a comprehensive roadmap for enabling Internet business
solutions and creating a competitive advantage. There are four Cisco AVVID benefits:
IntegrationBy leveraging the Cisco AVVID architecture and applying the network
intelligence inherent in IP, companies can develop comprehensive tools to improve
productivity.
IntelligenceTraffic prioritization and intelligent networking services maximize network
efficiency for optimized application performance.
InnovationCustomers have the ability to adapt quickly in a changing business
environment.
InteroperabilityStandards-based APIs enable open-integration with third-party developers,
providing customers with choice and flexibility.
Copyright
4-45
The Cisco AVVID program changes frequently with new partners and products being introduced
on an ongoing basis. The links in the figure can be used to get the latest information about the
AVVID program and products offered.
4-46
Copyright
Summary
This section summarizes the information you learned in this chapter.
Error! Not a valid link.
Copyright
4-47
Objectives
This section lists the chapters objectives.
Objectives
Identify the functions of modules and the key devices in a
small network.
Understand specific threats and mitigation roles of Cisco
devices.
Implement specific configurations to apply mitigation
roles:
Pix Firewall configuration
Configure IOS Firewall features
Recommend alternative devices.
5-2
CSI 1.15-2
Copyright
SP edge
ISP
Isolated service
network
Small network
or branch campus
Campus module
Management
Server
Public
services
Firewall
Corporate
users
Corporate
servers
CSI 1.15-4
Copyright
5-3
IOS Firewall or
PIX Firewall
Servers
Layer 2
switch
Public
services
ISP
ISP router
To campus
One or the
other
IOS Firewall or
PIX Firewall
CSI 1.15-6
The Corporate Internet Module provides internal users with connectivity to Internet services and
Internet users access to information on public servers. VPN access is also provided to remote
locations and telecommuters. This module is not designed to serve e-commerce type
applications.
The following are key devices in the Corporate Internet Module:
SMTP serverActs as a relay between the Internet and the intranet mail servers.
DNS serverServes as authoritative external DNS server for the small network. It relays
internal requests to the Internet.
FTP or HTTP serverProvides public information about the organization.
Firewall or IOS Firewall routerProvides network-level protection of resources and stateful
filtering of traffic and provides differentiated security for remote access users. It
authenticates trusted remote sites and provides connectivity using IPSec tunnels.
Layer 2 switch (with private VLAN support)Provides Layer 2 connectivity for devices.
HIDS
5-4
Copyright
Expected Threats
and Mitigation Roles
The following threats can be expected:
CSI 1.15-7
There are publicly addressable servers that are the most likely points of attacks. The following
are expected threats to those publicly addressable servers:
Unauthorized accessMitigated through filtering at the firewall
Application layer attacksMitigated through Host-based Intrusion Detection Systems
(HIDSs) on the public servers
Virus and Trojan horse attacksMitigated through virus scanning at the host level
Password attacksLimited services available to brute force (operating systems and IDSs
can detect the threat)
Denial of service (DoS)Use committed access rate (CAR) at the ISP edge and TCP setup
controls at the firewall to limit exposure
From a threat perspective, a small or midsize network is like most networks connected to the
Internet: there are internal users who need access out and external users who need access in.
Several common threats can generate the initial compromise that a hacker needs to further
penetrate the network with secondary exploits.
Copyright
5-5
Expected Threats
and Mitigation Roles (cont.)
IP spoofingRFC 2827 and 1918 filtering at the ISP edge
router and at the firewall in the corporate Internet module
Packet sniffersSwitched infrastructure and an HIDS to
limit exposure
Network reconnaissanceAn HIDS detects recon, and
protocols are filtered to limit effectiveness
Trust exploitationRestrictive trust model and private
VLANs to limit trust-based attacks
Port redirectionRestrictive filtering and an HIDS to limit
attacks
CSI 1.15-8
IP spoofingRFC 2827 and 1918 filtering at the ISP edge and local firewall
Packet sniffersSwitched infrastructure and an HIDS to limit exposure
Network reconnaissanceHIDS detects recon; protocols filtered to limit exposure
Trust exploitationRestrictive trust model and private VLANs to limit
trust-based attacks
Port redirectionRestrictive filtering and an HIDS to limit attacks
Though statistics vary on the percentage, it is an established fact that most attacks come from the
internal network. Disgruntled employees, corporate spies, visiting guests, and inadvertent
bumbling users are all potential sources of such attacks. When designing security, you must be
aware of the potential for internal threats.
There is also the risk of threat to the publicly addressable hosts that are connected to the Internet.
These systems will likely be attacked with application-layer vulnerabilities and DoS attacks.
5-6
Copyright
Private VLANs
ISP
Public
services
One or the
other
To campus
Stateful packet
filtering, basic layer
7 filtering, host DoS
mitigation, and
spoof mitigation
CSI 1.15-9
The attack mitigation roles for each device in the SAFE SMR Small Network Corporate Internet
Module are as follows:
ISP Router
Spoof mitigation
Rate-limiting
Firewall
Spoof mitigation
Private VLANs
HIDS
Copyright
5-7
Mitigation
At the ingress of the firewall, RFC 1918 and RFC 2827 filtering are provided as a verification of
the ISPs filtering. Because of the enormous security threat fragmented packets create, the
firewall is configured to drop most fragmented packets. Any legitimate traffic lost due to
filtering is considered acceptable when compared to the risk of allowing such traffic to traverse
the network. Traffic destined to the firewall from outside the network is limited to IPSec traffic
and necessary routing protocols.
The firewall provides connection-state enforcement and detailed filtering for sessions initiated
through the firewall. From a filtering standpoint, in addition to limiting traffic on the public
services segment to relevant addresses and ports, filtering in the opposite direction also takes
place. If an attack compromises one of the public servers (by circumventing the firewall and
HIDS), that server should not be able to further attack the network. To mitigate this type of
attack, specific filtering prevents any unauthorized requests from being generated by the public
servers to any other location. As an example, the Web server should be filtered so that it cannot
originate requests of its own, but merely respond to requests from clients. This setup helps
prevent a hacker from downloading additional utilities to the compromised device after the
initial attack. It also helps stop unwanted sessions from being triggered by the hacker during the
primary attack. An attack that generates an Xwindows terminal session from the Web server
through the firewall to the hackers machine is an example of such an attack. In addition, private
VLANs on the Demilitarized Zone (DMZ) switch prevent a compromised public server from
attacking other servers on the same segment. This traffic is not even detected by the firewall, a
fact that explains why private VLANs are critical. Finally, publicly addressable servers have
some protection against TCP SYN floods through mechanisms such as the use of half-open
connection limits on the firewall.
From a host perspective, each of the servers on the public services segment has host intrusion
detection software to monitor against any rogue activity at the operating system level, as well as
activity in common server applications (HTTP, FTP, SMTP, and so forth). The DNS host should
be locked down to respond only to desired commands and eliminate any unnecessary responses
that might assist hackers in network reconnaissance. This includes preventing zone transfers
from anywhere except legitimate secondary DNS servers. For mail services, the firewall itself
filters SMTP messages at Layer 7 to allow only necessary commands to the mail server.
Firewalls and firewall routers generally have some limited network-based intrusion detection
system (NIDS) capability within their security functions. This capability affects the performance
of the device, but does provide some additional attack visibility in the event you are under
attack. Remember that you are trading performance for attack visibility. Many of these attacks
can be dropped without the use of an IDS, but the monitoring station will not be aware of the
specific attack being launched.
The VPN connectivity is provided through the firewall or firewall and router. Remote sites
authenticate each other with pre-shared keys, and remote users are authenticated through the
access control server in the Campus Module.
5-8
Copyright
CSI 1.15-10
The SAFE SMR Small Network Design alternatives represent the ultimate in scaled-down,
security-conscious network design, where all the security and VPN services are compressed into
a single device. There are two choices when deciding how to implement this network design:
Use a router with firewall and VPN functionalityThis setup yields the greatest flexibility
for the small network because the router will support all the advanced services (Quality of
Service [QoS], routing, multi-protocol support, and so on) that may be necessary in todays
networks.
Use a dedicated firewall instead of the routerThis setup places some restrictions on the
deployment. First, firewalls are generally Ethernet-only, requiring some conversion to the
appropriate WAN protocol. In todays environments, most cable and Digital Subscriber Line
(DSL) routers and modems are provided by the service provider and can be used to connect
to the firewall over Ethernet. If WAN connectivity on the device is required (such as with a
circuit from a telco provider), then a router must be used. Using a dedicated firewall does
have the advantage of easier configuration of security services, and a dedicated firewall can
provide improved performance when doing firewall functions. Whatever the selection of
device, stateful inspection is used to examine traffic in all directions, ensuring that only
legitimate traffic crosses the firewall. Before the traffic even reaches the firewall, ideally,
some security filtering has already occurred at the ISP. Remember that routers tend to start
out permitting traffic, whereas firewalls tend to deny traffic by default.
Any deviation from the SAFE SMR Small Network Design would be geared toward increasing
the capacity of the network, or separating the various security functions onto distinct devices. In
doing this, the design starts to look more and more like the medium network design discussed
later in this chapter. Instead of adopting the complete medium design, you might consider the
Copyright
5-9
addition of a dedicated remote access Cisco VPN Concentrator to increase the manageability of
the remote-user community.
5-10
Copyright
Management
host
User
workstations
Corporate
servers
To the
corporate
Internet module
Layer 2
switch
CSI 1.15-12
The Campus Module contains end-user workstations, corporate intranet servers, management
servers, and the associated Layer 2 infrastructure required to support the devices. Within the
small network design, this Layer 2 functionality has been combined into a single switch.
The following are key devices for the SAFE SMR Small Network Campus Module:
Layer 2 switch (with private VLAN support)Provides Layer 2 services to user
workstations
Corporate serversProvides e-mail (SMTP and POP3) services to internal users, as well as
delivering file, print, and DNS services to workstations
User workstationsProvides data services to authorized users on the network
Management hostProvides HIDS, Syslog, Terminal Access Control System Plus
(TACACS+) or Remote Access Dial-In User Service (RADIUS), and general configuration
management
Copyright
5-11
Expected Threats
and Mitigation Roles
You can expect the
following threats:
Packet sniffers
Virus and Trojan horse
applications
Unauthorized access
Application layer attacks
Trust exploitation
Port redirection
HIDS local
attack
mitigation
Management
server
To corporate
Internet
module
Host virus
scanning
HIDS local
attack
mitigation
Corporate
users
Corporate
servers
Private
VLANs
CSI 1.15-13
The following are expected threats and mitigation of those threats to the SAFE SMR Small
Network Campus Module:
Packet sniffersA switched infrastructure limits the effectiveness of sniffing
Virus and Trojan horse applicationsHost-based virus scanning prevents most viruses and
many Trojan horses
Unauthorized accessThis type of access is mitigated through the use of host-based
intrusion detection and application access control
Application layer attacksOperating systems, devices, and applications are kept up-to-date
with the latest security fixes, and they are protected by an HIDS
Trust exploitationPrivate VLANs prevent hosts on the same subnet from communicating
unless necessary
Port redirectionAn HIDS prevents port redirection agents from being installed
Attack mitigation roles for the SAFE SMR Small Network Campus Module include the
following:
Private VLANs
HIDS local attack mitigation
5-12
Copyright
Copyright
5-13
CSI 1.15-14
The primary functions of the campus switch are to switch production and management traffic
and to provide connectivity for the corporate and management servers and users. Within the
switch, private VLANs can be enabled to mitigate trust-exploitation attacks between the devices.
For instance, the corporate users might need to be able to talk to the corporate servers but may
not have any requirement to communicate with each other.
Because there are no Layer 3 services within the campus module, it is important to note that the
SAFE SMR Small Network Campus Module Design places an increased emphasis on
application and host security because of the open nature of the internal network. Therefore, an
HIDS was also installed on key systems within the campus, including the corporate servers and
management systems.
Setting a small filtering router or firewall between the management stations and the rest of the
network can improve overall security. This setup allows management traffic to flow only in the
specific direction deemed necessary by the administrators. If the level of trust within the
organization is high, an HIDS can potentially be eliminated, though this is not recommended.
5-14
Copyright
ImplementationISP Router
The following section details the implementation of the ISP router.
ISP Router
Implementation Commands
Spoof mitigation
rate-limiting
Management
Server
ISP
Public
Services
Corporate
Users
Firewall
CSI 1.15-16
The primary function of the customer-edge router in the ISP is to provide connectivity to the
Internet or ISP network. The egress of the ISP router rate limits nonessential traffic that exceeds
pre-specified thresholds in order to mitigate DDoS attacks. At the egress of the ISP router, RFC
1918 and RFC 2827 filtering is configured to mitigate source-address spoofing of local networks
and private address ranges.
Copyright
5-15
Implementation CommandsSpoof
Mitigation and RFC Filtering
router(config)#
--- ---
- -
- - -
- -
The access-list command enables you to specify if an IP address is
permitted or denied access to a port or protocol.
---
router(config-if)#
-- --- ---
The access-group command binds an ACL to an interface.
--
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-17
Cisco provides basic traffic filtering capabilities with access control lists (ACLs). ACLs can be
configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of
those protocols as the packets pass through a router.
You can configure ACLs at your router to control access to a network: ACLs can prevent certain
traffic from entering or exiting a network.
ACLs should be used in IOS Firewall routers, which are often positioned between your internal
network and an external network (for example, the Internet). You can also use ACLs on a router
positioned between two parts of your network, to control traffic entering or exiting a specific
part of your internal network.
To provide the security benefits of ACLs, you should at a minimum configure ACLs on border
routersrouters situated at the edges of your networks. This provides a basic buffer from the
outside network, or from a less controlled area of your own network into a more sensitive area of
your network.
On these routers, you should configure ACLs for each network protocol configured on the router
interfaces. You can configure ACLs so that inbound traffic, outbound traffic, or both are filtered
on an interface.
ACLs must be defined on a per-protocol basis. In other words, you should define ACLs for
every protocol enabled on an interface if you want to control traffic flow for that protocol.
For inbound ACLs, after receiving a packet, the Cisco IOS Software checks the source address
of the packet against the ACL. If the ACL permits the address, the software continues to process
the packet. If the ACL rejects the address, the software discards the packet and returns an ICMP
host unreachable message.
5-16
Copyright
For outbound ACLs, after receiving and routing a packet to a controlled interface, the software
checks the source address of the packet against the ACL. If the ACL permits the address, the
software sends the packet. If the ACL rejects the address, the software discards the packet and
returns an ICMP host unreachable message.
When you apply an ACL that has not yet been defined to an interface, the software acts as if the
ACL has not been applied to the interface and accepts all packets. Remember this behavior if
you use undefined ACLs as a means of security in your network.
The syntax for the access-list command is as follows:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source sourcewildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range timerange-name]
access-list-number
dynamic dynamic-name
(Optional.) Identifies this ACL as a dynamic ACL. Refer to lockand-key access documented in the "Configuring Lock-and-Key
Security (Dynamic Access Lists)" chapter in the Cisco IOS
Security Configuration Guide.
timeout minutes
deny
permit
protocol
source
Copyright
5-17
source-wildcard
5-18
access-list-number
access-list-name
in
out
Copyright
ISP
To campus
CSI 1.15-19
The primary function of the IOS Firewall is to provide connection-state enforcement and
detailed filtering for sessions initiated through the IOS Firewall. The IOS Firewall also acts as a
termination point for site-to-site IPSec VPN tunnels for both remote site production and remote
site management traffic.
There are multiple segments off the IOS Firewall. The first is the public services segment, which
contains all the publicly addressable hosts. The second is for remote access VPN and dial-in,
which are discussed in a later chapter. Publicly addressable servers have some protection against
TCP SYN floods through mechanisms such as the use of half-open connection limits on the IOS
Firewall.
From a filtering standpoint, in addition to limiting traffic on the public services segment to
relevant addresses and ports, filtering in the opposite direction also occurs. If an attack
compromises one of the public servers (by circumventing the IOS Firewall and the HIDS), that
server should not be able to further attack the network. To mitigate this type of attack, specific
filtering prevents any unauthorized requests from being generated by the public servers to any
other location.
As an example, the Web server should be filtered so that it cannot originate requests of its own,
but merely respond to requests from clients. This setup helps prevent a hacker from downloading
additional utilities to the compromised box after the initial attack. It also helps stop unwanted
Copyright
5-19
sessions from being triggered by the hacker during the primary attack. An attack that generates
an xterm from the Web server through the firewall to the hackers machine is an example of such
an attack. In addition, private VLANs prevent a compromised public server from attacking other
servers on the same segment. This traffic is not even detected by the IOS Firewall, a fact that
explains why private VLANs are critical.
5-20
Copyright
CSI 1.15-20
The following are necessary mitigation roles and implementation commands for the IOS
Firewall:
Stateful packet filteringPart of Context-Based Access Control (CBAC) on Cisco IOS
Routers
Spoof mitigation and RFC filtering
Copyright
aaa new-modelEnter this command for each protocol that you want to inspect, using
the same inspection-name, to define a set of inspection rules.
tacacs-serverDefines the TACACS server.
aaa authentication loginEnables authentication, authorization, and accounting
(AAA) authentication at login.
5-21
5-22
Copyright
CSI 1.15-21
IPSec commands
Copyright
5-23
Spoof Mitigation
and RFC FilteringACLs
router(config)#
--- ---
- -
- - -
- -
The access-list command enables you to specify if an IP address
is permitted or denied access to a port or protocol.
---
router(config-if)#
-- --- ---
The access-group command binds an ACL to an interface.
--
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-22
You can use ACLs to control the transmission of packets on an interface, control vty access, and
restrict the contents of routing updates. The Cisco IOS Software stops checking the extended
ACL after a match occurs.
The syntax for the access-list command is as follows:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source sourcewildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range timerange-name]
5-24
access-list-number
dynamic dynamic-name
(Optional.) Identifies this ACL as a dynamic ACL. Refer to lockand-key access documented in the "Configuring Lock-and-Key
Security (Dynamic Access Lists)" chapter in the Cisco IOS
Security Configuration Guide.
timeout minutes
deny
permit
protocol
Copyright
source
source-wildcard
Copyright
access-list-number
access-list-name
in
out
5-25
ISP
network
Customer
network:
192.168.0.0/16
Ingress to Internet
--
--
---
---
---
Egress packets
cannot be from
and to customers
Ensure that
ingress packets
are valid
---
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-23
A resurgence of DoS attacks aimed at various targets in the Internet have produced new
challenges within the ISP and network security communities to find new and innovative methods
to mitigate these types of attacks. While the filtering method in RFC 2827 does absolutely
nothing to protect against flooding attacks, which originate from valid prefixes (IP addresses), it
will prohibit an attacker within the originating network from launching an attack of this nature
using forged source addresses that do not conform to ingress filtering rules.
All providers of Internet connectivity are urged to implement filtering described in RFC 2827 to
prohibit attackers from using forged source addresses, which do not reside within a range of
legitimately advertised prefixes. In other words, if an ISP is aggregating routing announcements
for multiple downstream networks, strict traffic filtering should be used to prohibit traffic that
claims to have originated from outside of these aggregated announcements.
An additional benefit of implementing this type of filtering is that it enables the originator to be
easily traced to its true source, because the attacker would have to use a valid, and legitimately
reachable, source address.
5-26
Copyright
Unauthorized Access
IOS Firewall Intrusion Detection
The following are the IOS Firewall intrusion detection
features:
TCP
UDP
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-24
Cisco IOS Firewall and intrusion-detection solutions are designed to meet security requirements
within a network, whether the requirement is for multilevel security with a dedicated appliance
(Cisco PIX Firewall or Cisco IDS Sensor) or for integrated security wherever a router is
deployed (Cisco IOS Firewall with intrusion detection). The standalone appliance and integrated
Cisco solutions meet the various network security needs in a network, based on an organizations
security policy, network security risk and vulnerability, level of performance requirements at the
site, and network segmentation, network media or interface, and routing requirements.
Copyright
5-27
Implementation Commands
IOS Firewall Intrusion Detection
router #
- -
-
Creates audit rules for info and attack signature types
router #
-
Specifies the default actions for attack signatures
CSI 1.15-25
Use the ip audit name global configuration command to create audit rules for info and attack
signature types. Use the no form of this command to delete an audit rule.
The syntax for the ip audit name is as follows:
ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
audit-name
info
attack
list
standard-acl
action
alarm
drop
reset
Use the ip audit attack global configuration command to specify the default actions for attack
signatures. Use the no form of this command to set the default action for attack signatures.
The syntax for the ip audit attack is as follows:
ip audit attack {action [alarm] [drop] [reset]}
5-28
Copyright
Copyright
action
alarm
drop
reset
5-29
Implementation Commands
IOS Firewall Intrusion Detection (cont.)
router#
Specifies the method of event notification
router#
- Specifies the maximum number of event notifications that are
placed in the router's event queue
CSI 1.15-26
Use the ip audit notify global configuration command to specify the method of event
notification. Use the no form of this command to disable event notifications.
The syntax for the ip audit notify is as follows:
ip audit notify {nr-director | log}
nr-director
log
Use the ip audit po max-events global configuration command to specify the maximum number
of event notifications that are placed in the router's event queue. Use the no version of this
command to set the number of recipients to the default setting.
The syntax for the ip audit po max-events is as follows:
ip audit notify {nr-director | log}
number-of-events
5-30
Copyright
Packets are inspected entering the firewall by CBAC if they are not
specifically denied by an ACL.
CBAC permits or denies specified TCP and UDP traffic through a
firewall.
A state table is maintained with session information.
ACLs are dynamically created or deleted.
CBAC protects against DoS attacks.
Protection against unauthorized access.
TCP
UDP
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-27
CBAC adds inspection intelligence to ACL capabilities by performing stateful packet inspection
for application status information for applications using TCP and UDP packets for transport.
Using this information, CBAC creates a temporary or dynamic, session-specific ACL entry,
permitting return traffic into the trusted network. This dynamic ACL effectively opens a door in
the IOS Firewall. When a session times out or ends, the ACL entry is deleted and the door closes
to additional traffic. To perform this function, a state table is maintained for session information.
Standard and extended ACLs cannot create temporary ACL entries, so, until now, administrators
have been forced to weigh security risks against information access requirements. Advanced
applications that select from multiple channels for return traffic have been difficult to secure
using standard or extended ACLs.
CBAC is more secure than current ACL-only solutions because it accounts for application type
in deciding whether to allow a session through the IOS Firewall and determines whether it
selects from multiple channels for return traffic. Before CBAC, administrators could permit
advanced application traffic only by writing permanent ACLs that essentially left IOS Firewall
doors open; so most administrators opted to deny all such application traffic. With CBAC, they
can now securely permit multimedia and other application traffic by opening the IOS Firewall as
needed, and closing it all other times. For example, if CBAC is configured to allow Microsoft
NetMeeting, when an internal user initiates a connection, the IOS Firewall permits return traffic.
However, if an external NetMeeting source initiates a connection with an internal user, CBAC
denies entry and drops the packets.
Copyright
5-31
CSI 1.15-28
On the IOS Firewall interface where traffic initiates ACLs should be applied on the inward
direction that only permits wanted traffic, and on the inward direction that inspects wanted
traffic. On all other interfaces, the ACL should be applied on the inward direction that denies all
traffic, except traffic (such as ICMP) not inspected by CBAC.
5-32
Copyright
- -
--
Defines the application protocols to inspect
Will be applied to an interface
Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd,
realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive
alert, audit-trail, and timeout are configurable per protocol and override
global settings
- -
-
CSI 1.15-29
You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the
internal network through the firewall, even if the application-layer protocol is not configured to
be inspected. However, TCP and UDP inspection do not recognize application-specific
commands, and therefore might not permit all return packets for an application, particularly if
the return packets have a different port number than the previous exiting packet.
Any application-layer protocol that is inspected will take precedence over the TCP or UDP
packet inspection. For example, if inspection is configured for FTP, all control channel
information will be recorded in the state table, and all FTP traffic will be permitted back through
the firewall if the control channel information is valid for the state of the FTP session. The fact
that TCP inspection is configured is irrelevant to the FTP state information.
With TCP and UDP inspection, packets entering the network must exactly match the
corresponding packet that previously exited the network. The entering packets must have the
same source or destination addresses, and source or destination port numbers as the exiting
packet (but reversed); otherwise, the entering packets will be blocked at the interface. Also, all
TCP packets with a sequence number outside of the window are dropped.
With UDP inspection configured, replies will only be permitted back in through the firewall if
they are received within a configurable time after the last request was sent out.
The syntax for the ip inspect name command is as follows:
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Copyright
inspection-name
protocol
5-33
5-34
timeout seconds
Copyright
Apply an Inspection
Rule to an Interface
Router(config-if)#
- -
Applies the named inspection rule to an interface
-
Applies the inspection rule to interface e0/0 in inward
direction
CSI 1.15-30
Copyright
inspection-name
in
out
5-35
- - -
--
Controls java blocking with a standard ACL
- -
---
---
CSI 1.15-31
Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of
external sites that you designate as friendly. If an applet is from a friendly site, the firewall
allows the applet through. If the applet is not from a friendly site, the applet is blocked.
(Alternately, you could permit applets from all external sites except for those you specifically
designate as hostile.)
Note
CBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are
wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall.
CBAC also does not detect or block applets loaded from FTP, gopher, HTTP on a
nonstandard port, and so forth.
5-36
inspection-name
http
java-list access-list
Copyright
Copyright
timeout seconds
5-37
Example Inspection
Rule for RPC Applications
Router(config)#
- -
-
--
Allows given RPC program numberswait-time keeps the
connection open for a specified number of minutes
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-32
Remote Procedure Call (RPC) inspection enables the specification of various program numbers.
You can define multiple program numbers by creating multiple entries for RPC inspection, each
with a different program number. If a program number is specified, all traffic for that program
number is permitted. If a program number is not specified, all traffic for that program number is
blocked. For example, if you created an RPC entry with the NFS program number, all NFS
traffic is allowed through the firewall.
The syntax for the ip inspect name command is as follows:
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail
{on | off}] [timeout seconds]
5-38
inspection-name
wait-time minutes
Copyright
timeout seconds
Copyright
5-39
- - -
--
Only allows the following legal commands in SMTP
applications: DATA, EXPN, HELO, HELP, MAIL, NOOP,
QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY
If disabled, all SMTP commands are allowed through the
firewall, and potential mail server vulnerabilities are
exposed
- -
CSI 1.15-33
SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets
with illegal commands are dropped, and the SMTP session hangs and eventually times out.
The syntax for the ip inspect name command is as follows:
5-40
inspection-name
protocol
A protocol keyword.
timeout seconds
Copyright
- -
- Protects hosts from certain DoS attacks involving fragmented
IP packets
max = number of unassembled fragmented IP packets
timeout = seconds when the unassembled fragmented IP
packets begin to be discarded
CSI 1.15-34
CBAC inspection rules can help protect hosts against certain DoS attacks involving fragmented
IP packets. Even though the firewall keeps an attacker from making actual connections to a
given host, the attacker may still be able to disrupt services provided by that host. This is done
by sending many non-initial IP fragments or by sending complete fragmented packets through a
router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie
up resources on the target host as it tries to reassemble the incomplete packets.
Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP
traffic. Non-initial fragments are discarded unless the corresponding initial fragment was
permitted to pass through the firewall. Non-initial fragments received before the corresponding
initial fragments are discarded.
Note
Fragmentation inspection can have undesirable effects in certain cases, because it can result
in the firewall discarding any packet whose fragments arrive out of order. There are many
circumstances that can cause out-of-order delivery of legitimate fragments. Apply
fragmentation inspection in situations where legitimate fragments, which are likely to arrive out
of order, might have a severe performance impact.
Because routers running Cisco IOS Software are used in a very large variety of networks, and
because the CBAC feature is often used to isolate parts of internal networks from one another,
the fragmentation inspection feature is not enabled by default. Fragmentation detection must be
explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented
traffic is never discarded because it lacks a fragment state. Even when the system is under heavy
attack with fragmented packets, legitimate fragmented traffic, if any, still gets some fraction of
the firewalls fragment state resources, and legitimate, unfragmented traffic can flow through the
firewall unimpeded.
Copyright
5-41
fragment
max number
timeout seconds
5-42
Copyright
AuthenticationIOS Firewall
Authentication Proxy
The Cisco IOS Firewall authentication proxy provides the
following:
HTTP-based authentication
Dynamic, per-user authentication and authorization via
TACACS+ and RADIUS protocols
CSI 1.15-35
The authentication proxy capability in the Cisco IOS Firewall feature set provides dynamic, peruser authentication and authorization for network users. Previously, user identity and related
authorized access were determined by a users IP address, or the security policy had to be
applied to a user group or subnet. Now, per-user policy can be downloaded dynamically to the
router from the TACACS+ or RADIUS authentication server using Cisco IOS Software
authentication, authorization, and accounting (AAA) services.
Copyright
5-43
Implementation Commands
Authenticate Remote Site
router(config)#
Enables the AAA access control model
router(config)#
-- - -
-
Specifies a TACACS+ host
-- -
- --
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-36
You must configure AAA network security services using the aaa new-model, aaa
authentication, aaa authorization, and aaa accounting global configuration commands.
You also need to configure your network access server to communicate with the applicable
security server, either an extended TACACS or RADIUS daemon.
The syntax for the aaa new-model command is as follows:
aaa new-model
This command has no arguments or keywords.
The syntax for the tacacs-server host command is as follows:
tacacs-server host hostname [port integer] [timeout integer] [key string]
5-44
hostname
port
integer
timeout
integer
key
Copyright
string
Copyright
5-45
Implementation Commands
Authenticate Remote Site (cont.)
router(config)#
-
---
-
-
These commands enable AAA authentication at login, restrict
network access to a user, and define the authentication method
used.
CSI 1.15-37
Step 2
Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are
using a security server.
Define the method lists for authentication by using an AAA authentication command. A method
list is a named list describing the authorization methods to be used (such as RADIUS or
TACACS+), in sequence. Method lists enable you to designate one or more security protocols to
be used for authorization, thus ensuring a backup system in case the initial method fails.
Step 3
5-46
Copyright
Implementation Commands
Authenticate Remote Site (cont.)
-
-
-
- -
Examples of the AAA commands
CSI 1.15-38
Create a method list by entering the aaa authentication login list-name method command for a
particular protocol, where list-name is any character string used to name this method list (for
example, MIS-access). The method argument identifies the list of methods that the
authentication algorithm tries in the given sequence.
Use the login authentication command with the default argument followed by the methods you
want to use in default situations to create a default method list that is used if no method list is
assigned to a line.
The additional methods of authentication are used only if the previous method returns an error,
not if it fails. To ensure that the authentication succeeds even if all methods return an error,
specify none as the final method in the command line.
If authentication is not specifically set for a line, the default is to deny access and no
authentication is performed. Use the more system:running-config command to display
currently configured lists of authentication methods.
Use the aaa authorization command to enable authorization and to create named method lists,
defining authorization methods that can be used when a user accesses the specified function.
Method lists for authorization define the ways authorization is performed and the sequence in
which these methods are performed.
Cisco IOS Software uses the first method listed in your method list to authorize users for specific
network services; if that method fails to respond, the Cisco IOS Software selects the next method
listed in the method list. This process continues until there is successful communication with a
listed authorization method, or all methods defined are exhausted.
Copyright
5-47
The command login authentication is a per-line command used with AAA that specifies the
name of a list of AAA authentication methods to try at login. If no list is specified, the default
list is used (whether or not it is specified in the command line).
The syntax for the aaa authentication login command is as follows:
aaa authentication login {default | list-name} method1 [method2...]
Default
list-name
method1 [method2...]
exec
commands
level
reverse-access
configuration
default
list-name
method1 [method2...]
5-48
auth-proxy
system
network
Copyright
exec
connection
commands level
default
list-name
start-stop
stop-only
wait-start
none
broadcast
group groupname
Copyright
default
Uses the default list created with the aaa authentication login
command.
list-name
Uses the indicated list created with the aaa authentication login
command.
5-49
ImplementationPIX Firewall
This section describes the detailed configuration and implementation of the Cisco PIX Firewall.
Public
services
ISP
To campus
CSI 1.15-40
The following mitigation roles and commands are used to implement the policy on the PIX
Firewall:
Stateful packet filteringThe default for the PIX firewall.
Host DoS mitigation commands
5-50
access-listCreates an ACL
Copyright
Copyright
5-51
Public
services
ISP
To campus
CSI 1.15-41
Terminate IPSec
5-52
Copyright
Copyright
5-53
Internet
e0 outside
security level 0
e1 inside
security level 100
PIX Firewall
CSI 1.15-42
By default, the PIX Firewall denies access to an internal or perimeter (more secure) network
from an external (less secure) network. You specifically allow inbound connections by using
ACLs. ACLs permit access on a first-match basis. For inbound access, you must deny access
first and then permit access.
Note
Beginning with the PIX Firewall version 5.3, ACLs are the preferred method for managing
network access. The conduit command was used in earlier versions. ACLs provide improved
flexibility and greater ease of use for those familiar with Cisco IOS access control. However,
the conduit command is still supported to maintain backward compatibility of configurations
written for previous PIX Firewall versions.
Static NAT creates a permanent, one-to-one mapping between an address on an internal network
(a higher security level interface) and a perimeter or external network (lower security level
interface). For example, to share a web server on a perimeter interface with users on the public
Internet, use static address translation to map the servers actual address to a registered IP
address. Static address translation hides the actual address of the server from users on the less
secure interface, making casual access by unauthorized users less likely. Unlike NAT or PAT, it
requires a dedicated address on the outside network for each host, so it does not save registered
IP addresses.
5-54
Copyright
Implementation Commands
Host DoS Mitigation
pixfirewall(config)#
-
Protects an individual interface against IP spoofing by
enabling both ingress and egress filtering to verify
addressing and route integrity
-
-
pixfirewall(config)#
- - --
Permits or denies the ability to ping a PIX Firewall interface
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-43
Copyright
5-55
The clear ip verify command removes ip verify commands from the configuration. Unicast RPF
is a unidirectional input function that screens inbound packets arriving on an interface. Outbound
packets are not screened.
Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this
risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under
certain circumstances.
Unicast RPF is implemented as follows:
ICMP packets have no session, so each packet is checked.
UDP and TCP have sessions, so the initial packet requires a reverse route lookup.
Subsequent packets arriving during the session are checked using an existing state
maintained as part of the session. Non-initial packets are checked to ensure they arrived on
the same interface used by the initial packet.
Note
Before using the ip verify command, add static route command statements for every
network that can be accessed on the interfaces you wish to protect. Only enable ip verify if
routing is fully specified. Otherwise, the PIX Firewall will stop traffic on the interface you
specify if routing is not in place.
Use the show interface command to view the number of dropped packets, which appears in the
unicast rpf drops counter.
The icmp command implements the following:
The icmp command controls ICMP traffic that terminates on the PIX Firewall. If no ICMP
control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at
the interface.
The icmp deny command disables pinging to an interface, and the icmp permit command
enables pinging to an interface. With pinging disabled, the PIX Firewall cannot be detected
on the network. This is also referred to as configurable proxy pinging.
For traffic that is routed through the PIX Firewall only, you can use the access-list or accessgroup commands to control the ICMP traffic routed through the PIX Firewall.
It is recommended that you grant permission for ICMP unreachable message type (type 3).
Denying ICMP unreachable messages disables ICMP Path maximum transmission unit (MTU)
discovery, which can halt IPSec and Point-to-Point Tunneling Protocol (PPTP) traffic. See RFC
1195 and RFC 1435 for details about Path MTU Discovery.
If an ICMP control list is configured, then the PIX Firewall uses a first match to the ICMP traffic
followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP
packet continues to be processed. If the first matched entry is a deny entry or an entry is not
matched, the PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 Syslog
5-56
Copyright
message. An exception is when an ICMP control list is not configured; in that case, a permit is
assumed.
The syntax for the ip verify reverse-path interface command is as follows:
ip verify reverse-path interface int_name
int_name
Copyright
deny
int_name
permit
src_addr
src_mask
type
5-57
Implementation Commands
Host DoS Mitigation (cont.)
pixfirewall(config)#
-- -
Enables the IP Frag Guard feature
The sysopt commands enables you to tune various PIX
Firewall security and configuration features
-- -
CSI 1.15-44
The sysopt security fragguard command enables the IP Frag Guard feature. This feature is
disabled by default. This feature enforces two additional security checks, in addition to the
security checks recommended by RFC 1858, against the many IP fragment style attacks:
teardrop, land, and so on. Each non-initial IP fragments is required to be associated with an
already seen valid initial IP fragment. IP fragments are rated to 100 full IP fragmented packets
per second to each internal host. Note the following:
The IP Frag Guard feature operates on all interfaces in the PIX Firewall and cannot be
selectively enabled or disabled by interface.
The PIX Firewall uses the security fragguard command to enforce the security policy
determined by an access-list permit or access-list deny command to permit or deny packets
through the PIX Firewall.
Note
Disable the security fragguard command feature if the PIX Firewall is used as a tunnel for
FDDI packets between routers.
Note
5-58
Because Linux sends IP fragments in reverse order, fragmented Linux packets will not pass
through the PIX Firewall with the sysopt security fragguard command enabled.
Copyright
Copyright
5-59
Implementation Commands
Host DoS Mitigation (cont.)
pixfirewall(config)#
- -
-- -- -
- - -
- ---
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-45
The static command creates a persistent, one-to-one address translation rule (called a static
translation slot or xlate). This translation can be between a local IP address and a global IP
address (static Network Address Translation [NAT]) or between ports (static Port Address
Translation [PAT]).
For an external host to initiate traffic to an inside host, a static translation rule needs to exist for
the inside host; this can also be done using a nat 0 access-list address translation rule. Without
the persistent translation rule, the translation cannot occur.
You can use the static and access-list commands when you are accessing the interface of a higher
security level from an interface of a lower security level (for example, when accessing the inside
from a perimeter or the outside interface).
Prior to version 5.3, the PIX Firewall offered no mechanism to protect systems reachable via a
static and TCP conduit from TCP SYN attacks. Previously, if an embryonic connection limit was
configured in a static command statement, the PIX Firewall dropped new connection attempts
after the embryonic threshold was reached. Given this, a modest attack could stop an
institutions Web traffic. For static command statements without an embryonic connection limit,
the PIX Firewall passes all traffic. If the affected system does not have TCP SYN attack
protection, and most operating systems do not offer sufficient protection, then the affected
systems embryonic connection table overloads and all traffic stops.
With the new TCP intercept feature, after the optional embryonic connection limit is reached,
and until the embryonic connection count falls below this threshold, every SYN bound for the
affected server is intercepted. For each SYN, the PIX Firewall responds on behalf of the server
with an empty SYN/ACK segment. The PIX Firewall retains pertinent state information, drops
the packet, and waits for the clients acknowledgement. If the ACK is received, then a copy of
the clients SYN segment is sent to the server and the TCP three-way handshake is performed
5-60
Copyright
between the PIX Firewall and the server. If this three-way handshake completes, the connection
resumes as normal. If the client does not respond during any part of the connection phase, the
PIX Firewall retransmits the necessary segment using exponential back-offs.
This feature requires no change to the PIX Firewall command set, only that the embryonic
connection limit on the static command now has a new behavior.
The syntax for the static command is as follows:
static [(prenat_interface, postnat_interface)] {mapped_address| interface} real_address [dns] [netmask mask]
[norandomseq] [connection_limit [em_limit]]
Copyright
dns
Specifies that DNS replies that match the xlate are translated.
em_limit
global_ip
interface
mapped_address
netmask
norandomseq
postnat_interface
prenat_interface
real_address
5-61
CSI 1.15-46
The access-list command allows any outside host access to the static via a specified port. You
use the access-list and access-group commands to permit access based on source or destination
IP address, or by the protocol port number. Use the access-list command to create a single ACL
entry, and use the access-group command to bind one or more ACL entries to a specific
interface. Only specify one access-group command for each interface.
5-62
Copyright
Implementation Commands
Spoof Mitigation and RFC Filtering
pixfirewall(config)#
---
- --
- -
-- -
The access-list command enables you to specify if an IP address
is permitted or denied access to a port or protocol.
---
pixfirewall(config)#
--
The access-group command binds an ACL to an interface.
--
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-47
The access-list command enables you to specify if an IP address is permitted or denied access to
a port or protocol. One or more access-list command statements with the same name are referred
to as an ACL. ACLs associated with IPSec are known as crypto ACLs.
By default, all access-list commands have an implicit deny unless you explicitly specify permit.
In other words, by default, all access in an ACL is denied unless you explicitly grant access
using a permit statement.
The access-group command binds an ACL to an interface. The ACL is applied to traffic
inbound to an interface. If you enter the permit option in an access-list command statement, the
PIX Firewall continues to process the packet. If you enter the deny option in an access-list
command statement, the PIX Firewall discards the packet.
The syntax for the access-list command is as follows:
access-list acl_ID {deny | permit} protocol {source_addr | local_addr} {source_mask | local_mask}[operator port
[port] {destination_addr | remote_addr} {destination_mask | remote_mask} [operator port [port]
acl_ID
deny
Copyright
5-63
destination_addr
destination_mask
local_addr
local_mask
5-64
acl_ID
in interface
Interface_name
Copyright
---
---
---
---
ISP
network
Customer
network
Ingress to Internet
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-48
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the
IP address space for private Internets:
10.0.010.255.255.255 (10/8 prefix)
172.16.0.0172.31.255.255 (172.16/12 prefix)
192.168.0.0192.168.255.255 (192.168/16 prefix)
SAFE SMR Small Network Design recommends that these networks be filtered as RFC 1918
designates them private and they are not to be routed on the Internet. It is recommended that this
filtering be completed on the ISP router as well as the PIX Firewall.
Copyright
5-65
Implementation Commands
Authenticate Remote Site
pixfirewall(config)#
-
- - -
- These commands specify a AAA server
The PIX Firewall enables you to define separate groups of
TACACS+ or RADIUS servers for specifying different types
of traffic
- -
- - - --
CSI 1.15-49
The aaa-server command enables you to specify AAA server groups. The PIX Firewall enables
you to define separate groups of TACACS+ or RADIUS servers for specifying different types of
traffic (for example, a TACACS+ server for inbound traffic and another for outbound traffic).
Another use is where all outbound HTTP traffic is authenticated by a TACACS+ server, and all
inbound traffic uses RADIUS.
AAA server groups are defined by a tag name that directs different types of traffic to each
authentication server. If the first authentication server in the list fails, the AAA subsystem fails
over to the next server in the tag group. You can have up to 14 tag groups and each group can
have up to 14 AAA servers for a total of up to 196 AAA servers.
If your RADIUS server uses ports 1812 for authentication and 1813 for accounting, you are
required to reconfigure the PIX Firewall to use ports 1812 and 1813.
If accounting is in effect, the accounting information goes only to the active server.
If you are upgrading from a previous version of the PIX Firewall and have aaa command
statements in your configuration, using the default server groups enables you to maintain
backward compatibility with the aaa command statements in your configuration.
5-66
Copyright
group_tag
protocol auth_protocol
group_tag
if_name
host server_ip
key
timeout seconds
A retransmit timer that specifies the duration that the PIX Firewall
retries access four times to the AAA server before choosing the
next AAA server. The default is 5 seconds. The maximum time is
30 seconds.
For example, if the timeout value is 10 seconds, the PIX Firewall
retransmits for 10 seconds and if no acknowledgment is received,
tries three times more for a total of 40 seconds to retransmit data
before the next AAA server is selected.
Copyright
5-67
Implementation Commands
Authenticate Remote Site (cont.)
pixfirewall(config)#
-
-- -
Defines the AAA authentication method used.
pixfirewall(config)#
- -
Specifies a syslog server that will receive the messages sent
from the PIX Firewall.
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.15-50
To use the aaa authentication command, you must first designate an authentication server with
the aaa-server command. Also, for each IP address, one aaa authentication command is
permitted for inbound connections and one for outbound connections.
The aaa authentication command is not intended to mandate your security policy. The
authentication servers determine whether a user can or cannot access the system, what services
can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP,
HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network
or logging in to exit the network. You can specify that only a single service be authenticated, but
this must agree with the authentication server to ensure that both the firewall and server agree.
The syntax for the aaa-authentication command is as follows:
aaa authentication [serial | enable | telnet | ssh | http] console group_tag
authentication
5-68
serial
enable
Copyright
telnet
ssh
http
Access verification for the HTTP access to the PIX Firewall (via
PDM). The maximum username prompt for HTTP authentication
is 30 characters. The maximum password length is 15 characters.
console
group_tag
Copyright
host
in_if_name
ip_address
protocol
The protocol over which the syslog message is sent; either tcp or
udp. The PIX Firewall only sends TCP Syslog messages to the
PFSS. You can only view the port and protocol values you
previously entered by using the write terminal command and
finding the command in the listingthe TCP protocol is listed as 6
and the UDP protocol is listed as 17.
port
The port from which the PIX Firewall sends either UDP or TCP
Syslog messages. This must be same port at which the Syslog
server listens. For the UDP port, the default is 514 and the
allowable range for changing the value is 1025 through 65535.
5-69
CSI 1.15-51
Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of
external sites that you designate as friendly. If an applet is from a friendly site, the firewall
allows the applet through. If the applet is not from a friendly site, the applet is blocked.
(Alternately, you could permit applets from all external sites except for those you specifically
designate as hostile.)
5-70
Copyright
pixfirewall(config)#
-
-
The filter java command filters out Java applets that
return to the PIX Firewall from an outbound
connection.
CSI 1.15-52
The filter java command filters out Java applets that return to the PIX Firewall from an
outbound connection. The user still receives the HTML page, but the web page source for the
applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP
addresses to mean all hosts.
Note
If Java applets are known to be in <object> tags, use the filter activex command to remove
them.
Copyright
java
port
local_ip
mask
Any mask.
foreign_ip
5-71
Egress from Internet
ISP
network
Customer
network
Ingress to Internet
CSI 1.15-53
RFC 2827 describes a straightforward method for using ingress traffic filtering to prohibit DoS
attacks that use forged IP addresses to be propagated from behind an ISPs aggregation point.
5-72
Copyright
ActiveX Blocking
pixfirewall(config)#
-
-
Filters out ActiveX usage from outbound
packets.
ActiveX controls are applets that can be
inserted in web pages or other applications.
ActiveX controls can provide a way for
someone to attack servers.
The PIX Firewall can be used to block ActiveX
controls.
CSI 1.15-54
The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages
from outbound packets. ActiveX controls, formerly known as Object Linking and Embedding
(OLE) or Object Linking and Embedding Control (OCX) controls, are components you can
insert in a web page or other application. These controls include custom forms, calendars, or any
of the extensive third-party forms for gathering or displaying information.
The syntax for the filter activex command is as follows:
filter activex port local_ip mask foreign_ip mask
Copyright
activex
port
local_ip
mask
Any mask.
foreign_ip
5-73
Specifies that the ActiveX blocking
applies to web traffic on port 80 from
any local host and for connections to
any foreign host
Engineering
11.0.0.0
Marketing
12.0.0.0
DMZ
Executive
14.0.0.0
TACACS+
server
RADIUS
server
CSI 1.15-55
As a technology, ActiveX creates many potential problems for the network clients including
causing workstations to fail, introducing network security problems, or being used to attack
servers. This feature blocks the HTML <object> tag and comments it out within the HTML web
page.
Note
5-74
The <object> tag is also used for Java applets, image files, and multimedia objects, which is
also blocked by the filter activex command. If the <object> or </object> HTML tags split
across network packets or if the code in the tags is longer than the number of bytes in the
MTU, the PIX Firewall cannot block the tag.
Copyright
Summary
Summary
The SAFE small network design has two modules:
Corporate Internet module
Campus module
The corporate Internet module can use either a PIX
Firewall or an IOS Firewall.
The small network campus module contains all users and
intranet servers.
The mitigation roles identified for each threat in SAFE
SMR are integral to a successful implementation.
The IOS Firewall can be implemented to perform as a
firewall, an IDS, and an authentication proxy.
The PIX Firewall can be used to secure the internal
network as well as allowing for the addition of a DMZ.
2003, Cisco Systems, Inc. All rights reserved.
Copyright
CSI 1.15-57
5-75
5-76
Copyright
Copyright
Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.
172.26.26.P
Pod P (110)
172.26.26.0/24
.150
.10P e0/1
Branch
brP
.1 e0/0
10.2.P.0/24
RBB
.1
10.2.P.11
Branch
.2
.150
172.16.P.0/24
Super
Server
WWW
FTP
PSS
WWW
FTP
.10
e0/1
172.30.P.0/24
e0/0
192.168.P.0/24
rP
.2 e0
priv
.1 e4
.1 e2
.5
.1 e1
.50
.4
DMZ
.5
pP
10.0.P.0 /24
pub
172.18.P.0/24
cP
.100
RTS
sensorP
Student
10.0.P.11
CSI 1.15-1
Objectives
In this lab exercise, you will configure the PIX Firewall to secure the corporate network by
completing the following tasks:
Initial configuration of the PIX Firewall.
Configure global addresses, NAT, and routing.
Deny outbound traffic from the public services segment network.
Allow outbound traffic from internal networks.
Allow necessary Internet services to the public services segment server.
Implement spoofing protection.
Enable logging to the management server on the internal corporate network.
Lab 5-2
Copyright
Allow Internet users access to public services segment server and services.
Allow corporate users access to public services segment server and services.
Deny inbound traffic from the 127.0.0.0, 192.168.0.0, and 10.0.P.0 networks
(where P = pod number).
Permit Internet Control Message Protocol (ICMP) echo replies to internal networks.
Permit ICMP echo request to all PIX interfaces. The outside interface should not
respond to requests from untrusted networks.
Enable logging.
Setup
Before starting this lab exercise, make sure the PIX Firewall is turned on and that your PC is
connected to the PIX Firewall.
Note
Copyright
The instructor will provide you with the procedures for access to the PIX Firewall console port,
as this will vary according to your lab connectivity. After you access the PIX Firewall console
port, the PIX Firewall prompt appears.
Step 2
Step 3
Interface Name
Security Level
ethernet0
outside
ethernet1
inside
100
ethernet2
pss
50
-
- -
- -
-
-
What are the default interface names and security levels? Why is it important to assign
the appropriate security levels?
A)
Step 4
Assign IP addresses to the inside, outside, and PSS network interfaces defined in the following
table:
Interface Name
IP Address
Netmask
outside
192.168.P.2
255.255.255.0
inside
10.0.P.1
255.255.255.0
pss
172.16.P.1
255.255.255.0
Lab 5-4
Copyright
Step 5
Enable the interfaces and set the interface speeds defined in the following table:
Interface Name
Speed
ethernet0
100full
ethernet1
10full
ethernet2
100full
Step 6
Step 7
Assign pools of IP addresses for use by outbound connections defined in the following table:
Interface Name
Global Pool ID
IP Address Range
Netmask
outside
192.168.P.33-222
255.255.255.0
outside
192.168.P.225-254
255.255.255.224
- -
# -
Configure the PIX Firewall to allow all inside hosts to use NAT for outbound access. Assign the
hosts to use global pool identity 1.
-
Why is the internal network address specified instead of the wildcard network address
(0.0.0.0)?
A)
Copyright
Step 3
Assign the perimeter routers inside interface as the PIX Firewalls default route:
# -
Is using a default route preferred over obtaining routes via a routing protocol? Why or
why not?
A)
Step 4
Step 5
Step 6
Lab 5-6
Copyright
Create a static network mapping between the inside and public services segment networks to
gain access from the inside networks to the public services segment network:
Step 7
- --- -
What are some advantages and disadvantages to statically mapping the inside network in
this case?
A)
Step 8
-
-
Step 9
IP Address
Name
172.16.P.50
www-private
Test connectivity to the public services segment server from the student PC:
1. Test ICMP access does not work to the public services segment server: 172.16.P.50.
(where P = pod number)
2. Test FTP and web access to public services segment server: 172.16.P.50.
(where P = pod number)
Create an access control list (ACL) to permit ICMP echo-replies to the internal networks and
deny outbound traffic from the public services segment network:
---
Copyright
Bind the ACL to the public services segment interface by creating an access group:
-- --
Confirm that the public services segment server cannot gain access outside of its local subnet:
1. Test ICMP access to perimeter router: 192.168.P.150.
(where P = pod number)
2. Test FTP and web access to the Student PC: 10.0.P.11.
(where P = pod number)
3.
Q5)
Step 4
Confirm that you still have connectivity to the public services segment server from the Student
PC:
1. Test ICMP access to the public services segment server: 172.16.P.50.
(where P = pod number)
2. Test FTP and web access to public services segment server: 172.16.P.50.
(where P = pod number)
Step 2
Step 3
Lab 5-8
Confirm that you still have connectivity to the public services segment server from the Student
PC:
Copyright
Create a static translation for your public services segment server, and set the maximum number
of connections to unlimited and set the embryonic limit to 1000:
- --- -
Assign a name to the public services segment servers public address using the name command
and verify that the name was entered properly:
IP Address
Name
192.168.P.11
www-public
The course lab topology does not allow for including the complete RFC 1918 private
addresses. The listed addresses are those that do not affect the communication between the
lab equipment. For actual implementation, include all appropriate RFC 1918 private addresses
applicable to your network.
---
---
Copyright
Step 4
Create an ACL to allow inbound web and FTP access to the public address of the public services
segment server:
--- -
--- -
Step 5
---
Step 7
Step 8
-
Step 9
Enable Unicast RPF IP spoofing protection for the outside and public services segment
interfaces:
- -
-
Step 2
Copyright
Enable logging and send information log messages to the management PC:
-
What are some of the benefits of device logging? What determines the appropriate
logging level?
A)
Step 2
Step 3
-
- -
- -
-
-
-
-
--
--
-
Copyright
-
-
-
-
-
-
-
-
---
--- -
---
---
---
--- -
--- -
---
---
-
- -
-
-
-
-
-
-
-- -
-- -
--
--
--
Lab 5-12 Cisco SAFE Implementation 1.1
Copyright
--
- -
-
-- -
-- -
--
--
--
--
-
- -
- -
-
- - -
- - -
-- -
-- -
--
-
-
-
-
-
- -
- -
--
--
--
--
--
--
-
Copyright
Ensure that you cannot access the public services segment server from the VPN client PC via
ICMP, but can access it via FTP and web access:
1. Test ICMP access to the public services segment server: 192.168.P.11.
(where P = pod number)
2. Test FTP and web access to the public services segment server: 192.168.P.11.
(where P = pod number)
Step 2
Ensure that you cannot access the internal corporate network from the VPN client PC:
1. Test ICMP access to the Student PC: 10.0.P.11.
(where P = pod number)
2. Test FTP and web access to the Student PC: 10.0.P.11.
(where P = pod number)
Step 3
Ensure that you can access the Internet from the Student PC:
1. Test ICMP access to the VPN Client PC: 172.26.26.P.
(where P = pod number)
2. Test FTP and web access to the VPN client PC: 172.26.26.P.
(where P = pod number)
Step 4
Ensure that you cannot initiate a connection to any network from the public services segment
server:
1. Test ICMP access to the Student PC: 10.0.P.11.
(where P = pod number)
2. Test FTP and web access to the Student PC: 10.0.P.11.
(where P = pod number)
Step 5
Continue ensuring that you cannot initiate a connection to any network from the public services
segment server:
1. Test ICMP access to the VPN Client PC: 172.26.26.P.
(where P = pod number)
2. Test FTP and web access to the VPN Client PC: 172.26.26.P.
(where P = pod number)
Copyright
Objectives
In this lab exercise you will complete the following tasks:
Secure the branch office router network services.
Secure management access to the branch office router.
Configure NAT IOS features.
Implement access control filtering.
Configure CBAC and IDS features.
Test the branch office router configuration.
Send branch router Syslog output to the internal Syslog server on the branch office
server.
Log informational events on the branch office router to the Syslog server.
Control administrator access to the branch office router to prevent unauthorized access:
Copyright
Control access into the router from the console, aux ports, and the vty lines.
Allow Telnet to the perimeter router only from the student system inside the branch
office network.
Authenticate Telnet sessions with usernames and passwords entered into the perimeter
routers local security database.
Log all administrator attempts to the Syslog server.
Implement Network Address Translation (NAT) and Port Address Translation (PAT)
features to hide the internal network addresses.
Prevent source address spoofing:
Deny outgoing IP traffic with the corporate internal address as the source address.
Deny packets with local host, broadcast or multicast (or both), source addresses.
Permit incoming traffic that is part of a session that originated from the branch office
network or the corporate office network.
Configure Context-Based Access Control (CBAC) and IOS intrusion detection system (IDS)
features:
Inspect common application protocols and generic TCP and UDP sessions.
Enable IOS IDS attack signatures to alarm and drop matching packets.
Setup
You should not have to configure any routing or addressing of interfaces on lab equipment in
this exercise. Before starting this lab exercise, set up your equipment so that you can do the
following from the branch office equipment:
Ping the branch office routers inside and outside interfaces from the branch office PC.
Lab 5-16 Cisco SAFE Implementation 1.1
Copyright
Ping the backbone router in the cloud network from the branch office router.
Establish connectivity to corporate DMZ network resources.
Ensure the Syslog server is running on the branch office PC.
Create a warning message that is displayed when a user establishes an interactive session:
-
-
Step 2
Step 3
-
Step 4
Copyright
Create a standard ACL to permit management access from the branch PC:
--- -
Step 2
Step 3
Step 4
Step 5
Complete the following steps to enable the NAT features to hide the internal network address.
Example command entries are included with each step.
Step 1
Establish static translation between an inside local address and an inside global address:
Copyright
- - -
Step 2
Step 3
Step 4
Step 5
The interface name is specified instead of the IP address. Why might this be preferred
instead of specifying the interfaces IP address?
A)
--- - -
--- -
---
Is allowing ICMP traffic to the branch routers outside interface acceptable? Why or
why not?
A)
Step 2
Copyright
Create an ACL that filters RFC 1918 addresses that do not conflict with your network addresses.
Note
The course lab topology does not allow for including the complete RFC 1918 private
addresses. The listed addresses are those that do not effect the communication between the
lab equipment. For actual implementation, include all appropriate RFC 1918 private addresses
applicable to your network.
---
---
Step 3
Step 4
Step 5
To avoid being locked out of your router and ensure outside connectivity, enter the network
address of the branch office.
---
---
Step 6
Enable inbound CBAC inspection on the inside interface for the following protocols:
TCP
UDP
FTP
H323
Copyright
RealAudio
-
-
-
-
-
-
What other protocols might you consider adding to the inspection list? Why?
A)
Step 2
Ping the branch office routers inside and outside interface from the branch office PC:
Step 2
If you are unable to telnet to your branch office router, console into your branch office router
and check the ACLs applied to your VTY lines and inside interface.
Step 3
Verify HTTP and FTP connectivity to the corporate Web server: 192.168.P.11.
(where P = pod number)
Step 4
Verify that the address translation is working properly using the show ip nat command:
Copyright
- Step 5
-
-
--
- - --
-
-
-
-
-
-
-
-
-
-
-
--
-- -
--
Copyright
--
--
-
-
-
--
--
--
-
-
- - -
--- -
---
--- - -
--- - -
--- -
Copyright
---
---
---
---
---
---
---
---
---
-
-
--
-
----
--
-
-
Copyright
Answers
Q1)
What are the default interface names and security levels? Why is it important to assign
the appropriate security levels?
A)
Q2)
Why is the internal network address specified instead of the wildcard network address
(0.0.0.0)?
A)
Q3)
Copyright
Q7)
Statically mapped address help provide a record of the traffic initiated by the
actual IP address instead of the translated address. A possible disadvantage is
exposing the actual IP address to networks that do not have a need to know.
Why is it important to restrict outbound access from the public services segment
network?
A)
Q6)
A default route is preferred because you can have a higher level of trust over
static routes as opposed to learned routes.
What are some advantages and disadvantages to statically mapping the inside network in
this case?
A)
Q5)
To control the networks that are translated. Specifying the wildcard could
possibly allow rogue networks access to other networks.
Is using a default route preferred over obtaining routes via a routing protocol? Why or
why not?
A)
Q4)
The default interface names are outside and inside. The security levels are
important to define the traffic flows that require access controls to permit or
deny traffic.
A)
Q8)
Q9)
This might be preferred in those network environments where the branch office
is dynamically assigned an IP address by the ISP.
Is allowing ICMP traffic to the branch routers outside interface acceptable? Why or
why not?
A)
Q12)
Device logging enables the network security administrator to visibility into what
traffic is being allowed or denied. The companys security policy should
ultimately determine the appropriate logging level. Some logistical issues that
effect logging are as follows: disk space, log file analysis, and log file rotation.
The interface name is specified instead of the IP address. Why might this be preferred
instead of specifying the interfaces IP address?
A)
Q11)
These ACL entries are used to mitigate IP spoofing attacks where the attacker
uses internal addresses.
What are some of the benefits of device logging? What determines the appropriate
logging level?
A)
Q10)
This prevents internal users from creating their own networks and accessing
outside networks without prior approval.
What other protocols might you consider adding to the inspection list? Why?
A)
Other common protocols that could be added are TFTP, HTTP, and Java. The
protocols are covered to some degree by TCP and UDP but provide more
specific inspection.
Copyright
ImplementationLayer 3 switch
Summary
Lab exercise
6-2
Copyright
Objectives
This section lists the chapters objectives.
Objectives
Copyright
CSI 1.16-2
6-3
Midsize network
or branch edge
Midsize network
or branch Campus
PSTN module
Campus module
Management
server
PSTN
Corporate
users
ISP edge
module
Internet
Frame or ATM
module
FR/ATM
2003, Cisco Systems, Inc. All rights reserved.
Public
services
WAN module
Corporate
servers
CSI 1.16-4
As in the small network design, the corporate Internet module has the connection to the Internet,
and terminates VPN traffic and public-services traffic (Domain Name System [DNS], HTTP,
File Transfer Protocol [FTP], and Simple Mail Transfer Protocol [SMTP]). Dial-in traffic also
terminates at the corporate Internet module. The campus module contains the Layer 2 and Layer
3 switching infrastructure along with all the corporate users, management servers, and intranet
servers.
From a WAN perspective, there are two options for the remote sites connecting into the midsize
design. The first is a private WAN connection using the WAN module; the second is an IPSec
virtual private network (VPN) into the corporate Internet module. Most of the discussion on this
design is based on the midsize network operating as the head-end for a corporation. Specific
design changes when used as a branch are also included.
6-4
Copyright
Servers
Dial-in
SMTP
DNS
FTP or HTTP
Firewall
Layer 2 switch
NIDS appliance
VPN Concentrator
Edge router
PSTN
Internet
Public
services
CSI 1.16-5
The goal of the corporate Internet module for a midsize network is to provide internal users with
connectivity to Internet services and Internet users access to information on the public servers
(DNS, FTP, HTTP, and SMTP). Additionally, this module terminates VPN traffic from remote
users and remote sites as well as traffic from traditional dial-in users.
The following are key devices used in the corporate Internet module for a midsize network:
Dial-in serverAuthenticates individual remote users and terminates their analog
connections
SMTP serverActs as a relay between the Internet and the intranet mail servers and inspects
content
DNS serverServes as authoritative external DNS server for the midsize network and relays
internal requests to the Internet
FTP or HTTP serverProvides public information about the organization
FirewallProvides network-level protection of resources and stateful filtering of traffic,
provides differentiated security for remote access users, and authenticates trusted remote
sites and provides connectivity using IPSec tunnels
Layer 2 switches (with private VLAN support)Provides Layer 2 connectivity for devices
NIDS applianceProvides Layer 4-to-Layer 7 monitoring of key network segments in the
module
Copyright
6-5
6-6
Copyright
Expected Threats
and Mitigation Roles
CSI 1.16-6
From a threat perspective, a small or midsized network is like most networks connected to the
Internetthere are internal users who need access out and external users who need access in.
Several common threats can generate the initial compromise that a hacker needs to further
penetrate the network with secondary exploits.
The following threats can be expected in the SAFE SMR Midsize network:
Unauthorized accessMitigated through filtering at the ISP, edge router, and corporate
firewall
Application layer attacksMitigated through IDSs at the host and network levels
Virus and Trojan horse attacksMitigated through e-mail content filtering, HIDSs, and
host-based virus scanning
Password attacksLimited services available to brute force (operating systems and IDSs
can detect the threat)
DoSCAR at the ISP edge and TCP setup controls at the firewall
Copyright
6-7
IP spoofing
Packet sniffers
Network reconnaissance
Trust exploitation
Port redirection
CSI 1.16-7
IP spoofingRFC 2827 and 1918 filtering at the ISP edge and midsize network edge router
Packet sniffersA switched infrastructure and an HIDS to limit exposure
Network reconnaissanceAn IDS detects reconnaissance, and filters protocols to limit
effectiveness
Trust exploitationRestrictive trust model and private VLANs to limit
trust-based attacks
Port redirectionRestrictive filtering and an HIDS to limit attacks
The publicly addressable servers are likely points of attack within the SAFE SMR Midsize
corporate Internet module. These systems will likely be attacked with application layer
vulnerabilities and denial of service (DoS) attacks.
The remote access and site-to-site VPN services are also points of attack within this module. The
following are expected threats:
Network topology discoveryAccess control lists (ACLs) on the ingress router limit access
to the Cisco VPN Concentrator and firewall (when used to terminate IPSec tunnels from
remote sites), to Internet Key Exchange (IKE), and to Encapsulating Security Payload (ESP)
from the Internet.
Password attackOne-time passwords (OTP) mitigate brute force password attacks.
6-8
Copyright
Copyright
6-9
Authenticate users
and terminate IPSec
Private VLANs
PSTN
Focused Layer
47 analysis
Spoof
mitigation
basic filtering
Spoof
mitigation,
and
rate-limiting
SMTP content
inspection
Internet
Focused Layer
47 analysis
The overall roles and relative location of each device are detailed in the figure. Each device will
be discussed in detail in the following sections.
6-10
Copyright
Public
services
CSI 1.16-10
The primary function of the customer-edge router in the ISP (ISP router) is to provide
connectivity to the Internet or ISP network. The egress of the ISP router rate limits nonessential
traffic that exceeds prespecified thresholds in order to mitigate against distributed denial of
service (DdoS) attacks. Finally, at the egress of the ISP router, RFC 1918 and RFC 2827
filtering is configured to mitigate against source-address spoofing of local networks and private
address ranges.
Copyright
6-11
Spoof mitigation
and basic
filtering
Internet
Public
services
CSI 1.16-11
The function of the edge router on the midsize network is to provide the demarcation point
between the ISP network and the midsize network. At the ingress of the edge router on the
midsize network, basic filtering limits access to allow only expected IP traffic. This provides a
coarse filter for the most basic attacks.
RFC 1918 and RFC 2827 filtering is also provided as a verification of the ISPs filtering. In
addition, because of the enormous security threat that they create, the router is configured to
drop most fragmented packets that should not generally be seen for standard traffic types on the
Internet. Any legitimate traffic lost because of this filtering is considered acceptable when
compared to the risk of allowing such traffic.
Any IPSec traffic destined for the VPN Concentrator or the firewall is allowed through. Filtering
on the router is configured to allow only IKE and IPSec traffic to reach the VPN Concentrator or
firewall. Because with remote access VPNs the IP address of the remote system is not generally
known, the filtering can be specified only to the head-end peer (VPN Concentrator) with which
the remote users are communicating. With site-to-site VPNs, the IP address of the remote site is
usually known; therefore, filtering may be specified for VPN traffic to and from both peers.
6-12
Copyright
PSTN
Internet
Public
services
CSI 1.16-12
The primary function of the PIX Firewall is to provide connection-state enforcement and
detailed filtering for sessions initiated through the firewall. The firewall also acts as a
termination point for site-to-site IPSec VPN tunnels for both remote site production and remote
site management traffic.
There are multiple segments off the firewall. The first is the public services segment
(Demilitarized Zone), which contains all the publicly addressable hosts. The second is for remote
access VPN and dial-in.
DNS should be locked down to respond only to desired commands and eliminate any
unnecessary responses that might assist hackers in network reconnaissance. This includes
preventing zone transfers from anywhere except legitimate secondary DNS servers.
The SMTP server includes mail-content inspection services that mitigate virus attacks and
Trojan horse attacks generated against the internal network, which are usually introduced
through the mail system. The firewall itself filters SMTP messages at Layer 7 to allow only
necessary commands to the mail server.
Publicly addressable servers have some protection against TCP SYN floods through mechanisms
such as the use of half-open connection limits on the firewall. From a filtering standpoint, in
addition to limiting traffic on the public services segment to relevant addresses and ports,
filtering in the opposite direction also occurs. If an attack compromises one of the public servers
(by circumventing the firewall, host-based intrusion detection system [HIDS], and networkbased intrusion detection system [NIDS]), that server should not be able to further attack the
network.
To mitigate this type of attack, specific filtering prevents any unauthorized requests from being
generated by the public servers to any other location. As an example, the web server should be
Copyright
6-13
filtered so that it cannot originate requests of its own, but merely respond to requests from
clients. This setup helps prevent a hacker from downloading additional utilities to the
compromised device after the initial attack. It also helps stop unwanted sessions from being
triggered by the hacker during the primary attack. An attack that generates an xterm from the
web server through the firewall to the hackers machine is an example of such an attack.
Private VLANs prevent a compromised public server from attacking other servers on the same
segment. This traffic is not even detected by the firewall, a fact that explains why private
VLANs are critical.
6-14
Copyright
Design Guidelines
for Intrusion Detection
Focused Layer
47 analysis
PSTN
Internet
Focused Layer
47 analysis
Public
services
CSI 1.16-13
The public services segment includes an NIDS appliance. The primary function of an NIDS is to
detect attacks on ports that the firewall is configured to permit. These attacks are most often
application-layer attacks against specific services. The NIDS on the public services segment
should be set in a restrictive stance because signatures matched here have successfully passed
through the firewall already.
Each of the servers has and HIDS on it as well. The primary function of an HIDS is to monitor
against any rogue activity that occurs at the operating-system level as well as in common server
applications (FTP, HTTP, SMTP, and so on).
The NIDS appliance between the private interface of the firewall and the internal router provides
a final analysis of attacks. Very few attacks should be detected on this segment because only
responses to initiated requests, a few select ports from the public services segment, and traffic
from the remote access segment are allowed to the inside. Only sophisticated attacks should be
seen on this segment because they could mean that a system on the public services segment has
been compromised and the hacker is attempting to take advantage of this foothold to attack the
internal network.
For example, if the public SMTP server was compromised, a hacker might try to attack the
internal mail server over TCP port 25, which is permitted to allow mail transfer between the two
hosts. If attacks are seen on this segment, the responses to those attacks should be more severe
than those on other segments because they probably indicate that a compromise has already
occurred. The use of TCP resets or shunning to thwart, for example, the SMTP attack mentioned
previously, should be seriously considered.
Copyright
6-15
Internet
Public
services
CSI 1.16-14
The primary function of the remote access VPN Concentrator is to provide secure connectivity
to the midsize network for remote users.
Following termination of the VPN tunnel, traffic is sent through a firewall to ensure that VPN
users are appropriately filtered. This setup also enables IDS shunning to take place on the
firewall. This scenario is in contrast to many deployments today that place the firewall in front of
the VPN device. When placed in front, no visibility into the specific types of user traffic is
possible because the traffic is still encrypted.
Via IPSec policy sent from the Concentrator to the client, users are prevented from enabling split
tunneling, thereby forcing users to access the Internet via the corporate connection. The IPSec
parameters used are Triple Data Encryption Standard (3DES) for encryption and secure hash
algorithm (SHA) and hash-based message authentication code (HMAC) for data integrity.
6-16
Copyright
PSTN
Internet
Public
services
CSI 1.16-15
The traditional dial-in users are terminated on an access router with built-in modems. When the
Layer 2 connection is established between the user and the server, three-way Challenge
Handshake Authentication Protocol (CHAP) is used to authenticate the user. As in the remote
access VPN service, the authentication, authorization, and accounting (AAA) server is used for
authentication. When authenticated, the users are provided with IP addresses from an IP pool.
Copyright
6-17
Design Guidelines
for the Inside Router
PSTN
Internet
Public
services
Demarcation
CSI 1.16-16
The primary function of the inside router is to provide Layer 3 separation and routing between
the corporate Internet module and the campus module. This device functions strictly as a router
with no ACLs restricting traffic across either interface.
Because routing information itself can be used in a DoS attack, authentication of routing updates
between devices may be used to mitigate such an attack. The inside router provides a final point
of demarcation between the routed intranet and the outside world. Because most firewalls are
configured without routing protocols, it is important to provide a point of routing within the
corporate Internet module that does not rely on the rest of the network.
6-18
Copyright
Design Alternatives
NIDS and
URL filtering
PSTN
Stateful
firewall
Eliminate
Internet
Public
services
A URL-filtering server
CSI 1.16-17
This SAFE SMR corporate Internet module has several alternative designs:
Rather than implementing basic filtering on the edge router to the midsize network, a
network administrator may choose to implement a stateful firewall on this device as well.
Having two stateful firewalls provides more of a defense-in-depth approach to security
within the module.
Depending on the network administrators attitude toward attack awareness, an NIDS
appliance might be required in front of the firewall. With the appropriate basic filters, the
IDS outside the firewall can provide important alarm information that would otherwise be
dropped by the firewall.
Because the amount of alarms generated on this segment is probably large, alarms generated
here should have a lower severity than alarms generated behind a firewall. Also, consider
logging alarms from this segment to a separate management station to ensure that legitimate
alarms from other segments get the appropriate attention. With the visibility that an NIDS
outside the firewall provides, evaluation of the attack types your organization is attracting
can be better seen. In addition, evaluation of the effectiveness of ISP and enterprise edge
filters can be performed.
Another alternative is the elimination of the router between the firewall and the campus
module. Although its functions can be integrated into the campus module Layer 3 switch,
this setup would eliminate the ability of the corporate Internet module to function without
relying on Layer 3 services from another area of the network.
Copyright
6-19
The addition of content inspection beyond the mail-content inspection already specified
could also be used. For example, a URL-filtering server could be placed on the public
services segment to filter the types of web pages that employees can access.
6-20
Copyright
Layer 3 switch
Layer 2 switch
Corporate servers
To the
SMTP or POP3
corporate
Internet module
File and print
User workstations
NIDS appliance
Management hosts
SNMP
Syslog
TACACS+ or RADIUS
NIDS host
Management
server
Corporate
users
Corporate
servers
CSI 1.16-19
The midsize network campus module contains end-user workstations, corporate intranet servers,
management servers, and the associated Layer 2 and Layer 3 infrastructure required to support
the devices. All the campus modules from SAFE Enterprise have been combined into a single
module. This setup more accurately reflects the smaller size of midsize networks, and reduces
the overall cost of the design. As in the corporate Internet module, the redundancy that would
normally be found in an enterprise design has been removed from the midsize network design.
The following are the midsize network campus module key devices:
Layer 3 switchRoute and switch production and management traffic within the campus
module, provide distribution layer services to the building switches, and support advanced
services such as traffic filtering
Layer 2 switches (with private VLAN support)Provides Layer 2 services to user
workstations
Corporate serversProvides e-mail (SMTP and POP3) services to internal users, as well as
delivering file, print, and DNS services to workstations
User workstationsProvide data services to authorized users on the network
Copyright
6-21
NIDS hostProvides alarm aggregation for all NIDS devices in the network
6-22
Copyright
Expected Threats
and Mitigation Roles
The following threats are expected to the SAFE
SMR Midsize Network Campus Module:
CSI 1.16-20
Copyright
6-23
Expected Threats
and Mitigation Roles (cont.)
CSI 1.16-21
Application layer attacksOperating systems, devices, and applications are kept up-to-date
with the latest security fixes, and they are protected by an HIDS
IP spoofingRFC 2827 filtering prevents source-address spoofing
Trust exploitationTrust arrangements are very explicit (private VLANs prevent hosts on
the same subnet from communicating unless necessary)
Port redirectionAn HIDS prevents the installation of port redirection agents
6-24
Copyright
Focused Layer
47 analysis
Corporate
users
Corporate
servers
Layer 3 and 4 filtering of
management traffic, private
VLANs, and RFC filtering
CSI 1.16-22
Copyright
6-25
Corporate
users
Corporate
servers
CSI 1.16-24
The primary function of the core switch is to provide routing and switching for production and
management traffic, distribution layer services (routing, quality of service [QoS], and access
control) for the distribution and access switches, connectivity for the corporate and management
servers, and advanced services such as traffic filtering between the subnets.
In the figure, a Layer 3 switch is used instead of a Layer 2 switch in order to provide separate
VLANs for the following:
Corporate server segment
Management server segment
Corporate user segment
Connectivity to the WAN module and to the corporate Internet module
The Layer 3 switch provides a line of defense and prevention against internally originated
attacks. It can mitigate the chance of a department accessing confidential information on another
departments server through the use of access control. For example, a network that contains
marketing and research and development might segment off the R and D server to a specific
6-26
Copyright
VLAN and filter access to it, ensuring that only R and D staffs have access to it. For
performance reasons, it is important that this access control be implemented on a hardware
platform that can deliver filtered traffic at near wire rates. This setup generally dictates the use of
Layer 3 switching, as opposed to more traditional dedicated routing devices. This same access
control can also prevent local source-address spoofing through the use of RFC 2827 filtering.
RFC 2827 filtering should be implemented on the corporate user and corporate intranet server
VLANs.
Within each of the VLANs, private VLANs can be used to mitigate trust-exploitation attacks
between the devices. For instance, within the corporate server segment, the individual servers
may not have any requirement to communicate with each other. They need to communicate only
with devices connected to the corporate user segment.
To provide a further line of defense for the management servers, extensive Layer 3 and Layer 4
filtering is configured outbound on the VLAN interface connecting to the management server
segment. The ACL limits connectivity to and from the management servers only to those devices
(via IP addresses) under their control, and only for those protocols and services (via port
number) that are required. This also includes access control for management traffic destined for
the remote site devices. This traffic is encrypted by the firewall and sent to the remote sites.
Allowing only established connections back through the ACL further controls access to the
managed devices.
Copyright
6-27
Design Guidelines
for Intrusion Detection
Management
server
To the
corporate
Internet module
Corporate
users
Focused Layer
47 analysis
Corporate
servers
CSI 1.16-25
The campus module also includes an NIDS appliance. The switch port that connects to the NIDS
appliance is configured such that traffic from all VLANs that require monitoring is mirrored to
the monitoring port of the appliance.
Very few attacks should be detected here because this NIDS appliance provides analysis against
attacks that may originate from within the campus module itself. For instance, if a user
workstation was compromised because of an unknown modem connection to that host, the NIDS
could detect suspicious activity originating from within the campus. Other internal attacks could
originate from disgruntled employees, workstations left where unauthorized people can gain
access to them, or Trojan horse applications inadvertently loaded on portable PCs.
Each of the corporate intranet and management servers also has an HIDS installed.
6-28
Copyright
Design Alternatives
The following design
alternatives are
available:
Integrated IDS
module in the
core switch
If the network is
To the
small enough,
corporate
incorporate Layer 2
Internet module
switch functionality
into the core switch.
Separate the router and Layer 2
switch instead of the core
switch.
Replace the NIDS appliance
with the IDS module in the core
switch.
Integrate switch
functionality
Management
server
Corporate
users
Corporate
servers
Separate
router and
Layer 2 switch
CSI 1.16-26
If the midsize network is small enough, the functionality of the distribution and access switches
can be rolled into the core switch, and the distribution and access switches can be eliminated. In
this case, the end-user workstations would be connected directly to the core switch. Private
VLAN functionality would be implemented on the core switch in order to mitigate trustexploitation attacks.
If the performance requirements of the internal network are not high, a separate router and Layer
2 switch could be used for the core and distribution instead of the higher-performing Layer 3
switch.
If desired, the separate NIDS appliance can be replaced with an integrated IDS that fits into the
core switch. This setup provides higher traffic throughput into the IDS because it sits on the
backplane of the switch, rather than being connected via a single 10/100-Mbps Ethernet port.
ACLs on the switch can be used to control what traffic is sent to the IDS.
Copyright
6-29
FR/ATM
To the campus
module
CSI 1.16-28
The IOS router is a key device for the midsize network WAN. It provides routing, access
control, and QoS mechanisms to remote locations.
The following are mitigated threats for the midsize network WAN:
IP spoofingIP spoofing can be mitigated through Layer 3 filtering.
Unauthorized accessSimple access control on the router can limit the types of protocols to
which branches have access.
6-30
Copyright
FR/ATM
IPSec tunnel
To the campus
module
VPN tunnel
CSI 1.16-29
The amount of security placed in the WAN module depends on the level of trust for the remote
sites and the ISP to which you are connecting. Security is provided by using IOS security
features. In this design, inbound ACLs applied to the serial interface are used to block all
unwanted traffic from accessing the midsize network. Inbound ACLs applied to the Ethernet
interface can be used to further limit what traffic passes from the midsize network back to the
remote sites.
Alternatives involve organizations that are very concerned about information privacy and
encrypt traffic across their classic WAN links. Similar to site-to-site VPNs, IPSec can be used to
achieve this level of information privacy. Additionally, running a firewall on the WAN router
can provide additional access control options when compared with the basic ACLs used in the
SAFE design.
Copyright
6-31
ISP RouterImplementation
Commands Summary
PSTN
Spoof mitigation
and (D)DoS
rate-limiting
Internet
Public
services
rate-limit
CSI 1.16-31
Starting at the customer edge router in the ISP, the egress of the ISP rate limits nonessential
traffic that exceeds pre-specified thresholds in order to mitigate DDoS attacks. Also at the egress
of the ISP router, RFC 1918 and RFC 2827 filtering mitigate source-address spoofing of local
networks and private address ranges.
At the ingress of the firewall, RFC 1918 and RFC 2827 filtering are first provided as a
verification of the ISPs filtering. In addition, because of the enormous security threat that
fragmented packets create, the firewall is configured to drop most fragmented packets that
should not generally be seen for standard traffic types on the Internet. Any legitimate traffic lost
because of this filtering is considered acceptable when compared to the risk of allowing such
traffic. Traffic destined to the firewall itself from the outside is limited to IPSec traffic and any
necessary protocols for routing.
6-32
Copyright
PSTN
access-list
access-group
Internet
Public
services
CSI 1.16-32
The function of the edge router on the midsize network is to provide the demarcation point
between the ISP network and the midsize network. At the ingress of the edge router on the
midsize network, basic filtering limits access to allow only expected IP traffic, providing a
coarse filter for the most basic attacks. RFC 1918 and RFC 2827 filtering are also provided here
as a verification of the ISPs filtering.
In addition, because of the enormous security threat that fragmented packets create, the router is
configured to drop most fragmented packets that should not generally be seen for standard traffic
types on the Internet. Any legitimate traffic lost because of this filtering is considered acceptable
when compared to the risk of allowing such traffic.
Any IPSec traffic destined for the VPN Concentrator or the firewall is allowed through. Filtering
on the router is configured to allow only IKE and IPSec traffic to reach the VPN Concentrator or
firewall. Because with remote access VPNs the IP address of the remote system is not generally
known, the filtering can be specified only to the head-end peer (VPN Concentrator) with which
the remote users are communicating. With site-to-site VPNs, the IP address of the remote site is
usually known; therefore, filtering may be specified for VPN traffic to and from both peers.
Copyright
6-33
Implementation CommandsSpoof
Mitigation and RFC Filtering
router(config)#
--- ---
- -
- - -
- -
The access-list command enables you to specify if an IP address
is permitted or denied access to a port or protocol.
---
router(config-if)#
-- --- ---
The access-group command binds an ACL to an interface.
--
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.16-33
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
Access controlThe most common method for preventing IP spoofing is to properly
configure access control. To reduce the effectiveness of IP spoofing, configure access
control to deny any traffic from the external network that has a source address that should
reside on the internal network. Note that this helps prevent spoofing attacks only if the
internal addresses are the only trusted addresses. If some external addresses are trusted, this
method is not effective.
RFC 2827 filteringYou can also prevent users of a network from spoofing other networks
(and be a good Internet citizen at the same time) by preventing any outbound traffic on your
network that does not have a source address in your organizations own IP range. Your ISP
can also implement this type of filtering, which is collectively referred to as RFC 2827
filtering. This filtering denies any traffic that does not have the source address that was
expected on a particular interface.
For example, if an ISP is providing a connection to the IP address 15.1.1.0/24, the ISP could
filter traffic so that only traffic sourced from address 15.1.1.0/24 can enter the ISP router
from that interface. Note that unless all ISPs implement this type of filtering, its
effectiveness is significantly reduced. Also, the further you get from the devices you want to
filter, the more difficult it becomes to do that filtering at a granular level. For example,
performing RFC 2827 filtering at the access router to the Internet requires that you allow
your entire major network number (that is, 10.0.0.0/8) to traverse the access router. If you
perform filtering at the distribution layer, as in this architecture, you can achieve more
specific filtering (that is, 10.1.5.0/24).
6-34
Copyright
dynamic dynamic-name
(Optional.) Identifies this ACL as a dynamic ACL. Refer to lockand-key access documented in the "Configuring Lock-and-Key
Security (Dynamic Access Lists)" chapter in the Cisco IOS
Security Configuration Guide.
timeout minutes
deny
permit
protocol
source
source-wildcard
Copyright
6-35
destination
destination-wildcard
precedence precedence
tos tos
log
log-input
time-range time-range-name
6-36
access-list-number
access-list-name
in
out
Copyright
ImplementationIOS Firewall
The following section details the implementation of the IOS Firewall features and configuration.
PSTN
Internet
Public
services
CSI 1.16-35
The primary function of the IOS Firewall is to provide connection-state enforcement and
detailed filtering for sessions initiated through the firewall. The firewall also acts as a
termination point for site-to-site IPSec VPN tunnels for both remote site production and remote
site management traffic.
There are multiple segments off the firewall. The first is the public services segment, which
contains all the publicly addressable hosts. The second is for remote access VPN and dial-in.
Publicly addressable servers have some protection against TCP SYN floods through mechanisms
such as the use of half-open connection limits on the firewall. From a filtering standpoint, in
addition to limiting traffic on the public services segment to relevant addresses and ports,
filtering in the opposite direction also occurs. If an attack compromises one of the public servers
(by circumventing the firewall, HIDS, and NIDS), that server should not be able to further attack
the network.
To mitigate this type of attack, specific filtering prevents any unauthorized requests from being
generated by the public servers to any other location. As an example, the web server should be
filtered so that it cannot originate requests of its own, but merely respond to requests from
clients. This setup helps prevent a hacker from downloading additional utilities to the
compromised device after the initial attack. It also helps stop unwanted sessions from being
triggered by the hacker during the primary attack. An attack that generates an xterm from the
web server through the firewall to the hackers machine is an example of such an attack.
Copyright
6-37
Private VLANs prevent a compromised public server from attacking other servers on the same
segment. This traffic is not even detected by the firewall, a fact that explains why private
VLANs are critical.
6-38
Copyright
IOS FirewallImplementation
Commands Summary
The following are necessary mitigation roles and implementation
commands for the IOS Firewall:
Stateful packet filteringPart of CBAC on IOS Routers
Spoof mitigation and RFC filtering
access-list
access-group
Host DoS mitigation
ip inspect
Authenticate remote site, users, and logging
aaa new-model
tacacs-server
aaa authentication login
aaa authorization exec
aaa accounting exec
login authentication
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.16-36
The following are necessary mitigation roles and implementation commands for the IOS
Firewall:
Stateful packet filteringPart of Context-Based Access Control (CBAC) on Cisco IOS
Routers
Spoof mitigation and RFC filtering
Copyright
aaa new-modelTo define a set of inspection rules, enter this command for each
protocol that you want to inspect, using the same inspection-name.
6-39
6-40
Copyright
IOS FirewallImplementation
Commands Summary (cont.)
IPSec commandsProvide for IPSec tunnel
termination
crypto isakmp policy
encryption
authentication
group
crypto isakmp key
crypto ipsec transform-set
crypto map
set peer
set tranform-set
match address
CSI 1.16-37
Copyright
6-41
ImplementationPIX Firewall
This section describes the detailed configuration and implementation of the Cisco PIX Firewall.
PIX FirewallImplementation
Commands Summary
The following are necessary
mitigation roles and implementation
commands for the PIX Firewall:
Stateful packet filtering (this is the
default for the PIX Firewall)
Host DoS mitigation and basic
layer 7 filtering
ip verify reverse-path interface
PSTN
icmp
attack guard commands
(except for frag guard, these are
on by default)
static
Spoof mitigation and RFC filtering
Internet
access-list
access-group
Public
services
CSI 1.16-39
The following mitigation roles and implementation commands are used to implement the policy
on the PIX Firewall:
Stateful packet filteringThe default for the PIX Firewall
Host DoS mitigation and basic layer 7 filtering
6-42
access-listCreates an ACL
Copyright
PIX FirewallImplementation
Commands Summary (cont.)
Authenticate the remote site (and
PSTN
logging)
aaa-server
aaa authentication
logging on
Terminate IPSec
sysopt connection permit-ipsec
isakmp enable
Internet
isakmp key
isakmp policy
crypto ipsec transform-set
Stateful packet filtering, basic
Layer 7 filtering, host DoS
crypto map
Public
services
CSI 1.16-40
Terminate IPSec
isakmp policyUniquely identifies the IKE policy and assigns a priority to the policy
Copyright
6-43
ImplementationNIDS
This section explains the Cisco Intrusion Detection System (IDS) Sensor setup configuration
tasks. The configuration tasks are presented using the IDS Device Manager (IDM).
NIDS Implementation
IDM Sensor Setup Tasks
The following are the tasks to setup the
Sensor:
CSI 1.16-42
A Cisco IDS Sensor is initialized using the sysconfig-sensor Sensor command. Once the Sensor
has been initialized, configuration of the Sensor is done via a platform such as IDM or IDS
Management Center (MC).
You can change the parameters configured during Sensor initialization by completing the
following Sensor setup tasks:
Configure the Sensors network settingsThis task involves assigning values to network
and IDS communication parameters, such as an IP address and host identifier.
Define the list of hosts that are authorized to manage the SensorThis task involves
identifying those hosts and networks that should be allowed to manage the Sensor.
Configure remote management servicesThis task involves deciding which network
services are used to gain interactive access to the Sensor.
Configure secure shell (SSH) settingsThis task involves generating the Sensors SSH keys
and managing the known hosts file.
6-44
Copyright
Configure the Sensors date and timeThis task involves identifying the time zone and date.
This is important for time stamping log files.
Change the password for the account used to access IDMThis task involves changing the
password for either the netrangr or root account.
Copyright
6-45
Network Settings
Choose Device>Sensor Setup>Network.
CSI 1.16-43
Launch your web browser and specify the Sensor as the location:
-----
6-46
Step 2
Log in to the IDM as the netrangr user. The default netrangr password is attack.
Step 3
Select Device from the area bar. The Device sub-area bar is displayed.
Step 4
Select Sensor Setup from the sub-area bar. The Sensor Setup table of contents (TOC) is
displayed.
Step 5
Select Network from the TOC. The Sensors network settings are displayed in the work content
area.
Step 6
Enter the values listed in the following table for the Cisco IDS settings:
Cisco IDS Settings
Parameter Value
Description
Host Name
<Host Name>
Host ID
165535
Organization Name
<Org Name>
Organization ID
165535
IP Address
<IP Address>
PostOffice Port
102565535
Copyright
Step 7
Choose the alarm severity level from the Route Up Alarm Level drop-down menu.
Step 8
Choose the alarm severity level from the Route Down Alarm Level drop-down menu.
Step 9
Enter the values listed in the following table for the Cisco IDS settings:
Cisco IDS Settings
Parameter Values
Description
<Host Name>
IP address
<IP Address>
Netmask
<network mask>
Default route
<IP Address>
Step 10
Choose Yes or No from the Enable TLS/SSL drop-down menu to enable or disable the TLS/SSL
feature.
Step 11
Enter the port number to use for the IDM web server in the Web Server Port field.
Step 12
Copyright
6-47
CSI 1.16-44
The access control list (ACL) feature enables the network security administrator to set any
number of IP addresseseither by host or networkwhich are allowed to establish TCP
connections (Telnet, FTP, SSH, HTTP) to a Sensor. In most cases, access to the Sensor in this
manner should be limited to trusted hoststypically the IDM.
The ACL feature uses the UNIX software package TCP wrappers. The TCP wrappers software
controls access by using entries in the /etc/hosts.allow and /etc/hosts.deny files. These files
should not be modified. For more information about the TCP wrappers application, visit the
following web site: www.standford.edu/group/itss-ccs/security/unix/tcpwrappers_README.txt.
Complete the following steps to configure the Sensors network access control feature:
Step 1
Select Device from the area bar. The Device sub-area bar is displayed.
Step 2
Select Sensor Setup from the sub-area bar. The Sensor Setup TOC is displayed.
Step 3
Select Allowed Hosts from the TOC. The list of allowed networks and hosts is displayed in the
work content area.
Step 4
Select Add from the work content area. The Adding information is displayed in the work content
area.
Step 5
Step 6
6-48
Include the trailing period when entering network addresses (for example, to enter the network
10.0.1.0/24, enter 10.0.1. in the network address field).
Copyright
CSI 1.16-45
The Remote access configuration option enables the network security administrator to disable
insecure communication protocols such as Telnet and FTP.
Note
Complete the following steps to enable or disable Telnet or FTP access to the Sensor:
Step 1
Select Device from the area bar. The Device sub-area bar is displayed.
Step 2
Select Sensor Setup from the sub-area bar. The Sensor Setup TOC is displayed.
Step 3
Select Remote Access from the TOC. The Sensors remote access settings are displayed in the
work content area.
Step 4
Select or de-select the FTP check box to enable or disable the FTP service.
Step 5
Select or de-select the Telnet check box to enable or disable the Telnet service.
Step 6
Copyright
6-49
Time
Choose Device>Sensor Setup>Time.
CSI 1.16-46
The Time configuration option enables the network security administrator to modify the date,
time, and time zone for the Sensor appliance.
Complete the following steps to set the date and time:
6-50
Step 1
Select Device from the area bar. The Device sub-area bar is displayed.
Step 2
Select Sensor Setup from the sub-area bar. The Sensor Setup TOC is displayed.
Step 3
Select Time from the TOC. The Sensors time settings are displayed in the work content area.
Step 4
Enter the new time in the Time field. The format to enter the time is hh:mm:ss where hh is the
two-digit hour, mm is the two-digit minute number, and ss is the two-digit second number.
Step 5
Choose a system-defined time zone from the System Timezone drop-down menu or choose
Custom Timezone and enter a custom timezone.
Step 6
Copyright
Account Password
Choose Device>Sensor Setup>Password.
CSI 1.16-47
The Password configuration option enables the user to change the password for the account used
to log into IDM. Complete the following steps to change the accounts password:
Step 1
Select Device from the area bar. The Device sub-area bar is displayed.
Step 2
Select Sensor Setup from the sub-area bar. The Sensor Setup TOC is displayed.
Step 3
Select Password from the TOC. The user name whose password is to be changed is displayed in
the work content area.
Step 4
Step 5
Step 6
Step 7
Copyright
6-51
CSI 1.16-48
The Sensor configuration settings are saved by the Director and must be transferred to the
Sensor. Complete the following steps to apply the configuration settings to the Sensor:
6-52
Step 1
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 2
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed.
Copyright
NIDS Implementation
Event Logging
The Sensor by default logs all events locally:
Logs events by severity
Logs events by type
The Sensor can transfer archived copies of log
files offline to an FTP server:
Network access to the FTP server
FTP username and password
Directory with write permissions
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.16-49
The Cisco IDS logging service, loggerd, is enabled by default, and the Sensor is configured to
log events of all types locally. The events logged may be based on severity and type.
The Sensor is capable of transferring archived copies of log files offline to an FTP server. The
following are the requirements for the network log file transfer feature:
Network access to an FTP server
FTP username and password
Directory where the FTP user has write privileges
Copyright
6-53
NIDS Implementation
Event Logging (cont.)
The IP logging feature captures packets from an
attacking host:
Logs packets automatically when IP Log is a
signature response
Logs packets if the source address is entered
manually
Requires that event logging is enabled
The IP log file is in tcpdump format
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.16-50
The Sensor IP logging feature captures IP packets from an attacking host. The Sensor may be
configured to capture packets automatically when the signature action is IP Log. The Sensor may
be configured to capture packets if the network security administrator specifies the source
address.
The IP logging feature requires that the Sensors logging feature be enabled. The Director
displays a warning message if logging has not been enabled.
The IP log file is in tcpdump format and may be viewed by any application that is aware of the
tcpdump format.
6-54
Copyright
Event Logging
Choose Configuration>Logging>Event Logging.
CSI 1.16-51
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Logging from the sub-area bar. The Logging TOC is displayed.
Step 3
Select Event Logging from the Logging TOC options. The Event logging settings are displayed
in the work content area.
Step 4
Select or de-select the Enable check box to disable or enable the Sensors event logging service.
Step 5
Step 6
Step 7
Copyright
6-55
CSI 1.16-52
Complete the following steps to configure the Sensor to transfer the log files offline to an FTP
server:
Step 1
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Logging from the sub-area bar. The Logging TOC is displayed.
Step 3
Select Exporting Event Logs from the Logging TOC options. The Exporting Event Logs
settings are displayed in the work content area.
Step 4
Select or de-select the Export Archived Event Log files to enable or disable the exporting
feature.
Step 5
Parameters
Description
<IP Address>
<Directory Name>
Username
<username>
Password
<Password>
Note
Step 6
6-56
The user must have write access to the target FTP directory on the FTP server.
Copyright
NIDS Implementation
Sensing Overview
The Sensor has parameters that affect the
sensing function and that are not necessarily
specific to a particular signature or set of
signatures.
The following are the global sensing parameters:
Internal network
Sensing properties
Level of traffic logging
CSI 1.16-53
The Sensor has configuration parameters that affect the sensing function. These parameters are
not necessarily specific to a particular signature or set of signatures. The following are the global
sensing parameters:
Internal network
Sensing properties
Level of traffic logging
Copyright
6-57
Internal Networks
Choose Configuration>Sensing Engine>Internal Networks.
CSI 1.16-54
The internal network configuration parameter defines the list of networks that are considered as
protected by the Sensor. This information is used to define inside (IN) and outside (OUT)
network for alarm events. Inside networks are those defined as internal networks. All other
networks are identified as outside networks. The internal network definition is used for two
purposes:
Alarm eventsAlarm events include source (SRC) and destination (DST) fields. The IN and
OUT keywords are the possible values for either the source or destination field.
Signature filteringThe keywords IN and OUT are used when creating an exclusion of
inclusion signature filter.
Note
The internal network definition does not affect the Sensors intrusion detection capabilities. If
no internal network entries are added, the Sensor logs the source and destination of an attack
as OUT, OUT.
Complete the following steps to add addresses to the list of internal networks:
Step 1
Launch your web browser and specify the Sensor as the location:
-----
6-58
Step 2
Log into the IDM as the netrangr user. The default netrangr password is attack.
Step 3
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 4
Select Sensor Engine from the sub-area bar. The Sensor Engine TOC is displayed.
Step 5
Select Internal Networks from the TOC. The list of internal network addresses is displayed in
the work content area.
Copyright
Step 6
Click Add in the work content area. The network address field is displayed.
Step 7
Step 8
Click OK to add the network address to the list. The address is displayed in the list of network
addresses.
Step 9
Click the Edit icon next to the network address to edit the network address settings.
Copyright
6-59
Sensing Properties
Choose Configuration>Sensing Engine>Sensing Properties.
CSI 1.16-55
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Sensor Engine from the sub-area bar. The Sensor Engine TOC is displayed.
Step 3
Select Sensing Properties from the TOC. The Sensors sensing properties are displayed in the
work content area.
Step 4
Enter parameter values for the settings listed in the following table:
Cisco IDS Setting
Sensing Interface
Parameter Value
CustomEnables the network
security administrator to enter
a user-defined interface
name.
Description
This is the Sensors monitoring
interface device name.
Automatic is the default value.
AutomaticEnables the
Sensor to detect the correct
monitoring interfaces device
name.
Traffic Flow Severity
High
Medium
Low
Informational
Traffic Flow Timeout
6-60
065000
Copyright
Parameter Value
High
Medium
Low
Description
The alarm severity level
assigned to the Link status
signature. The default security
level is Low.
Informational
Storage Timeout Seconds
Step 5
Copyright
10600
6-61
CSI 1.16-56
The Level of Traffic Logging configuration option is used for TCP and UDP connection
signatures. This defines the types of TCP connection packets and UDP traffic that is logged:
Complete the following steps to configure the Sensors level of traffic logging:
Step 1
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Sensor Engine from the sub-area bar. The Sensor Engine TOC is displayed.
Step 3
Select Level Of Traffic Logging from the TOC. The current Level of Traffic logging value is
displayed in the work content area.
Step 4
Choose the traffic logging level from the Level Of Traffic Logging drop-down menu. The
following are the level options:
None
TCP connection requests & UDP traffic (which is the default)
TCP connection requests, SYN-ACK, FIN, RST & UDP traffic
TCP SYN-ACK packets from the specified port & UDP traffic
Step 5
6-62
Copyright
NIDS Implementation
Signature Overview
The sensing engines and signatures are the core
technologies of the Cisco IDSs.
The signatures are researched and developed by
Cisco security engineers.
The sensing engines use the signature
information to determine if the network traffic is
considered malicious activity.
The sensing engines are designed to perform
pattern matching, stateful pattern matching,
protocol decodes, and heuristic methods.
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.16-57
The sensing engines and signatures are the core technology of the Cisco IDS. The Cisco
Countermeasure Response Team (CRT) researches new vulnerabilities and develops signatures
that detect the new threats. The signatures are used by the sensing engine to perform the actual
intrusion detection analysis. The sensing engines are designed to perform a blend of the intrusion
detection analysis techniques, which include the following:
Pattern matching
Stateful pattern matching
Protocol analysis (decoding)
Heuristic methods
Copyright
6-63
NIDS Implementation
Signature Overview (cont.)
The Director enables the network security administrator
to view the signatures, which are categorized by the
following:
Signature groups
TCP connection signatures
UDP connection signatures
String signatures
ACL violation signatures
Basic signature configuration includes the following:
Enabling or disabling the signature
Assigning the severity level
Assigning the signature action
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.16-58
The Director enables the network administrator to view the IDS signature, which are categorized
by the following:
Signature groups
Custom signatures
TCP connection signatures
UDP connection signatures
String signatures
ACL violation signatures
Each signature has the following basic configurable parameters:
Enable statusEnables or disables the signature
Severity levelAssigns the severity level (information, low, medium, or high)
Signature actionAssigns the action to take if the signature is triggered
6-64
Copyright
Signature Groups
Choose Configuration>Sensing Engine>Signature Configuration>Signature
Group.
CSI 1.16-59
The Cisco CRT has grouped the signatures according to either an application or protocol. The
signature groupings are listed in the following table:
All Signatures
Authorization Failure Signatures
BackOrifice Signatures
Custom Signatures
Cisco IOS Signatures
DNS Signatures
Distributed DOS Signatures
FTP Signatures
Fingers Signatures
ICMP Signatures
IDENT Signatures
IMAP Signatures
Copyright
6-65
INN Signatures
IP Fragmentation Signatures
IP Header Signatures
LPR Signatures
Loki Signatures
POP Signatures
PostOffice Comm Status Signatures
RPC-based Application Signatures
Rlogin Signatures
SATAN Signatures
SMTP/Sendmail Signatures
SNMP Signatures
SQL Signatures
SSH Signatures
Security Violation Signatures
String Match Signatures
TCP Header Signatures
TCP Hijack Signatures
Telnet Signatures
UDP Application Signatures
UDP Header Signatures
WWW Signatures
Windows/NetBIOS Signatures
6-66
Copyright
Note
Copyright
6-67
Custom Signatures
Choose Configuration>Sensing Engine>Signature Configuration>Custom
Signatures.
CSI 1.16-60
The custom signatures are those signatures that the network security administrator has tuned or
created. These signatures are associated with a signature micro-engine.
The following are the signature micro-engines available:
Atomic.ICMPUsed to examine ICMP packets for a single condition, such as an ICMP
type.
Atomic.IPOptionsUsed to examine IP packets with a specified IP option.
Atomic.L3.IPUsed to examine layer 3 IP packets for a single condition, such as detecting
Enhanced Interior Gateway Routing Protocol (EIGRP) packets.
Atomic.TCPUsed to examine TCP packets for a single condition, such as a specific TCP
port.
Atomic.UDPUsed to examine UDP packets for a single condition, such as a specific UDP
port.
Flood.Host.ICMPUsed to examine an excessive number of ICMP packets sent to a target
host.
Flood.Host.UDPUsed to examine an excessive number of UDP packets sent to a target
host.
Flood.NetUsed to examine an excessive number of packets sent to a network segment.
6-68
Copyright
Copyright
6-69
String Signatures
Choose Configuration>Sensing Engine>Signature Configuration>String
Signatures.
CSI 1.16-61
String pattern matching signatures are based on searching to content (data) of a particular TCP
session. The string pattern is in regular expression similar to regular expression used in
programming languages such as Perl or Python.
Note
It is recommended that you add new string-matching signatures by using the STRING
signature micro-engines.
6-70
Step 1
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Sensor Engine from the sub-area bar. The Sensor Engine TOC is displayed.
Step 3
Select String Signatures from the TOC. A list of string signatures is displayed in the work
content area.
Step 4
Click Add. The Adding fields are displayed in the work content area.
Step 5
Step 6
Step 7
Enter the number of occurrences the string must occur to trigger the signature in the Occurrences
field.
Step 8
Step 9
Step 10
Choose the signature severity level from the Severity drop-down menu.
Step 11
Select the signature action by selecting the Block, IP Log, or Reset check boxes.
Step 12
Click OK to save the string signature. The signature is displayed in the list of string signatures.
Copyright
Step 13
Copyright
Click the Edit icon next to the signatures Enabled circle to tune the signature.
6-71
NIDS ImplementationIEV
Complete the following tasks to start
using IEV:
Add the IEV host as a remote event destination.
Download the IEV software from the Sensor.
Install the IEV software on the host.
Reboot the IEV host to start IDS services.
Add IDS devices that the IEV will monitor.
CSI 1.16-62
The IDS Event Viewer (IEV) software is included with the Sensor software. You must complete
the following tasks to begin using IEV to monitor events from an IDS device:
6-72
Step 1
Add the IEV host as a remote event destinationThis includes launching a web browser,
specifying the Sensor as the location, and then adding the IEV host as a remote event destination
and enable packet capturing.
Step 2
Download the IEV software from the SensorThis includes launching a web browser,
specifying the Sensor as the location, and then downloading IEV from the Sensor.
Step 3
Install the IEV software on the hostThis includes starting the IEV setup program and
continuing with the installation wizard.
Step 4
Reboot the IEV host to start the IDS servicesThis includes rebooting the IEV host in order to
initialize the IDS services needed by IEV.
Step 5
Add IDS devices that the IEV is to monitorThis includes specifying the IDS devices from
which the IEV application accepts events.
Copyright
CSI 1.16-63
Complete the following steps to add the IEV host as a remote event destination:
Step 1
Launch your web browser and specify the Sensor as the location:
-----
Step 2
Log into the IDM as the netrangr user. The default netrangr password is attack.
Step 3
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 4
Select Communications from the sub-area bar. The Communications TOC is displayed.
Step 5
Select Remote Hosts from the TOC. The remote host options are displayed in the work content
area.
Step 6
Click Add. The Adding window opens in the work content area.
Step 7
Enter the values listed in the following table and accept the default values for the other
parameters.
Copyright
Parameters
Description
Host Name
<Host Name>
Host ID
165535
Organization Name
<Org Name>
Organization ID
165535
IP Address
<IP Address>
PostOffice Port
102565535
6-73
Step 8
6-74
Parameters
Description
Heartbeat
165535
Click OK to accept the host values. The IEV host is displayed in the list of remote hosts.
Copyright
CSI 1.16-64
Select Event Destinations from the Remote Hosts TOC options. The list of event destinations is
displayed in the work content area.
Step 2
Step 3
Step 4
Step 5
Choose the alarm severity from the Level drop-down menu to send medium events to the IEV
host.
Step 6
Choose the Cisco IDS service from the Service drop-down menu.
Step 7
Step 8
Click OK to accept the event destination values. The IEV host is displayed in the list of event
destinations.
Copyright
6-75
CSI 1.16-65
6-76
Step 1
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 2
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed. The Sensor is configured to capture traffic and ready to send events to the
IEV.
Step 3
Copyright
IEV Download
Choose Monitoring>IDS Event Viewer.
CSI 1.16-66
Complete the following steps to download the IEV software from the Sensor:
Step 1
Launch your web browser and specify the Sensor as the location by entering the following:
-----
Step 2
Log into the IDM as user netrangr. The default netrangr password is attack.
Step 3
Select Monitoring from the area bar. The Monitoring sub-area bar is displayed.
Step 4
Select IDS Event Viewer from the sub-area bar. The IDS Event Viewer data is displayed in the
Content Area. Notice that Monitoring>IDS Event Viewer is displayed in the path bar.
Step 5
Select Download the Windows NT/2000 IDS Event Viewer from the Downloads section.
Step 6
Save the IEV installation application (iev-win.exe) to your hard disk. Note the destination
location. This information is needed in the next task.
Notice the IEV readme file is available for download. It is recommended to download this file
and review the information prior to installing the IEV.
Copyright
6-77
IEV Installation
CSI 1.16-67
The IEV installation application is a wizard-based installation program. Complete the following
steps to install the IEV application:
6-78
Step 1
Launch the IEV installation application from the location where it was saved. The Cisco IDS
Event Viewer Welcome window opens.
Step 2
Click Next to continue the installation wizard process. The Select Destination Location window
opens.
Step 3
Step 4
Click Next to continue with the wizard installation process. The Select Program Manager
window opens.
Copyright
CSI 1.16-68
Step 5
Enter the Program Manager group if the default location is not acceptable.
Step 6
Click Next to continue with the installation wizard process. The Start installation window opens.
Step 7
Step 8
Click Next to continue with the installation wizard process. The Installing window displays the
IEV installation progress.
Copyright
6-79
Step 9
The IEV application files are copied to the destination location. The IEV file copy process takes
approximately fiveseven minutes depending on system performance. After the files are copied,
the Configure Local Host PostOffice Settings window opens.
Step 10
Enter the local host PostOffice settings in the fields and click Next to continue with the
installation wizard process. The following table contains the communication parameters and a
description of each:
Cisco IDS Settings
Parameters
Description
Port Number
102565535
Organization Name
<Org Name>
Organization ID
165535
Host Name
<Hostname>
Host ID
165535
Note
6-80
CSI 1.16-69
This step does not add an IDS device to monitor. Adding a device to the IEV is described in
the next step.
Copyright
CSI 1.16-70
Step 11
Click Finish to complete the IEV installation wizard process. The Install dialog window opens.
Step 12
Do not remove the c:\my.cnf file. The MySQL server used by the IEV requires this file.
The IEV application requires supporting Cisco IDS services and applications. These services and
applications are initialized after the system is rebooted. The Cisco IDS services and applications
are as follows:
CSIDS Data Feed serviceResponsible for receiving the alarms from remote devices
Cisco IDS Event Viewer serviceStores the alarms in MySQL database, archives the
database files, and checks available disk space
MySQL serviceResponsible for consistently storing the data and serving data when
queried
Note
Copyright
The Cisco IDS Event Viewer service depends on the CSIDS Data Feed and MySQL services.
If you want to stop receiving alarms, you can stop the CSIDS Data Feed service, which will
stop the Cisco IDS Event Viewer service. Later you can restart the Cisco IDS Event Viewer
service, which will cause the CSIDS Data Feed service to resume receiving and storing
alarms.
6-81
CSI 1.16-71
The IEV installation process does not prompt you to add an IDS device to monitor. Complete the
following steps to add an IDS device to the IEV:
6-82
Step 1
Step 2
Choose File>New Devices from the main menu. The Device Properties window opens.
Step 3
Enter the new Sensor information in the fields and click OK to save the information. The IDS
device appears in the Devices folder. The following table contains the Sensor communication
parameters and a description of each:
CIDS Settings
Parameters
Description
IP Address
<IP Address>
Organization Name
<Org Name>
Organization ID
165535
Host Name
<Host Name>
Host ID
165535
PostOffice Port
102565535
Heartbeat
165535
Copyright
ImplementationVPN Concentrator
VPN Concentrator Implementation
PSTN
Authenticate
users and
terminate IPSec
General
IPSec
Internet
Public
services
CSI 1.16-73
Implementation on the Concentrator includes but is not limited to setting up the following:
The IKE proposals that are used
Group configuration
Copyright
Identity
General
IPSec
6-83
3002/Unity Client
2.5 Client
Certicom Client
CSI 1.16-74
The Concentrator can handle three types of remote clients: Cisco client, Altiga client, and
Certicom client. Before the Concentrator can interface with these clients, you must make sure
that the appropriate IKE proposal is configured, activated, and prioritized.In remote access
connections, the client sends IKE proposals to the Concentrator. The Concentrator functions
only as a responder. As the responder, the Concentrator checks the active IKE proposal list, in
priority order, to see if it can find a proposal that matches with parameters in the clients
proposed SA. If a match is found, the tunnel establishment continues. If no match is found, the
tunnel is torn down.
The IKE proposals are as follows:
For the Unity Client, use any of the proposals that start with Cisco VPN Client. The
default is Cisco VPN Client-3DES-MD5. The Unity Client proposal must be listed first
under the Active Proposals list, or your Client will not connect.
For the Altiga Client, use any of the IKE proposals, except the IKE proposals that end in
DH7.
For the Certicom Client, use a proposal that ends in DH7. The Certicom client requires a
proposal that supports Diffie-Hellman group 7 (DH7).
Each IKE proposal in the figure is a template. The parameters assigned to the template are
applied to individual remote connection.
6-84
Copyright
Within the User Management>Groups>Modify training window, you can view or modify
individual group parameters. There are four tabs located under User Management>Groups:
Identity tabConfigure the group name, password, and group authentication server type.
General tabConfigure access rights and privileges, and access protocols.
IPSec tabConfigure IPSec tunneling parameters.
PPTP/L2TP tabConfigure Point-to-Point Tunneling Protocol (PPTP) and Layer 2
Tunneling Protocol (L2TP) tunneling parameters.
In the Identity tab you can set the following Identity parameters:
Group Name fieldEnter a unique name for this specific group. The maximum is 32
characters.
Password fieldEnter a unique password for this specific group. The minimum is 4 and
maximum is 32 characters. The field displays only asterisks.
Verify fieldRe-enter the group password to verify it. The field displays only asterisks.
Type drop-down menuClick the drop-down menu button and choose the type of group:
Copyright
6-85
Simultaneous Logins fieldEnter the number of simultaneous logins that group users are
permitted. The minimum is 1 and the default is 3. While there is no maximum limit,
allowing several could compromise security and affect performance.
Minimum Password Length fieldEnter the minimum number of characters for group user
passwords. The minimum is 1, the default is 8, and the maximum is 32.
Allow Alphabetic-Only Passwords check boxSelect the check box to allow base group
user passwords with alphabetic characters only, which is the default. To protect security, it is
strongly recommended that you not allow such passwords.
Idle Timeout fieldEnter the base group idle timeout period in minutes. If there is no
communication activity on the connection in this period, the system terminates the
connection.
Maximum Connect Time fieldEnter the group maximum connection time in minutes. At
the end of this time, the system terminates the connection.
Filter drop-down menuSelect the type of filter you wish to apply to this group.
Primary DNS fieldEnter the primary IP address of the DNS server for this groups users.
Secondary DNS fieldEnter the IP address of the secondary DNS server for this groups
users.
6-86
Copyright
Primary WINS fieldEnter the primary IP address of the WINS server for this groups
users.
Secondary WINS fieldEnter the secondary IP address of the WINS server for this groups
users.
SEP Card Assignment check boxesIt is recommended that you leave all four check boxes
selected.
Tunneling Protocols check boxesSelect the tunneling protocols the user VPN Clients can
use. (Although the Concentrator can support all four protocols simultaneously, in this
chapters lab exercise, de-select PPTP and L2TP. Select IPSec only.)
Strip Realm check boxSelect this check box only for PPTP, L2TP, or both.
Copyright
6-87
The IPSec tab enables you to configure IPSec parameters that apply to this group. The window
can be divided into two sections: IPSec and remote access parameters. IPSec parameters can be
set as follows:
IPSec SA drop-down menuClick the drop-down menu button and choose the IPSec SA
assigned to this groups IPSec clients. During tunnel establishment, the IPSec client and
server negotiate a SA that governs authentication, encryption, encapsulation, key
management, and so on. View or modify IPSec SAs on the Configuration>Policy
Management>Traffic Management>Security Associations window.
IKE Peer Identity Validation drop-down menuThis option applies only to tunnel
negotiations based on digital certificates.
IKE Keepalives check boxSelect this check box to enable the feature. (IKE Keepalives is
enabled by default.) This feature enables the Concentrator to monitor the continued presence
of a remote peer, and to report its own presence to that peer. If the peer becomes
unresponsive, the Concentrator initiates removal of the connection. Enabling IKE keepalives
prevent hung connections when rebooting either the host or the peer. For this feature to
work, both the Concentrator and its remote peer must support IKE keepalives. The following
peers support IKE keepalives:
6-88
Copyright
ImplementationLayer 3 Switch
This section describes the implementation of the Layer 3 switch in the SAFE SMR medium
network campus module.
Error! Not a valid link.
The following commands and features are used to implement SAFE SMR on a Layer 3 switch:
Layer 3 and 4 filtering (and RFC filtering)
access-list command
access-group command
Trust Exploitation
Copyright
6-89
As with most devices using Cisco IOS or Cisco IOS-like commands, ACLs can be used to
implement Layer 3 and 4 filtering.
The syntax for the access-list command is as follows:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source sourcewildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range timerange-name]
access-list-number
dynamic dynamic-name
(Optional.) Identifies this ACLs as a dynamic ACL. Refer to lockand-key access documented in the "Configuring Lock-and-Key
Security (Dynamic Access Lists)" chapter in the Cisco IOS
Security Configuration Guide.
timeout minutes
deny
permit
protocol
source
source-wildcard
6-90
Copyright
destination
destination-wildcard
precedence precedence
tos tos
log
log-input
time-range time-range-name
Copyright
6-91
6-92
access-list-number
access-list-name
in
out
Copyright
Private VLANs (PVLANs) are available on the Catalyst 6000 running Cat operating system 5.4
or later, and are available on the Catalyst 4000, 2980G, 2980G-A, 2948G, and 4912G running
Cat operating system 6.2 or later.
PVLANs are a tool that enables the segregating of traffic at Layer 2 and turning a broadcast
segment into a non-broadcast multi-access-like segment. Traffic that comes to a switch from a
promiscuous port (that is, a port that is capable of forwarding both primary and secondary
VLANs) is able to go out on all the ports that belong to the same primary VLAN. Traffic that
comes to a switch from a port mapped to a secondary VLAN (it can be either an isolated, a
community, or a two-way community VLAN) can be forwarded to a promiscuous port or a port
belonging to the same community VLAN. Multiple ports mapped to the same isolated VLAN
cannot exchange any traffic.
Note
VLANs 1001, 1002, 1003, 1004, and 1005 cannot be used in PVLANs.
Copyright
vlans
pvlan-type
6-93
Configuring port security on the switch can mitigate these attacks. This option provides for
either the specification of the MAC addresses on a particular switch port or the specification of
the number of MAC addresses that can be learned by a switch port. When an invalid MAC is
detected on the port the switch can either block the offending MAC address or shutdown the
port.
The syntax for the set port security command is as follows:
set port security mod/port... [enable | disable] [mac_addr] [age {age_time}]
[maximum {num_ of_mac}] [shutdown {shutdown_time}] [violation
{shutdown | restrict}]
mod/port...
enable
disable
mac_addr
age age_time
maximum num_of_mac
shutdown shutdown_time
violation
shutdown
restrict
6-94
mod
port
statistics
system
Copyright
Summary
Error! Not a valid link.
Copyright
6-95
6-96
Copyright
Copyright
6-97
Objectives
In this exercise you will complete the following tasks:
Assign the Sensors IP network settings.
Define the lists of hosts that are allowed to access the Sensor.
Assign the Sensors communications infrastructure settings.
Enable the IDS Device Manager web server.
Save the Sensors initial configuration.
Verify the Sensors network configuration.
Cisco IDS Event Viewer.
Download the IEV software from the Sensor.
Install the IEV software on the PC.
Add the IDS devices to the list of devices monitored by the IEV.
Disable the Sensors insecure remote management services.
Configure the Sensor and PIX Firewall to perform IP Blocking.
Exchange SSH keys between the Sensor and the PIX Firewall.
Assign the blocking action to an IDS signature.
Configure the Sensors blocking properties.
Add a PIX Firewall as a blocking device.
Test the blocking configuration.
Copyright
Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.
172.26.26.P
Pod P (110)
172.26.26.0/24
.150
.10P e0/1
Branch
brP
.1 e0/0
10.2.P.0/24
RBB
.1
10.2.P.11
Branch
.2
.150
172.16.P.0/24
Super
Server
WWW
FTP
PSS
WWW
FTP
.10
e0/1
172.30.P.0/24
e0/0
192.168.P.0/24
rP
.2 e0
.5
.1 e1
.50
.4
pub
priv
.1 e4
.1 e2
DMZ
.5
pP
10.0.P.0 /24
172.18.P.0/24
cP
.100
RTS
sensorP
Student
10.0.P.11
CSI 1.16-1
Setup
You should not have to configure any routing or addressing of interfaces on lab equipment in
this exercise. You may find that your sensors setting may already be configured. In this case,
verify the settings are correct using the steps below before proceeding.
Lab 6-2
Copyright
Access the Sensor via its console port as directed by your instructor:
- -
Log into the Sensor as the root user with the default password attack:
--
Step 4
Execute the sysconfig-sensor utility on the Sensor. The Cisco IDS Sensor Initial Configuration
Utility menu appears.
----
Step 5
Enter y if prompted to write the values to disk. Select the options from the main menu listed in
the following table and assign the lab settings:
Cisco IDS Options/Parameters
Lab Settings
IP Address
10.0.P.4
IP Netmask
255.255.255.0
IP Host Name
sensorP
Default Route
Local: 10.0.P.1
In what situations would you not need a default route assigned to the Sensor?
A)
Task 2Define the Lists of Hosts that Are Allowed to Access the
Sensor
Complete the following steps to add the list of hosts and networks that are allowed to access the
Sensor via the network using either Telnet, FTP, SSH, or HTTP:
Step 1
Select the Access Control List option from the main menu. The Access Control List screen is
displayed.
Step 2
Lab Settings
Student PC
Local: 10.0.P.11
Student Network
Local: 10.0.P.
Would you recommend being more restrictive? What other network addresses might be
included, if any?
A)
Copyright
Step 3
Step 4
Select the Communication Infrastructure option from the main menu. The Communication
Infrastructure window opens.
Step 2
Enter y to continue, and enter the Cisco IDS Communications Infrastructure parameters listed in
the following table:
Cisco IDS Parameters
Lab Settings
Sensor Host ID
Sensor Organization ID
sensorP
podP
Sensor IP Address
10.0.P.4
Enter y when prompted if IDM will be used to manage the Sensor. The Communication
Infrastructure settings are displayed.
Step 4
Verify that the settings are correct and enter y when prompted to create the configuration files.
Enter n if any mistakes are made. Then enter y when prompted to enter the values again and
repeat steps 23.
Step 5
The configuration files are created and backup copies of any existing configuration files are
saved.
Step 6
Press Enter to continue. A message stating the configuration files were written successfully is
displayed.
Step 7
Press Enter to continue. The Cisco IDS Sensor Initial Configuration Utility menu is displayed.
Choose the IDS Device Manager option from the main menu. The IDS Device Manager menu
and current mode is displayed.
Step 2
Step 3
Lab 6-4
Copyright
Select the Exit option to exit the Cisco IDS Sensor Initial Configuration utility. A message
stating that the sysconfig-sensor configuration has been completed successfully is displayed.
Step 2
Press Enter to continue. A message stating you have entered values that require a reboot is
displayed.
Step 3
Enter y to reboot. A reboot warning message is displayed. Wait approximately one to two
minutes for the Sensor to reboot.
Launch your web browser and specify the Sensor as the location:
-
Step 2
Step 3
Log into the IDM as user netrangr. The default netrangr password is attack.
Step 4
Select Device from the area bar. The Device sub-area bar is displayed.
Step 5
Select Sensor Setup from the sub-area bar. The Sensor Setup table of contents (TOC) is
displayed.
Step 6
Select Network from the TOC. The Sensors network settings are displayed in the work content
area.
Step 7
Verify the values listed in the following table for the Cisco IDS parameters. Modify the
following values if necessary:
Copyright
Lab Values
Description
Host Name
sensorP
Host ID
Organization Name
podP
Organization ID
PostOffice Port
45000
IP address
10.0.P.4
Lab Values
Description
Netmask
255.255.255.0
Default route
Local: 10.0.P.1
Step 8
Continue with the next task if changes were not made to the Sensors network settings.
Step 9
Step 10
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 11
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed.
Launch your web browser and specify the Sensor as the location. To do this, enter the following
in the URL field of your web browser:
-
Step 3
Log into the IDM as user netrangr. The default netrangr password is attack.
Step 4
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 5
Select Communications from the sub-area bar. The Communications TOC is displayed.
Step 6
Select Remote Hosts from the TOC. The remote host options are displayed in the work content
area.
Step 7
Step 8
Enter the values listed in the following table and accept the default values for all other
parameters:
Lab 6-6
Lab Values
Description
Host Name
ievP
Host ID
12
Organization Name
podP
Organization ID
IP Address
Local: 10.0.P.11
PostOffice Port
45000
Copyright
Lab Values
Description
Heartbeat
Click OK to accept the host values. The IEV host is displayed in the list of remote hosts.
Step 10
Select Event Destinations from the Remote Hosts TOC options. The list of event destinations is
displayed in the work content area.
Step 11
Step 12
Choose the IEV host, ievP.podP, from the host drop-down menu.
Step 13
Choose the alarm severity level, Low, from the Level drop-down menu to send low events to the
IEV host.
Step 14
Choose the Cisco IDS Service, smid, from the Service drop-down menu.
Step 15
Select Cisco IDS event types to send to the IEV host: Alarms, Errors, and Commands.
Step 16
Click OK to accept the event destination values. The IEV host is displayed in the list of event
destinations.
Step 17
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 18
Click Finish to apply your changes to the Sensor. When the changes are successfully applied, a
message is displayed. The Sensor is now configured to capture traffic and ready to send events to
the IEV.
If the lab is set up in a remote fashion, do not attempt to download the IEV Software from the
Sensor. Install the software according to the instructor.
Step 1
Select Monitoring from the area bar. The Monitoring sub-area bar is displayed.
Step 2
Select IDS Event Viewer from the sub-area bar. The IEV data is displayed in the content area.
Notice Monitoring>IDS Event Viewer is displayed in the Path bar.
Step 3
Select Download the Windows NT/2000 IDS Event Viewer from the Downloads section. The
File Download window opens.
Step 4
Select Save this file to disk and click OK. The Save As window opens.
Step 5
Choose Desktop as the download location and click Save to save the IEV installation
application (iev-win.exe) to your desktop. The IEV software is installed in the next task. The
IEV installation application download process takes approximately 1015 minutes depending on
system performance.
Step 6
Log out of the IDM interface and close the web browser.
Copyright
Launch the IEV installation application from the PCs desktop. The Cisco IDS Event Viewer
Welcome window opens.
Step 2
Click Next to continue the installation wizard process. The Select Destination Location window
opens.
Step 3
Accept the default installation location and click Next to continue with the wizard installation
process. The Select Program Manager window opens.
Step 4
Accept the default Program Manager group and click Next to continue with the installation
wizard process. The Start installation window opens.
Step 5
Click Back if any mistakes were made. Click Next to continue with the installation wizard
process. The Installing window displays the IEV installation progress.
Step 6
The IEV application files are copied to the destination location. The IEV file copy process takes
approximately five to seven minutes depending on system performance. Once the files are
copied, the Configure Local Host PostOffice Settings window opens.
Step 7
Enter the IEV host PostOffice settings and click Next to continue with the installation wizard
process. The following table contains the communication parameters and a description of each:
Cisco IDS Parameters
Lab Values
Description
Port Number
45000
Organization Name
podP
Organization ID
Host Name
ievP
Host ID
12
Click Finish to complete the IEV installation wizard process. The Install dialog window opens.
Step 9
Task 10Add the IDS Devices to the List of Devices Monitored by the
IEV
This task involves launching the IEV application and adding the Sensor to the list of devices the
IEV will monitor. Complete the following steps to add the IDS devices to the list of devices
monitored by the IEV:
Step 1
Step 2
Choose File>New Device from the main menu. The Device Properties window opens.
Lab 6-8
Copyright
Enter the new Sensor information and click OK to save the information. The IDS device appears
in the Device Folders. The following table contains the Sensor communication parameters and a
description of each:
Step 3
Lab Values
Description
IP Address
10.0.P.4
Organization Name
podP
Organization ID
Host Name
sensorP
Host ID
PostOffice Port
45000
Heartbeat
Step 1
Step 3
Log into the IDM as user netrangr. The default netrangr password is attack.
Step 4
Select Device from the area bar. The Device sub-area bar is displayed.
Step 5
Select Sensor Setup from the sub-area bar. The Sensor Setup TOC is displayed.
Step 6
Select Remote Access from the TOC. The Sensors remote access settings are displayed in the
work content area.
Step 7
Step 8
Step 9
Step 10
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 11
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed.
Copyright
Step 12
Attempt to establish a Telnet session to your Sensor. Access should be denied because your
Sensors Telnet service is disabled.
Step 13
Attempt to establish an FTP session to your Sensor. Access should be denied because your
Sensors FTP service is disabled.
Step 14
Establish a secure shell (SSH) session to the Sensor as netrangr with the password attack.
Access should be allowed because SSH is enabled by default and is a secure method of
communication.
Configure SSH on the PIX Firewall to allow connections from the Sensor and the IDM host:
-
Note
You may be asked to zeroize the rsa keys if previously generated keys exist. Enter the ca
zeroize command and repeat the ca gen command.
-
-- -
This step is needed to demonstrate the IDS functionality and is not required in a production
environment.
- -- -
The order of the existing ACL must be modified to permit the following entry.
--- -
Task 13Exchange SSH Keys Between the Sensor and the PIX
Firewall
Complete the following steps to exchange SSH keys between the Sensor and the PIX Firewall:
Step 1
Establish a Telnet or SSH session to the Sensor and log on as user netrangr, password attack.
Copyright
Q3)
Step 2
--- --
Step 3
Note
If you are not prompted to accept the PIX Firewalls SSH key, the key was previously
accepted. Proceed with the next step. If you are given a warning, delete the Sensors
known_hosts file from the Sensor using the rm command.
Step 4
Step 5
Exit the SSH session between the Sensor and the PIX Firewall.
Step 6
Step 1
Log into the Cisco IDM as user netrangr. The default netrangr password is attack.
Step 3
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 4
Select Sensing Engine from the sub-area bar. The Sensing Engine TOC is displayed.
Step 5
Select Signature Groups from the Sensing Engine TOC. A list of signature groups is displayed
in the work content area.
Step 6
Select All Signatures from the list of Signature Groups. The list of All Signatures is displayed.
Step 7
Select Page 18 Sigid [5070-5085] from the drop-down menu at the bottom of the page.
Step 8
Step 9
Select the Edit icon for the WWWinNt cmd.exe access 5081. The Editing window opens.
Step 10
Step 11
Step 12
Change the MinHits value to 1 to enable the signature to trigger after one failed login attempt.
Step 13
Click OK to save the signature settings. The list of Signatures is displayed. Notice that the
WWWinNt cmd.exe Access Signature severity is High and that the action is set to block.
Step 14
Select Page 20 Sigid [5103-5117] from the drop-down menu at the bottom of the page.
Step 15
Copyright
Q4)
Are these signatures good candidates to perform IP blocking if detected? Why or why
not?
A)
Step 16
Select the Edit icon for WWWIIS Unicode Attack Signature 5114. The Editing window opens.
Step 17
Step 18
Change the MinHits value to 1 to enable the signature to trigger after one failed login attempt.
Step 19
Click OK to save the signature settings. The list of Signatures is displayed. Notice that the
WWWIIS Unicode Attack Signature severity is High and that the action is set to block.
Step 20
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 21
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed.
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Blocking from the sub-area bar. The Blocking TOC is displayed.
Step 3
Select Blocking Properties from the Blocking TOC. The Sensors blocking properties are
displayed.
Step 4
Step 5
Enter values for the Cisco IDS settings listed in the following table:
Cisco IDS Settings
Parameters
Description
Minutes of Block
10
100
Step 6
Select the Enable Policy Violations Logging check box to enable logging of policy violations.
Step 7
Deselect the Allow the Sensor IP to be Blocked check box to disable the ability to block the
Sensors IP address. This is the default setting.
Step 8
Step 9
If prompted, select Apply Changes from the IDM toolbar. The Finished option is displayed in
the work content area.
Step 10
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed.
Copyright
Step 1
Select Configuration from the area bar. The Configuration sub-area bar is displayed.
Step 2
Select Blocking from the sub-area bar. The Blocking TOC is displayed.
Step 3
Select Blocking Devices from the Blocking TOC. A list of the Sensors blocking devices is
displayed.
Step 4
Select Add from the content area. The Adding information is displayed in the content area.
Step 5
Enter values for the Cisco IDS settings listed in the following table:
Cisco IDS Settings
Parameters
Description
IP Address
10.0.P.1
NAT Address
Leave blank
Username
pix
Password
cisco
Enable Password
enable
Step 7
Step 8
Click OK to save the Blocking devices properties. The blocking device is displayed in the
content area.
Step 9
Click OK when the pop-up window with the message A Blocking Device Interface must be
specified for configuration of the new Blocking Device to be complete. opens.
Step 10
Select Apply Changes from the IDM toolbar. The Finished option is displayed in the work
content area.
Step 11
Click Finish to apply your changes to the Sensor. The Changes were applied successfully
message is displayed.
Q5)
Step 2
Step 3
Copyright
URL
Signature Name
http://192.168.P.10/msadc/samples/selector/showcode.asp
http://192.168.P.10/scripts/..%c0%af../winnt/system32
http://192.168.P.10/ scripts/..%35c../winnt/system32/cmd.exe?/c+dir
View the alarms generated in the IEV. Select a signature that was configured to perform a Block
if detected.
Q6)
Were all the attacks detected by the Sensor and reported to the IEV? Why or why not?
A)
Note
You can view the blocked hosts directly from the PIX Firewall by issuing the show shun
command.
Step 5
Select Administration from the area bar. The Administration sub-area bar is displayed.
Step 6
Select Manual Blocking from the sub-area bar. A list of blocking devices and the list of blocked
hosts and networks is displayed in the content area. Complete the following sub-steps:
1. Notice the status of the Net Device. The status should be Active.
2. Notice the list of blocked devices. The list includes addresses from other pods because you
are monitoring the same network.
Note
Step 7
You can view the blocked hosts directly from the PIX Firewall by issuing the show shun
command.
Select Unblock All to remove all of the addresses from the list of blocked devices.
Copyright
Answers
Q1)
In what situations would you not need a default route assigned to the Sensor?
A)
Q2)
Would you recommend being more restrictive? What other network addresses might be
included, if any?
A)
Q3)
Q6)
Copyright
Are these signatures good candidates to perform IP blocking if detected? Why or why
not?
A)
Q5)
In general allowing entire network segments is not desirable unless all of the
management workstations reside on that particular network. It is recommended
to be as restrictive as possible when defining what hosts can manage the Sensor.
Q4)
A default route assigned to the Sensor is not needed when the Sensor does not
need to communicate with devices on another network. The typical scenario
occurs when the IDS Director is on the same network and the Sensor is not
performing blocking.
B)
C)
D)
Identify those signatures that are deemed an immediate threat to your networks
security.
E)
Were all the attacks detected by the Sensor and reported to the IEV? Why or why not?
A)
No. The Sensor did not detect all of the signatures once a block signature was
detected. After the block occurred, the PIX Firewall denied the traffic from the
source.
Copyright
Objectives
This section lists the objectives of this chapter.
Objectives
Upon completion of this chapter, you will be able to perform
the following tasks:
Describe the key devices in a remote user network.
List the threats mitigated.
Discuss the four different options for providing remote user
connectivity.
Understand the mitigation roles of each of the following:
VPN Software Client
PIX Firewall
VPN Hardware Client
IOS Firewall
Implement specific configurations to apply the mitigation roles.
7-2
CSI 1.17-2
Copyright
Design Overview
This section gives a brief overview of the SAFE: Extending the Security Blueprint to Small,
Midsize, and Remote-User Networks (SAFE SMR) Remote-User network implementation.
Covers both
mobile and
home-office
workers
Contains
hardware,
software, and
combined designs
VPN
Software
Client with
personal
firewall
Software
access option
Broadban
d access
device
Home
office
firewall
with VPN
Broadband
access
device
Hardware
VPN
Client
Broadband
access
device
(optional)
Router
with
firewall
and VPN
Remote site
router option
CSI 1.17-4
Remote connectivity applies to both mobile workers and home-office workers. The primary
focus of these designs is providing connectivity from the remote site to the corporate
headquarters and through some means, the Internet. The following four options include
software-only, software-with-hardware, and hardware-only solutions:
Software accessRemote user with a virtual private network (VPN) Software client and
personal firewall software on the PC.
Remote-site firewall optionThe remote site is protected with a dedicated firewall that
provides firewalling and IPSec VPN connectivity to corporate headquarters. WAN
connectivity is provided via an ISP-provided broadband access device (for example, a
Digital Subscriber Line [DSL] or cable modem).
VPN Hardware Client optionRemote site using a dedicated VPN Hardware Client that
provides IPSec VPN connectivity to corporate headquarters. WAN connectivity is provided
via an ISP-provided broadband access device.
Remote-site router optionThe remote site using a router that provides both firewall
capabilities and IPSec VPN connectivity to corporate headquarters. This router can either
provide direct broadband access or go through and ISP-provided broadband access device.
Copyright
7-3
Telecommuter
or mobile
worker
ISP
Internet
Application
server
10.0.1.10
VPN public IP
192.168.1.5
CSI 1.17-5
A VPN is defined as customer connectivity deployed on a shared infrastructure with the same
policies as a private network. The shared infrastructure can leverage a service provider IP, Frame
Relay, ATM backbone, or the Internet. The result is that the security perimeter of the
organization is extended to the remote site.
The Cisco end-to-end hardware and Cisco IOS software networking products enables a complete
access VPN solution by providing the following:
Sophisticated security for sensitive private transmissions over the public infrastructure
Quality of Service (QoS) through traffic differentiation
Reliability for mission-critical applications
Scalability for supporting large bandwidth of data
Comprehensive network management
7-4
Copyright
Application
server
VPN
head-end device
ISP
ISP
Telecommuter
or mobile
worker
Internet
PPP connectivity
dial access
IPSec tunnel or session
CSI 1.17-6
Resides on a PC
Establishes a secure tunnel or session through the Internet to a Cisco VPN Concentrator
For dialup applications, IPSec relies on Point-to-Point Protocol (PPP) to establish the
physical connection to the local ISP and Internet
Concentrator
Copyright
7-5
Broadband
access device
Hub
Hardware or
Software VPN
Client
Key devices
CSI 1.17-8
The following are the key devices in the SAFE remote-user configuration:
Broadband access deviceProvides access to the broadband network (for example, DSL,
cable, and so on)
Firewall with VPN supportProvides secure, end-to-end encrypted tunnels between the
remote site and the corporate head-end, and provides network-level protection of remote-site
resources and stateful filtering of traffic
Layer 2 hubProvides connectivity for devices within the remote site, which can be
integrated into the firewall or VPN Hardware Client
Personal firewall softwareProvides device-level protection for individual PCs
Router with firewall and VPN supportProvides secure, end-to-end encrypted tunnels
between the remote site and the corporate head-end, provides network-level protection of
remote-site resources and stateful filtering of traffic, and can provide advanced services such
as voice or QoS
VPN Software ClientProvides secure, end-to-end encrypted tunnels between individual
PCs and the corporate head-end
7-6
Copyright
VPN Hardware ClientProvides secure, end-to-end encrypted tunnels between the remote
site and the corporate head-end
Copyright
7-7
CSI 1.17-9
7-8
Copyright
CSI 1.17-10
The following are the solutions for remote access network threat mitigation:
Remote site firewallUse of a remote-site firewall can provide a high level of security.
Cisco VPN Hardware ClientUse of a hardware client that is independent of the host
provides a connection with a greater level of security than a software client.
Remote-site routerUse of a remote-site router can provide a medium level of security but
can establish an IPSec tunnel and basic security that is independent of the host.
Software accessUse of software for access provides security at a host level, which uses the
host processor and memory.
Copyright
7-9
ISP
VPN
Software
Client
with a
personal
firewall
Software
access option
CSI 1.17-12
The following are the specific attack mitigation roles for the software access option:
Authenticate remote siteProperly identify and verify a user or service
Terminate IPSecSuccessfully establish an IPSec tunnel between the remote site and host
site
Personal firewall and virus scanning for local attack mitigationAllay the risk of virus
infection at the remote site
7-10
Copyright
ISP
VPN
Software
Client
with a
personal
firewall
Software
access option
CSI 1.17-13
The software access option is geared toward the mobile worker as well as the home-office
worker. All the remote user requires is a PC with Cisco VPN Client software and connectivity to
the Internet or ISP network via a dial-in or Ethernet connection.
The primary function of the VPN Software Client is to establish a secure, encrypted tunnel from
the client device to a VPN head-end device. Access and authorization to the network are
controlled from the headquarters location when filtering takes place on the firewall, and on the
client itself if access rights are pushed down via policy. The remote user is first authenticated,
and then receives IP parameters such as a virtual IP address, which is used for all VPN traffic,
and the location of name servers (Domain Name System [DNS] and Windows Internet Name
Service [WINS]).
Split tunneling can also be enabled or disabled via the central site. For the SAFE design, split
tunneling was disabled, making it necessary for all remote users to access the Internet via the
corporate connection when they have a VPN tunnel established. Because the remote user may
not always want the VPN tunnel established when connected to the Internet or ISP network,
personal firewall software is recommended to mitigate unauthorized access to the PC. Virusscanning software is also recommended to mitigate viruses and Trojan horse programs infecting
the PC.
Copyright
7-11
ISP
VPN
Software
Client
with a
personal
firewall
Software
access option
CSI 1.17-14
It is recommended that you use the latest level of the VPN Software Client unless technical
specifications or compatibility issues require an earlier version.
The Cisco VPN Client version 3.5 or higher is the recommended product for implementation of
the software access option:
Provides integrated VPN and firewall functionality
Simple install process
Configured via the head-end VPN termination device
7-12
Copyright
192.168.1.5
CSI 1.17-15
The VPN Windows Client is a software program that runs on Windows 95, 98, ME, 2000, XP,
and NT 4.0. The VPN Client on a remote PC, communicating with a Concentrator at an
enterprise or service provider, creates a secure connection over the Internet that enables you to
access a private network as if you were an on-site user.
The figure displays the VPN Client window. From this window, you can launch the new
connection wizard, change or set optional parameters, and launch the VPN Client. The
Connection Entry field enables you to provide a unique name for this VPN connection. The
address of the Concentrators public interface is configured in the field Host name or IP address
of the remote server.
Copyright
7-13
CSI 1.17-16
The Options drop-down menu enables you to configure or change optional parameters. By
clicking the Options button, the following options become available:
Clone EntryEnables you to copy a connection entry with all its properties.
Delete EntryEnables you to delete a connection entry.
Rename EntryEnables you to rename a connection entry (it is not case sensitive).
Import EntryProvides a pre-configured .pcf file that loads the VPN Client parameters.
Erase User PasswordEliminates a saved password. Erase User Password is available only
when you have enabled Allow Password Storage under the Mode Configuration parameters
for this group.
Create ShortcutEnables you to create a shortcut for your desktop.
PropertiesEnables you to configure or change the properties of the connection.
Stateful Firewall (Always On)Blocks all inbound traffic (to the VPN Client) that is not
related to an outbound session. After the remote user enables the stateful firewall, it is
always on.
Application LauncherEnables you to launch an application before establishing a
connection. This is used in conjunction with Windows Login Properties.
7-14
Copyright
Windows Logon PropertiesWindows Login Properties Enables the VPN Client to make
the connection to the Concentrator before the user logs in.
If the system administrator needs to know what VPN Client version you have installed on your
PC, click the Title Bar Lock icon, or right-click the system tray icon.
Copyright
7-15
Properties Tabs
General
Authentication
Connections
CSI 1.17-17
From the Options drop-down menu on the Cisco Systems VPN Client main screen, choose
Properties. Within Properties there are three tabs:
GeneralEnables IPSec through Network Address Translation (NAT), displays the status of
the local LAN access feature, and selects Microsoft network logon options.
AuthenticationConfigures the VPN Clients group or digital certificate information.
ConnectionsEnables backup connections and links the VPN connection to Dialup
Networking phonebook entries.
7-16
Copyright
PropertiesGeneral Tab
Win 95/98/ME
Win-NT 4/2000/XP
CSI 1.17-18
There are two versions of the General tab, depending on the operating system you are using:
The Windows 95,98, and ME versionProvides options for transparent tunneling, local
LAN access, and Microsoft login options
Windows NT 4.0,2000, and XP versionProvides transparent tunneling and local LAN
access only
The functions of the General tab are as follows:
Enable Transparent Tunneling check boxWorks with Windows 95, 98, NT 4.0, 2000, and
XP. The following are found within the Enable Transparent Tunneling group box:
Allow IPSec over UDP (NAT/PAT) radio buttonEnables you to use the VPN Client to
connect to the Concentrator via UDP through a firewall or router that is running NAT.
Both the VPN Client and Concentrator must be enabled for this feature to work.
Use IPSec over TCP (NAT/PAT/Firewall) radio buttonEnables you to use the VPN
Client to connect to the Concentrator via TCP through a firewall or router that is running
NAT. Both the VPN Client and Concentrator must be enabled for this feature to work.
Allow local LAN access check boxFor security purposes, the user has the ability to
disable local LAN access when using an insecure local LAN (for example, in a hotel).
Peer response timeout fieldThe number of seconds to wait before the VPN Client decides
that the peer is no longer active. The VPN Client continues to send DPD requests until it
reaches the peer response timeout value.
Copyright
7-17
Logon to Microsoft Network check boxWorks with Windows 95, 98, and ME only. The
following are found within the Logon to Microsoft Network group box:
7-18
Use default system logon credentials radio buttonUse the logon username and
password resident on your PC to log onto the Microsoft network (for example, student4).
Prompt for network logon credentials radio buttonIf your logon username and
password differ from the private network, the private network prompts you for the
username and password.
Copyright
PropertiesAuthentication Tab
CSI 1.17-19
The Concentrator and VPN Client connection can be authenticated with either the group name
and password, or digital certificates. The Authentication tab enables you to set your
authentication information. You need to choose one method, group or certificate, via the radio
buttons. Within the Group Access Information group box, enter the group name and password in
the appropriate fields. The group name and password must match what is configured for this
group within the Configuration>User Management>Groups>Identity window. Entries are case
sensitive.
For certificates to be exchanged, the Certificate radio button must be selected. In the Name dropdown menu, any personal certificates loaded on your PC are listed. Choose the certificate to be
exchanged with the Concentrator during connection establishment. If no personal certificates are
loaded in your PC, the drop-down menu is blank. Use the Validate Certificate button to check
the validity of the VPN Clients certificate.
Copyright
7-19
PropertiesConnections Tab
CSI 1.17-20
The last tab is the Connections tab. It defines backup networks and connection to the Internet via
dialup networking. A private network may include one or more backup Concentrators to use if
the primary Concentrator is not available.
Your system administrator tells you whether to enable a backup Concentrator and gives you its
address. If the VPN Client cannot reach the primary Concentrator, the VPN Client tries a backup
Concentrator. Select the Enable backup server(s) check box to enable this feature. Once
selected, click Add to enter the IP address of the backup Concentrator. Your VPN Client then
attempts to connect to your primary Concentrator first. If that Concentrator cannot be reached,
the VPN Client accesses the backup list for the addresses of available backup Concentrators.
Connecting to a private network using a dialup connection is typically a two-step process:
Step 1
Step 2
7-20
Copyright
ISP
Broadband
access
device
Home
office
firewall
with a VPN
Remote site
firewall option
CSI 1.17-22
This figure provides attack mitigation roles for the remote site firewall option:
Stateful packet filteringOffers strong security by thoroughly inspecting data packets and
maintaining critical addresses and port numbers in a lookup table
Basic Layer 7 filteringOffers basic filtering at the application layer of the OSI model
Host DoS mitigationPrevents host-based denial of service (DoS) attacks
Authenticate remote siteProperly identifies and verifies a user or service
Terminate IPSecSuccessfully establishes an IPSec tunnel between the remote site and host
site
Virus scanning for local attack mitigationAllays the risk of virus infection at the remote
site
Copyright
7-21
ISP
Broadband
access
device
Home
office
firewall
with a VPN
Remote site
firewall option
CSI 1.17-23
The remote-site firewall option is geared toward the home-office worker, or potentially a very
small branch office. With this option, it is expected that the remote site have some form of
broadband access available from a service provider. The firewall is installed behind the DSL or
cable modem.
The primary function of the firewall is to establish the secure, encrypted tunnel between itself
and a VPN head-end device, as well as providing connection-state enforcement and detailed
filtering for sessions initiated through it. Individual PCs on the remote-site network do not need
VPN client software to access corporate resources. Additionally, because the stateful firewall
protects access to the Internet, personal firewall software is not necessarily required on the
individual PCs. However, if the network administrator wants an additional level of security,
personal firewall software can also be implemented on remote-site PCs. This setup may be useful
if the home worker also travels and connects to the Internet directly over some public network.
Because the corporate headquarters has a stateful firewall protecting the hosts, the remote site
can have direct access to the Internet, rather than passing all traffic back through the corporate
headquarters. Unless NAT is used when communicating with the headquarters, the IP addresses
of the remote-site devices should be assigned in such a manner as to not overlap addressing
space in the headquarters location or another remote site. Remote-site devices that require direct
access to the Internet will require address translation to a registered address. This address
translation can be achieved by translating all Internet-bound sessions to the public IP address of
the firewall itself.
Access and authorization to the corporate network and the Internet are controlled by the
configuration of both the remote-site firewall and the VPN head-end device. Configuration and
security management of the remote-site firewall can be achieved via an IPSec tunnel from the
public side of the firewall back to the corporate headquarters. This setup ensures that the remotesite user is not required to perform any configuration changes on the home-office firewall.
Authentication should be set up on the firewall to prevent a local user from inadvertently
7-22
Copyright
modifying their firewall configuration and thereby compromise the security policy of that
device. Individual users at the remote site who access the corporate network are not
authenticated with this option. Instead, the remote-site firewall and VPN head-end use device
authentication.
Virus-scanning software is still recommended to mitigate against viruses and Trojan horse
programs infecting individual PCs at the remote sitejust like all the PCs in the entire
corporation.
Copyright
7-23
PIX FirewallImplementation
Commands Summary
The following are the necessary
implementation mitigation roles and
commands for the PIX Firewall:
Stateful packet filtering (this is the
default for the PIX Firewall)
Host DoS mitigation
ip verify reverse-path interface
icmp
attack guard commands (except for
frag guard, these are on by default)
static/nat
Spoof mitigation and RFC filtering
access-list
access-group
ISP
Broadband
access
device
Home
office
firewall
with a VPN
Remote site
firewall option
CSI 1.17-24
The following mitigation roles and commands are used to implement the policy on the Cisco
PIX Firewall:
Stateful packet filtering (this is the default for the PIX Firewall)
Host DoS mitigation
7-24
access-listCreates an ACL
Copyright
PIX FirewallImplementation
Commands Summary (cont.)
Authenticate remote
Site (and logging)
aaa-server
aaa authentication
logging on
Terminate IPSec
sysopt connection
permit-ipsec
isakmp enable
isakmp key
isakmp policy
crypto ipsec
transform-set
crypto map
ISP
Broadband
access
device
Home
office
firewall
with a VPN
Remote site
firewall option
CSI 1.17-25
Copyright
7-25
-- -
Implicitly permit any packet that came from an IPSec tunnel and
bypass the checking of an associated access-list, conduit, or
access-group command statement for IPSec connections.
-- -
pixfirewall(config)#
-
Used to enable ISAKMP negotiation on the interface on which the
IPSec peer will communicate with the PIX Firewall. This is
enabled by default.
- -
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-26
The sysopt connection permit-ipsec command implicitly permits any packet that came from an
IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group
command statement for IPSec connections.
The isakmp enable command is used to enable ISAKMP negotiation on the interface on which
the IPSec peer will communicate with the PIX Firewall. Use the no isakmp enable command to
disable IKE.
The syntax for the sysopt connection command is as follows:
sysopt connection permit-ipsec
connection permit-ipsec
Implicitly permit any packet that came from an IPSec tunnel and
bypass the checking of an associated access-list, conduit, or
access-group command statement for IPSec connections.
7-26
Copyright
- - -- -- -
Specifies the authentication pre-shared key.
You can use any combination of alphanumeric characters
up to 128 bytes. The pre-shared key must be identical at
both peers.
- -
-- -
CSI 1.17-27
To configure a pre-shared authentication key and associate the key with an IPSec peer address or
hostname, use the isakmp key address command. Use the no isakmp key address command to
delete a pre-shared authentication key and its associated IPSec peer address.
You would configure the pre-shared key at both peers whenever you specify pre-shared key in
an IKE policy. Otherwise, the policy cannot be used because it will not be submitted for
matching by the IKE process.
A netmask of 0.0.0.0. can be entered as a wildcard indicating that any IPSec peer with a given
valid pre-shared key is a valid peer.
Note
The PIX Firewall or any IPSec peer can use the same authentication key with multiple peers,
but this is not as secure as using a unique authentication key between each pair of peers.
The no-xauth or no-config-mode command options are to be used only if the following criteria
are met:
You are using the pre-shared key authentication method within your IKE policy.
The security gateway and VPN Client peers terminate on the same interface.
The Xauth or IKE Mode Configuration feature is enabled for VPN Client peers.
Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN
Clients. The Xauth feature enables the PIX Firewall to challenge the peer for a username and
password during IKE negotiation. The IKE Mode Configuration enables the PIX Firewall to
Copyright
7-27
download an IP address to the peer for dynamic IP address assignment. Most security gateways
do not support the Xauth and IKE Mode Configuration features.
If you have the no-xauth command option configured, the PIX Firewall does not challenge the
peer for a username and password. Similarly, if you have the no-config-mode command option
configured, the PIX Firewall does not attempt to download an IP address to the peer for dynamic
IP address assignment.
The syntax for the isakmp key command is as follows:
isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]
7-28
key keystring
address peer-address
netmask mask
no-xauth
Only use this if you enabled the Xauth feature, and you have an
IPSec peer that is a gateway. This option associates a given preshared key with a gateway and allows an exception to the Xauth
feature enabled by the crypto map client authentication
command.
no-config-mode
Only use this if you enabled the IKE Mode Configuration feature,
and you have an IPSec peer that is a gateway. This option
associates a given pre-shared key with a gateway and allows an
exception to the IKE Mode Configuration feature enabled by the
crypto map client configuration address command.
Copyright
- - - - -
- - --
-
- - Sets the various parameters of the IKE policy that will be used
- - - -
-
-
-
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-28
The isakmp policy command enables you to negotiate IPSec SAs and enable IPSec secure
communications. Several parameters can be configured with this command as illustrated in the
figure.
The syntax for the isakmp policy command is as follows:
isakmp policy priority encryption des | 3des
policy priority
encryption 3des
encryption des
Copyright
policy priority
hash md5
hash sha
7-29
authentication pre-share
Authentication rsa-sig
group 1
group 2
7-30
policy priority
lifetime seconds
Copyright
- -- --
- - -
Create, view, or delete IPSec SAs, SA global lifetime values, and
global transform sets.
You can specify up to three transforms. Transforms define the
IPSec security protocols and algorithms. Each transform
represents an IPSec security protocol (ESP, AH, or both) plus the
algorithm you want to use.
- --
- --
CSI 1.17-29
The crypto ipsec transform-set command defines a transform set. To delete a transform set, use
the no crypto ipsec transform-set command. To view the configured transform sets, use the
show crypto ipsec transform-set command.
A transform set specifies one or two IPSec security protocols (either Encapsulating Security
Payload [ESP] or Authentication Header [AH], or both) and specifies which algorithms to use
with the selected security protocol. During the IPSec SA negotiation, the peers agree to use a
particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets
in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA
negotiation to protect the data flows specified by that crypto map entrys ACL. During the
negotiation, the peers search for a transform set that is the same at both peers. When such a
transform set is found, it is selected and is applied to the protected traffic as part of both peers
IPSec SAs.
When SAs are established manually, a single transform set must be used. The transform set is
not negotiated.
Before a transform set can be included in a crypto map entry, it must be defined using the crypto
ipsec transform-set command.
To define a transform set, you specify one to three transformseach transform represents an
IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular
transform set is used during negotiations for IPSec SAs, the entire transform set (the
combination of protocols, algorithms, and other settings) must match a transform set at the
remote peer.
Copyright
7-31
In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify an
ESP protocol in a transform set, you can specify just an ESP encryption transform or both an
ESP encryption transform and an ESP authentication transform.
Examples of acceptable transform combinations are as follows:
ah-md5-hmac
esp-des
esp-des and esp-md5-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
If one or more transforms are specified in the crypto ipsec transform-set command for an
existing transform set, the specified transforms will replace the existing transforms for that
transform set.
If you change a transform set definition, the change is only applied to crypto map entries that
reference the transform set. The change will not be applied to existing SAs, but will be used in
subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner,
you can clear all or part of the security association database by using the clear [crypto] ipsec sa
command.
The syntax for the crypto ipsec transform-set command is as follows:
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
7-32
transform-set-name
transform1
transform2
transform3
Copyright
Implementation Commands
Terminate IPSec (cont.)
pixfirewall(config)#
- -- -
- --
- - - - - - -- --
--
Sets the various parameters of the IKE policy that will be used.
--
--
-
- -- -
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-30
To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp
command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option
of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp
option of the command. Use the no crypto map command to delete a crypto map entry or set.
Crypto maps provide two functions: filtering and classifying traffic to be protected, and defining
the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the
second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps link together definitions of the following:
What traffic should be protected
Which IPSec peers to which the protected traffic can be forwardedthese are the peers with
which an SA can be established
Which transform sets are acceptable for use with the protected traffic
How keys and SAs should be used and managed (or what the keys are, if IKE is not used)
A crypto map set is a collection of crypto map entries each with a different seq-num but the same
map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer
with specified security applied to that traffic, and other traffic forwarded to the same or a
different peer with different IPSec security applied. To accomplish this you would create two
crypto map entries, each with the same map-name, but each with a different seq-num.
The number you assign to the seq-num argument should not be arbitrary. This number is used to
rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map
Copyright
7-33
entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the
map entry with the lower number has a higher priority.
The syntax for the crypto map map-name command is as follows:
crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamicdynamic-map-name]
map map-name
seq-num
ipsec-isakmp
Indicates that IKE will be used to establish the IPSec SAs for
protecting the traffic specified by this crypto map entry.
ipsec-manual
Indicates that IKE will not be used to establish the IPSec SAs for
protecting the traffic specified by this crypto map entry.
dynamic
dynamic-map-name
seq-num
match address
acl_name
seq-num
set peer
hostname
ip-address
7-34
map map-name
seq-num
Copyright
set transform-set
Specifies which transform sets can be used with the crypto map
entry.
transform-set-name
seq-num
set transform-set
Specifies which transform sets can be used with the crypto map
entry.
transform-set-name
Copyright
7-35
Hardware VPN
Client option
CSI 1.17-32
The following are the mitigation roles for the VPN Hardware Client:
Authenticate remote siteProperly identifies and verifies a user or service
Terminate IPSecSuccessfully establishes an IPSec tunnel between the remote site and host
site
Personal firewall and virus scanning for local attack mitigationProvides firewall
inspection and allays the risk of virus infection at the remote site
7-36
Copyright
ISP
Broadband
access
device
Hardware
VPN
Client
Hardware VPN
Client option
CSI 1.17-33
The VPN Hardware Client option is identical to the remote-site firewall option except that the
VPN Hardware Client does not have a resident stateful firewall. This setup requires use of a
personal firewall on the individual hosts, particularly when split tunneling is enabled. Without
the personal firewall, the security of the individual hosts behind the VPN device is dependant
upon the attacker being unable to circumvent NAT. This is because when split tunneling is
enabled, connections to the Internet pass through a many-to-one NAT translation and do not
undergo any filtering at Layer 4 and above. With split tunneling disabled, all access to the
Internet must be through the corporate headquarters. This setup partially mitigates the
requirement for personal firewalls on the end systems.
Using a VPN Hardware Client offers two primary advantages:
As with the VPN Software Client, access and authorization to the corporate network and the
Internet are controlled centrally from the headquarters location. Configuration and security
management of the VPN Hardware Client device itself is done via a Secure Sockets Layer
(SSL) connection from the central site. This setup ensures that the remote-site user is not
required to perform any configuration changes on the VPN Hardware Client.
Individual PCs on the remote-site network do not need VPN Client software to access
corporate resources. However, individual users at the remote site who access the corporate
network are not authenticated with this option. Instead, the VPN Hardware Client and VPN
head-end Concentrator authenticate each other.
Copyright
7-37
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2000 Cisco Systems, Inc.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
CSI 1.17-34
Once connected, the administrator must gain access to the VPN 3002 Hardware Client Manager.
To gain access, complete the following steps:
Step 1
The VPN 3002 comes from the factory with a private interface IP address of 192.168.10.1. Hook
up a PC to the private port and configure the PCs TCP/IP address.
Step 2
Point the browser to the IP address of the private interface (for example, http//192.168.10.1).
Step 3
Log in using the login name and password of admin. No command line interface (CLI)
intervention is required.
However, if you would rather configure the VPN 3002 via CLI or if you need to change the
default address on the private LAN interface, you can use the CLI. The default CLI setting is
9600 8N1.
7-38
Copyright
GUI
Toolbar
Table of
contents
Manager
screen
CSI 1.17-35
The main window of the VPN 3002 Manager after logging into the device is made up of the
following:
The top frame (VPN 3002 Manager toolbar) provides quick access to Manager functions,
configuration, administration, and monitoring.
The left frame (table of contents [TOC]) provides the TOC to the Managers windows.
The main frame (Managers) displays the current VPN 3002 Manager window. From here
you can navigate the Manager using either the TOC in the left frame or the Cisco toolbar at
the top of the frame. Select a title on the left frame of the window and the VPN 3002 will
bring up the Manager window for the selected title.
Under the location bar, the Save Needed icons may appear. When finished with a configuration
window, click Apply. Apply enables the configuration to take effect immediately. To save the
changes to memory, click the Save Needed icon. If you reboot without saving, your
configuration changes are lost.
Copyright
7-39
Quick Configuration
CSI 1.17-36
There are two ways to configure the VPN 3002: Quick Configuration and the main menu. The
goal of Quick Configuration is to provide the minimal parameters needed for operation. You can
access Quick Configuration from the Configuration>Quick window. The VPN 3002 Quick
Configuration can be run multiple times.
7-40
Copyright
CSI 1.17-37
Quick Configuration guides you through the windows necessary to get a single tunnel up and
running. Use the main menu to tune an application or configure features individually. The
windows in the figure illustrate some of the IPSec remote access configuration screens using
Quick Configuration.
Copyright
7-41
CSI 1.17-38
The VPN 3002 is configured, and now the tunnel needs to be established. In Client Mode, by
default, there is no tunnel established. There are two ways to initiate a tunnel:
By clicking Connect Now, under the Monitoring>System Status window
By sending traffic to the VPN Hardware Client destined for the remote end
You can verify the configuration by trying to ping an interface on the remote Concentrator. The
VPN 3002 recognizes the remote-bound traffic and attempts to establish a tunnel. If a tunnel is
established, it is viewable on this screen. If the tunnel does not come up, check the event log of
the VPN 3002 and the Concentrator.
7-42
Copyright
Remote site
firewall option
CSI 1.17-40
The following are the attack mitigation roles for the remote-site router option:
Host DoS mitigationPrevents host-based DoS attacks
Stateful packet filteringOffers strong security by thoroughly inspecting data packets and
maintaining critical addresses and port numbers in a lookup table
Basic Layer 7 filteringOffers basic filtering at the application layer of the OSI model
Authenticate remote siteProperly identifies and verifies a user or service
Terminate IPSecSuccessfully establishes an IPSec tunnel between the remote site and host
site
Virus scanning for local attack mitigationAllays the risk of virus infection at the remote
site
Copyright
7-43
ISP
Broadband
access
device
Router
with a
firewall
and a VPN
Remote site
firewall option
CSI 1.17-41
The remote-site router option is nearly identical to the remote-site firewall option with a few
exceptions. When deployed behind a standalone broadband access device, the only difference is
the router can support advanced applications such as QoS, routing, and more encapsulation
options. Additionally, if the broadband capability is integrated into the router, a standalone
broadband access device is not needed. This option requires that your ISP allow you to manage
the broadband router itself, which is an uncommon scenario.
7-44
Copyright
Cisco IOSImplementation
Commands Summary
The following are necessary mitigation
roles and implementation commands for
Cisco IOS:
Stateful packet filtering (part of CBAC on
Cisco IOS routers)
Spoof mitigation and RFC filtering
access-list
access-group
Host DoS mitigation and basic layer 7
filtering
ip inspect
Authenticate remote site (and logging)
aaa new-model
tacacs-server
aaa authentication login
aaa authorization exec
aaa accounting exec
login authentication
ISP
Broadband
access
device
Router
with a
firewall
and a VPN
Remote site
firewall option
CSI 1.17-42
The following are necessary mitigation roles and implementation commands for the IOS
Firewall:
Stateful packet filteringPart of Context-Based Access Control (CBAC) on Cisco IOS
Routers
Spoof mitigation and RFC filtering
Copyright
aaa new-modelTo define a set of inspection rules, enter this command for each
protocol that you want to inspect, using the same inspection-name.
7-45
7-46
Copyright
Cisco IOSImplementation
Commands Summary (cont.)
IPSec commandsProvides for
IPSec tunnel termination
crypto isakmp policy
encryption
authentication
group
crypto isakmp key
crypto ipsec transform-set
crypto map
set peer
set tranform-set
match address
ISP
Broadband
access
device
Router
with a
firewall
and a VPN
Remote site
firewall option
CSI 1.17-43
Copyright
7-47
-
Enable Internet Key Exchange.
-
router(config)#
-
Defines an Internet Key Exchange policy
Invokes the Internet Security Association Key
Management Protocol policy configuration (configisakmp) command mode.
-
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-44
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is
enabled globally for all interfaces at the router.
If you do not want IKE to be used in your IPSec implementation, you can disable IKE at all your
IPSec peers. If you disable IKE at one peer, you must disable it at all your IPSec peers.
If you disable IKE, you will have to make the following concessions at the peers:
You must manually specify all the IPSec SAs in the crypto maps at the peers.
The IPSec SAs of the peers never time out for a given IPSec session.
During IPSec sessions between the peers, the encryption keys never change.
Anti-replay services are not available between the peers.
Certification Authority (CA) support cannot be used.
IKE negotiations must be protected, so each IKE negotiation begins by agreement of both peers
on a common (shared) IKE policy. This policy states which security parameters will be used to
protect subsequent IKE negotiations and mandates how the peers are authenticated.
After the two peers agree upon a policy, the security parameters of the policy are identified by an
SA established at each peer, and these SAs apply to all subsequent IKE traffic during the
negotiation.
You can create multiple, prioritized policies at each peer to ensure that at least one policy will
match the policy of a remote peer.
7-48
Copyright
Copyright
7-49
- -
- -
-- - -
- While in the ISAKMP policy configuration command mode, the
following commands are available to specify the parameters in
the policy. If you do not specify one of these commands for a
policy, the default value will be used for that parameter.
- - - -
- -
-
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-45
If you are interoperating with a device that supports only one of the values for a parameter, your
choice is limited to the value supported by the other device. Aside from this, there is often a
trade-off between security and performance, and many of these parameter values represent such
a trade-off. You should evaluate the level of security risks for your network and your tolerance
for these risks. After doing that, the following tips might help you select which value to specify
for each parameter:
The encryption algorithm has two options: 56-bit Data Encryption Standard-cipher block
chaining (DES-CBC), and 168-bit DES.
The hash algorithm has two options: Secure Hash Algorithm-1 (SHA-1), and Message
Digest 5 (MD5). MD5 has a smaller digest and is considered to be slightly faster than SHA1. There has been a demonstrated successful (but extremely difficult) attack against MD5;
however, the hashed message authentication code (HMAC) variant used by IKE prevents
this attack.
The authentication method has three options: Rivet, Shamir, and Adelman (RSA) signatures,
RSA encrypted nonces, and pre-shared keys.
7-50
RSA signatures provide nonrepudiation for the IKE negotiation (you can prove to a third
party after the fact that you did indeed have an IKE negotiation with the remote peer).
RSA signatures allow the use of a CA. Using a CA can dramatically improve the
manageability and scalability of your IPSec network. Additionally, RSA signature-based
authentication uses only two public key operations, whereas RAS encryption uses four
public key operations, making it costlier in terms of overall performance.
Copyright
RSA encrypted nonces provide repudiation for the IKE negotiation (you cannot prove to
a third party that you had an IKE negotiation with the remote peer). RSA encrypted
nonces require that peers possess each others public keys but do not use a CA. Instead,
there are two ways for peers to get each others public keys:
Pre-shared keys are clumsy to use if your secured network is large, and they do not scale
well with a growing network. However, they do not require use of a CA, as do RSA
signatures, and might be easier to set up in a small network with fewer than ten nodes.
RSA signatures also can be considered more secure when compared with pre-shared key
authentication.
The Diffie-Hellman (DH) group identifier has two options: 768-bit and 1024-bit DH. The
1024-bit DH option is harder to crack, but requires more CPU time to execute.
The lifetime of the SA can be set to any value. As a general rule, the shorter the lifetime (up
to a point), the more secure your IKE negotiations will be. However, with longer lifetimes,
future IPSec SAs can be set up more quickly.
The syntax for the encryption command is as follows:
encryption {des | 3des}
des
3des
md5
rsa-encr
pre-share
Copyright
7-51
7-52
Copyright
- -
--
Router (config) #
- -- --
- - -
Defines a transform set. Also invokes the crypto transform
configuration mode.
- -- -
--
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-46
Complete the following steps at each peer that uses pre-shared keys in an IKE policy to
configure pre-shared keys:
Set the ISAKMP identity of each peer. Each peers identity should be set to either its
hostname or by its IP address. By default, a peers identity is set to its IP address.
Specify the shared keys at each peer. Note that a given pre-shared key is shared between two
peers. At a given peer you could specify the same key to share with multiple remote peers;
however, a more secure approach is to specify different keys to share between different pairs
of peers.
A transform set is an acceptable combination of security protocols, algorithms, and other settings
to apply to IPSec-protected traffic. During the IPSec SA negotiation, the peers agree to use a
particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets
in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA
negotiation to protect the data flows specified by that crypto map entrys ACL. During the
negotiation, the peers search for a transform set that is the same at both peers. When such a
transform set is found, it is selected and will be applied to the protected traffic as part of both
peers IPSec SAs.
To define a transform set, you specify one to three transformseach transform represents an
IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular
transform set is used during negotiations for IPSec SAs, the entire transform set (the
combination of protocols, algorithms, and other settings) must match a transform set at the
remote peer.
Copyright
7-53
address
Use this keyword if the remote peer ISAKMP identity was set with
its IP address.
peer-address
mask
7-54
transform-set-name
transform1
transform2
transform3
Copyright
-
Specifies the mode for a transform set
-
Router (config) #
- --
-
Creates or modifies a crypto map entry and enters the
crypto map configuration mode
--
CSI 1.17-47
After you define a transform set, you are put into the crypto transform configuration mode.
While in this mode you can change the mode to either tunnel or transport. This change applies
only to the transform set just defined.
If the traffic to be protected has the same IP address as the IPSec peers and transport mode is
specified, during negotiation the router requests transport mode but accepts either transport or
tunnel mode. If tunnel mode is specified, the router requests tunnel mode and accepts only tunnel
mode.
If you do not change the mode when you first define the transform set, but later decide you want
to change the mode for the transform set, you must re-enter the transform set (specifying the
transform name and all its transforms) and then change the mode.
If you use this command to change the mode, the change only affects the negotiation of
subsequent IPSec SAs via crypto map entries, which specify this transform set. (If you want the
new settings to take effect sooner, you can clear all or part of the SA database.)
Crypto map entries created for IPSec pull together the various parts used to set up IPSec SAs
including the following:
Which traffic should be protected by IPSec (per a crypto ACL)
The granularity of the flow to be protected by a set of SAs
Where IPSec-protected traffic should be sent (who the remote IPSec peer is)
The local address to be used for the IPSec traffic
Copyright
7-55
What IPSec security should be applied to this traffic (selecting from a list of one or more
transform sets)
Whether SAs are manually established or are established via IKE
Other parameters that might be necessary to define an IPSec SA
The syntax for the mode command is as follows:
mode [tunnel | transport]
tunnel | transport
7-56
map-name
The name that identifies the crypto map set. This is the name
assigned when the crypto map was created.
seq-num
ipsec-isakmp
Indicates that IKE will be used to establish the IPSec SAs for
protecting the traffic specified by this crypto map entry.
dynamic
dynamic-map-name
(Optional.) Specifies the name of the dynamic crypto map set that
should be used as the policy template.
discover
Copyright
-- ---
Identifies the extended ACL
--
Router (config-crypto-map) #
- -- --
----
Specifies which transform sets can be used with the
crypto map entry
- --
-
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-48
The match address command is required for all static crypto map entries. If you are defining a
dynamic crypto map entry (with the crypto dynamic-map command), this command is not
required but is strongly recommended.
Use this command to assign an extended ACL to a crypto map entry. You also need to define
this ACL using the access-list or ip access-list extended commands.
The extended ACL specified with this command is used by IPSec to determine which traffic
should be protected by crypto and which traffic does not need crypto protection. (Traffic that is
permitted by the ACL is protected. Traffic that is denied by the ACL is not be protected in the
context of the corresponding crypto map entry.)
Note
The crypto ACL is not used to determine whether to permit or deny traffic through the
interface. An ACL applied directly to the interface makes that determination.
The crypto ACL specified by the match address command is used when evaluating both
inbound and outbound traffic. Outbound traffic is evaluated against the crypto ACLs specified
by the interfaces crypto map entries to determine if it should be protected by crypto and if so (if
traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static
IPSec crypto maps, new SAs are established using the data flow identity as specified in the
permit entry; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.)
After passing the regular ACLs at the interface, inbound traffic is evaluated against the crypto
ACLs specified by the entries of the interfaces crypto map set to determine if it should be
protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected
traffic is discarded because it should have been protected by IPSec.)
Copyright
7-57
In the case of IPSec, the ACL is also used to identify the flow for which the IPSec SAs are
established. In the outbound case, the permit entry is used as the data flow identity (in general),
while in the inbound case the data flow identity specified by the peer must be permitted by the
crypto ACL.
The set transform-set command is required for all static and dynamic crypto map entries.
Use this command to specify which transform sets to include in a crypto map entry.
For an ipsec-isakmp crypto map entry, you can list multiple transform sets with the set
transform-set command. List the higher priority transform sets first.
If the local router initiates the negotiation, the transform sets are presented to the peer in the
order specified in the crypto map entry. If the peer initiates the negotiation, the local router
accepts the first transform set that matches one of the transform sets specified in the crypto map
entry.
The first matching transform set that is found at both peers is used for the SA. If no match is
found, IPSec does not establish an SA. The traffic is dropped because there is no SA to protect
the traffic.
For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform
set does not match the transform set at the remote peers crypto map, the two peers will fail to
correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, re-specify the new list of transform sets to
replace the old list. This change is only applied to crypto map entries that reference this
transform set. The change will not be applied to existing SAs, but will be used in subsequent
negotiations to establish new SAs. If you want the new settings to take effect sooner, you can
clear all or part of the SA database by using the clear crypto sa command.
The syntax for the match address command is as follows:
match address [access-list-id | name]
access-list-id
name
7-58
Copyright
transform-set-name
Copyright
7-59
Router (config-if) #
Applies a previously defined crypto map set
to an interface
2003, Cisco Systems, Inc. All rights reserved.
CSI 1.17-49
Use the set peer command to specify an IPSec peer for a crypto map.
This command is required for all static crypto maps. If you are defining a dynamic crypto map
(with the crypto dynamic-map command), this command is not required, and in most cases is
not used (because, in general, the peer is unknown).
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command.
The peer that packets are actually sent to is determined by the last peer that the router heard from
(received either traffic or a negotiation request from) for a given data flow. If the attempt fails
with the first peer, IKE tries the next peer on the crypto map list.
For ipsec-manual crypto entries, you can specify only one IPSec peer per crypto map. If you
want to change the peer, you must first delete the old peer and then specify the new peer.
You can specify the remote IPSec peer by its hostname only if the hostname is mapped to the
peers IP address in a Domain Name Server or if you manually map the hostname to the IP
address with the ip host command.
Use the crypto map command to assign a crypto map set to an interface. You must assign a
crypto map set to an interface before that interface can provide IPSec services. Only one crypto
map set can be assigned to an interface. If multiple crypto map entries have the same map-name
but a different seq-num, they are considered to be part of the same set and are all applied to the
interface. The crypto map entry with the lowest seq-num is considered the highest priority and is
evaluated first. A single crypto map set can contain a combination of cisco, ipsec-isakmp, and
ipsec-manual crypto map entries.
7-60
Copyright
ip-address
Name that identifies the crypto map set. This is the name
assigned when the crypto map was created.
When the no form of the command is used, this argument is
optional. Any value supplied for the argument is ignored.
Copyright
7-61
Summary
This section summarized the information you learned in this chapter.
Summary
The following are the key devices in a remote user
network:
Broadband access devices
Firewalls with VPN support
Layer 2 hubs
Personal firewall software
Routers with firewall and VPN support
VPN Software Clients
VPN Hardware Clients
7-62
CSI 1.17-51
Copyright
Summary (cont.)
The following threats can be expected:
Unauthorized access
Network reconnaissance
Virus and Trojan horse attacks
IP spoofing
Man-in-the-middle attacks
Four basic options are available to mitigate threats: one
software-based and three hardware-based options.
Copyright
CSI 1.17-52
7-63
Copyright
Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.
Error! Not a valid link.
Objectives
In this lab exercise you will configure a site-to-site VPN by completing the following tasks:
Prepare for configuring IPSec pre-shared keys on the PIX Firewall.
Configure IKE parameters on the PIX Firewall.
Configure IPSec parameters on the PIX Firewall.
Configure routing and IKE parameters on the branch office router.
Configure IPSec parameters on the branch office router.
Configure no NAT in the VPN tunnel.
Verify the IPSec configuration.
Copyright
Setup
Before starting this lab exercise, set up your equipment as follows:
Ensure that your PIX Firewall is turned on.
Access the PIX Firewalls console port.
Save your PIX Firewalls configuration from the previous lab exercise to a text file.
Ensure that your branch office router is turned on.
Access the branch office routers console port.
Step 2
Enable the PIX Firewall to implicitly permit any packet that came from an IPSec tunnel and
bypass the checking with an associated conduit or access-group command for IPSec
connections:
-- -
Step 2
Step 3
Create an IKE policy by completing the following sub-steps. Use the following parameter values:
Policy priority number10
Encryption algorithm3des
Hash algorithmsha
Authentication methodpre-share
Diffie-Hellman group identifier1
SA lifetime86400
1. Specify the encryption algorithm:
- -
Step 4
Create an access control list (ACL) to select traffic to protect. The ACL should protect IP traffic
between the internal networks, using the following parameters, and allow branch office users
access to the untranslated public services segment and internal corporate server networks:
Traffic encryptedTraffic between corporate internal networks and branch office networks
Lab 7-4
Copyright
---
Step 2
Step 3
Step 4
Step 5
Copyright
Map number20
Match addressNONAT_PSS
1. Create a crypto map entry:
--
Step 6
Step 7
Step 8
Step 9
Lab 7-6
Copyright
-
- -
- -
-
-
-
-
--
--
-
-
-
-
-
-
-
-
-
---
--- -
---
---
---
--- -
--- -
--- -
---
---
---
---
-
- -
Copyright
-
-
-
-
-
-
-- -
-- -
--
--
--
--
- -
-
-- -
-- -
--
--
--
--
-
- -
- -
- ---
-
---
- - -
- - -
- -- -
-- -
-- -
Lab 7-8
Copyright
--
-
-
-
-
-
- -
- -
--
--
--
--
-- -
--
- -- - - --
--
-
- -- -
--
--
-
- -- -
-
- -
- -- -
- -
- - - -
-
-
-- -
--
-
Step 1
Step 2
The order of the existing ACL must be modified to permit the following entries.
---
--- -
---
Step 3
Step 4
Step 5
Copyright
- - -
Step 2
Step 3
Copyright
Step 4
Step 6
---
Copyright
Set the name of the map, the map number, and the type of key exchange to be used:
Step 7
--
Step 8
--
Step 9
- -- -
Step 10
Step 11
Step 15
Copyright
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
-
- --
- --
- --
Copyright
-
- -
--
- - --
-
-
-
-
-
-
-
-
-
-
-
-
-
- - --
- -- - -
--
-
- -- -
--
Copyright
--
--
-
-
--
--
--
-
- -
---
-
---
--- - -
--- - -
Lab 7-16 Cisco SAFE Implementation 1.1
Copyright
--- -
---
---
--- -
---
---
---
---
---
---
---
---
---
---
---
---
---
---
--
-
-
--
-
-
----
--
-
-
Copyright
Initiate a web session from your student PC to the branch office PC.
Step 2
Ensure that traffic between peers is being encrypted by completing the following sub-steps on
your PIX Firewall:
1. Examine the IPSec SAs. Note the number of packets encrypted and decrypted.
- - -
Step 3
Step 4
Step 5
Step 6
Copyright
Objectives
In this lab exercise, complete the following tasks to enable remote access via VPN:
Configure the Cisco VPN Client.
Reset the Concentrator via CLI.
Configure the Concentrator via CLI.
Configure the PIX Firewall.
Configure the VPN Concentrator using Quick Configuration via the web interface.
Configure the VPN Concentrator via the web interface.
Configure the branch office router.
Test and verify the IPSec configuration.
Copyright
Setup
Before starting this lab exercise, set up your equipment as follows:
Ensure that your Concentrator is turned on.
Access the perimeter routers console port.
Choose Start>Programs>Cisco Systems VPN Client>VPN Dialer from the Programs menu.
The VPN Client window opens.
Step 2
Step 3
Step 4
Click Next.
Step 5
Step 6
Click Next.
Step 7
Group NamepodP_group
(where P = pod number)
Group PasswordpodP_group
(where P = pod number)
Confirm PasswordpodP_group
(where P = pod number)
Step 8
Click Next. You have created a new VPN network connection named studentP.
(where P = pod number)
Step 9
Click Finish.
Step 10
Step 11
Choose Options>Properties.
Copyright
Step 12
Select Properties.
Step 13
Select the General tab, in the Properties window. The properties for studentP window opens.
The following items should be checked on a Windows system:
IPSec through NAT mode should be allowed.
The Peer Response Timeout should be 90.
Allow local LAN access to be checked.
Note
Step 14
Select the Authentication tab and verify that the group name spelling is correct. (It is case
sensitive.)
Note
If needed, you can edit the Group Password here in the Authentication tab.
Step 15
Step 16
Click OK.
Step 17
You are prompted for a login. You may have to press Enter to get a login prompt. Enter the
login name and password as follows:
Loginadmin
Passwordadmin
Note
If you are presented with the Quick> prompt, skip to Task 3. The Concentrator is already in
the default factory state.
Step 2
Proceed to Task 3 when the reboot is complete and you get a login prompt.
Note
Do not close the console window. The reboot will take several minutes to reload the default
configuration to online memory.
You may have to press Enter several times to get a login prompt.
Log into the console by entering the login name and password as follows:
Loginadmin
Passwordadmin
Step 2
If you get the Quick prompt for the system parameters, press Enter to accept the time, date, time
zone, and DST parameters. When finished, proceed with configuring the private interface.
Note
Step 3
A Concentrator received from the factory presents a slightly different order of prompts than
one that was rebooted to factory defaults.
Step 4
Copyright
-
Step 5
Step 6
If you do not exit, the CLI will take you through the Quick Configuration via the GUI instead.
Log in if you are not already logged in, by entering the login name and password as follows:
Loginadmin
Passwordadmin
Step 8
Complete the following actions from the main menu to configure the default gateway:
-
-
Copyright
Complete the following actions from the main menu to configure a static route:
-
-
-
--
-
- -
--
Exit the console access and proceed to the next lab steps.
Step 2
Step 3
Step 4
Copyright
Step 5
Step 6
Step 7
Step 8
Step 9
-
- -
- -
-
-
-
Copyright
-
--
--
-
-
-
-
-
-
-
-
-
---
--- -
---
---
---
--- -
--- -
--- -
---
---
---
---
---
---
-
- -
-
-
Lab 7-26 Cisco SAFE Implementation 1.1
Copyright
-
-
-
-- -
-- -
--
--
--
--
- -
-
-- -
-- -
--
--
--
--
-
- -
- -
- ---
-
---
---
- - -
- - -
- -- -
- - -
- -
-- -
-- -
--
--
Copyright
-
-
-
-
-
- -
- -
--
--
--
--
-- -
--
- -- - - --
--
-
- -- -
--
--
-
- -- -
--
--
-
- -- -
-
- -
- -- -
- -
- - - -
-
-
-- -
--
-
Copyright
Step 2
Enter the IP address of the Concentrators private interface address in the address field. The VPN
3000 Concentrator Series web interface is displayed in your browser.
-
Log into the Concentrator by entering the login name and password as follows:
Loginadmin
Passwordadmin
Step 4
Select click here to start Quick Configuration in the Main window. Quick configuration will
lead you through a series of windows. You will be in the Configuration>Quick>IP Interfaces
window.
Step 5
Check the accuracy of Ethernet 1 and 2 IP addresses and subnet masks, which you configured via
CLI.
Step 6
Step 7
Configuration>Quick>System Info
Complete the following steps to initially configure the VPN Concentrator:
Step 8
Copyright
Default Gateway192.168.P.150
(where P = pod number)
Step 9
Configuration>Quick>Protocols
Complete the following steps to enable the tunneling protocols for this lab exercise:
Step 10
Step 11
Configuration>Quick>Address Assignment
Complete the following steps to configure the Network Address Translation (NAT) address
range for this lab exercise:
Step 12
Step 13
Configuration>Quick>Authentication
Complete the following steps to identify what type of authentication server to use for this lab
exercise:
Step 14
Choose Internal Server from the Select Server type drop-down menu.
Step 15
Configuration>Quick>User Database
Complete the following steps to configure the user parameters for this lab exercise:
Step 16
Copyright
PasswordstudentP
(where P = pod number)
Verify passwordstudentP
(where P = pod number)
Step 17
Click Add to add the user to the database. The username should appear in the Current Users
window.
Step 18
Configuration>Quick>IPSec Group
Complete the following steps to configure the IPSec Group parameters for this lab exercise:
Step 19
The group name and password information is case-sensitive and must match the IPSec group
created earlier.
Group NamepodP_group
(where P = pod number)
PasswordpodP_group
(where P = pod number)
VerifypodP_group
(where P = pod number)
Step 20
Configuration>Quick>Admin Password
You can configure the admin password in the Admin Password window. For lab consistency,
please leave the password at its default value.
Step 21
Click Continue.
Note
Configuration>Quick>Done
You have completed the quick configuration steps. Complete the following steps to save the
quick configuration:
Step 22
Step 23
Copyright
Step 2
Verify that CiscoVPNClient-3DES-MD5 is listed under Active Proposals. If it is not there, select
it from the Inactive Proposals list and click Activate.
Note
Step 3
If Cisco VPN Client-3DES-MD5 is not at the top of the Active Proposals list, click the Move Up
button to place it there. If it is already there, proceed on to Step 3.
Step 5
Step 6
Click Apply.
Step 7
Step 9
Click Add to add the internal corporate network administrators. The Add a manager screen is
displayed.
Copyright
Step 10
Step 11
Click Add. The Manager address is displayed in the Manager Workstations list.
Step 12
Click Add to add Administrators accessing the Concentrator from the VPN network. The Add a
manager screen is displayed.
Step 13
Enter the following Manager Address parameter values so only this IP range can access the
Concentrator with admin rights:
IP Address10.0.(P+20).16
(where P = pod number)
IP Mask255.255.255.240
Access GroupGroup 1 (admin)
Step 14
Click Add. The Manager address is displayed in the Manager Workstations list.
Step 15
Click Add to add student users accessing the concentrator from the VPN network. The Add a
manager screen is displayed.
Step 16
Enter the following Manager Address parameter values so only this IP range can access the
Concentrator with User rights:
IP Address10.0.(P+20).0
(where P = pod number)
IP Mask255.255.255.240
Access GroupGroup 5 (User)
Step 17
Click Add. The Manager address is displayed in the Manager Workstations list.
Step 18
Step 20
Step 21
Step 22
Copyright
Step 23
Step 24
Step 25
Step 26
Step 27
Click Apply.
Step 28
Step 29
Step 30
Step 31
Step 32
Step 33
Click Apply. The HTTP server is automatically restarted to disable HTTP access.
Note
Step 35
Step 36
Step 37
Step 38
Step 39
Step 40
Step 41
Step 42
Step 43
Select the Allow the networks in the list to bypass tunnel check box.
Step 44
Click Apply.
Step 45
Choose Student PC from the drop-down menu next to the Split Tunneling Network List
Attribute.
Step 46
Click Apply.
Step 47
Copyright
Add an ACL entry to allow incoming traffic from the Concentrator network.
Note
---
Step 2
Step 3
Step 4
Step 5
-
- --
- --
- --
-
- -
--
- - --
Copyright
-
-
-
-
-
-
-
-
-
-
-
-
-
- - --
- -- - -
--
-
- -- -
--
--
--
Lab 7-36 Cisco SAFE Implementation 1.1
Copyright
-
-
--
--
--
-
- -
---
-
---
--- - -
--- - -
--- -
---
---
--- -
---
---
Copyright
---
---
---
---
---
---
---
---
---
---
---
---
---
---
---
--
-
-
--
-
-
----
--
-
-
Copyright
Complete the following sub-steps to launch the VPN Client on your VPN Client PC:
1. Choose Start>Programs>Cisco Systems VPN Client>VPN Dialer from the Program
menu.
2. Verify that Connection Entry studentP is selected.
(where P = pod number)
3. Verify the IP address of the remote server: 192.168.P.5.
(where P = pod number)
Step 2
Click Connect. The Connection History window opens, and several messages flash by quickly:
1. If you are prompted for a username, enter: studentP (This is case-sensitive.)
(where P = pod number)
2. When you are prompted to enter a password, enter: studentP (This is case-sensitive.)
(where P = pod number)
Step 3
Verify that the branch office PC can access the following web servers:
Corporate public services segment server172.16.P.50
(where P = pod number)
VPN client PC10.0.(P+20).17
(where P = pod number)
Copyright
Student PC10.0.P.11
(where P = pod number)
Step 5
Verify that the VPN Client system can access the following web servers:
Corporate public services segment server172.16.P.50
(where P = pod number)
Student PC10.0.P.11
(where P = pod number)
Branch office PC10.2.P.11
(where P = pod number)
Step 6
Verify that the student PC can access the following web servers:
Corporate public services segment server172.16.P.50
(where P = pod number)
VPN client PC10.0.(P+20).17
(where P = pod number)
Branch office PC10.2.P.11
(where P = pod number)
Copyright
Objectives
In this lab exercise you will complete the following tasks:
Secure the perimeter router network services.
Configure the PIX Firewall to allow management services.
Secure management access to the perimeter router.
Configure the perimeter router to only allow IPSec traffic to the PIX Firewall and
Concentrator.
Test and verify the perimeter router configuration.
Copyright
Control access into the router from the console, aux ports, and the vty lines.
Allow Telnet to the perimeter router only from the student PC.
Authenticate Telnet sessions with usernames and passwords entered into the perimeter
routers local security database.
The administrator attempts to log into the Syslog server.
Setup
You should not have to configure any routing or addressing of interfaces on lab equipment in
this lab exercise. Before starting this lab exercise, set up your equipment so that you can do the
following from the Student PC:
Ping the perimeter routers outside interface.
Ping the backbone router in the cloud network.
Create a warning message that is displayed when a user establishes an interactive session:
- -
- -
Step 2
Step 3
Lab 7-42 Cisco SAFE Implementation 1.1
Copyright
Step 4
Allow Syslog messages and TFTP transfers through the PIX Firewall to the Student PC.
Note
The order of the existing INBOUND ACL must be modified to permit the management
services. Be sure to bind the ACL to the outside interface.
--- - -
--
--- - -
-- -
Create a standard ACL to permit management access from the Student PC:
---
Step 2
Copyright
Step 3
Step 4
Step 5
Create an ACL entry to only allow IPSec traffic from the branch office router to the PIX
Firewall:
--- - - -
--- - -
-
--- - -
Step 2
Step 3
Copyright
Ping the perimeter routers inside interface from the Student PC. This should be successful.
Step 2
Ping the perimeter routers outside interface from the Student PC. This should be successful.
Step 3
Establish a Telnet session to the perimeter router from the Student PC:
If you are unable to telnet to your perimeter router, console into your perimeter router and
check the ACLs applied to your VTY lines and inside interface.
Step 4
Verify that the devices are sending Syslog messages to the student PC Syslog server.
Step 5
-
- --
- -- -
- --
-
-
--
- - --
-
-
-
-
-
Copyright
--
--
--
--
--- -
---
--- - - -
--- - - -
---
- -
--- - -
--- - -
---
---
- -
- -
--
Lab 7-46 Cisco SAFE Implementation 1.1
Copyright
-
-
----
--
-
-
Step 6
Copyright
---
--- -
---
---
---
--- -
--- -
--- -
---
--- - - --
--- - -
---
---
---
---
---
-
- -
-
-
-
-
-
-- -
-- -
--
--
--
--
- -
-
Lab 7-48 Cisco SAFE Implementation 1.1
Copyright
-- -
-- -
--
--
--
--
-
- -
- -
- ---
-
---
---
- - -
- - -
- -- -
- -
- - -
-- -
-- -
--
--
-
-
-
-
-
- -
- -
--
--
--
--
-- -
--
Copyright
- -- - - --
--
-
- -- -
--
--
-
- -- -
--
--
-
- -- -
-
- -
- -- -
- -
- - - -
-
-
-- -
--
-
Step 7
Step 8
Verify that the branch office PC can access the following via the web browser:
Public services segment server172.16.P.50
(where P = pod number)
Copyright
Verify the VPN Client PC can access the following via the web browser:
Public services segment server172.16.P.50
(where P = pod number)
Student PC10.0.P.11
(where P = pod number)
Branch office PC10.2.P.11
(where P = pod number)
Copyright
Objectives
In this lab exercise, you will complete the following tasks:
Configure AAA on the VPN 3000 Concentrator.
Configure Syslog on the VPN 3000 Concentrator.
Configure the PIX Firewall to secure management access via AAA.
Configure the perimeter router to secure management access via AAA.
Configure the branch router to secure management access via AAA and to centralize
logging.
Test centralized management of all network devices.
Setup
You should not have to configure any routing or addressing of interfaces on lab equipment in
this lab exercise. Before starting this lab exercise, set up your equipment so that you can do the
following from the Student PC:
Ensure that your VPN Concentrator is turned on.
Access the devices via the console ports (except the Concentrator).
Launch your web browser and log into the Concentrator as an administrator user.
Copyright
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Click Apply.
Step 9
Step 10
Step 11
Step 12
Add the following ACL entry to the PIX Firewall to allow traffic from the Concentrator to the
AAA server:
--- - -
--- - -
Step 2
Choose severity level 15 from the Severity to Syslog drop-down menu to send events to the
Syslog server.
Step 3
Step 4
Step 5
Copyright
Step 6
Click Add. The Syslog server is listed in the Syslog Server group.
Step 7
Step 8
Add an ACL entry to the PIX Firewall to allow traffic from the Concentrator to the Syslog
server:
--- - -
--
Create a static mapping on the PIX Firewall for the internal AAA server:
- -- -
Add an ACL entry to the PIX Firewall allowing traffic to the internal AAA server form the
perimeter router.
Note
The order of the existing INBOUND ACL must be modified to permit the management
services. Be sure to bind the ACL to the outside interface.
--- - -
-
Copyright
Step 3
Create a new AAA model and define the AAA server on the perimeter router:
-- - - --
Enable AAA authentication and create the following authentication lists with the specified
methods:
defaultUse the list of all Terminal Access Controller Access Control System Plus
(TACACS+) servers for authentication as the primary method. Use the local username
database for authentication as the secondary method. Use the enable password for
authentication as the last method.
no_tacacsUse the line password for authentication.
-
-
Step 5
Step 6
Step 7
Step 8
Add a crypto ACL entry to allow IPSec traffic between the branch office router and the
corporate office internal network.
--- -
Step 2
Add an ACL entry that does not perform NAT on the branch office routers IP address if the
router communicates with devices on the corporate office internal network:
--- -
Add ACL entries to the PIX Firewall to define IPSec traffic to the branch office router:
--- -
Add an ACL entry that allows the corporate office management server and workstation access to
the router on the branch office router:
--- -
Enable AAA authentication and create the following authentication lists with the specified
methods:
defaultUse the list of all TACACS+ servers for authentication as the primary method. Use
the local username database for authentication as the secondary method. Use the enable
password for authentication as the last method.
no_tacacsUse the line password for authentication.
-
-
Enable AAA authorization for exec sessions that required TACACS+ authentication:
-
Step 8
Step 9
Enable AAA authentication for VTY sessions using the default authentication list:
Copyright
Step 11
Add the corporate office Syslog server to the list of logging hosts:
Password
Description
ACSAdmin
admin
ACSstudent
student
Step 1
Log into the Concentrator as the admin account. Confirm that you have access to manage the
device.
Step 2
Log into the Concentrator as the student account. Confirm that you only have view and not
management access.
Step 3
Step 4
Step 5
Telnet into the perimeter router as the admin account. Confirm that you are logged into enable
mode.
Step 6
Telnet into the perimeter router as the student account. Confirm that you are logged into user
mode.
Step 7
Telnet into the branch office router as the admin account. Confirm that you are logged into
enable mode.
Step 8
Telnet into the branch office router as the student account. Confirm that you are logged into user
mode.
Step 9
Transfer the configuration files for the following devices to the TFTP server address listed:
Branch office router10.0.P.11
(where P = pod number)
Perimeter router192.168.P.10
(where P = pod number)
Copyright
PIX firewall10.0.P.11
(where P = pod number)
Step 10
-
- --
- -- -
- --
-
-
-
-
-- -
-
--
- - --
-
-
-
-
-
--
--
Copyright
--
--
--- -
---
--- - - -
--- - - -
---
- -
--- - -
--- - -
---
---
-- - - --
- -
- -
--
-
-
----
Copyright
--
-
-
-
- -
- -
-
-
-
-
--
--
-
-
-
-
-
-
-
-
-
---
--- -
---
---
---
--- -
--- -
--- -
Lab 7-60 Cisco SAFE Implementation 1.1
Copyright
---
--- - - --
--- - -
--- - - ---
---
---
--- -
---
--- - - --- - -
--- - - --
---
---
-
- -
-
-
-
-
-
-- -
-- -
--
--
--
--
- -
-
Copyright
-- -
-- -
--
--
--
--
-
- -
- -
- ---
-
---
---
- - -
- - -
- -- -
- -
- -- -
- - -
-- -
-- -
--
--
-
-
-
-
-
- -
- -
- - -
- - - - --
- --
--
--
--
Copyright
-- -
--
- -- - - --
--
-
- -- -
--
--
-
- -- -
--
--
-
- -- -
-
- -
- -- -
- -
- - - -
-
-
-
-- -
--
-
-
- --
- --
- --
-
-
Copyright
-
-
-- -
- -
--
- - --
-
-
-
-
-
-
-
-
-
-
-
-
-
- - --
- -- - -
--
-
- -- -
Lab 7-64 Cisco SAFE Implementation 1.1
Copyright
--
--
--
-
-
--
--
--
-
- -
---
-
Copyright
---
---
--- - -
--- - -
--- -
---
---
--- -
---
---
---
---
---
---
---
---
---
---
---
---
---
--- -
---
---
---
---
---
--
-- - - --
-
-
--
-
-
Lab 7-66 Cisco SAFE Implementation 1.1
Copyright
----
--
-
-
Copyright
Copyright
Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.
172.26.26.P
Pod P (110)
172.26.26.0/24
.10P e0/1
.150
brP
Branch
10.3.P.0/24
RBB
.1 e0/0
pub 10.3.P.5
cP
priv 10.2.P.1
10.2.P.0/24
.1
Branch
192.168.P.0/24
10.2.P.11
172.16.P.0/24
Super
Server
WWW
FTP
PSS
WWW
FTP
.2 e0
.1 e2
.50
.1 e1
.10
.1 e4 172.18.P.0/24
.1 e5
.5 e0/1
DMZ
drP
172.19.P.0/24 .5 e0/0
10.0.P.0 /24
.100
RTS
Student
2003, Cisco Systems, Inc. All rights reserved.
pP
10.0.P.11
CSI 1.18-1
Copyright
Objectives
In this lab exercise, you will configure the PIX Firewall to provide basic connectivity by
completing the following tasks:
Initial configuration of the PIX Firewall.
Configure global addresses, NAT, routing and statics.
Allow outbound traffic from internal networks.
Test and verify the configuration.
Setup
Before starting this lab exercise, make sure the PIX Firewall is turned on and that your PC has
console access to the PIX Firewall.
Step 2
Check your current configuration to familiarize yourself with the current setup.
Step 3
Assign the PIX Firewall the parameters and names as defined in the following table and enable
the interfaces:
Interface
Interface Name
Security Level
IP Address/Netmask
ethernet0
outside
192.168.P.2/255.255.2
55.0
ethernet1
inside
100
10.0.P.1/255.255.255.0
ethernet2
PSS
50
172.16.P.1/255.255.25
5.0
ethernet4
DMZ1
70
172.18.P.1/255.255.25
5.0
ethernet5
DMZ2
80
172.19.P.1/255.255.25
5.0
hostname
pixP
Step 1
Assign pools of IP addresses for use by outbound connections defined in the following table:
Interface Name
Global Pool ID
IP Address Range
Netmask
outside
192.168.P.33-222
255.255.255.0
Configure the PIX Firewall to allow all inside hosts to use NAT for outbound access and apply it
to the inside interface. For the inside host, use IP address 10.0.P.0 (where P = pod number).
Step 3
Assign the perimeter routers inside interface as the PIX Firewalls default route.
Step 4
Step 5
Create static network mappings to gain access from the inside networks to the PSS and DMZ
networks according to the following table:
Inside Network
Outside Network
Interfaces
10.0.P.0
10.0.P.0
inside/PSS
10.0.P.0
10.0.P.0
inside/DMZ1
10.0.P.0
10.0.P.0
inside/DMZ2
Step 7
Create an access list named OUTBOUND permitting ip traffic from the internal networks to all
networks and apply it to the inside interface.
Step 2
Create an access list named INBOUND to permit ICMP echo replies initiated from the internal
networks to all outside networks and denying all other access from the outside networks. Apply it
to the outside interface.
Step 3
Create an access list named PSS-OUT to permit ICMP echo replies initiated from the internal
networks to the PSS network and apply it to the PSS interface.
Step 4
Create an access list named DMZ2-OUT to permit ICMP echo replies initiated from the internal
networks to any network and apply it to the DMZ2 (e5) interface.
Step 5
-
- -
- -
-
-
-
Copyright
-
--
--
-
-
-
-
-
-
-
-
-
---
---
---
---
---
-
-
-
-
-- -
-- -
--
--
--
--
Copyright
-- -
-- -
--
--
--
--
-
- -
-
- - -
- - -
- - -
-- -
-- -
--
--
-
-
-
-
-
- -
- -
--
--
--
--
--
--
-
Ping the following devices from the PIX Firewall to ensure they are operational:
PIX Firewall inside interface10.0.P.1
(where P = pod number)
Copyright
Student PC10.0.P.11
(where P = pod number)
PIX Firewall outside interface192.168.P.2
(where P = pod number)
PIX Firewall PSS interface172.16.P.1
(where P = pod number)
PIX Firewall DMZ1 interface172.18.P.1
(where P = pod number)
PIX Firewall DMZ2 interface172.19.P.1
(where P = pod number)
PSS server172.16.P.50
(where P = pod number)
VPN Client172.26.26.P
(where P = pod number)
Step 2
Establish ftp and web access to the PSS server from the Student PC.
Step 3
Establish ftp and web access to the VPN Client from the Student PC.
Copyright
Objectives
In this lab exercise, you will configure the DMZ IOS router to provide basic connectivity by
completing the following tasks:
Initial configuration of the DMZ IOS router.
Test and verify the configuration.
Setup
Before starting this lab exercise, make sure the DMZ IOS router is turned on and that your PC
has console access to the DMZ IOS router.
Check your current configuration to familiarize yourself with the current setup.
Step 2
Assign the DMZ IOS Router the parameters as defined in the following tables and enable the
interfaces:
Ethernet0/0172.19.P.5/255.255.255.0
(where P = pod number)
Ethernet0/1172.18.P.5/255.255.255.0
(where P = pod number)
HostnamedrP
(where P = pod number)
Step 3
Next Hop
10.0.P.0/255.255.255.0
172.19.P.1
172.26.26.0/255.255.255.0
172.18.P.1
10.2.P.0/255.255.255.0
172.18.P.1
10.3.P.0/255.255.255.0
172.18.P.1
172.16.P.0/255.255.255.0
172.19.P.1
Copyright
Step 4
-
- --
- --
- --
- -
-
-
--
--
--
---
-
Copyright
Ping the following devices from the Student PC to ensure they are operational:
DMZ IOS router e0/1 interface172.18.P.5
(where P = pod number)
DMZ IOS router e0/0 interface172.19.P.5
(where P = pod number)
Copyright
Objectives
In this lab exercise, you will configure the Branch IOS router to provide basic connectivity by
completing the following tasks:
Initial configuration of the Branch IOS router.
Test and verify the configuration.
Setup
Before starting this lab exercise, make sure the Branch IOS router is turned on and that your PC
has console access to the Branch IOS router.
Step 2
Check your current configuration to familiarize yourself with the current setup.
Step 3
Assign the IOS Router the parameters as defined in the following tables and enable the
interfaces:
Ethernet0/010.3.P.1/255.255.255.0
(where P = pod number)
Ethernet0/1172.26.26.10P/255.255.255.0
(where P = pod number)
HostnamebrP
(where P = pod number)
Step 4
Configure the IOS Router to use EIGRP according to the following parameters:
Autonomous System Number1
Network10.0.0.0
Network172.26.0.0
Route SummaryNone
Step 5
Configure a static route on the IOS Router to allow access to the private network on the VPN
Concentrator:
Copyright
Verify your routing table ensuring that the static route you entered is being redistributed into
EIGRP.
Step 8
-
- --
- --
- --
-
-
--
--
--
- -
-
Copyright
---
-
Ping the following devices from the Student PC to ensure they are operational:
Branch IOS router e0/0 interface10.3.P.1
(where P = pod number)
Branch IOS router e0/1 interface172.26.26.10P
(where P = pod number)
Copyright
Objectives
In this lab exercise, you will configure the VPN Concentrator to provide basic connectivity by
completing the following tasks:
Reset the VPN concentrator via CLI.
Configure the VPN Concentrator via CLI.
Test and verify the configuration.
Setup
Before starting this lab exercise, make sure the VPN Concentrator is turned on and that your PC
has console access to the VPN Concentrator.
Access the VPN Concentrator console port and reboot the system to the default configuration.
Assign the VPN Concentrator the parameters as defined in the following table and assign a
default gateway of 10.3.P.1 (where P = pod number). Be sure to remove the default filters as
shown in the table:
Interface
IP Address/Netmask
Filter
public (e2)
10.3.P.5/255.255.255.0
none
private (e1)
10.2.P.1/255.255.255.0
none
Ping the following devices from the Student PC to ensure they are operational:
VPN Concentrator public interface10.3.P.5
(where P = pod number)
Copyright
Copyright
Establish ftp and web access to the Branch PC from the Student PC.
Objectives
In this lab exercise, you will configure the PIX Firewall to secure the corporate network by
completing the following tasks:
Deny outbound traffic from the Public Services Segment (PSS) network.
Allow necessary Internet services to the PSS server.
Implement spoofing protection.
Enable logging to the management server on the internal corporate network.
Assign Telnet and enable passwords.
Test and verify the configuration.
Copyright
Enable logging.
Setup
Before starting this lab exercise, make sure the PIX Firewall is turned on and that your PC has
console access to the PIX Firewall.
Modify the PSS-OUT ACL to deny outbound traffic initiated from the PSS server.
Step 2
Confirm that the PSS server cannot gain access outside of its local subnet from the PSS Server:
Test ICMP access to the Branch Router: 172.26.26.10P
(where P = pod number)
Test FTP and web access to the Student PC: 10.0.P.11
(where P = pod number)
Test ICMP access to the VPN Client PC: 172.26.26.P
(where P = pod number)
Step 3
Confirm that you still have connectivity to the PSS server from the Student PC:
Test ICMP access to the PSS Server: 172.16.P.50
(where P = pod number)
Test ftp and web access to PSS server: 172.16.P.50
(where P = pod number)
Create a static translation for your PSS server using the following parameters:
prenat_interfacePSS
postnat_interfaceoutside
mapped_address192.168.P.11
(where P = pod number)
Copyright
real_address172.16.P.50
(where P = pod number)
netmask255.255.255.255
connection_limit0
em_limit1000
Step 2
Modify the INBOUND ACL to deny RFC 2827 and 1918 traffic using the following parameters:
address to be denied127.0.0.0/255.0.0.0
address to be denied10.0.P.0/255.255.255.0
(where P = pod number)
Note
The course lab topology does not allow for including the complete RFC 1918 private
addresses. The listed addresses are those that do not affect the communication between the
lab equipment. For actual implementation, include all appropriate RFC 1918 private addresses
applicable to your network.
Step 3
Modify the INBOUND ACL to allow inbound web and FTP access to the public address of the
PSS server and to explicitly deny all other traffic.
Step 4
Step 5
Step 6
-
- -
- -
-
-
-
-
--
--
-
-
-
-
Copyright
-
-
-
-
-
---
---
---
--- -
--- -
---
---
---
--- -
---
---
-
-
-
-
-
-- -
-- -
--
--
--
--
-- -
-- -
Copyright
--
--
--
--
-
- -
-
- - -
- - -
- - -
- - -
-- -
-- -
--
--
-
-
-
-
-
- -
- -
--
--
--
--
--
--
-
Step 7
Verify the configuration by performing the following test from the VPN Client PC:
Test that ICMP access does not work to the outside interface of the PIX Firewall:
192.168.P.2.
(where P = pod number)
Copyright
Enable Unicast RPF IP spoofing protection for the outside and PSS interfaces.
Step 2
Enable logging and send information log messages to the management PC using the following
parameters:
Management PC10.0.P.11
(where P = pod number)
Trap levelinformational
Step 2
Step 2
Step 3
-
- -
- -
-
-
-
-
Copyright
--
--
-
-
-
-
-
-
-
-
-
---
---
---
--- -
--- -
---
---
---
--- -
---
---
-
- -
-
-
-
-
-- -
Lab 8-22 Cisco SAFE Implementation 1.1
Copyright
-- -
--
--
--
--
- -
-
-- -
-- -
--
--
--
--
-
- -
-
- - -
- - -
- - -
- - -
-- -
-- -
--
--
-
-
-
-
-
- -
- -
--
--
--
--
--
Copyright
--
-
Ensure that you cannot access the PSS server from the VPN client PC via ICMP, but can access
it via FTP and web access:
Test ICMP access to the PSS server: 192.168.P.11
(where P = pod number)
Test FTP and web access to the PSS server: 192.168.P.11
(where P = pod number)
Step 2
Ensure that you can access the Internet from the Student PC:
Test ICMP access to the VPN Client PC: 172.26.26.P
(where P = pod number)
Test FTP and web access to the VPN Client PC: 172.26.26.P
(where P = pod number)
Step 3
Ensure that you cannot access the internal corporate network from the VPN client PC. Test
ICMP, web, and FTP access to the Student PC at IP address: 10.0.P.11 (where P = pod number).
Step 4
Ensure that you cannot initiate a connection to any network from the PSS server.
Copyright
Objectives
In this lab exercise you will complete the following tasks:
Secure the branch office router network services.
Secure management access to the branch office router.
Configure NAT IOS features.
Implement access control filtering.
Configure CBAC and IDS features.
Test the branch office router configuration.
Send branch router Syslog output to the internal Syslog server on the branch office
server.
Log informational events on the branch office router to the Syslog server.
Control administrator access to the branch office router to prevent unauthorized access:
Copyright
Control access into the router from the console and the vty lines.
Allow Telnet to the perimeter router only from the student system inside the branch
office network.
Authenticate Telnet sessions with usernames and passwords entered into the perimeter
routers local security database.
Log all administrator attempts to the Syslog server.
Implement Network Address Translation (NAT) and Port Address Translation (PAT)
features to hide the internal network addresses.
Prevent source address spoofing.
Deny outgoing IP traffic with the corporate internal address as the source address.
Deny packets with local host, broadcast or multicast (or both), source addresses.
Permit incoming traffic that is part of a session that originated from the branch office
network or the corporate office network.
Configure Context-Based Access Control (CBAC) and IOS intrusion detection system (IDS)
features:
Inspect common application protocols and generic TCP and UDP sessions.
Enable IOS IDS attack signatures to alarm and drop matching packets.
Setup
Before starting this lab exercise, set up your equipment so that you can do the following from the
branch office equipment:
Ping the branch office routers inside and outside interfaces from the branch office PC.
Copyright
Ping the backbone router in the cloud network from the branch office router.
Establish connectivity to corporate PSS network resources.
Ensure the Syslog server is running on the branch office PC.
Create a warning message that is displayed when a user establishes an interactive session using
the following parameters:
banner loginWarning. Authorized Company IT Personnel ONLY!
banner execYou are now executing commands on Company Property!
Step 2
Enable password encryption and assign a secret enable password to protect the routers
passwords using the following parameters:
enable password should be encrypted
enable secretsecret
Step 3
Disable unnecessary network and router services to limit the exposure to direct attacks against
the router. The following services should be disabled on each interface:
source-route
cdp run
finger
tcp-small-servers
udp-small-servers
http server
bootp server
domain-lookup
rcmd rsh-enable
rcmd rcp-enable
Copyright
proxy-arp
cdp enable
ip redirects
ip directed-broadcast
Step 4
Enable logging to the Syslog server to provide a method to monitor router events including
attacks:
management PC10.2.P.11
(where P = pod number)
trap levelinformational
Create a standard ACL to permit management access and log those hits from the Branch PC
using the following parameters:
access list number1
Assign a password to the VTY lines (04) and the console line, and allow VTY line access only
from management workstations to the router to prevent access by unauthorized users using the
following parameters:
passwordcisco
access list1
timeout15
Step 2
Create a local user account on the router that is used to log into the router using the following
parameters:
usernamestudent
passwordstudent
Enable the router feature to prevent CPU cycles from being misallocated by guarantying
CPU time for system processes.
Copyright
Caution
Step 1
Establish static translation between an inside local address and an outside global address and
apply it to both interfaces using the following parameters:
local-ip10.2.P.11
(where P = pod number)
global-ip172.26.26.11P
(where P = pod number)
Create an ACL that meets the following criteria and apply it to the public (E0/1) interface:
access list number101
Allows traffic, routing updates, and logs from the ISP router (RBB) and no other routers
Allows traffic from the corporate office
Prevents inbound network traffic with source addresses of the branch office internal
networks
Implements RFC 1918 filtering for the following networks
Step 2
127.0.0.0
172.18.0.0
Create an ACL that only allows outbound traffic originating from the internal network and
explicitly denies all other traffic using the following parameters:
access list number102
logginglog
Enable inbound CBAC inspection on the inside interface for the following protocols:
TCP
UDP
Copyright
FTP
H323
RealAudio
Inspection namebranchfw
Step 2
Step 3
-
- --
- -- -
- --
-
- -
--
- - --
-
-
-
-
-
-
-
Copyright
-
-
-
--
--
-
-
--
--
--
- -
-
---
-
---
--- - -
--- - -
--- -
---
---
Copyright
Case Study Lab 8-31
---
---
---
---
---
---
-
-
--
-
-
----
--
-
-
Ping the branch office routers inside and outside interface from the branch office PC.
Step 2
Establish a Telnet session to the branch office router from the branch office PC:
If you are unable to telnet to your branch office router, console into your branch office router
and check the ACLs applied to your VTY lines and inside interface.
Step 3
Verify HTTP and FTP connectivity to the corporate Web server at IP address 192.168.P.11
(where P = pod number).
Step 4
Verify that the address translation is working properly for a local lab.
Copyright
Objectives
In this lab exercise you will configure a site-to-site VPN by completing the following tasks:
Prepare the PIX Firewall for the DMZ IOS Router to Branch Office IOS Router IPSec tunnel
configuration.
Prepare for configuring IPSec on the Branch Office IOS Router.
Configure IKE parameters on the Branch Office IOS Router.
Configure IPSec parameters on the Branch Office IOS Router.
Prepare for configuring IPSec pre-shared keys on the DMZ IOS Router.
Configure IKE parameters on the DMZ IOS Router.
Configure IPSec parameters on the DMZ IOS Router.
Configure the PIX Firewall to only allow IPSec Traffic to the DMZ IOS Router.
Verify the IPSec configuration.
Setup
Before starting this lab exercise, make sure you can access the console ports of the devices used.
Copyright
Task 1Prepare the PIX Firewall for the DMZ IOS Router to Branch
Office IOS Router IPSec Tunnel Configuration
Step 1
Create a static mapping from the DMZ1 interface to the Outside interface of the PIX Firewall to
translate the e0/1 address on the DMZ IOS Router according to the following:
Inside address172.18.P.5
(where P = pod number)
Outside address192.168.P.200
(where P = pod number)
InterfaceDMZ1
Step 2
Create an access-list entry in the DMZ1-OUT access-list to allow the IOS DMZ Router access to
the Branch Routers outside interface.
Step 3
Create an access-list entry in the INBOUND access-list to allow the outside interface of the
Branch Office IOS Router to the DMZ1 interface of the DMZ IOS Router.
Step 4
Create access list entries in the DMZ2-OUT access-list on the DMZ2 interface to allow the
Branch office networks access to the internal networks and the PSS.
Step 5
Create a static mapping from the DMZ2 interface to the PSS interface of the PIX Firewall to
allow access from the Branch Office networks to the PSS according to the parameters on the
following table:
Inside address10.2.P.0
(where P = pod number)
Outside address10.2.P.0
(where P = pod number)
InterfaceDMZ2
Step 6
Create route statements to route traffic destined for the Branch Office networks to the DMZ IOS
Router interface DMZ2.
Step 7
-
- -
- -
-
-
-
-
--
--
Copyright
-
-
-
-
-
-
-
-
-
---
---
---
--- - -
--- -
--- -
---
---
---
--- -
---
--- -
---
---
---
---
---
---
-
- -
-
-
-
-
Copyright
-- -
-- -
--
--
--
--
- -
-
-- -
-- -
--
--
--
--
-
- -
-
- - -
- - -
- - -
- - -
- - -
- -
-- -
-- -
--
--
--
-
-
-
-
Copyright
-
- -
- -
--
--
--
--
--
--
-
Input static routes for the following networks using the translated address of the DMZ IOS
Router as the next hop:
Next Hop192.168.P.200
(where P = pod number)
10.0.P.0/255.255.255.0
(where P = pod number)
172.16.P.0/255.255.255.0
(where P = pod number)
Step 2
Copyright
Step 1
Create an access control list (ACL) to select traffic to protect. The ACL should protect IP traffic
between the internal networks, using the following parameters, and allow branch office users
access to the untranslated Public Services Segment (PSS) and internal corporate server networks:
Traffic encryptedTraffic between corporate internal networks and branch office networks
Access list name103
ProtocolAny Internet protocol
Step 2
Create access-list entries to allow decrypted traffic from the corporate office networks to the
branch office networks:
Corporate Office Networks10.0.P.0/255.255.255.0 and 172.16.P.0/255.255.255.0
(where P = pod number)
Branch Office Networks10.2.P.0/255.255.255.0 and 10.3.P.0/255.255.255.0
(where P = pod number)
Access list name101
ProtocolAny Internet protocol
Step 3
Configure an IPSec transform set (IKE phase two parameters). Use the parameter values listed:
Transform namemyset
ESP protocols3des
Copyright
Modetunnel
Step 4
Create a crypto map using the parameter values listed and apply it to the e0/1 interface:
Crypto map nameDMZ
Map number10
Key exchange typeisakmp
Peer192.168.P.200
(where P = pod number)
Transform setmyset
Match address103
Step 5
-
- --
- -- -
- --
-
- -
--
- - --
-
-
-
-
-
-
-
-
Copyright
-
-
-
-
-
- - --
- -- - -
--
-
- -- -
--
--
--
-
-
--
--
--
- -
-
Lab 8-40 Cisco SAFE Implementation 1.1
Copyright
---
-
---
--- - -
--- - -
--- -
---
---
---
---
---
---
---
---
---
---
---
---
---
---
---
-
-
--
-
-
----
--
Copyright
-
-
Create an access control list (ACL) to select traffic to protect. The ACL should protect IP traffic
between the internal networks, using the following parameters, and allow branch office users
access to the untranslated Public Services Segment (PSS) and internal corporate server networks:
Copyright
Traffic encryptedTraffic between corporate internal networks and branch office networks
Peer network addressIP address of branch office network
Access list name103
ProtocolAny Internet protocol
Step 2
Configure an IPSec transform set (IKE phase two parameters). Use the parameter values listed in
the table.
Transform namemyset
ESP protocols3des
Modetunnel
Step 3
Create a crypto map using the parameter values listed and apply it to the e0/1 interface:
Crypto map namebranch
Map number10
Key exchange typeisakmp
Peer172.26.26.10P
(where P = pod number)
Transform setmyset
Match address103
Task 8Configure the PIX Firewall to Only Allow IPSec Traffic to the
DMZ IOS Router
Complete the following steps to configure the perimeter router to only allow IPSec traffic to the
PIX Firewall and Concentrator:
Step 1
Create ACL entries to only allow IPSec traffic from the branch office router to the DMZ IOS
Router using the following parameters:
access-list numberINBOUND
ProtocolESP
ProtocolUDPeq ISAKMP
Copyright
Initiate a web session from your student PC to the branch office PC.
Step 2
Ensure that traffic between peers is being encrypted by completing the following sub-steps on
your DMZ IOS Router:
1. Examine the IPSec SAs. Note the number of packets encrypted and decrypted.
2. Generate additional traffic by clicking the Reload button of your web browser.
3. Examine the IPSec SAs again.
4. Note that the packet counters have incremented.
Step 3
Step 4
Confirm that the branch office network addresses have not been translated.
Step 5
Copyright
Objectives
In this lab exercise, complete the following tasks to enable remote access via VPN:
Configure the VPN Concentrator using Quick Configuration via the web interface.
Configure the VPN Concentrator via the web interface.
Configure the Cisco VPN Client.
Configure the Branch Office IOS router.
Test and verify the IPSec configuration.
Setup
Before starting this lab exercise, set up your equipment as follows:
Ensure that your Concentrator is turned on.
Access the branch office routers console port.
Configure the VPN Concentrator using the System Info parameters below:
System NamestudentP VPN
(where P = pod number)
New TimeVerify the current time and date
Copyright
DST SupportEnable
DNS Server0.0.0.0 (which is the default)
Domain NamepodP.com
(where P = pod number)
Default Gateway10.3.P.1
(where P = pod number)
Step 2
Step 3
Step 4
Step 5
The group name and password information is case-sensitive and must match the IPSec group
created earlier.
Group NamepodP_group
(where P = pod number)
Copyright
PasswordpodP_group
(where P = pod number)
VerifypodP_group
(where P = pod number)
Note
You can configure the admin password in the Admin Password window. For lab consistency,
please leave the password at its default value.
This modification is necessary for the classroom lab only and is not recommended on a live
network.
Step 2
Apply the Public (Default) filter to the Ethernet 2 (Public) interface on the VPN Concentrator.
Step 3
Step 4
Step 5
Step 6
Create a static entry on the PIX Firewall to translate the Student PCs host address to
192.168.P.50 from the inside to the outside.
(where P = pod number)
Step 7
Copyright
Step 8
Enable split tunneling on the VPN Concentrator only allowing access to the translated address of
the Student PC.
Translated address192.168.P.50
(where P = pod number)
Step 2
Group NamepodP_group
(where P = pod number)
Group PasswordpodP_group
(where P = pod number)
Confirm PasswordpodP_group
(where P = pod number)
Step 3
Copyright
Step 1
Configure an access-list entry in access-list number 101 to allow IKE and IPSec
traffic access to the public interface of the VPN concentrator.
Launch the VPN client and unsure that you can access the Branch PC through the VPN tunnel.
Test FTP and web access to the Branch PC10.2.P.11
(where P = pod number)
Step 2
Ensure that you can access the PSS server from the VPN client PC through the tunnel via FTP,
and web access:
Test FTP and web access to the PSS server172.16.P.50
(where P = pod number)
Step 3
Ensure that you can access the VPN Client PC through the tunnel from the Student PC:
Test FTP and web access to the VPN client PC10.2.P.17
(where P = pod number)
Step 4
Ensure that you can access the following through the tunnel from the Branch PC:
Test FTP and web access to the VPN client PC10.2.P.17
(where P = pod number)
Test FTP and web access to the PSS Server172.16.P.50
(where P = pod number)
Test FTP and web access to the Student PC10.0.P.11
(where P = pod number)
Copyright
Final Configurations
Compare your final configurations to the ones shown:
PIX Firewall Configuration
-
- -
- -
-
-
-
-
--
--
-
-
-
-
-
-
-
-
-
---
---
---
--- - -
--- - - -
--- - - -
--- - -
--- -
--- -
---
---
---
--- -
---
--- -
---
Lab 8-50 Cisco SAFE Implementation 1.1
Copyright
---
---
---
---
-
- -
-
-
-
-
-- -
-- -
--
--
--
--
- -
-
-- -
-- -
--
--
--
--
-
- -
-
- - -
Copyright
- - -
- - -
- - -
- - -
- -
-- -
-- -
--
--
--
-
-
-
-
-
- -
- -
--
--
--
--
--
--
-
-
- --
- -- -
- --
Copyright
-
- -
--
- - --
-
-
-
-
-
-
-
-
-
-
-
-
-
- - --
- -- - -
--
-
- -- -
--
--
--
-
-
Copyright
--
--
--
- -
-
---
-
---
--- - -
--- - -
--- -
---
--- - -
--- - -
---
---
---
---
---
---
---
---
---
---
---
Lab 8-54 Cisco SAFE Implementation 1.1
Copyright
---
---
---
-
-
--
-
-
----
--
-
-
-
- --
- --
- --
- -
-
-
Copyright
-
-
- - --
- -- - -
--
-
- -- -
--
--
--
--
---
-
---
---
---
---
Copyright
Copyright